The code less trav­elled

Jonni Bid­well had never talked to any­one who pro­grammed BA­SIC for he­li­copters. Un­til he met Eleanor McHugh…


Eleanor McHugh takes us on a journey from a physics degree to Visual Basic helicopter navigation, to the idea that a right to privacy is a delusional ideal Jonni Bidwell should let go.

on wanting to join the arms race… “This was in the 1980s and there were huge amounts of money in Strategic Defense Initiative-type projects, and really I wanted to build rail guns and gamma ray lasers”

Eleanor McHugh describes herself as a privacy evangelist and freelance reality consultant. Her “accidental career” has seen her working on avionics, satellite comms, broadcast TV and, latterly, digital identity systems. She’s also a speaker at Ruby and Go conferences. We met her at the O’Reilly Software Architecture conference in October 2017 to find out more.

Linux Format: You’ve had quite an illustrious career path: trained as a physicist, worked on aircraft systems and are now involved with digital identity management. It’s quite dizzying just thinking about it. Can you tell us a bit more of your story?

Eleanor McHugh: It’s a purely accidental career. When I went to university I wanted to go off and build rail guns.

LXF: I can sympathise.

EMcH: This was in the 1980s and there were huge amounts of money in Star Wars type projects [see Strategic Defense Initiative], and really I wanted to build rail guns and gamma ray lasers. Unfortunately, I spent too much time at uni hacking on computers and not enough time paying attention to electronics lectures. I disastrously ruined my degree the first time and had to resit it. At that stage, the only thing that I was qualified to do as a mainstream job was advise on the safety and control systems of nuclear reactors, which isn’t a particularly broad market.

LXF: Hey now, if it’s good enough for Homer Simpson…

EMcH: Yes, and I must admit I’ve watched him over the years and thought to myself, “If only”. But I don’t think I could be trusted with that responsibility in the long term. So after a couple of years of doing the kind of stuff you do when you finish uni and haven’t got anything to do, I figured that I’d spent all of my life playing around with computers anyway – I’ve been coding since I was about 11 – so I thought, “Why don’t I do that? How difficult can it be to earn a living as a programmer? They’d be paying me to do what I love.”

Except that’s not really how it turned out. I drifted through an MSc, and then by accident a friend was working on aircraft control systems. He invited me to do a very short project for three months that would’ve paid for my MSc. I needed a dissertation topic and I needed the money, and he insisted it would only be three months. So two and a half years later when I finally got out of that particular field I was a burnt-out wreck. Yet I had created something that I’m still incredibly proud of, but which shouldn’t exist: a cockpit navigation system written in Visual Basic 5.

LXF: I am at once impressed and terrified.

EMcH: It was certified for use in emergency service helicopters in Derbyshire, Durham and Strathclyde. Real lives being saved by this damned thing I made. As I say, I emerged from that a burnt-out wreck. I think a lot of people’s first programming job was like this: working stupid hours, not sure what you should say no to.

So I drifted through a cou­ple of projects with a team do­ing satel­lite com­mu­ni­ca­tions, then over into real-time broad­cast con­trol net­works for tele­vi­sion. I got burnt out on that, too: four years of deal­ing with a client who was very, er, spe­cial left me not want­ing to deal with peo­ple any more. I think I went for about seven months with­out speak­ing to any­one.

Then I was sucked into this weird project by a friend. He was the CTO of an ISP based up in Cam­den – it was the only cer­ti­fied ISP that could do DNS reg­is­tra­tion. Be­cause he was my best friend’s fiancé she bul­lied me into go­ing to a project for him be­cause he needed some work do­ing and couldn’t re­ally af­ford it and I would do it on the cheap. Friends… they don’t care about your mort­gage. He jumped ship from there be­cause he got this bril­liant of­fer to CTO an­other project with an­other com­pany. I was left be­hind with this thing, they just sold the com­pany, and the peo­ple that bought it didn’t want to build it. I didn’t re­ally want to build it ei­ther. But they did want to keep pay­ing me for three months so that they at least had the op­tion to build it.

In that time he put together this team to work on something called dotTel. The idea was that ICANN wanted to prove that DNS could be used for more than just looking up machines. So it was really the start of the whole move toward novelty domains. I think at the time they were called sponsored gTLDs. And it was a totally mad project, because what they really wanted to do was take a global address book system, which they wanted to implement as an identity system. They’d been trying to do it with LDAP, and unfortunately LDAP doesn’t scale to the world.

So they just ported the de­sign into DNS, they brought in two very highly re­garded DNS ex­perts who were re­spected IETF mem­bers, who also hated each other and couldn’t work to­gether. If one said “black” the other would say, “I’d go for white, but white isn’t far enough away from black.”

Up until then I had mostly specialised in large projects, but as the only developer on them. Rapid development to see what was possible, and then putting that into production if it worked and when it was ready. So they wanted me to build prototypes of all these systems that were going to sit behind it and do all the provision of DNS and everything. It was my first privacy project, although we didn’t really think of it as a privacy project, and it’s where I first worked with my current business partner.

LXF: What did you work on?

EMcH: Some really weird stuff. The trouble with coming from a physics background is that you’re always looking to figure stuff out. And not in an engineering sense of, “Let’s get it to where it works.” There’s always this lurking desire to find some grand theory behind things, ideally one that will cut down your work in the future.

I worked for this com­pany for nine months, then it sacked me, then it paid me for six months as a con­sul­tant to fin­ish build­ing the pro­to­types, but I wasn’t al­lowed in the build­ing. Un­for­tu­nately, the orig­i­nal CTO died and the new guy wanted a clean sweep, a whole new ap­proach and a whole new team. He was happy to throw money at a large or­gan­i­sa­tion to build all their soft­ware, but no­body could build it be­cause no­body could un­der­stand the doc­u­men­ta­tion. No­body ex­cept me.

So I ended up pro­to­typ­ing this thing in Ruby, which by and of it­self was weird, but hey, at least it’s not Vis­ual Ba­sic. My busi­ness part­ner was work­ing on this project be­cause he’s a cryp­tog­ra­pher. So we started try­ing to solve prob­lems around all these peo­ple us­ing this pub­lic data store, but at the same time keep­ing per­sonal data pri­vate to just them and peo­ple they wanted to “friend”. This was around 2005-6, just when Face­book was be­com­ing a thing.

So everyone was obsessed with trying to solve this friending problem, and you really didn’t want to put friending in DNS, because that’s the last place you wanted to put your friends’ data. I will admit that I wasn’t necessarily in the best state of mind when I got out of that project, so I went off and did some stuff that was properly dull by comparison – a few bits of consultancy and some public speaking about real-time software.

LXF: But you’re back involved with privacy stuff now?

EMcH: Yes, and again it was more or less by accident. When we parted ways my business partner and I decided that we wanted to build a decent network distributed operating system. It’s a problem we both had an interest in, but also a problem that’s a bit like, “How long is an endless piece of string?” It’ll never get done. But it enabled us to continue doing private research together outside the scope of our commercial work.

In 2012 I was ap­proached by a mar­ket­ing com­pany to do some work for it. It was sup­posed to do with global scal­ing stuff, be­cause it pro­vided back-end sys­tems for large multi­na­tional com­pa­nies’ mar­ket­ing op­er­a­tions. And lo and be­hold, within about three weeks of start­ing with this firm, up pops a project for a coun­cil that re­quired a deep knowl­edge of cryp­tog­ra­phy in or­der to build a data store.

So I did that, then up pops this requirement from a tier one bank: “We’ve got this global marketing competition system, we need to do single sign on (SSO).” So the next thing I know I’m writing this SSO identity system for global deployment on this one awful Rackspace box (hosting two VMs) that was never up to the job.

That got me back into the crypto stuff, and off the back of it took our research in different directions. And we thought maybe we could do this global identity system properly. We knew what went wrong with it the first time, we’ve seen an example of how we can do anonymous token exchange for this SSO. My business partner’s background involves a lot of public key infrastructure (PKI) so he’s seen how PKI doesn’t really work for smartcards, identity cards and all these sorts of things. So we had a whole list of stuff that we knew not to do, so we thought, “If we just don’t do those things, then surely we’ll have stepped forward,” at least compared to what everyone else was thinking.

We spent a couple of years working with a client on a particular project and found ourselves involved with privacy in a way that most people working in the area just aren’t. Rather than trying the angles that people have traditionally used to solve this problem, we opted for building from the ground up using anonymity.

So for the past three years I’ve been roam­ing the world blath­er­ing to peo­ple about pri­vacy and show­ing off prac­ti­cal chunks of code for do­ing var­i­ous tricks, along­side talk­ing about pro­gram­ming lan­guages that I’m in­ter­ested in, which hap­pen to be Ruby and Go. It’s a weird sort of a ca­reer, prob­a­bly not by any stretch of the imag­i­na­tion what most peo­ple would even call a ca­reer.

I mean, I refer to myself as a freelance reality consultant. I’m the ultimate dilettante in IT: I drift from one project I’m interested in to another. And it just so happens that there’s been this common thread – doing a decent scalable identity network – that I can now look back and say has tied this work together over the past ten or more years. We still aren’t there yet. The trouble is you spend two and a half years designing something, but then you also spend that same amount of time figuring out all the attacks on it.

LXF: It seems like at least the ideas behind blockchain technology have some use, but that perhaps the technology isn’t developed enough, or maybe the problems it solves don’t exist yet? Even now (nearly one year after this interview took place) it’s hard to see beyond the hype. We keep hearing about how blockchain is going to help supply lines and authentication dilemmas and all sorts of other things, but all that seems far away at this stage.

EMcH: All those claims lead to some quite choppy waters. I’ve given programming talks at a conference here in London for the past three or four years. The way conference booking works is for the first couple of years you have to battle your way in and come up with the best possible proposal. Then at some point they give up and decide that they just like having you around, especially if you’re a bit loony.

So I’ve reached that point with this par­tic­u­lar con­fer­ence, be­cause they asked me to talk about blockchain. I thought, “I know noth­ing about blockchain.” I mean, I’ve avoided it for years. So I ended up putting to­gether a talk, and by the time I’d fin­ished it I thought, “What the heck is ev­ery­one mak­ing all this fuss over?” I un­der­stand that [Satoshi Nakamoto’s] pa­per was rev­o­lu­tion­ary when it came out, be­cause at that point no­body was talk­ing about proofs in au­dit trails. But the un­der­ly­ing tech­nol­ogy is very sim­ple.

The trou­ble is the un­der­ly­ing tech­nol­ogy re­lies on crypto that’s too ex­pen­sive to run in very small de­vices. So rather than try­ing to solve the prob­lem of how we can get proof from these small de­vices, with­out hav­ing that heavy cryp­to­graphic stack, peo­ple are in­stead try­ing to find ways of shov­ing that crypto into the small de­vices.

Eventually, all the small devices will be so powerful that yes, you can do that, but eventually the universe will end too. And I’m not sure which will happen first. The more places you put complex crypto, the more places you’re likely to run into problems. Even this week there was a story on Ars Technica about the Estonian ID cards. It turns out Infineon, which really does know what it’s doing, for the past five years has been shipping a library with its smartcard chips that doesn’t produce proper RSA-hardened primes. As a result, someone willing to run a 1,000-node botnet is probably cracking a lot of 1,024-bit keys per day.

I show peo­ple how to do stuff with stan­dard cryp­to­graphic al­go­rithms, be­cause if they’re bro­ken you can then take the prin­ci­ples and use them with the next al­go­rithm that comes along and re­places them. Good cryp­tog­ra­phy and good se­cu­rity aren’t nec­es­sar­ily about strong al­go­rithms. They’re about good ar­chi­tec­ture for what you do with the data. We mustn’t let the data stand still for very long and when it does stand still, we must make as lit­tle as pos­si­ble see it.

Those are prin­ci­ples that a 10 year old can get. In fact, some of the maths that crypto re­lies on, my nine year old (who was an eight year old up un­til re­cently), he was learn­ing about mod­u­lar arith­metic in class, with lit­tle clock di­a­grams. There’s noth­ing re­ally com­plex about the the­ory be­hind the low-level stuff.


LXF: It’s funny because when you try and teach that stuff – the Euclidean algorithm and the Chinese Remainder Theorem and such – to undergrads, they really don’t get it.

EMcH: No they don’t. They’ve been fairly ruined by then. They’ve already done calculus so they already assume that everything has to be complicated. Last year someone claimed to have come up with a technique for spotting graph isomorphisms, which would revolutionise a lot of prime factorisation stuff and at the same time screw up a lot of current believed-trusted infrastructure.

So all of this stuff is very fragile: we’re beholden to whether or not developers are implementing it well. There’s a very small number of people on the planet who are building crypto libraries and we just have to trust that they know entirely what they’re doing. And we also have to trust that all those people we don’t know about, in organisations that we know have lots of cryptographers, know what they’re doing but don’t know how to break what we don’t want them to.

LXF: A lot of people are concerned about GDPR. It seems like it’ll be even more nightmarish for a digital identity service than for many others. How is your business handling that?

EMcH: I’m not a GDPR expert. The way our business breaks down is that my business partner does the cryptography and the legal side. He’s spent most of this year tied up with various clients, just getting them to a state where they’ve got all the procedures and the back-end business processes in place so that they’re able to survive GDPR. Which is very difficult, even for businesses that commit to it. I’m on the software architecture side, so I get these things as requirements: “How do we do this, how do we do that?”

So GDPR is a big stick. It’s been de­lib­er­ately de­signed as a big stick, and it’s bad leg­is­la­tion I think, be­cause it’s not en­tirely clear what that stick is for. In my opin­ion it just as much pre­vents you from whis­tle-blow­ing crim­i­nal ac­tiv­ity (be­cause that could fall within the bound­ary of pri­vate data) as it does pre­vents you from leak­ing per­sonal data. I could be wrong on that: the courts could end up in­ter­pret­ing it very very dif­fer­ently. But that’s what it feels like when I look at the re­quire­ments.

It also runs against itself. If I want to build a system that preserves privacy, the last thing I want to be able to do is actually find data for a user, unless that user is doing something that enables me to find it. And yet subject access requests come in as pieces of paper. The right to be forgotten, wonderfully noble though it is, requires that I compromise my crypto system because I have to prove that I’ve forgotten everything. And I can’t prove that without first remembering everything I know.

The crypto side is ac­tu­ally quite sim­ple: one-time pads, fresh key per piece of data, sec­ond sys­tem that main­tains those keys that’s only trig­ger­able with the right keys, a few to­kens go­ing around… I say it’s triv­ial, it’s ac­tu­ally a pain in the arse, but the prin­ci­ples are triv­ial. I don’t think that’s prac­ti­cal un­der GDPR. I could be wrong, I haven’t yet had a chance to build some­thing that tries to match all of GDPR’s re­quire­ments. Be­cause un­til peo­ple start get­ting sued no one’s go­ing to put the money up to do that ex­er­cise.

I think they should’ve gone for full en­force­ment the mo­ment it en­tered law, as op­posed to next May. I think there’ll be some high-pro­file cases and a lot of scared peo­ple, be­cause four per cent of global rev­enue or €20 mil­lion (whichever’s larger) is a big deal if you’re not IBM.

As for what counts as personally identifiable data, this now includes characteristic psychological data. Well, that to me sounds like usage patterns. On the one hand that pushes back against a problem that everybody has: the metadata problem. There are listening stations all over the world that are conducting flow analysis on traffic and they can find out much more from just looking at how the traffic behaves than knowing what’s in it.

The Nazis were brought down by this in the 1940s. It was the Hut 6 stuff that destroyed the Reich, not the Turing decrypts. If that stuff worked then without fast computers to do the data crunching – whereas now everyone wants to play with R, everyone wants to do data mining, everyone wants to build convolutional neural networks with deep learning – then we’re creating a situation.

Yes, we should be preventing certain kinds of analysis of usage data, precisely because it’s like fitting a glove to it: you can’t have anonymity. In systems like Bitcoin which is pseudonymous, that’s fine, run a machine-learning algorithm down the blockchain and in a few months I know everything about general usage patterns and interactions. I only need one piece of physical, real-world evidence and suddenly I’ve pulled a whole network of people who are transacting together. We can accept that it’s reasonable for Bitcoin because we accept that people aren’t using it to carry out cash transactions anonymously, don’t we?

LXF: Err, I’ve heard some people might do something like that…

EMcH: The thing is, for me to know whether or not I’m storing data that’s personally characteristic of behaviour, I’d have to run some algorithms myself and extract that data. That once again puts me in the position of if I want to comply with the law that tells me not to do that, but at the same time I want to prove that I’ve not done it. Ironically, the only way to prove I’ve not done it is to actually do it with some kind of audited anonymous process that I can’t then get the data back out of, only the proofs. But now I’m going to have to run the very attacks I’m supposed to be prevented from being run!

I think the leg­is­la­tors are try­ing to im­pose a right of pri­vacy that just doesn’t fun­da­men­tally ex­ist. It’s not a hu­man right – it can’t be be­cause it’s im­pos­si­ble to en­force. It’s as non­sen­si­cal as say­ing, “Ev­ery­one has a right to a rocket ship”. Fine. Coun­tries that have pri­vacy laws – Ger­many and France, for ex­am­ple – it leads to all kinds of weird­ness. I think fun­da­men­tally, cer­tainly in our ju­ris­dic­tion and other com­mon law ju­ris­dic­tions, it runs so counter to the idea that if a crim­i­nal of­fence oc­curs, then you’re al­lowed to pull all this data out, ev­ery­thing you can get. Courts are en­ti­tled to look at ev­i­dence.

And that’s an­other part of what we spend a lot of our time try­ing to fig­ure out. How can you bal­ance that? Ev­ery­one else in the in­dus­try takes the po­si­tion, “Well, the courts mustn’t look at this stuff.” That’s fine un­til you’re the vic­tim of fraud, or vi­o­lent crime, then come and tell me courts aren’t al­lowed to look at that CCTV footage. Un­til you’re a vic­tim of crime or know peo­ple who are the vic­tims of crime, you don’t re­alise that if you go the ab­so­lute crypto route, then you’re build­ing a prison for all the peo­ple who are law-abid­ing, in which all the peo­ple who aren’t law-abid­ing can do what­ever they like.

I think the leg­is­la­tors that put GDPR to­gether are com­ing from that same mind­set that a lot of peo­ple in the an­ar­chocrypto com­mu­nity do. That govern­ment and courts them­selves are some­how the prob­lem. Whereas, if there’s one thing that seems to work okay, it’s the courts. Maybe not the po­lice, maybe not the govern­ment, maybe not any­thing else, but the courts ac­tu­ally do what they say they’re go­ing to do. They do ‘Jus­tice’, and some­times they get jus­tice wrong. We know that, but at least they’re mak­ing an hon­est at­tempt with clearly laid-out laws. I think some of the wider im­pli­ca­tions of GDPR are go­ing to be dif­fi­cult to en­force for the courts.


Eleanor McHugh takes Jonni through the ups and downs of her event­ful work­ing life.

Eleanor is a joint di­rec­tor at In­no­va­tive Iden­tity So­lu­tions.

Good cryp­tog­ra­phy and good se­cu­rity aren’t nec­es­sar­ily about strong al­go­rithms, be­lieves Eleanor.

Eleanor doesn’t approve of how GDPR has been implemented.

Golang re­cently re­branded, but the orig­i­nal go­pher mas­cot is still very much a part of the com­mu­nity.
