My friend Yvonne Burgess helped me move out of my house in Berkeley in 2010.

Moving is something I'm very bad at (even though I do it a lot), and something she's very good at. I went back to Calif with about a week to pack up the house, give away a lot of my stuff, put the rest in storage, before turning it over to the new owners and returning to New York. I went there having no idea how I was going to do it. Yvonne saved my ass. It was an amazing experience.

One of the things I left behind was a drawer full of fortune cookies. Every time I ordered takeout, apparently, I saved the fortunes, in a special drawer in the kitchen. I have no memory of doing this. Yvonne did something beautifully creative with this collection, turning it into a collage, which she sent to me in NY in August of this year. Here's a scan of it.

Click on the image to see a full-size version of it on Flickr.

And here's Yvonne's blog post about the collage.

What an amazing thing to have a friend like this.

PS: Yvonne is a programmer. So much for me remembering all the programmers I've ever worked with.

9/8/2013; 3:18:44 PM

First question.

I have an app that's written in JavaScript and runs in the user's browser.

How can I be sure the code isn't changed as it passes through the NSA gateway?

I'm currently using an Amazon S3 bucket over unencrypted HTTP.

Clearly it's not secure, and the code could be modified as it passes through any of the gateways it has to pass through to get to the user.

I like S3 because it's inexpensive, reliable, easy and efficient. But not, in this sense, secure.

I don't think there's an answer today for even this very simple use-case.

But I'm certainly open to ideas.

Update: To be clear, if Amazon S3 had easy and inexpensive secure HTTP, that would take care of this issue, it seems to me.

9/8/2013; 12:38:41 PM

Disclaimer: To be clear, up front, I am not a security expert. My area of expertise is in editorial systems and content management.

First, I want to commend the Guardian for adding technical expertise to their team that's trying to make sense of the NSA disclosures. I've been saying this for a long time, you can't separate politics and technology, yet reporters have been trying to do that, even smart diligent reporters like Glenn Greenwald.

They brought on Bruce Schneier who is widely regarded as a security expert. He is someone I'm willing to listen to, and even follow, but I wonder if he's ready to lead.

There's a big job in front of us in the technology world, to try to put back together a semblance of security. Or else we don't have a banking industry, as one example. Want to make an airline reservation on a wide-open system where anyone can read any record at any time? I don't want to fly on that kind of airline, yet we are, and have been.

It's so wrong that the government has done this to us in the name of security!

Anyway, I have only met Schneier once, in public at an O'Reilly conference in 2002. He said something very wrong about a protocol I was a co-designer of. Making mistakes is okay, but you have to be willing to listen when an authority on the subject says you made a mistake. Schneier wasn't willing to listen. He had a couple of snappy dismissive responses. This isn't how you lead.

http://scripting.com/2002/05/16.html#shneierSunSoapReed

That was eleven years ago. Let's hope if Schneier is going to lead us now, that he's got a more sensible view of who can and can't be trusted. I think we're on the same side, he and I, for simpler protocols, easier to understand, and trustworthy computer networks. And, I hope, empowered people.

Back then, and now, I am a content management guy, not a security guy. I was searching for any network protocol that would let us connect users' machines with the servers that stored and rendered the content. The work we were doing then led to some pretty important things, in retrospect.

The first I heard that Schneier had a problem with our work was sitting in the audience at a major conference, where he offered a conclusion about our ethics, not a question, or even better a suggestion. It's true, we did want our messages to go through firewalls, because our users were not generally people who knew how to configure them, or who were trusted to do so in their organizations. Further, we wanted developers to be able to use scripting languages to build implementations of the protocol, and most of them at the time had HTTP support built-in. Finally, our application was publishing, the data flowing over our wires were blog posts and feed items. Imho this is exactly the kind of stuff HTTP was meant to carry, and didn't in any way represent a security issue.

Later, people wanted to use these protocols for banking systems. I guess Schneier's issue was with them, not me. But it didn't come out that way, and the people who came to hear him speak that day, and presumably on other days when I wasn't in the audience, got the wrong impression, and imho bad advice. My guess is that Schneier doesn't think in terms of content management, which is fine. But have the perspective to understand that there are uses of networks other than those you understand. There is specialization in networking, that should not come as a surprise.

We can't fight among ourselves this way anymore. We never should have in the first place. Let's work together, patiently and generously. That's why I'm writing this piece today.

9/8/2013; 9:08:50 AM