Announcing a new version of SecureChat

I’ve just checked in a new version of SecureChat on the main branch at GitHub.

New features include:

  • A working Android client.
  • Various notification bug fixes.
  • Various iOS bug fixes.

Why am I doing this?

Even after all these months, since the Apple v FBI fight began, I’ve been hearing way too much stupidity about encryption. The core complaint I have is the idea that somehow encrypted messaging is the province of large corporations and large government entities, entities that must somehow cooperate in order to assure our security.

And it’s such a broken way to think about encryption.

This is a demonstration of a client for iOS, a client for Android and a server which together allow real-time encrypted chatting between clients. What makes the chat secure is that each device generates its own public/private key pair, and all communications to a device are encrypted against that device’s public key. The private key never leaves the device: it is stored in the secure keychain, encoded with a weak checksum that corrupts the private key if someone attempts a brute-force attack against the device’s secure keychain.

This means there is no way to decrypt the messages even with full access to the server. Messages are stored only on each device, encrypted using the device’s private key–meaning a data dump of the device won’t yield the decrypted messages. And a brute-force attempt to decode the device’s keychain is more likely to corrupt the keychain than to reveal the private key.

Security is a matter of architecture, not just salt sprinkled on top to enhance the flavor. That is why there are so many security breaches out there: most software architects are terrible at their job, in that they simply do not consider the security implications of what they’re doing. Worse, many of the current “fads” in designing client/server protocols are inherently insecure.

This is an example of what one person can do in his spare time to create an end-to-end encrypted chat system which cannot be easily compromised. And unlike other end-to-end systems (where the communications key is generated by the server rather than on the device), this is a protocol that cannot be compromised simply by compromising the code on the server.

There is nothing new under the sun.

Well, the rant on TechCrunch has gone global: Tech’s Dark Secret, It’s All About Age.

Excuse me while I throw in my two cents, as a 44-year-old software developer.

  1. Pretty much all of the useful stuff in Computer Science was invented by the 1960’s or 1970’s. Very little is out there today that is really “new”: MacOS X, for example, is based on Unix–whose underpinnings can be traced back to 1969, with most of the core concepts in place by the early 1980’s.

    Even things like design patterns and APIs and object oriented programming stem from the 70’s and 80’s. Sure, the syntax and calling conventions may have changed over the years, but the principles have stayed the same.

    For example, take the MVC model first discussed formally 20 years ago. The ideas behind that weren’t “invented” then; the MVC papers from Taligent simply codify common practices that were evolving in the industry well before then. One can find traces of the idea of separating business logic from presentation logic in things like Curses, or in Xerox PARC’s work from the 1970’s. I remember writing (in LISP) calendrical software for Xerox as a summer intern at Caltech, using the principles of MVC (though not quite called that back then) in 1983.

    Or even take the idea of the view model itself. The idea of a view as a rectangular region in display space, represented by an object which has draw, resize, move, mouse click handler and keyboard focus handler events, can be found in InterLisp, in NeXTSTEP, in Microsoft Windows, on the Macintosh in PowerPoint; hell, I even wrote a C++ wrapper for MacOS 6 called “YAAF” which held the same concepts. The specific names of the specific method calls have changed over the years, but generally there is a draw method (doDraw, -drawRect:, paint, paintComponent, or the like), a mouse down/move/up handler, a resize handler (or message sent on resize), and the like.

    The idea never changes; only the implementation.

    Or hell, the Java JVM itself is not new: from P-machines running a virtual machine interpreter running Pascal to the D machine interpreter running InterLisp, virtual machine interpreters running a virtual machine have been around longer than I’ve been on this Earth. Hell, Zork ran on a virtual machine interpreter.

  2. I suspect one reason why you don’t see a lot of older folks in the computer industry is self-selection. Staying in an industry populated by nihilists who have to reinvent everything every five years or so (do we really need Google Go?) means that you have to be constantly learning. For some people, the addiction to learning something new is very rewarding. For others, it’s stressful and leads to burnout.

    Especially for those who are smart enough to constantly question why we have to be reinventing everything every five years, but who don’t like the constant stress of it–I can see deciding to punt it all and getting into a job where the barbarians aren’t constantly burning the structures to the ground just because they can.

    I know for a fact that I don’t see a lot of resumes for people in their 40’s and 50’s. I’m more inclined to hire someone in their 40’s as a developer than someone in their 20’s, simply because you pay less per year of experience for someone who is older. (Where I work, there is perhaps an 80% or 90% premium for someone with 4 or 5 times the experience–a great value.)

    But I also know quite a few very smart, bright people who decided they just couldn’t take the merry-go-round another time–and went off to get their MBA so they could step off and into a more lucrative career off the mental treadmill.

    I have to wonder, as well, where I would be if I had children. Would I have been able to devote as much time reading about the latest and greatest trends in Java development or Objective C or the like, if I had a couple of rug-rats running around requiring full-time care? (I probably would have, simply because I’d rather, on the whole, read a book on some new technology than read the morning paper. I would have probably sacrificed my reading on history and politics for time with my children.)

  3. There is also this persistent myth that older people have familial obligations and are less likely to want to work the extra hours “needed to get the job done.” They’re less likely to want to pull the all-nighters needed to get something out the door.

    But in my experience, I have yet to see a development death march with constant overnighters paid off in pizza that didn’t come about because of mismanagement. I don’t know of another industry in the world where mismanaging the resource sizing, and then demanding that your workers work overtime to compensate for this failure to do proper managerial resource sizing and advance development planning, is seen as a “virtue.”

    And I suspect the older you get, the less likely you are to put up with the bullshit.

    Having seen plenty of products make it to market–and plenty not make it to market–and having lived through several all-nighters and product death marches, I can see a common theme: either a product’s sizing requirements were mismanaged, or (far more commonly) upper management is incapable of counting days backwards from a ship date and properly assessing what can be done.

    The project I’m on, for example, was given nearly a year to complete. And Product Management pissed away 7 of those months trying to figure out what needs to be done.

    The younger you are, the less likely you are to understand that three months is not forever, and that if you need to have something in customer hands by December, you have to have it in QA’s hands by September or October–which means you have to have the different modules done by July. If you don’t have the experience to understand how quickly July becomes December, it’s easy to simply piss away the time.

    So I can’t say that it’s a matter of older people not being willing to do what it takes–if upper management also was willing to do what it takes, projects would be properly sized and properly planned. No, it’s more a matter of “younger people don’t have the experience to do proper long-term planning to hit deadlines without working overtime,” combined with “younger people don’t have the experience to call ‘bullshit’.”

  4. There is also, as an aside, a persistent myth that it takes a certain type of intelligence or a certain level of intelligence to be successful in the software industry.

    I’m inclined to believe more in the 10,000-hour rule: if you practice something for 10,000 hours, you will become successful at that thing.

    Intelligence and personality could very well help you gain that 10,000 hours: the first few hours of learning how to write software or learning a new API or a new interface can be quite annoying and stressful. But if you persist, you will get good at it.

    Which means IQ and personality, while perhaps providing a leg up, don’t guarantee success.

    It’s why I’m also inclined to favor more experienced and older developers who have persisted with their craft. If we assume 6 hours of actual development work per day (with the other 2 on administrative stuff), then a work year has only 1,500 hours–meaning 10,000 hours takes about 7 years to accumulate. Assuming you start out of college at 21, this means that anyone under the age of 28 will not have sufficient experience to be good at their craft.

    And that assumes they practiced their craft rather than just going through the motions.

The whole “it’s all about ageism” in the tech industry is an interesting meme–simply because it’s far more complicated than that.

The Mortgage Crisis.

When I started this blog, my intent was to limit my discussions to computer development and technical topics. However, in another life I’m also deeply fascinated by politics and economics, and I’m also fascinated by development, especially housing development issues. And today’s mortgage crisis is a perfect storm of problems that all land in my other areas of fascination.

So please excuse me while I indulge myself.

An overview of the Mortgage Crisis.

One of the most readable articles I’ve seen on the mortgage crisis comes from The Institute of Chartered Accountants in Australia: The collapse of the US sub-prime mortgage market.

This report does an amazing job of describing all of the players in the U.S. mortgage market, walking through the process of a mortgage and mortgage securitization with a set of fictitious players. Page 8 of that report gives a diagram of all of the players in the mortgage market, and later in the report (if you are an accounting geek, which I thankfully am not) there is a list of issues in U.S. Generally Accepted Accounting Practices which our mortgage crisis illustrates, such as GAAP allowing a bank (such as “Insecurity Investment Bank” on page 8) to show on paper that it has no involvement (and thus no risk) when it is neck deep mediating payments on a CBO.

But I digress.

One thing the article does not describe, though it is relevant here, is the role that Freddie Mac and Fannie Mae play in the mortgage market.

On page 8, Freddie and Fannie play the role of “Insecurity Investment Bank” for conforming sub-prime mortgages. Back in 2003, as a result of an accounting scandal, Freddie and Fannie were given the additional mandate to increase their purchases of sub-prime mortgages to 50% of their overall purchases, in order to encourage low-income families to qualify for home loans.

This increased purchasing requirement created a market distortion, encouraging the other players in the diagram on page 8 to act in ways that would otherwise not be in their best economic interest. Because Freddie and Fannie were funding a greater pool of sub-prime mortgages, banks (“Last Bank & Trust” in the diagram) were encouraged to make more and more sub-prime mortgages safe in the knowledge that Freddie and Fannie would buy the loans. And because Freddie and Fannie were government sponsored enterprises chartered by the U.S. government, both bond insurers (such as AIG) and investors (“SPE Cayman Islands” in the diagram) insured and purchased the CDOs created by Fannie and Freddie thinking that these bonds were insured by the full faith and credit of the United States Government.

When some economists and politicians accuse the government of being in the middle of this whole mess, a look at the diagram shows that Freddie and Fannie were in fact in the middle of it. The problem was not “deregulation” or “fat cats” preying on poor folks: if you dig through the discussion of U.S. GAAP practices (which are driven by our tax code, the SEC, and regulations such as Sarbanes-Oxley), it should be clear that each actor in our economic disaster was doing what it believed to be legally correct–though part of the problem here was a lack of understanding by each of the players of the overall risk each was exposed to.

But the basic problem was this: the bubble in the housing market starting earlier this decade hid the poor quality of loans being made. Freddie and Fannie could continue to drive the sub-prime mortgage market, and the banks and investors and insurance companies could continue to make money believing that the government backed the entire process.

While it is unclear whether Freddie and Fannie’s “free money” drove housing prices up, it cannot have helped: bubbles are often driven by “free money” being irrationally allocated. But it is clear that once that housing bubble popped, the entire market collapsed, leaving us the mess we have today.

Freddie and Fannie’s irrationality.

So why did Freddie Mac and Fannie Mae act against their own economic self-interest? Freddie and Fannie are GSEs, certainly–but while their direction may be set by Congress, they are responsible for showing a profit. Until a few months ago, when they were effectively nationalized, they did not operate using taxpayer money.

Well, that all goes back to 2004, when the U.S. Department of Housing and Urban Development required Freddie and Fannie to purchase more “affordable” housing loans: How HUD Mortgage Policy Fed The Crisis.

Since HUD became their regulator in 1992, Fannie and Freddie each year are supposed to buy a portion of “affordable” mortgages made to underserved borrowers. Every four years, HUD reviews the goals to adapt to market changes.

In 2004, HUD reset the goal to 56% of overall purchases: that is, HUD required Freddie and Fannie to make 56% of their overall purchases in the sub-prime mortgage market in order to encourage poorer people to buy homes.

Unfortunately, as it turns out, those same poor people couldn’t afford the homes when the teaser rates started to adjust.

Politics: where the rubber meets the road

So one has to ask oneself why was it that banks stopped acting in their own economic self-interest? Even with Freddie and Fannie beating the bushes for sub-prime loans, they were not the only Investment Banks repackaging those mortgages. Part of the problem lands squarely on the Community Reinvestment Act, a law which nominally was supposed to end the practice of “red-lining” low-income areas. The problem is the act essentially created a “quota system” whereby banks operating in a given area had to show that their investment portfolio (including their mortgage portfolio) matched the region’s socio-economic profile.

On page 8 of the Chartered Accountants report, the CRA regulations directly affected the “Last Bank & Trust” in the diagram: it strongly encouraged Last Bank to make its loan to “Mr. & Mrs. Jones”, in order to meet Last Bank’s CRA quota requirements. The fact that the bank could make a buck off the transaction was a bonus–but even so, Last Bank was in the position that if they didn’t make these loans (which were not in the bank’s best economic interests), they could face protesters from various local community groups demanding greater CRA compliance.

And who took advantage of the CRA to force more sub-prime loans into poorer neighborhoods?

Spreading the Virus

Yet ACORN had only just begun. Two days later, 50 to 100 of the same protesters hit their main target – a House Banking subcommittee considering changes to the Community Reinvestment Act, a law that allows groups like ACORN to force banks into making high-risk loans to low-credit customers.

The CRA’s ostensible purpose is to prevent banks from discriminating against minorities. But Rep. Marge Roukema (R-NJ), who chaired the subcommittee, was worried that charges of discrimination had become an excuse for lowering credit standards. She warned that new, Democrat-proposed CRA regulations could amount to an illegal quota system.

For years, ACORN had combined manipulation of the CRA with intimidation-protest tactics to force banks to lower credit standards. Its crusade, with help from Democrats in Congress, to push these high-risk “subprime” loans on banks is at the root of today’s economic meltdown.

ACORN (Association for Community Organizations for Reform Now) is an umbrella organization whose goal is to make affordable housing available to poorer people. While their goals are completely laudable, like any powerful organization they had friends in Congress (largely Democratic) and their voter registration arm operates like any other special interest group, gaining votes for their congressional supporters so they can get legislation passed to support their own point of view. As such they are no different than any other organization such as the National Rifle Association.

And like any relatively sophisticated organization, when they ran into problems on the ground with insufficient funding of low-mortgage homes, they sought to resolve the problem in the system where they could:

As ACORN ran its campaigns against local banks, it quickly hit a roadblock. Banks would tell ACORN they could afford to reduce their credit standards by only a little – since Fannie Mae and Freddie Mac, the federal mortgage giants, refused to buy up those risky loans for sale on the “secondary market.”

That is, the CRA wasn’t enough. Unless Fannie and Freddie were willing to relax their credit standards as well, local banks would never make home loans to customers with bad credit histories or with too little money for a downpayment.

So ACORN’s Democratic friends in Congress moved to force Fannie Mae and Freddie Mac to dispense with normal credit standards. Throughout the early ’90s, they imposed ever-increasing subprime-lending quotas on Fannie and Freddie.

The Housing Bubble and the Great Unraveling.

In normal economic times, of course, all this repositioning, while creating a market distorting effect, worked fairly well: lower-income families were able to afford better housing, local communities improved, and the process of “gentrification” started to raise the standard of living for poorer families, especially in inner city areas the CRA was designed to help.

But when the housing price bubble started, the systems that were put in place to allow lower-income families to afford better housing kicked into high gear and created more and more bad sub-prime loans. Freddie and Fannie set standards for ARM mortgages–but to qualify, a home owner only had to qualify for the fixed part of the adjustable-rate mortgage. Banks were required to meet CRA targets, which in 2004 were reset ever higher, which meant they had to get more “creative” to meet those quotas–and Freddie and Fannie were there providing the funds. Investors bought more and more sub-prime loan CBOs believing they were backed by the full faith and credit of the United States.

And rising house prices were an economic price signal suggesting that the high cost of housing in areas like New York and California (driven by a genuine shortage of housing, in turn driven by high populations) was spreading to the rest of the country: the old rule that the average price of a house is about 3 times greater than average income in a local area went out the window.

Economic bubbles don’t last forever. And when this one collapsed, all the players were stuck holding the bag–including foreign banks who bought CBOs and, ironically, were some of the first players to collapse. (For example, Northern Rock PLC in England failed in 2006.)

But to suggest that this was a failure of deregulation is insane: even without regulations, banks will not operate against their best economic interests unless there are market-distorting reasons to do so. And in this case, Freddie Mac and Fannie Mae, combined with the CRA’s quota requirements to loan into poorer neighborhoods, masked by (and partially driven by) higher home prices, created the overall disaster.

And when housing prices popped, the entire row of dominos fell–dominos set in place by organizations like ACORN, which were seeking affordable housing for the poor, by Freddie Mac and Fannie Mae looking to fund that affordable housing, and by laws such as the CRA which sought to institutionalize sub-prime mortgages in the name of social justice.