Sunday, 17 December 2017

Does Autonomous = Small?

The Clyde Puffers had a crew of 3 and capacity of about 6 TEU

Wage bills have been a factor driving the move to ever-larger lorries and container ships. The transport companies have successfully externalised the knock-on costs of ever-larger ports, depots, and warehouses, and the impact on city streets. Removing the wages bill could open the way to a radical reduction in size. The perennial problems of inter-modality could perhaps also be eased. Changing the scale of logistics could open the way to better 'last mile' operations.

Using cargo bikes to replace or complement vans is an example of the scope for changing scale, and thought is being given (e.g. here) to the need to standardise small containers (no, I'm not proposing autonomous cargo bikes for city centres). Such containers will hopefully be compatible with urban mobility platforms on the lines of M.U.L.E. (not the US military MULE project).

Thanks to @thinkdefence there is a discussion of small container standards; see the section on JMIC. These would be great for mobility platforms but are not for cargo bikes.

The huge electric autonomous trucks being investigated in the USA may have a long-haul role there, but perhaps the real market is for something much smaller.

If delivery drones are ever to gain scale, there need to be standardised landing pads, preferably palletised and compatible with small-scale standard containers, e.g. biscuit tins.

More speculatively, we can envisage a 21st Century replacement for the Clyde Puffer: small autonomous Ro-Ro vessels (Damen have some starting points), some Mexeflotes where local infrastructure is missing, and M.U.L.E.-like platforms to local depots.

Operations at this more human scale are likely to be more sustainable, and with lower knock-on costs. The trick will be getting the incentives right for it to happen, supported by timely standardisation.

Monday, 27 November 2017

Turning 'Meaningful Human Control' into practical reality

The Fake News

The ambiguity in 'Meaningful Human Control' (MHC) may have been good for generating discussion but it is no good for system design or operation. Rules Of Engagement are bad enough without adding more ambiguity. Some folk seem surprised that 'ethics' needs converting to a technical matter - how else do they think 'ethics' will be implemented at design or run time? The legal viewpoint is not the only one that matters, and expertise in design, support, operation and training seems thin on the ground to date. This post attempts to make a start on describing the way ahead and the practical issues to be faced.

Doug Wise, former Deputy Director, Defense Intelligence Agency: “There are human beings that actually fly the MQ-9 drone – people are actually observing and make the decisions to either continue to observe or use whatever is the lethality that is inherent in the platform. There are human beings at every stage. Now let's assume that at some point the human beings release the platform to act on its own recognizance, which is based on the basic information on the payload that it carries and the information that it continues to be updated with. Then it is allowed to behave in a timescale to take data, process it, and make decisions and act on those decisions. As the platforms become more sophisticated, our ability to let it go will become earlier and earlier.” There will be people involved in all stages of the killer robot lifecycle. The discussion around killer robots, like the discussion around other autonomous platforms, has an unhelpful focus on the built artefact - the robot itself. As UNIDIR has pointed out, a 'system of systems' approach is needed.

The Good News

"What assurances are there that weapon systems developed can be operated and maintained by the people who must use them?" This question, from Guidelines for Assessing Whether Human Factors Were Considered in the Weapon Systems Acquisition Process FPCD-82-5, US GAO, 1981, might be a more useful framing. Assurance requires a combination of inspecting the design, evaluating performance, and auditing processes (for design, operation etc.). Many military systems need something resembling MHC - aircraft cockpits, command centres etc. In fact it is hard to think of a system that doesn't. Not surprisingly, therefore, there is a considerable body of expertise in Human System Integration (HSI) aimed at providing assurance of operability.

Quality In Use (QIU) is defined as: "The degree to which a product or system can be used by specific users to meet their needs to achieve specific goals with effectiveness, efficiency, freedom from risk and satisfaction in specific contexts of use." ISO 25010 (2011). The term is part of a well-formed body of quality and system engineering standards (civil and military) aimed at providing assurance of QIU. In practical terms, this approach is the way ahead (because it exists). Pre-Contract Award Capability Evaluation is likely to be a useful tool in helping to build and operate systems with MHC.

The Bad News

“The reason most people do not recognize an opportunity when they meet it is because it usually goes around wearing overalls and looking like Hard Work.” Henry Dodd
Reliance on coming up with a good definition of MHC won't work for the folk at the sharp end of killer robot operation. The test of whether good intentions have translated into good deeds will be after things have gone wrong. There is a need to improve military accident investigation (with some notable exceptions). Unless there is good Dekker-compatible practice for accident investigation of smart systems and weapons, more good folk who put their lives on the line for their country are going to be used as fall guys. Mock trials with realistic case material would be a good start - overdue really. Sensible investigation of the 'system of systems' is bound to find shortfalls in numerous aspects of both human and technical design and operation. Looking for clear human/machine responsibilities at the sharp end is no more than scapegoating.

“It’s generally hopeless trying to clearly distinguish between automatic, automated and autonomous systems. We use those words to refer to different points along a spectrum of complexity and sophistication of systems. They mean slightly different things, but there aren’t clear dividing lines between them. One person’s “automated” system is another person’s “autonomous” system. I think it is more fruitful to think about which functions are automated/autonomous.” Paul Scharre. The critical parameter for automatic / autonomous is 'context coverage', which considers QIU both in specified contexts of use and in contexts beyond those initially explicitly identified. For autonomous vehicles, it is becoming recognised that the issue is not 'when' but 'where'. A similar situation will continue to apply to smart weapons. The safe and legal operation of smart weapons will remain context-dependent.

'Ordinary' automation is usually done badly, and has not learned the Human Factors lessons proffered since the mid-1960s. There are many unhelpful myths that continue to bring more bad automation into operation, e.g. 'allocation of function', 'human error', 'cognitive bias'. Really, MHC of ordinary automation is far from common.

HSI is practiced to a much more limited degree than it should be, so the pool of expertise is smaller than would be needed. The organisational capability to deliver or operate usable systems is very variable in both industrial and military organisations. Any sizeable switch to 'Centaur' Human-Autonomous Teamwork will hit cultural, organisational, and personnel obstacles on a grand scale.
The current killer robot exceptionalism will be unhelpful if it proves to be a deterrent to applying HSI, or if it continues to be a distraction from the wider problems of remote warfare now we have said Goodbye Uncanny Valley.

Back in the days of rule-based Knowledge Based Systems, the craft of the Knowledge Engineer involved spending 10% of the time devising an appropriate knowledge representation and 90% of the time trying to convince engineers that the human decision making approach was not flawed but contained subtleties that allowed adaptation to context, and that the proposed machine reasoning was seriously flawed. With the current fashion for GPU-powered Machine Learning (ML), this may not be possible. Further, XAI (explainable AI) is a long way from a proven remedy for the opaque nature of ML. ML can be brittle and fail in unexpected ways; the claim that the X part of the system will be able to generate an explanation under these circumstances is an extraordinary claim without extraordinary evidence.

Friday, 13 October 2017

Walkable urbanism vs. the Robocar

“A developed country is not a place where the poor have cars. It's where the rich use public transportation.” - Gustavo Petro
"Planning for the automobile city focuses on saving time. Planning for the accessible city focuses on time well spent." - Robert Cervero
"In the walkable city, people gather in a piazza, plaza, or square. In the automobile city, they're called...intersections." - Taras Grescoe
Motocracy (noun, plural -cies) “Government by the motorists; a form of self-governance in which authority/powers of agency is vested in individual motorists and exercised directly by them or by their co-drivers/riders in order to uphold law and liberty on the road.”
"This bill is one of the biggest assaults on the 1966 federal safety act that’s ever occurred." - Former NHTSA chief @JoanClaybrook on the AV bill.


For a technology without an obvious customer or regulator pull, robocars are seen as big business. Because of the lack of pull, this is not a sure thing, and indeed we may be seriously past 'peak car'. The temptation to Volkswagenize (cheat) may be irresistible to the motor industry / SV combo driving the robocar narrative. The cheat will be to control the environment to make it easier for robocars to operate. The controls on streets and pavements will make towns and cities much less friendly to humans. The controls will be sold as a 'moral imperative' to reduce deaths. Such claims lack any convincing evidence.

Robocars as autogamous technology

"Autogamous technology; self-pollinating and self-fertilizing, responding more and more to an inner logic of development than the needs and desires of the user community." Gene I. Rochlin
Robocars are mostly about money, not technology; keep the share price up in the face of Google and Tesla. "If the driverless economy is imminent, and the endgame is fleets of fully utilized robot vehicles that create radical reductions in personal vehicle ownership, why would a car company be complicit in undermining its own market? The answer is that it wouldn’t. No car company actually expects the futuristic, crash-free utopia of streets packed with Level 5 driverless vehicles to transpire anytime soon, nor for decades. But they do want to be taken seriously by Wall Street as well as stir up the imaginations of a public increasingly disinterested in driving. And in the meantime, they hope to sell lots of vehicles with the latest sophisticated driver-assistance technology."
Pew research has shown the lack of customer pull for robocars: "In the case of driverless vehicles, 75% of the public anticipates that this development will help the elderly and disabled live more independent lives. But a slightly larger share (81%) expects that many people who drive for a living will suffer job losses as a result. And although a plurality (39%) expects that the number of people killed or injured in traffic accidents will decrease if driverless vehicles become widespread, another 30% thinks that autonomous vehicles will make the roads less safe for humans...Nearly six-in-ten Americans say they would not want to ride in a driverless vehicle."
MIT research has found that people don't really want robocars: "The 2017 data suggest a proportional shift away from comfort with full automation. Across all age ranges, a lower proportion of respondents were interested in full automation when compared to 2016. This trend was particularly notable for younger adults aged 16-44. A higher proportion of respondents indicated comfort with systems that actively help the driver, without requiring the driver to relinquish control."

Follow the money

Big motor has its eyes on some high value income: "The worldwide auto industry took in $2.3 trillion in revenue in 2016, but revenues associated with mobility services—a term that covers everything from Uber to traditional taxis and buses—totaled $5.4 trillion."

GM has said the autonomous vehicle and mobility business could be a potential $7 trillion global market.
The "Passenger Economy" is likewise reported to be a $7 trillion market: "A recent study conducted by Strategy Analytics for Intel estimates that the "Passenger Economy" created by the advent of autonomous vehicles will swell from $800 billion in 2035 to a whopping $7 trillion by 2050, driven by services such as robo-taxis, automated delivery of everything from pizzas to prescription drugs, and captive marketing to idle car occupants."
There is a 'billion dollar war on maps' where the emphasis on robocars may be to our collective detriment.

Options for the way ahead

Consider two competing narratives for the future of urban mobility.
1. Networked urbanism (see) where cities are driven by big data analytics and networks controlled in part by machines. The 'smart city' as technological solutionism, with everything connected, automated, and lots of big data. You might expect the car makers to be happy with this as a future, but the bad news is, even here, car ownership and use may fall. Ouellette on the reinvention of urban space: "If, for example, your existing urban space reality is Rob Fordian—one where cars rule while pedestrians and cyclists serve—then that model is about to be turned on its head. Car culture as the macro force of cities is on the way out. Waiting in the wings are an ever-increasing number of smart, digital technologies working synergistically to make the auto-centric urban model obsolete." Networked urbanism can be dressed up as faster, smarter, greener, but it is still pushing the corporate panopticon into our streets and lives. Big business likes AVs but needs to make long-busted claims about V2V to assemble a case.
The life in such a world sounds like that of the 'insiders' in A Very Private Life by Michael Frayn. A life tended by the kindness of corporate automata.
2. On the smart citizen side of the street, there is walkable urbanism - the "Life Sized City". This is gaining in popularity round the world. Paris, for example, has its “journée sans voiture”. "The car-free day fits within a comprehensive strategy to improve mobility while reducing motorized traffic. Hidalgo and her predecessor, Bertrand Delanoe, have enacted bold policies to prioritize transit, bicycling, and walking on city streets, resulting in a 30 percent drop in traffic over 10 years." Change is coming to the streets of Motown - alternatives to cars are going to be right in the face of the good ol' boys, and Copenhagenize Design Co has designed the bike infra network for the City of Detroit. Cities are starting to end the dominance of the traditional car, and word of the success of Copenhagen and the Netherlands is spreading. Resources for walkable urbanism are being supplemented by resources for cyclable urbanism, e.g. Velotopia. The real disruption is the bicycle, not the robocar.
The benefits of urban bike infrastructure are being recognised for business here, for traffic flow here, and for health here and here. A summary of ten reasons for reducing car dependency is here. Progress down this route is non-linear: "Getting from 0 to 5% bike mode share is really hard. Getting from 5 to 15% is a piece of cake." - @copenhagenize. "There are 3 million pedelec bikes in use in Germany. 3.7% of population. Adoption about to enter hockey stick...3.3 million Ebike units will sell in 2023, Europe. (2 million in 2016, 100k in 2006).." Horace Dediu @asymco.
So far, progress has been largely out of the public eye; reaching 2 million EVs met with huge publicity, but 200 million eBikes in China alone is invisible. In India, "Today, India has over 25 million four-wheeled cars, jeeps and trucks registered to private owners, escalating by about 2 million new vehicles every year. The same data registry of 2013 by the Ministry of Road Transport also recorded more than 130 million two-wheelers plying on Indian roads. A staggering number by any measure, and greater than the number of four-wheelers by a factor of five."
Dockless bike hire has real potential, and big money behind it. "For all the talk of autonomous cars transforming cities it’s entirely possible that another high-tech form of transport – free-floating rental bicycles – could get there first. ... In China, a dockless bike-share boom is reducing car use in cities and even leading to forecasts that less fossil fuel will be burned in the future."
Walkable, cyclable urbanism might look unstoppable, but its threat to the motor industry and the big data corporates is likely to bring a response.

People are messy, and difficult for robocars to deal with

"The randomness of the environment such as children or wildlife cannot be dealt with by today’s technology" - Markus Rothoff, Director of Autonomous Driving, Volvo
Apart from Volvo's trouble with kangaroos, there are many aspects of robocar / people interaction that are difficult; see here. Robocars need to interact with, e.g., pedestrians. This is difficult, expensive, and culturally alien to the nerds building the cars (Cefkin at Nissan is a rare anthropologist in the business). In robocarland, nobody can hear you scream: It’s No Use Honking. The Robot at the Wheel Can’t Hear You. "If the cars drive in a way that’s really distinct from the way that every other motorist on the road is driving, there will be in the worst case accidents and in the best case frustration," he said. "What that’s going to lead to is a lower likelihood that the public is going to accept the technology."
The cheat is: Just get rid of the people around cars, so you don't need to solve these problems. 

The cheat is coming - they are after our infrastructure

"If you doubt self-driving cars are coming, you haven’t paid attention to the rate of human ingenuity and technological progress. Conversely, if you believe more than 1% of the statements coming out of Detroit, Germany, Japan and Silicon Valley about when they’re getting here, you’re as deluded as their investors. The question isn’t when, it’s how and where." Alex Roy
"There are fourteen major car companies in the world. No one believes they can all survive, and Morgan Stanley believes only five or six will. The big ones are hedged against any delay in the adoption of self-driving cars." Alex Roy

An example of the 'moral imperative' being used to destroy walkable urbanism (and much more) is here. The slippery slope starts with 'modest changes' of course. "In summary, safe autonomous cars will require modest infrastructure changes, designs that make them easily recognized and predictable, and that pedestrians and human drivers understand how computer driven cars behave." All for benefits that are vapourware.
There are reports of dedicated infrastructure already. "In the new report, the group says this transformation will occur in three stages. First, AVs will be allowed to share HOV lanes. The study’s authors say that this phase could be implemented today and note that California law already allows self-driving cars to use carpool lanes. Step two would involve creating a lane dedicated to AVs. Step three: converting all I-5 lanes to be used exclusively by self-driving cars."
The vision of a people-free dedicated robocar environment is being set out: "For example, when all riders are focused inward and the driving is handled by a sensor network, indicators like road signs, brake lights, and lane separators become unnecessary. If there are no human drivers, we won’t have a need for these visual guides... With awareness of approaching vehicles and traffic, intersection traffic lights become less necessary. Night sensor driving reduces the need for streetlights on highways. Road signs and lanes disappear, with roadway intelligence built into vehicles. Highway lanes expand and contract automatically for high-traffic times. Autonomous-only highways allow for much higher rates of speed.."
Completely unfounded expectations of AV performance and safety are being used to influence infrastructure. For example: "Currently the average safe driver leaves ‘one car length per 10 miles per hour’ between vehicles (at least they have been taught to do so) but the automated (and autonomous) systems can react much faster than humans and can therefore safely travel much closer together. As a larger and larger percentage of the vehicle fleet becomes capable of safe travel in less space, the real capacity of the roadway increases. As the demand for highway infrastructure is predicated on the safe traveling distance under human control and traffic and revenue predictions are based on these assumptions, highway capacity manual assumptions will be increasingly inadequate as autonomous features are introduced." This article combines unfounded claims with moral blackmail: "Every day that goes by without driverless cars, people die. The truth is that humans are bad drivers, and driverless cars are safer. To ensure that we reach mass adoption as soon as possible, we need to sort out these issues of trust." Since we don't have driverless cars yet (or even safety requirements for them), this claim is unfounded and is being used to sell big business and technology. Also, he hasn't got the Alex Roy message on 'trolley problem' nonsense, saying "In other words, manufacturers must choose whether to make morally utilitarian cars, or preferentially self-protective ones."

The pavements / sidewalks will not be free, either.

Do watch this video testimony about a delivery robot on a railway platform.
This Guardian article is good on delivery robots: “If there really were hundreds of little robots,” Ehrenfeucht said, “they would stop functioning as sidewalks and start functioning more as bike lanes. They would stop being spaces that are available for playing games or sitting down.” Ehrenfeucht pointed out that 130 years ago, streets were not yet divided into lanes for traffic, parked cars, pedestrians and bikes, and that the introduction of robots to the streetscape might require a reimagining of the available space, possibly with a designated lane for robots....Sidewalks are often a hotly disputed space, and conflicts are bound to arise as new uses are proposed. Many cities across the US have adopted sit/lie ordinances, which criminalize resting or sleeping on the sidewalk and are generally considered to be targeted specifically at homeless people. At the same time, urbanists have tried to promote new uses of sidewalk space with features like “parklets”. ..“We really see this as a privatization of the public right of way,” said Nicole Ferrara, executive director of pedestrian advocacy group Walk San Francisco, who wants to ban robots from the sidewalk. Ferrara argued that walking has social, health and economic benefits, while robots could pose a hazard to senior citizens and people with disabilities....“We’re not excited about the idea of engineering walking out of our lives,” she said. “People live in urban centers not because they want to sit at home in their house and have their toothbrush delivered to their door, but because they have a pharmacy around the corner that they can walk to.”
A welcome (and rare) sight was an article pointing out the risks of robocars: "there has been very little public discussion of whether self-driving vehicles will coexist or collide with long-standing principles of accountability, transparency, and consumer protection that collectively constitute the Personal Responsibility System."
Further reading on the moves underway to rid the streets of people are here and here. A tinfoil hat may be required, but the arguments are highly plausible.


Robocars are part of the tech utopia nobody wants, but there is money and momentum behind them. The solutionism is at work co-opting good causes to make robocars appear critical to their success.
If we want walkable urbanism (and we should), we will have to make a stand.

Monday, 18 September 2017

Safety requirements for Autonomous Vehicles

The voices advocating a transition to Self-Driving Vehicles / Autonomous Vehicles / robocars claim they will eliminate '1 million deaths per year'. I have been told there is a 'moral imperative' to use AI for driving because of this. However, as pointed out by @SafeSelfDrive on Twitter, robocars are not a response to user pull or a safety initiative. Robocars started at Google, and the motivation for the initiative is somewhat unclear in this interview with Chris Urmson. I am reliably informed that everyone else is just reacting to Google. All in all, there was not an obvious case for this massive investment, despite the crowd now shouting for ending 1 million deaths.

Nick Reed of TRL has an interesting piece on robocar safety, pointing out the difficulties of proof by testing. (Of course, testing is only part of a safety-critical system life cycle.) He tells us that in the UK there are 180 million miles between fatal accidents. Vehicles in the UK do about 324 billion miles a year (see here). People say they are unhappy with the current driving death toll, so what would be a better number? The EU has a strategic target of halving road fatalities, so let's use that, i.e. a fatality every 360 million miles. People distinguish voluntary risk (driving) from involuntary risk (being transported) by a factor of 1000, so the target for robocars is a fatality every 360 billion miles, i.e. a bit less than one a year in the UK. My uninformed guess is that this is the right order of magnitude.
A comparison with rail might help. People now travel about 40 billion miles by rail in the UK (a big increase over recent years). There has been 1 passenger fatality since 2006. Some crude arithmetic: 1 fatality per 10 years, and 40 billion miles p.a. gives us a fatality every 400 billion miles, which isn't so far off the robocar target.

In 2014, there were 315 fatalities on the rail network, 89% of which were suicides. It is important that the boundaries for robocar fatalities are set and monitored appropriately. John Adams has pointed out that, while car occupant fatalities have decreased, pedestrian and cyclist fatalities have increased.

Chris Urmson has this to say about safety criteria:
"But when we think about the rate at which bad things happen, they’re very low. So you know in America, somebody dies in a car accident about 1.15 times per 100 million miles. That’s like 10,000 years of an average person’s driving. So, let’s say the technology is pretty good but not that good. You know, someone dies once every 50 million miles. We’re going to have twice as many accidents and fatalities on the roads on average, but for any one individual they could go a lifetime, many lifetimes before they ever see that. So that experience with the technology and kind of becoming falsely comfortable with the safety of it is one of the challenges they face."
Talking about doubling the accident rate is rather different to the breathless hype from the million deaths a year crowd.
In a dazzling piece about driving in India, Alex Roy says:
"Because in the absence of a technical or regulatory definition of “safety”, manufacturers—who have invested billions in self-driving—will be forced to decide what level of self-driving is safe enough to bring to market, and market it.
The mobility industry and clickbait media supporting it are almost totally invested in the concept of the Zero Day, the day when self-driving cars reach a mystical tipping point and “take over the world,” which I also refer to as the Autonomotive Singularity. The truth is that their utopian, winner-takes-all narrative is no more than a velveteen vision of good intentions guided (and blinded) by ham-fisted profit"
The idea of manufacturers setting their own safety criteria based on marketing does not appeal to me one bit.

The right approach in the UK is, of course, an ALARP safety case with a good understanding of 'grossly disproportionate costs', supported by use of appropriate standards. A decent profile audit against Automotive SPiCE would help.

Tuesday, 6 June 2017

Urban mobility - harmonising platforms and infrastructure

“Y’know, watching government regulators trying to keep up with the world is my favorite sport.”
Neal Stephenson, Snow Crash, 1992.
Technology metals and new materials offer the promise of a 'Cambrian explosion' in forms of urban mobility. There are too many examples to list, but see the options at the end of this, or this. If we can co-develop infrastructure and mobility platforms in a functional way, then we may achieve remarkable levels of Quality In Use [1]. I have been unable to find any signs of work towards this aim, so this post has been written in haste as a call for someone to point me in the right direction. It must be happening, surely?
Decent bicycle infrastructure was achieved in Denmark and the Netherlands only with a struggle; still to happen in the UK by and large.  Innovative approaches to bicycle infrastructure seem the right place to start, e.g. by expanding this, this and this.
The UK history of regulating innovative platforms is pretty patchy e.g. this or this on Segways and hoverboards, and this or this on microcars. Ebikes and pedelecs already seem a bit of a regulatory mess e.g. see this, this, this or this. Note also that speed is an important determinant of Quality In Use, and current standards may not be right, as discussed by Copenhagenize here.
For Système Panhard vehicles and their 20th Century derivatives, the Silicon Valley obsession with technology may not be a cost-effective approach (there are folk who claim a moral imperative to use AI to reduce accident rates - such folk are dangerous). Simple speed limiters might be better (though less popular).
Much of the current regulation seems arbitrary and appears to be based on (unstated) assumptions that are (or will become) very questionable, and uses its own specialist language (invalid carriages, pedelecs etc.). It doesn't seem exoskeleton-ready. Modern platforms offer the potential to meet multiple regulatory categories at the press of a button or automatically. New types of platform need appropriate places in the infrastructure. At the time of writing, San Francisco is considering a ban on delivery robots on the pavement (sidewalk there). Functional regulation is required to spare us from inappropriate regulations such as the urban myth of London taxis needing a bale of hay in the boot for the horse. This project between MIT, the National University of Singapore, and the Singapore-MIT Alliance for Research and Technology (SMART) is worth a look. They converted a mobility scooter to operate autonomously. In two months.


Walkable urbanism


  • Accept that an integrated approach to platforms and infrastructure is the best route to safety, low cost access, and innovation. There is currently some very limited acceptance of multi-mode platforms for both invalid carriages and pedelecs/e-bikes, but way short of what is desirable. The potential for innovation may be best implemented with a major extension of multi-mode platforms operating according to the lane they are in.
  • Human Centred Design [2], prototyping inc. VR, AR, and consultation (Holmston Rd, Ayr I'm looking at you). Accept that designing for difficult use cases (disability, elderly etc.) benefits everyone else, and benefits difficult use cases by reducing costs. This code of practice may help (I have not examined it yet).
  • Regulatory capture [3] (e.g. Uber in London) to be treated with extreme prejudice. The public highway is to remain a public commons, and not to be privatised. Data and algorithms relating to the safe use of roads and pavements ditto.
  • Functional allocation of streets, and speed related lanes should lead to new opportunities for platforms with light regulation of design and operation for low speed platforms.
  • Accept that the US is an outlier in terms of urban design and public transport provision, and 'solutions' from the US should be treated with considerable caution, including their fascination with putting electric propulsion and advanced computing in 20th Century cars.
The approach to design implementation would seem to start with functional street categories, giving combinations of lanes. The potential use of new platforms needs to be aligned with an evolution of types of lane. A suggested arrangement is as follows:

Lane 1 - Pavement updated (UK pavement = US sidewalk); design speed 4 mph

Pedestrians, unpowered prams, buggies, trollies, carts, wheelchairs etc. Platforms up to two feet wide (legged, wheeled, hover - whatever) with a mode that limits speed (no licence, lights, horn etc. required, but enough visibility and audible warning of approach, minimal regulation and liability), inc. autonomous platforms with or without people. Platforms without people need to behave appropriately, e.g. for blind pedestrians. Platforms that can also operate in other lanes are fine here when in the Lane 1 mode.

Lane 2 - Cycle lane updated; design speed 10 mph

This is an average urban cycling speed and doesn't surprise other people. Having lanes 1 and 2 next to each other with just visible distinction seems to offer the most flexibility. Platforms with and without human assistance, with and without people. Platforms with no people will need some sort of official safety approval.

Lane 3 - Urban street updated; design speed 20 mph

If the functional design of the street has this as the upper speed limit, then lanes 1, 2, and 3 can be combined with no separation (cf. this), but platforms that travel at speeds higher than Lane 2 speed will need proper Type Approval, licensing etc. Lane 3-only platforms can be two people wide.

Lane 4 and above

Platforms capable of appropriate minimum speed, with suitable visibility, audible warning, protection.

Question - Folk must be working on harmonising platforms and infrastructure. Who is?


[1] Quality In Use is defined as: The degree to which a product or system can be used by specific users to meet their needs to achieve specific goals with effectiveness, efficiency, freedom from risk and satisfaction in specific contexts of use. ISO 25010 (2011)
[2] Principles of Human-Centred Design:
  • A clear and explicit understanding of users, tasks and environments
  • The involvement of users throughout design and development
  • Iteration
  • Designing for the user experience
  • User centred evaluation
  • Multi-disciplinary skills and perspectives
[3] "When you try to regulate markets the first thing to get bought and sold are the regulators" P.J. O'Rourke

Friday, 2 June 2017

Some reflections on 'Sully'

The movie 'Sully' received some criticism for taking artistic licence with the NTSB inquiry, and the NTSB complained about how they were portrayed. Additionally, some of the cockpit actions were criticised as incorrect - not according to procedure. This note rebuts such complaints and criticisms.
When I hear 'failed to follow procedures' this is the picture that comes to mind.

It is as important to examine appropriateness of the procedures as it is to examine the appropriateness of the crew behaviour.
There were no procedures for the situation they faced (See Airbus report here), so criticism of flap selection seems more than niggardly hindsight. This article has the following:
"The NTSB recommended changing the location of the rafts to ensure capacity for all passengers, since it's unlikely the rear rafts would be available. The FAA rejected that, saying that if Sullenberger had followed Airbus' directions on descent speeds for ditching, the rear rafts would have been usable. The NTSB said the ability of pilots to achieve those descent speeds has never been tested and can't be relied on. "
There are also questions as to the extent the investigation recommendations have been acted on.
As regards the NTSB moaning about being seen as adversarial, this from the scriptwriter has the ring of truth to it.
"The key was, I had to do three layers of research," he says. "One was everything about the NTSB investigation, two was Sully's book...but then really the third level was memorizing Sully and Sully's willingness to share the stuff that he had not shared before - what he went through that was behind the scenes, that was the wrenching and crushing investigation, the attempt, not out of ill will, but the honest attempt to try and find something that would affix blame. That's really what they were looking for. You know, you look at 99 percent of these cases, the investigation, it always says at end, 'pilot error.' That's the expectation even if someone is not going to speak that that's somewhere in the bloodstream of the investigation - pilot error. There was no pilot error to find. But it didn't keep them from looking."
Recall the press release for the incident report on Flight 447; it put 'human error' on the front pages of newspapers round the world (or at best 'pilot and technical error'). If you read this compelling analysis of the incident, a different picture emerges:
  • Two co-pilots flying rather than pilot/co-pilot, with #3 pilot as Flying Pilot.
  • The Air Data System froze (a known problem). Type Approval for Air Data Systems had not changed since the days of propeller aircraft flying at half the height and half the speed. This caused the Flight Computer to go into some sort of emergency mode.
  • None of this had been in the training and simulation for the pilots.
  • The Flying Pilot held the joystick right back; the other pilot would not have been aware of this, since the joysticks weren't coupled.
  • The hindsight interpretation of the stall warning appears to be controversial. It would appear that the manufacturer was keen to state that the situation facing the pilots was straightforward (i.e. human error): "The situation was not ambiguous and the stall was obvious." The BEA investigators did not think matters were so straightforward, see here and here. Not surprisingly, there were 66 pages of discussion at PPRuNe.
A remarkable incident of pilots vs. automation, where the pilots survived to tell their side of the story, can be found here.
To quote Sidney Dekker, 'Human error is a symptom of trouble deeper inside a system' - a consequence, not a cause, of accidents.

Tuesday, 14 February 2017

Getting started with a password manager and 2 Factor Authentication (2FA)

BLUF: A password manager offers some potentially useful/essential functionality. It is a technical tool, not a solution, and certainly not a panacea. It is impossible for the user to estimate the risks associated with its use, making comparisons with other approaches difficult. Yubikey U2F as an approach to 2FA has some way to go before it can be considered a usable tool for the individual. There are no particular grounds for believing the necessary progress will be made. More generally, will automation bring us usable security in the near future? Probably not; the forces against it are too big, and there is a pretty complete lack of good tools and guidance that start with the context of use.
I picked Dashlane. Why Dashlane? U2F with Yubikey got high praise from people I respect on security. Dashlane has an edge over its competition in this regard, and it has good reviews for being a usable password manager.
The first interaction with Dashlane is fraught with problems; it asks you to create a strong password. "WTF, I thought that was your job". It does NOT tell you that you are creating your Master Password (capital M capital P). Given that 'creating a strong password' is an extremely difficult thing (and the reason for buying a password manager), and this is the one password to rule them all, there needs to be considerable user support here.
As reported here "It's worth noting, however, that just like any software, password managers are vulnerable to security breaches. In 2011, LastPass experienced a security breach, but users with strong master passwords were not affected."

"The automation's fine when it works" Margareta Lützhöft.
After trying some unimportant passwords, I tried to use Password Changer; it turns out this is a utility that only works with some websites and none of the ones I had tried. For password managers (and 2FA) to work effectively, there needs to be some standardisation in the infrastructure, which is unlikely to happen quickly. To a novice user, "credentials not supported" is a meaningless message.
Once you have passwords generated by Dashlane, there is a sense of complete dependency on the machine. Quite a wrench. The other scary thing is the loss of physical security at the computer; get distracted and the kids are into Amazon, the flatmates are watching your pr0n etc. On a Windows machine, there is no visible status indication of whether Dashlane is active or not. There are settings to simplify logging out, and to adjust the inactivity time before it switches off, but there are contexts of use where it may still be a risk. Logging out regularly and logging in with secure passwords is a feature of working on secure networks, but is probably not a habit most folk have.
There are some quirks. On a finance website where I had what I thought was a strong password, this seemed to confuse Dashlane, and it didn't add the password. On a shopping site with a weak password, I went to the 'change password' dialogue on the site. Dashlane didn't offer me the option for it to create a strong password. There is no generic function to generate a strong password on request.
When putting in a wrong password that a site rejects; Dashlane offers to save it. On subsequently entering the right password, Dashlane doesn't re-offer. It does, of course, provide distracting alerts just at a time of anxiety and uncertainty.
Dashlane auto-fill opts to 'stay signed in' on say Ebay, which I don't want.
I went to change my Google password; successfully (I think) got Dashlane to enter a strong password. Dashlane then offered 'replace' and 'save as new' as options, with the latter as default. I took the default option, which was wrong. Why might I want 2 Google passwords for the same account?
Sometimes Dashlane would appear at a PayPal checkout, and sometimes not. Workarounds when it doesn't are a) log in to PayPal separately or b) use the Dashlane control panel to save the password.
There have been some anomalies that might be me or Dashlane.
Dashlane runs in the background when not logged in (using 224MB) and offers to save passwords entered manually. I don't see any risk from this, but I'm not an expert.
Finance sites with customer numbers and arrangements where you enter specified parts of the password seem to defeat Dashlane, not surprisingly.
The assessment of password strength by Dashlane is a black box to the user. My suspicion is that it is aimed at brute force attacks. Changes to a password that don't add much entropy can make a big difference in estimated strength, speaking as a complete beginner.
The Dashlane website offers: " Get security alerts sent straight to your device when any of your accounts may be compromised. Update your old password & stop hackers in their tracks." I don't know where they are going to get their data from, but I am not optimistic. It sounds like an invitation to sue them when they miss one.
As regards backups, Dashlane offer this "If you disabled Sync in Dashlane and would like to back up your data – to be sure not to lose anything in case your computer stops working – , we recommend using the Dashlane secure archive format. When using this format, all your Dashlane data are saved into one simple archive file protected by your master password. Keep this file in a safe place (on a USB key or on an external hard drive) and make regular backups. Note that you will have to use Dashlane again to import and restore your data from this file. Keep in mind that Dashlane will always remain free to use, so it should not be a problem!"  It is possible to avoid complete machine dependency by exporting and/or printing the passwords and other data stored in Dashlane. Dashlane offer this advice: "Excel and CSV exports are unsecured and that it is not a safe way to keep a back-up of your data. We strongly recommend that you delete these exports as soon as you are done with them....If you prefer to print it to keep a hard copy of your data, you can also export it in Excel or CSV format. Remember to keep this in a safe place!"
Starting to use a password manager after some years of internet use does not produce instant security, but it does provide the means for making steady improvement.

Yubico don't do usability. This Amazon review captures the heart of the matter quite well. This getting started article illustrates the required level of geekiness.
My hopes for Dashlane with Yubikey were dashed.
The video here and accompanying text make it all look so easy and effective. Alas, Dashlane was not telling me very much of the truth - the video is a lie, basically. If Dashlane and Yubikey want my trust, then they need to become trustworthy. To get started with Yubikey as 2FA for Dashlane, you first install an app such as Authy on your phone (this requires SMS 2FA) and then show the Dashlane QR code to the phone and enter the resulting code. All do-able given time, but I had to ask Dashlane support several times to have this explained as it is not on the website. The loss of trust was considerable. The expansion in security related infrastructure was unwelcome and cannot be good. No explanation or rationale was offered.  This page assumes that Yubikey is being added to a 2FA app - weird.
Before you start, you need to decide whether to use 2FA only when using your Dashlane account on a new device, or every time you log in. If you change your mind, you have to go through the exercise again. The logic for 2FA on a new device is presumably to counter the risk of someone gaining your Master Password and logging in from somewhere else. The logic for using it every time you log in is less clear. Dashlane say "Use 2-Factor Authentication for maximum protection. 2-Factor authentication is the ultimate security mechanism as it requires you to validate, or authenticate, your identity on a 2nd device before being granted account access." I am not sure in what contexts that matters. I had expected to use it for every password use, to remove the problem of password theft. Not an option as things stand. The pervasive lack of risk-driven information on computer security includes that supplied by Dashlane. Doesn't the computer security community understand how to use risks? Apparently not.
I hadn't expected Yubikey to be a replacement for the little keypads supplied by banks, and sure enough it isn't. I see HSBC is now offering the nightmare of speaker recognition as an option. The reviews of Authy on Play Store were sad to read; lots of folk wanting it to use fingerprints.

In summary, U2F looks like a busted flush and will join PGP as a niche interest. Shame, it could have been a contender. Password managers seem unavoidable as a partial solution, and can be an aid to containing the risks of computer security. Their vulnerability to keylogging is bound to make keylogging a bigger threat; I don't know what we do then to stay one step ahead. For many contexts of use, countering the increased physical risks needs more support than Dashlane provides.
For sites offering Yubikey as a form of 2FA (Google, Facebook), I have not been prompted by Dashlane to add 2FA. I haven't investigated using Yubikey separately from Dashlane as yet. I find it hard to do the risk assessment if I now have an 'unhackable' password.

Update: Dashlane now using 36% CPU of an i5 laptop and no longer working on Firefox.

Passwords and usable security

Some notes on my exploration of password usability, password managers and Two Factor Authentication (2FA).
It appears we have a problem.
"Passwords are the most prevalent form of authentication in the digital age, and are the first line of defense against unauthorized access in most systems. Even if you are using some other form of authentication for a particular service, there’s still a password in the chain somewhere — it all comes back to relying on something somewhere being password-protected. But after 50 years of computing evolution, 123456 and password still top the list of most frequently used passwords. More than a billion passwords have been compromised in 2016, and we’ve seen breaches from companies such as Adobe, Twitter, Forbes, LinkedIn, Yahoo, LivingSocial, and Ashley Madison over the past years. Clearly, we have a systemic problem with password authentication – and it’s not going away any time soon."
We could just give up: 123456 is still the world's most popular password.
We could: Follow the money - Ross Anderson:
"Systems are often insecure because the people who guard them, or who could fix them, have insufficient incentives. Bank customers suffer when poorly-designed bank systems make fraud and phishing easier. Casino websites suffer when infected PCs run DDoS attacks on them. Insecurity is often what economists call an 'externality' – a side-effect, like environmental pollution"
We should start with Bruce Schneier. Why are we trying to fix the user instead of solving the underlying security problem? "We must stop trying to fix the user to achieve security. We'll never get there, and research toward those goals just obscures the real problems. Usable security does not mean "getting people to do what we want." It means creating security that works, given (or despite) what people do." John Podesta could not have used 'password' for his Google email account because Google won't let folk do it.

The threats

What are the threats to passwords? UK government guidance has the following:
Approaches to discovering passwords include:
  • social engineering eg phishing; coercion
  • manual password guessing, perhaps using personal information ‘cribs’ such as name, date of birth, or pet names
  • intercepting a password as it is transmitted over a network
  • ‘shoulder surfing’, observing someone typing in their password at their desk
  • installing a keylogger to intercept passwords when they are entered into a device
  • searching an enterprise’s IT infrastructure for electronically stored password information
  • brute-force attacks; the automated guessing of large numbers of passwords until the correct one is found
  • finding passwords which have been stored insecurely, such as handwritten on paper and hidden close to a device
  • compromising databases containing large numbers of user passwords, then using this information to attack other systems where users have re-used these passwords.
It has been pointed out that this does not include "data breaches. No matter how good a password if the attackers bypass it by stealing personal data from poorly-protected databases the technology becomes powerless. It is ridiculous that passwords and credit card numbers are encrypted but people's personal data usually isn't. Passwords are only one part of the issue."
Good real-world advice on threats for ordinary folk is to be found here:
There are a few ways your account passwords can be compromised.

  • Someone's out to get you. There are many people who might want to take a peek into your personal life. If these people know you well, they might be able to guess your e-mail password and use password recovery options to access your other accounts.
  • You become the victim of a brute-force attack. Whether a hacker attempts to access a group of user accounts or just yours, brute-force attacks are the go-to strategy for cracking passwords. These attacks work by systematically checking all possible passphrases until the correct one is found. If the hacker already has an idea of the guidelines used to create the password, this process becomes easier to execute.
  • There's a data breach. Every few months it seems another huge company reports a hacking resulting in millions of people's account information being compromised. And with the recent Heartbleed bug, many popular websites were affected directly.
The risks to the user clearly depend on the context of use. This does not seem to be considered in the literature. Possible use cases could include:
  • A US Secretary of State who steps out of the SCIF to use her personal Blackberry.
  • A bitcoin miner whose mobile phone account is hijacked to exploit SMS 2FA.
  • A Cambridge Professor of Security Engineering who refuses to use online banking with good reason:
"...if you fall victim to an online fraud the chances are you will never see your money of the banks’ most extraordinary feats of recent years has been their ability to shift liability away from themselves and on to the customer – aided by a Financial Ombudsman Service (FOS) that they claim rarely challenges the banks following a fraud."
  • A journalist talking to dissidents in a dangerous country.
  • Grandma logging into Facebook while staying with her daughter.
  • Grandma wanting to put her online affairs in order for her estate.
  • A student wanting to prevent his flatmates using his pr0n account when he is out.
  • A businessman going to the toilet while doing online business with the free wi-fi in a coffee shop.
  • A Civil Servant wanting to do home banking while at the office.
  • An agency ICU nurse called in at short notice needing to look up patient records.
  • A homeless person using a mobile phone to claim benefits and pay bills.
  • Someone on a list entering the USA and being asked to provide their passwords.
The threat is clearly feasible. How I became a password cracker shows this.
"At the beginning of a sunny Monday morning earlier this month, I had never cracked a password. By the end of the day, I had cracked 8,000. Even though I knew password cracking was easy, I didn't know it was ridiculously easy—well, ridiculously easy once I overcame the urge to bash my laptop with a sledgehammer and finally figured out what I was doing."
For cracking experts, it is frighteningly easy:
The ease these three crackers had converting hashes into their underlying plaintext contrasts sharply with the assurances many websites issue when their password databases are breached. ...The prowess of these three crackers also underscores the need for end users to come up with better password hygiene. Many Fortune 500 companies tightly control the types of passwords employees are allowed to use to access e-mail and company networks, and they go a long way to dampen crackers' success.

"On the corporate side, it's so different," radix said. "When I'm doing a password audit for a firm to make sure password policies are properly enforced, it's madness. You could go three days finding absolutely nothing."... As Ars explained recently, the problem with password strength meters found on many websites is they use the total number of combinations required in a brute-force crack to gauge a password's strength. What the meters fail to account for is that the patterns people employ to make their passwords memorable frequently lead to passcodes that are highly susceptible to much more efficient types of attacks.

"You can see here that we have cracked 82 percent [of the passwords] in one hour," Steube said. "That means we have 13,000 humans who did not choose a good password." When academics and some websites gauge susceptibility to cracking, "they always assume the best possible passwords, when it's exactly the opposite. They choose the worst."
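The Ars passage just quoted, and the earlier remark in the Dashlane notes that small changes which add little entropy can shift the estimated strength a long way, come down to the same thing: a meter that counts brute-force combinations measures the wrong attacker. Below is an added example, not Dashlane's or any real meter's code, contrasting that naive measure (log2 of charset size raised to the password length) with an estimate that models a wordlist-plus-mangling-rules attacker of the kind the article describes. The ten-word list is a constructed stand-in for real multi-million-entry wordlists, and the guess rate used for time-to-crack is an assumed figure, not a measurement.

```python
import math
import re
import string

# Constructed ten-word stand-in for the multi-million-entry wordlists crackers use.
COMMON_WORDS = {
    "password", "welcome", "dragon", "monkey", "letmein",
    "football", "sunshine", "princess", "qwerty", "iloveyou",
}
# Leet substitutions a rule set would try: 'P@ssw0rd' is one rule away from 'password'.
LEET_CHARS = "0134571@$!"
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})
# word-ish core, then up to four appended digits, then an optional symbol
STRUCTURE = re.compile(r"([A-Za-z0-9@$!]+?)(\d{0,4})([^A-Za-z0-9]?)")


def naive_bits(pw: str) -> float:
    """What a typical strength meter reports: log2(charset_size ** length),
    i.e. the cost of an exhaustive search over every string of that shape."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)
    return len(pw) * math.log2(size) if size else 0.0


def pattern_bits(pw: str) -> float:
    """Cost for an attacker who tries wordlist entries under mangling rules:
    capitalise first letter, leet substitutions, append digits, append a
    symbol. Passwords that fit no recognised pattern fall back to naive_bits."""
    m = STRUCTURE.fullmatch(pw)
    if not m:
        return naive_bits(pw)
    core, digits, symbol = m.groups()
    if core.translate(LEET).lower() not in COMMON_WORDS:
        return naive_bits(pw)
    guesses = len(COMMON_WORDS)                          # which word
    if core[0].isupper():
        guesses *= 2                                     # capitalise rule on/off
    guesses *= 2 ** sum(c in LEET_CHARS for c in core)   # each substitution on/off
    if digits:
        guesses *= 10 ** len(digits)                     # append d, dd, ddd, dddd
    if symbol:
        guesses *= len(string.punctuation)               # append one symbol
    return math.log2(guesses)


def seconds_to_crack(bits: float, guesses_per_second: float = 1e10) -> float:
    """Worst-case time at an assumed offline guess rate. 1e10/s is a
    constructed round figure for a fast unsalted hash on GPUs, not a measurement;
    a slow, salted password hash would cut it by orders of magnitude."""
    return 2 ** bits / guesses_per_second


def assess(pw: str) -> dict:
    """Both estimates side by side, so the gap between them is visible."""
    naive, pattern = naive_bits(pw), pattern_bits(pw)
    return {"naive_bits": round(naive, 1), "pattern_bits": round(pattern, 1),
            "naive_seconds": seconds_to_crack(naive),
            "pattern_seconds": seconds_to_crack(pattern)}


if __name__ == "__main__":
    # 'password' -> 'Password1!' gains ~28 naive bits but only ~9 pattern bits;
    # the random string scores the same under both because no rule reaches it.
    for pw in ("password", "Password1!", "P@ssw0rd1!", "xk7Qp2Lm9vRz"):
        print(f"{pw:14} {assess(pw)}")
```

The fallback to the naive figure for unrecognised strings is deliberate: it keeps the pattern-aware number an upper bound on what the modelled attacker needs, so a low score is always bad news, while a high score only says this particular rule set does not reach the password.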

The state of guidance

I looked around for guidance that ordinary non-geeky folk might find and use. The state of guidance is Hmmm. A critical issue is lecturing folk about 'strong passwords'. Given the material above, what would a strong password look like? Some serious explaining is required. From my beginner situation, this and this from Good Housekeeping aren't great, and neither is this from Saga.
This looks good from CNET - but would folk find it?
This from Money Saving Expert has some interesting points, but it is hard for the lay person to evaluate the differences from other experts. The material from GetSafeOnline makes some assumptions about strong passwords, but has good points. This from the BBC has advice from Angela Sasse but is likely to be filed under "too difficult". All in all, the CNET advice looks good to me, but there is a real paucity of well-informed actionable advice (apart from what folk might find by Bruce Schneier).
I leave the last words to Eleanor Saitta @Dymaxion "... Increasingly believe teaching security tools without a comprehensive systems literacy foundation is harm reduction at best, maybe harmful".

Update: Good material from Google here