Cyberweekly #116 - Are we paving the path our users desire?

Published on Sunday, August 23, 2020

AI, Blockchain, Quantum Computing. These are technologies that are "set to revolutionise the world", and yet, half the time I don't feel like the world is very revolutionary.

I spend a lot of time looking at future-looking technology and trying to work out how it can apply, or should apply, in our working lives. How can we take advantage of it and, just as importantly, how do we avoid getting caught up in hype for exciting technology and missing fundamental but boring technology changes? But the most important part of this is looking at what social impact this technology has for us, and trying to determine if it makes a difference.

William Gibson once said that "The future is here - it's just not evenly distributed", and our advances into the future of technology do feel like that on a regular basis. I can pay for almost anything with my watch, hop in a car that can park itself, work 8 hours from home with a webcam and microphone, and ask an AI system to write me SQL queries, and yet many problems still seem to be the same today as they were 10 years ago.

My old manager at a previous job always used to tell me that "It's never a technology problem, it's always a people problem you've got to solve". It didn't matter how technical the ask was of the development team, behind that request was always a people and process problem. People love to see new technology as solving what they perceive to be the problems in their lives. But most of the problems in our life come out of far more fundamental problems in how we engage with other people, how we coordinate work and how we trust or don't trust them.

I see this manifest in the way that many security people struggle to understand why their users don't take their advice. In their heads, their security advice is good advice, but the users are not to be trusted and just fail to follow the advice. When security issues inevitably happen, the takeaway that these professionals have is "if only they had listened to me and followed my process". For some reason, we have a blind spot about how well people can follow our processes. We tend to think that if someone isn't following the path that we laid down, then that's because we haven't forced them hard enough to follow our path.

Desire Path Closed - A photo of a worn path over grass, with a sign saying sidewalk closed on it

The path that people want to follow is a clear indication of how they actually move around. In user experience and interface design, we tend to call these "desire paths", and they come from the study of physical architecture. People tend to want to go from A to B in the most obvious route possible. You can put fences and bushes and things in the way, but all that does is irritate the pedestrians, and they tend to forge their own paths instead. It's better to identify where people are going to go, and make that safe and paved instead of laying out what we think is the correct path.

I've seen the same behaviour from security people as I've seen from project managers in the past. The exclamations of "The project would have been successful if only we'd gotten the requirements right", or "The predictions should have been correct, but our staff lie about how productive they are" and so on.

As technologists and security specialists, we need to understand that our processes and tools fail when they meet users, not because we didn't nail down the processes and people well enough, but because we need to have a better understanding that underneath it all, there's a set of individuals, people, who have needs and desires. We need to acknowledge those, build our tools and processes around improving the experience of people where they are, and make sure that we are paving the paths that users want to follow, not where we think they should go.

    Blockchain, the amazing solution for almost nothing - The Correspondent

    Meanwhile, Bloomberg estimates the worldwide blockchain industry at around $700m (over €600m). Large companies like IBM, Microsoft and Accenture have entire divisions dedicated to this revolutionary technology. In the Netherlands there are all sorts of subsidies available for blockchain innovation. 

    The only thing is that there’s a huge gap between promise and reality. It seems that blockchain sounds best in a PowerPoint slide. Most blockchain projects don’t make it past a press release, an inventory by Bloomberg showed. The Honduran land registry was going to use blockchain. That plan has been shelved. The Nasdaq was also going to do something with blockchain. Not happening. The Dutch Central Bank then? Nope. Out of over 86,000 blockchain projects that had been launched, 92% had been abandoned by the end of 2017, according to consultancy firm Deloitte.


    So what about that pioneering town of Zuidhorn, wasn’t blockchain successful there?

    Well, not quite. I had a look at GitHub – a site where programmers post their software – and there was very little resembling blockchain under the hood of the children’s aid package app. At any rate, there was one lonely miner working away, on a server, not connected to the internet, for internal research. But what those families living in poverty and shopkeepers were using was a very simple app, using very simple code, running on very simple databases.

    I called Maarten Velthuijs.

    Hey, I noticed that your app doesn’t actually need blockchain at all.

    Velthuijs: “That’s right.”

    But isn’t it strange that you won all those awards, even though you aren’t actually using the blockchain?

    Him: “Yes, it’s weird.”

    So how is it possible?

    Him: “I don’t know. We keep trying to tell people, but it doesn’t seem to stick. You’re calling me about it again now … ”

    A useful reminder that blockchain serves only one purpose: to hype and sell an otherwise boring technology project and look good in presentations.

    Coca-Cola Using Hyperledger and Ethereum - Crypto Rand Group

    Coca-Cola is no longer in its infancy in the field of blockchain technology, for example, in 2019, some of its bottlers in North America started production of a privately owned blockchain – based on Hyperledger Fabric.

    The objective of the project was to “streamline” the exchanges between the franchised bottling companies in the supply chain. The implementation was carried out by the technology partner of twelve of Coca-Cola’s leading bottlers, CONA Services.


    As project partner Unibright points out, the goal is to establish a “Coca-Cola Bottling Harbor” or trusted network for Coca-Cola bottling suppliers. And this time it will bring together internal and external players.

    “This not only streamlines the ability of internal bottlers and suppliers to supply products to the bottling network but also external suppliers (e.g. raw material vendors who supply cans and bottles) can benefit from an integrated, private and distributed network,” says the company.

    This is an interesting use of blockchain, to essentially perform business process automation, ensuring that the supply chain is providing digital records for what bottles are produced where and improving the bill of materials. I don't see any part of this where blockchain, Hyperledger or Ethereum are necessary to the solution, but it's an interesting one to watch anyway.

    How NAT traversal works · Tailscale Blog

    We covered a lot of ground in our post about How Tailscale Works. However, we glossed over how we can get through NATs (Network Address Translators) and connect your devices directly to each other, no matter what’s standing between them. Let’s talk about that now!

    I'm a networking nerd, and I did NAT traversal when I was programming computer games back in the day (it was a massive problem for peer-to-peer computer games played over the internet). But knowing how this works is important for detecting weird behaviour on your network and knowing why packets are doing what they do. This is a great writeup of some particularly arcane bits of networking that's readable and easy to understand.

    degoogle | A huge list of alternatives to Google products. Privacy tips, tricks, and links.

    It’s a shame that Google, with their immense resources, power, and influence, don’t see the benefits of helping people secure themselves online. Instead, they force people like us to scour the web for alternatives and convince our friends and family to do the same, while they sell off our data to the highest bidder.

    Hopefully this guide can serve as a starting point for those new to privacy, or be a good refresher for the experts.

    This is a very thorough list of alternatives to Google products, normally where the alternative is aimed at providing privacy as a primary concern (as compared to, say, competing with Google on mining your data).

    AWS Announces General Availability of Amazon Braket | Amazon.com, Inc. - Press Room

    Today, Amazon Web Services, Inc. (AWS), an Amazon.com company (NASDAQ: AMZN), announced the general availability of Amazon Braket, a fully managed AWS service that provides a development environment to help customers explore and design quantum algorithms. Customers can use Amazon Braket to test and troubleshoot quantum algorithms on simulated quantum computers running on computing resources in AWS to help them verify their implementation. When ready, customers can use Amazon Braket to run their quantum algorithms on their choice of quantum processors based on different technologies, including systems from D-Wave, IonQ, and Rigetti. Both simulated and quantum hardware jobs are managed through a unified development experience, and customers pay only for the compute resources used.

    AWS Braket should allow teams to explore and experiment with Quantum computing without having to go through the effort of buying or building a quantum computer themselves. While not actually revolutionary (you've been able to use IBM's Q Experience platform for simulated and real Quantum compute for a while, and Google provides some emulators in their Quantum playground), it does open it up to a much wider audience.

    Of course, for most users, there isn't a great need for a Quantum computer. You'd need to have just the right kinds of mathematical problems to solve, as Quantum computing isn't ready for general purpose computing yet.

    But this brings hybrid computing much closer to reality, allowing normal general purpose systems to make calls to Quantum computers to process hard problems at the backend.

    Tempering Expectations for GPT-3 and OpenAI’s API | Max Woolf's Blog

    GPT-3 has two notable improvements from GPT-2 aside from its size: it allows generation of text twice the length of GPT-2 (about 10 paragraphs of English text total), and the prompts to the model better steer the generation of the text toward the desired domain (due to few-shot learning). For example, if you prompt the model with an example of React code, and then tell it to generate more React code, you’ll get much better results than if you gave it the simple prompt.

    Therefore, there are two high-level use cases for GPT-2: the creative use case for fun text generation at high temperature, as GPT-2 once was, and the functional use case, for specific NLP-based use cases such as webpage mockups, with a temperature of 0.0.

    GPT-3 was trained on a massive amount of text from all over the internet as of October 2019 (e.g. it does not know about COVID-19), and therefore it has likely seen every type of text possible, from code, to movie scripts, to tweets. A common misconception among viewers of GPT-3 demos is that the model is trained on a new dataset; that’s not currently the case, it’s just that good at extrapolation.

    The excitement about how good GPT-3 is is interesting, especially given OpenAI's desire to build and deploy AI-as-a-service, meaning you won't need to build your own model. But because everyone shares the same model, it means that you may well find that others can get the same outputs as you fairly easily.

    This covers a large number of the potential pitfalls, including the ethical concerns about the model including various biases, without coming across as naysaying or overly down on the whole thing.

    How GPT3 Works - Visualizations and Animations – Jay Alammar – Visualizing machine learning one concept at a time.

    The tech world is abuzz with GPT3 hype. Massive language models (like GPT3) are starting to surprise us with their abilities. While not yet completely reliable for most businesses to put in front of their customers, these models are showing sparks of cleverness that are sure to accelerate the march of automation and the possibilities of intelligent computer systems. Let’s remove the aura of mystery around GPT3 and learn how it’s trained and how it works.

    This is a good peek under the hood of GPT-3, explaining roughly how it and GPT-2 work.

    GPT-3, Bloviator: OpenAI’s language generator has no idea what it’s talking about | MIT Technology Review

    All GPT-3 really has is a tunnel-vision understanding of how words relate to one another; it does not, from all those words, ever infer anything about the blooming, buzzing world. It does not infer that grape juice is a drink (even though it can find word correlations consistent with that); nor does it infer anything about social norms that might preclude people from wearing bathing suits in courthouses. It learns correlations between words, and nothing more. The empiricist’s dream is to acquire a rich understanding of the world from sensory data, but GPT-3 never does that, even with half a terabyte of input data.

    As we were putting together this essay, our colleague Summers-Stay, who is good with metaphors, wrote to one of us, saying this: "GPT is odd because it doesn’t 'care' about getting the right answer to a question you put to it. It’s more like an improv actor who is totally dedicated to their craft, never breaks character, and has never left home but only read about the world in books. Like such an actor, when it doesn’t know something, it will just fake it. You wouldn’t trust an improv actor playing a doctor to give you medical advice."

    If you haven't seen what GPT-3 from OpenAI is capable of, you should check out the examples site. Some of these applications are mind-blowing: the ability for GPT-3 to build SQL queries from English statements, create dialog trees, and create stories from some initial prompts.

    However, as this article points out, while it feels like magic, GPT-3 doesn't necessarily have a good grip on the real semantics of the world and the words we use. It can construct amazingly lifelike sentences, but doesn't really understand what it is saying.