ALL ART BURNS

It does, you know. You just have to get it hot enough.

Friday, September 8, 2006

“I want to be a designer because …”

On the first day of one of my classes (“Human Experience in Design”), the instructor asked us to complete this sentence in 15 words or less:

“I want to be a designer because …”

He read aloud some of the answers people gave and he challenged us to answer the question every year and see how our answers changed during school and during our careers. I think this is a useful exercise no matter what your discipline; you should try answering this yourself and checking back every year.

In keeping with the original spirit, I’m going to keep my answer down to 15 words or less. I’m going to append five rules for achieving the answer to my question and see how those change over time as well as the answer to the question.

I want to be a designer because I want to make things that people can use to improve their lives.

Five personal rules for achieving that goal:

  • Always remember that improving a person’s life is easy.
  • Every project I work on should improve at least one person’s life, even if it simply entertains them.
  • Never work on a product that a person will have to send to a landfill.
  • Never attempt to convince someone to buy a product they do not actually need.
  • Leave the world in a better place than it was in when I entered.


posted by jet at 09:47  

Saturday, September 2, 2006

When the Environment is the Enemy: Sears

The other day the mail carrier dropped off a 19″ x 16″ padded plastic envelope. The return address said “Sears”, but I couldn’t think of anything I’d recently ordered from them.


I opened it up and discovered that it contained four 14″ x 12″ padded plastic envelopes.


After opening the first envelope, I remembered that weeks earlier I’d ordered the service and install manuals for the stove that was already in the house when we moved in.


One of the envelopes contained only a single sheet of paper: a schematic for the stove.

At this point I’m pretty peeved. I’ve got five envelopes made of plastic that I can’t recycle or reuse.

Then I got to noticing that the stack of paper I had was pretty light, possibly lighter than the weight of the packaging itself. I don’t know what the postage charge was, but the thought of paying to have stuff shipped to me that I can’t use or recycle really makes me cranky.

So I broke out the postal scale.

Stove documentation: 6.5 oz.

Packaging: 7.5 oz.

That’s 7.5 oz of plastic mailers to protect 6.5 oz of paper. I paid twice the postage for unnecessary packaging that will end up in some landfill.

Thanks, Sears!


posted by jet at 16:40  

Sunday, August 13, 2006

About ALL ART BURNS

After some 15-odd years in the tech industry doing everything from programming parallel supercomputers to developing secure applications for consumer electronics, I decided to go back to school for a BFA in Industrial Design. This journal, “ALL ART BURNS”, is a public design journal and sketchbook. It might turn into my pro designer blog after I graduate or it might continue to be a journal and sketchbook. Either way, I hope this will be of use to other people interested in design or who are also on the path to becoming a designer. The name comes from one of the fire/art themed stickers I made back in 2002 for Burning Man.

The long version of how this came about is in the earlier journal entries. The short version is that I miss what got me sucked into computers and technology in the first place: making tools people can use to improve their lives. When I started developing software eons ago, I often did every phase of delivering a product: determine requirements, design both the architecture and what we now call the user interface, procure hardware, develop the software, build and run tests, write end-user documentation, and install and maintain the product.

Somewhere in the mid-90s, the technology world went through a sea-change. My IT projects turned into installing vendor-provided solutions so I moved into engineering. Engineering in the dot-com boom in the valley was not terribly fun: I had a choice of being either a minor cog in a machine or an ego-driven uber-geek. Neither suits me well and I’ve been a mediocre engineer as a result, with only my passions for hacking, security and privacy keeping me motivated (and employable).

A few years ago I started going to Burning Man and quickly adopted their philosophy of “no spectators”. I started making art for the playa; that quickly evolved into learning to work metal; and soon after came the discovery that I really enjoy making physical things that people can interact with. Working over the summer on a project for Burning Man wasn’t enough; I wanted to make physical things year-round. I considered going back to school for a degree in mechanical engineering or robotics but both of those felt rather sterile. One day I discovered what it is that industrial designers do, and realized that industrial design was what I’ve been wanting to do for a long, long time.

I still like technology and I’ll always be a hacker of some sort but I have little desire to write software as a full-time job for the rest of my life. I want to make physical things that people manipulate and understand how people interact with those physical things. It’s one thing to develop a new authentication mechanism, it’s another for that mechanism to be usable. Odds are that anything I make will contain some sort of technology and it’s likely that I’ll help design and implement some of that technology.


posted by jet at 18:29  

Monday, July 10, 2006

The Future of Data

[More thinking-aloud about how tags and spimes will change things. I’m also in the middle of Everyware and am trying to finish this while reading that.

I said I’d be writing about security next, but I ended up thinking about the future of data in terms of public policy and societal issues regarding collection and ownership of data. Security is in the queue, but I need to figure out the requirements and context before I think about the implementation.]

The Future of Data

A world filled with RFID tags, smart tags, readers, and spimes reveals a vast amount of easily accessible data not previously available to the individual. A store currently has an idea of its inventory, shrinkage, and daily sales, but I as a shopper wouldn’t know any of that information. A movie theatre would know how many tickets it sold while as a guy watching a movie I can only do a rough count of empty seats and make a guess.

In the near future you or I will be able to know these things, should we choose. We will be able to wander through a public place and automatically collect vast amounts of information in a form easily used by computers instead of tediously taking notes and making spreadsheets.

Think about the world we’re about to inhabit:

  • Any object with a more than nominal monetary value has some sort of RFID-like tag used to track the object from creation thru the point of sale and afterwards into its usable lifespan. Not only will the merchant you bought a shirt from know you bought a shirt (and link that information to your customer account), they’ll know every time you wear it past or into their store. You didn’t just buy a shirt, you gave them a fair amount of useful marketing information when you used your credit card to buy the shirt and even more if you ordered it online and had it delivered. If you physically enter a store, the odds are that they’ll also be able to determine who made all the other items on your person and possibly what those items are, then tweak their sales pitch at an individualized level.
  • Your PDBD is blasting out data to any device that queries it or broadcasting in cleartext to every device in range. So is everyone else’s, and simple proximity mapping will make it trivial to plot each step by each person through public and even private spaces.
  • Readers are everywhere: every business or home has one at the entrance, and most have several inside that operate on different classes of tags using domain-specific requirements. The door reader looks for all tags, the inside reader looks for local tags or those that meet a limited set of criteria. Think inventory tracking vs. employee tracking, then imagine every object worth more than a few bucks having its own unique serial number and tracking device.
  • Really, readers are everywhere: every commercial delivery vehicle will have some sort of tag reading mechanism to track packages between being picked up and delivered. Reading the contents of those packages will be trivial, and delivery firms will not just have databases of who ships how many packages and to whom, but the contents of those packages will be known.
  • Spimes and other types of smart objects (smobjects? smaarbjects?) are collecting data from their surroundings and reporting it back to their owner or the general public. “Data” is any information that can be collected and stored: location, time, temperature, number and type of other tags and spimes seen, data those smart objects have transmitted, etc.
  • Proto-spimes are doing this now: A case of expensive wine can know if it’s been stored at the correct temperatures, a laptop will know if it’s been dropped, a shipment of fragile goods can know if it’s been subjected to improper environments. Take a look at Maxim’s iButtons for an inexpensive, common, off-the-shelf (COTS) example of the technology required to track environments of packages or equipment.

How Your Role Will Change

The technology to collect, store and analyze vast numbers of RFID or other smart tags is about to become very accessible to the masses, very portable and very easy to hide. RFID and other inexpensive tagging mechanisms won’t have the sort of security that a full-on spime has and will be easily readable by just about anyone. (To keep things simple, I’m going to lump publicly readable data from spimes in with data from RFID, bar codes, and other insecure tagging mechanisms and refer to them all as “tags”.)

In a short time — months or a couple of years at most — it will be trivial to build an advanced tag monitoring system that not only scans all nearby tags but can also passively eavesdrop on other scanners as they communicate with tags. Your involvement in the participatory panopticon will go from one of passive participation to active engagement. You no longer have to be just another data point, you can also be a collector, analyzer and interpreter of data and a distributor of information.

What happens today if you wander in with a pad of paper and start writing down a store’s inventory and pricing based on what’s on the shelves with the intent to post it to a web site? You’ll probably get kicked out of the store because most stores have policies about what data you can collect while you’re on their premises. (Try it at your local Wal-Mart if you don’t believe me.)

But what if data collection isn’t obvious? Today, you get kicked out of a store because you are obviously collecting data they don’t want you to collect. What if it just looks like you’re idly browsing through the racks and shelves? Will they kick you out for simply browsing?

In the near future, anyone will be able to wander in to a store with a PDA in their jacket or backpack and a tag scanner up their sleeve and start reading tags on any nearby merchandise. To any human, they will look like someone idly wandering around the store — the typical bored person waiting on their spouse to finish shopping. Perhaps a nearby tag reader would throw exceptions about tag reads that they didn’t request, but would any human get notified in a reasonable amount of time?

Data as Property

Who “owns” the data you just collected with your portable tag scanner and who can do what with it? Is it yours? Does it belong to the store? Facts can be copyrighted, is the state of the store’s inventory a fact that can be somehow put under copyright? Or do you now own a database of facts that you collected in a public space for which you own the copyright?

I can stroll up and down every aisle in a small store at the mall in a matter of minutes, plenty of time to scan not only the inventory on the shelves but the overstock under the shelves and maybe what’s in the back room. If I’m lucky I’ll also get data on other customers in the store and possibly record a few purchase transactions. (One would hope that purchase transactions use some sort of strong cryptography, but I can imagine plenty of systems that use weak or no security in the interests of saving a few pennies.)

When you enter a store and a monitor at the door reads all the tags on your person, what can they do with that data? Do they own it? Do you own it? If I sit in the middle of the food court at the mall with my laptop reading data on all the passersby, what can I do with that data? How about if I monitor the reads being performed by the scanners at the doors of businesses? What if I monitor my competitor’s reader across the way? Next time you’re in a shopping mall, notice how close together doorways and cash registers are, how many are within line of sight of one another, and how many of those businesses are competitors who would benefit greatly from this sort of data.

Data as Property Today. Here’s a question to ask yourself: “Who can collect what data in my household and what can they do with it?” Do you have a DVR in your house or a digital cable box? Do you have other consumer electronics devices in your entertainment center that can contact a remote server using phone or broadband? How do you know these devices aren’t recording the clickstreams of all your remotes, not just the one that each obeys? There’s no magic that says “only send my remote control infra-red beam to a specific unit”; anything in your entertainment center is going to receive an IR signal from any remote you use and could be collecting your remote presses and sending them off to a third party. If you’re concerned about the answers to these questions, read the privacy policies for the services you subscribe to or contact the companies providing you service.

Hacking the Near Future

So far we’re just talking about COTS technology and most (all?) of these things can or will be done with commercially available tag reading software and hardware. If you want to start writing your own code or hacking your own hardware your data collection and distribution options are greatly increased.

Today you can build an extended range RFID “skimmer” that can poll tags well outside the normal operational range of a few centimeters (see Kirschenbaum and Wool, “How to Build a Low-Cost, Extended-Range RFID Skimmer”). Yes, it’s bulky and obvious, but you could probably hide one under the counter at a cash register, near a doorway in your business, or in the backseat of your car.

As you’re collecting data from tags in the world around you, you’ll probably pick up a few that are authentication mechanisms of one sort or another. These are useful for replay attacks — when someone copies an authentication token and re-uses it at a later time without the owner’s permission. In the RFID and token world, this could be anything from a toll road account to an employee door badge.

Current RFID and Smart Tag Security. WIRED has an excellent article on RFID hackers worth reading. My personal experience with tags is similar: I have worked with some physical security systems based on RFID-like technology that did everything in the clear and with no authentication. Duplicating a specific card’s ID number was simply a matter of sniffing the transaction at the door reader or using a “rogue” door reader attached to a PC to query a card. No authentication was used by the card to verify the identity of the reader making the request and the server had no way of knowing if the card ID number presented was from the original card or a physical duplicate. Imagine security based on responding with a correct answer to a simple question:
“What is your employee ID number?”
“12”
“Access granted.”

Do you feel comfortable knowing that any person who said “12” could open the door to your building? Or would you prefer some sort of verification along the lines of, “Only current employees of the company who answer the question with their secret serial number” or “Only people I trust who know today’s serial number” to be used as conditions for access?
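
The difference between the spoken-ID exchange above and the “secret serial number” alternative, as an added example (not code from the original post): a door that accepts a bare ID next to one that issues a fresh random challenge the card must answer with an HMAC under a per-card key. The card IDs, keys, and class and function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: card IDs and per-card keys are made up for this example.
CARD_KEYS = {12: secrets.token_bytes(32), 47: secrets.token_bytes(32)}
ACTIVE_IDS = {12, 47}


def static_id_door(presented_id):
    """The scheme described above: the door trusts any device that states a valid ID."""
    return presented_id in ACTIVE_IDS


class Card:
    """A card that holds a secret key and never sends it over the air."""

    def __init__(self, card_id, key):
        self.card_id = card_id
        self._key = key

    def respond(self, challenge):
        # Prove knowledge of the key by MACing the reader's fresh challenge.
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class ChallengeDoor:
    """Door controller that issues a single-use random challenge per attempt."""

    def __init__(self, keys, active_ids):
        self._keys = keys
        self._active = set(active_ids)
        self._pending = {}  # card_id -> outstanding challenge

    def revoke(self, card_id):
        self._active.discard(card_id)

    def challenge(self, card_id):
        nonce = secrets.token_bytes(16)
        self._pending[card_id] = nonce
        return nonce

    def verify(self, card_id, response):
        nonce = self._pending.pop(card_id, None)  # each challenge is usable once
        if nonce is None or card_id not in self._active:
            return False
        expected = hmac.new(self._keys[card_id], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def demo():
    results = {}
    # Static ID: a recorded "12" is as good as the real card.
    results["static_replay_accepted"] = static_id_door(12)
    door = ChallengeDoor(CARD_KEYS, ACTIVE_IDS)
    card = Card(12, CARD_KEYS[12])
    nonce = door.challenge(12)
    recorded = card.respond(nonce)  # what an eavesdropper at the door would capture
    results["genuine_accepted"] = door.verify(12, recorded)
    door.challenge(12)  # new attempt, new challenge
    results["replayed_response_accepted"] = door.verify(12, recorded)
    door.revoke(12)  # the employee leaves the company
    nonce = door.challenge(12)
    results["revoked_card_accepted"] = door.verify(12, card.respond(nonce))
    return results


if __name__ == "__main__":
    print(demo())
```

The recorded response fails on the second attempt because it was computed over a challenge the door has already discarded, and the revoked card fails even with the right key, which is the “only current employees” condition.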

Crimes, Hacking and Pranking

A high powered tag pinger that could query all tags within a meters feet would be a handy thing for me to have if I were of a criminal bent. Instead of guessing which bag to steal from a passerby, which locker to break into at the gym, or which package to steal from a delivery truck I can just wander around scanning things until I find a likely target.

From the other side of the data equation, what’s to stop someone from making bogus tags or making a device that responds as if it were a tag but with bogus data? Someone might notice me physically replacing the bar-code on an item in a store or trying to remove a security tag, but will they notice the RFID emulator in my courier bag? Will they be able to tell that I used it to drown out the tags of any items I have with me as I go through the checkout line or walk past the security scanners at the door?

Theft is a criminal act for which I can be prosecuted, but what if I just send out bogus data with no intent to commit forgery or fraud? Me and a few dozen of my pals looked like poorly dressed people who wandered in to a high end store, looked at a bunch of expensive merchandise and walked out without buying anything. However, the tag reader at the door logged us as well dressed individuals carrying laptops or expensive cameras. When the store owners sit down to analyze all their demographic data, they’re going to be looking at some very bogus information that will probably lead them to make improper business decisions.

If I suspect my competitor across the way at the mall is snooping on tag activity at my store, what’s to stop me from generating false tag activity? Is it (or should it be) illegal to broadcast fake transactions or other data knowing that my competitors will collect and interpret that data?

Some Questions

These aren’t new issues, but the technology that makes business more efficient makes everything else equally efficient. Hacking, crimes, invasion of privacy, etc. all become more efficient as well. We need to answer some new questions and come up with new answers for old questions:

  • What is data?
  • What data can be owned and what is in the public domain?
  • Who can own data?
  • What safeguards does an owner of data have to take to prevent that data from being exposed to the public?
  • How is ownership of data determined?
  • Who can control data collection?
  • Who should control data collection?
  • What rights are there to collect data, if those rights even exist?
  • What rights are there to prevent collection of data, if those rights even exist?

When I started writing this, I was thinking about securing tags, proto-spimes, and spimes by first determining the requirements created by their environment. I quickly realized that many of the questions I was asking were questions about public policy, laws and social agreements, not questions about technology. The security questions are important but they’re simple engineering problems and will be easily solved once we know the requirements. The questions about how public policy, legal and social agreements will change are much harder to answer than the security questions; our answers will have profound impact on what our world looks like in the coming decades.


posted by jet at 21:24  

Wednesday, June 21, 2006

School Update: 20060621

Classes don’t start for a couple of months yet but I’m already getting in the back-to-school mental space.

I’m filling out more paperwork for Carnegie Mellon than I ever did for a public school and it’s amazing how much of it is, in fact, paper. Some of it I can do online, including applying for financial aid and course registration, but I still fill out paper forms to prove I have health insurance, my shots, etc. Online registration for courses is one of the best things to happen in the past 20 years — no getting up at o-dark-hundred just to wait in line for hours down at the administration building filling in bubble sheets and getting signatures from admins. (If you’ve only registered online, let me tell you about walking to school uphill in the snow both ways…)

A fair amount of my time in the past few weeks has also been spent researching student loans and other forms of funding. My employer has no sabbatical policy and little in the way of educational programs that I can use to pay for school. They’re good about flex-time and would probably pick up the tab for a specific class required by work, but that’s about it. I’m planning for the worst possible case: quitting my day job, starting school on loans, then picking up consulting work during the academic year as time permits.

Quitting could also be the best case if I can scrounge the cash for the first year and really focus on school. I’m going to school to get my core art and design skills whipped into shape by experts, not just to get some letters after my name (“BFA, IDSA”). I’d rather go to school for 3-4 intensive years and live cheaply instead of taking night classes and dragging school out over ~8 years. It took me 7 years to get my first BA, I’d like to not repeat that process again.

Looking back at my last tilt at school, something that I really didn’t understand was money. My family never had much money and my father didn’t know how to manage what we had so I never learned how to manage money. I had no idea how finances worked, how to save or invest, why one should buy a house instead of rent, etc. In retrospect I didn’t have to go to a local city college, I could probably have gotten loans and grants for a much better school had I or my parents known how the system worked.

While I won’t spill the entire financial details of my life here, I think I will occasionally talk about some financial things. I’m probably not the only person so clueless about money that they didn’t even realize how clueless they were (are?) about money.

Ok, enough boring personal details. Next entry is about spimes and security, hope you like it.


posted by jet at 19:45  