Read more of this story at Slashdot.
Read more of this story at Slashdot.
Just like $2.5 trillion worth of companies around the world, the company publishing the story you are now reading is owned by private equity firms. Most people have little idea what the private equity industry actually does. The truth is terrifying.
The difference between anecdotal evidence and data is overstated. People often have in mind this dividing line where observations on one side are worthless and observations on the other side are trustworthy. But there’s no such dividing line. Observations are data, but some observations are more valuable than others, and there’s a continuum of value.
I believe rib eye steaks stakes are better for you than rat poison. My basis for that belief is anecdotal evidence. People who have eaten rib eye steaks stakes have fared better than people who have eaten rat poison. I don’t have exact numbers on that, but I’m pretty sure it’s true. I have more confidence in that than in any clinical trial conclusion.
Hearsay evidence about food isn’t very valuable, per observation, but since millions of people have eaten steak stake for thousands of years, the cumulative weight of evidence is pretty good that steak stake is harmless if not good for you. The number of people who have eaten rat poison is much smaller, but given the large effect size, there’s ample reason to suspect that eating rat poison is a bad idea.
Now suppose you want to get more specific and determine whether rib eye steaks are good for you in particular. (I wouldn’t suggest trying rat poison.) Suppose you’ve noticed that you feel better after eating a steak. Is that an anecdote or data? What if you look back through your diary and noticed that every mention of eating steak lately has been followed by some remark about feeling better than usual. Is that data? What if you decide to flip a coin each day for the next month and eat steak if the coin comes up heads and tofu otherwise. Each of these steps is an improvement, but there’s no magical line you cross between anecdote and data.
Suppose you’re destructively testing the strength of concrete samples. There are better and worse ways to conduct such experiments, but each sample gives you valuable data. If you test 10 samples and they all withstand two tons of force per square inch, you have good reason to believe the concrete the samples were taken from can withstand such force. But if you test a drug on 10 patients, you can’t have the same confidence that the drug is effective. Human subjects are more complicated than concrete samples. Concrete samples aren’t subject to placebo effects. Also, cause and effect are more clear for concrete. If you apply a load and the sample breaks, you can assume the load caused the failure. If you treat a human for a disease and they recover, you can’t be as sure that the treatment caused the recovery. That doesn’t mean medical observations aren’t data.
Carefully collected observations in one area may be less statistically valuable than anecdotal observations in another. Observations are never ideal. There’s always some degree of bias, effects that can’t be controlled, etc. There’s no quantum leap between useless anecdotes and perfectly informative data. Some data are easy to draw inference from, but data that’s harder to understand doesn’t fail to be data.
I applied for a job at the National Security Agency in 2006.
I was about to finish my undergrad degree in Mathematics. My favorite classes were abstract algebra, a subject whose only footing in reality is cryptography. I also felt some amount of national pride: my high school was a boarding school in Connecticut, so I experienced September 11, 2001, with many friends from New York City.
There’s an inscription in the marble floor of the building at my alma mater that houses the Mathematics department: "Reality favors symmetries and slight anachronisms". Only now do I appreciate that quote, since I received my full-time offer from Google while I was in the interview process with NSA.
I e-mailed my NSA recruiter and said thanks but no thanks.
I’ve still got that memory of what it feels like to have nationalistic pride in an organization that’s on the forefront of mathematics, computer science, and engineering. Sadly, that power has now been turned inward, but I think it’s possible to fix NSA’s image, and use it to make America a better place.
It should go without saying that NSA needs real oversight, and needs to stop spying on Americans. After that, though, I think there are some concrete things that NSA could do to redeem itself, and maybe even attract talent.
Open Source Code
For 99.9% of developers, cryptography is very easy to get wrong. Even in well respected open source packages, there are obscure issues, like the OpenSSL Pseudo-random Number Generator bug that broke SSH badly. It was caused by a developer removing some seemingly do-nothing code at Valgrind’s recommendation.
Recommendation 1: NSA could provide open source reference implementations of cryptographic and other security-sensitive code.
Open source, and thus peer-reviewed code provided by the largest body of elite mathematicians and cryptographers in the world? Yes, please. One less thing to worry about it.
Public Key Signing for American Citizens
NSA seems to have a problem identifying the communications of American citizens. If you think about it from a machine intelligence perspective, that’s pretty hard indeed.
Furthermore, PGP users have a difficult time with key exchanges. How do I know the public key you sent me is really your public key? Ideally, it’s been signed by somebody I trust.
This is a place to kill two birds with one bureaucratic stone.
Recommendation 2: NSA could provide an optional service to sign PGP keys as belonging to American citizens.
I already have federally-issued documentation of my citizenship, my US Passport. There ought to be a way to get my PGP key signed by the government, so I can sign my messages as an American citizen, having the government be the trusted authority on that matter.
This is interesting because it doesn’t compromise my privacy. My private key is still private, but the government, through a verification process similar to the passport process, has declared they trust me to be an American citizen.
This could be added as a signal for NSA collection systems, since the NSA ought to trust its own key-signing authority, it can be absolutely sure that an encrypted communication it intercepts is from an American citizen, and thus discard it.
This is a less-terrible-more-useful version of a National ID card, since it doesn’t expose my secrets, but allows me to assert my identity to other parties. Nothing would force me to use NSA’s key-signing service, just as nothing forces me to get a passport or a Facebook account.
Security Training for American Developers
Like I said, cryptography is very hard to get right. Not just algorithms, but protocols as well. What if NSA could help us Americans get it right?
Recommendation 3: NSA could provide a training program for American software and IT professionals on security best practices. For bonus points, the cost of this program could be tax-deductible.
American developers have a security responsibility to keep our trade secrets within our borders, and NSA can help us with that. It’s not reasonable to allow NSA to patrol our electronic borders itself, but it could help on-the-ground implementers do it right.
I think it’s possible, with the right amount of congressional and judicial oversight, for the NSA to genuinely make America a better place.
We rely on government services for things that ought to be essential to a productive society, like a court system, a military, and infrastructure. Security is becoming one of those fundamental things, as we rely more and more on computers.
China is hacking us. Russia probably is, too. The NSA could be a point of pride and utility for us Americans to keep our economy strong, and safe from foreign invasion.
Until then, though, I’m done using Google products, e-mail, and unencrypted text messaging.