Category Archives: technology

The Role of Cycles in Charting the Unknown

After penning a paper on the insidious Sleeping Beauty problem last year, Giulio Katis returns to the Mule with this guest post exploring the central ideas of The Lean Startup: How Today’s Entrepreneurs Use Continuous Innovation to Create Radically Successful Businesses by Eric Ries. Starting with the immediate application to business startups, Giulio develops to a broader view: dealing with uncertainty itself.

When you are about to undertake some activity, how often do you typically question what you are about to do?

If you are like me, typically you’ll just “Do it” (to quote one of Ben Stiller’s screen characters), but occasionally you’ll take the time to plan and reflect on how you can optimize what you are about to do.

We have been taught that when faced with an activity or a challenge we need to frame the problem, dissect the problem, plan a solution (if we are really clever, collaborate) and then implement. But what do we do when the problem is poorly understood, or if we can’t get the answers we need upfront? Pretend we know everything anyway? Give up? Have a stab and hope for the best?

In the context of doing business, Ries’ best-seller Lean Startup presents a systematic approach to dealing with this situation in business.

This book is part of a general trend to update traditional approaches to business management to accommodate the uncertainty and pace of change which new technology has created – which covers product, service and new capability development in most businesses today.

Ries sees the method he presents as a scientific approach to doing business that updates and complements the ideas presented in Frederick Taylor’s 1911 classic the Principles of Scientific Management (which championed the importance of analysis, planning and task specialization in business management, and influenced corporate legends like Henry Ford and Alfred Sloan).

Ries is by no means the first to do this. In any discussion on Startups today we take for granted concepts such as “disruptive technologies” and “disruptive innovation”, which have become part of our common language since Clayton Christensen wrote about them in his best-sellers The Innovator’s Dilemma and The Innovator’s Solution. And, as the name suggests, the practices of Lean Startup are to be understood in the context of the Lean approach to business process management, as pioneered by Toyota in manufacturing (which among other things challenged the assumption that optimal process engineering involved linear chains of specialised functions). Also, Lean Startup is closely related to software development practices such as Agile (with its iterative and disciplined approach to development involving continuous feedback and learning loops, as opposed to the Waterfall one-shot “gather requirements, design, build, deploy” approach) and Continuous Deployment (a process whereby all code that is written for an application is immediately deployed into production).

The basic ideas of Lean Startup, however, can be explained without references to these developed software and business management practices, and Ries does this in a simple, powerful and readable way.

Ries’ book is written primarily from the lens of a startup (which typically has to navigate extreme uncertainty with very limited resources); but as he makes clear the principles and methods are applicable to large enterprises, especially those that need to adapt to changing circumstances and operate in uncertainty in a cost-constrained manner.

Lean Startup comes from the perspective that the problem is not whether we can build or create a product, service or capability—we’ve become pretty good at building things that are well defined (perhaps part of the problem is that we’ve become so good at this); but rather the problem is what exactly should we build or create—which requires us to answer more deeply why we should create or support the things we are committed to, and question the assumptions that have been driving what we have been delivering to date.

So while many past business process management principles addressed the problem of how to optimally execute or produce and deliver a well-understood product or service, the problem Ries is solving is how a business operating in some degree of uncertainty can simultaneously explore, learn, build and service to maximise expected future value creation and/or growth in a resource constrained context.

The solution he presents deeply embeds the experimental method into the management process. In a nutshell, when developing, modifying or maintaining a product, service or capability, Lean Startup suggests we should proceed as follows:

  • explicitly identify the assumptions driving the need (opinion is not fact)
  • pick a key assumption yet to be validated
  • create a set of metrics designed to validate and explore the assumption
  • design a ‘Minimum Viable Product’ (MVP), which might be a change or an enhancement to the existing capability, that will allow us to obtain the desired metrics to test the assumption
  • build and deploy the MVP
  • collate the metrics
  • review the validity of and re-consider the assumptions and what is being developed
  • repeat

This gives rise to the mantra ‘Build-Measure-Learn’ repeated throughout the book.

This feedback loop may sound like a recipe – but Ries points out that this framework is far from a recipe. Many of the steps above require critical thinking, context specific insight, brainstorming and in some cases courage.

On the point of courage, at the end of each loop there is a critical decision to be made which Ries describes in terms of having to choose whether to persevere or pivot. Pivoting involves “a course correction designed to test a new fundamental hypothesis about the product, strategy, and engine of growth”. Under Lean Startup, pivoting is not considered as failure (involving change of management, say), but rather a necessary and important part of doing business. Not pivoting enough before the startup (or project) capital runs out is typically the cause of failure.

This gives rise to the concept of startup time as opposed to calendar time. Ries notes that typically to measure how long a startup has left we take the capital left (e.g. $1mio) and divide by the burn rate ($100k per month) to get the answer (10 months); but an alternative measure, which may tell us something more about the likelihood of the startup’s success, would be to estimate how many Build-Measure-Learn loops or possible pivots the startup could perform before running out of capital. The central practical message of the book is that the faster a startup can get through a Build-Measure-Learn loop, the more it can learn and thus the greater the chance it will succeed before funding runs out.

What is learnt is obviously a function of both the questions asked as well as the way they are answered. In terms of the answers, a key distinction Ries draws is between what he calls vanity and actionable metrics. Vanity metrics (e.g. gross turnover, gross profit) are lagging indicators that tell businesses what they want to hear (until they don’t), and do not provide information that can be used to make constructive changes. Instead of focusing on these, Ries puts forward the concept of actionable metrics which are designed to answer questions about what is actually driving customer behaviour, turnover, cost, profitability etc. For example, actionable metrics on customer behaviour might give data on how the customer joined, what was their first experience, why they are leaving or being retained. As the name suggests, they provide insight into what needs to be changed to create more value and/or growth (and obviously should be used in any business, regardless of its size or maturity).

Perhaps one of the biggest challenges Ries’ asks (of anyone running a business) is to assess yourself not in terms of the quality of the products or services you have produced, and not even in terms of the growth or profitability you have achieved to date, but to assess yourself in terms of how much you have learnt about what is driving your customers, your costs, your profitability, your growth etc. To genuinely adopt this perspective would obviously require a radical and courageous mindshift for most managers.

How the Lean Startup method can be applied in a mature, large, complex business is not something Ries spends time on (Furr and Dyer’s The Innovator’s Method: Bringing the Lean Startup into Your Organization spends more time on this question). Even though this is a non-trivial problem, it would seem even in the context of a business unit that is focused on execution and optimization (as opposed to innovation), there is scope to apply Lean Startup methods. I say this because I believe there is a degree of uncertainty (and thus the need for learning) in just about all business areas. For example, in the NPR podcast From Harvard Economist To Casino CEO (which was brought to my attention by Mark Lauer quite some time ago), Gary Loveman describes his use of randomized experiments (e.g. A/B testing) in an established casino to understand what customers liked, what they didn’t, what would make them come back if they lost a lot of money one night, etc. (Gary Loveman was well-known, amongst other things, for recognizing the value of the repeat slot players over the high rollers.)

After reading Ries I found myself asking what the implications were for (business) strategy. It is often said that strategy is easy and implementation is the hard part. Nevertheless, there is still the myth of the business leader (read Steve Jobs) that had the strategic initiatives that guided the company exactly where it needed to go. But these types of strategic initiatives are typically just informed, inspired, or lucky guesses. If, however, a business leader can orchestrate the activities of their organisation so Lean Startup principles work concurrently along with all the other business management practices needed to effectively run their organization, in theory the strategic initiatives should evolve, accumulate, be generated by and selected for as a result of the way that the organisation operates and does business (read Build-Measure-Learn loops); with bottom-up (generative) and top-down (guiding, co-ordinating) forces connected by their own feedback loops.

Ries’ book is considered by many as a must read for anyone wanting to start up a business (making a couple of the Forbes top entrepreneur and business book lists in 2014); and no doubt will be on the reading lists (if it isn’t already) of many business managers in larger organizations that need to grapple with change and innovation. It’s also a good read for anyone who is interested in what’s going on “out there” at the moment in the land of entrepreneurs and business management theory. But I think part of the reason why it resonated so strongly for me (in addition to the practical value it has for my work) was that the book is written in such a simple and powerful way as to imply applicability and meaning more broadly than for business.

The importance of feedback and cycles in the Lean Startup approach should be obvious. Mathematicians, scientists, engineers and the military have long recognized the importance of feedback as a way of dealing with uncertainty (going back to Norbert Wiener, the originator of cybernetics). In fact, Ries mentions that the Build-Measure-Learn feedback loop owes a lot to ideas from manoeuvre warfare, in particular, John Boyd’s Observe-Orient-Decide-Act Loop. But even though these ideas have been explored formally for well over a century (and, no doubt, millennia informally), it feels like we have still a long way to go in understanding the role of cycles in nature. For instance, in 2011 the Edge asked a number of prominent thinkers to answer ‘what scientific concept would improve everybody’s cognitive toolkit’. Daniel Dennett’s response (which in my opinion was one of the most thoughtful responses the Edge received to the question) was the concept of cycles.  As he ended his response: “a good rule of thumb, then, when confronting the apparent magic of the world of life and mind is: look for the cycles that are doing all the hard work”.

Fundamentally, Lean Startup is a study in how to deal with the unknown—both “known unknowns” through experimental design and measurement as well as (as much as is possible) “unknown unknowns”, through the process of continuous experimentation and exploration.  In his 200 m.p.h. (and very readable) book Sapiens: A Brief History of Humankind, Yuval Harari asks the question ‘what potential did Europe develop in the early modern period that enabled it to dominate the late modern world?’. He makes the claim that (all the good arguments of Jared Diamond’s Guns, Germs and Steel notwithstanding) one way to understand Europe’s ability to expand and dominate was in terms of its approach to the unknown, as can be seen through the development of maps. He notes that before the fifteenth century unknown or unfamiliar areas were simply left out of maps, or filled with imaginary monsters and wonders. “These maps had no empty spaces… During the fifteenth and sixteenth centuries, Europeans began to draw world maps with lots of empty spaces—one indication of the development of the scientific mindset, as well as of the European imperial drive.” I would like to know (from someone familiar with this part of history) whether the European nations that were more successful at world domination were those that were in some sense able to more quickly and more effectively cycle through Build-Measure-Learn loops.

So, on reflection, the main message I took away from Lean Startup was not something specific to just business. Rather it was the reminder that no matter how much work we do to create certainty, the unknown is all around us—and that there are more and there are less constructive ways to engage with it.

Bitcoin and the Blockchain

It’s hard to believe that a whole year has passed since I last wrote on the topic of bitcoin, and my remaining 1 bitcoin is worth rather less than it was back then. During the week I presented at the Sydney Financial Mathematics Workshop on the topic of bitcoin, taking a rather more technical look at the mechanics of the blockchain than in my previous posts here on the Mule. For those who are interested in how Satoshi Nakamoto solved the “double spend” problem, here are the slides from that presentation.

Bitcoin and the Blockchain

As part of my preparation for the presentation, I read Bitcon: The Naked Truth About Bitcoin. If you are a bitcoin sceptic, you should enjoy the book. If you are a Bitcoin true believer, you will probably hate it. It is over-blown in parts and gets a few technical details wrong, but I am increasingly convinced by the core argument of the book: the blockchain is an extraordinary innovation which may well change the way money moves around the world, but bitcoin the currency will prove to be a fad.

Do Daleks use toilet paper?

I have been watching some (very) old Doctor Who episodes, including the first ever serial featuring the archetypal villains, the Daleks. In this story, the Daleks share a planet with their long-time enemies, the Thal. After a war culminating in the denotation of a neutron bomb, both races experience very different mutations. The Daleks have become shrunken beasts that get about in robotic shells, while the more fortunate Thals mutated into peace-loving blondes.

The Thals hope to make peace with the Daleks, but the Daleks have more fiendish plans and plot to lure the Thals into their city with a gift of food and then ambush them. It is a good plan, but it is the choice of gifts that left me bemused. There is plenty of fruit and some large tins whose contents remain undisclosed. These may be reasonable choices, although I do find it hard to picture the Daleks stacking melons with their plunger hands. But the trap also appears to feature stacks of toilet paper. Granted, toilet paper may be an appealing luxury for the Thal, who have been trekking through the jungle for a year, but the real question here is, why do Daleks even have toilet paper?

Dalek ambush

Qantas and Adobe

In my last post, I complained about the approach Qantas has taken to password security for its new Qantas Cash website. When I called Qantas to express my concerns, my query was referred to the “technical team”. I was assured they would be able to assuage my concerns. Here is the email response I received:

As I’m sure you’ll understand, we cannot discuss in any depth the security protocols and practices of our products.

However, I can assure you that your password is stored and encrypted on our server, is never transmitted and cannot be viewed by anyone.

The reason we use random ordinal characters rather than full password entry is because it is more secure as it makes harvesting passwords using keylogging software a much more challenging task.

Thank you for taking an interest in the product and we are certain you’ll find the site, the card and the product as a whole, a secure and useful addition to your payment options.

I tried to dig a little deeper, asking whether individual password characters were hashed. This did not help:

Thank you for your email. Your previous question has been queried with our technical team. They have advised that we cannot discuss in any depth the security protocols and practices of our products.

I am far from reassured. Security through obscurity is a poor strategy. Knowing how an effective security practice works does not make it weaker. Quite the contrary: the best security practices are well-known and have been tested and retested and have survived unscathed. The ones that do not pass these tests are discarded. If Qantas is keeping their security methods secret, it simply heightens my fear that they have been devised by web developers who are not experts in security and are vulnerable to attack.

Qantas and I are approaching the question of security very differently, with different threat models. Qantas is focused on preventing me from doing something silly that could compromise my account. Whereas I am worried about Qantas being hacked.

Only a few weeks ago, Adobe was hacked and up to 150 million encrypted passwords have been made public. Their encryption methods were weak (no salted hashing!) and password hints for all of the accounts were also leaked. Enthusiastic hackers are quickly reverse-engineering the passwords.

The same thing could happen to Qantas. If it does, and Qantas is moved to offer a heartfelt apology to their customers, I will not be too upset: I will not be one of those customers.

Security can be tricky

Qantas CashQantas has recently launched Qantas cash, a pre-paid Mastercard which you can charge up with cash in multiple currencies. The contemporary equivalent of traveller’s cheques, cards like this can be as convenient as a credit card with the added advantage of reducing the uncertainty associated with exchange rate volatility. If you have a rough idea of how much you will need in euro, you can charge up the card with euro at today’s exchange rate without having to worry about the Australian dollar dropping in value while you are half way through your trip.

As a Qantas frequent flyer account holder, I received a Qantas cash card in the mail and it seemed worth investigating. However after activating the card, my interest in the card itself was quickly displaced by disappointment in the insecure design of the Qantas cash website.

Computer security is not easy. It should be left to the experts. I am no expert myself, but I have listened to enough of the Security Now podcast to recognise poor security when I see it.

The first sign of trouble came with setting my password. The password had to be 6 to 8 characters long. A maximum of only 8 characters? The longer the password length, the more secure it is and 8 characters is far too short for a secure password.

Somewhat disconcerted, I pressed on, creating a password made up of 8 random characters. Random passwords are far more secure than real words (or even transparently modified “w0rd5”). They are also impossible to remember, but there are plenty of secure password storage tools (such as LastPass) that make that unnecessary.

Having set everything up, I was then prompted to log in. Unexpectedly, instead of being prompted to enter my password, I was asked to enter the “3rd, 4th and 5th character of the password”. Alarm bells started ringing. Quite apart from the irritation that this caused as it prevented LastPass from automatically filling in the password, it confirmed my initial fears that the website’s security model was flawed.

What I had realised was that Qantas servers must be storing passwords. For anyone unfamiliar with password security, this may seem blindingly obvious. If the servers don’t store the password, how can the website confirm you have entered the correct password when you log in?

In fact, there is a far more secure approach, which makes use of so-called “one way functions“. A one-way function takes a string of characters (a password, for example) as input produces a different string of characters as its output. The key feature of a one-way function is that it extremely difficult to reverse the process: given the output, working out what the input must have been is computationally highly intensive. Applying a one-way function is also known as (cryptographic) “hashing”.

Armed with a good one-way function, instead of storing passwords, a web server can store a hash of the password*. Then, whenever a user enters a password, the web site applies the one-way function and compares the result to its database. The password itself can be discarded immediately. The webserver’s user database should only ever contain hashes of user passwords and never the “plain text” original version of the password.

While this approach to password storage is well-established practice in the security community, many corporate websites are not designed by security experts. Back in 2011, hackers were able to get hold of more than a million passwords from Sony which had been stored in plain text.

Unfortunately, it would appear that Qantas cash is not following best practice in its website security. If the site was only storing hashed passwords, it would be impossible for the site to verify whether users were correctly entering the 3rd, 4th and 5th character of the password. Taking a password hash and trying to determine individual characters of the original password is just as difficult as reverse engineering the whole password.**

I then called Qantas cash to seek clarification. I was assured that all passwords were “encrypted” using the same security techniques that any other commercial website, such as Amazon, would use. Furthermore, the requirement to enter individual characters of the password was an additional security measure to prevent users from copying and pasting passwords.

This did not reassure me. Even if the passwords are encrypted, the Qantas cash server itself clearly has the capability of decrypting the passwords, which makes it just as vulnerable as Sony. I am also sure that Amazon does not use this approach. And preventing copying and pasting is a furphy. By preventing users from using secure password stores, this approach simply encourages the use of weaker passwords.

The Qantas cash developers may think they have come up with some excellent security features. But these developers are clearly not experts in security and, as a result, have produced a far less secure site. The call centre promised that the technical team would email me more details of the site’s security. My hopes are not high.

Needless to say, I will not be using the Qantas cash card. This is an e-commerce site, not a movie chat forum. When money is involved, security should be paramount.

Keep your eyes open for news about a Qantas cash website hack.

* Strictly speaking, a “salted hash” should be stored to add an additional layer of security and protect against the use of rainbow tables.

** In principle, Qantas could store hashes of three character combinations (56 hashes would have to be stored or 336 if order is significant). In practice I doubt this is being done.

ngramr – an R package for Google Ngrams

The recent post How common are common words? made use of unusually explicit language for the Stubborn Mule. As expected, a number of email subscribers reported that the post fell foul of their email filters. Here I will return to the topic of n-grams, while keeping the language cleaner, and describe the R package I developed to generate n-gram charts.

Rather than an explicit language warning, this post carries a technical language warning: regular readers of the blog who are not familiar with the R statistical computing system may want to stop reading now!

The Google Ngram Viewer is a tool for tracking the frequency of words or phrases across the vast collection of scanned texts in Google Books. As an example, the chart below shows the frequency of the words “Marx” and “Freud”. It appears that Marx peaked in popularity in the late 1970s and has been in decline ever since. Freud persisted for a decade longer but has likewise been in decline.

Freud vs Marx ngram chart

The Ngram Viewer will display an n-gram chart, but does not provide the underlying data for your own analysis. But all is not lost. The chart is produced using JavaScript and so the n-gram data is buried in the source of the web page in the code. It looks something like this:

// Add column headings, with escaping for JS strings.

data.addColumn('number', 'Year');
data.addColumn('number', 'Marx');
data.addColumn('number', 'Freud');

// Add graph data, without autoescaping.

[[1900, 2.0528437403299904e-06, 1.2246303970897543e-07],
[1901, 1.9467918036752963e-06, 1.1974195999187031e-07],
[2008, 1.1858645848406013e-05, 1.3913611155658145e-05]]

With the help of the RJSONIO package, it is easy enough to parse this data into an R dataframe. Here is how I did it:

ngram_parse <- function(html){
  if (any(grepl("No valid ngrams to plot!",
                html))) stop("No valid ngrams.") 
  cols <- lapply(strsplit(grep("addColumn", html,
                               value=TRUE), ","),
                getElement, 2)
  cols <- gsub(".*'(.*)'.*", "\\1", cols)

I realise that is not particularly beautiful, so to make life easier I have bundled everything up neatly into an R package which I have called ngramr, hosted on GitHub.

The core functions are ngram, which queries the Ngram viewer and returns a dataframe of frequencies, ngrami which does the same thing in a somewhat case insensitive manner (by which I mean that, for example, the results for "mouse", "Mouse" and "MOUSE" are all combined) and ggram which retrieves the data and plots the results using ggplot2. All of these functions allow you to specify various options, including the date range and the language corpus (Google can provide results for US English, British English or a number of other languages including German and Chinese).

The package is easy to install from GitHub and I may also post it on CRAN.

I would be very interested in feedback from anyone who tries out this package and will happily consider implementing any suggested enhancements.

UPDATE: ngramr is now available on CRAN, making it much easier to install.

Can I trust MtGox with my passport?

Liberty Reserve logoIn March 2013, the US Financial Crimes Enforcement Network (“FinCen”) published a statement saying that companies which facilitate buying and selling of “virtual” currencies like Bitcoin constitute “money service businesses” and are subject to reporting obligations designed to prevent money laundering and other financial crimes.

A couple of months later, the seizure by US authorities of Liberty Reserve has shaken money service businesses around the world, whether they deal in “real” or “virtual” currencies.

Two days later, the largest Bitcoin exchange, MtGox, tightened their anti-money laundering (AML) controls, posting the following statement on its website:

Attention Users: From May 30th 2013 all withdrawals and deposits in fiat [real] currency will require account verification. However withdrawals and deposits in Bitcoin (BTC) do not require verification.

What MtGox is attempting to do here is meet one of the most fundamental requirements of AML legislation around the world: know your customer. It is so fundamental that it too earns its own three-letter abbreviation, KYC.

So, how does an online business like MtGox verify the identity of its customers? After all, you can’t walk into the local MtGox branch with a fist full of paperwork. Instead, you must upload a scan of “proof of identity” (passport, national ID card or driver’s licence) and “proof of residency” (a utility bill or tax return).

MtGox are not alone in this approach. More and more online money service businesses are attempting to get on the right side of AML rules by performing verification in this way.

Here in Australia, there are still some Bitcoin brokers which do no verification whatsoever, including BitInnovate (who helped me buy my first Bitcoin) and OmniCoins. Australia’s AML regulator, AUSTRAC publishes a list of  “designated services”, which make business subject to reporting obligations including customer verification. The list includes

exchanging one currency (whether Australian or not) for another (whether Australian or not), where the exchange is provided in the course of carrying on a currency exchange business

So I strongly suspect that all local Bitcoin brokers too will soon be demanding scans of your driving licence and electricity bill.

But is the MtGox approach to customer verification a good idea? I don’t think so. I believe it is a bad idea for MtGox and a bad idea for their customers.

It is a bad idea for MtGox because scans of fake identity documents are very easy to come by. For example, one vendor at the online black market Silk Road offers custom UK passport scans with the name and photo of your choice, complete with a scan of a matching utility bill.

It’s a bad idea for the customer too, because it exposes them to increased risk of identity theft. Although my intentions were not criminal, I chose BitInnovate when I bought Bitcoin precisely because I did not have to provide any personal documents. How well do you know MtGox or any other online money service? How confident are you that they will be able to keep their copies of your documents secure? Securing data is hard. Every other week it seems that there are stories of hackers gaining access to supposedly secure password databases. I have no doubt that scans of identity documents will also find their way into the wrong hands.

So what is the alternative?

Third party identity management.

Using a passport or driver’s licence scan is effectively outsourcing identity verification to the passport office or motor registry respectively. Before the days of high quality scanning and printing, these documents were difficult to forge. A better solution is to retain the idea of outsourcing, but adapt the mechanism to today’s technology.

Here’s how it could work.

A number of organisations would establish themselves as third party identity managers. These organisations should be widely trusted and, ideally, have existing experience in identity verification. Obvious examples are banks and government agencies such as the passport office.

Then if I wanted to open an account with MtGox, its website would provide a list of identity managers it trusted. Scrolling through the list, I may discover that my bank is on the list. Perfect! When I first opened an account with my bank I went through an identity verification (IDV) check (ideally, this would have been done in person and, even better, the bank would have some way to authenticate my passport or driver’s licence*), so my bank can vouch for my identity. I can then click on the “verify” link and I am redirected to my bank’s website. Being a cautious fellow, I check the extended validation certificate, so I know it really is my bank. I then log into my bank using multi-factor authentication. My bank now knows it’s really me and it presents me with a screen saying that MtGox has asked for my identity to be validated and, in the process, has requested some of the personal data my bank has on file. The page lists the requested item: name, address, email address and nationality. I click “authorise” and find myself redirected to MtGox and a screen saying “identity successfully verified”.

MtGox is now more confident of my true identity than they would be with scanned documents and I have kept to a minimum the amount of information I need to provide to MtGox: no more than is required to meet their AML obligations.

This authentication protocol is a relatively straightforward enhancement to the “OAuth” protocol used by sites like Twitter and Facebook today. OAuth itself is subject to some controversy, and it may be better to create a new standard specifically for high trust identity management applications like this, but the tools exist to put identity management on a much safer footing.

* Today, unfortunately, banks and other private sector entities are not readily able to authenticate passports or driver’s licences. Once government agencies are able to provide this service, the options for third party identity management will be even greater.


BitTorrent Sync

BitTorrent Sync logoI have been a long-time user of Dropbox. It synchronises important files across computers, provides offsite backup and remote access to these files. But it does have its limitations.

A free Dropbox accounts gets you 2 gigabytes of storage (although persuading friends to sign up can earn you an an increase in this limit). If you need more space, paid plans start at $10 per month.

I have found a new solution for file synchronisation without the size limits. BitTorrent Sync is still in its beta stage of development, but so far I have found it works very well. It is fast, efficient and does exactly what I want it to do.

BitTorrent Sync is not a cloud storage system, so it does not offer all of the features of DropBox. But anyone with with more than one computer, or anyone who wants to regularly share files with a friend or colleague will quickly find BitTorrent Sync an invaluable tool.

So what exactly does BitTorrent Sync do, and what doesn’t it do?

Two-Way Synchronisation – YES

BitTorrent sync really does one thing and one thing well: synchronisation. Install BitTorrent on two computers, point it at a folder on each computer and it will ensure that the contents of the two folders stay in sync. Change a file on one computer and it will change on the other. Add a new file and it will quickly appear on the other computer.

I have a desktop machine and a laptop. They both have Dropbox installed, so I usually save documents in my Dropbox folder to ensure I have access from both machines. But my Dropbox account is getting full, so if I am working with a large dataset or large image files, I keep them out of Dropbox. I then inevitably find I need to use those files on a different machine. BitTorrent Sync has solved that problem for me.

Synchronisation works like a rocket on a local network, but will also work over the internet. As the name suggests, BitTorrent Sync makes use of the same technology use in BitTorrent and is extremely efficient when it comes to dealing with very large files. Synchronisation over the internet when users at each end are behind their own routers works well, thanks to similar “NAT traversal” techniques to those used by Skype. All file transfers, whether local or over the internet, are encrypted. As long as you keep your secret safe, your data is safe.

Setting up synchronisation is straightforward. When you first point BitTorrent Sync at a folder, a “secret” is generated. Secrets are strings of numbers and letters, like this: WBUAH4P6P41KAPJ7ERSAWXY5RB2BCT28. Then, when setting up other machines to share the same folder, all you need to do is enter the secret from the first computer. Multiple machines can share the same folder with the same secret and BitTorrent Sync can also manage multiple folders with different secrets.

One-Way (Read Only) Synchronisation – YES

While Two-Way synchronisation works well for sharing files with family and friends. Sometimes you will want to give others read access to files without allowing them to delete or edit the files. This is where one-way synchronisation comes in. Each synchronised folder has a “read only secret” in addition to the main secret. Give this read only secret to your mother and she can see all of your family photos and you need not worry that she will accidentally delete any of them*.

As far as I know, Dropbox does not offer one-way synchronisation.

Mobile Access – NOT YET

Dropbox offers apps for iPhone, iPad and Android devices which allow you to access files on the go. Mobile apps for BitTorrent Sync are not yet available, but they are under development.

Cloud Backup – NO

BitTorrent Sync directly syncs content machine to machine. Dropbox, on the other hand, syncs each machine with the Dropbox’s own servers. If all of your computers suffer catastrophic failure, you can still recover your data from Dropbox. BitTorrent Sync does not provide any cloud backup. Of course, you could always set up a Rackspace server and install BitTorrent Sync there…

Web Access – NO

With all of your files on their servers, Dropbox can easily provide web access to your files. BitTorrent Sync cannot. The files will only be available on machines with BitTorrent Sync installed.

Version Control – NO

Another useful feature offered by Dropbox is version control. If you make some drastic edits to your latest presentation, which you later regret, Dropbox allows you to recover previously saved versions. BitTorrent Sync will not help you with version control.

BitTorrent Sync does not do as much as Dropbox and other cloud backup services. But what it does do, it does very well. I expect to get a lot of use out of it.

* Two-way synchronisation does provide protection against accidental deletion: when a file is deleted on one machine, copies on other machines are moved to a hidden folder rather than deleted, so they can be recovered later.



Image searches

This week’s edition of Media Watch, “Pixelating protects identity? Think again“, examines the threat image search engines pose to anonymity. Drop a disguised photo into Google images and the chances are you will find the original in the search results.

Intrigued, I thought I would try it out. The pixellated the photo of Tom Waits was my second test. The first image I found to try was a golden pyramid. (It is from a presentation I recently pulled together on cognitive dissonance, but that is unlikely to be a helpful explanation).


In this case the search results came close to being artistic: an impressive array of alternative golden pyramids.


I can see that Google images could be rather fun.

Unblock Us

A few months ago, I complained that more and more online music sites have blocked access from Australia. Of course, the arcane licensing of intellectual property has also led to many other sites being blocked for Australians. Anyone living down under trying to access BBC TV via their iPlayer, or trying to stream US TV on Hulu will find themselves out of luck. The list of sites offering movies, TV shows and music online is a long one. The list of these available in Australia is a very short one.

However, I have now discovered a Canadian company offering one way out of these geographic shackles. For US$5 per month, Unblock Us will allow you to configure your computer or router so that, when you try to access a selection of media sites, your connection will pop out from a server outside Australia so as to ensure you will not be blocked from accessing the site.

But is it legal? That’s an excellent question, and one I do not know the answer to. Not being a lawyer, I will not even speculate. Where I am happy to speculate is on the question of the ethics of the site.

On Friday, a colleague said he was planning to watch a downloaded movie over the weekend. I asked him where he had downloaded it from. While he said he had bought it from the iTunes store, he did indicate that was not the only place he had downloaded movies from over the years. His philosophy was always to try obtaining movies legally first but if—and only if—all legal means failed, he would resort to shadier sources. To me, this seems like a fair approach, legal or not.

As I would be more than happy to pay the copyright holders for access to e-books, online music or videos, I find it extremely frustrating when this is impossible, simply because I am in Australia. In the absence of such legal means, loopholes like Unblock Us start to look very appealing.

There are a couple of other considerations before leaping in to using the service:

  • Privacy: since your internet requests would be initiated through Unblock Us, you would have to be comfortable with them knowing about the pattern of your internet usage, although they do note on their site ” will not actively monitor user activity for inappropriate behavior, nor do we maintain direct logs of any customer’s Internet activities”.
  • Performance: having the extra check for each internet request to see whether it should be bounced through Unblock Us could make your internet performance a little slower than going directly through your ISP. I do not know whether this would be significant.

I am certainly tempted.