If you go to a meeting room at a Microsoft office these days, you’ll quite likely see a sticker that talks about fixed mindset meetings and growth mindset meetings:

Here’s a closer look at that sticker:

Kudos to Microsoft for encouraging the growth mindset!

Also worth checking out: The difference between failing and being a failure.


I’m still looking for work, so I thought I’d show off my coding skills and improve on Robbie Leonardi’s high-concept interactive platform game-style resume by making a resume that was also an actual game. It’s still a work in progress, but I thought I’d show you a preview.

I used the Phaser game framework that I learned about this weekend and put together a quick, single-screen sample in an hour. The real version will show my entire résumé and be more extensive. If you’re viewing this page on a desktop or laptop computer (right now, it responds only to the arrow keys on a keyboard) you can try out the preview:

Use the ⬅️  and ➡️  keys to move and the ⬆️  key to jump.
This game currently works with desktop/laptop computers only;
mobile-friendly version coming soon!

More conventional ways to find out about me

I’m looking for my next great job! If you’re looking for someone with desktop, web, mobile, and IoT development skills who can also communicate to technical and non-technical audiences, or a marketer or evangelist who also has a technology background and can code, you should talk to me.


Exit Emil Michael (and not a moment too soon)

An updated image from my February post titled The Uber story that everyone’s talking about right now, and some helpful background info.

Emil Michael, the worst executive at Uber — and remember, Uber is essentially an Olympics for worst executives — is finally out of the company.

If the name doesn’t ring a bell, the Uber dinner party controversy of 2014 might. That’s when he floated an idea to counter their negative image in the media by spending “a million dollars” to hire opposition researchers and journalists to look into “your personal lives, your families” and as Buzzfeed puts it: “give the media a taste of its own medicine.” When someone at the dinner pointed out to him that such a move would be a problem for Uber, Michael replied: “Nobody would know it was us.”

Buzzfeed, who had an editor present at the dinner, wrote:

Michael was particularly focused on one journalist, Sarah Lacy, the editor of the Silicon Valley website PandoDaily, a sometimes combative voice inside the industry. Lacy recently accused Uber of “sexism and misogyny.” She wrote that she was deleting her Uber app after BuzzFeed News reported that Uber appeared to be working with a French escort service. “I don’t know how many more signals we need that the company simply doesn’t respect us or prioritize our safety,” she wrote.

At the dinner, Michael expressed outrage at Lacy’s column and said that women are far more likely to get assaulted by taxi drivers than Uber drivers. He said that he thought Lacy should be held “personally responsible” for any woman who followed her lead in deleting Uber and was then sexually assaulted.

Then he returned to the opposition research plan. Uber’s dirt-diggers, Michael said, could expose Lacy. They could, in particular, prove a particular and very specific claim about her personal life.

What finally got him removed

Michael’s removal is likely one of a set of recommendations resulting from an investigation into Uber’s workplace environment, which is led by former U.S. Attorney General Eric Holder.

The as-yet-unannounced recommendations were approved unanimously by Uber’s board members in an emergency meeting on Sunday (yesterday at the time of writing). It’s generally believed that the report from the investigation, which will be released Tuesday (tomorrow at the time of writing) will paint a picture of a “Lord of the Flies” workplace, filled with retaliation-as-business-as-usual, sexism and sexual harassment, and other corporate “rules are for the little people”-style hijinks. Michael fits in all three buckets quite well.

Recode put it very well in their intro to this article:

If you ask most competent executives what they would do if an employee brought them a potentially controversial file that was part of a criminal investigation, the answer is always the same.

Which is: You do not read it or even touch it. You order that it be given to the company’s lawyer immediately. You quiz the employee as to the provenance and consider firing that person if you suspect it was illegally obtained.

So why did it take so long for his bosses at Uber to find out why and how a top executive named Eric Alexander, the now former president of business in the Asia Pacific, managed to acquire the confidential medical records, along with a police file, concerning the case of a woman who was violently raped in India in 2014?

Alexander showed the dossier to fellow executives, including CEO Travis Kalanick and yes, Emil Michael, and Recode reports that “numerous executives at the car-hailing company were either told about the records or shown them.” Even the writers of Silicon Valley might not have written what actually happened in response: in spite of the fact that none of Uber’s execs have medical training, they still raised questions about the incident based on the illegally- and unethically-acquired medical report.

There’s also his presence at the now-infamous night at the Seoul karaoke/escort bar where “executives reportedly selected women to be their companions for the night by the numbers hanging around their necks.” In case you were wondering, CEO Travis Kalanick was also there.

His departure email

It’s standard damage-control departee boilerplate, and was likely vetted by a team of legal and PR flacks:

Team –

Yesterday was my last day with Uber. Starting today, David Richter, our current VP of Strategic Initiatives, will be the new SVP of Business. David is an extremely talented leader and I have high confidence in his ability to help drive the company forward.

I signed on with the company almost four years ago and it has truly been the experience of a lifetime helping Uber become the fastest growing company of all-time — spanning 75 countries with over 14,000 employees.

I am proud of our business team’s part in contributing to the company’s overall success. We have fueled our growth by raising more money than any other tech company in history; we completed one of the most valuable mergers in American/Chinese tech history with the Didi deal; and we have secured ground-breaking partnerships with automobile companies all over the world to support our autonomous vehicle efforts.

But I am most proud of the quality of the team we have built. Beginning with my first day at Uber, I have been committed to building a diverse Business Team that would be widely recognized as the best in the technology world: one that is welcoming to people of all genders, sexual orientations, national origins and educational backgrounds. I am proud that our group has made so much progress toward these goals and is a leader in the company in many of these categories. As an Egyptian immigrant who was taken under the wing of a great business leader like Bill Campbell, I have an abiding belief that we all should pay it forward by ensuring that our workplace represents all types of people.

Uber has a long way to go to achieve all that it can and I am looking forward to seeing what you accomplish in the years ahead.

Sincerely,

Emil

What happens next, and why they may soon be “self-driving”

As a recent article on Medium put it, your company’s culture is who you hire, fire, and promote. Uber’s culture, by and large, is based around emulating its founder and CEO, whose future is now murky. As a tacit approver of all of Uber’s wrong-doings and the symbol of the worst kind of people in Silicon Valley, the only way he can elicit any sympathy right now is the result of bad luck: his mother was killed and his father was injured in a boating accident in late May.

The board has the option to fire him, but they probably won’t. Kalanick probably has too much useful tacit knowledge and understanding of Uber’s game plan to dismiss outright. They’ll probably make him take some time off — with the stated reason being that he needs to mourn his mother and take care of his father — and bring him back into the company in a new, less-public-facing role.

Here’s where Uber management stands at the moment:

That’s a lot of people not at the wheel, or as Hemal Shah put it on Twitter:

Recommended reading

Here’s how you can delete your Uber account, courtesy of David Heinemeier Hansson:

And finally, here’s Cracked’s excellent video, Why Uber is Terrible:


You may want to read (or at least skim) these two articles before reading this one:

The original analogy

Last week, I posted an article featuring images from my slides based on Panayotis Vryonis’ clever way to explain public-key cryptography, a.k.a. asymmetric cryptography, to non-techies, as covered in his blog post, Public-key cryptography for non-geeks. The analogy uses a public key, a private key, and a box with a special lock:

Here’s a quick visual summary of how the box analogy works:

As I said earlier, it’s clever. Not only have I had great success using it to help non-techies understand what the whole public key/private key deal is all about, but those non-techies have also had great success doing the same.

The analogy’s flaw

The analogy was just fine, but then this guy had to jump in and ruin everything:

That’s Dr. Robin Dawes, my computer science professor at Crazy Go Nuts University, who has forgotten more about traversing graphs than I will ever learn.

He tweeted about a flaw in the analogy:

Or, to summarize the flaw graphically:

The flaw in the analogy can also be used to fake a digital signature:

Of course, that’s not how public-key crypto actually works, but the flaw adds some confusion to the analogy.

So I made an analogy where there are two locks — one for encryption, one for signing — that use the same public/private key pair:

My approach works, and it even lets you demonstrate both signing and encrypting the same message — you lock the same box with both locks. The problem is that in using two locks, you lose a key point made by Vryonis’ analogy’s use of a single lock: that public-key crypto does both encryption and digital signatures.

Back to the original analogy…with a twist!

Here’s a solution proposed by Matthew Ernest in a comment to the original article:

The change I would propose is to replace the two unlocked states/one locked state with one unlocked state/two locked states.

a) It clearly shows that there is no way to apply the same key twice and end up in an unlocked state

b) It matches the system being modeled in that the output is different when encrypting with public vs. private key (two different locked states), but unlocking results in the same plaintext (only one unlocked state) if you start from the matching encrypted output and does nothing if you do not start from the matching encrypted output.

My reaction:


So here are my revised graphics, based on Matthew’s suggestion:

Thanks, Matthew! That was an excellent suggestion.
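The two analogies as a small state machine (an added example, not from the post or from Matthew’s comment): the positions and key directions follow the post, while the state names of the revised lock are my own labels. It checks that both legitimate exchanges still work and searches for any starting position from which one key locks the box and the same key opens it again.

```python
# Model of Panayotis Vryonis' three-position lock and Matthew Ernest's revision.
# Added example: the positions and key directions follow the post; the state
# names of the revised lock ("locked-by-private", "locked-by-public") are my own.
# Each position maps to (is_unlocked, position after a clockwise turn,
# position after a counterclockwise turn); None means the key cannot turn.
ORIGINAL = {
    "9:00":  (True,  "12:00", None),      # unlocked
    "12:00": (False, "3:00",  "9:00"),    # locked
    "3:00":  (True,  None,    "12:00"),   # unlocked (the second unlocked state)
}

REVISED = {
    "unlocked":          (True,  "locked-by-private", "locked-by-public"),
    "locked-by-private": (False, None,       "unlocked"),  # only the public key opens it: a signature
    "locked-by-public":  (False, "unlocked", None),        # only the private key opens it: a secret
}

def turn(lock, position, key):
    """Apply one key: the private key turns clockwise, the public key counterclockwise.
    If the lock has no further position in that direction, the key does nothing."""
    _, clockwise, counterclockwise = lock[position]
    nxt = clockwise if key == "private" else counterclockwise
    return position if nxt is None else nxt

def is_unlocked(lock, position):
    return lock[position][0]

def exchange_works(lock, start, lock_key, unlock_key):
    """True if lock_key really locks the box from `start` and unlock_key then opens it."""
    locked = turn(lock, start, lock_key)
    return not is_unlocked(lock, locked) and is_unlocked(lock, turn(lock, locked, unlock_key))

def double_turn_flaws(lock):
    """(start, key) pairs where a key locks the box and the SAME key then opens it.
    Anyone holding a copy of that key can read the 'secret' or fake the 'signature'."""
    return [(start, key) for start in lock for key in ("private", "public")
            if exchange_works(lock, start, key, key)]

if __name__ == "__main__":
    for name, lock in (("original", ORIGINAL), ("revised", REVISED)):
        secret_start = "3:00" if lock is ORIGINAL else "unlocked"
        sig_start = "9:00" if lock is ORIGINAL else "unlocked"
        print(name, "secret message works:", exchange_works(lock, secret_start, "public", "private"))
        print(name, "signature works:     ", exchange_works(lock, sig_start, "private", "public"))
        print(name, "same-key-twice flaws:", double_turn_flaws(lock))
```

The original lock reports two flaws (the public key applied twice from 3:00, and the private key applied twice from 9:00); the revised lock reports none, and a key applied to a position it cannot turn leaves the box exactly as it was, which is Matthew’s point (b).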

Credit where credit is due

Once again, I’d like to extend my thanks to…

Panayotis Vryonis, who came up with the analogy that’s been so incredibly helpful…

Dr. Robin Dawes, who chimed in about the flaw in the analogy (and being a wonderful professor)…

Matthew Ernest for his excellent suggestion (I don’t have an image for him, so he gets Batman)…

…and the two gentlemen pictured above. No, they’re not extras from That 70s Show; they’re Martin Hellman and Whitfield Diffie, the computer scientists who pioneered public-key cryptography, without whom we wouldn’t have all sorts of things including secure communications, ecommerce, and this article.


Here’s what’s happening for developers, technologists, and tech entrepreneurs in and around the Tampa Bay area this week…

Monday, June 12

Tuesday, June 13

Wednesday, June 14

Thursday, June 15

Friday, June 16

Saturday, June 17


A quick recap

Yesterday, I wrote about my favorite way to explain public-key crypto to non-techies. It’s a clever analogy that Panayotis Vryonis devised and put forth in his blog entry, Public-key cryptography for non-geeks.

The analogy features:

  • a box equipped with a special lock that has three positions, as shown in the picture above,
  • two keys that can turn the lock:
    • One that can only turn the lock clockwise, called the private key, and
    • One that can only turn the lock counterclockwise, called the public key:

Public-key crypto is used in both sending secret messages and digital signatures, and the combination of the special three-position lock and two keys allows the analogy to work for both uses.

Here’s sending a secret message…

…and here’s digitally signing a message:

To get the full story, you should read:

The limits of the analogy

Oh yeah, I went there.

“The map is not the territory,” the saying goes. In a similar vein, an analogy is not the thing it represents; push it far enough, and you’ll get to a place where it falls apart.

Suppose you want to send me a secret message. In the analogy, you’d put it into the box, lock it with my public key, which can only turn the lock in the counterclockwise direction, and then send it to me:

You unlock the box with the private key, which is the only key that can turn the lock clockwise. So far, so good.

The problem with the analogy is that there’s another “unlocked” setting at the 9:00 position. Couple that with the fact that the public key turns the lock counterclockwise, and it’s all too easy for an unauthorized party to intercept the message:

Of course, this isn’t how actual public-key crypto works, as evidenced by the fact that ecommerce exists (it uses the SSL protocol, which uses public-key crypto) and that my delinquent friends haven’t replaced the stuff in my GitHub repo with these David Hasselhoff centerfolds (I use SSH, which uses public and private keys, to log into GitHub):

I repeat: Oh yeah, I went there.

I didn’t make this discovery — credit for that goes to my computer science prof at Crazy Go Nuts University, Robin Dawes:

It’s been 25 years, and I’m still getting schooled by the prof whose “algorithms and data structures” and “ethical/legal/social issues for computer scientists” courses I took. Talk about getting value for your tuition fees!

My proposed tweak

Public-key encryption’s two main uses — sending secret messages and digitally signing them — are explained quite well with Vryonis’ analogy. But how do we get around the problem pointed out above, or the problem illustrated below?

My proposed tweak involves splitting the lock into two locks:

  • One for encryption, and
  • the other for signatures

…and both use the same set of keys:

  • The private key, which only turns clockwise, and
  • The public key, which only turns counterclockwise

Here they are:

Using two locks gets around the problems introduced by a single three-position lock, and also lets you illustrate the simultaneous use of encrypted messages and digital signatures. For example, if I wanted to send you a secret message with the assurance that it was genuine, I’d send it to you in a box with two padlocks:

  • An orange “secret message” padlock locked with a copy of your public key, and
  • A blue “signature” padlock locked with my private key

If you had the correct keys and couldn’t open both padlocks, you should treat the contents of the box as suspect, and for good measure, you might want to hold the messenger for questioning.

So — Mr. Vryonis, Dr. Dawes, and you, the Gentle Reader — what do you think of my proposed tweak?


Have you ever tried to explain public-key cryptography (a.k.a. asymmetric cryptography) or the concept of public and private keys and what they’re for to non-techies? It’s tough, and I’ve spent the last little while trying to come up with an analogy that’s layperson-friendly and memorable.

It turns out that it already exists, and Panayotis Vryonis, pictured to the right, came up with it. Go over to his blog and check out the article titled Public-key cryptography for non-geeks. Whenever I have to explain what private keys and public keys are for to someone who’s new to cryptography, I use Vryonis’ “box with special lock and special keys” analogy. Not only does the explanation work, but it’s so good that the people I’ve used it on have used it themselves to explain public-key crypto to others.

I’ve recently used Vryonis’ analogy in a couple of presentations and thought I’d share images from my slides. Enjoy!

The crypto everyone gets: Symmetric cryptography

Everyone “gets” symmetric cryptography. It’s an easy concept to get because it’s got a counterpart in real-world locks (as pictured above), which typically have two positions:

  • Unlocked, which is analogous to unencrypted data
  • Locked, analogous to encrypted data

With both real-world locks and symmetric encryption, there’s a single key that does both the locking (encryption) and unlocking (decryption).

The tougher-to-explain crypto: Asymmetric (a.k.a. public-key) cryptography

Public-key crypto is counterintuitive, so Vryonis came up with an analogy in which we’re asked to imagine a box equipped with a special lock with three positions:

  • A: The “9:00” position, which is unlocked
  • B: The “12:00” position, which is locked
  • C: The “3:00” position, which is unlocked

The special lock can accommodate not one, but two different varieties of key.

First, there’s the private key, which can only turn the lock clockwise — from position A to position B, or position B to position C.

As the name implies, the owner of the lock keeps the private key and does not share it.

Then there’s the public key, which can only turn the lock counterclockwise — from position C to position B, or position B to position A.

As the name implies, the owner of the lock shares any number of copies of the public key with the world. It doesn’t matter whether it’s one copy with a friend, or a million copies left willy-nilly all over the place.

The public key is the counterintuitive thing about public-key crypto, since it goes against everything you’ve heard about physical security (don’t give out copies of your house keys or the combinations for your locks) and digital security (don’t share your bank card PIN or passwords, and don’t make them easy to guess). But it’s the public part of public-key crypto that makes it so useful, as you’ll soon see.

Of course, none of these things — the special lock, the private key, and the public key — exists as a physical entity. The special lock is an encryption/decryption algorithm implemented in software, and both the public and private keys are data that you feed into that software.

The public and private keys are used together by the encryption/decryption algorithm to encrypt and decrypt data. A message that has been encrypted with a public key can only be decrypted by its matching private key. A public key and its corresponding private key are mathematically related to each other, so they must be generated as pairs. Even though they’re related, there’s a fair bit of clever mathematics that goes into ensuring that it’s exceedingly difficult to compute the private key from its corresponding public key.

Enough theory — let’s see public-key cryptography in action!

Using public-key cryptography to send secret messages

Suppose you want to send me a message that only I will be able to read. In our “box with special lock and special keys” analogy, you’d put it into the special box and lock it with a copy of my public key that I’d given you (or hey, a copy of my public key that you’d found lying around because I’d left them everywhere). Remember, in this analogy, the public key can only turn counterclockwise, so to lock the box, you’d turn the key from the rightmost position (unlocked) to the center position (locked). Once that’s done, you’d send the box to me.

The digital world equivalent would be to use public-key encryption software to encrypt the message that you want to send using my public key. The software would take the message and mathematically combine it with the public key, transforming it into an encrypted message, which you would then send to me.

When I receive your message, I will be unable to read it as-is. In our “box with special lock and special keys” analogy, I’d first have to unlock the box it came in by using my private key. Unlike the public key, which I copied and gave away like candy, only I have the private key. In the analogy, the private key can only turn clockwise, so to unlock the box, I’d turn the key from the center position (locked) to the rightmost position (unlocked).

The digital world equivalent would be to use public-key encryption software to decrypt the received encrypted message using my private key. The software would take the encrypted message and mathematically combine it with the private key, transforming it back into the original message, which I would then be able to read.

Using public-key cryptography to digitally sign messages

Public-key crypto is also useful for digital signatures. I should define what digital signatures are before talking about them any further.

Handwritten signatures — like the kind that you use to sign paper letters or contracts, or paper credit card receipts — are supposed to uniquely identify you, because they’re difficult to duplicate (in theory). The presence of my signature on a message that I send is proof that it indeed was written by me and not someone else (again, in theory).

Digital signatures are also used as proof that a message that I sent was written by me and not someone else. The difference is that it’s much, much, much harder to forge a digital signature.

Suppose I want to send you a message that you can be certain came from me. In our “box with special lock and special keys” analogy, I could do it by putting it into the special box and locking it with my private key. In the analogy, the private key can only turn clockwise, so to lock the box, I’d turn the key from the leftmost position (unlocked) to the center position (locked). Then I would send the box to you.

The digital world equivalent would be to use public-key encryption software to sign my message using my private key. The software would take the message and mathematically combine it with the private key, transforming it into a signature that would be included with the message, which I would then send to you.

When you receive my message, you’d want to verify it by checking the signature. In our “box with special lock and special keys” analogy, you’d use my public key to attempt to unlock the box. In the analogy, the public key can only turn counterclockwise, so to unlock the box, you’d turn the key from the center position (locked) to the leftmost position (unlocked). If the message really came from me, my public key would be able to unlock the box; if it didn’t, you wouldn’t be able to. You’d know that it came from me because only my public key would be able to unlock a box I had locked with my private key.

The digital world equivalent would be to use public-key encryption software to verify my message using my public key. The software would take the message and mathematically combine it with the public key, producing a result that would let you know if it had been signed with my private key or not.

A quick summary

Public-key crypto uses matching pairs of keys:

  • The private key, which you keep to yourself, and
  • The public key, which you share freely.

To send a secret message, you use the recipient’s keys:

  • The sender uses the recipient’s public key to encrypt the message, and
  • The recipient uses their private key to decrypt the message.

To sign a message, you use the sender’s keys:

  • The sender uses their private key to sign the message, and
  • The recipient uses the sender’s public key to verify the signature.
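To see the “one lock, two keys” idea in actual arithmetic, here is textbook RSA with the toy primes 61 and 53 (an added example, not from the post). The same modular exponentiation serves as the lock, the public and private exponents are the two keys, and, unlike the box analogy, turning the public key twice does not bring the message back. The parameters are constructed for illustration; real systems use much larger keys and padding.

```python
# Textbook RSA with toy-sized primes: the analogy's single lock as arithmetic.
# Added example, not from the post. Constructed parameters (p=61, q=53) are for
# illustration only; real deployments use 2048-bit or larger moduli and padding
# (OAEP for encryption, PSS for signatures), never raw exponentiation like this.
from math import gcd

def make_keypair(p, q, e=17):
    """Return ((e, n), (d, n)): the public key and its matching private key."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent e must be coprime to phi(n)")
    d = pow(e, -1, phi)          # private exponent: e * d == 1 (mod phi); needs Python 3.8+
    return (e, n), (d, n)

def turn_lock(value, key):
    """The one 'special lock': modular exponentiation with whichever key is supplied."""
    exponent, n = key
    if not 0 <= value < n:
        raise ValueError("value must be an integer in [0, n)")
    return pow(value, exponent, n)

def encrypt(message, recipient_public):
    """Sender turns the lock with the recipient's public key."""
    return turn_lock(message, recipient_public)

def decrypt(ciphertext, recipient_private):
    """Recipient turns it back with the matching private key."""
    return turn_lock(ciphertext, recipient_private)

def sign(message, sender_private):
    """Sender turns the lock with their own private key; the result is the signature."""
    return turn_lock(message, sender_private)

def verify(message, signature, sender_public):
    """Anyone holding the sender's public key checks that it opens the signature onto the message."""
    return turn_lock(signature, sender_public) == message

def public_key_twice_recovers(message, public):
    """The analogy's flaw checked against the real thing: does the public key twice give plaintext back?"""
    return turn_lock(turn_lock(message, public), public) == message

if __name__ == "__main__":
    alice_public, alice_private = make_keypair(61, 53)     # n = 3233
    m = 65                                                  # ASCII 'A', kept as an integer < n
    c = encrypt(m, alice_public)
    print("ciphertext:", c, "-> decrypts to", decrypt(c, alice_private))
    print("public key twice recovers plaintext?", public_key_twice_recovers(m, alice_public))
    s = sign(m, alice_private)
    print("signature verifies:", verify(m, s, alice_public),
          "| tampered signature verifies:", verify(m, (s + 1) % 3233, alice_public))
```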

A public key caveat

You need to be able to trust the source of any public key you use.

Public-key encryption works only if you know for certain that you’re using the actual public key of the person that you’re communicating with.

Suppose you wanted to send secret messages to your friend Alice, and I wanted to intercept those messages. I could do that by generating my own private/public key pair and then giving you the public key while saying it was Alice’s. You’d then encrypt the message using what you thought was Alice’s public key, but was actually mine. I could easily decrypt that message using my private key.

In order to avoid this problem, you should make sure that any public keys you use come from trusted sources — either the owner or a trustworthy third party, such as a certificate authority.

Further reading

Here’s a quick list of layperson-friendly guides to public-key crypto:
