My Best Teaching Is One-on-One

One-on-one is my best.

Of course, I team teach and do special lessons, etc.

Naturally, I also do joint lessons with other teachers and teach special lessons.

But my best work in the classroom is after the lesson is over --
going one-on-one,
helping individual students with their assignments.

But the work I think is most meaningful is, after the lecture is over,
going one-on-one
and helping students individually with their assignments.

It's kind of like with computer programs: walking the client through it hands-on.
The job isn't really done until the customer is using the program.

Well, put in terms of computer programs, I think it is like letting the client try out the finished product.
A product that is of no use has not yet become a product, either.

Thursday, August 11, 2011

Entrepreneurship and Trust on the Internet

Have you seen Kickstarter?

Well, it's an interesting concept, and I have wondered whether something like this might be part of the future way of doing business, after the current crop of robber barons and squatters get removed from the public commons that they are attempting to expropriate under the banner of "intellectual property". (This rant is threatening to get side-tracked, too.)

Not content with just wondering, I decided to set up a project, lay my ego on the line, and see if I could get funding for the clean-up work my BIF-C FORTH language project needs. But, ...

I live in Japan.

In order to run a project on Kickstarter, you have to register with Amazon's payment systems. This is good, because you can probably trust Amazon more than you can trust Kickstarter at this point. But that's not the primary reason.

Kickstarter requires you to set a target funding amount and goal date, and, through Amazon, holds the pledged money in escrow until the date set. If you meet your funding target by your goal date, Amazon gives you the money, minus service fees for both Amazon and Kickstarter. (The fees look reasonable to me, FWIW. But you have to remember the fees when you set your target.) If you don't meet your target, the pledges are refunded.

If you follow the link above to my BIF-C project over on sourceforge, you might notice that you can donate money to the project through PayPal.

But why would you? You have no reason to trust me. Even if I took the time to make it look polished and presentable (whatever that might be), you don't have any guarantee that I would actually use the money to do more work on BIF-C.

You don't know who I am, and maybe it looks worthwhile to you, but you really don't know what anyone else thinks about the project.

If I put the project up on Kickstarter, I'm making a commitment to finish the project to a certain level, which I describe in my pages on the project. I'm putting my reputation on the line in a prominent way.

Moreover, you don't really have to rely on your own judgment alone. If I don't get a certain number of other people supporting me, you get your money back.

There are other ways that Kickstarter supports small-scale entrepreneurism, but these two points are, to me, the most important. Even though I don't personally know them and they don't me, they have provided an intermediary of trust.

But, ...

Amazon requires a USA credit card and address and bank account for their payment system.

(Never liked plastic money, didn't want to see the day it would become de-facto current money. GET OFF MY LAWN YOU YOUNG PUNKS! heh.)

Okay, I could claim a US address. (Have relatives in the States.) I could probably re-establish a relationship with a bank I used to use over there, maybe even get a credit card.

How do I tell the bank I used to use over there that I'm me? Send an e-mail? How do they know that the sender of the e-mail is not just a machine?

How do they tell me they decided to trust me (and someone over there who has an account there and told them that I'm me)?

E-mail is just plain, ordinary text. If you can read ASCII or Unicode, you can read ordinary e-mail. It has an envelope, but, speaking in physical terms, the envelope might as well be clear wrap. It's only intended to carry addressing labels, not keep prying eyes out.

That means that there are all sorts of people between me and the bank who could read that e-mail, people neither I nor the bank know, people that we have no reason to trust: people who work for Sannet (my provider) or the bank's provider, or Google or Microsoft or Yahoo or the North Korean government or some Nigerian ISP. (Sometimes e-mail goes almost straight from sender to receiver, sometimes it takes a round-about route. Otherwise, things tend to get stuck.)

(Oh, and, yeah, people who live in North Korea have to trust their government more than Google. It's not just about coerced preferences, they have no way of knowing enough about Google to trust them. And if you live in Nigeria, you'd better trust your ISP more than Google, or you'd better get a new ISP. Trust hangs a lot on acquaintance.)

And it's going to contain stuff like account numbers and passwords and other things that neither the bank nor I want to trust other people with. In the clear, where a random sysadmin working for someone between me and the bank could see it.

And that is not the worst of it. Since there is no handwriting in electronic communication, the mail could be intercepted, altered, and passed on. In fact, if someone interested in using my account for clandestine purposes (someone really bad) wanted to, he could invent mail to either me or the bank out of thin air. It's all plain text, and if no one checks my mail server's logs or the bank's before they are cleared, who is to know that the mail doesn't come from where it says it comes from?

(Handwriting. If you're thinking, pack up a gif of your signature, remember, that image can be borrowed by the same bad guy.)

PANIC! What to do? What to do!?!?!


Well, let's look at what is available. PGP provides some Pretty Good Privacy stuff. Maybe I can use it, but can you figure it out? I mean keys and algorithms and keystores, ...

keystores? huh?

Anyway, it takes two people (at least) to communicate. If you can't figure out how to use PGP, or if you can't afford the commercial contract and the IT support staff, it does you no good to know that it exists.

And it does me no good to know how to use gnupg, a free (as in libre) solution that is also available, at least when I want to talk to you.

Or the bank.

You see, the banks, for some reason (maybe related to "intellectual property" "owned" by Ronald A. Katz? Shot in the dark.), haven't tried to make communication using either PGP or gnupg available to their customers, for the most part. Instead, they rely on some of the hair of the dog that bit us.
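What PGP or gnupg would add to that plain-text e-mail is a signature the receiver can check. As an added example that is not from this post, using Ed25519 from Go's standard library instead of OpenPGP, this shows the property the post is relying on: a body altered in transit, or mail invented out of thin air under someone else's key, fails to verify. The sender address, message text and keys are constructed, and the bank is assumed to have obtained the sender's public key through some channel it already trusts.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SignedMail is plain text with a detached signature attached. The body still
// travels in the clear (no confidentiality, exactly like ordinary e-mail); the
// signature only lets the receiver detect alteration and forgery, the
// "handwriting" the post says electronic mail lacks.
type SignedMail struct {
	From string
	Body string
	Sig  []byte
}

// canonical binds the claimed sender to the body so that neither can be
// swapped on its own without invalidating the signature.
func canonical(from, body string) []byte {
	return []byte("From: " + from + "\n\n" + body)
}

// Sign produces the message the sender would actually transmit.
func Sign(priv ed25519.PrivateKey, from, body string) SignedMail {
	return SignedMail{From: from, Body: body, Sig: ed25519.Sign(priv, canonical(from, body))}
}

// Verify checks the message against the public key the receiver already holds
// for that sender. Getting that key over a trusted channel in the first place
// is the acquaintance problem the post raises; the signature does not solve it.
func Verify(pub ed25519.PublicKey, m SignedMail) bool {
	return ed25519.Verify(pub, canonical(m.From, m.Body), m.Sig)
}

func main() {
	// Constructed keys and text: the bank learned pub out of band.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	genuine := Sign(priv, "me@example.org", "Please update the address on account PLACEHOLDER-0000.")
	fmt.Println("genuine verifies:", Verify(pub, genuine)) // true
	// A relay between us edits the body; the old signature no longer matches.
	altered := genuine
	altered.Body = "Please update the address on account PLACEHOLDER-9999."
	fmt.Println("altered verifies:", Verify(pub, altered)) // false
	// Someone invents mail "from me" with a key of their own.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged := Sign(otherPriv, "me@example.org", "Please reset my password.")
	fmt.Println("forged verifies:", Verify(pub, forged)) // false
}
```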


You know how the web browser is not secure. You've heard all sorts of people tell you. They are too complicated. They have too many certificates, whatever those are. They have javascript, which is a security nightmare. Real Java, which would be (by no means perfect, but) much better, is not well integrated because Microsoft couldn't own Java (in spite of burning Sun down for it). (Oh, and C#, Microsoft's attempt to answer Java, well, it's better than javascript, we suppose.)


No, you don't really understand why. I could tell you why and you still wouldn't know why. But you do know that the Browser is not secure. At least, I will agree with you if you say you do. And you have seen Microsoft's Internet Explorer do funny things that you don't trust.


Well, a lot of the banks have gone to this company that built, not a single purpose browser, which would be the correct solution, but a clot of javascript that runs in MSIE and Apple's Safari (and, incidentally, Firefox, even on Linux). And they call it secure.

They send it to you in an e-mail, as if that clot is any more dependable than plain text in an e-mail, likely from the parent corporation's IT department, whom you had never heard of until you got the e-mail. And they ask you to trust it. And what it does is send you to their server to get the "secure communication" from them.


If you're like me, you can look up the parent corporation and at least determine that the domain name is legitimate. If you don't know the "tricks" (technology, really) that I know, well, you end up trusting someone you don't know.

And that is precisely what they tell you not to do relative to other clots of code that you've never seen arriving in your in-box from people with names that sort-of maybe look familiar, but you're not sure.

And all it does is connect you securely to their secure server. And you read their message over https (SSL/TLS). Which you could have done anyway. And they call it secure.


And what they use for an initial login ID, no, that is not supposed to be used that way. Puts the customer's data at risk.

And the security theatre with the images they show you to "prove" they are they? PLEASE! That's not even the way that's supposed to be done, if you insist on doing that. There are better ways of proving themselves.


Then, just in case you forget your password or even your login ID, they tell you to specify a couple or three questions that end up being essentially alternative passcodes. And it's either/or, so the attacker gets three guesses instead of one.


And no human interaction. If you have problems, you have to call their toll free number (not toll free from out of the country) and try to work through their automated answering systems. In my case, my phone doesn't speak the same key-codes their machine does. (Are we still on pulse dial? Is it still a couple of hundred yen cheaper here? Ouch.)

What are they thinking of?


Signing up for PayPal is more secure, and more responsive.


(No, I am not naming the banks because, from what I understand, most banks do the same thing.)


Maybe I'll figure out a way to use Kickstarter someday. Maybe I'll figure out a way to finish BIF-C on my own dime somehow. Maybe, someday, the mess that is the internet after Microsoft tried to own it will get straightened out.
