Following is the essay you can designate as Volume 10, Number 24 of
This Week’s Clue, based on the e-mail newsletter I have produced since
March, 1997. It would be the issue of June 11.
Enjoy.
As a family cook I know the phrase "mise en place."
It’s French, loosely translated as everything in its place. It means you get your ingredients and tools all together before you cook. For professionals it means you take care of your station, making sure you have everything you need (including knowledge of what you’re to do) before dinner service begins.
The Fox TV show Hell’s Kitchen deliberately ignores the lesson of mise en place. Instead they throw a bunch of untrained goofs into a kitchen, open the doors and tell them to cook gourmet meals. It’s ridiculous. Everyone knows that rehearsal is an essential ingredient in mise en place. But it’s more fun watching young dreams crumble, or watching a perfectionist be cruel. Like most reality shows, it’s completely unreal.
When most of us go on the road, the world becomes something like
Hell’s Kitchen. We lose track of our mise. It’s not just our passwords,
but our screensavers, wallpapers, the order of our applications, our
calendar and phone directory — it only exists on one computer, yours.
The short-term answer is to keep everything on one laptop and take
it with you. That’s what my lovely wife does, and I’ve learned that
many companies are now going this route. She has a docking station at
work, a big keyboard and mouse at home, and she lugs the box 90 minutes
each way, on her back, every day. In the winter, she puts a cloak over
her backpack to protect the laptop, and looks like the Hunchback of
Notre Dame. (I think she looks cute.)
You know the danger in this. If the laptop which holds your mise en
place is lost, stolen or broken, you’re hosed. I have the same problem,
only these days it’s on a desktop.
Curing the lack of mise en place in our working lives is one of the great technical challenges of our time.
The Google method for doing this is through the Web. Make everything
a Web service. Sign in to Google and there are your files, there is
your mail, and there are your applications. Problem solved.
Well, problem not solved. Google authentication is through a simple
password. Maintaining your identity on the network makes you
susceptible to truly awesome identity theft and (if you’re paranoid)
police seizing of all your stuff. All you need is one person calling
you a potential terrorist or sex offender and your life is an open
book. Big brother, heck. What about little brother Google? They promise
not to do evil, but our definitions of evil differ. Maybe they would
think they’re doing good. Bush thought he was doing good when he
invaded Iraq.
What happens in corporate networks that adopt the Google approach is
that just part of your life lives on the network, the work part.
Everyone learns to self-censor. Don’t put the important stuff on the office network. Compartmentalize yourself. It’s schizophrenia as policy.
Beyond this, how do you customize Google? Sure, they have some
features for ordering things on the page. But it will never look like
your stuff, it will look like Google’s stuff.
There is a ton of stuff we all have which we find we need when we
sit down. User names and passwords. Bookmarks or favorites. Our email.
The calendar. Our phone directory. Our applications, in the places we
like them. The specific set-up for our mouse (I keep mine on the left,
but set the buttons as though I’m right-handed.) There are hundreds of
such things.
Why not put them on a stick?
The idea is not original. There are now software programs which are designed to run on stick memories or "thumb drives." Roboform
has a version of its password software for sticks. And stick memory,
unlike most other things today, is giving you the full benefit of
Moore’s Law. It’s amazing how each time I go by Fry’s, I find them
advertising new, higher-capacity sticks at lower and lower prices. Last year I was happy with a 512K stick. Now I wouldn’t walk across the street for one with less than 2 GB. Next year I want 8.
So you can put a lot more than passwords on a stick. Why not put all
the stuff you need to get working? Then you can walk up to any PC, plug
your stick into the USB port, and the computer becomes yours. Go
offline, pull out the stick, and every trace of you goes into the
stick.
A lot of this gets wrapped into the question of identity, of proving
who you are. It’s a discussion most Americans don’t even want to have.
They’re afraid of it. They’re afraid that if they are identifiable,
they’re also traceable — big brother, little brother, or ex-wife can
swoop down and cart them off at a moment’s notice.
As the problem of mise en place is the technical challenge of our
time, so this problem of identity is a key political challenge. Credit
cards, passports, drivers’ licenses, papers of all sorts, all require
better, ongoing proofs of identity than we’re politically willing to
offer. Instead we argue about how all these protections can be broken
— fingerprints can be forged, iris scans can be copied, everything is
so intrusive.
And here we come to the greatest irony of our time, the force which
seems to have stopped Moore’s Law in its tracks. Politics. So many
things which look at first like technical challenges turn out to have
political dimensions, and politics turns out to be intractable. We
argue around the problems, we set laws we can’t enforce, and we deny
progress in the name of political desire.
Somehow, through this era of political crisis, we need to get our mise en place. In another era we’d say we need to get our shit together.
I’m not sure the memory stick is an improvement over the laptop. Sure it’s easier to carry, but it is also easier to lose/have stolen. They’re both fairly easy to break. Both can be backed up and heavily encrypted to mitigate loss and theft. Of course if you use heavy encryption, your memory stick may not work fast enough on just any computer anymore. Meanwhile, Google is far from the alpha and omega of online storage/applications. Happily, technology seems to be moving forward nicely and providing us with several developing options. On the political front, a key battle will be keeping strong encryption legal for the private citizen (a freedom your beloved Dems have tried to take away before).
Dear Dana,
I believe that your concerns about the risks of web applications are sound, but I also believed (and proved) that “zero-knowledge” web apps are possible.
Clipperz is an online password manager, but it mainly gives a practical demonstration of a new breed of web applications: the “zero-knowledge” web apps.
Applications where the provider is simply in charge of delivering the Ajax code to the user’s browser and then storing user’s data in an encrypted form on its servers.
Clipperz lets you submit confidential information into your browser, but your data are locally encrypted by the browser itself before being uploaded.
Detailed information about the crypto foundations.
The “zero-knowledge” paradigm could be used for a wide range of applications: a personal finance manager, a confidential to-do list, patient records for physicians, …
Clipperz does not use homemade cryptographic algorithms but implements standard strong encryption schemes (AES, SHA2, Fortuna, SRP, …).
Since Clipperz is a huge Javascript application, you can review the source code anytime you like. The whole source code is downloaded to your browser before you sign-in, so you can easily check if it is a genuine version.
More info about performing a security code review.
You can even include the Javascript code of our crypto primitives in your web applications since we packed them into the Clipperz Crypto Library, released under a BSD license.
I would be honored to know your opinion of Clipperz and of “zero knowledge” web apps.
best regards,
Marco
Clipperz co-founder
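The client-side encryption model described in the comment above, as an added example that is not part of the original comment and is not Clipperz code: Node's built-in crypto stands in for the browser, scrypt and AES-256-GCM are assumed choices, and `serverStore`, `upload`, `download` and the other function names are hypothetical.

```javascript
// Added example: encrypt on the client, store only opaque records on the provider.
// Assumptions: Node's crypto stands in for the browser; all names are hypothetical.
const nodeCrypto = require('node:crypto');

// Constructed stand-in for the provider's storage; it never receives a key.
const serverStore = new Map();

// Derive a 256-bit key from the passphrase; the passphrase stays on the client.
function deriveKey(passphrase, salt) {
  return nodeCrypto.scryptSync(passphrase, salt, 32);
}

// Encrypt locally; the record ID is bound as associated data so the provider
// cannot silently swap one stored record for another.
function encryptRecord(passphrase, recordId, plaintext) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv);
  cipher.setAAD(Buffer.from(recordId, 'utf8'));
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return {
    salt: salt.toString('base64'), iv: iv.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'), ct: ct.toString('base64'),
  };
}

// Decrypt locally; throws if the passphrase, record ID or stored bytes are wrong.
function decryptRecord(passphrase, recordId, blob) {
  const key = deriveKey(passphrase, Buffer.from(blob.salt, 'base64'));
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, Buffer.from(blob.iv, 'base64'));
  decipher.setAAD(Buffer.from(recordId, 'utf8'));
  decipher.setAuthTag(Buffer.from(blob.tag, 'base64'));
  const pt = Buffer.concat([decipher.update(Buffer.from(blob.ct, 'base64')), decipher.final()]);
  return pt.toString('utf8');
}

// "Upload": only the serialized ciphertext record crosses to the provider.
function upload(passphrase, recordId, plaintext) {
  serverStore.set(recordId, JSON.stringify(encryptRecord(passphrase, recordId, plaintext)));
}

// "Download": fetch the opaque record and decrypt it on the client.
function download(passphrase, recordId) {
  return decryptRecord(passphrase, recordId, JSON.parse(serverStore.get(recordId)));
}

// Everything the provider can read for a given record.
function serverView(recordId) {
  return serverStore.get(recordId);
}
```

The provider-side record holds only salt, IV, tag and ciphertext. The property holds only while the client runs the code that was actually reviewed.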
Dana, as usual, you hit the nail on the head with a big bang.