Minimize Ladder Length over Wall

Some time ago somebody had to solve this math optimization question for their studies and told me about it.

So there is a wall with height h, which has the distance a from a very high "building" and your task, should you accept it, is to find the shortest ladder over the wall that touches the ground and the "building".

So the function to minimize is L = sqrt((x+a)^2+(h+y)^2).
Because we know that y/a = h/x it follows that y = ah/x.
Using this the length becomes L = sqrt((x+a)^2+(h+ah/x)^2)
The minimum of that function is not changed if we leave out the sqrt, and the derivative of (x+a)^2+(h+ah/x)^2 is (2 (a + x) (-a h^2 + x^3))/x^3
So the minimum x is where this function equals zero, which is if x³ = ah²,
and the length then is L = (a^(2/3) + h^(2/3))^3
 
Now the thing that I

Data is the New Love

Personal data, that is.

Because it’s good to give away—but only if you mean it.

And it’s bad to take it, even if it seems to be there for the taking.

I bring this up because a quarter million pages (so far) on the Web say “data is the new oil.”

That’s because a massive personal data extraction industry has grown up around the simple fact that our data is there for the taking. Or so it seems. To them. And their apologists.

As a result, we’re at a stage of wanton data extraction that looks kind of like the oil industry did in 1920 or so:

It’s a good metaphor, but for a horrible business. It’s a business we need to reform, replace, or both. What we need most are new industries that grow around who and what we are as individual human beings—and as a society that

The 10-Year Platform: Shutting Down KRE

Summary: The original pico engine, KRE, is no more. But the ideas and capabilities of the platform live on in the new pico engine.

A few years ago, I announced on this blog that Kynetx was done. But the platform we'd created, the Kynetx Rules Engine, or KRE, lived on. Today I am announcing that KRE is dead too. We shut it down last week.

Despite the demise of Kynetx, the platform continued to be open and available. Fuse was still running on it and my students were using it for class and research. But Fuse stopped working for good last spring when the MVNO we were using to process cellular data from the car devices shut down. And the new pico engine is working so well that we use it for everything now.

KRE was started in 2007 and envisioned as a cloud-based programming platform for events. While we

Is Sovrin Decentralized?

Summary: To determine whether Sovrin is decentralized, we have to ask questions about the purpose of decentralization and how Sovrin supports those purposes.

People sometimes ask "Is Sovrin decentralized?" given that it relies on a permissioned ledger. Of course, the question is raised in an attempt to determine whether or not an identity system based on a permissioned ledger can make a legitimate claim that it's self-sovereign. But whether or not a specific system is decentralized is just shorthand for the real questions. To answer the legitimacy question, we have to examine the reasons for decentralization and whether or not the system in question adequately addresses those reasons.

This excellent article from Vitalik Buterin discusses the meaning of decentralization. Vitalik gives a great breakdown of different types of decentralization, listing architectural decentralization, political decentralization, and logical decentralization.

Of these, logically decentralized systems are the most rare. Bitcoin and other

A dark review for United’s Boeing 787

I’ve been wanting to fly on the Boeing 787 “Dreamliner” ever since I missed a chance to go on an inaugural junket aboard one before Boeing began delivery to the airlines. But three days ago I finally got my chance, aboard United Flight 935 from London to Los Angeles.

Some context: United is my default airline by virtue of having flown 1.5 million miles with them, which has earned me some status. Specifically, I get on shorter lines, don’t get charged for bags, and have some choice about where I sit, which defaults to Economy Plus: the section of Economy that features a bit more leg-room and is typically located behind business/first, now called Polaris.

And that gets me to my first problem with United 787s. According to SeatGuru, the whole Economy Plus section is over the wing on both the airline’s configurations: 787/8 and 787/9.

Initial Working Group Draft of Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs)

The initial working group draft of the Proof-of-Possession Key Semantics for CBOR Web Tokens (CWTs) specification has been posted. It contains the same normative content as draft-jones-ace-cwt-proof-of-possession-01. The abstract of the specification is:

This specification describes how to declare in a CBOR Web Token (CWT) that the presenter of the CWT possesses a particular proof-of-possession key. Being able to prove possession of a key is also sometimes described as the presenter being a holder-of-key. This specification provides equivalent functionality to “Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs)” (RFC 7800), but using CBOR and CWTs rather than JSON and JWTs.

I look forward to working with my co-authors and the working group to hopefully complete this quickly!

The specification is available at:

An HTML-formatted version is also available at:

“Using RSA Algorithms with CBOR Object Signing and Encryption (COSE) Messages” is now RFC 8230

The “Using RSA Algorithms with CBOR Object Signing and Encryption (COSE) Messages” specification is now RFC 8230 – an IETF standard. The abstract for the specification is:

The CBOR Object Signing and Encryption (COSE) specification defines cryptographic message encodings using Concise Binary Object Representation (CBOR). This specification defines algorithm encodings and representations enabling RSA algorithms to be used for COSE messages. Encodings are specified for the use of RSA Probabilistic Signature Scheme (RSASSA-PSS) signatures, RSA Encryption Scheme – Optimal Asymmetric Encryption Padding (RSAES-OAEP) encryption, and RSA keys.

Some of these values are already being used by the sixth working draft of the W3C Web Authentication specification. In addition, the WebAuthn specification defines algorithm values for RSASSA-PKCS1-v1_5 signatures, which are used by TPMs, among other applications. The RSASSA-PKCS1-v1_5 signature algorithm values should also be registered shortly.

Thanks to Kathleen Moriarty for her Area Director sponsorship of the specification!

Let’s get some things straight about publishing and advertising

Yesterday Digiday published The GDPR will help or hurt publishers, depending on who you ask, by Ross Benes (@RossBenes). I was one of the people Ross asked, and the piece includes a quote from me.

His question went this way:

I saw this blog you wrote about the topic.

http://blogs.harvard.edu/vrm/2017/09/03/good-news-for-publishers-and-advertisers-fearing-the-gdpr/

Do you think advertisers will pay enough for SafeAds to offset the losses publishers will have from selling fewer targeted ads due to privacy regs? 

It’s a good question. (That’s what people say when they don’t have an answer, or there isn’t an easy one.) Here’s how I replied:

Yes, and then some.

They’ll do it because there is more brand value to SafeAds.

The bigger question is for publishers: what business do they want to be in?

Do they want to operate barrels of “content” full of tracked fish baited there so

Equifax and Correlatable Identifiers

Summary: We can avoid security breaches that result in the loss of huge amounts of private data by creating systems that don't rely on correlatable identifiers. Sovrin is built to use non-correlatable identifiers by default while still providing all the necessary functionality we expect from an identity system.

Yesterday word broke that Equifax had suffered a data breach that resulted in 143 million identities being stolen. This is a huge deal, but not really too shocking given the rash of data breaches that have filled the news in recent years.

The typical response when we hear about these security problems is "why was their security so bad?" While I don't know any specifics about Equifax's security, it's likely that their security was pretty good. But the breach still occurred. Why? Because of Sutton's Law. When Willie Sutton was asked why he robbed banks, he reputedly said "cause that's where

OAuth Authorization Server Metadata spec incorporating Area Director feedback

The OAuth Authorization Server Metadata specification has been updated to incorporate feedback from Security Area Director Eric Rescorla. Thanks to EKR for his useful review. A number of defaults and restrictions are now better specified.

The specification is available at:

An HTML-formatted version is also available at:

Sovrin Self-Sustainability

Summary: For Sovrin to become a global, public utility that helps everyone create and manage self-sovereign identities, it must be independent and self-sustaining. This post outlines four independence milestones for Sovrin Foundation.

The Sovrin Foundation began life about a year ago. We launched the Sovrin Network just last month. For Sovrin to achieve its goal of providing self-sovereign identity for all, the Foundation and the Network have to be independent and self-sustaining.

The idea for Sovrin-style identity and the technology behind it was developed by Evernym. To their credit, Evernym’s founders, Jason Law and Timothy Ruff, recognized that for their dream of a global identity system to become reality, they’d have to make Sovrin independent of Evernym. At present, Evernym continues to make huge contributions to Sovrin in time, code, money, and people. Our goal is to reduce these contributions, at least as a percentage of the total, over time.

Some new ways to look at infrastructure

Nothing challenges our understanding of infrastructure better than a crisis, and we have a big one now in Houston. We do with every giant storm, of course. New York is still recovering from Sandy and New Orleans from Katrina. Reforms and adaptations always follow, as civilization learns from experience.

Look at aviation, for example. Houston is the 4th largest city in the U.S. and George Bush International Airport (aka IAH) is a major hub for United Airlines. For the last few days traffic there has been sphinctered down to emergency flights alone. You can see how this looks on FlightAware’s Miserymap:

Go there and click on the blue play button to see how flight cancellations have played over time, and how the flood in Houston has affected Dallas as well. Click on the airport’s donut to see what routes are most affected. Frequent fliers like myself rely on tools like this

How the personal data extraction industry ends

Who Owns the Internet? — What Big Tech’s Monopoly Powers Mean for our Culture is Elizabeth Kolbert‘s review in The New Yorker of several books, one of which I’ve read: Jonathan Taplin’s Move Fast and Break Things—How Facebook, Google, and Amazon Cornered Culture and Undermined Democracy.

The main takeaway for me, to both Elizabeth’s piece and Jon’s book, is making clear that Google and Facebook are at the heart of today’s personal data extraction industry, and that this industry defines (as well as supports) much of our lives online.

Our data, and data about us, is the crude that Facebook and Google extract, refine and sell to advertisers. This by itself would not be a Bad Thing if it were done with our clearly expressed (rather than implied and checked off) permission, and if we had our own valves to control personal data flows with scale across all the companies we deal

What happened to nonviolence?

Two graphs tell some of the story.

First is how often “nonviolence” and “non-violence” appear in books:

Second is search trends for “nonviolence” and “non-violence” since 2004, which is when Google started keeping track of trends:

Clearly nonviolence wasn’t a thing at all until Mohandas Gandhi started bringing it up in 1918. And it became a big thing again in the 1960s, thanks to Martin Luther King Jr. and the civil rights movement he led during the Vietnam war.

Then, at the close of the 60s, it trailed off. Not that it ever went away, but it clearly retreated. (At least in books, which Google doesn’t track past 2008, which is when I guess they quit scanning them.)

But online the story is similar. There seems to be a seasonal-ish rhythm to searches for the two terms, but non-violence has been going steadily down while nonviolence has flattened since

Elseware

I’m blogging mostly at doc.blog these days. Just letting you know.

Nothing wrong here. Partly it’s easier there. I can just post, y’know? Like tweeting, but without the icky limits.

But mostly it’s that I see the future of blogging there, rather than on WordPress and platforms like it.

I mean, they’re fine for publishing, and I won’t stop doing that, here and in other places.

But I want to get back to blogging. Like I did in the old days at doc.weblogs.com, only for the Now we all live in.

I’ll explain more later. Right now I have an eclipse to drive to.

CBOR Web Token (CWT) specification addressing all known issues

A new CBOR Web Token (CWT) draft has been published that updates the diagnostic notation for embedded objects in the examples. Thanks to Samuel Erdtman for making these updates. Thanks to Carsten Bormann for reviewing the examples!

This addresses all known issues with the specification. I believe that it is now time to request publication.

The specification is available at:

An HTML-formatted version is also available at:

The Case for Decentralized Identity

Summary: We cannot decentralize many interesting systems without also decentralizing the identity systems upon which they rely. We're finally in a position to create truly decentralized systems for digital identity.

I go back and forth between thinking decentralization is inevitable and thinking it's just too hard. Lately, I'm optimistic because I think there's a good answer for one of the sticking points in building decentralized systems: decentralized identity.

Most interesting systems have an identity component. As Joe Andrieu says, "Identity is how we keep track of people and things and, in turn, how they keep track of us." The identity component is responsible for managing the identifiers and attributes that the system needs to function, authenticating the party making a request, and determining whether that party is authorized to make the request. But building an identity system that is usable, secure, maximizes privacy is difficult—much harder than most

The passive usefulness of public photography

While I’m recovering more slowly than I’d like from some minor eye surgery, reading is too much of a chore; but searching for stuff isn’t. So here’s a list of articles and postings leveraging public photos I’ve shared, Creative Commons licensed to require only attribution. Always interesting to see where these turn up:

  1. Why Indigenous Civil Resistance has a Unique Power By Molly Wallace, originally published by Waging Nonviolence. The photo is of melting tundra somewhere in Canada.
  2. Suicide or Murder? A Young Woman Investigates Her Mother’s Tragic Death, by Sarah Mangiola in The Lineup. The photo is of a bathtub in Nevada.
  3. Upheaval Dome Located in Canyonlands National Park, in The Earth Story. The photo is of the actual impact crater, which isn’t a dome, or caused by upheaval.
  4. House panel rejects Trump’s Great Lakes cuts, by Greg Hinz in Crain’s. The photo is from this set