Showing posts with label musings. Show all posts

Monday, November 16, 2009

What can we learn from Craigslist?

Ref: Why Craigslist is such a mess?

There is lots to ponder, learn and unlearn from Craigslist in this new information age. The following are a few simple lessons that I extracted from quotes in the above-referenced article on Craigslist. The article is a great read.

Lesson 1:  We may not have a single definition for doing good business but we can all agree on the fact that businesses exist to serve the public.

But seen from another angle, craigslist is one of the strangest monopolies in history, where customers are locked in by fees set at zero and where the ambiance of neglect is not a way to extract more profit but the expression of a worldview.

Lesson 2: David(s) have, are and will always trump Goliath(s) in every age.

It is difficult to overstate the scale of this accomplishment. Craigslist gets more traffic than either eBay or Amazon.com. eBay has more than 16,000 employees. Amazon has more than 20,000. Craigslist has 30.

Lesson 3: People work the best when they are allowed to work.

The long-running tech-industry war between engineers and marketers has been ended at craigslist by the simple expedient of having no marketers. Only programmers, customer service reps, and accounting staff work at craigslist. There is no business development, no human resources, no sales. As a result, there are no meetings. The staff communicates by email and IM. This is a nice environment for employees of a certain temperament. "Not that we're a Shangri-La or anything," Buckmaster says, "but no technical people have ever left the company of their own accord."

Lesson 4: If there are sufficient economic incentives, things will get done. It doesn't matter which side of the fence you are on.

Captchas—distorted words that can be interpreted by humans more easily than by machines—tamed spam on craigslist for a while. Then it came back full force, not because the spammers had solved the difficult problem in artificial intelligence but because they had hacked an easier problem in global economics

Lesson 5: Simplicity and usability go hand in hand. K.I.S.S. always works.

Without a computer science research department to work on evil-fighting algorithms, or a call center to take complaints, Buckmaster has settled on a different approach, one that involves haiku. The little poems he has written appear on the screen at times when users might expect a helpful message from the staff. They function as a gnomic clue that what you are seeing is intentional, while discouraging further conversation or inquiry. Attempt to post a message that is similar to one you've already entered, and this may appear:
a wafer thin mint
that's been sent before it seems
one is enough, thanks

The slight delays in cognitive processing that these haiku cause are valuable. They open a space for reflection, during which you can rethink your need for service.

Tuesday, March 17, 2009

My critique of the article "Religion, Marxism and Slumdog"


My comments on this article
"Religion Marxism and Slumdog" by Francois Gautier.
  1. I disagree with the notion that "Slumdog Millionaire" conveys an utterly negative image of India and should be protested by the Indian Government (like the Chinese would have done). I don't understand why. The film shows the real life of people living under those conditions. Slums, poverty and corruption are an unfortunate part of our society today and we cannot run away from it. By not showing it we would not be getting rid of it. And in today's connected world (in the age of Google and YouTube), I am not sure information can be controlled anyways.
  2. Why should we be like China? Comparison between a Communist and a Democratic government is an apple and orange case. If China would have responded, it's because they want to maintain a controlled global image irrespective of what happens inside their country. India cannot do it because we are a democracy and rightly so.
  3. Leaving aside the missionary part, which of the following: caste, poverty, child marriage, superstition, widows, sati, are a virtue of Hinduism? They may have served a purpose centuries back when the society was different but they have no purpose now. The mere fact that these are still used by upper caste people as exploitation tools is in fact a huge shame on us. There is no doubt that missionaries have capitalized on this. But what will the lower castes who become the victims of these vices do? For many of these people, escaping into another religion was probably the only answer.
  4. Author says, "Today, billions of dollars that innocent Westerners give to charity are used to convert the poorest of India with the help of enticements such as free medical aid, schooling and loans." But who is responsible for this? It is we ourselves. Everyone dreams of a good life and so do the poor. If the Government cannot fulfill its promises for the poor, the poor are going to find some other means of fulfilling their needs. I think instead of blaming the missionaries (whose work can be viewed as both good and bad in different contexts), we (the people of India along with the Government) have to solve our problems of poverty and caste. If that is done, there won't be any incentive for anyone to either get converted or convert others.
  5. Author says that western authors portray detrimental images of India and especially talk of 'Hindu fundamentalism'. I personally believe that fundamentalism of any kind is wrong, be it Hindu, Islamic, German etc. What I would defend is "Hinduism" and its core principles and not fundamentalism. What RSS, Bajrang Dal and Shiv Sena do in the name of Hindutva is precisely what Osama Bin Laden does in the name of Islam. This is what Hitler did half a century ago. Do you agree with them?
  6. The immediate paragraph says "Hinduism has given refuge throughout the ages to those who were persecuted at home: the Christians of Syria, the Parsees, Armenians, the Jews of Jerusalem, and today the Tibetans, allowing them all to practice their religion freely." The author is now talking of Hinduism here and not of any extremist philosophies and he is absolutely right now.
  7. The notion that India only belongs to Hindus is complete bullcrap and Hinduism does not say anything like that. "Hindu Fundamentalists" say that. The central idea should be for people to unite and live in harmony irrespective of their religion, caste and color.
  8. Finally, author asks, "When will the West learn to look with less prejudice at India, a country that will supplant China in this century as the main Asian power?" My question is why do we need an approval from the west? If we eradicate our own vices and solve our problems, everything will fall in line automatically. I believe that asking this question is what makes us subservient to the west more than anything else.
I found this article completely off. The line of reasoning did not appeal to me at all and the conclusions drawn do not follow from the arguments.

Monday, January 5, 2009

Frank W. Abagnale and the irony of security industry

If you remember that name then most probably you have seen the epic movie Catch Me If You Can starring Leonardo DiCaprio and Tom Hanks. In short, the movie is about this guy Frank Abagnale (played by DiCaprio), who figures out novel ways to commit check fraud and embezzle money posing as various people (as a pilot, as a doctor and as a lawyer). The movie is all about how the hacker mindset works and is a must watch if you are in the information security field. The movie is replete with examples of social engineering tricks that determined hackers so often use. It's a good way to train one's thinking in the ways of the hacker.

This movie is not a work of fiction but is based upon a real guy who did these things in real life. This is the website of the real Frank Abagnale, who is now, not surprisingly, one of the world's most respected authorities on the subjects of forgery, embezzlement and secure documents. Check out his website for more details on his life's work in the last 30 years. Ironically, the guy who literally started check-fraud has been at the helm of defending against it for the better part of his life.

This irony presents itself in the security industry again and again: the guys who now defend the world are the ones who were once defended against. There is nothing wrong with it and maybe that's the way it should be, but I just found the thought very interesting.

Sunday, November 2, 2008

The Rise and Fall of Gas!

People who have been following the economy know the state of gas (petrol) prices. But I can provide a visual reinforcement of that fact, clearly showing the bumpy ride that gas prices have followed over the year. The following graph is plotted using data collected by me over the last one year on gas prices in the Southern California region (in Los Angeles County and Orange County). The way I collect the data is by diligently recording the date, the mileage since the last fuel fill, price of gas, gallons filled and location every time I visit a gas station to refill my car. This data helps me keep a check on my car's fuel efficiency and also serves as an early warning diagnostic system for problems. (As an aside, I once noted a consistent drop in my mileage over a period of 2-3 weeks. It turned out to be due to carbon buildup in my EFI system. Quick action probably helped me save some engine life :) ).


The plot clearly shows that gas prices started around $3.0 per gallon at the beginning of the year, climbed all the way up to $4.7 / gallon in mid-2008 and are falling to less than $3.0 / gallon at the end of the year.

Can one predict which direction the curve is headed now? I cannot.

Thursday, October 30, 2008

The Anonymity Paradox

Scott McNealy, the former founder CEO of Sun Microsystems, once famously remarked on privacy: 'Get over it'. This was a very bold statement to make, especially for the CEO of a reputed company, but he nevertheless spoke out of his experience. It's almost ten years since that statement was made and anyone who even barely uses the internet today wouldn't disagree much with Scott, though all of us would still want to believe in a perfect world.

As an aside, privacy and anonymity are closely linked though there are subtle differences. Anonymity is keeping one's identity secret while privacy can imply keeping identity plus other information secret. For the purposes of this post I will consider privacy and anonymity the same and use them interchangeably.

In my opinion, privacy and connectivity are complementary ideas, i.e. both cannot coexist. The moment you are connected to the internet, your privacy ceases to exist. I believe that this is an unfortunate but true fact and one that people often find hard to digest. But believe it or not, total privacy does not exist in a connected world. At some level, privacy is just like security, i.e. there is nothing like total privacy just as there is nothing like total security.

I can offer many reasons for this :
  • Every time we do an online transaction and give out our Name, Address and Credit Card details, we are essentially "hoping" and trusting that the website will not leak out our data. Some informed users may go one step further and check if the website displays a secure logo like HackerSafe or McAfee Secure etc. Unfortunately, as detailed in this blog, it turns out that these certifications are mostly useless and can be easily sidestepped.
But name, address and credit cards are not the only definitions of identity and hence privacy. There are still many ways of inferring identity. A few of them are :
  • Almost all websites that you browse will always log your IP address which can always reveal you or your ISP or your Organization. That is, you can almost always be tracked back.
  • With the explosion of social networks and wikis, we are getting into the habit of revealing too much information about ourselves, our families, pets and everything that was once personal to us to a much wider audience. This voluntary disclosure of information is in effect resulting in very complex attacks on privacy as witnessed in the Sarah Palin and Paris Hilton case.
  • The notion of Googling for information has caught on so much that we inadvertently reveal "stuff" about ourselves to Google when we type in the search bar.
  • Every time we open our Gmail account and browse our emails, we also get with it some relevant advertisements placed alongside our emails. What this means is that there is a program out there that is parsing our emails and trying to "understand" us.
  • Websites that measure website usage statistics such as Google Analytics also impact privacy in some way by storing information about your visits to websites (tracked by your IP) on their servers.
All this is fine, but where is the paradox in all this?

To state simply, my Anonymity Paradox is :
While it is difficult to maintain anonymity on the internet for the common user, the same internet offers a magical cloak of anonymity for hackers.
I was myself amazed when this realization struck me. Users find it difficult to keep their identities secret but hackers get away with their mischief while hardly ever being tracked down. The big reason for the existence of the malicious hacking industry is this cloakability that the internet offers. Purists might argue that the law has been able to track down hackers but I do not think they will disagree over the fact that the ratio of captures to hacking incidents is very appalling at best. Hackers typically get caught when they themselves make a stupid mistake which compromises their anonymity (for instance see how Palin's hacker was caught).

So at one end we have people cribbing about privacy on the internet while at the other end we have bad elements basking in the glory of the anonymous internet. To me, it looks like this is the way it is going to stay. Just like fire does not know intent and just burns whatever it is asked to burn, the internet just does what it's being asked to.

Does this all make sense?


Thursday, September 11, 2008

The NEWS Equation

Our life today is controlled by media. Be it newspaper, television, radio or the internet, we depend on news for a lot of our day-to-day decisions and sometimes even blindly. This fact is well understood by media companies, governments and businesses alike. Unfortunately, it is also being used actively to mislead the common man. News today is no longer simple raw information; it undergoes a complex process of editing and mixing before being delivered. Thinking over it for some time, I feel that the media companies operate a huge mixer which continuously churns out news according to the following equation:

NEWS = x% Information + y% Hype + z% Personal Biases + w% Political Biases 

Different media companies use different values for x, y, z and w and yield different types of news. A case in point is the recent news about the bootup of the Large Hadron Collider (LHC) at CERN. A channel called Aaj Tak in India ran a TV series which would have made a layman believe that the bootup of the LHC would destroy the world. In this case, their percentage of hype was very high and little factual information was presented. If they had done even a simple Google search for the LHC and the myths surrounding it, they would have realized that speculations about the formation of massive black holes have long been dismissed by eminent scientists. But the media today is more interested in their own TRP ratings and very little interested in presenting facts.

Saturday, August 23, 2008

When will people learn ?

Airtel (one of India's leading cell phone providers) has recently tied up with Apple to offer the iPhone 3G in the Indian market. Everything is good, but is the following sort of sales pitch necessary to sell iPhones? Airtel is quoted here as saying:

"even the most deadly hackers on the planet won't be able to crack the
codes that support the iPhone's Airtel applications with rival company
SIMs."

My question is: WHY??? Even if you really have provided tamper-proof security, throwing an open challenge to the highly skilled and distributed hacker work force on the internet is nothing short of the proverbial "hitting the axe on your own leg". Such stunts may be good to test your products before entering the market but not once the products are already out there. Such stupidity has surely attracted the bees and it's just a matter of time before the bees sting.

Monday, July 7, 2008

On predicting futures

You read it right. It's 'futures' and not 'future'. As historians and futurists would likewise agree, there is only one history but many futures. To put the remaining post in perspective, the post was prompted by an article on Wired called 5 Things Wired Pronounced Dead Prematurely. From the article,
Web browsers (March 1997) Push media was about to supersede browsers. Or not. If we could push this claim from the archives, we would. (Original Article)
It's not so important that they got this wrong; the larger point is that, as humans, we are very bad at predicting future events. As Nassim Taleb (author of The Black Swan) puts it, the future is non-linear and thus any attempt to predict it with the available knowledge and available trends is futile. This point chimes in with the earlier point of there being one history and many futures. The main idea behind these arguments is that there are some unpredictable events that can completely change the course of progress.

I believe the browsers could not be obsoleted by push media for the following reasons:
  1. Emergence of Firefox and its wonderful plugin framework
  2. Emergence of blogging
  3. Syndication of content via protocols like RSS
  4. Emergence of Web 2.0 (stuff like Ajax, Web Services etc)
  5. Google's efforts to turn the browser into an "operating system" by providing critical business software from within the browser.
What we see more often today is that push has merged itself into the browser instead of obsoleting it.

Thursday, June 19, 2008

Surfing in a hostile world !

To get a hostile view of the world we surf in, here are a few statistics about all the current day malware forms coexisting with us.

A few highlights (as of today)
  1. There are around 3000 botnet command and control servers active at any time in the day.
  2. There are around 100K bot machines (using a 30-day age value of each bot).
  3. The US has around 4500 bot C&Cs (the largest in the world). Interesting to see that China is way down the list with only 115.
  4. There were around 3.5 Million unique malware binaries seen in October 2007, with the number of unique binaries being at least 1 Million every month ever since.
  5. The 0-day detection stats for antivirus vendors are very interesting. Out of the 68000 samples of new malware that were tested against well-known vendors in the last 24 hours, the really well known ones like Kaspersky, McAfee etc. were able to detect only 70% of them while AntiVir detected around 98% of them. Curiously, Symantec is not on the list.

These statistics are from ShadowServer. Shadowserver's statistics are generally considered very reliable in the security community. It is not clear to me what percentage of the address range they monitor but the stats are nevertheless very revealing.

Sunday, June 8, 2008

Technological Singularity: Warning in disguise? - [Part 1]

I was recently reading about the technological singularity that a lot of who's-who in the field of AI/Robotics (Ray Kurzweil, Hans Moravec, Vernor Vinge etc.) are talking about. The June'08 IEEE Spectrum runs a special feature on this called "Rapture of the Geeks". Reading through the articles (and also having read Ray Kurzweil's The Singularity is Near) I have a few questions on some of the predictions that futurists are making. I am trying to get feedback on these issues from some well known folks in the field and will post them as and when they become available.
  • One popular view of technological singularity predicts that machine intelligence will surpass human intelligence in the next few decades and we will have machines building more intelligent machines presumably not under human control. This means that humans would have succeeded in building something which can replace us at the top of the intelligent species list. If this is indeed true, then wouldn't it make human existence meaningless and eventually result in our extinction? Or worse, we may end up being pets to a superior intelligent species :) . My point is, if humans are smart, why would they let this happen?
  • Ray Kurzweil predicts that singularity is just 3-4 decades away. He builds up his arguments based on the technological revolutions in genetics, nanotechnology and robotics. Innovations in these areas may help us build machines smarter than ourselves but they all would lack the consciousness that sets humans apart. Thus they can all be more efficient than us but presumably not "street smarter" than us. Some scientists also predict that we will be eventually able to give our consciousness to these machines. But what would that help us achieve? Will it help us better our own lives or make us extinct?
  • Assume that the singularity does eventually happen, what makes us feel that we will be able to build a set of guiding principles under which our intelligent innovations will work? And why would those conscious intelligent beings follow our guidelines instead of inventing their own efficient guidelines? Isn't this similar to humans having children, children growing up and then deciding themselves on what's right and wrong? The only difference here being that these android offspring would be far more capable (and lethal) than human children.
  • The final question is, if our technological progress is indeed pointing towards a singularity, then should we take it as a sign of progress or a warning for our future?

Saturday, May 24, 2008

Security is all about breaking assumptions !


Anyone with a slight understanding of security would appreciate the fact that security is all about breaking assumptions. Any system is always built with certain assumptions because otherwise the system requirements will tend to be infinite. Hackers always target the assumptions to break the system. It thus becomes very important for system and process designers to be very careful about the assumptions they make for their system. I believe that systems which stand the test of time are the ones that have their assumptions clearly laid out and which provide their users a clear understanding of the strengths and weaknesses of the system.

While one may say that the above is clearly very logical and there is nothing surprising about it, reality indicates that not many get this simple axiom right. But there seems to be a paradoxical situation here. I said that a system cannot be built without assumptions and also that security is all about breaking assumptions. So that would imply that there is nothing called 100% secure !!! And as it turns out, that is precisely the point.
Vendors who claim that their products provide 100% security or are 100% secure are essentially trying to fool the customers or maybe even themselves.

A case in point: there was a very recent incident in the US involving the company LifeLock (read this). LifeLock is a company which guarantees protection against identity theft. In fact, its CEO advertises his own Social Security Number on the website and claims that their service guarantees complete protection against identity thefts. They do this by setting fraud alerts at the three major credit bureaus, namely Experian, TransUnion and Equifax. They thought that by doing this, anyone who tries to use an SSN not belonging to himself will get caught. But they made a very, very big assumption here: that outfits like credit card companies, banks etc. will always run a credit check before activating services for an individual. Guess what! They were proved wrong in a really stupid way. Someone stole the CEO's own identity from his website and took a $500 loan in the CEO's name. The reason the fraud alerts did not get tripped was because the loan company did not bother to run a credit check at all!!

The take home message from this post is thus two-fold
  1. If you are a customer, carefully evaluate the security assumptions yourself without getting sold on the vendor's advertising.
  2. If you are a vendor, make sure that all your assumptions are clearly stated and avoid hidden ones.

Sunday, November 18, 2007

A case for reconfigurable work spaces !

If you feel that you are a very efficient space utilizer/designer, please reconsider after watching this video! The following video on YouTube would make a very good case for "reconfigurable work spaces". I don't know if there is such a term already but I cooked it up after seeing this video. Watch it till the end! It's a scene shot by someone in Bangkok.