Political pressure in Arlington Virginia

The battle on Pershing Drive

How is political pressure applied to affect outcomes in Arlington County, Virginia?
Here is a case study in that.

(How this will end up is not known at present.
My expectation, based on past events in Arlington
(e.g., activists preventing a Cherrydale gun shop from opening),
is that the anti-gun-store activists will win, one way or the other,
and the gun store will not in fact open,
or if it does, will close after a short time.
Basically, because the passion of the anti-gun-shop people
is greater than that of the pro-gun-shop people.
But that is just my opinion, and is not certain.
It will be interesting to see what does happen, and why.)

Disclosure: Many years ago I lived about five blocks from Pershing Drive,
so I find this controversy interesting.

Google Map of the location

An activist organization formed to oppose NOVA Armory is
Act 4 Lyon Park.
This web site contains a detailed list of press coverage of this issue,
far more complete than what appears below.

Gun Store Touting Largest Selection Inside the Beltway Coming to Lyon Park
ARLnow.com, 2016-02-24 1735

Petition Launched Against Lyon Park Gun Store
ARLnow.com, 2016-02-26 1005

Gun store operator, neighbors may meet over Arlington dispute
By Patricia Sullivan
Washington Post, 2016-02-28

Residents of Arlington County’s Lyon Park neighborhood are scheduled to meet with two County Board members Sunday and are setting up a meeting with the owner of a gun store that is to open in the neighborhood next month, even as an online petition opposing the store neared 2,500 signatures.

John Goldener, president of the Lyon Park Citizens Association, said the group will meet with two County Board members Sunday night to share information and is trying to schedule a meeting with the owner of the business. The meeting, he said, will be limited to people who live in nearby neighborhoods.


Media Denied Access to Lyon Park Community Meeting About Gun Store
ARLnow.com, 2016-02-29


John Goldener, president of the Lyon Park Citizens Association,
spoke to ARLnow.com after the meeting,
which ran from 7-9 p.m. (on Sunday, 2016-02-28) and was attended by about 140 residents, he said.

Goldener declined to provide details about the discussion,
saying that the civic association purposely excluded outsiders
because the meeting was intended to be a safe space for community members to discuss the gun store.

“All I can tell you is what the meeting was about,” Goldener said.
“This was an opportunity for people in the community to have a safe, civil discussion.”

“The civic association’s role here is to be a facilitator,”
Goldener added. “We don’t take a stance on this particular issue.”

On a night in which the local investigative journalism drama Spotlight later won the Academy Award for Best Picture,
Goldener said he has “tremendous respect” for local news outlets,
but the community was worried about “people coming from out of the area, with their agendas.”

[Sounds like a good idea to me,
to facilitate a two-way conversation about the issues involved
between the county authorities
and the residents in the immediate neighborhood of the proposed gun shop,
without outside agitators interfering with the discussion.

This allows separation between the direct, immediate impact on the neighborhood
and the larger, global concerns about gun sales, gun regulation, and gun control.]


Can Va. state lawmakers stop a gun store from opening in Arlington?
By Patricia Sullivan
Washington Post, 2016-03-03

The seven state legislators who represent Arlington County
wrote a letter [thanks to ARLnow for the letter!] Wednesday
to the property owner of the office where a gun store intends to open later this month,
asking her to reconsider the lease.

The letter recalls the years in the 1990s when Virginia was known as the “gun-running capital of the East Coast”
and warns that Nova Armory, the business that aims to locate at 2300 N. Pershing Dr., is “already marketing aggressively” to residents of other states.
[No indication is given in this article, or the letter,
as to how the legislators know that.]


Lyon Park Gun Shop Threatens to Sue Critics, Lawmakers
ARLnow.com, 2016-03-04 9:50 AM

[Between 9:50 AM, when the article was posted, and 3:50 PM
this article attracted 304 comments.
That's about one per minute.
Talk about exciting the community!]

NOVA Armory, the gun store that says it’s planning to open soon in Lyon Park,
has responded to critics with a long, threatening press release.


[The text of the press release in full appears at the end of this article,
and also below is a link to a PDF of the release.]

NOVA Armory Press Release:
Gun Shop Fires Back at Critics
(3-page PDF)
NOVA Armory, 2016-03-04

Fight over Arlington gun store’s opening pits teenage girl against legislators
By Patricia Sullivan
Washington Post, 2016-03-04

[This story includes a color photo of 16-year-old Lauren Pratte,
from NOVA Armory's 2016-03-04 press release.]

The fight between a planned Arlington gun store and its neighbors escalated this week with an exchange of threats between state lawmakers and the business owner — in the voice of his 16-year-old daughter.

A news release issued Friday by Nova Armory quotes Lauren Pratte, the daughter of business owner Dennis R. Pratte, and describes her as the gun store’s “owner-in-training.” It includes a photo of Lauren, smiling and holding an antique gun.


Dennis Pratte on Friday canceled plans to meet Monday with the executive board of the Lyon Park Citizens Association, which is against the store. He also canceled plans to attend a community meeting in April.

Instead, according to a notice posted Friday on the Nova Armory website, the Lyon Park executive board was invited to a meeting at the store next week. The notice also said that there would be an “Open House” at the store next Saturday and that it would open for “normal business” on March 19.


Karen Taylor Soiles, a physical therapist who rents space in the same three-story commercial building where Nova Armory intends to open, said her landlord and most other tenants are avoiding discussion about the shop, although it’s the prime topic at every neighborhood gathering.

“My patients have been voicing their concerns,” Soiles said. “My lease is up in May, and I don’t know what to do . . . I wasn’t looking for this, but it came to my doorstep.”


Another Virginia Gun Store Faces Another Angry Mob
by Marshall Lewin
America's 1st Freedom (a publication of the NRA), 2016-03-08


Dennis Pratte, the would-be proprietor of NOVA Armory,
recently talked to America’s 1st Freedom, and said
“the pushback has been crazy.”


Pratte says he never wanted any of this controversy and conflict.
He deliberately didn’t put up signs or advertisements announcing his plans to open the store.
After all, after seeing the firestorm that forced NOVA Firearms to abandon its plan to open a store in Arlington’s Cherrydale neighborhood, who would?

Pratte went through all the paperwork and permitting—
saying Arlington County officials were “a pleasure to work with and bent over backwards” to accommodate him—
and everything was going smoothly
until someone apparently discovered the reserved parking spaces in the store’s parking lot,
which were marked “Reserved for NOVA Armory Customers.”
Then all hell broke loose.

Originally, Pratte had agreed to meet with Lyon Park residents at one of their community meetings to discuss their concerns.
When travel plans conflicted with that meeting, and Pratte had to cancel,
residents invited him to another later meeting—
and again, Pratte agreed.
But now, he says, after the letter sent by Arlington’s politicians
and all the rest of the gnashing of teeth, “enough is enough”—
so he canceled attending that meeting.
[Big mistake.
He should have attended, and at least listened to their concerns.
Show some respect for the community in which his store hopes to exist.]

Opponents of the store tried to make it sound like Pratte is unwilling to listen to their concerns,
but as he said, “I didn’t want it to turn into a big shouting match.”
[Don't jump to conclusions.]

So now, instead, Pratte is inviting all of his new neighbors to see firsthand
what he plans for the store by attending an open house at NOVA Armory this Saturday, March 12.
“A picture is worth a thousand words,” Pratte says.
So instead of trying to explain everything about guns to a hostile audience that may be misinformed, he says,
“The best way for them to see what we plan is to come and see it in person.”

For now, NOVA Armory is scheduled to have its grand opening on March 26.
And for now, Pratte hopes, he might face at worst maybe a day of protestors picketing the store at its grand opening, and that’ll be it.


NOVA Armory Sets Opening Date As Civic Association Set to Vote
ARLnow.com, 2016-03-08 (Tuesday)

NOVA Armory, the controversial planned gun store in Lyon Park, says it will hold a grand opening at 9 a.m. on Saturday, March 26.

The store, at 2300 N. Pershing Drive, says it has all applicable permits needed to open.
The grand opening will feature a ribbon-cutting ceremony with “several VIPs,” the store’s website says.

The Lyon Park Citizens Association, however, is still discussing the store and has planned a membership vote on whether the association should take an official stance on NOVA Armory.
It’s unclear what stance the association would take, though many residents have expressed concerns about the store and its proximity to a nearby preschool.

John Goldener, president of the civic association, confirmed the vote was to take place at some point this week. It comes after NOVA Armory, in a press release issued Friday, threatened to sue opponents and “local crazies.”

“The Association will not… respond favorably to any threats to our residents or to free speech in our meetings, our online forums, or on individual members’ social media pages,
as appeared in NOVA Armory’s own March 4 press release to this and other media outlets,”
Goldener said Monday.
“We assume that the business owner is a proud and responsible gun owner,
as are many residents of Lyon Park and members of the LPCA.
He should understand better than most that the Constitution is not a buffet,
and you cannot infringe upon individuals’ First Amendment rights in order to defend those in the Second.”

“We remain wholly committed to productive and constructive dialogue on this and any other issue of interest or concern to our residents,” Goldener added.

On Friday NOVA Armory said on its website — in a post that has since been removed —
that is [sic] cancelled a planned private meeting with the citizens association
and would only meet with residents at the store.
Since then, the stance of NOVA Armory’s owner appears to have softened a bit.

“Dennis Pratte and I have been in touch today, and we are working together to find a new time for him to meet with the Association,” Goldener told ARLnow.com Tuesday.

Pratte, meanwhile, says his business is legal and wants Lyon Park residents to stop by the store to clear up “misinformation floating around the internet” before voting.

“NOVA Armory’s application for zoning was approved and all the inspections were passed by the county,” Pratte wrote. “The business received an occupancy permit. And, every inspector, and every law enforcement official that has visited the shop has left confident knowing that they have met all the requirements to operate this business, and to operate it safely from this location. So, before the committee votes, I would hope they take this information into account, or at least stop by the business before casting their vote so they can make an informed decision.”

Video of the 2016-03-12 Arlington County Board Meeting

The comments from community members to NOVA Armory
and the response from the five board members, the county manager, and the county attorney
run, in the complete video, from 7 minutes, 20 seconds to 42 minutes
(the above clip is, at least in my browser, clipped to just that portion).

He says the Arlington gun store will be great. He just won’t say who owns it.
By Patricia Sullivan
Washington Post, 2016-03-14, March 13 at 6:48 PM

Dennis R. Pratte II doesn’t want people to consider him the owner of Nova Armory, the Arlington gun store he plans to open later this month.

Pratte, 46, describes himself as a “supporter” of the business — albeit one who holds the federal firearms sales license, applied for and signed the certificate of occupancy and lives in the same McLean, Va., house where the registered owner of the business, Broadstone Security LLC, is based.

Nova Armory, Pratte says, is “a family owned and operated business — and more specifically a female, minority-owned business.” He won’t say whether he is referring to his wife, Yong OK Pratte, who is listed on paperwork as an officer for one of Pratte’s previous gun businesses, or his 16-year-old daughter Lauren, whom he has publicly described as Nova Armory’s “owner-in-training” and who was there the other day, along with her older brother Alex.

“I may or may not be the owner,” Pratte said coyly after a reporter showed up Tuesday at the 900-square-foot storefront at 2300 N. Pershing Dr. “Just say ‘Mr. Pratte declined to comment’.”

Such secrecy is not going over well among many residents of the surrounding Lyon Park neighborhood, who say they do not want a gun store in general and are particularly suspicious about who is behind this one.

“This lack of transparency goes to the heart of the really intense reactions that people are having,” said Natalie Roy, a 25-year resident. “It’s not like he’s selling teddy bears.”


Members of the Lyon Park Citizens Association last week
voted 264 to 16 to oppose the gun-store opening,
with 21 people saying the association should not take a position.
After several canceled meetings,
Pratte and the neighborhood group’s executive board are scheduled to sit down together Monday.


Pratte said Nova Armory will concentrate on rifles and shotguns used for sport or collectors, and will ask customers to park in back and use the rear entrance to the store so as not to attract attention. He said he will sell Class III firearms to government buyers and “local law-enforcement-type agencies,” but will not stock them in the store. Nova Armory will stock handguns, he said, but “We are not selling $100 Saturday night specials. Our low end will be about $1,000. This is meant to be an exclusive store.”

He did not directly answer questions about whether he would sell semiautomatic weapons such as assault rifles, instead describing the superior stopping power of a hunting rifle or shotgun. He also declined to answer questions about his military background, his employment record, and whether any non-relatives are business partners, citing his preference for privacy.

In a letter to her other tenants, [building owner Ekaterina] Varley said Nova Armory has met all legal requirements to operate a gun store and will have military and law enforcement veterans working there.

Varley’s letter, a copy of which was obtained by The Washington Post, says the store will be operated by “individuals with over 20-years of experience in the firearms industry . . . they have taken their past experiences to create a new, 1-of-a-kind, retail firearms store.”


Arlington leaders: Our hands are tied on gun store
by Scott McCaffrey
Inside NOVA, 2016-03-14

Arlington officials say that despite their personal beliefs, they are hamstrung by state and federal law from taking steps to prevent a proposed gun shop from opening on Pershing Drive.

“If I had the authority to do something, I would,” County Board Vice Chairman Jay Fisette (D) said after opponents of the Nova Armory descended on the March 12 board meeting to express their anger to elected officials and staff.

Those critics came away with a sympathetic hearing, but little in the way of promises.

Local governments across Virginia are limited by the state legislature, which “has gone out of its way” to strip local authority on gun issues, County Attorney Stephen MacIsaac noted.

“We are at the mercy of the General Assembly, and to some degree, the Congress,” said MacIsaac, who added that local governments have no more power to regulate establishment of gun shops than they do comic-book shops.


The other option, county officials said, was for the public to put pressure on the store owner and landlord, as was the case when gun shops were planned for the Cherrydale and Nauck neighborhoods.

[You can bet your last dollar
that that is exactly what many people in Arlington will do,
by any means they can,
including secondary boycotts.]

Gun Store Rattles Arlington's Lyon Park Neighborhood
by Michael Pope
WAMU, 2016-03-16

Arlington Residents Don’t Want a Gun Shop.
A Lawyer for the Store Doesn’t Understand Why

By Jennifer Ortiz
Washingtonian, 2016-03-17


Daniel Hawes, the attorney for Broadstone Security LLC,
the entity that owns the store, NOVA Armory,
through the management of Dennis R. Pratte, says he doesn’t quite understand the community’s concern.


The Lyon Park Citizens Association took a vote, and found that
88 percent of people polled opposed the opening of NOVA Armory.
And on Wednesday night,
93 percent of residents of the neighboring Ashton Heights neighborhood
voted against the firearm business
according to email correspondence from an attendee.


Controversial Arlington Gun Store's Owner Breaks His Silence
By: Michael Pope
WAMU, 2016-03-17

The owner of a new gun store in Arlington appeared on WAMU 88.5's The Kojo Nnamdi Show on Thursday, defending his threat to sue members of the General Assembly and assuring concerned neighbors his store would not stock machine guns.

Dennis Pratte's business, NOVA Armory, isn't open yet, but it has residents in the Lyon Park neighborhood concerned about property values and gun violence.

"We can actually open legally today if we'd like," Pratte said via telephone in his first extensive broadcast interview. "But we've pushed it back a week, primarily due to delays responding to neighbors, trying to calm the fears of the folks in the area."

Some in Lyon Park also worry that the neighborhood's commercial district will suffer if people stop patronizing businesses because of the gun store. Resident Emily Hughes also appeared on The Kojo Nnamdi Show to voice the concerns shared by many of her neighbors.

"I don't like the idea that somebody could walk into Mr. Pratte's store, buy a firearm and then go sit down at the restaurant next door and decide to shoot somebody," she said.


Our Man in Arlington
by Charlie Clark
Falls Church News-Press, 2016-03-22


How Arlington and the nation have changed. Before the 1999 massacre at Columbine High School, before the National Rifle Association transformed from a gun-safety sportsman’s group to an intimidating lobby, before Arlington became less working-class, guns were visible routinely—in schools and shopping strips.

From 1961 until 1999, Arlington’s public high schools had rifle teams whose members carried weapons to school and practiced on campus ranges. Jim Allen, a founding teacher at Yorktown and later its athletic director, recalls that when the school opened in 1961, rifle coach Bill Beals commented, “Who ever heard of a high school rifle team?”

Allen and fellow biology teacher Clarence Seldomridge (who also coached rifle) allowed students to store .22 caliber rifles in their classroom closet because it was right up a stairwell from the range. “No one thought anything of it,” he says.

The 1991 Yorktown yearbook—one of many showing the rifle team kneeling with weapons and padded coats—described that range as “deep beneath the Yorktown cafeteria.” Safety protocol was strictly followed, Allen says, though one time a rifle “kicked up” and put a bullet through a waterpipe. It required a police and fire fighter response, but nothing more.

One Yorktown student who loved the team was Ron Anglin, class of ’66. Back when he was around 10, Anglin’s father bought him a .22 rifle at Sports Fair in Cherrydale. The boy walked with his weapon to lessons at the Washington-Lee High School rifle range “underneath the bleachers.”


After Columbine, the Arlington School Board voted to end campus rifle practice. The Virginia code, schools spokeswoman Linda Erdos reports, prohibits weapons on school property.

All three high schools today offer rifle teams, however, and at least a half-dozen Arlington rifle students have recently gone on to compete at college level. The typically 10-member squads practice off-site using air rifles. Yorktowners travel to a range on a VFW post and Masonic lodge.


Gun Store to Hold Ribbon-Cutting Ceremony While Opponents Hold ‘Community Celebration’
ArlNow, 2016-03-25

Arlington gun shop opening met with fanfare, opposition
by Dennis Foley
WTOP (103.5 FM), 2016-03-26

[This story features a photo of the ribbon-cutting.
Everyone looks very happy, especially Dennis Pratte.]


Along with other politicians,
the Arlington Chamber of Commerce took part in the ribbon cutting ceremony,
speaking highly of the newest retail outlet in the county.

Nova Armory’s owner says the shop is just supplying a demand.

“The Second Amendment is not just about hunting.
It’s about personal protection, self-preservation,” Pratte said.
“We provide a needed service to people who take that seriously.”

And although Nova Armory just opened, Pratte is already looking at his next possible location.

“We’d like to open a place in D.C.,” said Pratte.
“If there’s any landlords that want to give it a shot, give me a call.”

Gun store opens in Arlington County to strong support and business
by Patricia Sullivan
Washington Post, 2016-03-27


The neighborhood group decided not to stage a protest at the store because
“we don’t want to have a confrontation,”
said Natalie Roy, one of the Lyon Park group’s organizers.
“Why give the gun-store owner any unnecessary publicity, which is what he’s after.”

[The photo in the print edition makes it clear that she is
the Natalie Roy who advertises frequently in the local papers as "The Bicycling Realtor"?]

Numerous elected officials, including four state legislators, four of five Arlington County Board members, the county manager and a school board member attended the Lyon Park rally, calling on residents to not give up the fight.

State Sen. Barbara A. Favola (D-Arlington) described her unsuccessful attempt to pass a bill that would give local communities control of gun stores.

Del. Alfonso H. Lopez (D-Arlington) decried the General Assembly’s unwillingness to ban any weapons, even flamethrowers.

Del. Mark Levine (D-Alexandria) urged residents to “picket, protest and apply peer pressure.”

County Board member Christian Dorsey (D), who brought his daughter to the rally,
said the county will apply “certainly a level of vigilance — not special scrutiny,
but we’re going to be watching closely to be sure [the store] operates as it’s supposed to.”

Arlington residents can buy guns at a pawnshop on Lee Highway or head out to Fairfax County,
where numerous stores, including some formerly owned by Pratte, operate.
But some have been hostile to stand-alone shops;
last year, residents in the Cherrydale neighborhood persuaded a landlord to revoke a lease to a McLean business, Nova Firearms, that wanted to relocate there.

Last week, another low-level confrontation took place when the store’s landlord towed another tenant’s van that was adorned with articles about gun violence.

Karen Taylor Soiles, a physical therapist who works above the gun store,
said Katya Varley had her vehicle towed and refused to pay the $95 towing fee.
Varley declined to talk Saturday to a reporter.


Arlington gun store’s owner sues critics,
says opponents issued death threats

By Patricia Sullivan
Washington Post, 2016-04-25

The owner of the Arlington gun store that opened last month despite vociferous objections from local residents
has sued 64 people, including elected officials,
claiming that they conspired to destroy the business, harassed the owner and landlord
and mailed death threats to the 16-year-old “owner-in-training.”

The suit, filed last week in Richmond Circuit Court,
named seven state legislators who appealed to the landlord, on official General Assembly stationery,
to refuse to rent 2300 N. Pershing Dr. to Nova Armory.
The lawsuit also named
Arlington County Board member Christian Dorsey, School Board member Barbara Kanninen
and multiple residents who have spoken out against the gun store.

Daniel Hawes, attorney for Broadstone Security, which does business as Nova Armory, said the plaintiffs warned the lawmakers and residents against “interference” with the business.

“People generally don’t like it if you try to destroy their business. That’s malicious behavior,” Hawes said. He said someone has been following customers who leave the store and taking photos of their cars and license plates. “There’s been all sorts of creepy stuff by people with a morbid obsession, a neurotic obsession, with firearms,” he said. “They are really dangerous people.”

The complaint says defamatory comments on social media, harassing phone calls and emails and a mailed death threat to 16-year-old Lauren Pratte forced the business to spend time and money “in merely surviving the crisis.” Pratte is the daughter of Dennis R. Pratte II, who described Nova Armory as a family-owned business. The lawsuit asks for $2.1 million in lost revenue and damages, an amount that can be tripled under law.


Nova Armory Sues Residents, Lawmakers
ArlNow, 2016-04-25

Lyon Park gun store Nova Armory is suing 64 people who spoke out against its recent opening, including local residents and lawmakers.

A [PDF] copy of the lawsuit can be downloaded here.

[This 14-page document makes for highly interesting reading.
I am certainly not a lawyer, but their case sounds somewhat plausible.
The only thing obviously unjustified in their suit
is the claim that some of the anti-gunshop arguments were and are racist.
I don't think you have to be a racist to support those arguments.
That is not to say that I am taking a side, one way or the other, in the conflict between the gunshop and its opponents,
merely that I don't see racism as being part of the issue here,
nor do I believe the opponents were motivated by racism.
Gun crimes are and have been committed by people of all races.]


Zoning Board to Hear Resident Challenge to Gun Store
ArlNow.com, 2015-05-10

A group of Lyon Park and Ashton Heights residents is trying to challenge the legality of Nova Armory’s Certificate of Occupancy.


In a report to the BZA, Arlington’s Acting Zoning Administrator, Arlova Vonhm, recommends denying the appeal and upholding Nova Armory’s Certificate of Occupancy at 2300 N. Pershing Drive. Vonhm addressed each of the challenges made by the residents:


Zoning Board Rules In Favor Of Local Virginia Gun Store
by Kerry Picket
Daily Caller, 2016-05-12

Chalk up another victory for NOVA Armory. The suburban Virginia firearms store beat back an appeal late Wednesday night that asked the Arlington County Zoning Board to revoke its small business occupancy permit.

The five-member board voted unanimously to uphold issuing the occupancy certificate to NOVA Armory, though board members stressed that their decision was based on zoning rules rather than the Second Amendment.


Another member agreed, saying, “For us this is not about a Second Amendment right. It’s very narrow. So our personal feelings about how we feel about this gun store or any gun store or guns in general is completely not relevant to our decision here. It is a technical decision based on a zoning question.”


Arlington gun store that riled the neighborhood is sold to employee
by Patricia Sullivan
Washington Post, 2016-10-03

An Arlington gun store whose owner enraged neighbors — first by claiming it was owned by his 16-year-old daughter and then by suing them for speaking out in opposition — has sold the property to an employee.

Dennis R. Pratte, who opened Nova Armory in March under the business name of Broadstone Security, said he sold the business Aug. 19 to Shawn Poulin, the store’s manager, who continues to operate it.

Poulin, in an interview at the store Saturday, said that the business is “in the black” and that he plans to expand to the second floor, with a showroom to feature rifles, tactical gear and an expanded clothing line. The former Marine said he’s the majority owner of the store. He said his partner is a Fairfax County company that makes amphibious patrol boats, but he would not name the firm.



Dropped Gun Store Lawsuit Helps Bring Va. Bill to Protect Protesters
by Chris Teale

The lawsuit against 64 people who spoke in opposition to Nova Armory, the Lyon Park gun store, helped provide the impetus for a state bill to protect protesters from similar court action.

House Bill 1941, introduced by southwest Virginia Del. Terry Kilgore (R-1) and co-patroned by local Del. Mark Levine (D-45), provides immunity from a lawsuit to anyone who speaks out on a matter of public concern, unless they knowingly make false statements. Defendants in so-called “strategic lawsuits against public participation” could be awarded reasonable attorney fees and costs under the bill.

It passed unanimously in both the House of Delegates and the state Senate, and awaits the signature of Gov. Terry McAuliffe (D).

ArlNow, 2017-03-07




In DNA Era, New Worries About Prejudice
New York Times, 2007-11-11


Eden? Maybe. But Where’s the Apple Tree?
New York Times, 2009-05-01


Signs of Neanderthals Mating With Humans
New York Times, 2010-05-07

Neanderthals mated with some modern humans after all
and left their imprint in the human genome,
a team of biologists has reported in
the first detailed analysis of the Neanderthal genetic sequence.

The biologists, led by Svante Paabo of the
Max Planck Institute for Evolutionary Anthropology in Leipzig, Germany,
have been slowly reconstructing the genome of Neanderthals,
the stocky hunters that dominated Europe until 30,000 years ago,
by extracting the fragments of DNA that still exist in their fossil bones.
Just last year, when the biologists first announced
that they had decoded the Neanderthal genome,
they reported no significant evidence of interbreeding.

Scientists say they have recovered 60 percent of the genome so far
and hope to complete it.
By comparing that genome with those of various present day humans,
the team concluded that
about 1 percent to 4 percent of the genome of non-Africans today
is derived from Neanderthals.

[Ma Ma! Da Da!]

Studies Show Genetic Similarities of Jews
New York Times, 2010-06-10

Jewish communities in Europe and the Middle East
share many genes inherited from
the ancestral Jewish population
that lived in the Middle East some 3,000 years ago,
even though each community also carries genes from other sources —
usually the country in which it lives.

That is the conclusion of two new genetic surveys,
the first to use genome-wide scanning devices
to compare many Jewish communities around the world.

A major surprise from both surveys is
the genetic closeness of the two Jewish communities of Europe,
the Ashkenazim and the Sephardim.
The Ashkenazim thrived in North and Eastern Europe
until their devastation by the Hitler regime,
and now live mostly in the United States and Israel.
The Sephardim were exiled from Spain in 1492 and from Portugal in 1497
and moved to the Ottoman Empire, North Africa and the Netherlands.


Jewish communities from Europe, the Middle East and the Caucasus
all have substantial genetic ancestry that traces back to the Levant,
except for Ethiopian Jews and two Judaic communities in India,
which are genetically much closer to their host populations.


The shared genetic elements suggest that
members of any Jewish community are related to one another
as closely as are
fourth or fifth cousins in a large population,
which is about 10 times higher than the relationship between
two people chosen at random off the streets of New York City,
Dr. Atzmon said.

Ashkenazic and Sephardic communities have roughly 30 percent European ancestry, with most of the rest from the Middle East, the two surveys find. The two communities seem very similar to each other genetically, which is unexpected because they have been separated for so long.

One explanation is that they come from the same Jewish source population in Europe. The Atzmon-Ostrer team found that the genomic signature of Ashkenazim and Sephardim is very similar to that of Italian Jews, suggesting that an ancient population in northern Italy of Jews intermarried with Italians could have been the common origin. The Ashkenazim first appear in northern Europe around 800 A.D., but historians suspect they arrived there from Italy.

Another explanation, which may be complementary to the first, is that there was far more interchange and intermarriage than expected between the two communities in medieval times, despite the fact that they spoke different languages.


Sickle cell testing of athletes stirs discrimination fears
By Rob Stein
Washington Post, 2010-09-20


Race reemerges in debate over ‘personalized medicine’
By Rob Stein
Washington Post, 2011-08-01


Eugenics and dysgenics


Marion Barry’s son following in his addictive footsteps, tragically
by Petula Dvorak
Washington Post, 2011-07-19

Talk of the apple and how it doesn’t fall far from the tree did abound.
You know, that old story about how the father was an addict
and got into all kinds of trouble
and then the son grew up and did exactly the same?


There’s a lot of scientific evidence that addiction is genetic.
And there’s no doubt it’s environmental, too.
Kids who grow up with weed on the coffee table
or a parent always balancing a drink in one hand
are probably going to follow that path.

That addiction is so often passed on through generations
“is something people don’t want to talk about,”
said Amelia Arria, the Director of the center on Young Adult Health and Development at the University of Maryland School of Public Health.


Parents who are addicts are probably not parenting too well
when they’re raging on with drugs or alcohol,
so there’s that damage to repair.
And even though they might recover themselves,
they can’t always undo the wreckage they’ve left in their wake —
or even admit what they’ve done to their children.

The refusal to address those issues festers in the kids.
And what better way to deal with a problem
than tackle it the same way that dear old mom or dad did?

“This cuts across socioeconomic status,” Arria said.
“Addiction is an equal-opportunity problem.”

[Dvorak emphasizes the environmental factor,
but she did earlier allude to a genetic factor as well.]


Nature versus nurture

Back in the old days, say the 1950s and 1960s,
it was common to debate the relative importance of nature (meaning one's genetic inheritance)
and nurture (meaning one's post-birth surroundings)
in determining various aspects of one's persona.

However, such questions seem strangely (to me, at least) to be overlooked in much of more recent debate
(I am writing this on 2013-10-22, but have been observing this since at least, say, 1990).
For example, does not the at one time highly popular "No Child Left Behind" act
suggest that nurture trumps nature?
Does not much of the current (post-2000) emphasis on education assume that one's genes are of little significance in determining one's abilities?

The push to disavow the importance of nature received impetus, and took shape,
in the opposition to the very idea of "IQ", pushed by, among others, Stephen Jay Gould.

At any rate, skipping to the current, 2013, world,
here are some news articles that bring up, explicitly or implicitly, this issue.

Language-Gap Study Bolsters a Push for Pre-K
New York Times, 2013-10-23

I have no doubt that children learn very, very much from their parents,
and that speaking to, and interacting with, children from the earliest age
plays a crucial role in their development of skills.
Children learn by observing.
So nurture certainly plays a dominant role in this arena.
But may not nature be of some significance as well?





A Contributor to Wikipedia Has His Fictional Side
New York Times, 2007-03-05

In a blink, the wisdom of the crowd became the fury of the crowd. In the last few days, contributors to Wikipedia, the popular online encyclopedia, have turned against one of their own who was found to have created an elaborate false identity.

Under the name Essjay, the contributor edited thousands of Wikipedia articles and was once one of the few people with the authority to deal with vandalism and to arbitrate disputes between authors.

To the Wikipedia world, Essjay was a tenured professor of religion at a private university with expertise in canon law, according to his user profile. But in fact, Essjay is a 24-year-old named Ryan Jordan, who attended a number of colleges in Kentucky and lives outside Louisville.

[For details, see the Wikipedia article on this.]

Wikipedia To Check I.D.’s
By Rob Mackey
New York Times Blog, 2007-03-09

What’s Russian for ‘Hacker’?
New York Times Week in Review, 2007-10-21


Ideology and the Internet
by Justin Raimondo
Antiwar.com, 2009-02-04

From Right to Left – and back again?

Stung by the Perfect Sting
New York Times, 2009-08-26


If I read all the vile stuff about me on the Internet,
I’d never come to work.
I’d scamper off and live my dream
of being a cocktail waitress in a militia bar in Wyoming.

If you’re written about in a nasty way, it looms much larger for you than for anyone else. Gossip goes in one ear and out the other unless you’re the subject. Then, nobody’s skin is thick enough.

“The velocity and volume on the Web are so great that nothing is forgotten and nothing is remembered,” says Leon Wieseltier, the literary editor of The New Republic. “The Internet is like closing time at a blue-collar bar in Boston. Everyone’s drunk and ugly and they’re going to pass out in a few minutes.”

Those are my people, I protested, but I knew what he meant. That’s why I was interested in the Case of the Blond Model and the Malicious Blogger.

Sooner or later, this sort of suit will end up before the Supreme Court.

It began eight months ago when Liskula Cohen,
a 37-year-old model
and Australian Vogue cover girl
[see more...],
was surprised to find herself winning
a “Skankiest in NYC” award
from an anonymous blogger.
The online tormentor put up noxious commentary on Google’s blogger.com
[Who they? :-)],
calling Cohen a “skank,” a “ho”
and an “old hag”
who “may have been hot 10 years ago.”

Cohen says she’s “a lover, not a fighter.”
But the model had stood up for herself before.
In 2007, at a New York club,
she tried to stop a man named Samir Dervisevic
who wanted to drink from the vodka bottle on her table.
He hit her in the face with the bottle
and gouged a hole “the size of a quarter,”
as she put it, requiring plastic surgery.

This time, she punched the virtual bully in the face,
filing a defamation suit
to force Google to give up the blogger’s e-mail.

And she won.

“The words ‘skank,’ ‘skanky’ and ‘ho’
carry a negative implication of sexual promiscuity,”
wrote Justice Joan Madden of State Supreme Court in Manhattan,
rejecting the Anonymous Blogger’s assertion that
blogs are a modern soapbox designed for opinions, rants and invective.

The judge cited a Virginia court decision
[almost surely the one involving the Cornwell/Sachs dispute]
that the Internet’s “virtually unlimited, inexpensive and almost immediate means of communication” with the masses means “the dangers of its misuse cannot be ignored. The protection of the right to communicate anonymously must be balanced against the need to assure that those persons who choose to abuse the opportunities presented by this medium can be made to answer for such transgressions.”

Cyberbullies, she wrote, cannot hide “behind an illusory shield of purported First Amendment rights.”

Once she had the e-mail address,
Cohen discovered whence the smears:
a cafe society acquaintance named
Rosemary Port,
a pretty 29-year-old
Fashion Institute of Technology student.


Cohen called and forgave Port, but did not get an apology.
She had her lawyer, Steve Wagner, drop her defamation suit.

[Am I the only one who senses a strong discontinuity here?
After going to all the effort to file a defamation lawsuit,
Cohen just backs down and wants absolutely no recompense?
Why did she file the lawsuit in the first place?
What if the “defamer” had been a man?
Would she have been so forgiving in that case?]

But now Port says she’ll file a $15 million suit against Google
for giving her up.

Port contends that if Cohen hadn’t sued,
hardly anyone would have seen the blog.
(If a skank falls in the forest and no one hears it ... ?)

But Cohen says the Internet is different than water-cooler gossip.
“It’s there for the whole world to see,” she told me.
“What happened to integrity?
Why go out of your way solely to upset somebody else?
Why can’t we all just be nice?”

She said she may become an activist, and has been e-mailing with Tina Meier, mother of Megan Meier, the 13-year-old who killed herself after getting cyberbullied by the mother of a classmate who pretended to be a teen suitor named “Josh.”

“If that woman had started a MySpace page as herself, that little girl would still be in her mother’s arms,” Cohen said.

The Internet was supposed to be the prolix paradise where there would be no more gatekeepers and everyone would finally have their say. We would express ourselves freely at any level, high or low, with no inhibitions.

Yet in this infinite realm of truth-telling, many want to hide. Who are these people prepared to tell you what they think, but not who they are? What is the mentality that lets them get in our face while wearing a mask? Shredding somebody’s character before the entire world and not being held accountable seems like the perfect sting.

Pseudonyms have a noble history. Revolutionaries in France, founding fathers and Soviet dissidents used them. The great poet Fernando Pessoa used heteronyms to write in different styles and even to review the work composed under his other names.

As Hugo Black wrote in 1960, “It is plain that anonymity has sometimes been assumed for the most constructive purposes.”

But on the Internet, it’s often less about being constructive and more about being cowardly.


Obama's War on the Internet
By Philip Giraldi
Campaign for Liberty, 2010-07-19

A recent trip to Europe has convinced me that
the governments of the world have been rocked by the power of the internet
and are seeking to gain control of it

so that
they will have a virtual monopoly
on information that the public is able to access.


Everything Google knows about you
(and how it knows it)

By Caitlin Dewey
Washington Post The Intersect, 2014-11-19



Net of Insecurity:
A history of Internet security

Part of the Washington Post series, “Net of Insecurity”

Net of Insecurity, Part 1:
A Flaw in the Design

by Craig Timberg
Washington Post, 2015-05-31

The Kernel of the Argument
Fast, flexible, and free, Linux is taking over the online world.
But there is growing unease about security weaknesses

by Craig Timberg
Washington Post, 2015-11-05

It took years for the Internet to reach its first 100 computers. Today, 100 new ones join each second. And running deep within the silicon souls of most of these machines is the work of a technical wizard of remarkable power, a man described as a genius and a bully, a spiritual leader and a benevolent dictator.

Linus Torvalds — who in person could be mistaken for just another paunchy, middle-aged suburban dad who happens to have a curiously large collection of stuffed penguin dolls — looms over the future of computing much as Bill Gates and the late Steve Jobs loom over its past and present. For Linux, the operating system that Torvalds created and named after himself, has come to dominate the exploding online world, making it more popular overall than rivals from Microsoft and Apple.

But while Linux is fast, flexible and free, a growing chorus of critics warn that it has security weaknesses that could be fixed but haven’t been. Worse, as Internet security has surged as a subject of international concern, Torvalds has engaged in an occasionally profane standoff with experts on the subject. One group he has dismissed as “masturbating monkeys.” In blasting the security features produced by another group, he said in a public post, “Please just kill yourself now. The world would be a better place.”

There are legitimate philosophical differences amid the harsh words. Linux has thrived in part because of Torvalds’s relentless focus on performance and reliability, both of which could suffer if more security features were added.
Linux works on almost any chip in the world and
is famously stable as it manages the demands of many programs at once,
allowing computers to hum along for years at a time without rebooting.

Yet even among Linux’s many fans there is growing unease about vulnerabilities in the operating system’s most basic, foundational elements — housed in something called “the kernel,” which Torvalds has personally managed since its creation in 1991. Even more so, there is concern that Torvalds’s approach to security is too passive, bordering on indifferent.

“Linus doesn’t take security seriously; it’s yet another concern in his mind, and he’s surrounded himself with people who share those views,” said Daniel Micay, a Toronto-based security researcher whose company, Copperhead, is developing a hardened version of the Android mobile operating system, which is based on Linux. “There are a lot of kernel developers who do really care about security, but they’re not the ones making the calls.”

The rift between Torvalds and security experts is a particular source of worry for those who see Linux becoming the dominant operating system at a time when technology is blurring the borders between the online and offline worlds. Much as Windows long was the standard for personal computers, Linux runs on most of the Internet’s servers. It also operates on medical equipment, sensitive databases and computers on many kinds of vehicles, including tiny drones and warships.

“If you don’t treat security like a religious fanatic, you are going to be hurt like you can’t imagine. And Linus never took seriously the religious fanaticism around security,” said Dave Aitel, a former National Security Agency research scientist and founder of Immunity, a Florida-based security company.

Torvalds — who despite his history of blistering online exchanges is genial in person, often smiling from behind round-framed glasses — indeed appears to be the opposite of a religious fanatic as he zips around his adopted home town of Portland, Ore., in a yellow Mercedes convertible. The license plate is “DAD OF3,” but it’s the plate holder that better captures his sly sense of humor, somehow mixing self-confidence with self-mockery. “MR. LINUX,” it reads, “KING OF GEEKS.”

Over several hours of conversation, Torvalds, 45, disputed suggestions that security is not important to him or to Linux, but he acknowledged being “at odds” with some security experts. His broader message was this:
Security of any system can never be perfect.
So it always must be weighed against other priorities —
such as speed, flexibility and ease of use —
in a series of inherently nuanced trade-offs.
This is a process, Torvalds suggested, poorly understood by his critics.

[The evidence (see, e.g., the highlighted material in paragraph 0.4) is
that Linux has achieved near perfection in stability.
Why can it not achieve the same level of quality
when it comes to security?]

“The people who care most about this stuff are completely crazy. They are very black and white,” he said, speaking with a slight Nordic accent from his native Finland. “Security in itself is useless. . . . The upside is always somewhere else. The security is never the thing that you really care about.”

When the interviewer asked whether Linux — designed in an era before hacking had become a major criminal enterprise, a tool of war and constant threat to the privacy of billions of people — was due for a security overhaul after 24 years, Torvalds replied, “You’re making sense, and you may even be right.”

But what followed was a bracing example of why Torvalds said the interviewer was wrong: Imagine, Torvalds said, that terrorists exploited a flaw in the Linux kernel to cause a meltdown at a nuclear power plant, killing millions of people.

“There is no way in hell the problem there is the kernel,” Torvalds said. “If you run a nuclear power plant that can kill millions of people, you don’t connect it to the Internet.”

Or if you do, he continued, you build robust defenses such as firewalls and other protections beyond the operating system so that a bug in the Linux kernel is not enough to create a catastrophe.

“If I have to worry about that kind of scenario happening,” Torvalds added with a wry grin, “I won’t get any work done.”

Even without a potential nuclear disaster, the stakes are high. Operating system kernels are the most essential code on any computer, allowing hardware to work smoothly with multiple pieces of software. This makes kernels uniquely powerful — they can override the safeguards on any other program, meaning nothing on a computer is truly secure if the operating system kernel is not.

Now, consider this: The Linux kernel runs on the New York Stock Exchange, every Android smartphone and nearly all of the world’s supercomputers. Much of the rapidly expanding universe of connected devices uses Linux, as do many of the world’s biggest companies, including Google, Facebook and Amazon.com. The tech-heavy U.S. economy, many would argue, also depends on the smooth functioning of Linux.

Even more broadly, the battle over Linux security is a fight over the future of the online world. At a time when leading computer scientists are debating whether the Internet is so broken that it needs to be replaced, the network is expanding faster than ever, layering flaw upon flaw in an ever-expanding web of insecurity. Perhaps the best hope for fixing this, some experts argue, lies in changing the operating system that — more than any other — controls these machines.

But first, they have to change the mind of Linus Torvalds.

Accidental hero

Stories about tech titans tend toward pat narratives: the blazing discovery, the shrewd business moves, the thrilling triumph after years of struggle. The story of Torvalds, and by extension Linux, is almost the opposite. He was a shy, brainy college student who built something with no obvious market — a new operating system in a world that already had Windows, Mac OS and Unix — and gave it away. It wasn’t a business. It was a hobby.

There is a telling moment in his autobiography, “Just for Fun,” written with journalist David Diamond, that captures this spirit of naive experimentation. In early 1992, about six months after announcing the creation of Linux, Torvalds posted an online message asking anyone using the operating system to send him a postcard.

Soon, his mailbox in Helsinki overflowed with hundreds of postcards from the United States, New Zealand, Japan and beyond. It was the first time that his sister and mother, with whom Torvalds shared an apartment, realized that he was up to something big. Torvalds had told them little about what he was doing in his bedroom, perched over his computer, all hours of the day and night.

This diffuse and ever-growing community of users proved to be the magic that powered Linux. The operating system had its inherent virtues — it was simple and clean; tech enthusiasts worldwide fell in love with its elegance — but more important it was an “open-source” project. That meant anybody could use it, alter it and even make a new version without paying a cent, without even asking permission. Linux soon became, in a phrase from Torvalds’s autobiography, the “world’s largest collaborative project,” with contributors numbering in the hundreds of thousands. They drove the growth of Linux long after Torvalds might have lost interest.

“In 1992,” he said, “I was like, ‘Wow, it does everything I wanted it to do. What now?’ ”

Torvalds had little choice but to become the general of an unruly volunteer army. As the kernel grew from 10,000 lines of code to 19 million, Torvalds created an elaborate and remarkably functional system that, every couple of months, offered a free update of the Linux kernel to anyone who wanted it.

Based on the kernel, others then tailored the operating systems to their own tastes and purposes, adding even more lines of code that collectively became fully fledged “distributions” of Linux that ran on various types of computers. The price of admission to this elaborate process was faith in Torvalds, although some went the extra step of making an offering to their hero: free computer gear, company T-shirts or penguin dolls (because a squat, cheerful-looking aquatic waterfowl — usually sitting lazily on its butt — was the symbol of Linux).

Years of spinning such devotion into well-honed computer code has shaped a development process that is gradual and evolutionary. The goal is to fix problems and adapt to new hardware, while never causing malfunctions. This idea is enshrined, somewhat antiseptically, in Torvalds’s often-stated prohibition against what he calls “breaking user space” — essentially, causing something that a user depends on to stop working. But there is nothing antiseptic about his reaction when somebody violates this cardinal rule.

One notorious exchange came in December 2012, when Torvalds publicly raged to a regular Linux contributor who had proposed a flawed patch: “WE DO NOT BREAK USERSPACE! Seriously. How hard is this rule to understand? We particularly don’t break user space with TOTAL CRAP. I’m angry, because your whole email was so _horribly_ wrong, and the patch that broke things was so obviously crap.”

Torvalds sometimes expresses regret about his rhetorical excesses, but the emotion that boils up in these moments is unmistakably real, fueled by his fierce sense of guardianship over Linux.

The effect of Torvalds’s approach to managing the kernel — defensive, gradualist, sometimes cranky — chilled debate about the security of Linux even as it became a bigger, richer target for hackers. The result, critics argue, is that while Linux in its early days was widely considered a safer choice than Windows or other commercial operating systems, the edge has dwindled and perhaps disappeared.

“While I don’t think that the Linux kernel has a terrible track record, it’s certainly much worse than a lot of people would like it to be,” said Matthew Garrett, principal security engineer for CoreOS, a San Francisco company that produces an operating system based on Linux. At a time when research into protecting software has grown increasingly sophisticated, Garrett said, “very little of that research has been incorporated into Linux.”

Versions of Linux have proved vulnerable to serious bugs in recent years. AshleyMadison.com, the Web site that facilitates extramarital affairs and suffered an embarrassing data breach in July, was reportedly running Linux on its servers, as do many companies.

Those problems did not involve the kernel itself, but experts say the kernel has become a popular target for hackers building “botnets,” giant networks of computers that can be organized to initiate cyberattacks. Experts also say that government spies — and the companies that sell them surveillance tools — have turned their attention to the kernel as Linux has spread.

The Security Intelligence Response Team for Akamai, a leading Internet content delivery company, spoke bluntly on the rising vulnerability of Linux in September when it announced the discovery of a massive botnet that attacked up to 20 targets worldwide each day.

“A decade ago, Linux was seen as the more secure alternative to Windows environments, which suffered the lion’s share of attacks at the time,” Akamai’s security team wrote. But the sharply rising popularity of Linux has meant “the potential opportunity and rewards for criminals has also grown. Attackers will continue to evolve their tactics and tools and security professionals should continue to harden their Linux based systems accordingly.”

But harden how?

Ultimate attack surface

Even if Torvalds originally considered Linux a hobby, others saw gold. Red Hat, a North Carolina company, released a version that became widely deployed across corporate America and at many government agencies. A South African businessman released Ubuntu, a popular desktop version of Linux, in 2004. Traditional tech giants — IBM, Intel, Oracle — also made big bets on Linux.

As Linux took off, Torvalds took something of a detour, leaving Finland with his wife and first child in 1997 to work for a Silicon Valley start-up. But he never gave up control of Linux and, in 2003, Torvalds joined an Oregon-based nonprofit group that later merged with another organization to become the Linux Foundation, which promotes the overall development of the operating system.

(Torvalds also was granted stock options by Red Hat and one other company selling Linux products, making him comfortable enough to pay cash for a new house but not nearly as rich as Gates or other top tech executives.)

The rising popularity of the operating system sparked efforts to toughen its defenses. Companies that sold versions of Linux had security teams add protections. Even the U.S. government, which has adopted Linux on many of its computers, had the NSA develop advanced security features, called SELinux, making the operating system more suitable for sensitive work. (This was a defensive effort, say security experts, not part of the NSA’s spying mission.)

The problem, as critics pointed out, was that these protections relied on building walls around the operating system that, however high or thick, could not possibly stop all comers. Those who penetrated gained control of the Linux kernel itself, meaning the hackers could make a compromised computer do anything they wanted — even if every other piece of software on the machine was flawlessly protected. According to veteran security engineer Kees Cook, this made the Linux kernel “the ultimate attack surface.”

“Vulnerabilities in the kernel generally meant that an attacker with access to a flawed kernel interface” — meaning a bug in the code — “could bypass nearly every other security policy in place and take total control of the system,” said Cook, who from 2006 to 2011 worked for Canonical, which supported the Ubuntu version of Linux, and later joined Google to work on kernel security.

Another expert, Brad Spengler of Grsecurity, used satire to make a similar point in 2009, circulating a spoof of an illustration that had been used in promotional material for SELinux. The original version showed the kernel wrapped in protective layers that repelled attacks, but the spoof overlaid images of “Sesame Street” characters happily getting through these layers to menace the kernel. Ernie, Bert, Elmo, Oscar the Grouch and the Cookie Monster represented “Blackhats with kernel exploits,” the text read, meaning malicious hackers armed with the computer bugs that offered a way past even the heaviest defenses.

Spengler later acknowledged that the spoof was “childish” but said it “at least was more accurate” than the original diagram. To drive the point home, he soon demonstrated how nearly a dozen known Linux coding bugs could be exploited by malicious hackers to defeat external defenses and take control of the kernel.

The response from Torvalds to such concerns did little to calm Spengler or other critics. In an era when software makers increasingly were candid about security flaws, issuing alerts that detailed problems and explicitly urged people to install safer updates, Torvalds had a different approach. In messages that accompanied each new version of the Linux kernel, he described various improvements but would not call attention to the ones that fixed security problems.

This frustrated security experts who saw transparency as a key part of their mission. They reasoned that if a software maker knew about a bug, then malicious hackers almost certainly did, too, and had been exploiting it for months or even years. Failing to warn users directly and forcefully made it harder for them to protect themselves.

Torvalds, however, has held his ground on this issue. He knew there were countless versions of Linux running across the world and that weeks or months often passed before updates reached individual machines. Publicly revealing details about computer bugs — even if fixed in the latest release — gave an edge to malicious hackers until the software fixes arrived, he believed.

Torvalds also resisted suggestions that security deserved a special place in the hierarchy of concerns faced by software makers. All flaws, in his view, were equally serious. This attitude was enshrined in a public posting in July 2008 that said: “I personally consider security bugs to be just ‘normal bugs.’ I don’t cover them up, but I also don’t have any reason what-so-ever to think it’s a good idea to track them and announce them as something special.”

This comment — often recalled in shorthand as Torvalds’s declaration that “bugs are just bugs” — is the line most often quoted by his critics as they seek to explain what they consider a persistent, almost willful tone-deafness on security. These experts say that although most bugs are mere glitches that might cause a function to fail or a program to crash, others are far more serious, offering malicious hackers an opening to take total control of computers.

Those who specialize in security think in terms of categories of bugs. Each one is a cousin of others, some known, some not yet discovered, based on which functions they exploit. By studying each new one carefully, these experts say it is possible to defeat entire classes of bugs with a single fix.

But in his recent interview with The Washington Post, Torvalds rejected the notion that bugs could be usefully sorted into categories.

“I refuse to waste a second of my life — or any other developer’s life — trying to classify something that can’t be classified,” he said.

Rather than trying to create protections against “classes” of bugs, Torvalds hopes to inspire better coding in general. “Well-written code just doesn’t have a lot of special cases. It just does the right thing. . . . It just works in all situations.”

As for the exceptions, Torvalds shrugs. “Sometimes reality bites you in the ass. Sometimes it’s just bad coding.”

The Cassandras

There has been a recurring subplot in the history of the online world: For every advance, every thrilling new vista of possibility, there are those who warn of dangers lurking in shadows ahead. To borrow from Greek mythology, they are the Cassandras — often right in their prophecies, yet generally ignored until disaster actually arrives.

The leading Cassandra in the Linux story has been Spengler, whose critique of SELinux featured malevolent “Sesame Street” characters in 2009. He and a pair of collaborators, who worked for an affiliated project called the PaX Team, had over several years developed patches that dramatically hardened Linux. The best known of these techniques, called address space layout randomization, reshuffled each computer’s memory regularly. So even when hackers attempted to penetrate a system, it was difficult to steal files or implant malicious code.

Despite providing a steady supply of defensive innovations, Spengler did not become a popular figure within the upper reaches of the Linux community, where he was seen as extreme in his views and sometimes brittle in his manner. Plus, the Grsecurity and PaX patches, although universally regarded as cutting-edge security measures, can slow computer performance. Some also caused some features to perform less effectively, violating Torvalds’s cardinal rule against “breaking user space.”

Torvalds said recently of Spengler, “He’s one of the crazy security people, no doubt about it, and so we’ve butted heads.”

He added that Spengler “is somebody I respect from a technical standpoint,” but a split emerged that was philosophical and, eventually, personal.

Torvalds was happy to let Spengler’s project toil on the fringes of a sprawling Linux empire, but Torvalds showed little interest in overhauling the kernel itself to address complaints from the security community, especially if that meant exacting a significant price in operating system performance.

“The market for that is pretty small in the end,” he later said of Spengler’s project. “Most people don’t want the Grsecurity system.”

The limited consumer demand for security was not news to anybody who worked in the field. Spengler often lamented how, as Linux spawned a multibillion-dollar industry, he and his colleagues struggled to raise enough in donations to underwrite their work.

“People don’t really care that much,” Spengler later said. “All of the incentives are totally backward, and the money isn’t going where it’s supposed to. The problem is just going to perpetuate itself.”

Because the Linux kernel is not produced by a business, it does not respond to market conditions in a conventional way, but it is unquestionably shaped by incentives — and, most of all, by Torvalds’s priorities.

To carry out this vision, Torvalds has surrounded himself with dozens of code “maintainers,” each of whom helps manage different elements of the operating system. Anyone with an idea for improving Linux can craft the relevant code and submit it to a maintainer, who vets each proposal before sending the best ones upward to Torvalds.

From his home office above a three-car garage, Torvalds then approves — and occasionally rejects — the changes submitted by the maintainers and consolidates them before releasing the next version. Each new release typically affects hundreds of thousands of lines of code, and each change carries the risk of creating new bugs.

Although they once worked largely as volunteers, top maintainers today typically have day jobs with tech companies that have a stake in the growth of the operating system and pay salaries to developers to support that common goal. But the Linux development process remains decentralized, relying heavily on individual interests and initiative.

Even many Linux enthusiasts see a problem with this from a security perspective: There is no systemic mechanism for identifying and remedying problems before hackers discover them, or for incorporating the latest advances in defensive technologies. And there is no chief security officer for the Linux kernel.

“Security is an easy problem to ignore, and maybe everyone thinks somebody else should do it,” said Andrew Lutomirski, a maintainer for part of the Linux kernel and an advocate for introducing better defenses overall. “There certainly are people who have security as a much higher priority than Linus Torvalds does.”

Spengler’s quest to improve overall Linux security peaked in 2010, when he spoke at a Linux conference in Boston. He prepared an extensive presentation titled “Linux Security in 10 Years” that detailed a range of ideas for keeping the kernel safe even when hacks inevitably happened.

The proposals seemed so urgent to Spengler that he expected to see top Linux maintainers, and possibly even Torvalds, in the audience. But when he looked out across the half-empty room, Spengler saw none of them. They were all off at other meetings.

“These guys are just working on things that they’re interested in, and, for most of them, what they’re interested in is not security,” Spengler said recently. “My feeling with Linux is that they still treat security as a kind of nuisance thing.”

Signs of trouble

In the years since Spengler and others began warning about the security of Linux, it has triumphed in the marketplace. Google released its first version of the Android mobile operating system, which is based on Linux, in 2007, allowing Torvalds’s work to reach hundreds of millions of smartphones each year. Google also made the kernel the basis of Chrome OS, which is used in an increasingly popular category of cloud-based computers called Chromebooks.

Companies building the so-called Internet of Things — a massive universe including objects as diverse as online thermostats, heart-rate monitors and in-flight entertainment systems — also came to prefer Linux, which requires no fees that might drain away profits.

Those worried about security arguably have bigger problems than Linux, at least for now. Hackers are more likely to prey upon Oracle’s Java and Adobe’s Flash and Acrobat. But while many older, vulnerable pieces of software are being phased out, Linux is conquering new computing worlds.

As the operating system explodes in popularity, the debate over security has begun drawing attention beyond the world of Linux insiders. Sergey Bratus, an associate professor of computer science at Dartmouth College, argues that the kernel should be overhauled to streamline the code and to integrate the type of security features long advocated for by Spengler and other critics — even if the features slow computers down.

“In a device that I trust my life to, I would prefer this,” Bratus said.

The most famous overhaul in software history came in 2002, when Gates ordered engineers at Microsoft to make security their top priority, a process that took several years and helped the famously hackable staples of that company’s lineup to become considerably safer.

The security situation with Linux is not nearly so dire as it was for Microsoft in 2002. It’s also harder to see how such an overhaul could happen for an open-source project.

“Linux cannot just be turned around by a memo from Linus. He’s not Bill Gates,” Bratus said. “But a culture change is definitely needed before we start relying on these systems for everything.”

The Linux Foundation did suffer an embarrassing hack in 2011. More recently, in 2014, Linux devotees were unhappy to discover that an Italian surveillance company called Hacking Team had swiftly turned a Linux exploit known as “towelroot” into a skeleton key capable of gaining access to hundreds of millions of Android phones. This allowed Hacking Team to turn Android devices into powerful spying tools — capable of tracking targets, recording their conversations, rifling through their files and even taking pictures of them — on behalf of customers that included some of the world’s most repressive governments.

“It works :),” wrote one Hacking Team developer to another in an e-mail about towelroot, according to a trove published by WikiLeaks. “Good job, thanks!”

The security stakes for the tech industry were underscored in the keynote address at an August summit on Linux security that pointedly compared the blinkered attitude of software makers today to that of the automobile industry in the 1960s, when cars functioned well but failed to protect people during unforeseen events such as crashes — leading directly to unnecessary suffering and death.

“Let’s not take 50 years to get to the point where computing is fun, powerful and a lot less likely to maim you when you make a mistake,” concluded the keynote speaker, Konstantin Ryabitsev, who manages computer systems for the Linux Foundation.

‘Dodo birds had it coming’

The Cassandra myth reached its tragic climax when she warned the Trojans that a giant wooden horse on their shores — supposedly a gift of surrender after a long siege — actually was filled with Greek warriors who soon would emerge to destroy Troy. The Trojans laughed and ridiculed Cassandra. They realized their error when it was too late.

In the days after Ryabitsev gave his August keynote address suggesting that software makers should rethink how they approach security, several Linux maintainers exchanged messages on a public mailing list about the possibility of revisiting some of the issues long raised by Spengler and other critics.

“We have some measures in place, although we are really not doing everything we can,” wrote James Morris, maintainer of Linux’s exterior defenses against attackers. As evidence of his concern, Morris cited occasions when bugs are discovered that are thwarted by Grsecurity — Spengler’s patches — but not the main kernel released by Torvalds.

Spengler’s name soon came up explicitly in the discussion, although participants correctly guessed that he had little interest in taking part in such an effort now. (“I already did it in 2010,” he said in an interview afterward. “It’s kind of annoying that nothing came of it at the time. . . . I feel it would be better if they came up with their own ideas.”)

Among those who were part of the discussion was Kees Cook, the Linux security engineer who now works for Google. He, too, recalled Spengler’s call to action in 2010. Cook said there have been improvements since then — what he called “the low-hanging fruit” — but not enough.

“We’re five years into that list, and we’ve only scratched the surface,” said Cook, who in addition to his work for Google is a maintainer for Linux and part of a kernel security response team. “There is not the cultural shift I’d like to see.”

Yet Cook and others say that the chances of a major reconsideration of kernel security may now be better than ever. Edward Snowden’s revelations about the extent of government spying — and about how the NSA took advantage of security weaknesses that experts often knew about but had failed to get fixed — have alarmed many in the tech community. So have the recent rash of high-profile hacks, including the massive pilfering of personal data from the U.S. government computers at the Office of Personnel Management.

“Given some of the evidence of the widespread security problems, it’s a little easier to introduce the topic again,” Morris said in an interview. “Now that we’re looking at literally billions of Linux systems out there, I think people are starting to wake up.”

The online discussion sparked by Morris in August has produced at least one tangible result: At the annual Linux Kernel Summit in Seoul last week, he and Cook gave a presentation that echoed many of Spengler’s points from 2010 — only the list of problems needing serious attention had doubled, from six to 12. And this time, Torvalds and some of his top deputies were there.

There was a revealing moment, however, when Cook raised the possibility of adding an especially intrusive feature long offered by Grsecurity. Torvalds immediately spoke up, saying this was “the kind of idea that makes security people look crazy,” according to LWN.net, a site that follows Linux issues.

Torvalds has often said — and reiterated after the meeting in Seoul — that he is open to new kernel defenses if the cost in performance is reasonable. But debate remains about what qualifies as “reasonable.”

Torvalds himself still instinctively resists anything smacking of a dramatic overhaul, asking the world to trust the Linux development model’s gradualist, evolutionary approach in which problems — and the trouble that often results — lead to computer code continually improving.

“I don’t think you have an alternative,” Torvalds said in the interview with The Post. “I don’t think you can design things better than they evolve. . . . It really is working very well.”

And what, he was asked, of the inevitable costs of evolution? The entire species, like the dodo bird, that have died off? Must progress come at such a price?

Torvalds smiles again. “Dodo birds had it coming.”

But dodo birds, driven from existence after the arrival of humans ruined their native island habitat, had little chance to protect themselves from doom. What about the Trojans?


Security of critical phone database called into question
By Ellen Nakashima
Washington Post, 2016-04-28

Federal officials fear that national security may have been jeopardized when the company building a sensitive phone-number database violated a federal requirement that only U.S. citizens work on the project.

The database is significant because it tracks nearly every phone number in North America, making it a key tool for law enforcement agencies seeking to monitor criminal or espionage targets.

Now Telcordia, a Swedish-owned firm, is being compelled to rewrite the database computer code — a massive undertaking — to assuage concerns from officials at the FBI and Federal Communications Commission that foreign citizens had access to the project. These officials fear that if other countries gain access to the code, they could reap a counterintelligence bonanza, learning the targets of U.S. law enforcement and espionage investigations.

The security rewrite began in March after the agencies learned that a Chinese citizen with a U.S. work permit had helped write the system code, said individuals familiar with the matter who spoke on the condition of anonymity to discuss a sensitive matter. Seven other foreign citizens, including a British engineer, also worked on the project, although it was the Chinese engineer who raised red flags for officials.

In a separate development, a former Telcordia employee in New Jersey alleged in a civil lawsuit made public this week that he was fired in retaliation for blowing the whistle on a foreign worker.

Put together, these incidents raise a broader question about the security of a database that is perhaps the most important cog that most people have never heard of in the communications network.

The system was created in 1997 to solve a consumer problem: allowing people to keep their numbers when they switch phone companies. It is also instrumental every time a person makes a call or sends a text message, allowing that person’s carrier to ping the database to learn which other phone service should next receive the call or text. In addition, law enforcement agencies rely on the database to link suspects’ numbers to carriers so that search warrants can be executed.

Telcordia, headquartered in Piscataway, N.J., and owned by Ericsson, said in a statement that the foreigners who worked on the project were all “highly qualified” legal U.S. residents with work permits and that the company’s work now meets all the security requirements of its contract. The company would not comment on whether the Chinese engineer was let go or reassigned but said that no foreign citizens were working on the system any longer.

“There was no indication that there was any issue with any source code but regardless, to mitigate any concerns, the final application will be an entirely new version, designed and coded by U.S. citizens,” Telcordia spokeswoman Sharon Oddy said.

Oddy also said that the former employee’s claims in court were without merit.

From its creation, the system, called the Number Portability Administration Center (NPAC), was run by a Northern Virginia-based firm, Neustar. The firm has run NPAC under a contract with a consortium of phone companies that pay for the database’s operation. But in 2013 for the first time, the work was put up for competitive bid. Last year, Telcordia was given the go-ahead to begin negotiating a contract, which still needs to receive final approval from the FCC.

One of the requirements: Only U.S. citizens could work on the project. Last fall, the FCC learned of a Chinese citizen being employed by Telcordia for the database and contacted the FBI, officials said. The two agencies conducted a review.

[This is crazy.
Why should one assume that, just because someone is a U.S. citizen, he or she is not a security risk?
The people working on critical aspects of this project should be required to undergo security scrutiny to verify that they are not a security risk.
Merely being a U.S. citizen is no guarantee of that.]

“Consistent with that review and in close coordination with the national security agencies, the commission and Telcordia agreed that the company would discard the pre-contract work performed and start entirely anew,” FCC spokesman Mark Wigfield said in a statement to The Washington Post.

The current draft contract “includes rigorous oversight measures and explicitly requires that only appropriately vetted U.S. citizens work on the project,” Wigfield said.

FBI spokesman Christopher Allen confirmed that the FBI is working “closely with the FCC . . . to help identify and mitigate national security and law enforcement risks.”

In addition to the counterintelligence risks, officials are concerned that if access to the database fell into the wrong hands, a hacker could misdirect calls to erroneous or nonexistent networks, which could be especially disruptive during a national emergency.

Some critics have faulted the FCC and the phone company consortium,
which wrote the language requesting bids,
for not building in adequate security requirements from the start.

“The right time to be addressing the issues is at the [bid] stage,
not after you’ve selected a winner and are trying to retrofit security as an afterthought,”
said Michael Chertoff, a former secretary of homeland security who was paid by Neustar to help with its bid for the contract.

The United States has long been concerned about Chinese espionage.

The Chinese breach of the Office of Personnel Management’s databases, which exposed sensitive information concerning more than 22 million current and former federal employees and their families, was seen by intelligence officials as a move by Beijing to build dossiers on employees they might target or recruit for spying.

Neustar, which declined to comment for this story, last year appealed the FCC’s selection of Telcordia to a federal court on grounds that the process was unlawful.

Neustar’s contract was worth $496 million a year, whereas Telcordia said it could do the same work for $143 million annually.

Neustar is expected to continue running the NPAC database until the transition to Telcordia has been completed. As part of that transfer, Telcordia must build its own system, a task that Oddy said the company expects to finish by fall 2017 as called for in the draft contract.

The source code for Neustar’s NPAC took hundreds of thousands of hours to write, said an industry official familiar with the project. Some 4,800 telecommunications systems from 2,000 carriers feed information to the database. “It is a major undertaking,” the official said.