1. If you are logged into Facebook but then surf around the web, you will be transmitting personal details from your facebook presence to the other web sites
2. When other people surf the web, they will be transmitting data about their relationship to you. This seems like the worst example.
3. Trying to improve your privacy settings requires negotiation of a dozen pages with 170 different privacy settings.

There is now an organized protest to avoid logging in to facebook on 6/6/2010. That’s an easy one. I think it’s time to dial back and see what it feels like to not use facebook. Unfortunately I’m logged in on so many places that it will require a witchhunt to log out everywhere. Anyway, this blog post will still eventually show up there, but I won’t.

One of the recent events that annoyed me is that people have been giving one of my email addresses to facebook in trying to add me as a friend. This was apparently caused by someone uploading their email contact list, but in doing this they gave private information between the two of us to a third party, namely facebook. I am always appalled by how freely people will give away private information belonging to someone else, and think nothing of it. Facebook is openly preying on this ignorance. Shame on both of you.

Anyone out there interested in dissecting a potentially rogue PDF file?

If you try to shop on craigslist, you regularly come across semi-obvious scams, and there are even more scams that are fairly well concealed. I am now getting several spammers a day following me on twitter, and my spam folder on my personal email account typically has 5,000 spam messages in it (I never look at them).

All of this is a reminder that a lot of people on this planet try to make their living from fraud and other criminal activities. Technology has become an enabler for these scams, and the most chilling offender in my mind is voice over IP, which makes phone calls from countries like Ghana essentially free. People who are naive or lonely or otherwise vulnerable (particularly senior citizens) are going to fall victims to this criminality. It used to be that if you wanted to avoid crime, you could mostly do this by sequestering yourself in a civil part of the world. The Internet is making that more difficult.

A long time ago a banker explained to me that bankers didn’t hold money – they were in the business of managing trust. They conveyed trust to their depositors and investors, and they held trust in their borrowers. In order to make a business out of this, they had to be shrewd in estimating the value of risk. In the old days they were able to apply their knowledge of social relationships and markets in order to come up with reasonable values. Bankers in a community generally knew who was a good risk for a loan, either because of their relationship in business or through their track record in fulfilling previous commitments.

Unfortunately, the mortgage business was taken over by a set of people who had no way to accurately quantify trust. This is one of those areas where sound human judgement was replaced by algorithmic quantitative analysis, and the results have not been pretty. I always looked suspiciously at the “science” of risk assessment. I’m amused by the fact that the wikipedia entry on risk assessment contains an automatically generated message saying that it contains “weasel words”.

The underlying problem in risk assessment is trying to estimate the probability of an extremely rare event – perhaps an event that has never even been observed to happen. Such estimates are by their very nature wild speculations, with variances that are larger than the mean. Any estimate of the probability of such an event has to be taken with a grain of salt the size of a dump truck.

The application of unsound algorithmic practices and gut instincts has resulted in a massive erosion of trust in our society. In the pursuit of profits, mortgage lenders through out sound predictive methods and substituted unsound analytic techniques instead. When Bush stands up and says that our economy is in a crisis, everyone remembers that he used the same argument for going to war in Iraq. When banks start to question whether borrowers will pay back their loans, they start to hoard their assets and financial liquidity evaporates. When investors (including myself) see a rapid and unpredictable erosion of value in the stock market, they pull out rapidly, further eroding the value of the stock market.

The question is – what will restore this vacuum of trust? Trust is something that is easily lost, but hard to gain. What can be lost in moments will sometimes take years to recover. The U.S. currency is imprinted with the slogan “In God we trust”. That may be true for some, but I think the correct slogan would be “In experience we trust”. We need some better experiences in order to regain our trust.

The invited talks were a pleasant part though. Gilles Brassard gave a nice historical account of the development of quantum cryptography. I always thought that it was a very nicely motivated topic, providing a nice alternative to the Shannon Information-theoretic model and the well worn complexity-theoretic model based on Turing machines. I was somewhat suspicious of the claims that it is economically viable, but customers generally end up resolving that one.

Adi Shamir gave a nice talk about algebraic attacks on crypto algorithms. His fundamental observation that crypto algorithms can be expressed as boolean polynomials provides a nice mathematical framework to work in, but it wasn’t clear to me from the presentation when it will be practical. I guess that’s part of the fun – trying to linearize things for analysis.

The rump session featured a nice talk on faith-based cryptography. It reminded me that many people in the field still throw around the term “provable security” in spite of the fact that the term is misleading. For most cryptographers their goal is to produce theorems rather than security, so they are completely satisfied if their output is “A implies B”, even if the majority of users of cryptography have little reason to believe in A. I guess you have to have faith.

In the end I concluded that I made the right decision to concentrate my creative energies outside of cryptography. Theorems are nice, but most humans have no use for them.

Over the years I think cryptography has become less interesting to me, in part because of the formulaic trends of the mathematics, and in part because there is very little integration with the needs of humans. In reality the demand for cryptography is much less than it would seem, and few people are willing to pay extra for it, or change any of their habits. If cryptography is going to have any greater impact in the world, it is going to have to be better integrated with how humans think about and interact with information.

I still make the annual pilgrimage to Santa Barbara, but this year it is vacation and it’s primarily a social visit. I still like the subject, but I fear that the impact of the field stopped growing at least ten years ago. Most of the papers that are presented are devoid of any discussion about real systems or human interaction with information, but there are still interesting ideas that emerge. I’m looking forward to it.

Email providers are largely distinguished today by their ability to accurately filter out spam. There is a huge of amount of absolute crap that is sent, but most of this is easy to handle. The problem is around the fringes, with organizations that cleverly piggyback their spam on top of other things and squeeze their way into your attention.

I recently came across the following cartoon, which is a joke that is so obscure that few people will get it (you need to know what sql injection attacks are). Still, if Frank Zappa could name his daughter “Moon Unit” (sister of Dweezil), and David Bowie could name his kid “Zowie Bowie”, then I suppose hackers should have the right to choose equally amusing names.

(it has been commented that this originally came from xkcd.com, but I found it elsewhere on the net. The only reason it is hosted on my site is to make sure it is persistent.)