You should probably read this before going any further.
I am the someone who read the Parable of the Gronkulated Fleebwanger. I want to say it was palecur who sent it my way but it might have just been Facebook or something. I believe we were at my girlfriend in the Bay Area's place last summer when I found it, and I handed it to thequux, who remembers binging on Ari's entire blog hardcore while we were there, a decision which I had independently made I think an hour or two before sending the post to thequux. So there's where the initial connexion came from.
I am sort of bad at starting conversations with people whose writing I admire, but if there is somebody who is really really good at starting conversations, it is my friend Willow Brugh, who came up with the idea behind this event uh, a few months ago I think?, and who talked about it with me fairly early on. I wasn't physically there — thequux had a business meeting in Berlin and I went with him because fuck yeah working remotely anyway — but I was ready and willing to remote in if that could be arranged. About three days before the workshop, in the middle of talking about how it could be (the notion of borrowing a telepresence robot from the MIT Media Lab was floated, but we ended up using Google Hangouts and that worked out well enough), I facepalmed mid-chat conversation and brought up the fleebwanger post.
"She's in Boston," I said. "Boston's not that far from NYC, a train would be easy, I could ask Pilo if she could stay at the Pilopad," the Pilopad being where thequux and I lived in downtown Manhattan when we were there for like six months in 2012 (aka the end of my tenure at Red Lambda and the start of my current gig at Nuance), by quirk of the universe's sense of humour also the time when we were housemates with weev.
I went and talked to Pilo, and showed him the workshop announcement and the fleebwanger post and explained the situation, and he said "of course" because he's also friends with Willow, so this was basically just the social graph doing its thing, announcing itself in apparently kinda strange enough of a way (i.e., last-minute) as to be eyebrow-raising (for, I mean, perfectly understandable reasons) but turning out to be yes actually a genuine workshop being done on the cheap. This is sort of how hackers roll.
I would probably not have had the "ask Pilo for crash space" intuition had I not read Ari's blog back to front last summer; I'd have to hunt to find them, but the indexing algorithm that my brain apparently has for things I read brings up a couple of hits on observations of hacker culture that registered as accurate to me, and I mean she is a sociologist and everything and it was fucking amazing to finally get to talk with her some about how brains tell us things about other people, which is apparently a subject of great interest to us both.
I am kind of a machine for solving logistics problems sometimes, and apparently I have some decent intuitions about what kinds of trust are transitive, I'm just kind of bad at doing the social parts of executing on them myself on occasion. This can be awkward except when you can delegate, which happened because Willow is awesome, and yeah, it was actually pretty great to be in a hotel room all day for two of the days I was in Berlin, being "The Internet" (along with thequux and another fellow — pics eventually) in a workshop about social dynamics and game theory and other stuff that is Highly Relevant To My Interests. Delegation can work. Whoda thunk.
(The following, plus a few side anecdotes, was delivered at SIGINT 13, Cologne, Germany, July 5th, 2013. Here's the video.)
About a year and a half ago I was in Brussels for a workshop that Google and Privacy International hosted. The goal of this workshop was to develop policy language around privacy that Google could use in negotiating with governments -- I'm guessing trade agreements and things like that, no one was especially able or willing to give me specific details -- about user privacy, what sort of protections have to be applied to data on the wire, data at rest and so on, and what governments can and can't do with respect to the data that private (or publicly traded) companies collect and use in the course of their business.
Now, this workshop was held under the Chatham House rule, which says that I can quote things that people said, but I can't attribute them directly. On the first day of the conference, they offered two tracks, a technical track and a policy track. There were a bunch of really sharp technical people there, academics and industry people and independent researchers and like half of the Tor Project. While I didn't know most of the policy people, there were a whole lot of folks from the EFF and other good-guy kinds of organizations, and I have to figure if they managed to pick up a qualified slate of technical experts they probably did a decent job on the policy side too. But you could go to whichever track you wanted, it wasn't segregated by specialty or anything like that.
So we all meet up, it's about 9 o'clock in the morning, there's coffee and about half an hour to meet-and-greet, and then they sit us all down and give us an overview of the next two days and tell us we can go to whichever room we want, technical or policy. And I notice that every hacker I recognise, along with the computer science academics and so on, they're all headed into the tech room. And I'm like "hmm." Because sure I know a thing or two about Tor, but they've already got half the Tor Project. Not to mention, the academics there knew everything I know about privacy and then some, and there were enough people who knew enough about langsec that even if it came up they didn't really need me, and apart from that I'm not really sure what I have to offer. So I decide okay, since the point of this whole affair is to produce policy language anyway, I'll go see if I can contribute to that. Make sure there's an engineering perspective represented, that kind of thing.
Now remember, Chatham House rule, so I can't directly attribute quotes. But what I can tell you is that maybe 45 minutes, an hour into the discussion, some fuckup (ahem) who'd been sitting there fidgeting at the way things had been going pipes up and says, "Can we take as axiomatic that it's a bad idea to just up and break the Internet?" And the whole room turns and says, "NO." I mean, it wasn't quite as direct as that, there was some spirited discussion, but it very quickly became clear that to everyone in the room that was willing to open their mouth apart from this one fuckup, the very idea of a global interconnected network was something like a lump of modeling clay that you could squish and mold, shape and reshape by fiat. Never mind that there was only a thin wall between them and a whole room minus one full of engineers talking about the incredibly intricate details and constantly moving parts of this really-quite-fragile-when-you-think-about-it putative lump of modeling clay.
A little later, this same fuckup was having lunch, and got into a conversation with one of the other people from the policy room, during which the other person advanced the claim -- and I am pretty sure they were not being ironic -- that mathematics had to be subordinated to national sovereignty.
That was the point where I said to myself shit, y'all, we've got a problem.
Because as far as I can tell, every single person at that workshop was supposed to be one of the Good Guys. But when the Good Guys can't even agree on what reality is, how far can they really get toward agreeing what good is?
So now it's 2013, and the front page of pretty much every major metropolitan newspaper has been carrying articles for weeks on PRISM, on Edward Snowden, on the NSA's actions in Germany and the rest of the EU. It's tempting to think that the lines are really clear: the NSA violated everyone's rights not to mention EU data protection laws, therefore NSA bad, therefore everyone else good, which includes Edward Snowden, therefore what the hell are all these other countries doing hiding behind excuses like "he has to apply for asylum from within our country"? And then Venezuela comes into the picture and there's some arguing about trade agreements, and all of Europe's foreign ministers are suddenly very preoccupied and there's bad news out of the European Central Bank again and we all come off looking like sellouts. And everyone around the world feels vaguely unsatisfied.
Crucially, nothing has actually happened.
Perspectives may have changed. Opinions may have changed. But Edward Snowden is still somewhere in the transit zone at Sheremetyevo, and PRISM is, as far as we know, still in operation. Enormous amounts of cogitation have been expended over this topic. Millions of man-hours of human computation -- and at least an equivalent amount of CPU computation -- have been devoted to it. People obsess over the ins and outs of the rights and wrongs of what Snowden did, or of the legality or the illegality of the NSA's actions, and meanwhile the ingestion systems merrily continue ingesting.
Because nearly everything that matters is a side effect.
I should explain, at this point, exactly what it is I mean by side effect, but I'm going to have to start with a counterexample. In pharmacy, for instance, there's this notion of the clinical effect and the side effect, where the clinical effect is the effect you want to produce, like reducing pain or cooling off a fever, and the side effect is something that you don't want to produce, like a metabolic product that's incredibly toxic to your liver. This is the usage that's made its way into everyday language, and it carries with it this notion that there are always tradeoffs. You can take just enough paracetamol to take away your headache without also killing your liver, and this is reliable enough across the entire human population that we feel comfortable selling it over the counter and giving it to children. And we end up thinking about side effects as something that we manage, in the case of paracetamol adding up to a few hundred thousand emergency room visits per year due to accidental overdose. But I'll get back to this.
In computer science, what we mean by side effect is anything that changes the state of the system. If the intended result of your computation produces some change in state, then it's actually a side effect. If an unintended result of your computation produces some change in state, it's also a side effect. Intent means nothing whatsoever. You could have given that person a third dose of paracetamol after they threw up the first two because you were trying to help them with their fever and didn't realise how quickly the stomach absorbs paracetamol -- this actually happened to a friend of mine -- or you could have been straight-up trying to murder them; computer science only acknowledges the side effect of the person landing in the emergency room with a failing liver. (She survived, by the way.)
So this is why, the other day when a Belgian business news reporter interviewed me about PRISM and finished off by asking for my #1 piece of security advice for Belgian companies, I told him, "Follow the OWASP best practices and focus on your responsibility to your customers." And he got that, which I thought was encouraging. If you're a European company and a copy of your trade-secret algorithm is sitting on an NSA hard drive right now because somebody's git traffic transited through the US, it'll still be sitting there tomorrow and there's not a hell of a lot you can do about that. But you can take steps to harden the machines that algorithm is executing on, and those steps are persistent side effects. They have lasting impact. They matter.
And there's an extent to which I feel like I'm preaching to the choir here, because we get that. It's almost like a sense you develop when you observe a system over a long period of time, whether we're talking about a telephone trunk system or the time-sharing systems at MIT or the early ARPAnet -- which is all way before my time, but that's fine, because it's not a sense you have to be in some particular time or place to acquire. I got mine on IRC. It's network proprioception. Boxes come up, boxes go down, the shape of the network changes, and as you interact with that network and start learning what all its little flags and options do, how change propagates, you develop an awareness of the state of the system that I think it's really only fair to compare to your awareness of the state of yourself. Certainly from a philosophical standpoint they're about equally hard to talk about. But I think it's fair to say that hackers who know what they're doing -- reasonably competent hackers, let's say -- correlate inputs to a system with outputs from that system and, when they can, internal state changes in that system, in much the same way that people who are reasonably self-aware can think abstractly about what they experience, consider their internal responses, and produce some outward response (or not, as the case may be). And, for that matter, learn from their mistakes! I think that in much the same way as Douglas Adams characterised the knack of flying as learning to throw yourself at the ground and miss, it's entirely fair to characterise the knack of hacking as learning how you yourself can fail more quickly until whatever you're analysing fails in exactly the way you want it to.
But having this kind of mindset at all -- which is really just the scientific method all over again, nature being obeyed in order to be commanded and all that -- turns out to be rarer than you'd expect, at least if you're me, which, to be fair, means that most of the people you spend any time with at all are scientists, hackers, or both. This is not all that large of a sector of the population to begin with. And we're in a funny situation here, where for the last couple of years there's been an unusually large proportion of international attention paid to the hacker community and hacker culture by people who don't have the faintest fucking idea how we think. There's a saying for this in the United States, "armchair quarterbacking"; the metaphor refers to the guy who's sitting there in his armchair at home, drinking beer and shouting at his big-screen TV what he thinks the quarterback ought to be doing. Maybe he's played some football, maybe he even coaches kids on weekends or something, but there's this tacit understanding that for all his rhetoric -- even when he's right -- he's still just there in his armchair, if he really understood how to coach a team to glory he'd be out there in the game putting that understanding into practice.
This gets murky in the world of policy, where you can have economists like Felix Salmon who wax rhetorical about Bitcoin without having the first fucking idea what a hash function is, much less how one functions as a component of a billion-dollar financial system. He literally does not understand what he is talking about, but he understands enough about money -- or, at least, what "money" means in the parlance of the modern international finance system -- that he thinks he understands what he's talking about, and worse, that people should listen to him, even though what he's actually talking about and what he thinks he's talking about are systems as wildly disparate as ... two very disparate things. If Bitcoin is going to make any sense to you, you have to accept the notion that the levers and dials that financial regulators are used to being able to fiddle with just aren't there. The currency itself is inherently resistant to regulation, because Satoshi Nakamoto built that system like a Deist God; the parameters of the system, from block difficulty to reward halving time, were built into that system from the moment the genesis block got written out to disk.
And every time I hear one of these armchair cryptocurrency specialists -- who may be top-notch economists, but who crucially spend so much of their time thinking about how to manage systems where "unit of account" and "unit of exchange" mean the same thing that the very idea of decoupling those concepts is crazy moon language -- talking about how inherently doomed Bitcoin is, I kind of want to come back with "so how many billion-dollar financial systems have you built in the last couple of years?" Think about that for a second. We live in a world where if somebody comes up with a useful enough idea, and reduces it to practice in code that other people can actually use, and enough other people decide it's also a useful idea, a couple of years down the line it becomes a billion dollars of monetary capacity. Obviously I'm not going to pretend that's a billion dollars worth of state change -- a billion dollars worth of side effects; a lot of the volume that goes into making that number that large is people chasing bubbles, and it's reasonable to expect the usual sort of outcomes you get from chasing bubbles, namely other floating currencies disappearing into thin air when people decide it's time to get out. But I've also lost count of how many times I've heard the usual pundits predict that surely, this Bitcoin price spike is going to be the one that kills the golden goose ... and every time, like clockwork, the damn thing crashes, dusts itself off, and keeps going. It's almost as if being able to move units of exchange around internationally without having to pay rent to the established financial system is something people find value in.
So it should surprise approximately no one that the next line of defense is, of course, regulation. What surprises me is that it's taken as long as it has. Satoshi did an amazing, unprecedented thing: he designed a protocol that inherently resists tampering. In fact it's so inherently tamper-resistant that you can't actually regulate Bitcoin; you have to either take over the entire network or take a step back and regulate the exchanges where people turn other currency into Bitcoin and vice versa. And I get where the Winklevoss twins are going when they say that regulation means that Bitcoin is maturing as a financial instrument, but I don't for a moment think that's necessarily good for users. If Bitcoin "maturing" means that the majority of its users have to rent their liquidity from a regulator-approved set of oligarchs, then Bitcoin's advantages against other currencies will evaporate. If that happens, the status of the financial system remains a lot closer to quo than it otherwise would. And I can't think of many things that an established rentier likes more than the status quo.
Because nearly everything that matters is a side effect.
Now, I'm hardly going to fault Satoshi for not solving the liquidity problem in addition to not only solving the double-spending problem in a distributed setting, but also doing it in a way that people ended up using. One side effect at a time is fine, especially when you expect it's going to be a big one and you want to find out whether it even works the way you anticipate it will. But this leads me to the next category of people who are suddenly especially interested in What Hackers Do without giving much thought to why, and that's people who desperately want to stave off any kind of side effects at all.
Let me give you a recent example. Maybe a week or two ago on Hacker News, I came across an impassioned article about the difference between science and technology. The author's primary claim was that although the process of scientific discovery and the process of technological creation -- say, performing an experiment to test a hypothesis versus designing and implementing a protocol -- are both performed by humans, who have politics, therefore these processes have political effects, the outcome of the scientific process is apolitical because nature remains the same no matter what your view of the world is. And I'd even agree with that. But then he advances this claim:
TCP/IP et al are technologies created by people (smart, well paid white guys, typically) with politics (as much as they deny it, because they're scientists). You can probably say they've made a blip in our politics.
They are inherently political, we need to work out what their politics is, what they encourage or discourage, before we use them to solve political problems.
Okay, Mr. Smart, Well-Paid White Guy. (Dude, do not give me that look. You live in the western hemisphere and have a blog; you are paid better than most of the planet.) We'll just tell damn near everyone in the Middle East, not to mention every single Kenyan who's been coming up with uses for GSM that the makers probably never even imagined much less intended since long before there was an Arab Spring to vex your stony political sleep, that they need to put down their mobiles and back away from Twitter, because the Flying Spaghetti Monster only knows what those beastly protocols might encourage or discourage. (Hosni Mubarak had a few ideas, which is why he decided to shut them down entirely. You can see how well that worked out for him.)
I'm used to reactionaries; I grew up in Texas. I'm just not used to reactionaries coming in from the left. I suppose it's a sign that the left is maturing, in much the same way that Bitcoin is maturing, which is to say becoming part of an established system that finds side effects existentially threatening. And if you can con someone into holding still for fear of what waves they might make if they were to move, whether it's through guilt or fear or what-have-you, you no longer have to worry about their side effects. It's the liberal version of "fuck you, got mine."
Now, I got my first taste of this right around 25c3, when there was some press coverage of the biohacking work I'd been doing with lactobacillus. If you ever want to see a Democrat supporting gun rights, telling him one of his neighbours is doing synthetic biology in their kitchen seems to work -- I have never gotten more death threats than I did when the Huffington Post picked up that article. And we can talk until we're blue in the face about why that is, but I think what's most interesting is that when presented with a sufficiently large example, people will blithely throw away what up until then they'd considered some of their most cherished beliefs, like guns being evil or murder being wrong, at least for the sake of argument. Obviously no one's come up and shot me yet, so apparently no one's completely pitched those beliefs out the window, and I'll take that as a good thing. I'm in favour of not being shot. But I'm also in favour of change I can see, not merely change I can believe in. If that means poking the status quo with a stick to see what it does, I'm more inclined to do that than not. And if it responds, I'm just as inclined to do it again, like that XKCD comic with the electric shock button. Maybe I find out a little more about how it works. Maybe I find out a way it breaks. Either way, I've learned more about it than I knew before. And, crucially, I never would have found out if I hadn't picked up that stick.
You can think of the human brain in a lot of ways, but probably the most useful way I know of to think about it is as a massively parallel pattern-matching machine. Your neocortex learns to recognise patterns, and it builds an ontology out of those patterns, so that from light and shadow you can discern edges and from edges you can discern shapes and from shapes you can discern whether what you're looking at is something you've already identified or something novel. We quite literally spend the first couple of weeks of our lives learning how to see and hear: the machinery is there, we've already been using it in utero, but now we have to adapt to this weird outside-the-uterus environment and that means learning how to use those senses all over again. But the secret is, you never stop learning. The human brain is amazingly plastic, well on into adulthood, as long as you're willing to continue exposing it to novel experiences that it has to learn to pattern-match. Preferably lots of them, so that you don't over-train to an input set that's too small.
I can't tell you what a "social sense" feels like, at least not the way I can describe network proprioception. I was born without one and I'm still working on putting one together from the parts I have available. But I want to know what we could build if we had people who developed proprioception for, if you will, the body politic. We may very well already be creating those people, given that Western children now grow up in a society where social graphs as graphs are a major input on a daily basis. I look forward to seeing them grow up. But if those kids aren't kicking the tires -- which is what kids are supposed to do in the first place, and I guess what we never grew out of -- where are they going to find the side effects that will tell them how these network effects behave?
Apart from being one of our nation's founding documents and an eloquent call to resistance against tyranny, the Declaration of Independence happens to be a great template for how to structure a logical argument as a springboard for further action. Its form is that of a syllogism, one of the oldest methods of deductive reasoning. First it establishes the major premise, a proposition which sets up the second half of the conclusion. Paraphrased, it looks like this:
All governments which fail to protect the natural rights of their citizens, or derive their powers from their citizens' consent, must be altered or replaced.
Then the minor premise, a proposition which sets up the first half of the conclusion. I'll just quote directly this time:
The history of the present King of Great Britain is a history of repeated injuries and usurpations, all having in direct object the establishment of an absolute Tyranny over these States.
Now the rules of inference apply: the King's actions harm his American citizens; citizens who are being harmed by their government have a duty to alter or replace that government; therefore, the inevitable conclusion is
That these United Colonies are, and of Right ought to be Free and Independent States; that they are Absolved from all Allegiance to the British Crown, and that all political connection between them and the State of Great Britain, is and ought to be totally dissolved; and that as Free and Independent States, they have full Power to levy War, conclude Peace, contract Alliances, establish Commerce, and to do all other Acts and Things which Independent States may of right do.
But right now I'm not as interested in the overall logical structure as I am in the snapshot of history that occupies the twenty-seven points that Jefferson included as support for the minor premise. Why? Because they're the first entries in the United States' bug tracking system. Each one is a complaint from users, and more importantly, the Constitution provides patches for each one. A few examples:
"He has refused his Assent to Laws" — Article 1, Section 7. Congress can override a presidential veto.
"He has made Judges dependent on his Will alone" — Article 3. The judiciary and its independence are established by Constitutional authority, not that of the executive.
"He has affected to render the Military independent of and superior to the Civil power" — Article 2, Section 2. The president is Commander-in-Chief of the military and it is subject to the executive branch.
"For Quartering large bodies of armed troops among us" — Third Amendment. Bans this practice entirely.
The Declaration calls out the abuses of tyrannical individuals, and the Constitution aims to establish a system of government — a protocol, if you'll forgive the nerdy indulgence — that is resistant to bad actors. But over the last 200+ years, we've discovered a terrible, terrible thing: the Constitution is not sufficiently Byzantine-resistant.
No, no, put the guns down, we're not being invaded by ancient Greeks. If a protocol is Byzantine-resistant, then it still does what it's supposed to even when some pieces fail on their own or are compromised by an outside party. The checks and balances established in the Constitution are an early example of this: if any one branch is compromised, the other two can halt or reverse actions taken by that branch. The judiciary can even revert actions taken by a compromised legislature and executive acting in concert, as long as a member of the citizenry is willing to bring action — the extra check on the incredible power of the judiciary is that the people have to invoke it.
But all these systems have a lot of moving parts, and what we've discovered, to our horror and disbelief, is that it's not necessary for an attacker to compromise an entire branch of government in order to bend the government to its interests without regard to the interests of the citizenry. In fact, the amount of effort required is comparatively quite small. We can break this down with a small abstract example. Suppose that there's a network made up of several thousand nodes, of types A, B, and C. Controlling the entire network so that it always spits out whatever output you want, in any situation, requires you to take over at least half of the A nodes, at least half of the B nodes, and some number of C nodes. However, if you only want to control some outputs in certain situations, then you only need to subvert a particular 10%[1] of the A nodes and a particular 10% of the B nodes. If you control any C nodes, that's gravy.
Oh, and each node advertises its function.
Since it's easy to identify which nodes to target, a smart attacker will compromise only the exact nodes it needs to control in order to get the results it wants. Anything else is a waste of effort. This beautiful system, designed to resist tyranny by making all actions contingent upon the will of an accountable majority, has a giant, gaping flaw that renders it vulnerable to having its actions controlled by a small but clever minority.
It isn't in the telcos' interests to let their customers know "oh, by the way, we were snooping on your phone calls and email." It's bad for business. It is in Rapiscan's interest, as well as Michael Chertoff's personally, to grab as big a piece of the TSA's $300 million advanced-imaging-technology pie as they possibly can. The safety, privacy, and other fundamental human rights of the citizens — whose interests are supposed to be protected by the regulatory agencies! — have been left by the wayside, because the agencies have fallen victim to regulatory capture.
Now, there are perfectly good practical reasons to have regulatory agencies. If you're going to have publicly funded infrastructure of any kind, it follows that there will be policies on how money will be spent on building and maintaining that infrastructure, how the infrastructure will be operated, &c. The postal service (whose regulatory authority over the mails is implied in the Postal Clause of the Constitution) is one of the less broken examples of this; it's run afoul of the First Amendment in the past, but the Supreme Court has been vigilant about this in the last century. However, the postal service is almost unique among United States regulatory agencies in one respect: it regulates itself and individuals, but not corporations. USPS holds nearly no regulatory authority[2] over Federal Express, UPS or DHL. (Technically, these aren't even mail carriers. USPS holds a legal monopoly over non-urgent letters.) This is why you never hear anyone railing about "postal special interests" on the news, the way you do about the pharmaceutical industry or the insurance industry. There is little that a package carrier can do to stack the deck in its own favor. (The flip side, of course, is that USPS can't make guarantees about contract carriers. You have a guarantee of privacy in USPS-delivered mail that you don't from FedEx. Except from postal inspectors, of course; who watches the watchmen? Which is why I said it's less broken.)
Cue defendants of regulatory agencies citing all the reasons why the FDA, FCC and so on were established in the first place. You'll talk about it in the comments anyway and far be it from me to stop you, but keep in mind, I'm already well aware. I've read my Upton Sinclair, and when it comes to the FCC you might say I'm a little obsessive. We attempted to establish regulatory agencies to protect the rights and interests of citizens. This intention is noble, but the implementation has failed. The onus now is on us, as citizens, to track down the bug — or bugs — that allow regulatory capture attacks to succeed, file the report, and if the current maintainers are unable or unwilling to implement a patch, replace the maintainers with ones who will.
If we can't pull that off, I suppose we could just fork the codebase.
ETA: bramcohen tweets a fascinating article about spontaneous order, superlinear growth, and economies of scale with respect to cities. Tangentially related, but related all the same.
[1] 10% is probably a huge overestimate in terms of raw numbers. However, the cost to compromise a node varies, tending to increase as you go up in the bureaucratic hierarchy. It takes a lot of social capital, and probably a lot of money, to influence the Secretary of the Interior. It takes a lot less to influence the director of a national park, so if you want that contract to build a new lodge, you're better off schmoozing the director. And if all you want to do is dump hazardous waste, you can probably buy off a couple of park rangers much more cheaply than disposing of it properly would cost.
[2] USPS gets to decide what constitutes a hazardous good, e.g., ammunition.
I owe the Berlin trip a proper writeup, but some highlights: talk went extremely well, saw many old friends and acquaintances, came up with yet another paper we need to write with Dan Kaminsky, had some interesting discussions about a computer science curriculum that emphasizes security from the get-go, narrowed down the scope of some tools I need to write in the very near future in such a way that I can put together a proper spec now, got invited to give our talk or something very much like it again at Dartmouth. enochsmiles and I co-present extremely well, which bodes well for future joint presentations (which I enjoy better than solo presentations, when they go well at least).
We also sort of got stuck in Berlin after seeing foxgrrl off at TXL, as it turns out that trains from Berlin to Leuven are not to be had after about 2 pm; the farthest west we could have gotten was Liège. A glance at a rail map suggested a wild possibility: Saarbrücken, so on a wild shot I called oralelk's office and got him on the first ring. Despite not having had much contact at all over the last, um, five years (bad Meredith, no cookie!) he was still quite happy to have us crash on his couch for the night, even coming out to meet us at 11:30 at night, staying up to chat, and putting off going in to work until well past 11 am despite having quite a lot of work to do. It was rapidly discovered that Saarbrücken is one of the least convenient places in Germany to get to Belgium from; our options were basically the ICE high-speed train to Paris and the Thalys to Brussels, or a bus to Luxembourg and two trains for roughly a quarter the price. Thus I have now been to Luxembourg, making that eight countries so far this year.
I have also just received notification that our Black Hat talk has been accepted. Thus, I will be both there and at the Open Science Summit in Berkeley immediately thereafter, July 29-31. (Current plan is to arrive in CA on the 30th.) Unfortunately, this will mean missing DEFCON, for me at least; I'm not sure about enochsmiles.
It is going to be a wild summer, with tools to write and a journal article to finish and a couple of big chewy proofs to prove on top of all my normal work. But I'm excited!
Waking up with a solution in mind for a leftover bug from last night's hacking session, getting it implemented within ten minutes of being sufficiently caffeinated to work, and discovering that one of the subsequent items on my TODO is actually as simple as I thought it would be.
I'm trying to build a Debian package that has some kind of weird properties, and could use some help.
If someone out there is especially clever with debuild and/or pbuilder, would you be so kind as to drop me a line? CDBS is probably not going to help, as autoconf is not involved and really doesn't need to be.
Love, Meredith
ETA: I think I've sorted it, though I still wouldn't mind talking to any Debian packaging whizzes.
I basically skipped out on the Internet for most of last week. This was mainly because last year's router decided it was no longer interested in putting out a consistent enough signal for my WLAN interface to stay stapled to it long enough to do things like, oh, open a webpage. I am happy when things consistently work, I can troubleshoot them when they consistently don't work, but intermittent functionality interspersed with HA HA ONLY KIDDING makes me want to break stuff. Last year's router is now no more broken than it got to be on its own, but it has been replaced with 2007's never-used router, which was picked up at a Fry's in Vegas for something like $15, preemptively disassembled in case we needed it for a project we were working on that Defcon, and put back in its box still in pieces with a few extra bits attached. All the solder points are neatly covered in electrical tape, and it has red and black wires soldered to the pins of the 5V jack; I guess if we have a power outage we can run it off batteries. Also it works, which is always nice to discover when you put something back together. Clearwire, I take back most of the bad things I ever said about you; you are actually rather fast and reliable when used with non-gimpy hardware. Perhaps this summer we will share the internet on the beach at Oostende after all, with the help of the battery-powered router.
The router needs a name. For the last few years our naming convention has been "places that do not exist" -- thus far Arcadia and Erehwon. I am leaning toward Ruritania or possibly Latveria, though I note that Uncyclopedia's list of nonexistent places includes Belgium. The humour is hit or miss, but I cannot deny the truth of the following excerpt:
Belgium is the worst place to live during a Zombie Apocalypse due to the fact that there's more dead soldiers buried there than people.
I mean, if you're in Colma when the zombie apocalypse happens, the odds are stacked against you, but you'll be up against zombie hippies and dotcommers. I suppose our only hope will be if the zombie French and Germans hate each other more than they want to eat the brains of living Belgians.
The other cool discovery, in addition to Working!Router, was the SMT tweezers that I apparently also picked up during that Fry's expedition. These are no ordinary tweezers; they are large and sturdy with a business end that comes to needle tips, suitable for performing reconstructive surgery on fruit flies. I suppose I should really get round to converting a toaster oven into a reflow oven, since I now have most of the other tools I need to do serious tiny-circuitry work. The local hardware store even sells ferric chloride, though not in the handy solution form that Radio Shack dispenses -- no, here it comes in foul-smelling rusty orange lumps and must be weighed out by the gram. I can also obtain a wide assortment of useful acids, bases, and salts, in addition to the standard sodium hydroxide and 30% hydrochloric acid that they sell in the grocery store to clear out drains. I feel like I'm living back in Thomas Edison's day, when you could get kicked off a train for having your chemistry set accidentally set a boxcar on fire.
This weekend was also enochsmiles' and my third wedding anniversary, which would have been great had I not woken up with some gastrointestinal weirdness that forced me to instead spend the day puking myself stupid. (If you find that resultative construction unusual, I defy you to maintain any kind of intelligence while lurching to the sink every half hour to retch bile.) We are planning to celebrate this weekend instead; it will also be my little sister briaer's birthday, so that's two reasons to celebrate.
Finally, in the last bit of router-related news, now there are router botnets. This should surprise approximately no one -- "I bet I can put Linux on that" metamorphosed into "I bet I can drop a botnet on that" some time back, for values of "that" which can connect to the Internet -- but seriously, people, password your fucking routers already.
While visiting my parents, I had the opportunity to take apart a Swiffer WetJet mop, a $20 gadget (which seems to be sold on the "give away the razors, sell the blades" model) that has a really nice peristaltic pump/motor assembly in it and is very easy to take apart. I'm planning to build a robotic micropipettor out of mine (perhaps designing a Contraptor head for it); mycroftxxx wants to build a bar-bot.
There are some really lovely photos of plasmas and lab equipment on the blog, and all the STL files for the polywell itself, plus Ruby source code for running the thing, are available on github. Go to.
ETA: That's fusion full stop, not "a sustained fusion reaction producing more energy than is consumed by plasma containment". I'd wager my left temporal lobe that he's running at a net energy loss. However, polywell confinement is one of the more promising technologies out there for net-gain fusion; interested parties should check out the work that EMC2 Fusion is doing.