Just when you think that the self-appointed copyright Gestapo can’t sink any lower they kick the old limbo stick down another notch. Now before you jump to the conclusion that I’m one of those “content wants to be free” activists, rest assured that I am not. All of my career has been spent as a code monkey writing software for somebody else (as a “work made for hire” in copyright lingo). And trust me, I’m all about getting paid. Which doesn’t happen if my employer goes broke because their products were pirated. I’m also a musician who composes and records original material. Now my attitude towards copyright protection is quite a bit different with my music because, as Cory Doctorow says in the forward material to his latest book Makers [you can download the e-book  here for free] my problem isn’t piracy, it’s obscurity. But what about that piracy notion? I just said that I won’t get paid if my employer goes broke because their products were pirated. Well guess what? That has never happened. Not to me. Not to anyone. In short, I’m not opposed to copyright or copyright enforcement.

What I am opposed to, and baffled by, is a business model that comes down to “we aren’t selling as much of our stuff as we want, so we will go after people who are pirating it.” The most recent episode in this ridiculous jihad against customers is reported by Cory Doctorow in boingboing.

The MPAA has successfully shut down an entire town’s municipal WiFi because a single user was found to be downloading a copyrighted movie. Rather than being embarrassed by this gross example of collective punishment (a practice outlawed in the Geneva conventions) against Coshocton, OH, the MPAA’s spokeslizard took the opportunity to cry poor (even though the studios are bringing in record box-office and aftermarket receipts).

That’s right, the entire public WiFi net of Coshocton, OH. The same net that is used by Coshocton County Sheriff’s deputies to complete a traffic or incident report without leaving their vehicle. The same net that out-of-town business people can park and use their laptops to make connections. The very same net that during festival times, vendors use to check the status of credit cards being used to make purchases. And the same net that has a single address used by many people, so it’s difficult to tell who made the illegal download (although the county plans to investigate the matter).

Great job MPAA! Way to look out for your own financial interests in blatant disregard for the interests of everyone else. So what exactly have the MPAA clowns (I love Cory’s reference to the MPAA’s spokeslizard) accomplished here. Several things come to mind:

1. Users of Coshocton public WiFi will likely never download another pirated movie again… without going through TOR.
2. Users of Coshocton public WiFi will likely never purchase any movie ever again.

As I said before, I’m not a fan of pirating movies. Quite frankly there is so much stuff legitimately available for free or incredibly cheap that I can’t begin to consume everything I might be interested in. But in addition, I can’t for the life of me see how alienating your customers because somebody downloaded a movie and allegedly deprived you of $10 or less (assuming of course that the perp would have actually paid for it anyway) makes any sense at all. What I can say is that cheesy stunts like this almost make me want to fire up bit torrent and snag some episodes of Desperate Housewives. Just on principle. That and I’ve never seen Desperate Housewives. But I can get it from Netflix way easier. And I don’t have to use TOR. But believe me, I’m not going to purchase any movie or TV show. Not now. Not ever.

Recently I posted this entry entitled Once I was a caregiver and didn’t even know it wherein I found the current confusion about the legal definition of a marijuana “caregiver” in the state of Colorado quite amusing. Well, like most things involving dope (er… controlled substances trying to be prescription medications) and lawyers it just keeps getting better. Several days ago the Denver District court weighed in on the issue. This story on TheDenverChannel.com sums it up.

A Denver district court judge has overturned a state health board ruling that narrowed the definition of who can supply medical marijuana.Chief Judge Larry Naves ruled Tuesday that the Colorado Board of Health broke the law by rushing an emergency meeting to redefine the term caregiver.”I find there was no emergency,” Naves said. “There was no consideration of how the plaintiffs and others who are in need of medical marijuana would obtain it.”

Naves said, “The board’s action Nov. 3 violated the law and is, therefore, invalid and void.”

Okay… For those who have just joined us, let’s recap:

1. Last summer, the Board of Health defined a list of duties that could be considered “significant responsibility for managing the well-being of a patient,” for someone to qualify as a caregiver entitled to provide marijuana. But the language made it possible to qualify even if the only thing they did was provide marijuana to a patient.
2. A Colorado Court of Appeals found in the case of a woman charged with cultivation of marijuana in her Longmont home, who argued that the marijuana she grew was distributed to authorized medical-marijuana patients through dispensaries, that caregivers needed to know the patients. This forced the board to take quick action: They removed the entire definition, intending to take up the issue on Dec. 16, 2009 at a public meeting.
3. Much squealing ensued because changing the rule, it was argued, could force dispensaries and growers to offer other care as well which would be impossible for many growers who supply the dispensaries, thereby exposing marijuana growing operations to criminal prosecution.

So now Judge Naves says [I paraphrase here] “not so fast, bucko! These guys got their weed fair, square, cheap and legal like. You can’t just cut off their stash with no notice”. But wait, wasn’t it another court that caused the BoH to jerk the Jamaican [growing] rule? Well this certainly clears that up.

Meanwhile back in the Peoples Republic of Boulder (also reported to be in the State of Colorado) we have the Boulder City Council approving temporary medical pot rules according to this article in the Boulder Daily Camera.

The council voted to pass an emergency ordinance aimed at keeping medical marijuana dispensaries away from schools, clustering together or operating in neighborhoods.

The ordinance means that through March 31, 2010, any dispensaries that want to open in Boulder may only do so if they are at least 500 feet away from schools or licensed daycare centers, are not within 500 feet of three or more other dispensaries, and are not located in residential areas.

What’s this!? Has Boulder taken a hard right turn? Say it ain’t so! Okay – it ain’t so. Let’s put this in a bit of context. Again from the Camera article:

The rules do not apply to the 42 businesses that have already pulled sales-tax licenses with the city, or the 21 or so dispensaries that applied for permits prior to Nov. 6.

So by my count that is 42 existing dope dealerships (er… Medical Marijuana dispensaries) and 21 wanabees for a total of 63 new places to go to feed the jones (er… get your medication). Compare that to the number of Starbucks in Boulder. You know that coffee place on pretty much every corner. Well that number – including Licensed Stores (not operated by Starbucks) is 14. Of course the total number of coffee shops is much higher: 33. So there is already half again as many reefer shops as java shops in Boulder. And soon there will be twice as many. Whew! My faith in the Peoples Republic is restored.

But what does all of this mean? What is the greater significance? You tell me. This is just giving me a headache. Say… I’m in Boulder. I’ll bet that a few tokes of medication would fix me right up.

Just lately I’ve discovered Common Sense Media and am quite impressed with their tools and advice for parents that are soundly based on, well, common sense. Anyone who has read earlier posts on this blog like this one or this one knows that I’m really big on the idea that security begins with don’t be an idiot. So I was quite pleased when Common Sense had this featured article by Liz Perle in the Common Sense Newsletter entitled Rules of the Road for Parents in a Digital Age. She had me at the first line: “Even if you’re clueless, you’re still your kid’s teacher“.

Common Sense Rules of the Road for Parents

1. Model good behavior. If we’re on our Blackberries or iPhones at dinner, why will our kids listen to us when we tell them to turn theirs off?
2. Pay attention. We have to know where our kids are going online – and what they’re doing there.
3. Impart our values. Cheating, lying, being cruel – they’re all non-starters. Right and wrong extends to online and mobile life.
4. Establish limits. Phone time, video download time, destinations. There’s really a right time and place for everything.
5. Encourage balance. Get kids involved in offline activities – especially where there’s no cell service.
6. Make kids accountable. If they have a privilege, make sure they earn it.
7. Explain what’s at stake. Let kids know that what they do today can be abused by someone tomorrow.
8. Find ways to say “yes.” That means we have to do some homework and know the sites they visit, the songs they download, etc. – and find ways to use technology that lets us say “yes” more often than we say “no.”
9. It’s not rocket science. Learn to text, send a mobile photo, set up a Facebook page, upload a video. Or have your kids show you how. It’s impossible to guide what you don’t understand. Not only that, but think of all the anxiety you can avoid by knowing how things work.
10. Lighten up, embrace their world, and enjoy the possibilities together. None of us want digital divides in our relationships with our kids. It’s up to us to join the fun and help them seize the potential.

Some great stuff here. I think the main point (well at least the point I’d like to make) is that for a parent being clueless is normal, but staying clueless is not an option. And I’d also like to draw particular attention to #5  (Encourage balance). This is where kids – and parents – discover the actual purpose and utility of the online world. Yeah, that’s right – it’s way too easy to get caught up in the fiction of  ”socializing” online with people we’ve never met when in fact most of those people are not at all who they pretend to be. And some aren’t even people. The point? Social media is a powerful tool to collaborate and stay connected to real people you actually know, but to just be a poser interacting with other posers never accomplishing anything tangible in the real world is not only pointless, but boring. How do I know this? My son Nicholas is an avid gamer and web designer. So he has spent a good deal of time online since he was fairly young. Several years ago we (Nicholas and I) started volunteering for the FIRST Robotics challenge. In the real world. He now helps mentor and judge the web sites for the teams as well as doing crowd control and other jobs at the actual event. This requires collaboration and communication with other volunteers, the teams and challenge coordinators. Nicholas – and I – now have practical experience collaborating via social media with others folks who are involved in doing something that is very real, very tangible and wicked cool. Needless to say neither of us are interested in wasting time gossiping with posers when we can connect with interesting folks doing amazing stuff. Real stuff.

So if you are a parent, think about these 10 rules. It really all comes down to this: If your kids see you not being an idiot and doing cool stuff that’s what they will pay attention to. And everybody will get a clue in the process.

I first mentioned “Operation Numbers Game” last August in this post and followed up about a month later with this post.

Here’s a quick recap of the controversial investigation.

“Operation Numbers Game” began after a Texas man told Greeley [Colorado] authorities someone there was using his identity. The suspect in that case alerted law enforcement to the firm that prepared his taxes. Investigators obtained a search warrant [and] seized the returns last year from a tax preparation firm that catered to Latinos in Greeley, where Hispanics make up about a third of the population.

A District Court judge halted the investigation in April. He ruled Weld County authorities violated people’s privacy rights and had no probable cause to inspect the tax returns, which were used to file charges of criminal impersonation and identity theft against more than 70 people.

Weld County appealed the decision.

Weld County District Attorney Ken Buck, a Republican U.S. Senate candidate who advocates stricter immigration laws, has maintained the investigation was about identity theft, not illegal immigration.

Today the Colorado Supreme Court is hearing arguments about the legality of “Operation Numbers Game”. As reported in this story on TheDenverChannel.com, the web site for Denver ABC affiliate 7News, Weld County is sticking with their original “identity theft” spin.

The Colorado Supreme Court is hearing arguments Thursday about the legality of an identity theft investigation that targeted hundreds of suspected illegal immigrants who filed U.S. tax returns without valid Social Security numbers.

Authorities say that as many as 1,300 suspected illegal immigrants were using other people’s identities to work and to file taxes. Some of those charged face deportation. Others pleaded guilty before the court stopped the investigation.

Weld County is appealing the lower court’s ruling that there was no probable cause for the search warrant. The District Court judge called the warrant “nothing more than an exploratory search based upon suspicion that some unknown person or persons” committed a crime.

The county is appealing another judge’s ruling that barred prosecutors from filing more cases using evidence seized from the tax preparer.

Filing taxes is mandatory for anyone who earns income in the U.S. regardless of legal status. Many of the people targeted in Operation Numbers Game were filing taxes with government-issued taxpayer identification numbers.

So other than being an update on yet another creative interpretation of one law to enforce something completely different case, why should anyone care? What’s the big deal? Well here’s the big deal, again from the 7News article:

Prosecutors in other states have expressed interest in Weld County’s use of tax documents to go after illegal immigrants. Immigrant advocacy groups have said Weld County is the only jurisdiction to use tax records – which are confidential under federal law – to prosecute illegal immigrants.

Yikes! That’s right, fellow citizens, apparently D.A. Buck has some philosophically kindred spirits out there in other states. Hopefully the Colorado Supreme Court will stop this runaway train in it’s tracks before it can run roughshod (to the extent that trains, runaway or otherwise, have shoes) over more civil liberties.

Here are some previous stories related to this case.

• April 13, 2009: Judge Rules In Favor Of ACLU In Weld County ID-Theft Case
• March 9, 2009: ACLU Suit Against Weld County DA Goes To Trial
• February 9, 2009: Weld County DA Takes Jab At ACLU With T-Shirts
• November 14, 2008: Weld Co. Probe Focuses On Illegal Tax Refunds

[updated to fixed broken links]

Apparently there are some folks out there in the great state of Colorado confusing the roles of caregiver and dope dealer. Or would like to. Or would like us to. Attempts to the clarify the issue by the Colorado State Board of Health and Environment has succeeded only in making the distinction even more hazy. According to this article by Tom McGhee in the Denver Post there is a whole lotta confusion going on.

Last summer, the Board of Health defined a list of duties that could be considered “significant responsibility for managing the well-being of a patient,” for someone to qualify as a caregiver entitled to provide marijuana. But the language made it possible to qualify even if the only thing they did was provide marijuana to a patient.

The board removed the entire definition, intending to take up the issue on Dec. 16 at a public meeting.

Colorado Department of Public Health Executive Director Jim Martin said a Colorado Court of Appeals opinion released last week forced the board to take quick action.

“I don’t believe this leaves the board any leeway,” he said of the ruling made Thursday in the case of Stacy Clendenin.

In 2006, Clendenin was charged with cultivation of marijuana in her Longmont home, which is a felony.

Clendenin argued that the marijuana she grew was distributed to authorized medical-marijuana patients through dispensaries. The court found that Clendenin needed to know the patients.

By changing the rule, the state Board of Health has given itself time to consider whether to repeal the language permanently.

But it could force dispensaries and growers to offer other care as well, said attorney Warren Edson, who represents dispensaries and growers.

While many dispensaries offer other services to those buying their marijuana, it would be impossible for growers who supply the dispensaries to offer anything but the drug, said Edson.

The rule change exposes [marijuana] growing operations to criminal prosecution, he said.

“They told us in July, you don’t have to do anything but (provide) pot,” Edson said. “We have a whole industry that has grown up that is screwed.”

It isn’t the intention of the board to throw a kink in business plans of those selling medical marijuana, said health department spokesman Mark Salley. “I think it is the Court of Appeals decision that might have changed the game. All this board did was make sure it was not in contradiction with the court.”

Yep a whole new industry that popped up like weed [snicker] going up in smoke [guffaw]. Sorry, but this subject just begs the tokin’ puns. And far be it from me to take the high road.

Still you have to wonder about those unfortunate caregivers of the past, when the government was all about Reefer Madness and disinclined to tolerate them. Even to the point of incarcerating them. Will they finally be recognized as societal assets rather than parasites? Guess we’ll just have to wait for the smoke to clear. Or not.

Party on, dudes!

Steve Ragan over at The Tech Herald reports a most curious situation in this post wherein the attempted closure of The Pirate Bay [don't worry the link is to Wikipedia, not TPB] is having some unintended side effects.

The number of new file-sharing sites hosting pirated copyrighted content skyrocketed over the last three months, according to McAfee’s Q3 Threats Report. The attempted closure of the infamous Pirate Bay site spawned clones and scams as criminals used the hype to spread Malware.

“The attempted shut down of The Pirate Bay led to an explosion of similar sites, many of which are malicious,” said Dave Marcus, director of security research and communications for McAfee Labs. “The sharing of illegal content online has not been quelled by the prosecution of The Pirate Bay founders, whose site was back online within 24 hours.”

Way to go, copyright crusaders. Not only did the attempts to shut down The Pirate Bay fail miserably, but now there are even more sites providing even more dubious services. That would be way more pirated content and way more nasty malware. And these newcomers don’t even have the amusing legal messages and responses pages [again not to worry, the link is to Hip Forums] of the original. Right about now I’m thinking that maybe you would have been better off to just stick with the pirate you know.

The entire McAfee Q3 Threats report may be found here.

Recently Chris Webster, a law student at the University of Maryland Baltimore School of Law, started this email thread which I will present here with minimal editing in hopes that some experts or interested parties among you, dear readers, can chime in. Just so everyone is clear, a disclaimer: I’m fascinated by e-discovery and legal issues surrounding security and privacy and blog about these subjects fairly often. I’m not, however, an expert in this area. And I’m certainly not a lawyer. Having said that, let’s begin.

This article from the Wall Street Journal Law Blog Newsletter about an opinion Re United States, – F.Supp.2d -, 2009 WL 3416240 (D.Or. 2009) handed down by District Judge Mosman earlier this year is what started the exchange.

Here’s a question: Is it kosher for a law enforcement agency to, pursuant to a lawfully granted search warrant, search your Gmail account without telling you? According to [District Judge Mosman] the answer is yes.

The Fourth Amendment protects our homes from unreasonable searches and seizures, requiring that, absent special circumstances, the government obtain a search warrant based on probable cause before entering. . . . This is strong privacy protection for homes and the items within them in the physical world.

When a person uses the Internet, however, the user’s actions are no longer in his or her physical home; in fact he or she is not truly acting in private space at all. The user is generally accessing the Internet with a network account and computer storage owned by an ISP like Comcast or NetZero. All materials stored online, whether they are e-mails or remotely stored documents, are physically stored on servers owned by an ISP. When we send an e-mail or instant message from the comfort of our own homes to a friend across town the message travels from our computer to computers owned by a third party, the ISP, before being delivered to the intended recipient. Thus, “private” information is actually being held by third-party private companies.

It is clear that notice is an essential part of the reasonableness calculus in judging searches and seizures under the Fourth Amendment. The Federal Public Defender has argued that this constitutional notice requirement supports [the view] that the copy of the warrant and receipt . . . must be provided to the subscriber to the e-mail account, rather than just to the ISP. The notice must be provided to the subscriber because the ISP “has a far lesser privacy interest in the content of its subscriber’s e-mails than the subscribers themselves.”

This argument fails to take into account the third party context in this case. If a suspect leaves private documents at his mother’s house and the police obtain a warrant to search his mother’s house, they need only provide a copy of the warrant and a receipt to the mother, even though she is not the “owner” of the documents. (citations omitted). In such a case, it is irrelevant that the suspect had a greater privacy interest in the content of the documents than did his mother. When he left the documents in her possession he no longer has a reasonable expectation of privacy in their contents.

Chris:

I think I found a judge who reads your blog…

Much of the reluctance to apply traditional notions of third party disclosure to the e-mail context seems to stem from a fundamental misunderstanding of the lack of privacy we all have in our e-mails. Some people seem to think that they are as private as letters, phone calls, or journal entries. The blunt fact is, they are not.

I am concerned about the legal effect of this misunderstanding – are we entering a world in which all data storage is online, and so not protected by the constitution? For example, we just bought a scanner to upload our contracts and family records (bills, medical records, insurance and such).  I thought I was being a “good” lawyer when I decided to upload these to an online account. This way a disaster striking my home would not leave me without my vital records and contracts – my primary evidence in a contractual dispute. Now I am rethinking this. I never had the intention of opening those documents up to search and seizure without notification. Now my records live on a DVD in the bank vault – where the constitution still applies. DVDs in a bank vault, it’s a 19th century solution to a 21st century problem.

Very dicey topic. Thought you might want to weigh in.

Joe:

This judge is saying that on the internet you essentially have no reasonable expectation of privacy. While I agree wholeheartedly with his assessment, I would submit that the act of encrypting data that is sent into the cloud does, in fact, give you a reasonable expectation of privacy – that being the sole purpose of encrypting the data. Therefore, while I’m not sure what the legal standing is on this, it would seem like encrypted data that requires a privately held key, explicitly excluding routine data transmission encryption (e.g. HTTPS and SSL), is no different than a safe deposit box at the bank where you hold the key. In other words, while you may be compelled to provide the key subject to a court order, that court order would require probable cause.

I can certainly offer some advice with respect to the offsite archive of your personal data.

I have a Verisign OpenID (which you can get for free here). In the process you setup a “Personal Identitly Portal” which includes an encrypted “File Vault” that holds 2 GB. That’s a lot of documents. I’m exceedingly paranoid so I encrypt everything prior to putting it in my file vault using SecureZip (which you can get for free here) so there is minimal chance of exposure.

Chris:

If the Government seizes documents which are encrypted can they then seize the key from you? The request for the key would be effective notice of sorts, but would you have to provide it? I know this is a purely legal question, but I thought you might know the answer.

Joe:

Legally the answer is “yes” the government can compel you to reveal your password. Practically there are so many ways around it that the answer is “fat chance”. A really simple workaround would be for you to have an encrypted data store where only your wife has the key. A private key escrow. As you know your spouse can’t be compelled to testify (i.e. provide the key) against you.

The other point is that any encrypted data store whether online or not is not amenable to search. In other words you can’t even see what’s there so there is no way to know know what’s in it. From the point of view of Google, a Verisign file vault doesn’t exist.

If you are really paranoid, Bruce Schneier has this article all about plausible deniability. The article is about securing laptops but the principles apply anywhere.

The bottom line is, sure the government can try to compel you to reveal encrypted data, but only if they know it exists. TrueCrypt has this guidance on plausible deniability. So to be completely safe and secure you could create a “hidden encrypted volume” inside an encrypted volume and upload the encrypted container to a Verisign file vault. With a little creative key management, you would be untouchable in any practical sense.

Now you may end up doing time for contempt of court or some bogus DHS charge but your data will be safe.

Chris:

Ok, this is heading into some really interesting legal waters. Building on your last comment,  I am not an expert on the criminal side, but I can tell you that on the civil side a judge can compel discovery. If you do not comply the Judge can order the jury to draw the negative inference (meaning that they will be instructed that the encrypted document is what the plaintiff says it is, and that it says what they say it says). There is however a safe harbor for electronic documents destroyed in the course of regular maintenance – I would be interested to see if this would include encryption keys which are time sensitive, or single use.

Switching to the criminal example we are working with – if my wife had a physical copy of the key (on a hard drive or otherwise) a judge could compel production of this in the same way he could make her give over a murder weapon. If it was memorized, I suppose she could refuse.

My concern wasn’t really with the compulsion to turn it over, it was the fact that you get no notice. This allows for secret searches (fishing expeditions)  to take place. Also, presumably they have probable cause, or the warrant in this case would not have been issued.

I do find the distinction between encrypted data and non-encrypted data, and the differing expectations of privacy intriguing. However, would your expectation of privacy survive the fact that the data is housed on another person’s machine. In the example the case offers, a letter on your mother’s table can be taken into evidence without your notice if your mother’s house is searched under a valid warrant. In that case the only one who gets notice is dear old mum. It is hard to argue the ruling would be different if you had the papers in a safe at mom’s place – the result would be the same, notice to mom, none to you.  Would the same be true for packets of encrypted information on internet servers? Maybe you have an expectation of privacy with encrypted data (like with the safe) but the reality is governed by the physical location of the “evidence”. Once they have the encrypted data can they subpoena you, or your mom, or others, to compel the production of a key? I acknowledge this would give you notice. This is more proof that the internet is absolutely non-private, even when encryption leads to an expectation of privacy.

The problem is, the conclusion that the internet is a group of guest houses through which your packets pass, and at any given time are subject to ownership by the individual who runs the house, is a troubling roadblock for the development of the net. In order to streamline our society, the internet must at some point be viewed as an instant “post-office” type service. While people sometimes use the mail to do bad things, or even steal it, the Feds and suing parties can’t. In fact messing with people’s mail, even by carriers and third parties, is a crime. Shouldn’t the same model be imposed on the internet, even if it is a legal fiction? Wouldn’t such a model be better for the ISP’s and users?

Joe:

The salient feature of encrypted data is that it is useless (i.e. random noise) without the decryption key. If you hold that key then clearly you must be notified in order to compel you to provide the key, otherwise there is no evidence.

For example, let’s say that the letter you left on mom’s table was encoded using a one-time-pad. The letter is seized under a valid court order. What have they got? Diddley. Just some weird random text on a page that is meaningless until the key – which only you have – is applied to it.

Now they can try to decode it, but the chances of success are exceedingly unlikely. They may attempt to compel you to provide the key, at which point if you refuse, you may get slapped with contempt or adverse inference but either way you get notified.

So unless they can make the case that some random collection of bits is anything more than just that, it will be impossible to use it for a fishing expedition. The point being, who cares if they seize it, it’s useless.

The original court opinion was with respect to GMail type services where your data is stored in cleartext for anyone who has the legal authority or technical prowess to see. But even the U.S. government would have a hard time deciphering AES 256 encrypted data without the key in your lifetime.

As for the instant “post-office” model legal fiction you suggest, that’s called “Net Neutrality” and the main groups opposed to it are the entertainment industry who wants to control their copyrighted content (same clowns, different circus) and some large ISPs that would like to give precedence to their own content over competitors (everybody thinks they can be Microsoft). Of course that’s not what they’re saying, but it essentially boils down to that. For the record, I agree that net neutrality would be much better for ISPs and net users alike. Whether they recognize it or not.

Regular readers of this blog know that I’m a huge fan of the One Laptop Per Child (OLPC) project and the XO laptop. A previous OLPC related post may be found here. As a result I follow the OLPC News blog which recently had this great article by 16-year-old Derek Chan on his experience with a small scale OLPC implementation in Kenya.

My name is Derek Chan, I’m 16 years old, and I was part of Mark Battley’s team of high school students from Upper Canada College that initiated a small scale OLPC implementation at the Ntugi Day Secondary School.
Part of our goal was to provide Ntugi with power for their initial complement of 8 XOs and 2 Cradlepoint PHS300s at a school that had no access to the country’s power grid.

In addition to this being a very well written piece about an extremely fascinating project, Derek enumerates some lessons learned that are directly applicable to any Infrastructure and Integration project. Especially security infrastructure projects like say a Network Access Control (NAC) or Enterprise Single Sign On (SSO) project. Just replace the word “school” with “enterprise” or “business“.

Ultimately, we were successful, but not without missteps and failures along the way. We did lots of things right, but we made a few newbie errors. Here’s what we learned!

1. Learn as much as you can about your destination school’s physical resources.
2. Don’t assume that tests in the lab will duplicate conditions in the field.
3. Read all the relevant blogs, forums and bulletin boards before implementing.
4. Don’t underestimate the sophistication of local technology and expertise at your destination.

 

Let’s think about each of these in turn, much as Derek did in his post.

Learn as much as you can about your destination physical resources.
Who hasn’t heard the horror stories from the installation team that just tried to add “one more appliance” to the customer’s data center, only to find out that the power or cooling or rack space just wasn’t there. Always verify ahead of implementation that the destination has all of the physical resources required by your hardware, all of the compute resources required by your software, and all of the network resources, including IP address space, required to connect it all together. An actual visit to the site by your Systems Engineers is a really great idea. Never assume that the destination is a “typical” configuration or that the customer knows the difference.

Don’t assume that tests in the lab will duplicate conditions in the field.
Boy Howdy! This assumption ranks right up there with “no customer would ever do that” as a surefire path to failure. The point is that the lab, by definition, is an artificial environment. Sure our QA engineers do the best job they can to simulate a real world environment, but the key word here is simulate. It’s pretty hard to simulate things like network latencies or ATM noise in the lab. Remember your lab techs are good, not god. What a difference that “o” makes.

Read all the relevant blogs, forums and bulletin boards before implementing.
Not that this has ever happened to me, mind you, but I’ve heard of engineers that actually believe the promo literature and design the system around that, assuming that all the details are handled. I mean how much difference can there be between Server 2K3 and Server 2K3 R2? Yeah. Just do the homework. That’s called “due diligence” in business speak.

Don’t underestimate the sophistication of local technology and expertise at your destination.
As engineers we always like to think we’re way smarter than the mere mortals we tolerate in our presence. But never fool yourself into believing that you can understand the ins and outs of a customer’s infrastructure as well as they do. You may think they are yokels, but they are yokels with way more relevant experience than you. And they are the ones who control your payday. Just suck it up and let them make it easier (or possible) for the project to succeed.

So there you have it. Excellent advice from a 16-year-old who has already learned some important lessons. Well done Derek.

Everybody knows that social networking sites are notorious for their ill-advised exhibitionism. Folks who are reasonably demure and respectable in person get their freak on when it comes to FaceBook or MySpace. Yep, insert an internet connection between them and the world and the gloves come off. Or rather only the gloves stay on. I’ve written about this phenomenon before and warned of the need to take your online shadow seriously. But increasingly the exposure these social network exhibitionists face is more than simply embarrassment and ridicule on a worldwide scale. Prosecutors  have discovered a veritable treasure trove of unprotected self-incriminating evidence on social networking sites. This entry in the Electronic Discovery Law blog describes just such a case.

Defendant was found guilty of murdering a two year old girl left in his care and was sentenced to life in prison without parole.  On appeal, [he] argued that the trial court improperly admitted evidence from his MySpace account in violation of Ind. R. Evid. 404(b).  Taking up the “novel question” of the propriety of admitting such evidence, the Supreme Court of Indiana ruled that the trial court did not err in admitting the evidence, particularly where [his] own testimony made his character a “central issue” of his defense.  The verdict and sentence were therefore affirmed.

Yikes! Hoist by his own petard as it were. While most Web 2.0 exhibitionists are no doubt posers and certainly not murderers or child abusers, it’s going to be a little embarrassing - not to say legally damaging – if they are ever find themselves a defendant in a criminal or legal proceeding where their chief defense is good character and their FaceBook page proclaims “Gangsta 4Evah!”.

But there are further exposures as well as illustrated in this entry by Christopher Boyd on the SpywareGuide blog.

Yesterday I happened to see a particularly creepy advert containing a number of rotating images claiming to offer “Hacked Facebook and Photobucket accounts” for a price.

Yes, the site is actually called “Hackedsluts.com” and claims to offer up an endless series of images from “hacked” accounts including Myspace, Photobucket and Facebook in return for a monthly fee.

Just when you think they can’t possibly get any creepier or salacious, [they] throw in dubious claims of hacked accounts / stolen images AND [they] lob in a blood splattered “Too extreme” banner supposedly covering up some of the pictures. While this is clearly a piece of Lame Marketing 101, the overall effect of the site is extremely disturbing.

Disturbing indeed. While I agree with Christopher when he concludes that the bulk of the content on “Hackedsluts.com” is made up of stock pornographic content and almost certainly not the result of hacking social networking sites, the fact that there is an actual market for such content is a very distasteful realization. We all know what happens when you mix unsavory and illicit demand with criminal entrepreneurs. Clearly there are people out there who would pay to see you acting the tart. Only you don’t get paid (like a proper tart). That’s being a pro-bono hooker, which is just stupid. And what happens when your future boss turns out to be a Hackedsluts.com aficionado? Good luck with those sexual harassment claims. Or how about when your future ex-spouse sues for custody of your kids?

So the next time you feel like exposing yourself to the world, kick it old school and just get naked, throw on a trench coat and flash the neighbors. The indecent exposure misdemeanor will be way less exposure than an ill-considered photo on MySpace.

Strange days have found us
Strange days have tracked us down
From “Strange Days” by the Doors

I spend most of my time in the Peoples Republic of Boulder, so I’m pretty blase about strange stuff. I mean this is a place where a candidate for city council can file a campaign finance report with $14.37 to “Only Natural Pet Store” for dinner for his campaign manager, a cat named Sita. And nobody thinks twice about it. Needless to say, my Bizarro-meter is calibrated way higher than most. Nevertheless, events of this last week have pretty much pegged it.

First there was the whole Balloon Boy saga. As if a runaway helium filled mylar flying saucer thought to have a six-year-old stowaway aboard wasn’t bizarre enough, it turns out to be an elaborate hoax for purposes of snagging a reality TV show. Move over John and Kate plus Octomom. This totally raises (or lowers) the weird-stuff-fools-do-to-get-on-TV bar. Here is a timeline of this odd affair.
Oct 20:
FAA investigating Colo. balloon flight
Griego: A better image of parenthood
Hollywood acquaintances say balloon boy’s dad always wanted fame
Oct 19:
Balloon boy saga “absolutely … a hoax,” Larimer sheriff says
Sheriff admits misleading the media to win trust of balloon boy’s family
Oct 18:
Fort Collins parents face felony charges in “balloon boy” case
Balloon escapade a hoax police say
“Balloon boy” responders dealt with roller coaster of emotions
Experts say TV cameras alter family dynamics, like in “balloon boy” case
Sheriff expects charges to be filed against Colorado family in “balloon boy” case
Oct 17:
Charges pending in “balloon boy” saga
Balloon family has pushed for television spotlight
Sheriff has questions, says he believes family
Oct 16:
‘Balloon boy’ found safe at home
Oct 15:
Feared lost in balloon, boy found at home

Yep. It just keeps getting weirder and weirder. Culminating in what will no doubt be the most popular Halloween costume of 2009 and this YouTube spoof Real Men of Genius: Heene. Just think, all this took place in the normal part of Colorado.

And then there was this pair of stories about insurance company craziness. In the first, an infant was denied coverage due to pre-existing condition: “obesity”. In the second a two-year-old was denied coverage due to another pre-existing condition: “underweight”. Yeah, that’s what I thought too. I gotta tell ya, this doesn’t do a lot for the credibility of insurance companies in my mind. Although I have no problem believing that insurance prices will go up if the health care legislation currently being debated in congress is passed. Or not. Whatever happens I’m pretty sure that they’ll find a way to take more of our money and deliver less coverage.

And in the “Best Job Ever” category Westword, a Denver alternative newspaper posted an ad for a reviewer of the state’s marijuana dispensaries and their products. Hey, they don’t call it the Mile High city for nothing!

All this during the week that the Denver Broncos went 6-0 in a seasons where most of us thought they would be lucky to win 6 at all. If this isn’t concrete evidence of the existence of a God who watches over His Broncos I don’t know what is.

Oh, I almost forgot. Microsoft released their long-awaited new OS – Windows 7 which was Amazon UK’s biggest pre-ordered product of all time. Unseating the previous title holder Harry Potter and the Deathly Hallows. Now if businesses will just follow the consumer herd, Microsoft will be golden. And I will totally need to re-calibrate my Bizarro-meter even higher.