a personal update

Tomorrow (Jan 31st) is my last day on the Research Faculty at Harvard Medical School and Children’s Hospital Boston. It’s been a fantastic ride thanks entirely to the folks with whom I had the pleasure of working, in particular Zak Kohane and Ken Mandl. Ultimately, I finally noticed what was staring me in the face: I love building software systems, and the right place for me to do that now is industry. I’m no stranger to it, and I’m excited to be back.

I’m taking two weeks off. I won’t be blogging or tweeting (much). I’ll be digging into a very thoughtful gift just received (what timing!): the Flour Bakery recipe book. If you live in Boston and you haven’t been to Flour, you’re simply missing out (or you don’t like baked goods, which is just too sad to think about.) This week’s goal, currant scones. Should be at least interesting, maybe delicious.

As to what I’m doing next… that’s for a blog post to be written 2 weeks from now. I’ve had some fantastic discussions with amazing people these last few weeks, and there are a few more conversations to be had before the picture is truly filled in. See you on the flip side of a few days spent with family and friends.

The Accidental Tinkerer, Unexpected Lock-in, and Fatherhood

Ben Fry recently explained his concerns about the iPad:

I want to build software for this thing. I’m really excited about the idea of a touch-screen computing platform that’s available for general use from a known brand who has successfully marketed unfamiliar devices to a wide audience.
[..]
It represents an incredible opportunity, but I can’t get excited about it because of Apple’s attempt to control who creates for it, and what they can create for it. Their policy of being the sole distributor of applications, and even worse, requiring approval on all applications, is insulting to developers.
[..]
I find it offensive on a very basic level, because I know that if such restrictions were in place when I was first learning to write software — mostly on Apple machines, no less — I would not have a career in the field.

John Lilly followed up brilliantly:

In a nutshell, what worries me about the trajectory of computing is not so much the emergence of tightly-controlled, non-tinkerable boxes, but the presumption that “normal people” don’t ever want to tinker, don’t want to be bothered with understanding how things work. I think it’s not true, really — certainly not for everyone — but I even think that this distinction between “normal people” and “tinkerers” or “techies” or “makers” is bogus at best, and really dangerously corrosive at worst.
[..]
It’s not like I was born an engineer — the instinct to fiddle with things isn’t something we’re born with. I became a tinkerer because I was exposed to surfaces that allowed — that invited — it. I figured out that I liked tweaking and building and creating because I got a bunch of chances to do that stuff, from hardware to software and everything in between. I knew I could do it because Dad modeled that behavior, but also because the stuff we had around the house was inspectable and malleable.
[..]
We all have the potential inside us to make things. But we’re not born into the world as makers — the world around us — the people in it and the artifacts in it — help us to discover what we can be.

I don’t know that I agree 100% with John: not everyone is a tinkerer. But, for sure, we need “surfaces that invite tinkering,” otherwise those who would be tinkerers might never discover it.

I was a tinkerer from an early age, but most of my tinkering in the physical world sucked, because, well, I don’t have good instincts about physics or analog things: I’m a digital kind of guy. So my egg-drop competition entries were overly complicated, my solar ovens were a perfect fit for a raw diet, my matchstick suspension bridges were unsafe at any speed, and my analog-circuit-based room-alarm systems would go off at random times in the middle of the night, or not at all, but at least would consistently end up blowing out the LED indicator (what do you mean you can’t connect the power source straight to the LED?)

I might have given up on tinkering, were it not for software… that was something else.

When my father brought home our first computer, a Thomson MO5, I was hooked. I spent hours transcribing BASIC programs from the 3 magazines I could find on the topic (this was Paris, France, not exactly Silicon Valley.) My dad took me to the office so I could talk to some Thomson engineers and debug my floppy disk drive. Later came the TO7, and eventually the Apple IIGS, my first “major” Pascal program to help my mother schedule carpooling (and my first taste of how hard it is to write a scheduling algorithm), my second “major” Pascal program to manage the Prom guest list. I wrote my final Geography report using a page-layout program on the Apple IIGS that probably cost me hours of extra time because of its bugs and the work-arounds I had to find, and got a worse grade for it because “not everyone can afford such fancy software, so we took off a couple of points” (for those of you still confused, THAT is socialism.) Not long after that I was applying to MIT and tinkering with one of the first e-commerce web sites. I love what I do, but would I have discovered this love without those first few lines of BASIC on that MO5 computer, written without anyone’s permission or knowledge?

Over time, though, I have become a little bit complacent about openness. I own an iPhone, and I’ve bought a few apps. I bought music on iTunes, and figured the DRM was not so problematic. I got a Kindle and bought some books. And then one day Apple’s DRM server went down and I couldn’t play music for a few hours. And Amazon decided to recall the book “1984”. And Apple decided to retroactively remove a bunch of apps they considered “not useful enough.” So I started thinking, maybe it’s time to get a different phone.

But I can’t. See, in the interim, I got unexpectedly locked in. I sync my calendar via MobileMe. I sync my music/TV shows via iTunes. Moving to something like a Palm Pre is going to take a significant effort. So how much worse will it be if I get an iPad, get some apps, and Apple decides to change the rules in a way that I don’t like? How locked in will I be then?

This change is happening gradually. At no point are you going to be shocked by an unfortunate Apple decision. You’ll enjoy your iPad, you’ll buy more apps, you’ll enjoy it even more. Apple will make a few decisions that inconvenience you, but you’ll deal. Until one day you’re inconvenienced enough that you might begin to look elsewhere. But you won’t be able to, because your data will be locked in. 3 years ago, we didn’t even have 3rd-party apps on the iPhone. Today, we have more than 100,000, and they’re all rushing to the iPad at warp speed. Change is happening.

One last point. A few months ago, I became a father. My wonderful little boy has an incredible appetite for life. Will he be a tinkerer? I don’t know, but if I had to bet I’d say yes. Will I be able to do for him what my father did for me? What will he tinker with, if everything in the house is a polished, professional, touch-but-don’t-tinker device? If he is to be a maker, a tinkerer, will he be able to fully explore his ideas if the rules of his digital universe are decided by the whims of Apple, Facebook, and Google?

I’m not sure. Maybe he will find a way, the way that kids do. Or maybe we, the generation that is witnessing this change, need to make sure that the rules of computing do not become a permanent, universal, inescapable sandbox.

Owning Genes

At some point in the history of patents, something went a little nutty: it became possible to patent genes themselves. Not “a method for extracting” a gene. Not “a method for synthesizing” a gene. But the gene itself. As a result, a number of biotech companies own human genes. If you want to find out if you have a dangerous mutation that predisposes you to breast cancer, no matter which lab you choose, no matter which technology they use to test you, they have to pay a royalty fee to the gene patent holder.

One can have a number of arguments as to whether this is an efficient way to do research. Hint, it’s not, it’s terrible, it makes research fantastically expensive and slow. But I’m actually less concerned about that than I am about the principle: how is it okay for a naturally occurring substance that is part of me to be controlled by someone else? It’s ludicrous, and it violates a basic sense of personal freedom. Might a patent holder eventually have the right to charge me because my body is naturally producing a beneficial chemical derived from “their” gene?

So the ACLU is taking on this fight, and I commend them for it. This is a big deal. And the opposition to their action is going to be fierce, because the short-term financial interests in gene patenting are enormous. But this is the fight that matters for personal genomic freedom, efficient biomedical research, and generally finding a sane balance between necessary commercial incentives and basic freedoms. Patent a novel genome sequencing technique? Yes, by all means. Patent a gene itself so that no matter what other sequencing technique is invented, it can’t be used to sequence the “owned” gene? Insane, and wrong.

Does CVS provide a CSV?

Over the last two years, I’ve spent most of my time on… not elections believe it or not, but rather the personal control of health data over at Children’s Hospital, Boston, with a fantastic crew. And so now it turns out that health data is super cool, what with the Obama recovery plan and the significant funding towards NIH / electronic medical records. I didn’t see it coming, but I can’t say I’m unhappy, of course.

Over at CHIP (Children’s Hospital Informatics Program), we’re a bunch of folks who feverishly believe that Personally Controlled Health Records (PCHRs), records you get to share, protect, augment as you see fit, are going to be the IT platform of a new, more efficient health care system. You don’t have to believe me, you can just ask Clayton Christensen, the Harvard Business School professor who wrote the book(s) on disruptive technology. And Microsoft HealthVault and Google Health certainly seem to agree with that concept. My group’s project, Indivo, was the original PCHR that inspired the Google and Microsoft efforts (long before I arrived on the scene, so I take no credit.)

Recently, Google Health announced a deal where you can get your CVS pharmacy data into Google Health. That’s great… but can I get the data without involving Google Health if I want to? In other words, will CVS offer me a CSV (comma-separated values) file of my data so I can put it in my own spreadsheet or upload it to a competing PCHR?

I don’t know for sure, but from their web site it looks like they do not support that machine-readable data export. In other words, it’s your data, as long as you use Google Health. (Oh sure, you can export from Google Health, but what if you don’t like Google’s privacy policy?)

Adam Bosworth recently wrote about data liquidity in health records, and he’s right on. Data liquidity means that we stop with these one-off integrations, and start building common APIs and open data formats. Only then will we gain the efficiencies we seek from letting individuals truly control their personal health record.

Don’t Hash Secrets

Building secure systems is difficult. It would be nice if we had a bunch of well-designed crypto building blocks that we could assemble in all sorts of ways and be certain that they would, no matter what, yield a secure system overall. There are, in fact, folks working on such things at a theoretical level [Universal Composability].

But even if you had these building blocks, you would still have to use them in their intended way. A component can only be secure under certain well-defined circumstances, not for any use that happens to look similar.

One area of secure protocol development that seems to consistently yield poor design choices is the use of hash functions. What I’m going to say is not 100% correct, but it is on the conservative side of correct, so if you follow the rule, you (probably) can’t go wrong. You might be considered overly paranoid, but as they say, just because you’re paranoid doesn’t mean they’re not after you.

So here it is: Don’t hash secrets. Never. No, sorry, I know you think your case is special but it’s not. No. Stop it. Just don’t do it. You’re making the cryptographers cry.

What the heck am I talking about, you say? I’ll explain. But before we get lost in the details, just remember. Don’t hash secrets. Ever. Kapish?

What exactly do you mean by “Hash”?

A hash function takes any document, big or small, and creates a short fingerprint. That gigabyte movie of your newborn baby? Hash it with SHA1, and you’ve got yourself a 160-bit (~30 alphanumeric characters) fingerprint. Now, hold on, you say, 30 characters? You’ve hashed my baby to pieces and all that’s left is a measly 30 characters? No, no, don’t worry, your baby is still a unique snowflake. You can’t take those 30 characters and, from them, recover your gigabyte video. This is not uber-data-compression.

But it’s going to be darn hard for you to find any other document, big or small, that hashes to the same 30 characters. In fact, it’s so hard, even the most powerful computer in the world dedicated to this one task for hundreds of years won’t succeed at finding that doppelganger document. You’ve got lots of computers you say? You’re Google and you have hundreds of thousands of computers? Yeah, well…. tough. You still won’t succeed.

In fact, you can try something that should be easier: rather than find another document that hashes specifically to those 30 characters that represent your baby, you can go looking for any two documents that happen to hash to the same thing (collide). And you won’t find any such pair. Promised. We call that “collision resistance”. That thing about how you can’t find another document that hashes to the same value as your baby video? We call that “second pre-image resistance.”

Oh, and I forgot to mention that this magical function, SHA1, is public. Anyone can see the code. There are no secrets. Even if you see the code, you can’t find a collision. No, really, I’m not screwing with you.

I want to hash everything!

That’s usually the reaction after discovering the amazing power of hash functions. There are all sorts of nails just waiting for this magical hammer, so let’s start hashing everything in sight. De-duplicating large documents? Hash and compare! Passwords in a database? Hash and store! Anonymizing names in a database? Hash and pseudonymize!

After all, the magical power of a hash function is that you can’t “go back,” right? Given a hash, it’s impossible to get that pre-image, so hash away, my magical crypto friends!

Wrong.

Yeah, so it’s not quite that magical.

Let’s say I give you a SHA1 hash value 29b0d7c86b88565b78efffeea634cee81a209c92. From that hash alone, you can’t tell what I hashed. But if I tell you that I hashed a password, then all you need to do is try a bunch of common passwords and see which one matches. In this case, I hashed “love”, one of the most common passwords there is.

Now you start to see how this “you can’t go back” reasoning fails: if you know the domain of possible pre-images, and that domain is not too large, then you can just try them all and see which one matches. That’s a big strike against the “hash everything” approach.

Sprinkle in some Salt

It gets more interesting with the complete password use-case. Many web developers already know that they shouldn’t store user passwords in the clear in the database, just in case a break-in reveals every user’s password. So, instead of storing passwords in the clear, let’s store a SHA1 hash of the password, against which a candidate password can be easily checked: hash it and compare.

Now the web developers who have been around the block a few times know that, if you just apply SHA1 blindly, you’ve got the “small domain” problem I just mentioned. An attacker can build up a huge dictionary of hashed passwords just once, and, when he breaks into your web site, check the hashes against this pre-built dictionary.

To prevent these “dictionary attacks”, we add salt to the hashing process, so that each user’s password is hashed differently, and generic attacks don’t work: you have to rebuild the dictionary for each user you choose to attack. Sprinkling in salt is easy: just concatenate the password with a random string:

SHA1("TheAnswerIs42" || "love") = ce75a1c90ed564a231de85d93520f1e47726df64

Then, when a user types in a password, e.g. “lvoe” (a typo), the system checks:

SHA1("TheAnswerIs42" || "lvoe") = f832b210d62251c19a374a175bff760935c540d4
                               != ce75a1c90ed564a231de85d93520f1e47726df64

and sure enough, that doesn’t match, so the password is rejected.

Of course, the system has to keep the salt “TheAnswerIs42” around to check the password, otherwise, it can’t re-perform the hash. So, if an attacker breaks in, he’ll find the salts, of course. This means that salting won’t protect a user with a weak password. But it will provide better protection for users with reasonable passwords, since, even with the salt in hand, the attacker will have to re-compute the dictionary for each salt, and thus each user.
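The salting behaviour described above, as an added example that is not part of the original post: it follows the post's SHA1(salt || password) construction and checks which accounts in a leaked table one pre-built dictionary would reveal. The user names, the password list and every function name are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample of common passwords; a real pre-built dictionary is far larger.
COMMON_PASSWORDS = ["123456", "password", "love", "qwerty", "letmein"]


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def new_record(password: str, salted: bool = True) -> dict:
    """Stored row for one user: the salt and SHA1(salt || password)."""
    salt = secrets.token_hex(16) if salted else ""
    return {"salt": salt, "hash": sha1_hex((salt + password).encode())}


def check_password(record: dict, candidate: str) -> bool:
    """Re-perform the hash with the stored salt and compare in constant time."""
    recomputed = sha1_hex((record["salt"] + candidate).encode())
    return hmac.compare_digest(recomputed, record["hash"])


def build_dictionary(salt: str = "") -> dict:
    """Hash every common password under one salt.

    This is the work that must be redone for each distinct salt.
    """
    return {sha1_hex((salt + p).encode()): p for p in COMMON_PASSWORDS}


def exposed_by(dictionary: dict, table: dict) -> dict:
    """Users of a leaked table whose stored hash appears in the dictionary."""
    return {user: dictionary[row["hash"]]
            for user, row in table.items() if row["hash"] in dictionary}


def demo() -> dict:
    # Constructed accounts: two weak passwords, one reasonable one.
    passwords = {"alice": "love", "bob": "love",
                 "carol": "correct horse battery staple"}
    unsalted = {u: new_record(p, salted=False) for u, p in passwords.items()}
    salted = {u: new_record(p) for u, p in passwords.items()}

    generic = build_dictionary()                           # built once, no salt
    for_alice = build_dictionary(salted["alice"]["salt"])  # rebuilt for one user

    return {
        # One dictionary reveals every weak password in the unsalted table.
        "unsalted_vs_generic": exposed_by(generic, unsalted),
        # The same dictionary matches nothing once each row has its own salt.
        "salted_vs_generic": exposed_by(generic, salted),
        # Rebuilding with alice's salt still reveals her weak password,
        # but not bob's, although he chose the same one.
        "salted_vs_alice_dictionary": exposed_by(for_alice, salted),
        "same_password_same_hash":
            salted["alice"]["hash"] == salted["bob"]["hash"],
        "typo_rejected": not check_password(salted["alice"], "lvoe"),
        "correct_accepted": check_password(salted["alice"], "love"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```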

So the moral of the story is that hashing the secret password directly is a bad idea.

And this is typically where most developers stand. They understand that hashing is good, they vaguely understand the notion of salting, and they figure that salt+hash is all they need to know. Except it’s not.

When hashing is really a signature

One interesting application of hash functions that has spread like wildfire in the last few years is in the realm of cheap signatures. Consider an application, SuperAnnoyingPoke, that wants to send an authenticated message to MyFace. It could apply a full digital signature, using say RSA, so that MyFace can be sure that the message really came from SuperAnnoyingPoke. But that actually takes milliseconds on an average computer, and milliseconds are a lot. Plus, there are all sorts of weird padding issues and size limitations that might require hybrid encryption, so it’s messy.

But hey, let’s take out our trusty cryptographic Swiss Army Knife, the hash function! Let’s salt+hash! We’ll just make sure that SuperAnnoyingPoke and MyFace share a secret string that’s a good 20 characters long or so, and when SuperAnnoyingPoke wants to send a message to MyFace, it will also send along a “Message Authentication Code” (MAC) that is computed as:

MAC = SHA1(secret_string || message)

MyFace can easily look at the message that is sent, recompute the MAC given the secret string it shares with SuperAnnoyingPoke, and compare it to the MAC sent along with the message. Heck, you can even put a timestamp in there to make sure the message can’t be re-played by an attacker at a later date. After all, since the hash function makes it hard to “go back” when you’re using a salt (the secret string), this should be a secure and cheap way to sign messages! Super!

Except this is where things really fall apart.

The security property we want here is that, if the attacker sees a message and its corresponding MAC, then it should not be able to figure out the MAC for a different message. That’s the whole point of a signature. And, unfortunately, there’s a property of SHA1 and lots of other hash functions like it that makes it a fast hash function, but a terrible way to compute a MAC.

Here’s the deal: if I tell you that SHA1(foo) is X, then it turns out, in a lot of cases, to be quite easy for you to determine what SHA1(foo || bar) is. You don’t need to know what foo is. It’s just that, because SHA1 is iterative and works block by block, if you know the hash of foo, then you can extend the computation to determine the hash of foo || bar.

Oh crap.

That means that if you know SHA1(secret || message), then you can compute SHA1(secret || message || ANYTHING), which is a valid signature for message || ANYTHING. So to break this system, you just need to see one signature from SuperAnnoyingPoke, and then you can impersonate SuperAnnoyingPoke for lots of other messages.

Why? How??? But…. I thought hash functions didn’t let me “go back!” Well, note how I didn’t say the attacker would recover the secret. It’s just that, given one hash, they can compute others for related pre-images. That’s why you have to be careful about using hash functions when you’re hashing secrets. Another strike against using hash functions willy-nilly.

(If you’re keeping up, your next suggestion is “well, put the secret AFTER the message, not before”. And yeah, that’s a reasonable suggestion, but it points out how you’re now assuming some extra properties of the SHA1 hash function in your design, and that’s bad. What if you upgrade to a different hash function in 5 years, do you then have to update your protocol to match? The point is that you shouldn’t be using a hash function for this, that’s not its purpose!)

HMAC

What you should be using is HMAC: Hash-function Message Authentication Code. You don’t need to know exactly how it works, just like you don’t need to know exactly how SHA1 works. You just need to know that HMAC is specifically built for message authentication codes and the use case of SuperAnnoyingPoke/MyFace. Under the hood, what’s approximately going on is two hashes, one after the other, with the secret combined after the first hash… but don’t worry about it! That’s the whole point! HMAC is built for this feature.

HMAC has two inputs and one output: in go a message and a secret, and out comes a message authentication code (i.e. a signature). The security of HMAC is such that you can see as many messages and corresponding signatures as your heart desires, and you still won’t be able to determine the signature on a message you haven’t seen yet. That’s the security property you’re looking for. And HMAC is built on top of a hash function, so more specifically you should be using HMAC-SHA1.

So, again, don’t hash secrets. HMAC them.
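The two sections above side by side, as an added example that is not part of the original post: a self-check showing that a verifier using SHA1(secret || message) accepts an extended message produced without the secret, while an HMAC-SHA1 verifier rejects the same attempt. The secret, the message, the suffix and all function names are constructed, and the secret's length is assumed known.

```python
import hashlib
import hmac
import struct

IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)


def _rol(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def sha1_padding(total_len):
    """Bytes SHA-1 appends to an input of total_len bytes before hashing."""
    return (b"\x80" + b"\x00" * ((55 - total_len) % 64)
            + struct.pack(">Q", total_len * 8))


def sha1(data, state=IV, prior_len=0):
    """SHA-1 written out block by block.

    With the defaults this is ordinary SHA-1. Passing `state` and `prior_len`
    resumes the computation as if `prior_len` bytes had already been absorbed.
    """
    h = list(state)
    data = data + sha1_padding(prior_len + len(data))
    for off in range(0, len(data), 64):
        w = list(struct.unpack(">16I", data[off:off + 64]))
        for i in range(16, 80):
            w.append(_rol(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
        a, b, c, d, e = h
        for i in range(80):
            if i < 20:
                f, k = (b & c) | (~b & d), 0x5A827999
            elif i < 40:
                f, k = b ^ c ^ d, 0x6ED9EBA1
            elif i < 60:
                f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
            else:
                f, k = b ^ c ^ d, 0xCA62C1D6
            a, b, c, d, e = ((_rol(a, 5) + f + e + k + w[i]) & 0xFFFFFFFF,
                             a, _rol(b, 30), c, d)
        h = [(x + y) & 0xFFFFFFFF for x, y in zip(h, (a, b, c, d, e))]
    return struct.pack(">5I", *h)


def naive_mac(secret, message):
    """The construction the post warns against: SHA1(secret || message)."""
    return hashlib.sha1(secret + message).digest()


def naive_verify(secret, message, tag):
    return hmac.compare_digest(naive_mac(secret, message), tag)


def hmac_tag(secret, message):
    return hmac.new(secret, message, hashlib.sha1).digest()


def hmac_verify(secret, message, tag):
    return hmac.compare_digest(hmac_tag(secret, message), tag)


def extend_without_secret(tag, secret_len, message, suffix):
    """Derive (longer message, tag) from a seen (message, tag) pair.

    The secret itself is never used. The 20-byte tag is SHA-1's internal
    state after secret || message || padding, so hashing can resume there.
    """
    glue = sha1_padding(secret_len + len(message))
    absorbed = secret_len + len(message) + len(glue)
    state = struct.unpack(">5I", tag)
    return message + glue + suffix, sha1(suffix, state, absorbed)


def demo():
    secret = b"constructed-shared-secret"  # constructed sample value
    message = b"from=SuperAnnoyingPoke&action=poke&ts=1200000000"  # constructed
    suffix = b"&action=ANYTHING"

    # Prefix-secret scheme: one observed tag is enough to extend the message.
    n_msg, n_tag = extend_without_secret(
        naive_mac(secret, message), len(secret), message, suffix)
    # Same procedure applied to an HMAC tag: the outer hash breaks it.
    h_msg, h_tag = extend_without_secret(
        hmac_tag(secret, message), len(secret), message, suffix)

    return {
        "naive_accepts_original": naive_verify(secret, message, naive_mac(secret, message)),
        "naive_accepts_extended": naive_verify(secret, n_msg, n_tag),
        "hmac_accepts_original": hmac_verify(secret, message, hmac_tag(secret, message)),
        "hmac_accepts_extended": hmac_verify(secret, h_msg, h_tag),
        "extended_message": n_msg,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```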

In Conclusion

There’s plenty more to read if you’re interested in this topic, but chances are, you’re not and you just want a recommendation. “Don’t Hash Secrets” is not always entirely necessary. In the password example, you can hash a password as long as you salt it correctly. But do you really want to have to worry about that? I don’t. In fact, I use HMAC for my password databases, too. It’s overkill, but it lets me use a standard library that likely makes me safer in the long run.

So the next time you’re using a hash function on anything, ask yourself: is any of the stuff I’m hashing supposed to stay secret? If so, don’t hash. Instead, use HMAC.

Translation from Rove-speak to Plain English

[inspired by John Gruber and Mark Pilgrim.]

Karl Rove, ex-Senior Advisor to Bush, in today’s Newsweek giving Obama advice.

Four months ago, you took the political world by storm in Iowa. The media were agog. They called your words “gorgeous,” your victory “a message to the world.” You “made history” and Americans could “look at ourselves with pride” in “a moment to marvel.”

Four months ago, your candidacy made me realize how I’ve destroyed the Republican Party for a generation.

Times change. The six weeks leading into Pennsylvania were difficult. You excelled at raising money and gaining endorsements, but got weaker as big problems emerged. Before you can fix them, you must understand them. In Pennsylvania, you won only 30 percent among Catholics and 29 percent among white working-class voters. Defections like this elect Republicans.

I’m grasping at straws, and I enjoy confusing a Primary and the General Election.

Even liberal commentators who adore you warn you can’t win with a McGovern coalition of college students and white-wine sippers from the party’s left wing. Saying small-town voters cling to guns, faith and xenophobia because of economic bitterness hurt you; it reinforced the growing sense you don’t share Middle America’s values. So did asking about the price of arugula in Iowa, dismissing the “true” patriotism of people who wear a flag lapel pin, being “friendly” (as your chief strategist, David Axelrod, put it) with a violent, unrepentant ’60s radical and having a close relationship with an angry pastor who expressed anti-American sentiments.

I just love bringing up that Arugula story and reminding you that, yes, a flag pin is all you need to be patriotic.

You argue the son of a single working mom can’t be an elitist. But it’s not where you start in life; it’s where you end up. After a prestigious prep school, Columbia and Harvard, you’ve ended up with the values of Cambridge, San Francisco and Hyde Park. So you’re doing badly in Scranton, Youngstown and Erie, where ordinary Americans live.

At least when Bush attended Ivy League schools, he didn’t become smart or anything.

HERE ARE SIX SUGGESTIONS FOR WHAT TO DO.

1. Your stump speech is sounding old and out of touch. You made a mistake by not giving the bored press (and voters) something new last Tuesday when you lost Pennsylvania. Come up with something fresh that’s focused on the general election. Recapture the optimistic tone of your start and discard the weary, prickly and distracted tone you’ve taken on.

Keep changing your message to stay fresh.

2. When you get into trouble, pick one, simple explanation. And stay with it.

The truth is not important. Don’t change the message, even if all evidence points to the contrary.

3. Your lack of achievements undercuts your core themes. It’s powerful when you say America is not “Red States or Blue States but the United States.” The problem is, you don’t have a long Senate record of working across party lines. So build one.

I am making things up and ignoring your significant bi-partisan achievements because I’d like you to go bury yourself in Senate work so people forget about you.

In the coming months, say that you’ll appoint Republicans to your cabinet and get a couple to say they’d serve.

I need a job cause McCain ain’t gonna win.

Highlight initiatives Republicans can agree on. Most importantly, push for a bipartisan issue now before Congress.

Bipartisan rocks when the President is a Democrat.

4. You speak of the “fierce urgency of now” that calls leaders to confront important challenges. Sounds good, but people are asking, what urgent issues have drawn your enormous talents? It’s counterintuitive, but spend less time campaigning and more time working the Senate. Pick a big issue and fight hard for it. Win or lose, you’ll give your argument substance.

Really, please, just go bury yourself in Senate work. For goodness sake, stay off the TV!

5. Stop the attacks. They undermine your claim to a post-partisan new politics. You soared when you seemed above politics, lost altitude when you did what you criticize. Attacks are momentarily satisfying but ultimately corrode your appeal.

I am Jack’s amused sense of irony.

6. To answer growing questions about your inexperience, people need to know, in concrete and credible ways, what they can expect from you as president. That’s missing now. And don’t think those position papers written by academics and posted on the Web do the job. They have a check-the-box quality to them.

You wrote a whole paper! Elitist!

Americans want to see your passion and commitment to things they care about, in ways that give them confidence you’re up to the job. They can smell when something is poll-tested and focus-grouped, not from the heart.

I am confusing you with Senator Clinton.

The only problem is, the Bush administration, building on the good work of the Clinton administration,

I really hope Hillary wins the nomination.

You’ll have to do both your homework and occasionally something that’s difficult for you (and most other politicians): admit you don’t know.

Oh god, my hypocrisy is too much even for me.

You have talent, intelligence and tapped into something powerful early in your campaign. But running for president is unlike anything you’ve ever done. You’re making mistakes and making people worry that you’re an elitist. So while you’ll almost certainly win the nomination, Democrats are nervous about the fall. You’ve given them reasons to be.

I am high as a kite.

Hope

In anticipation of tonight’s results, I was going to try to write something that captures my incredibly hopeful and enthusiastic state of mind, but my good friend Oliver beat me to it:

Doesn’t some part of you still believe that there are special moments in the world? Special people who catalyze and give a voice to a feeling that has been quietly building for years? When Kennedy pointed at the moon, when MLK stood on the steps of the Lincoln memorial, when Reagan talked about morning in America – didn’t these people shift the world around them just a little bit? Didn’t the right speech at the right time change you and how you saw the world?

Health Records and Me

This summer, I joined the faculty at Children’s Hospital Informatics Program. My work is focused on security and privacy of health data. One of the projects I’m contributing to was just announced in the press:

Dossia was established by major U.S. employers Applied Materials, BP America Inc., Cardinal Health, Intel Corporation, Pitney Bowes Inc. and Wal-Mart to create a Web-based system that will enable employees to gain access to their own personal health data, which is now largely inaccessible to them. Dossia will use a Web-based infrastructure to empower individuals to manage their own health care, improve communications with their doctors, and provide more complete and accurate information for healthcare providers than the current system, which continues to be fragmented and still partially paper-based.

[…]

Dossia also announced a collaboration with Children’s Hospital Boston to provide strategic and technological expertise and guidance in creating, deploying and operating the Dossia infrastructure. For more than a decade, researchers in the Children’s Hospital Informatics Program (CHIP), based at Children’s Hospital Boston and affiliated with Harvard Medical School and with the Harvard-MIT Division of Health Sciences and Technology have been leaders in pioneering and promoting personal control of health information as a key to improving consumer health management and outcomes, and in developing rigorous, privacy-protective methods of ensuring patient control over their own medical information.

And on that note, back to work…

New Things

So I defended successfully. I have a bit more writing to do, and I have a number of projects to wrap up cleanly here at MIT, but by end of August I’ll be done. It’s a bit crazy, really. My first day at MIT was 12 years ago. Since then, I have, in some way, always been associated with MIT. An undergrad, then a Master’s student, then on leave, then a PhD student. When I left MIT to go on leave, it was with the intent of eventually coming back. When I leave in August, though, it will be a final exit. These definitive transitions are fairly rare in life, I think.

Every exit is also an entrance, of course. Next Fall, I’ll be a Post-Doctoral Fellow at Harvard’s Center for Research on Computation and Society. I’m very excited to be working with this fantastic team. I will continue work on voting, while spending a bit more of my time on applied cryptography issues like web security and semantic web security. That’s the plan, anyways, but the plan is very much subject to change. After all, this is research.

And since it’s always good to organize your changes into neat little bundles, I’m also moving all of my hosted sites (including this one) to WebFaction, which, so far, has been quite good to me. And I’m ditching Typo, the Rails-based blogging system, because it hasn’t been working well for me in terms of features and usability. So this blog now runs on WordPress, with all old URLs (including the feed) still working.

Here’s to new things….