Monday, December 29, 2014
The Latin phrase "Quis custodiet ipsos custodes?" means "Who will guard the guards themselves?" It may have originated with the Roman poet Juvenal, who flourished around the first century A. D., but the problem it highlights is much older than that. Those who are charged with enforcing a law always experience a temptation to abuse the power that enforcement confers. The case in point here is the use—and abuse—of so-called red-light cameras that photograph alleged runners of red lights and produce traffic citations that are mailed to the registered owner of the vehicle in question.
By the 1990s, the technology making these devices practical was sufficiently advanced that cities began installing them. According to an article in a recent issue of National Review, over 500 cities in about half the states in the U. S. now use them. Although the professed reason for adopting red-light cameras is to reduce the number of red-light runners, studies have shown that the evidence for lowering accident rates at intersections with red-light cameras is mixed. Traffic engineers have noted a perverse counter-incentive at intersections where drivers know a red-light camera is installed. Some drivers get so jumpy at seeing a yellow light at a camera-equipped intersection that they jam on their brakes prematurely and get rear-ended by a less paranoid driver behind them.
What is not in dispute is that the red-light cameras are real moneymakers, both for the municipalities that install them and for the companies that often install and operate them for the government free of charge, taking a portion of the fine proceeds as payment. The city of Newark, New Jersey gets $4 million per year in revenue from red-light cameras, while Chicago averages about $50 million a year. Chicago's city government does not have a reputation for being squeaky-clean, so it is not surprising that earlier this month a man named Martin O'Malley was convicted of giving a $2 million bribe to a city transportation official. The money came from Redflex Traffic Systems, which up to last year operated the city's red-light cameras.
Redflex also offers a related service to school-bus systems: a stop-arm violation camera. In most states, it is illegal to pass a stopped school bus while its red flashing lights are on and the stop-arm is extended, but many people do it anyway. Redflex will install video cameras and wireless downloading and evaluation systems free of charge on every school bus in exchange for a percentage of the fines assessed for violations. This type of system has also proved popular and has been installed on school buses across the country, including right here in San Marcos, Texas.
The red-light and stop-arm cameras can be viewed simply as technological aids to conventional means of law enforcement. But they differ from other security-camera systems such as those that catch convenience-store robbers in one significant respect: the absence of a police officer at the scene. If a live patrolman pulls you over for speeding, there is a human-to-human interaction, and technically you can haul the officer into court and subject him to cross-examination at trial. The fact that most people don't bother doesn't change the principle. But when there is nothing but photographic evidence for a violation, there is nobody to subpoena, and correcting mistaken identifications and other errors can become a more complex matter.
Besides the potential for error, there is the temptation to shorten the duration of yellow lights to increase revenue. City governments in Florida and Illinois have been caught quietly lowering the duration of yellow signals below the federal guideline of three seconds at red-light-camera-equipped intersections, and in Florida things got so bad that the state legislature passed a law prohibiting the practice.
Beyond the immediate temptation to abuse the system in government's favor at the expense of private citizens, there is the larger question of whether it is a good thing to use technology in a way that incentivizes governments to enforce laws, not mainly because enforcement benefits society as a whole, but because it generates revenue for the government.
We have just experienced the Christmas season. According to the Gospels, Joseph and Mary, the mother of Jesus, had to travel from their home in Nazareth to Bethlehem, where Jesus was born, to fill out some government tax form. In ancient Rome and its colonies, taxes were collected by private contractors called publicans. The deal was that publicans would bid for the right to collect a specified amount of taxes in a given region. If you won the bid, it was up to you to collect at least the amount of taxes you were assigned, and anything you collected over your expenses and what Rome needed was yours to keep. The potential for abuse in such a system is obvious, which may be why Jesus in later life used the hated figure of a publican in a parable as an example of someone who would have plenty of sins to ask forgiveness for.
Firms such as Redflex are not exactly in the position of the publicans of ancient Rome, but the system under which they operate is edging toward a publican-like tendency of open-ended revenue collection that profits both the firm and the government it works for, at the expense of the public at large. The abuses of the publican system came to an end with the Roman republic itself. I am not recommending such a radical fix here. But we can take the advice and examples of Juvenal and Jesus to give a hard look at technological systems that create perverse revenue incentives that reward abuse on the part of governments and firms that provide the technology.
Sources: John J. Miller's article "The Red-Light District" appeared in the Dec. 31, 2014 print edition of National Review, pp. 24-26. I also referred to an article on stop-arm cameras posted by a Fox News TV station in Washington, DC at
http://www.myfoxdc.com/story/23344373/2013/09/04/redflex-takes-aim-at-violators-of-school-bus-stop-arms, and to the Wikipedia articles on Juvenal and "Quis custodiet ipsos custodes?"
Monday, December 22, 2014
On November 22 of this year, employees at Sony Pictures Entertainment were greeted by images of skulls on their computer screens, and experienced other problems that severely compromised the company's IT systems. A message accompanying the hack warned that "secrets" would soon be disclosed to the world. The firm was in the last stages of preparing for release on Christmas Day a film called "The Interview," which includes an unflattering portrayal of North Korean dictator Kim Jong Un. Back in June, after the film's planned release was announced, North Korea called it an "act of terrorism" and threatened consequences if the film was released as planned.
A group calling itself "Guardians of Peace" claimed responsibility for the hacks, and expanded their efforts by revealing reams of private emails and video files of both released and unreleased films, all stolen from Sony through sophisticated hack attacks. When the Guardians issued threats to movie theaters that dared to show "The Interview," major theater chains began telling Sony that they would not run the film. Faced with this situation, last week Sony announced that they were cancelling the release altogether. Sony executives received a message from the Guardians on Dec. 18 congratulating them on their "very wise" decision to cancel the release. The FBI has confirmed that the attack originated from North Korea, which has denied that it has anything to do with it.
The situation is this: Sony made a movie poking fun at Kim Jong Un, and Kim Jong Un retaliated with probably the most serious cyberattack on a non-governmental entity in history. And he got more or less what he wanted—Sony cancelled the film's release.
I have not yet seen any estimates of the monetary damage Sony has sustained in this attack, but it clearly amounts to many millions of dollars, both in potential revenue lost from the film's cancellation and in the illegal downloading of other intellectual property of Sony's made possible by the massive cybertheft operation. I have also not seen anyone comment on the Japan-Korea angle of this attack. From 1910 to 1945, what was then the united country of Korea was essentially a Japanese colony, and forced conscription and other abuses soured the relationship between the two countries. Sony is a Japanese firm, and so there may be a settling of decades-old grudges mixed into this situation, in which the U. S. assets of Sony are simply a means to an end.
Whatever North Korea's motivation was, the fact remains that they succeeded not only in a transnational cyberattack of unprecedented size, but also in blackmailing Sony to cancel the release of a major film. Was this a prudent and "very wise" measure on Sony's part, or an act of cowardice?
I say it's neither. What this situation says to me is that the United States government has failed in this instance to carry out its constitutional obligation to "provide for the common defense."
If North Korea had managed to shoot a missile across the Pacific and blow up Sony headquarters in Culver City, everyone would recognize that as a clear act of war in which a state's boundary was violated and assets destroyed by the concerted action of a foreign country. But cyberattacks are so new, and their heritage so different from conventional acts of war, that we have trouble recognizing them for what they are.
As far as Sony is concerned, the firm has sustained serious damage at the hand of a foreign power. One of the essential functions of modern states is to provide security for its residents against attacks by foreign powers. The U. S. government clearly dropped the ball in the case of the Sony hack. In the absence of any assured forthcoming protection against similar attacks in the future, I understand why Sony pulled the picture, and why theater chains refused to show the film. Fears of physical attacks on individual theaters were probably exaggerated, but now that most movies are digitally projected and shipped around as bits rather than celluloid, theaters are potentially as vulnerable as Sony to cyberattacks as well.
Now that the gangster regime of North Korea has shown it can attack U. S. assets with impunity, it is time to admit that the U. S. military, or something like it, needs to have a cyber-corps to defend U. S. citizens and corporations against cyberattack. At present the situation is rather like the following.
Suppose the U. S. military did a good job of protecting the country against attacks by land and sea up to, say, 1910. But then, private firms began flying airplanes, and, wonder of wonders, someone figured out how to drop bombs from an airplane. Suppose the U. S. government had said in response to this innovation, "Look, we'll fight foreign attackers if they cross our borders on land or by sea, but as for attacks from airplanes, you're on your own. Everybody has to have their own private AD (air defense) department, and if you're attacked by air successfully, well, we may be able to tell you where the planes came from, but you just weren't paying enough attention to your air defense and we're sorry. And the President will badmouth you in a news conference if you cave to the attacker's demands."
Fortunately, this fictional history of private air defense didn't happen. The Wright Brothers flew their first flights on U. S. soil, and America arguably led the world in air defense and attack, which was a major reason why we won World War II and defeated the international thug and blackmailer Hitler.
But something like the above wacko private-AD scenario is going on right now with regard to cyberattacks on U. S. firms by foreign countries. The U. S. government is into a lot of things that it probably has no business being involved in, but if there is one thing almost everyone except the deepest-dyed libertarians can agree on, it's the fact that defending the nation against attacks by foreign powers is one of the federal government's main responsibilities.
We have just seen a demonstration that at least one foreign power can attack and blackmail a major U. S. firm with impunity. Perhaps Sony was low-hanging fruit in terms of cyber security. At least one report mentioned the possibility that the attackers had some inside information, but spies have been around ever since warfare has been around, and there are ways of dealing with them too. The fact remains that North Korea has revealed a serious vulnerability in our national defense, one that needs to be addressed with a serious rethinking of what cybersecurity of a nation really means, and what we are willing to give up in order to have it.
Unless we want to get used to the idea that cyber-blackmail by foreign powers is going to become a way of life in America, we need to wake up to the reality that cyber assets are just as valuable as brick-and-mortar assets. And a government that protects one and not the other is simply not doing its job.
Sources: I relied on two recent reports of the Sony hack and its consequences, one from CNN on Dec. 19 at http://money.cnn.com/2014/12/19/media/insde-sony-hack-interview/index.html and another from the BBC at http://www.bbc.com/news/entertainment-arts-30512032. The Wikipedia article "History of Japan-Korea relations" has some information on the complex backstory of Japan's dealings with Korea and Koreans.
Monday, December 15, 2014
One of the recurring themes in engineering ethics is that power and privilege entail responsibility. Those in positions of influence over millions of users of a technology should recognize the responsibilities that go along with such influence. This is especially true of individuals and organizations that control mass media such as newspapers, radio, TV, cable systems, and entities such as Google and Facebook.
In this connection, I would like to bring to your attention a principle of human nature that I have observed in action on many occasions over the years. To my (admittedly limited) knowledge, no one has taken the trouble to state this principle succinctly, so I'm going to favor you with such a statement. And because every good principle needs a name, I will modestly term it Stephan's Law. It is this:
"Every mass medium eventually advertises its controlling organization."
I will now describe the latest instance in which I observed this principle in action.
At the end of every fall semester, I attend the winter graduation ceremonies of Texas State University for the School of Engineering graduates. This takes place in a nice indoor coliseum where the basketball games are played, in which a few years ago they installed one of those giant LED TV screens colloquially called Jumbotrons. This one is mounted on a large blank wall behind the stage, and in past years has been used to show closeups of the speakers and graduates as they cross the stage to receive their diplomas. In the last couple of years, the video has also been live-streamed to the Internet. So it's fair to say that when you have a crowd attending graduation, and they watch the Jumbotron, it's a mass medium, because everybody in the coliseum sees more or less the same thing, as well as the Internet viewers. So far so good.
Up to the graduation I attended last Friday, you saw nothing on the Jumbotron that you couldn't have seen elsewhere in the coliseum: the band playing, the president speaking, graduates graduating. But yesterday, something new was added. Just after the provost introduced himself and the platform guests, he asked us all to give our attention to what followed.
All of a sudden I flashed back on a Lone Ranger video we watched the other night that was made in 1949—the very early days of U. S. television. The way that program segued to an ad was to switch from the Lone Ranger shooting at some bad guy, to a peaceful scene of a field of wheat while the narrator intoned a phrase that went something like "And now we ask for your interest and attention." Why a wheat field? Turns out that the sponsor of the Lone Ranger program was General Mills. Wheat—Wheaties—General Mills—get it? Anyway, you can tell that the producers weren't quite sure how people would take television ads, so they soft-pedaled them and gave the viewers some time to readjust their psychologies away from the Old West before hitting them with the sales pitch.
Sure enough, as I watched the Jumbotron, the provost disappeared and we all watched a three-minute ad for Texas State University. It was nicely done—a female chorus sang a bouncy holiday tune in the background, we saw familiar landmarks on campus, both still and live action, and it wound up innocuously with best holiday wishes for all. But here was a new mass medium, and although it had taken a few years, it eventually complied with Stephan's Law—it ended up advertising its controlling organization.
The first time I noticed an example of this law was when the old National Educational Television (NET) transformed into the Public Broadcasting System (PBS) in the late 1960s. Back then, there was a sort of unwritten rule observed by educators that the classroom was no place for overt advertising. So for the first few years of its existence, NET carried no ads of any kind, even for itself, at least none that I recall. But once educational TV stations realized that they could take some of that valuable air time and run pledge drives for themselves, well, the horse was out of the barn, and now self-promotion is a routine part of the business of PBS.
Note that Stephan's Law makes no moral judgment. As far as that goes, I do it myself—after all, now and then I have links to my own blogs. Morality comes into play only when you take other considerations into account. For example, does the medium present itself as strictly neutral and unbiased? It's hard to be that way when you're telling people about how great you are. So in that case, there's the danger of hypocrisy. And while the amount of time that an external advertising sponsor can buy in a given medium is limited by the sponsor's resources, the organization that operates the medium has no natural limit to its own self-advertisement efforts. Something close to that limit is approached by a particular cable news channel we watch, Time Warner Cable News. Although the channel carries ads from external sponsors as well, I think about half of the non-content time on it is devoted to self-promotion. Of course, I don't have to watch that channel if I don't want to. But if I choose to, I'm going to see a whole lot of ads for Time Warner Cable in its various guises.
If I knew more of the writings of a communication studies guru like Marshall McLuhan, I would probably find that Stephan's Law was discovered centuries ago after Gutenberg put an ad in his Bible for upcoming new editions, or something along those lines. (Note to incunabula specialists: I have no idea whether Gutenberg self-advertised or not, but it wouldn't surprise me.) But in my state of happy ignorance, I present this principle to you free of charge, and challenge you to watch for the next example of it that comes to your attention. The more media there are, the more chances there are for Stephan's Law to be verified, and in this media-saturated culture, it's hard to go for very long without seeing an example of it in action.
Sources: I looked for an example on YouTube of the Lone Ranger-General Mills segue, but for reasons that may have to do with copyright, it doesn't show up there. However, some DVD collections of old Lone Ranger TV episodes have it, which is where I saw it. The word "Jumbotron" is actually a registered trademark of Sony Corporation, according to Wikipedia, but since Sony quit making those devices in 2003 the word has passed into the language to mean any large electronic display board.
Monday, December 08, 2014
Of the millions of engineers worldwide, only about 14% are women. To some, this statistic is prima facie proof that women are unjustly prevented from joining what is generally regarded as a desirable and socially beneficial profession. To others, it merely shows that the difference between men and women extends to aptitudes and career choices. But to Stanford mechanical-engineering graduate Debbie Sterling, that statistic represents a challenge she is tackling with her company, GoldieBlox.
The firm's mission statement, prominently displayed on their website below a pie chart showing the infamous 14% number, says that its goal is to "get girls building." GoldieBlox's line of construction toys are designed to appeal especially to girls, and come with storybooks about female engineering role models. These kits include "GoldieBlox and the Dunk Tank," "GoldieBlox and the Movie Machine," and a GoldieBlox zipline action figure—the character herself as a doll with long blonde tresses, dressed in a tee shirt and overalls and definitely not possessed of a Barbie-doll-like figure. Although I have not bought toys for young children for many years and my judgment on such matters is therefore suspect, the kits look a little on the pricey side to me. You can lay out as much as a couple hundred bucks for the Solid Gold(ie) Package, which includes nearly every item in their catalog. But hey—if it can really turn your little Mabel or Doris into an engineer, it's worth it, isn't it?
GoldieBlox has been around for only a couple of years (Sterling founded it in 2012 with help from Kickstarter), and so it is too soon to tell whether the firm, and other similar girl-oriented science-technology-engineering-math (STEM) products now available, will push that 14% number higher. But GoldieBlox, as a privately funded self-supporting free-enterprise company, is a welcome addition to the sometimes heavy-handed efforts of the federal government to do the same thing. While I have not received funding from the U. S. National Science Foundation for many years, I have kept up with its various programs and policies enough to know that the paucity of women in engineering and other STEM fields is of great concern to that agency. According to one source, NSF will spend over $800 million in fiscal year 2014 on education and human resources, and it is safe to say that a good fraction of that will go toward programs aimed at increasing the participation of women in STEM fields at all levels.
Rarely does any discussion of this topic stray into the fundamentals of the ethical concerns involved, so I will try to do a little of that here. One argument in favor of increasing the number of women in engineering is purely utilitarian. It has two premises and a conclusion. Premise One is "Women and men are equally capable of being engineers." Premise Two is "Only 14% of engineers are women." The conclusion is "A lot of women who could be engineers are not becoming engineers." At this point, the pleas from industry that they cannot find enough good engineers are brought in to justify spending tax money on special programs designed to encourage women to enter STEM fields.
This argument has the advantage that it relies on statistics. Premise Two is an undeniable statistical fact, and as for Premise One, you can find psychological and educational studies that support the contention that women as a group have the brainpower needed to do most engineering jobs. But to get from the conclusion of this syllogism, which is factual, to a call to action—"we should get more women into engineering"—requires that we either ignore all the other possible things that the potential-engineer women could do with their lives, or perform a complex global optimization problem involving the entire working population. So this argument doesn't take you as far as it seems to promise at first, at least without a lot of public-policy help smuggled in at the last minute.
Another argument, which in my view is much stronger, is based on the generally accepted notion that irrational prohibitions and thoughtless misallocation of opportunities and role models are wrong. To give a personal example of the first, my wife was the daughter of a highway engineer. When she was in high school in the 1960s, she wanted to take a drafting class, because she had seen the kind of drawings that her father did at work and she thought that might be a good thing to learn. She was told that "girls don't take drafting," and ended up in a home economics class. While the feminist movement of the 1970s had has many far-reaching effects, not all of which were positive, I think it is a good thing that such arbitrary sex-related employment exclusions are largely a thing of the past.
The lack of opportunities and role models for women is a similar problem, although these fall more into the category of sins of omission than commission. As GoldieBlox founder Sterling learned when she was a girl, construction toys were made and marketed for boys, not girls. Now that her company is around, that is no longer the case, although time will tell whether enough enlightened parents will buy GoldieBlox kits for their daughters to make a difference.
Programs that connect up girls with working women engineers can make a tremendous positive difference here. Just meeting a woman who was able to make it through engineering school and get an engineering job can be a great encouragement to a young woman who finds attending mostly-male engineering classes intimidating. The NSF money that is spent on those sorts of encouraging activities addresses these sorts of passive injustices. While statistics proving their effectiveness may be hard to come by, you can talk to women who are now engineers to whom such things made their careers possible.
By and large, engineering is a profession that contributes to human flourishing. As mothers, women have historically done most of the work in contributing to the flourishing of the class of humans called children, and so it is no great stretch for women to contribute also in the more indirect way of an engineering career. I wish GoldieBlox well, and hope that in future years I may end up teaching some women who can fondly recall the time they discovered GoldieBlox and the Dunk Tank, and their lives were forever changed.
Sources: I learned about GoldieBlox and its founder, Debbie Sterling, from an article by Nicole Villalpando that appeared in the Austin American-Statesman print edition on Dec. 5, 2014. (Full access to the online article requires a subscription.) I also referred to the American Association of Universities website at http://www.aau.edu/WorkArea/DownloadAsset.aspx?id=14335 for statistics on the NSF budget, and the GoldieBlox website www.goldieblox.com.
Monday, December 01, 2014
The bomb exploded as the car reached the intersection of Park Place and Forest Park Boulevard in Fort Worth, Texas. The explosion was loud enough to be heard at an elementary school a couple of blocks away, and I was one of several students who got to the scene before emergency crews had cleaned it up. From the front doors rearward the car looked nearly normal, but there was just a blackened pile of junk where the front end used to be. The driver was killed instantly. From what I recall, later investigation of this mid-1960s incident turned up ties to organized crime, and I'm not sure but what the criminals put the bomb in the wrong car. Even the Mafia makes mistakes.
To commit that crime, someone had to make a powerful time bomb and gain physical access to the car in order to plant it. In the near future, it will be logically possible to wreck a car and kill the driver without ever laying a finger on either one. Once wireless networking and Bluetooth communications are integrated in new models of automobiles, a sufficiently dedicated hacker might be able to wrest control of the car from the driver and do anything he likes, including driving the car off a cliff or into a gravel truck.
So far as anyone knows, no one has committed a successful crime by hacking into a car's software. On the other hand, automotive software hacking for benign purposes has been around for a decade or more. While teens of an earlier generation would get greasy in a garage staying up till midnight to hop up a '57 Chevy for drag racing, today's hot-rodders hack into the valve-control software and tune up the timing to suit their purposes. The keyhole for this activity is the OBD-II port—the place an auto tech plugs a computer into your car to diagnose why your check-engine light is on.
In a demonstration for the U. S. military, cyberhackers showed how they could use the port to exert virtually total control over a current-model car, locking the brakes or even killing the engine. This kind of hacking requires extensive knowledge of the car's software and a good deal of reverse engineering, so it is currently not cost-effective for the bad guys to do it. And with non-networked cars, it still requires physical access to the car. But automotive-industry leaders are trying to anticipate the day when new cars are totally networked and become part of the Internet, which will open them up to attacks from anywhere in the world.
According to recent press reports, automakers are organizing an automotive version of an Information Sharing Advisory Center (ISAC), similar to the ones that the banking and other information-critical industries have formed to promote the sharing of news about cyber-threats among competing firms and to develop countermeasures fast. Just as significant as their actions is the fact that they are publicizing their actions. One could speculate that the car companies are trying to send a signal to potential automotive cyber-attackers that the industry is not sitting idly by, waiting for the first fatality before something is done to prevent such attacks. Instead, they are putting defenses in place well before any attack occurs—a sound military tactic.
There may be a lesson here about the tendency of organizations to lose effectiveness with time. Computers have been used in cars for less than a generation. But cars have had ignition keys for close to three generations. The GM ignition-switch failures, with their resulting fatalities and massive recalls, stem from the negligence of engineers who have been doing basically the same thing since the 1930s, although the details have certainly changed over the years. But the engineers in charge of computer security have grown up in an environment where hacking and cyberattacks are an ordinary part of life, and to pretend otherwise would be a mark of incompetence. So it is no great surprise to hear that car companies are trying to get ahead of computer criminals by forming an ISAC.
Even so, you can imagine situations in which the mere threat of such an attack would be profitable for criminals. Say you're the CEO of UPS, and one day near the peak Christmas-shipping season you get an email instructing you to deposit two million dollars in a certain Swiss bank account by a certain time. If you don't, the sender promises to throw a digital monkey wrench into your entire fleet of trucks, all at once. The CEO would at least have to take such a threat seriously.
I feel like taking a mental bath after putting myself into the mindset of a cybercriminal that way, but unfortunately, that is what competent computer-security people have to do in order to come up with ways to thwart such attacks. The only sure defense against such blackmail is to have enough encryption and other measures in place so that no conceivable attack will stand a good chance of working. There is always a chance that some evil super-genius will figure out a way to hack the best defenses, but statistically, such people are rare and most cyber-threats involve only the average amount of cleverness.
The organizers of the first automotive ISAC are to be congratulated for their foresight in anticipating what could be a really messy and dangerous problem, and I hope that automotive cyberattacks are prevented before they can even get off the ground. But no one knows exactly how cars will interact with the Internet in the future, and depending on how the systems develop, the best efforts of the good guys may be foiled sooner or later by a bad guy. Let's hope that day is a long way off.
Sources: Justin Pritchard's report on the organization of an automotive ISAC and successful test attempts at automotive cyberattacks was distributed by the Associated Press and carried by numerous news outlets such as ABC News on Nov. 25, 2014 at http://abcnews.go.com/Technology/wireStory/computer-hackers-dissect-cars-automakers-react-27132494. The online edition of Auto News carried another report from a Society of Automotive Engineers conference announcing the formation of the industry's first ISAC, at http://www.autonews.com/article/20141021/OEM11/141029957/auto-industry-forming-consortium-to-fight-hackers. My blog on the GM ignition switch recall appeared on June 9, 2014 at http://engineeringethicsblog.blogspot.com/2014/06/the-switch-from-hell-gms-barra-and.html.