On Government Communications Surveillance

There’s no lack of evidence to show that there are people in the world who think that an appropriate response to the misdeeds of the West is to bring the death and destruction back and throw it in our faces. I fail to understand this logic of revenge, but unfortunately there are many who embrace it. Humanity has a long history of failing when it uses evil to counter evil, but we never seem to convert this knowledge into wisdom.

This might be surprising, but because of this I’m not entirely opposed to government communications surveillance for security reasons, even the communications of their own citizens – after all, most acts of terror come from hateful people within our culture, not from the stereotypes the media is so enamoured with.

Silicon Valley – Adjusting to the Internet’s Long Tail?

Over the past year or so there’s been an unusual amount of public navel gazing on the investor side of Silicon Valley (and by proxy most of the North American venture capital space). Venture capital companies have an image of being slow, demanding, and cumbersome, solely focused on big wins with huge valuations. So-called “super” angels have emerged to fill a void in the VC deal space, and new hybrid models like that of YCombinator have emerged.

As Max Levchin observes, angels have an interest in lower-valued exits. He concludes that the positioning of super angels as VC alternatives has resulted in a “lack of visible significant innovation”. While Levchin’s observations are correct, I’m not certain that it’s the angels’ fault.

Instead, I think we’re reaching the “long tail” of the Internet, and we need to look for innovation elsewhere. The big hits in the Internet space have all had to do with providing analogues of existing human behaviours, and the number of untapped behaviours is diminishing. A preponderance of incremental innovations with corresponding low exits is only to be expected.

We have been so focused on Internet-related innovation for the past decade and a half (and software for the decade previous) that a lot of investors seem to have forgotten that there are alternatives.

It’s not that there’s a shortage of demand for innovation. There are many areas that need great minds and risk capital. Unfortunately those aren’t the opportunities that can be exploited by a bright kid with six months of programming experience. They’re big, capital-intensive, long-term projects that need teams of highly skilled people to address them. Some of these problems are critically important. They need to be solved if we’re going to preserve our current lifestyle, if not ensure our survival.

If the investment community wants to innovate, it’s going to have to stop looking for the ultimate solution to determining how to rank “influence” on Twitter, and instead look for better transportation solutions, better solar power generation, methods to scrub carbon dioxide out of the atmosphere, local power generation and distribution, and solutions for other truly important problems.

While North America becomes increasingly concerned about its own relatively trivial problems like how to make an even cooler handheld device, our ability to innovate our very concept of innovation is collapsing in on itself like a dying star. Meanwhile, Asia is fast becoming the true leader in innovation, and unless we pull out of this “make it big on the Internet” vortex, it won’t be long before we’re buying critical technology from abroad.

Let’s not blame the angel investors. Levchin says “we should aim higher.” He’s right. The question is whether or not we know which way is up.

Assisted Suicide: YouTube Helps Music Goliaths Become Irrelevant

A few days ago, YouTube began muting the audio tracks of videos that contained “unauthorized” copyright material. Some videos will now have the notice “This video contains an audio track that has not been authorized by all copyright holders. The audio has been disabled.” displayed beneath them.

This is a good move for YouTube. It will help absolve them of any liability for “broadcasting” content that the RIAA cabal deems worthy of protection.

It’s not such a good move for the RIAA and similar groups. A music track is an essential part of many videos, and we can be pretty sure that not many people who produce them are going to go to the trouble of obtaining copyright clearance. Instead, they’re going to seek unencumbered music. This is going to drive up the demand for “open” music, which will in turn cause more musicians to provide the same in exchange for some small promotional credit on the video.

Thus a win-win is born. Video creators will have access to more music they can use, musicians will have a showcase for their work with a potential for global profile that would otherwise be difficult to obtain. How long will it be before this exposure results in a musician who “makes it” in the mainstream? It will only be a matter of time.

How will these musicians feel when a big label comes along to offer them a contract that pays a fraction of the revenue they actually generate while insisting that they turn their backs on their roots by joining the copyright cartel? Some will buy in to the promises and sign up, but some won’t. Instead they’ll seek new methods and revenue models for distributing their work. Perhaps they will make the bulk of their money from live performance, or maybe they’ll find other ways to do it, but they will eventually succeed at it.

Once a successful formula has been found, those who seek to maximize revenue by controlling distribution will have lost the final step in their battle. They will have successfully spawned a revitalized industry that makes them irrelevant. This has always been inevitable, but YouTube’s move will certainly accelerate the process. To me it is amazing how, blind to reality, this industry continues to find ways to kill itself off with ever greater efficiency.

Kudos to YouTube; yet another dunce cap to the established music distribution business.

The Anatomy of a Security Breach

“Joomla!” had an extremely serious security issue arise earlier in the week. I’m pretty deeply involved in the project, and I happened to be on the Bug Squad chat when the news broke. The issue was not a SQL injection problem, as many sources assumed and then reported as fact. Ironically, it had to do with defeating a session security feature. The security problem was a programming error. “Joomla!” goes through extensive procedures to defend against SQL injection, and from version 1.5 onward, such a vulnerability in the core code is highly unlikely. [Extensions are another matter. I strongly recommend that users only install open source extensions that have either been audited or that have broad community support.]

Even though this problem caused a fair bit of damage, I’m very proud of how the “Joomla!” team responded to the problem. This was a worst-case scenario: the exploit was published with no advance notification, and it was dead simple to implement.

The first we heard of it was a post on the Dutch “Joomla!” forums. One of the Bug Squad team members mentioned this in chat on August 12th at 15:50 EST. We immediately took steps to verify the issue, and then, once confirmed, to remove the details from the forum post. A patch was made available for testing at 16:10. A full package release was made available for testing at 18:19. Announcement of the release was made on joomla.org at 18:57, and by 19:40 update packages were also available. That’s three hours and 50 minutes from report to full public release. If that’s not a record I’ll be surprised.

What is distressing is that a large number of security focused sites reported this as a SQL injection vulnerability, along with a variety of other erroneous or misleading information. Almost a week later, many have corrected their errors, but several have not. Considering that the “Joomla!” team responded so quickly, and that complete information was posted as the first item on the joomla.org web site before the exploit became widely known, this suggests that many of these sites simply repeated each other’s misinformation, rather than taking even the smallest steps to verify the report.

Granted, a sample size of one event is not sufficient to draw conclusions, but if this is any indication of how “trusted” security information sources behave, then it is no wonder that the whole security field has a serious credibility issue. These kinds of reports are extremely serious matters, with a lot of potential for damage. Certainly the timeliness of information is critical, but hopefully not at the expense of accuracy. The security community has a deep obligation to perform the simplest verification of facts before rushing to publication.