Cross-posted from Web Insecurity

I often get into discussions about whether people really do care about privacy, given that they give away personal information regularly when they share with friends via Facebook or other services. A recent report suggests that people do care, at least when it comes to banking and shopping:

The Edelman study released in February 2012 shows that consumer concerns about data privacy and security are actively diminishing their trust in organizations. For instance, 92% listed data security and privacy as important considerations for financial institutions, but only 69% actually trusted financial institutions to adequately protect their personal information. An even sharper disconnect can be seen with online retailers, with 84% naming security of personal information as a priority but only 33% trusting online retailers to protect it.

The blog of the Office of the Canadian Privacy Commissioner (from which I drew this quote) sums it up in the title: Privacy: Not just good business, but good for business.

But I have to wonder, do these numbers indicate that privacy-preserving businesses will be winning customers, or will we simply see claims of privacy that aren't backed up by carefully constructed systems? Do consumers really care about privacy or do they just say they care? How will consumers evaluate potentially spurious privacy claims? In Canada we at least have the privacy commissioner who brings issues to light, and worldwide we have the Electronic Frontier Foundation, but while both organizations are astute and do their best, privacy claims are something that will need to be evaluated by organizations like Consumer Reports that are used by consumers when making decisions about where they spend and keep their money. Right now, by and large, we only hear about the relative privacy of an organization when a breach occurs.

I attended a talk on Internet voting yesterday and the speaker quoted an official in DC who claimed that, "voters like internet voting, so it must be secure," which is really quite a terrifying quote if you think about it. The speaker joked, "does this mean that because my kid likes cake, it must be healthy?" It really clearly demonstrates first that users of the system have very little understanding of its safety (despite strides in the area, internet voting as currently implemented is rarely secure) but also that officials who roll out such systems have little understanding of the flaws of the system and are much too willing to overlook them for convenience sake. If this is the case with voting, it's hard to believe that business would avoid such cognitive mistakes.

Honestly, I think I make more resolutions after GHC than I do at new year's. I'm always so inspired!

Thing 1: Pushing the development of the GNU Mailman UI

Two things came together for me at the conference:

1. One thing I heard frequently while working the free and open source software booth is that there are plenty of folk interested in getting involved with open source, but they're not sure where to start.

2. I came home with a suitcase full of paper prototypes and pictures from the Mailman 3.0 part of the codeathon for humanity on Saturday. I was looking at spending my evenings digitizing them and turning them into functional prototypes.

So... I asked for help! Transcribing paper prototypes isn't the most glamorous of work, but it's a great place for a beginner to start, and given that we're hoping to have a Mailman 3.0 release as soon as possible, new contributors would have a chance to ramp up to doing real code commits very quickly. Plus they'd be able to see their code go out and be used in the real world sooner rather than later!

I posted to the Systers list knowing I wasn't the only one feeling the post GHC rush, and I posted to the Mailman list knowing we had a would-be contributor who wanted to help.

What I wasn't expecting was that I'd have talked to NINE volunteers in less than 24 hours. How awesome is that? And most of them are women as well!

Now I have the problem of making sure I have enough for everyone to do, but with a variety of skill levels I'm sure we won't have any trouble finding stuff for everyone. I'm so excited, and I hope they are too!

Associated goals:
- Allocating more of my time to serious Mailman development.
- Getting more women involved in open source.
- Improving the usability of Mailman 3.0
- Speeding up development of the Mailman 3.0 UI.
- Doing some teaching/mentoring since I love it but won't be doing it at work this year.

Thing 2: e-textiles

The first thing I did after I got home from GHC11 was sleep. But when I woke up in the middle of the night, the second thing I did was order stuff from SparkFun. :)

I've ordered a couple of simple e-textiles kits and the goal will be to play with them. I made an awesome monster at the GHC e-textiles workshop and I was eager to do more. The end goal is to build a set of lights into my new coat that respond to my movement in some way (See the tentative wishlist), but for now I'm going to make a lit cuff/armband for walking at night and experiment with the neat little aniomagic chip 'cause it looks like so much fun!

Associated goals:
- meeting more people in the local community
- actually becoming a member of a hacklab to support my projects
- making it safer for me to walk home in my beautiful-but-not-visible new black coat
- experimenting with e-textiles
- doing some more hardware-oriented projects
- making sure I had a project that would take me away from the computer

Not-quite-a-Thing 3: Not biting off more than I can chew

A common theme at GHC is reminding people that we have to really be careful about time management so that we don't get overloaded, so I'm choosing those two things that cover lots of my personal goals, and I'll aim to do them well and save the other things I want to try for later. Wish me luck!

I'd love to hear how other people are using what they learned at GHC11!

I got an audiobook to play on my MP3 player today, and it was a chore and a half with around 5 hours worth of upgrades. I could write a post about the procedure, but that's been done.

Brad Colbow's comic pretty much sums up the DRM problem best, I think. Getting DRM-protected content sucks, but libraries often have such systems in place to allow lending. I hate DRM, but I like my library, and I really like the idea of libraries being able to lend electronic content in a way that makes sense.

What I want to know is "what we are doing about it?" I know plenty of folk interested in open technology/culture... do any of you know of alternative software available to libraries? Resources they could use that would be more awesome and still enable lending?

(Related reading: Across the Digital Divide talks about why the whole "print is dead" thing leaves a lot of people in the dust. If you think about it in that context, making it easier to lend electronic resources in the future could be a bigger deal than you'd think.)

Usually I see people recommend you donate to the EFF or somesuch. And that's a good idea in general, but... I mean, I know I'd like to just have a world that was DRM-free. But apparently this is not a solution that works for my library, or more to the point it's not a solution that works for the places where my library obtains content. I want DRM to be dead, but I also would like to be able to borrow electronic resources a little sooner than never, thanks. Surely there are folk out there who are willing to sideline the ideology for now and just try to make something that's actually good?

So... what *are* we doing to make it easier for libraries to lend us electronic stuff?

One last blog post for today, I promise!



I've been completely remiss in mentioning this. (I blame thesis, as usual.) My friends Mary and Valerie have started the Ada Initiative to support women in open technology and culture, and they're looking for a few more donors to round out their initial funding round.

I regret that right now I don't have money to support them financially or time to be a bigger part of what they're building, but what I can do right now is tell you why those of you who can donate should do so.

Some of you may already know one or both of them. If you don't, you should know that Valerie and Mary are both awesome at getting things done.

When Mary was running Linuxchix, not only did she keep things in basic working order, but she also had a great vision for driving things ahead and doing more. While the new coordinators have done a good job of keeping things going, I'm really sad that when she left we lost that extra push to go beyond our original mission. After a women-in-tech BoF Valerie organized (and I attended) at the Linux Symposium, she went on to write the HOWTO Encourage Women in Linux, making sure that the things we'd discussed could be brought to a wider audience. They go beyond the level of keeping afloat as non-stereotypical geek, and towards making things better.

There's a lot of frustrating things that come up as a geeky woman, some big, some small. I'm trying to do my part by writing for geek feminism and bringing attention both to the good and bad. But Valerie and Mary believe they could have an even bigger impact on the problems if they worked on this full time rather than relying on all of us already busy people to work that second shift.

These are women who can recruit teams of top-notch volunteers, build networks, and seriously make a difference in the world, so if you're interested in supporting women in open tech and culture and want to know your dollar's going to have an impact, The Ada Initiative is a great cause.

From The Advantage Of Dual-Identities (A Case Study of Nabokov), I bring you this quote:

It’s also important to note that the advantage of having a “dual-identity” – being both a novelist and a scientist, for instance – isn’t limited to Nabokov. According to a study led by Jeffrey Sanchez-Burks, a psychologist at the University of Michigan, people who describe themselves as both Asian and American, or see themselves as a female engineer (and not just an engineer), consistently display higher levels of creativity.

So as a female, half-asian all-canadian researcher, I'm clearly better at creativity than all those boring white dude researchers?

... I don't even know exactly where to begin on this. So I'm going talk about Bones for a minute. I've been watching it with my sister lately while we do other things (crochet, do mending, wander around looking for things in an mmo, eat dinner, etc.) and the other day she pointed out that she loves how the show deals with Angela, or really, how it doesn't. See, Angela Montenegro is the team's artist: she does sketches of the victims. But she doesn't stop there: she also coaxes data off broken camcorders and swallowed flash drives doing digital forensic work. She's an adept computer programmer who writes software that helps visualize and model what happened during a crime. What's cool about Bones is that it's totally taken for granted that she can be an artist and a coder. (And really, pretty much whatever else she wants to be.)

So I guess while I fundamentally agree that having multiple "identities" is a huge asset to my work and creative abilities, I sort of feel like... why are they making such a big deal about this, as if it's some hugely abnormal thing. Why can't they just accept that Angela can draw and code? Why do people insist on compartmentalizing people into single skill sets? I can drive a car and code and no one thinks that's weird, but plenty of people have commented with surprise that I can edit a magazine (yes, I used to do this) and write code. Hello, world?

The article just makes me a little uncomfortable. This worst part is the paragraph about how the US will be overrun by mixed-race folk like me with superior creative skills -- awkward racial superiority with a different spin -- but even the study methodology doesn't quite sit right with me at a first reading. But maybe the article is simply a journalistic reflection of research into of a real logical fallacy that people often employ: the assumption that one must specialize in only one skill to be the best person one can be. That's one of those things that might be true for programs, but I really haven't seen much evidence of it being true for people.

Despite my issues with the article, I think it's got a nice take-away message: it's a-ok, normal, and maybe even superior to have and use your multiple identities. And don't let incredulous folk tell you otherwise.

A friend pointed out this sort of fun take on wishlists. I like especially that there's no need for the request to be physical items so much as help with something, so I've been thinking about things I want that maybe other people could help with...

1. A new web design for http://list.org. I've been promised near-complete creative control if and when I'd like to redo it, but haven't had the time, and if someone could hash out a design or two for me to start with it'd save a lot of trouble. Or you could do the whole thing including reorganizing the content -- that's even more time I don't need to spend! It'll have to be highly standards compliant, and preferably fairly simple/minimal/clean -- absolutely no flash, probably no JavaScript even. I can sit down with someone and explain my vision for this project and known issues with the existing site in more detail if necessary.

2. Beautiful demos and/or integration of my students' code into Mailman 3. I have some students who did some lovely work on the archives of Mailman (you can read their summer of code blogs here and here) but haven't had time to integrate it. I really want to do this myself, but if I wait for me to have time it may not get done 'till summer of code starts up again... The code is in python, and even if you're not a coder doing some nice web design for the UI to show off the functionality the students have built would also be amazing.

3. Someone to drive Now We Must Fight forwards. This means someone who can organize a location to start shooting with sufficient light and space, as well as coordinate the schedules of a handful of fighters, choreographers and crew. In a similar vein, someone to coordinate readers and recording for HL. I just haven't sat down to get people over for a recording session and could use someone to set a date in mid-January and possibly edit the resulting audio recordings. I have new project books and can host, I just need a nudge to set up a time (likely mid-january).

4. I *was* going to say find me the perfect job when I started writing this list, but since I currently have an offer in hand, I think perhaps that would not be a tactful request. However, I do have a few friends who are job hunting and would love leads. Three who might be able to find help here: a highly experienced DBA (esp. Oracle) who would like to stay in Ottawa, a (mostly windows) system admin who would prefer to stay in Ottawa (but might be more flexible for the perfect job), and finally a senior(?) software developer who is more mobile.

5. I'm looking for a miniature figure for my current role-playing character in our d&d 3.5 campaign. She's human, a favoured soul of Kord, and will probably be wearing heavy armour and wielding a greatsword. I hate stupid fantasy armour (e.g. must protect the boobs, not display them), and I don't like minis that look angry. Bonus if you can also find a mini for my sister's character, who is a rogue/swashbuckler who likes to use atypical weapons (I think she's currently using a halberd?). Again, no stupid armour. You don't have to buy said figure: pointing out models that might work would be awesome. :) Painted would be nice, since I haven't had much time for detail work myself. Sketches of the two characters adventuring together would also be fun for our (private) game website!

6. I could use some coding help with my thesis work (currently using webkit/chromium). I actually *can* delegate some of my code to someone else if you'd like to be an unpaid (but credited) research assistant, but what I really could use right now is pointers to good tutorials and documentation for my own edification. I'm currently interested in modifying CSS and co-opting the HTML5 iframe sandbox implementation. I'll likely be interested in creating chrome/chromium plugins too. By the time I get back to this from the theory work I'm doing now, I'll probably have forgotten all I know, so even lower-level tutorials would be awesome.

7. Recommendations of graphic novels/manga that are neither too dark nor too inane. Think of stuff like Girl Genius, Meridian, early Elfquest (wow, their site is irritating), even Ex Machina (which is actually somewhat dark, but with a lot of light shining through). I periodically get good recommendations for darker stuff, but I've been craving sweeter stories with happier endings and less angst and gore of late.

8. http://planeteria.org/wfs/ seems to be down, and I miss the aggregator of women in free/libre open source software that used to be there. Can someone tell me what happened? Anyone want to start a new one? I'd like it to use software that can do the aggregation and let users sign up and edit their own feeds, with a few folk having editorial control to keep spammers from taking over. I can volunteer to help with the editorial control if needed.

9.Help understanding US medical insurance and other minutiae about moving to the US as a foreign national. I have an offer that I'm really excited about, but I feel barely qualified to understand the benefits package, let alone what the conditions on my working in the US will likely be, or even how I go about paying taxes (and who gets what?). Are there good "immigrating to america as a tech worker" resources I should be perusing?

10. And just so there's one thing that fits the stereotypical consumerist mould for wish lists... I really want this necklace of pi to 35 decimals. Really really want it. Wouldn't turn down the excellent Fibonacci necklace either. ;)

If you can help with any of those, I would very much appreciate it! And I'd love to see your wishlists too!

Valerie and a number of my feminist friends have been working on a generic Conference anti-harassment policy which can be adapted to suit specific events. This is a response to quite a number of incidents that seem to crop up in geekdom. (And those are just the ones we know about and have recorded -- many people prefer not to talk about problems publicly for various reasons.)

You can read about the conference anti-harassment policy on geek feminism, and even hacker news has picked it up with the free link to the article on LWN.

I want to urge conference organizers to take a look at the policy and consider adapting it, even if you don't know of any problems at your event. Here's a few reasons:

1. It's a signal that you're serious about the safety of the folk at your event. How can that possibly be a bad thing?
   
   
2. It helps your staff recognize when there may be a problem. This makes it easier for them to do their jobs!
   
   
3. It gives your staff a starting point for what to do if something happens. That also makes it easier for them know how to respond appropriately.
   
   
4. It makes it clearer to attendees what constitutes appropriate behaviour at your event. This is a courtesy since explicit rules are much easier to follow than implicit ones!
   
   
5. Remember that a number of geeky folk have particular trouble sussing out unspoken rules, whether that's due to being non-neurotypical, just being so focussed on geekery that other more social rules get missed, or any other reason. It's easier if people don't have to guess the rules.
   
   
6. The point of the policy is to prevent problems from occurring in the future. Implementing it isn't going to imply to anyone that you've been hiding incidents, and being asked to implement it doesn't mean that people think you've been inviting skeezy, scary folk to your events. It's probably just an explicit statement of rules that you thought were obvious.
   

Think of it like a seatbelt: hopefully you'll never need it, and maybe it'll make a few folk uncomfortable, but you'll be happy it was there if you have to slam on the brakes. Wearing your seatbelt isn't an admission that you're a bad driver, it's just an admission that you can't control the behaviour of other people, so you might as well do your best to stay safe.

Starbucks' Christmas Bokeh
by pierofix.

Engineer Gary LosHuertos decided to try Herding Firesheep in New York City: He sat down in a Starbucks, opened up his laptop and started gathering profiles, then sent messages to people whose facebook accounts he could access warning them of the security flaws. Some people closed up and left, but some just ignored his message and went on with their day. Confused, he sent another message, but they just didn't seem to care and continued using their accounts.

He was appalled that people, even when warned, would ignore a security flaw, but it's actually well known that people reject advice. The interesting part of the story comes with Cormac Herley's paper "So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users" -- it turns out that it makes perfect sense that people refuse to do security things, and fixing the flaws that firesheep draws attention to is just another example of where security advice just isn't worth following.

You can read the full version of this post on Web Insecurity: Apathy or sensible risk evaluation: why don't people care about security?

This has been cross-posted from Geek Feminism, but I found this research really fascinating so you're getting a full copy here too.


You might think if you put together a lot of smart people, you'd get a smart group, but new research into group intelligence shows that's not always the case. (For those of you who don't have access to online journal subscriptions through your local library or university, there are more details in the Carnegie Mellon University press release.)

What we found is that the intelligence of the team members was not significantly related to the collective intelligence, either positively or negatively.

[...]

Our first observation and the one that surprised us the most was that the proportion of females in the group seemed to be strongly predictive of the collective intelligence of the group.

However, when they looked more closely they realised that it wasn't the gender that mattered, but rather the social sensitivity of the group members (previous studies had shown that women tend to score more highly in social sensitivity).

It's not the intelligence of the group members that matters; it's their social sensitivity.

So the more your group members were socially sensitive, the better the group performed in measures of collective intelligence. The key here was that group members need to collaborate, and to do that they needed those social skills to help them work together. This includes some different conversational patterns: groups where one or two people dominated conversations exhibited low collective intelligence, while groups where more people contributed had higher collective intelligence.

This scientific research is potentially a big blow to the standard "meritocracy works" theory often espoused in open source and computing groups. Standard meritocracy rules say you do clever things and you get accepted, and this will make for perfectly good teams. But given that there's often bias that dismisses "soft skills," it turns out that folk may actually be using typical geek meritocracy rules to weed out some of the people we need to make the group most effective as a whole.

Some of my female colleagues would like to conclude that you simply just need to hire more women. While that might be easier, what it really suggests is that you need to pay attention to what people refer to as these "softer skills" and thinking about who's going to be a good team player, not necessarily focused solely on individual achievement, individual accomplishments.

So if you want to claim that the best way to build tech teams is meritocracy... you might want to think more carefully about how you define merit.

The quotes in this article are drawn from Bob McDonald's conversation with Dr. Anita Williams Woolley, the lead author, on the Quirks and Quarks interview aired October 9. You can download the podcast of the segment on collective intelligence here.

I really enjoyed this post titled Manifesto: I Am Not a Brand.

It makes me sort of want to make a list of all the other things I'm not that I keep getting suggested to me.

#1. I am not an entrepreneur. Yes, I have great ideas. Yes, some of them could make money. No, I'm not interested in sacrificing my life and sanity to push them. Some people really get a kick out of that sort of thing, but the idea of doing that stuff makes me feel vaguely ill. I know, there's all these studies touting the awesomeness of women entrepreneurs, and that's lovely, but I'm Not One Of Them. Thank you very much.

#2. I am not Japanese. No matter how much you want me to be, no matter how small my eyes are and dark my hair is, no matter how much genetically came from that country if you go back far enough, it's just not true. When I tell you I'm Canadian, I mean it, and it's the only ethnicity that really tells you anything useful about me. Accept it and move on.

I'll bet I'll think of more throughout the day, but those are the two that get shoved in my face most often of late.