The Israeli/Gaza War

Let there still be hope.

Everyone wants everyone to say something about what is happening in Israel and Gaza. Here in Switzerland the conversation since the attack has been All Israel All The Time. Everyone around the world has an opinion, of course. Here in Switzerland, the discussion is thoughtful. You would not hear anyone defend Hamas’ murderous actions.

It’s one thing to have opinions; it’s quite another to be grieving the loss of one’s friends and/or family, and worrying about one’s children who have been called up. My employer’s Israeli offices are somewhat emptier for that reason.

President Anwar Sadat, Prime Minister Menachem Begin, and President Carter

I look up at my office wall these days and see a response from President Ford’s staff to a letter I wrote him in 1975 about Israel when I was a child. I remember writing him, suggesting that he throw both the Israeli and Palestinian leadership in a room and not let them out until they have a peace plan. Back then I knew I had the answers.

Prime Minister Itzak Rabin, Chairman Yasser Arafat and President Bill Clinton.

Over the years, there have been signs of hope. Seeing Sadat engage Israel, or the work that successive administrations undertook that led to the famous handshake you see here. Those days led to the hope that Israelis and Palestinians could live side by side.

Now I worry that this conflict will survive me and my generation, as it will have our parents. I hope and pray that it does not outlive our children, and that they will be more imaginative than us.

You may have seen my #MusicMonday list. Last week’s contribution was Hatikva. The Hope survived, even as many of the children in that video did not. The hope of peace and prosperity must survive for all. My only plea is for all parties, Israelis and Palestinians in particular, to work to preserve that hope.

Ain’t No Perfect. That’s why we need network protection.

If Apple can blow it, so too can the rest of us. That’s why a layered defensive approach is necessary.

When we talk about secure platforms, there is one name that has always risen to the top: Apple. Apple’s business model for iOS has been repeatedly demonstrated to provide superior security results over its competitors. In fact, Apple’s security model is so good that governments feel threatened enough by it that we have had repeated calls for some form of back door into their phones and tablets. CEO Tim Cook has repeatedly taken the stage to argue for such strong protection, and indeed I personally have friends who I know take this stuff so seriously that they lose sleep over some of the design choices that are made.

And yet this last week, we learned of a vulnerability that was as easy to exploit as to type “root” twice in order to gain privileged access.

Wait. What?

Ain’t no perfect.

If the best and the brightest of the industry can occasionally have a flub like this, what about the rest of us? I recently installed a single sign-on package from Ping Identity, a company whose job it is to provide secure access. This simple application that generates cryptographically generated sequences of numbers to be used as passwords is over 70 megabytes, and includes a complex Java runtime environment (JRE). How many bugs remain hidden in those hundreds of thousands of lines of code?

Now enter the Internet of Things, where manufacturers of devices that have not traditionally been connected to the network have not been expert at security for decades. What sort of problems lurk in each and every one of those devices?

It is simply not possible to assure perfect security, and because computers are designed by imperfect humans, all these devices are imperfect. Even devices that we believe are secure today will have vulnerabilities exposed in the future. This is one of the reasons why the network needs to play a role.

The network stands between you and attackers, even when devices have vulnerabilities. The network is best in a position to protect your devices when it knows what sort of access a device needs to operate properly. That’s your washing machine. But even for your laptop, where you might want to access whatever you want to access, whenever you want to access it, through whatever system you wish to use, informing the network makes it possible to stop all communications that you don’t want. To be sure, endpoint manufacturers should not rely solely on network protection. Devices should be built with as much protection as is practicable and affordable. The network provides an additional layer of protection.

Endpoint manufacturers thus far have not done a good job in making use of the network for protection. That requires a serious rethink, and Apple is the posture child as to why. They are the best and the brightest, and they got it wrong this time.

Taxing Bitcoin? IRS gets involved

Once again: is bitcoin a currency, and do currency rules apply? Or is it a capital asset and do those rules apply?

The Wall Street Journal is reporting that a large Bitcoin exchange Coinbase has been served with a so-called “John Doe” warrant in search of those people attempting to evade taxes. A number of privacy advocates are upset at the breadth of the warrant, because it demands access for an entire broad class of people, and not specific people.

Bitcoin is used for all sorts of nefarious purposes, including online ransoming. Tax evasion would be the least of its problems. Were Coinbase a bank, they would be required to inform the federal government of transactions greater than $10,000 or of those individuals believed to be structuring transactions to avoid the $10,000 filing requirement. These are anti-money laundering provisions that go hand in hand with tax enforcement.

And so my question: if it is wrong for the federal government to make such a demand of Coinbase, is it also wrong of them to make the same demand of banks? If it is not, then why should Coinbase be treated differently? And if Coinbase is not treated as a bank, is Bitcoin then not a currency? If it’s not a currency, should it be treated as a capital asset for taxing purposes? If that is the case, how would the IRS be able to enforce the reporting requirements associated with assets?

The alternative seems to be to trust people to not launder through Bitcoin. If history, including recent history, is any measure, that’s a bad idea. Either way, Bitcoin has already shown that privacy has its downsides.

Finding REAL News as Opposed to Fake News

Here are three simple tests to determine whether a site is a trustworthy news outlet. Are there multiple sections? Does it have multiple news bureaus? Does the site post corrections?

The great New York Senator Daniel Patrick Moynihan famously said that everyone is entitled to his own opinion, but not his own facts. Unfortunately, our democracy is being undermined by a combination of an epidemic of fake news and people being willing to believe the drivel.

What, then, are trustworthy news outlets? To start with, they have to have paid reporters. Determining the truth requires investigation with feet on the ground. It requires document searches, interviews, and research. That costs money.

Still, a well funded propaganda outfit could pay (or claim to pay) for “reporters”. How to tell the difference? Be suspicious of any site is primarily focused on national politics or any single issue.

Here are a three tests to guide someone as to whether a news outlet is likely legitimate for daily consumption. The tests themselves aren’t perfect, but they’re pretty good.

1. Does the outlet have many news bureaus?

A real newspaper will have at least one regional bureau for the region they are covering, and will often have an additional bureau for a state capital or for Washington. Fake news sources may not have any bureaus. A simple test is to type the name of the site and then “news bureaus” into a search engine and examine the results. Note that a regional paper will tend to have only a few bureaus outside their region. That’s okay, so long as they stick to news where they have those bureaus and more importantly reporters.

2. Does the outlet have multiple unrelated sections?

Real news sources will have sections such as weather, sports, obituaries, arts, finance, and region, as opposed to just politics. They may not have all of these sections: for instance, the Wall Street Journal doesn’t have a weather section, but their finance section is unparalleled.

3. Does the outlet ever publish corrections?

Even if the answer to the first two questions is “yes”, no one is perfect. But a good news outlet will recognize their imperfections and always seek to report the truth, no matter how embarrassing it may be. A good measure of an outlet’s trustworthiness is how regularly they correct themselves.

Let’s Test

Given these parameters let’s see whether a web site is a good source for news.

Source	Multiple Bureaus?	Unrelated Sections?	Corrections?
The New York Times	Multiple, throughout New York, US, and the world	NY region, sports, weather, obits, arts	Regularly at the bottom of an article online, or in a section in paper.
Fox News	Multiple affiliates	Sports, weather, numerous regions	Not too often.
Breitbart	Four bureaus	no	Very rarely
Wikipedia	No	Yes (vast)	Entries are continually edited
The Daily Caller	No	No	Never
NPR	Many regional affiliates along with international bureaus	Numerous	Regularly online and on radio
The Wall Street Journal	Strong presence in financial capitals	Finance, Travel, even some Sport	Regularly at the bottom of articles
Politico	Primarily national, with a few state and international bureaus	No	Very Rarely

Trust, of course, is not a binary. That’s why it’s important to get information from multiple sources, maybe not every day, but regularly. Also, just because something is not marked as a trustworthy news outlet doesn’t mean their lying. It does however, mean, that they’re something other than a trustworthy news outlet. A blog, perhaps, or an analysis site. Wikipedia is an interesting case because nobody gets paid, but the information tends to be reasonably trustworthy (or at least transparent).

All of this doesn’t get people off the hook from using their common sense. RT would easily pass the above tests, and yet they are a well known and well funded propaganda arm of Vladimir Putin. Probably not a good news source. Most blogs aren’t so well funded.

Should Uber require a permit for testing?

The Wall Street Journal and others are reporting on the ongoing battle between Uber and state and local governments. This time it’s their self-driving car. Uber announced last week that they would not bother to seek a permit to test their car, claiming that the law did not require one. The conflict took on a new dimension last week when one of Uber’s test vehicles ran a red light.

Is Uber right in not wanting to seek a permit? Both production and operation of vehicles in the nearly all markets are highly regulated. That’s because auto accidents are a leading cause of death in the United States and elsewhere. The good news is that number is falling. In part that’s due to regulation, and in part it’s due to civil liability laws. I’m confident that Uber doesn’t want to hurt people, and that their interest is undoubtedly to put out a safe service so that their reputation doesn’t suffer and their business thrives. But the rush to market is sometimes too alluring. With the pace of technology being what it is, Uber and others would be in a position to flood the streets with unsafe vehicles, possibly well beyond their ability to pay out damages. That’s when regulations are required.

There are a few hidden points in all of this:

As governments consider what to do about regulating the Internet of Things, they should recognize that much of the Internet of Things is already regulated. California did the right thing by incrementally extending the California Vehicle Code to cover self-driving vehicles, rather than come up with sweeping new regulations. Regulations already exist for many other industries, including trains, planes, automobiles, healthcare, electrical plants.
We do not yet have a full understanding of the risks involved with self-driving cars. There are probably many parts of the vehicle code that require revision. By taking the incremental approach, we’ve learned, for instance, that there are places where the vehicle code might need a freshening up. For instance, self-driving cars seem to be following the law, and yet causing problems for some bicyclists.
IoT regulation is today based on traditionally regulated markets. This doesn’t take into account the full nature of the Internet, and what externalities people are exposed to as new products rapidly hit the markets. This means, to me, that we will likely need some form of regulation over time. There is not yet a regulation that would have prevented the Mirai attack. Rather than fight all regulation as Uber does, it may be better to articulate the right principles to apply. One of those is that there has to be a best practice. In the case of automobiles, the usual test for the roads is this is whether the feature will make things more or less safe than the status quo. California’s approach is to let developers experiment under limited conditions in order to determine an answer.

None of this gets to my favorite part, which is whether Uber’s service can be hacked to cause chaos on the roads. Should that be tested in advance? And if so how? What are the best practices Uber should be following in this context? Some exist.