Thursday, June 27, 2013

The strange case of Barrett Brown

This article about journalist Barrett Brown is currently trending on Hacker News.

Following the trail of links in the comments, I came across the following page from Project-PM on Google cache.

Endgame Systems

From Project PM
Endgame Systems (founded 2008) has been of interest to this investigation due to the firm's close association with corrupt HBGary CEO Aaron Barr, their stated intent to avoid public attention towards its work with the federal government, its longtime collaboration with Palantir employee Matthew Steckman (whom Palantir fired in the wake of the Team Themis affair, quite improbably claiming that Steckman had acted on his own), and its creation of a report on Wikileaks and Anonymous which was provided to Team Themis for use in its campaign against both entities. In July of 2011, an investigation by Business Week revealed the probable reasons for the firm's secrecy:
People who have seen the company pitch its technology—and who asked not to be named because the presentations were private—say Endgame executives will bring up maps of airports, parliament buildings, and corporate offices. The executives then create a list of the computers running inside the facilities, including what software the computers run, and a menu of attacks that could work against those particular systems. Endgame weaponry comes customized by region—the Middle East, Russia, Latin America, and China—with manuals, testing software, and “demo instructions.” There are even target packs for democratic countries in Europe and other U.S. allies. Maui (product names tend toward alluring warm-weather locales) is a package of 25 zero-day exploits that runs clients $2.5 million a year. The Cayman botnet-analytics package gets you access to a database of Internet addresses, organization names, and worm types for hundreds of millions of infected computers, and costs $1.5 million. A government or other entity could launch sophisticated attacks against just about any adversary anywhere in the world for a grand total of $6 million...
Endgame’s price list may be the most important document in the collection. If the company were offering those products only to American military and intelligence agencies, such a list would be classified and would never have shown up in the HBGary e-mails, according to security experts. The fact that a nonclassified list exists at all—as well as an Endgame statement in the uncovered e-mails that it will not provide vulnerability maps of the U.S.—suggests that the company is pitching governments or other entities outside the U.S. Endgame declined to discuss the specifics of any part of the e-mails, including who its clients might be. Richard A. Clarke, former Assistant Secretary of State and special adviser to President George W. Bush on network security, calls the price list “disturbing” and says Endgame would be “insane” to sell to enemies of the U.S.

Endgame bills itself thusly:
Endgame Systems provides innovative software solutions to meet customers security needs in cyberspace. Our products include real-time IP reputation data, protection of customers' critical information, proactive data analysis, and cutting edge vulnerability research. Endgame's highly skilled workforce provides a full range of engineering services and solutions that raise awareness of emerging threats, and help prevent and respond to those threats globally. The company was founded by a proven leadership team with a record of success in the information security industry and is headquartered in Atlanta, GA.
Endgame's clients have included a number of U.S. intelligence agencies including the NSA. The firm has a subsidiary called ipTrust. Beyond a presence at Shmoocon 2012, little has been heard from the company publicly since they deleted their website in summer 2011 following the release of this text and presumably after inquiries by Business Week on the subject of their offensive capabilities and price list.
Compare to Team Cymru.



Endgame is intent on remaining under the radar and otherwise seeks to avoid public attention, as shown by the e-mail excerpts below:
Aaron Barr to Brian Masterson of Xetron: "But they are awfully cagey about their data. They keep telling me that if their name gets out in the press they are done. Why?"
CEO Chris Rouland to employee John Farrell: "Please let HBgary know we don't ever want to see our name in a press release."
John Farrell to Aaron Barr: "Chris wanted me to pass this along. We've been very careful NOT to have public face on our company. Please ensure Palantir and your other partners understand we're purposefully trying to maintain a very low profile. Chris is very cautious based on feedback we've received from our government clients. If you want to reconsider working with us based on this, we fully understand."
Aaron Barr to John Farrell: "I will make sure your [sic] a 'silent' partner and will ensure we are careful about such sensitivities going forward."

Company Aspects

Note: The following was written before Business Week's July article, which provides additional context and is linked and excerpted above.
Although little info has been obtained regarding the specifics of Endgame's operations, e-mails taken from the small firm Unveillance indicate similarities in at least one capacity to another firm called LookingGlass. In one e-mail, the CEO of Unveillance is told, "One thing I could have said is that your data is the main feeder for LookingGlass and Endgame." Earlier in the same exchange, more clues appear when the following statement by a "friend/contractor in the pentagon [sic]" is presented: "They [Unveillance] were discussed yesterday at a meeting about the CSFI project on Syria. Frankly, I wasn’t all that blown away. Not sure what makes them better than LookingGlass or Endgame."
Other clues are available in the same e-mail set, there being discussion of a potential purchase by Endgame of a troubled firm called Defintel, from which the CEO of Unveillance proposes to "'cherry pick' the talent" in order "to run the sinkhole/data creation component of our firm."
From another e-mail exchange:
14 Apr 2011 16:53:54 -0400
From: Wayne Teeple 

Hi again Karim,

I was able to meet with Keith today, not much to say other than business as
usual. He was very reserved, but open enough, but not enough if you know what I
mean. He did confirm that Chris Davis has sold himself to Endgame along with his
datafeed, and that Morrigan Research Inc is dissolved - see attached. Hence, I
believe he sold his "IP" directly as an individual because Morrigan is
dissolved as opposed to shares acquired by Endgame.

Keith had nothing real to contribute other than he is staying out of everything and
just focusing on Defintel biz, he did state that he does not require the
datafeed at all to execute the Nemesis cloud service, and that he has a
"non-compete" with you, Endgame, and Morrigan. Also, he is in touch with
Davis, and I get the impression that Davis may recommend Endgame acquiring
Defintel for Nemesis code - although that could be Davis blowing smoke up
Keith's you know what!! Keith did state that he is light on technical support.

Finally, we both agreed that Ginley is a lone wolf and a gun for hire by anyone.

All and all, I am very concerned about presenting this solution any further to
my clients, nor did I get a complete warm and fuzzy that he was completely on
the up and up.

Keith above refers to Defintel CEO Keith Murphy.
Compare the above statements on Morrigan and DefIntel to this tweet from Chris Davis.

Brian Masterson of Xetron worked with Endgame for quite a while and made a number of references to the firm to Barr:
"They told me that they did 10M last year. Said they were working for NSA, Navy, and USAF. Also mentioned another customer who we do work with. While I was at their place getting briefed by Chris, Gen. Petraeus' exec called three times to set a follow-up meeting."
"EndGame did offer up a cut of their US data."
"Doing the botnet is not that difficult but doing it to the degree that EndGame says that they have is what is impressive."
Barr himself had long sought to include Endgame in his proposed "consortium" of firms, which itself would provide intelligence capabilities to clients (and which eventually came about in the person of Team Themis, made up of HBGary, Palantir and Berico, with Endgame having provided the team an unusually accurate report on Wikileaks and Anonymous). E-mail excerpts from Barr:
"I know we are going to talk to some senior folks in Maryland in a few weeks and would very much like to take a combined Endgame/Palantir/HBGary product."
"I think I had mentioned the idea of a cyber consortium to you when we had lunch. That idea is coming together. We will start with cyber intelligence then when we have the capabilities fused build in the hooks for cybersecurity. Need the information before you can act.
here are the companies on board and their area of expertise.
Application - HBGary
Host - Splunk
Network - Netwitness
External - EndGame Systems
Social/Link - Palantir"
John Farrell of Endgame Systems to Aaron Barr, 2/8/10:
"for now, let's focus on:
1. OSI RFP response - dan ingevaldson and I will work with you on this
2. EGS/Palantir integration - we talked to Matt Steckman last week and we're looking into next steps on this
3. customer briefings and new business opportunities like ARSTRAT, etc."

A June 2010 e-mail sent from Ted Vera to fellow HBGary employees after a phone meeting with Endgame provides additional data:
I tried to keep notes during the call -- my chicken scratch follows: EndGames is tracking 60-65 botnets at this time. They have a ton of Conficker data, they're plugged in and pull millions of related IPs daily. Their data is generally described in their tech docs. They are pulling in data from IDS sensors, rolling in geolocation information, and anonymous proxies / surfing next Quarter. EndGames does not do any active scanning -- all passive. They intercept botnet messages and collect / log to their database. The "SPAM" category is a generic filter that indicates the IP has been used to pass SPAM. Higher chance for false positives with SPAM filter. They try to correlate SPAM activities to known botnets, if they cannot correlate, then the event gets a generic SPAM label. Confidence %: Documented in technical docs. Primarily time-based. Looking at the overall length of infection for a given IP. Looking at half-life / decay of infections on specific IPs. The algorithm is currently very simple and time is the highest weighted factor, although the nature of the event is also weighted, ie conficker has higher weight than SPAM event. Plan to start discriminating between end-user nodes with dynamic IPs vs Enterprise / static IPs. Static IPs would decay slower than dynamic. EndGames gets malware data from various sources and REs it to pull out C2 and other traits that can be used for signature / correlation. They have Sinkholes for Conficker A and B which collect IPs of infected hosts. Cannot provide samples because they do not collect samples from specific IPs. They are ID'ing based on their observations of IPs, taking advantage of their hooks into various botnets. That said, they could probably get us some samples and or manual tests for Conficker A and B which we could use to verify / eliminate false positives or negatives.


April 5, 2010 - John Farrell tells Aaron Barr he will no longer be accessible @ Endgame
October 2010 - Raised 29 million USD from Bessemer Ventures, Columbia Capital, Kleiner Perkins Caufield & Byers (KPCB), and TechOperators, for web-based malware detection services: ipTrust.
October 28, 2010 - Endgame announces the launch of ipTrust, "the industry’s first cloud-based botnet and malware detection service ... that collects and distills security data into a reputation engine."
February 2011 - Endgame announces partnerships with HP and IBM to use their IP Reputation Intelligence service within HP’s TippingPoint Digital Vaccine service and IBM’s managed services offerings.
June 2011 - Endgame begins trying to purge its presence from the Web, taking its site offline and deleting Linkedin profiles.


Christopher J. Rouland
Mr. Christopher Rouland, CEO and Co-Founder of Endgame Systems has over 20 years of experience in the field of information security. Mr. Rouland previously held the position of CTO and Distinguished Engineer of IBM Internet Security Systems after IBM purchased Internet Security Systems, Inc. in 2006. Prior to the IBM acquisition of ISS, Chris held the position of CTO of ISS where he was responsible for the overall technical direction of the ISS product and services portfolio. Prior to his executive roles at IBM and ISS, Chris was the original Director of the famed X-Force vulnerability research team which was responsible for the discovery of hundreds of security vulnerabilities.
Daniel Ingevaldson
Mr. Daniel Ingevaldson, SVP of Product Management and Co-Founder of Endgame Systems was previously the Director of Technology Strategy with IBM Internet Security Systems. Prior to the acquisition of ISS by IBM in 2006, Mr. Ingevaldson held various positions within the ISS Professional Services organization where he led the X-Force Penetration Testing consulting practice, and as Director of X-Force R&D where he helped expand the research capacity of the X-Force zero-day vulnerability identification and disclosure program.
Raymond Gazaway
Mr. Raymond Gazaway, Senior Vice President and Co-Founder of Endgame Systems was previously the Vice President of Worldwide Professional Security Services with IBM Internet Security Systems. Ray joins Endgame Systems with over 30 years of government and commercial services experience and executive management positions with IBM, Internet Security Systems and Dun and Bradstreet.
David Miles
Mr. David Miles, Vice President of Research & Development and Co-Founder of Endgame Systems, brings nearly 10 years of experience in information security and was previously the Director of R&D within ISS Professional Security Services managing strategic security research engagements, designing and delivering custom cyber security products and solutions, as well as assisting in emergency response services and forensic investigations. Prior to that, in X-Force, he designed and implemented processes and procedures for delivery of hundreds of security content updates for the entire ISS product portfolio.
Mark Snell
Mr. Mark Snell, Chief Financial Officer of Endgame Systems, oversees all aspects of Finance and Administration including financial planning, reporting and analysis, investor relations, human resources, information technology and office management. Prior to Endgame Systems, he was Corporate Controller at Suniva, a solar cell manufacturer based in Atlanta, Georgia. At Suniva, he helped to develop the financial infrastructure and systems to manage a business that would quickly become recognized as one of the fastest growing private companies in the Southeast. Earlier in his career, Mark served as Corporate Controller of Servigistics, a software developer in the service lifecycle space and in various positions of financial management for IBM and Internet Security Systems. Mark holds an MBA from Georgia State University and a Bachelor of Arts from the University of Virginia. Mark is a Certified Public Accountant in the State of Georgia.
Rick Wescott
Rick Wescott, Senior Vice President of Worldwide Sales and Marketing, brings over 20 years of technology sales and management experience to Endgame Systems. Before joining Endgame Systems, Rick served as Vice President & General Manager of Federal Operations for ArcSight (acquired by HP for $1.5 billion in late 2010), which he joined pre-revenue in 2002 and was instrumental in identifying and closing key foundational sales. Rick helped to manage and grow the company's revenues to $170 million and saw the company through its Initial Public Offering (IPO) in 2008 and $1.5 billion acquisition by HP in 2010. Prior to his tenure with ArcSight, Rick led sales efforts at several leading industry firms including VeriSign, Entrust, Sybase and IBM.
David Gerulski
David Gerulski, Vice President, Commercial Sales & Marketing at Endgame Systems

Board Members and Advisors

Thomas Noonan - Chairman
Tom Noonan is the former chairman, president and chief executive officer of Internet Security Systems, Inc., which was recently acquired by IBM for $1.3B, at which time Noonan became GM of IBM Internet Security Systems. Noonan is responsible for the strategic direction, growth and integration of ISS products, services and research into IBM's overall security offering. Tom Noonan and Chris Klaus launched ISS in 1994 to commercialize and develop a premier network security management company. Under Noonan's leadership, ISS revenue soared from startup in 1994 to nearly $300 million dollars in its first decade. The company has grown to more than 1,200 employees today, with operations in more than 26 countries (got this from the PDF in the zip)
New Hires
Senior Software Engineer: Matt Culbreth (came from Yield Idea, President)
Agency Director: Pete Hraba (came from ArcSight, Account Manager)
Executive Assistant: Zodie Spain (came from Helios Partners, Executive Assistant/Office Manager) (deleted)


  • Kleiner Perkins Caufield & Byers LLC
  • Bessemer Ventures
  • Columbia Capital
  • TechOperators

Contact Info

Corporate Headquarters
817 West Peachtree Street
Suite 770
Atlanta, GA 30308
t. 404.941.3900
f. 404.941.3901

451 Group Report on Endgame & ipTrust

Josh Corman
November 3, 2010
You can take a person out of X-Force, but you can't take X-Force out of the person. A group of former ISS X-Force veterans at Endgame Systems has been very busy doing security research of consequence for the federal space since 2008. Via a new division called ipTrust, it plans to take some of its botnet and IP reputation capabilities to drive value into the commercial space. Similar to Umbra Data, ipTrust is delivering this value with a 'zero touch' modality – requiring no on-premises or capex appliance. However, rather than licensing an intelligence feed like Umbra Data, ipTrust has opted to share its research via an API, which may make it more accessible for new use cases. As we were writing up this report, news broke that parent company Endgame Systems closed a series A round of $29m. With no appliances or heavy back-end capex requirements, this stands out as an oddly large round, and has, therefore, piqued our curiosity.
As we recently noted with Umbra Data, there is high concern over botnets, but the demand for solutions is greater than the appetites for buying a dedicated appliance to augment the blind spots in traditional AV and other legacy tools. Well beyond script kiddies, attacks like Stuxnet, Zeus, BredoLab and Vecebot have people concerned – and those are all publicly known ones. Adaptive persistent adversaries employ a number of techniques to avoid detection by mainstream adopted countermeasures. Several CISOs have told us they want the capabilities of anti-botnet and command-and-control identification to be delivered via their existing security investments or in other opex-consumption models. Perhaps both Umbra Data and ipTrust are hearing the same. By delivering intelligence via an API, ipTrust may find itself called out to by all sorts of Web applications to inform how trustworthy an endpoint is and adjust the interactions accordingly. We see this as an interesting delivery model, and are encouraged by the embrace of modern Web-scale technologies. Given that, the large series A funding is a bit odd. We will have to watch carefully how that is leveraged – with our first thought being: Which acquisition target would fit within that budget?


IpTrust is a new division of Atlanta-based Endgame Systems. While the 32-person Endgame Systems was more focused on federal and cyber security clientele, ipTrust aims to leverage its experience, research and platforms for commercial consumption. Endgame Systems was founded in 2008 by several Internet Security Systems (ISS) X-Force Alumni with the research chops to tackle emerging threats. Cofounders include former ISS CTO Christopher Rouland as CEO, Daniel Ingevaldson as COO, Raymond Gazaway as SVP, and David Miles as VP of engineering. Former ISS CEO Tom Noonan serves as chairman. Coinciding with the reveal of ipTrust, Endgame Systems just closed a series A round for $29m, involving Bessemer Venture Partners, Columbia Capital, Kleiner Perkins Caufield & Byers, and Noonan's own TechOperators. The round adds two new board seats for Bessemer Venture's David Cowan and Columbia Capital's Arun Gupta.


IpTrust is a new commercial division of Endgame Systems; it leverages a lot of the back-end technology and methods that have fueled Endgame's federal offerings since 2008. The enabling technology has three basic pieces: a collection method for identifying botnet-compromised end nodes, a scoring system to generate a confidence rating for the implicated IP address and the exposition of the results of the analysis to clients via an API.
Since the bulk of botnets use DNS to find their command and control servers, ipTrust's primary collection method for identifying compromised systems is to preregister or work with registrars to create sinkholes to redirect network traffic. From the vantage point of its many sinkholes, ipTrust can find new infected systems 'phoning home' for the first time or other reasons. The sinkholes tracked by ipTrust are a combination of its own and those from third parties. It is important to note that not all botnets communicate through DNS command and controls. Some use peer-to-peer, some use covert channels and some have one or more alternative command-and-control channels in case some are blocked or detected. We fear that this sinkhole method may miss existing infected systems that phoned home initially, but are participating on more dynamically assigned servers. While this is true, ipTrust pointed out that many samples are pretty chatty and do end up talking back to default phone-home targets in the current samples. Beyond the sinkhole method of harvesting compromised IPs, ipTrust studies the malware and spam data for clues, as well as employing honeypots and honeynets. Although attribution is nearly impossible, ipTrust also captures Geolocation information as well as proxy and satellite link details when available.
IpTrust claims its collection methods net massive amounts of data – so it needed modern, cloud-based Web-scale technologies to analyze it all. Some of the vital stats it claimed included scoring 255 million IP addresses for risk. The company claims to have 75TB of stored security events – adding more than 1TB of malicious events per week. To scale all of this data, it leverages (and contributes to) Hypertable, an open source clone (GPLv2) implementation of Google's BigTable leveraging the Hadoop Distributed File System (HDFS). Through high-performance map reduction in the colocation hosted infrastructure, ipTrust is able to apply its reputation engine's scoring algorithms in a continuous fashion. A floating-point integer confidence rating is assigned per IP, along with myriad other data, such as domain, company, country code, and security events involving known botnets and variants. Given the fleeting and transient nature of the Internet, this confidence score continually degrades unless preservation is merited by the analysis. As such, consumers of the IP reputation score can make graduated nonbinary decisions on how to contextually handle trust associated with that IP.
Finally, the reputation confidence score can be exposed via an XML-RPC/REST-based API. IpTrust touts a sub 100ms response time and more than 3,000 queries per second. Supported output formats include XML, JSON and CSV. As an API, developers of applications could make Web 'look-aside' calls to determine how risky a transaction may be with a specific endpoint and either terminate or place limits on the interaction. For example, a questionable reputation may lead a banking application to deny funds – or perhaps to cap the maximum transaction amount via some predetermined policy.


IpTrust offers three levels of product: ipTrust Web, ipTrust Web Premium and ipTrust Professional. IpTrust Web Premium is not yet released. IpTrust Web is a free service, capped at up to 1024 IP addresses for 24/7 monitoring. When available, ipTrust Web Premium will allow for unlimited IPs and will tentatively be priced by IP per month, we're told.
IpTrust Professional allows full access to the reputation engine via the aforementioned API, with bulk IP submission for current and historical scoring as well as the supported output formats. At the moment, the API currently shares the compromised IP, but not the details about the command-and-control channel. IpTrust claims it is planning to add more actionable information in the future, such as port information and user-agent strings in HTML, which may assist other security tools in spotting or stopping command and control. Pricing for ipTrust Professional has plans starting at $1,000 per year – or less than $0.01 per query. IpTrust claims it is already working with a hosting provider and a financial services firm – with betas getting underway in healthcare, large enterprise, managed security services providers (MSSPs) and early stage security OEMs.


IpTrust plans to go to market with a mix of direct sales and a series of strategic partners. Primary targets to consume its ipTrust intelligence include hosting providers, MSSPs, VARs, and specific technology partnerships. The 451 Group has covered such power alliances, with Fidelis Security Systems XPS leveraging Cyveillance intelligence feeds.
As an API, ipTrust may also be able to tap into systems integrators and application-development communities. Within the context of a specific application, contextual risk decisions can be made in the natural flow of the transaction. This may be of value to SaaS and PaaS players trying to differentiate themselves.


IpTrust may not be apples-to-apples competition with anyone; it will likely compete for limited budget within a few pockets. Most users seeking anti-botnet capabilities are currently looking at Atlanta-based Damballa or FireEye. FireEye uses virtualization to spot new unknown malware with botnet participation. Umbra Data is fresh out of stealth, offering an XML intelligence feed alternative to appliance purchases. Service providers, MSSPs, and security OEMs may choose more than one intelligence feed or API.
Traditional antivirus players continue to leverage their incumbency (and sometimes stall with it), so people may simply deal with Symantec, McAfee (soon to be a division of Intel), Trend Micro, Sophos, Kaspersky Lab and others. Commtouch touts being well plugged-in to the internet backbones to give its Web and mail security offerings visibility into botnets and compromised systems. Most Web and mail security gateways, like Cisco (both ScanSafe and IronPort), M86 Security, Websense, Blue Coat Systems, Barracuda Networks (and Purewire), Zscaler's hosted Web proxy, etc., leverage one or more reputation and open source intelligence feeds to operate. This fact makes them both more likely to take limited wallet share, but also more likely to benefit from ipTrust's APIs. The same could be true for enriching the value of other security appliances and products. The classic example we shared was with data loss prevention. We see sensitive content leaving the network – should we block it? Imagine now adding knowledge about whether the source or destination is a known compromised system.

SWOT analysis

Strengths: The former ISS/X-Force heavy hitters are no strangers to advanced threats, and have been cutting their teeth with federal clients since 2008. It is also aggressively embracing disruptive, cloud-scale IT innovations – while many others have been resistant.
Weaknesses: While there is value in anti-botnet and IP reputation, the spending climate is unfriendly to noncheckbox-compliance products and services. We're also surprised by the size of the recent series A round without a stated use for it.
Opportunities: In addition to ipTrust's stated strategy, we believe the API could find ESIM uptake. It would take effort, but it could gain traction with SIs, and SaaS and PaaS players.
Threats: The market may perceive that it is already receiving similar capabilities from incumbents. Customers may also simply resist adding new vendor relationships to manage.
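
An added example, not code from Project PM, the 451 Group or Endgame: a time-decayed, event-weighted IP confidence score of the kind the Ted Vera e-mail and the 451 Group report both describe, with the graduated (non-binary) decision a consuming application can make from it. The weights, half-lives, thresholds, the noisy-OR combination and every function name are assumptions; the sample events are constructed and use documentation addresses.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed numbers: the page only says Conficker outweighs generic SPAM
# and that static IPs should decay more slowly than dynamic ones.
EVENT_WEIGHT = {"conficker": 0.9, "spam": 0.4}
HALF_LIFE_DAYS = {"dynamic": 3.0, "static": 14.0}

# Assumed policy thresholds for the consuming application.
DENY_AT = 0.7
CAP_AT = 0.3


@dataclass(frozen=True)
class Event:
    ip: str
    kind: str          # "conficker" or "spam"
    seen: datetime     # when a sinkhole or filter observed the IP


def event_confidence(ev, now, host_class):
    """Confidence contributed by one observation, halved every half-life."""
    age_days = max((now - ev.seen).total_seconds(), 0.0) / 86400.0
    weight = EVENT_WEIGHT.get(ev.kind, 0.0)  # unknown kinds contribute nothing
    return weight * 0.5 ** (age_days / HALF_LIFE_DAYS[host_class])


def ip_confidence(events, ip, now, host_class):
    """Combine all observations for one IP as independent evidence
    (noisy-OR, an assumption): 1 - product(1 - c_i)."""
    remaining = 1.0
    for ev in events:
        if ev.ip == ip:
            remaining *= 1.0 - event_confidence(ev, now, host_class)
    return 1.0 - remaining


def decide(confidence, amount, cap=500.0):
    """Graduated decision: deny, cap the transaction amount, or allow."""
    if confidence >= DENY_AT:
        return ("deny", 0.0)
    if confidence >= CAP_AT:
        return ("cap", min(amount, cap))
    return ("allow", amount)


# Constructed sample data (RFC 5737 documentation addresses).
NOW = datetime(2010, 6, 15, tzinfo=timezone.utc)
THREE_DAYS_AGO = NOW - timedelta(days=3)
SAMPLE_EVENTS = [
    Event("192.0.2.10", "conficker", THREE_DAYS_AGO),
    Event("198.51.100.7", "spam", THREE_DAYS_AGO),
    Event("203.0.113.5", "conficker", THREE_DAYS_AGO),
    Event("203.0.113.5", "spam", THREE_DAYS_AGO),
]

if __name__ == "__main__":
    for ip, host_class in [
        ("192.0.2.10", "dynamic"),
        ("192.0.2.10", "static"),
        ("198.51.100.7", "dynamic"),
        ("203.0.113.5", "dynamic"),
    ]:
        c = ip_confidence(SAMPLE_EVENTS, ip, NOW, host_class)
        print(f"{ip:14} {host_class:8} {c:.3f} {decide(c, 2000.0)}")
```

The same three-day-old Conficker observation yields a capped transaction when the address is treated as dynamic and a denial when it is treated as static, which is why misclassifying the host type changes the false-positive rate.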

Thursday, May 9, 2013

Why Anti-Authoritarians are Diagnosed as Mentally Ill

This is a repost of a fantastic article I found somehow.
In my career as a psychologist, I have talked with hundreds of people previously diagnosed by other professionals with oppositional defiant disorder, attention deficit hyperactive disorder, anxiety disorder and other psychiatric illnesses, and I am struck by (1) how many of those diagnosed are essentially anti-authoritarians, and (2) how those professionals who have diagnosed them are not.
Anti-authoritarians question whether an authority is a legitimate one before taking that authority seriously. Evaluating the legitimacy of authorities includes assessing whether or not authorities actually know what they are talking about, are honest, and care about those people who are respecting their authority. And when anti-authoritarians assess an authority to be illegitimate, they challenge and resist that authority—sometimes aggressively and sometimes passive-aggressively, sometimes wisely and sometimes not.
Some activists lament how few anti-authoritarians there appear to be in the United States. One reason could be that many natural anti-authoritarians are now psychopathologized and medicated before they achieve political consciousness of society’s most oppressive authorities.
Why Mental Health Professionals Diagnose Anti-Authoritarians with Mental Illness
Gaining acceptance into graduate school or medical school and achieving a PhD or MD and becoming a psychologist or psychiatrist means jumping through many hoops, all of which require much behavioral and attentional compliance to authorities, even to those authorities that one lacks respect for. The selection and socialization of mental health professionals tends to breed out many anti-authoritarians. Having steered the higher-education terrain for a decade of my life, I know that degrees and credentials are primarily badges of compliance. Those with extended schooling have lived for many years in a world where one routinely conforms to the demands of authorities. Thus for many MDs and PhDs, people different from them who reject this attentional and behavioral compliance appear to be from another world—a diagnosable one.
I have found that most psychologists, psychiatrists, and other mental health professionals are not only extraordinarily compliant with authorities but also unaware of the magnitude of their obedience. And it also has become clear to me that the anti-authoritarianism of their patients creates enormous anxiety for these professionals, and their anxiety fuels diagnoses and treatments.
In graduate school, I discovered that all it took to be labeled as having “issues with authority” was to not kiss up to a director of clinical training whose personality was a combination of Donald Trump, Newt Gingrich, and Howard Cosell. When I was told by some faculty that I had “issues with authority,” I had mixed feelings about being so labeled. On the one hand, I found it quite amusing, because among the working-class kids whom I had grown up with, I was considered relatively compliant with authorities. After all, I had done my homework, studied, and received good grades. However, while my new “issues with authority” label made me grin because I was now being seen as a “bad boy,” it also very much concerned me about just what kind of a profession that I had entered. Specifically, if somebody such as myself was being labeled with “issues with authority,” what were they calling the kids I grew up with who paid attention to many things that they cared about but didn’t care enough about school to comply there? Well, the answer soon became clear.
Mental Illness Diagnoses for Anti-Authoritarians
A 2009 Psychiatric Times article titled “ADHD & ODD: Confronting the Challenges of Disruptive Behavior” reports that “disruptive disorders,” which include attention deficit hyperactivity disorder (ADHD) and oppositional defiant disorder (ODD), are the most common mental health problem of children and teenagers. ADHD is defined by poor attention and distractibility, poor self-control and impulsivity, and hyperactivity. ODD is defined as “a pattern of negativistic, hostile, and defiant behavior without the more serious violations of the basic rights of others that are seen in conduct disorder”; and ODD symptoms include “often actively defies or refuses to comply with adult requests or rules” and “often argues with adults.”
Psychologist Russell Barkley, one of mainstream mental health’s leading authorities on ADHD, says that those afflicted with ADHD have deficits in what he calls “rule-governed behavior,” as they are less responsive to rules of established authorities and less sensitive to positive or negative consequences. ODD young people, according to mainstream mental health authorities, also have these so-called deficits in rule-governed behavior, and so it is extremely common for young people to have a “dual diagnosis” of ADHD and ODD.
Do we really want to diagnose and medicate everyone with “deficits in rule-governed behavior”?
Albert Einstein, as a youth, would have likely received an ADHD diagnosis, and maybe an ODD one as well. Albert didn’t pay attention to his teachers, failed his college entrance examinations twice, and had difficulty holding jobs. However, Einstein biographer Ronald Clark (Einstein: The Life and Times) asserts that Albert’s problems did not stem from attention deficits but rather from his hatred of authoritarian, Prussian discipline in his schools. Einstein said, “The teachers in the elementary school appeared to me like sergeants and in the Gymnasium the teachers were like lieutenants.” At age 13, Einstein read Kant’s difficult Critique of Pure Reason—because Albert was interested in it. Clark also tells us Einstein refused to prepare himself for his college admissions as a rebellion against his father’s “unbearable” path of a “practical profession.” After he did enter college, one professor told Einstein, “You have one fault; one can’t tell you anything.” The very characteristics of Einstein that upset authorities so much were exactly the ones that allowed him to excel.
By today’s standards, Saul Alinsky, the legendary organizer and author of Reveille for Radicals and Rules for Radicals, would have certainly been diagnosed with one or more disruptive disorders. Recalling his childhood, Alinsky said, “I never thought of walking on the grass until I saw a sign saying ‘Keep off the grass.’ Then I would stomp all over it.” Alinsky also recalls a time when he was ten or eleven and his rabbi was tutoring him in Hebrew:
One particular day I read three pages in a row without any errors in pronunciation, and suddenly a penny fell onto the Bible . . . Then the next day the rabbi turned up and he told me to start reading. And I wouldn’t; I just sat there in silence, refusing to read. He asked me why I was so quiet, and I said, “This time it’s a nickel or nothing.” He threw back his arm and slammed me across the room.
Many people with severe anxiety and/or depression are also anti-authoritarians. Often a major pain of their lives that fuels their anxiety and/or depression is fear that their contempt for illegitimate authorities will cause them to be financially and socially marginalized; but they fear that compliance with such illegitimate authorities will cause them existential death.
I have also spent a great deal of time with people who had at one time in their lives had thoughts and behavior that were so bizarre that they were extremely frightening for their families and even themselves; they were diagnosed with schizophrenia and other psychoses, but have fully recovered and have been, for many years, leading productive lives. Among this population, I have not met one person whom I would not consider a major anti-authoritarian. Once recovered, they have learned to channel their anti-authoritarianism into more constructive political ends, including reforming mental health treatment.
Many anti-authoritarians who earlier in their lives were diagnosed with mental illness tell me that once they were labeled with a psychiatric diagnosis, they got caught in a dilemma. Authoritarians, by definition, demand unquestioning obedience, and so any resistance to their diagnosis and treatment created enormous anxiety for authoritarian mental health professionals; and professionals, feeling out of control, labeled them “noncompliant with treatment,” increased the severity of their diagnosis, and jacked up their medications. This was enraging for these anti-authoritarians, sometimes so much so that they reacted in ways that made them appear even more frightening to their families.
There are anti-authoritarians who use psychiatric drugs to help them function, but they often reject psychiatric authorities’ explanations for why they have difficulty functioning. So, for example, they may take Adderall (an amphetamine prescribed for ADHD), but they know that their attentional problem is not a result of a biochemical brain imbalance but rather caused by a boring job. And similarly, many anti-authoritarians in highly stressful environments will occasionally take prescribed benzodiazepines such as Xanax even though they believe it would be safer to occasionally use marijuana but can’t because of drug testing on their job.
It has been my experience that many anti-authoritarians labeled with psychiatric diagnoses usually don’t reject all authorities, simply those they’ve assessed to be illegitimate ones, which just happens to be a great deal of society’s authorities.
Maintaining the Societal Status Quo
Americans have been increasingly socialized to equate inattention, anger, anxiety, and immobilizing despair with a medical condition, and to seek medical treatment rather than political remedies. What better way to maintain the status quo than to view inattention, anger, anxiety, and depression as biochemical problems of those who are mentally ill rather than normal reactions to an increasingly authoritarian society.
The reality is that depression is highly associated with societal and financial pains. One is much more likely to be depressed if one is unemployed, underemployed, on public assistance, or in debt (for documentation, see “400% Rise in Anti-Depressant Pill Use”). And ADHD labeled kids do pay attention when they are getting paid, or when an activity is novel, interests them, or is chosen by them (documented in my book Commonsense Rebellion).
In an earlier dark age, authoritarian monarchies partnered with authoritarian religious institutions. When the world exited from this dark age and entered the Enlightenment, there was a burst of energy. Much of this revitalization had to do with risking skepticism about authoritarian and corrupt institutions and regaining confidence in one’s own mind. We are now in another dark age, only the institutions have changed. Americans desperately need anti-authoritarians to question, challenge, and resist new illegitimate authorities and regain confidence in their own common sense.
In every generation there will be authoritarians and anti-authoritarians. While it is unusual in American history for anti-authoritarians to take the kind of effective action that inspires others to successfully revolt, every once in a while a Tom Paine, Crazy Horse, or Malcolm X comes along. So authoritarians financially marginalize those who buck the system, they criminalize anti-authoritarianism, they psychopathologize anti-authoritarians, and they market drugs for their “cure.”

Saturday, December 8, 2012

The Official Solomon Says blog

Announcing the official blog for Solomon Says.

I am no hotshot blogger, but I understand when Robert Scoble complains about noise. We follow blogs for some particular topics, and if the author starts spamming us with a whole bunch of other stuff, it becomes outright annoying. Over the last few months, I have devoted all of my time and energy to building Solomon Says into a useful website, and consequently my blogging has also taken on the form of a journal of my efforts. This was not a conscious decision, but I write what I am thinking about, and what I was thinking about was the site.

On the other hand, I felt compelled to share with my readers what I was planning with Solomon Says and the reasons for doing what I was doing. Since this blog was the only web destination I had at that time, this is where all the posts came. But some of you may be reading for entirely different reasons and do not care about what changes I am making to the homepage. Others may only be interested in the progress of Solomon Says.

To avoid alienating both sets of readers, I decided to separate the two data streams. Starting today, I am moving all blogging related to Solomon Says over to its own home, which will be the hub for all news, discussions, and brainstorming.

Go check it out, and subscribe if you would like to stay abreast of what's happening in the world of online reviews.

Friday, November 23, 2012

Always keep a backup. Of everything.

Let me tell you a story of failures and backups and pain.

So last night I finished a bunch of changes to Solomon Says. After the regular load of testing (that lasts 15 minutes and includes opening a bunch of pages on Firefox and Chrome), I uploaded the changes and tried to bring the server back up. Everything exploded in my face at about the same time. The only reason we are still in business is that I had backups. In decreasing order of importance, the following backups saved the day:
  1. Database
  2. Code/Configurations
  3. Images
So pretty much everything :)

At this point, a note on the deployment process is in order. Here’s how it goes:
  1. Stop python fcgi process and nginx service.
  2. Delete the production code.
  3. Run the DB migration script.
  4. Upload the entire code from my laptop to the production location.
  5. Start python and nginx
#2, #3, and #4 didn’t go too well.

#2 – My dev. environment is Windows, but production is on Linux. So there’s a bunch of stuff related to path handling (‘/’ vs ‘\’ etc.) that I change just for development. This is automatically handled in production by using a different configuration file. Alas, I ran the delete for #2 from one level higher in the directory structure. Boom goes the config. And on bringing the server up, I got a load of ‘access permission denied’ errors. I spent a half hour analyzing the arcane debug messages, then gave up and restored the entire code base file by file and change by change.

#3 – I missed selecting a couple of ‘where’ conditions when running the migration script. Result – 2 of the main tables got randomly changed. Considering how crappy the day had been so far, I realized it only on restarting the server. So I brought the server down again, restored the DB to its previous avatar from the backup, and ran the migration with extra precaution.

#4 – My development copy did not have quite a few of the images related to the newer reviews I had posted. And since I had deleted the production data in #2, the server started throwing ‘Suspicious Operation’ exceptions (What the hell is that? It should have said ‘File not found’ or something). In view of the blunders I had made for #2 and #3, I assumed a mistake in the new configuration I had created and spent another hour debugging, then gave up and copied over the image folders from the backup to production.
All told, something that should have taken 15 minutes took 4 hours.
Lesson learnt. Always keep a backup. Of everything.
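The guard and pre-deploy backup that steps #2 and #4 above were missing, sketched as a shell script. This is an added example, not the deployment script from this post; the `.deploy-root` marker file, the `code/` and `media/` layout and the function names are assumptions, and the database dump is left out because the post does not name the database.

```shell
#!/bin/sh
# Added example. Assumed layout (hypothetical):
#   APP_ROOT/.deploy-root   marker file created once, by hand
#   APP_ROOT/code/          application code, replaced on every release
#   APP_ROOT/media/         uploaded images, never touched by a release
#   APP_ROOT/<config>       production-only configuration

# Refuse to act on a directory that is not clearly the application root.
# This is the check that stops a delete run one level too high.
guard_app_root() {
    root=$1
    case $root in
        /*) ;;                                    # absolute paths only
        *)  echo "refusing: not absolute: $root" >&2; return 1 ;;
    esac
    [ -d "$root" ] || { echo "refusing: no such dir: $root" >&2; return 1; }
    # Resolve symlinks and ".." so /srv/app/.. cannot pass as /srv/app.
    real=$(cd "$root" && pwd -P) || return 1
    [ "$real" != "/" ] || { echo "refusing: filesystem root" >&2; return 1; }
    [ -f "$real/.deploy-root" ] || {
        echo "refusing: $real has no .deploy-root marker" >&2; return 1; }
    printf '%s\n' "$real"
}

# Archive code, config and images before anything is removed, then check
# that the archive can be read back. Prints the archive path.
# The backup directory must live outside the application root.
snapshot() {
    src=$1; dest=$2
    mkdir -p "$dest" || return 1
    archive="$dest/backup-$(date +%Y%m%d-%H%M%S)-$$.tar.gz"
    tar -czf "$archive" -C "$src" . || return 1
    tar -tzf "$archive" >/dev/null || return 1
    printf '%s\n' "$archive"
}

# Replace only code/. The new tree is copied next to the old one and
# swapped in, so there is never a moment with no code directory at all.
release() {
    app=$(guard_app_root "$1") || return 1
    new_code=$2; backups=$3
    [ -d "$new_code" ] || { echo "no new code at $new_code" >&2; return 1; }
    archive=$(snapshot "$app" "$backups") || return 1
    staging="$app/code.new.$$"
    old="$app/code.old.$$"
    rm -rf "$staging"
    cp -R "$new_code" "$staging" || return 1
    [ ! -d "$app/code" ] || mv "$app/code" "$old" || return 1
    if ! mv "$staging" "$app/code"; then
        [ ! -d "$old" ] || mv "$old" "$app/code"   # put the old code back
        return 1
    fi
    rm -rf "$old"
    printf '%s\n' "$archive"
}

# Restore from an archive made by snapshot(). Files in the archive
# overwrite what is on disk; files created after the snapshot remain.
rollback() {
    app=$(guard_app_root "$1") || return 1
    archive=$2
    tar -tzf "$archive" >/dev/null || return 1     # unreadable archive: stop
    tar -xzf "$archive" -C "$app"
}

# Usage (paths are placeholders):
#   archive=$(release /srv/app ./build /var/backups/app) || exit 1
#   rollback /srv/app "$archive"    # if the server does not come back up
```
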

Wednesday, November 7, 2012

Looking just a little bit better

A lot of the feedback that I have received on Solomon Says (a big thank you to everyone who spent time and effort providing it) has been regarding the styling and design aspect of the website. Or rather, the lack of styling and design aspects in the website. Now, I am no designer. CSS3 and templating were not quite my fortes when I started working on it. So operating out of my ignorance of these fields, I have been forced to improve the design of the site in increments. Get something working, make it usable, and put it out there. Then improve what it looks like in the next iteration.

I'd like to share with you some of the changes I'm currently working on to the layout of the review pages. This primarily involves improving the data panel just above the text of the review. For the uninitiated, this is what it currently looks like on book and travel reviews respectively.

Both look very cramped and difficult to interact with. The huge orange rating section is sort of a waste of space, and the images don’t get due prominence (especially harmful on travel reviews). So I thought through these problems and came up with a small redesign which hopefully makes everything cleaner and easier to access. Check it out.

The new version is only slightly different from the current one but I think it lends a much more spaced-out feel to the whole page. You would also have noted that there is a small panel of image thumbnails right above the ratings section. These are the images that currently show up below the text of the review, like so:

I never really liked this design because pics are cool and everybody loves them. So I moved the images right to the top in a combination of sliding thumbnail carousel and Fancybox. Now they are easily accessible, and clicking on the thumbnail gallery blows them up to full size too! Like this.

A lot more groovy, even if I say so myself! I am planning to roll out the changes in about two weeks after a few minor tweaks and testing.

So what do you think? Like the new look? Not quite? Let me know in the comments or drop me a line at Suggestions/flowery words of praise/hate mail are all welcome.

Solomon Says at ISB

First things first – Please fill out this short survey. This will help me in assessing what I can do to make Solomon Says more exciting and useful for its users. I really, really appreciate it.

Now for the news of the week.

Solomon Says is currently the subject of a marketing project/case study in a course on Entrepreneurial Decision Making (EnDM) at ISB (Indian School of Business). The project is being conducted by Varun Jain (a very close friend of mine from my undergrad days at NSIT) of the ISB class of 2013 under Prof. Arun Pereira. Over the course of the project, I will be working with the two aforementioned gentlemen (mostly with Varun) to conduct market surveys, audience analysis and other analytical wizardry to refine SolomonSays into an even more awesome product.

Quick background on how this came about. Essentially Varun was looking for a start-up to whet his new-found marketing chops on. I was going around writing reviews and hacking away to glory with no time for reaching out to the wide world and finding a place in it. We discussed the website one day, and agreed that it could use some MBA lovin’. So starting this week with the survey mentioned above, we’ll be doing some basic scoping exercises to (hopefully) understand our audience and define our market with a lot more clarity than before. These efforts will also try to discover how readers interact with the website and what we can build into it to make that experience smooth.

I have written before that I do not have a proper business plan yet for SolomonSays. Throughout this ISB affair, my focus will continue to be on how to make this the best, most helpful reviews website on the web. No doubt there are parts of the project which demand an emphasis on revenue streams and sustainability, but those come later. Till then, the spotlight, my dear readers, is on you.

Don't forget the survey.

Tuesday, October 23, 2012

Meet SolomonSays : All the reviews you will ever need

This post has been coming for a few months, but somehow I could never get around to writing it. But a certain milestone has been reached today that makes me want to sit down and write this. A minor milestone, no doubt, but something is better than nothing, right? Over the last 10 months or so I have been working on a website called SolomonSays. This is a blog-in-website-shape where I review books, travel destinations, and eateries (though I am yet to get any traction on the last one). The milestone – 100 likes on the Facebook page.

I have referred earlier to the broken-ness of the crowd-sourced or community driven model of getting reviews of products. It is great at getting lots of info and scales insanely, but none of this data is in a very usable form (short of going through tons of reviews). And apparently, I’m not the only one cribbing either. The other problem is that one has to go to so many different sites to get reviews on different things despite the fact that all these websites are doing the exact same thing – gathering user generated review content.

I first faced this problem while looking up book recommendations and reviews. So I set out to do what I thought was the right way of reviewing things. Which, I believe, is the old fashioned way of having a team of dedicated reviewers writing comprehensive reviews about whatever it is that is being reviewed. I believe that no one should have to go through 300 one-off personal experiences to get an idea what a new restaurant or car is like. These are critical elements of a discussion, but do not comprise a coherent review. Combining the two approaches, i.e. getting a community to offer their individual opinions around a central review, is the clear winner IMO.

My original goal was extraordinarily ambitious – it would review absolutely _everything_ that can be reviewed. Books, restaurants, home appliances, vehicles, were all fair game. While I realized that actually doing this wouldn’t be possible all at once, that was where I believed I wanted to get to. Such a website, if it could be created, would occupy a unique position between Wikipedia and Amazon – the reviews would be free, and we would be able to facilitate any purchase the reader wanted through affiliate partners. But the content would be the business. Data would come first. ALWAYS. I still hold to the original unbounded scope of the website, but getting there is being done only in baby steps.

All MBA and otherwise savvy readers will have seen that the above isn’t much of a business plan – write reviews till you have enough content to drive steady traffic through SEO, and then try to convert that traffic into sales. In all honesty, I didn’t think too much in terms of a business idea (I still don’t). I was extremely excited by the idea of having all this data under one roof, the day job wasn’t too interesting at the time, so I just ran with it. One of my friends whom I initially discussed this with still hasn’t stopped harassing me about monetization.

The time spent working on this has been very exciting, and very tiring. I essentially have two jobs, so I get to hang out with my friends a lot less than I used to. For all that, the learning has been tremendous (I have written earlier about the technical experience). But now I am paid to read books (not yet really, but soon will be, I hope :)), and writing about what I read clears things up in my head too. Besides, there’s no better feeling than when someone drops a line saying how useful they found something that I wrote.

At this small occasion, I thank everyone who has supported me thus far (Special mention – Aditya Mangla, Sid Reddy, Sreejith, Kalpana, and Sin City). Do drop me a line with your ideas, suggestions, and review requests (or if you are willing to share your beer). Random gossip and philosophical musings are welcome too. 

Whatever I code or write is only half the answer. The rest of the awesomeness comes from your experiences and participation. I will continue to bring more information to this party. Hope you’ll stay. Let’s clean up this morass of online reviewing!

Wednesday, August 29, 2012

The problem with crowdsourced content

We have a whole lot of sites featuring reviews written by their readers on pretty much all topics. Of these, at least the front runners attract large traffic volumes, have a devoted user base, and are, I assume, making money. However, I want to discuss what I think is wrong with them.

The problem is the method of generating content. All these sites rely on a bevy of users to come write reviews on the products/services that the site focuses on and that they have used/experienced. This can be restaurants, books, travel, gadgets, or whatever else. Via friendly UIs, facilitated social media interaction etc., users are encouraged to contribute data for each other's benefit. This strategy is very effective in generating large amounts of data. However, it is very bad at generating cohesive data.

In general, I have three somewhat interconnected problems with this:
  1. Data is of poor quality – Since the website wants readers to submit reviews, it can rarely hold them accountable for the quality of their writing. The aim is to lower the barrier to writing and social media sharing. Get him to write. No matter what he writes, get him to write. To be fair, most of the reputed websites will intervene if you write inflammatory or profane material, but apart from that, pretty much anything goes. As a direct consequence, the quality of reviews in terms of both the content (what is written) and the form (how it is written) goes down. Most people write unbalanced reviews, either giving full marks and endless praise or griping about a very bad experience. This can be avoided to some extent by making sincere efforts at moderating and community building (StackOverflow is a great example), but none of the major commercial websites seem to be doing so.
  2. There is just too much data – This is the explicit result of successfully inducing readers to submit content to a site. Since anyone can submit anything, the data volumes are large, and it becomes well-nigh impossible to find information. This is what I like to call the Problem of 500 reviews. What I mean by that is that on any successful reviews site, today you can find 500 reviews for pretty much every single item. Too much data is not much better than no data. The best this deluge of disjointed reader inputs can give us is a general sense of how people like something. As an experiment, choose any famous book about which you know nothing, and try to find out about the book using only GoodReads reviews. I am fairly regular on the site, but I mostly do it for the bragging rights, and to let my friends know what I am up to.
  3. Data is without structure – I totally agree that a successful travel site of the kind that we are talking about will have all data about some destination. But how do we find this data? Since it is broken up across a large number of unconnected reviews, it is very difficult to present the information in a coherent, intuitive manner. It is now left to the reader to sift through the data that each reviewer has provided and collate the data he needs (when to get there, how to get there etc.)
The crowdsourced content model is like a group discussion where everyone is talking at the same time. There is no anchor or reference around which a discussion can be built.

IMO, a far better alternative is to have an informed member write one review, and then use that to gather all sorts of varied and personalized experiences regarding the topic of discussion. It may seem so up front, but such a model (critic-driven model, if you will) is not about classroom style information broadcast. The Expert has not spoken. It is about providing a structured core, the basic information, and then inviting the readers to extend that into a wider body of information. If you want people to spend time and effort sharing their opinion, it is only fair that you offer them something in return.

Monday, August 27, 2012

A sample Ladakh itinerary and a vote of thanks

So yours truly went to Leh two weeks ago. It was, as expected, a mind-blastingly awesome experience.

It is not the most routine of trips, so I pulled up my Google socks and got down to business. Although data is widely available on each individual destination in Leh, I found it difficult to plan an itinerary since no one was very clear how long each place would take (I found Nubra Valley estimates from "Dont even bother going there" to "It will definitely take 4 days"). The tour operators will certainly make one for you, but the geek (and the jock, for that matter) _has_ to work it out for himself, right?

I eventually had to call up friends who had been there to get their itineraries. Not cool. I don't want to be real life social when I can be online social. So to save all you worthies this trouble, here is my itinerary:
Day 1
Arrive Leh and overnight Stay. Check out Leh Palace and Shanti Stupa. Chill in random cafes.
Day 2
Leh-Like Monastery - Gurudwaara Pathhar Sahib - Lamayuru Monastery-Ule :  
You can actually visit Alchi the same day and come back if you rush somewhat, but why bother? The nice Ule resorts are built overlooking the river. Ergo, overnight stay.
Day 3
Ule-Alchi-Leh : Alchi monastery is nice and old. You can visit Basgo Palace on the way back, but it is really just a pile of mud and stone now and not worth the climb. Also see Hall of Fame - an army memorial/museum for our high altitude warriors. Respect.
Day 4
Leh to Nubra Valley - The drive is awesome. Bragging rights are earned by clicking pics at Khardungla (the highest motorable pass in the world at 5600-ish metres). Then bactrian camel ride at Diskit. It's beautiful here and a hard ride back, so stay overnight.
Day 5
Drive back to Leh. Relax.
Day 6
Leh - Chang La - Pangong Lake : Changla is the third highest motorable pass in the world (14500 ft). Reach camp around lunchtime. Sit on the banks of the beautiful lake. It's frikking cold and windy.
Day 7
Pangong Lake - Leh. Enroute visit Hemis, Thikse Monasteries and Shey Palace.
Day 8
Go home
Everything was done at a mellow pace, no rushing. Spending less time than this would not be doing justice to them IMO. Also, this is a fairly touristy plan, since this was my first time.

For all the research, we still booked a packaged tour (I'll hulk out the next time, I promise) via Escapades India. That almost got effed up due to the recent flash floods. We were stuck in Manali for 2 days, and missed the first two days of our itinerary. But the folks over at Escapades were EXTREMELY helpful, stayed in touch constantly to find out if we were doing okay. I called the unputdownable Mr. Parag more times than I called my family and he just might have done the same! A mail of theirs said "On adventure trips, you want to worry more about the reliability of your operator rather than what he is charging you" (paraphrased). Parag and Co. certainly came through on that front.

We extended our trip by two days to compensate for the things we had missed, and Escapades arranged it for no extra charge. Read that again. Slowly. No extra charge.

So all in all I strongly recommend anyone looking for the arranged travel option to go to Leh (or elsewhere, but I'm not very sure of that) to get in touch with Escapades India.

Monday, May 28, 2012

Chance knowledge and the cumulative effect

As I was driving past a park this Saturday, I saw that a section of it was burning. I suddenly had a vivid image of the entire park burning with high flames (It is a very large park). This then caused a thought about how Rome would have looked to Nero as it burnt. The revelation – I now know why Nero (the software) is so named.

This sort of random revelation is not an unusual thing. The most important part here was that I wasn’t thinking about computers at all. The experience was quite Sherlock Holmes-ish – When he gives voice to Dr. Watson’s thoughts by saying “Such a waste” and then proceeds to explain the chain of thought in the latter’s mind. Richard Bach compared ideas to fractures running in a crystal – any could lead to any other. Others have referred to the oneness of knowledge – that given one thing, everything else could be discovered. Both seem somewhat limited ways of explaining the experience.

Chance discoveries happen in science all the time. Microwave background radiation and radioactivity are but two examples.

I’m thinking now of the cumulative nature of scientific knowledge. Both socio-economic theorists (Francis Fukuyama, Fareed Zakaria etc.) and scientists (Francis Bacon) assert that with the invention of the scientific method (hypothesis-experiment-prove/disprove), scientific knowledge has become cumulative. That later generations inherit the knowledge of their predecessors. And it is intuitively true. We don’t have to rediscover the gravitational principle, although we may have to prove it several times over (damned CBSE exams!).

This is brought into somewhat contrary focus by the revelational experience. The cumulative nature of the scientific method no doubt holds true when the steps are small. Not to belittle any discoveries, but some _are_ greater than others. It took a Newton to get us to gravity, and even more drastically, an Einstein to get to relativity. Both works are quite out of the league for their times. The tools they used were there, as was the a-priori knowledge. But the power of the method seems to wane when we consider efforts where accepted first principles have to be discarded.

The cumulativity assertion says that given a state of human knowledge and the scientific method – the future can be worked out again. But how does this apply when the prior knowledge has to be discarded by a leap of faith? When accidents force the next step forward, how does the scientific principle handle it? We can say that the geniuses use informed intuition (Kekule and the structure of Benzene). But that would lead us into the myriad definitions of genius and intuition.

And that’s a discussion for some other time.