COMMUNICATIONS OF THE ACM | CACM.ACM.ORG | 10/2015 | VOL. 58 | NO. 10

Discovering Genes Involved in Disease and the Mystery of Missing Heritability
Crash Consistency
Concerns Rise about AI
Seeking Anonymity in an Internet Panopticon
What Can Be Done about Gender Diversity in Computing? A Lot!

Association for Computing Machinery

Previous A.M. Recipients

1966 A.J. Perlis; 1967; 1968 R.W. Hamming; 1969; 1970 J.H. Wilkinson; 1971 John McCarthy; 1972 E.W. Dijkstra; 1973; 1974; 1975; 1975 Herbert Simon; 1976 Michael Rabin; 1976; 1977; 1978 Robert Floyd; 1979 Kenneth Iverson; 1980 C.A.R Hoare; 1981 Edgar Codd; 1982; 1983; 1983; 1984; 1985 Richard Karp; 1986; 1986; 1987; 1988; 1989; 1990 Fernando Corbató; 1991; 1992; 1993; 1993 Richard Stearns; 1994; 1994; 1995; 1996; 1997; 1998 James Gray; 1999 Frederick Brooks; 2000 Andrew Yao; 2001 Ole-Johan Dahl; 2001; 2002; 2002 Ronald Rivest; 2002; 2003; 2004 Vinton Cerf; 2004 Robert Kahn; 2005; 2006 Frances E. Allen; 2007 Edmund Clarke; 2007 E. Allen Emerson; 2007; 2008; 2009 Charles P. Thacker; 2010 Leslie G. Valiant; 2011; 2012; 2012; 2013; 2014

ACM A.M. TURING AWARD NOMINATIONS SOLICITED

Nominations are invited for the 2015 ACM A.M. Turing Award. This is ACM’s oldest and most prestigious award and is presented annually for major contributions of lasting importance to computing. Although the long-term influences of the nominee’s work are taken into consideration, there should be a particular outstanding and trendsetting technical achievement that constitutes the principal claim to the award. The recipient presents an address at an ACM event that will be published in an ACM journal. The award is accompanied by a prize of $1,000,000. Financial support for the award is provided by Google Inc.

Nomination information and the online submission form are available on: http://amturing.acm.org/call_for_nominations.cfm

Additional information on the Turing Laureates is available on: http://amturing.acm.org/byyear.cfm

The deadline for nominations/endorsements is November 30, 2015.

For additional information on ACM’s award program please visit: www.acm.org/awards/

Departments

Editor’s Letter: What Can Be Done about Gender Diversity in Computing? A Lot! By Moshe Y. Vardi

Cerf’s Up: The Third Heidelberg Laureate Forum. By Vinton G. Cerf

Letters to the Editor: Ban ‘Naked’ Braces!

BLOG@CACM: The Morality of Online War; the Fates of Data Analytics, HPC. John Arquilla considers justifications for warfare in the cyber realm, while Daniel Reed looks ahead at big data and exascale computing.

Calendar

Careers

Last Byte

Future Tense: Processional. Information processing gives spiritual meaning to life, for those who make it their life’s work. By William Sims Bainbridge

News

Scientists Update Views of Light. Experiment sheds new light on wave-particle duality. By Gary Anthes

Automotive Systems Get Smarter. Automotive infotainment systems are driving changes to automobiles, and to driver behavior. By Samuel Greengard

Cyber Policies on the Rise. A growing number of companies are taking out cybersecurity insurance policies to protect themselves from the costs of data breaches. By Keith Kirkpatrick

Viewpoints

Inside Risks: Keys Under Doormats. Mandating insecurity by requiring government access to all data and communications. By Peter G. Neumann et al.

Technology Strategy and Management: In Defense of IBM. The ability to adjust to various technical and business disruptions has been essential to IBM’s success during the past century. By Michael A. Cusumano

Kode Vicious: Storming the Cubicle. Acquisitive redux. By George V. Neville-Neil

The Business of Software: Thinking Thoughts. On brains and bytes. By Phillip G. Armour

Historical Reflections: Computing Is History. Reflections on the past to inform the future. By Thomas J. Misa

Viewpoint: Rise of Concerns about AI: Reflections and Directions. Research, leadership, and communication about AI futures. By Thomas G. Dietterich and Eric J. Horvitz. Watch the authors discuss their work in this exclusive Communications video. http://cacm.acm.org/videos/rise-of-concerns-about-ai-reflections-and-directions

Viewpoint: Life After MOOCs. Online science education needs a new revolution. By Phillip Compeau and Pavel A. Pevzner

Image by Fabrizio Carbone/EPFL

Practice

Crash Consistency. Rethinking the fundamental abstractions of the file system. By T.S. Pillai, V. Chidambaram, R. Alagappan, S. Al-Kiswany, A.C. Arpaci-Dusseau, and R.H. Arpaci-Dusseau

Dismantling the Barriers to Entry. We have to choose to build a Web that is accessible to everyone. By Rich Harris

Articles’ development led by queue.acm.org

Contributed Articles

Seeking Anonymity in an Internet Panopticon. The Dissent system aims for a quantifiably secure, collective approach to anonymous communication online. By and Bryan Ford

Framing Sustainability as a Property of Software Quality. This framework addresses the environmental dimension of software performance, as applied here by a paper mill and a car-sharing service. By Patricia Lago, Sedef Akinli Koçak, Ivica Crnkovic, and Birgit Penzenstadler

Review Articles

Discovering Genes Involved in Disease and the Mystery of Missing Heritability. The challenge of missing heritability offers great contribution options for computer scientists. By Eleazar Eskin. Watch the author discuss his work in this exclusive Communications video. http://cacm.acm.org/videos/discovering-genes-involved-in-disease-and-the-mystery-of-missing-heritability

Research Highlights

Technical Perspective: Not Just a Matrix Laboratory Anymore. By Cleve Moler

Computing Numerically with Functions Instead of Numbers. By Lloyd N. Trefethen

About the Cover: Discovering the variants involved in human disease calls on computing scientists to lead the exploration of huge datasets. Eleazar Eskin examines the mystery of missing heritability (p. 80). Cover illustration by Charles Wiese; www.charleswiese.com.

Images by CWA Studios; Cienpies Design; Charles Wiese.

COMMUNICATIONS OF THE ACM
Trusted insights for computing’s leading professionals.

Communications of the ACM is the leading monthly print and online magazine for the computing and information technology fields. Communications is recognized as the most trusted and knowledgeable source of industry information for today’s computing professional. Communications brings its readership in-depth coverage of emerging areas of , new trends in information technology, and practical applications. Industry leaders use Communications as a platform to present and debate various technology implications, public policies, engineering challenges, and market trends. The prestige and unmatched reputation that Communications of the ACM enjoys today is built upon a 50-year commitment to high-quality editorial content and a steadfast dedication to advancing the arts, sciences, and applications of information technology.

ACM, the world’s largest educational and scientific computing society, delivers resources that advance computing as a science and profession. ACM provides the computing field’s premier Digital Library and serves its members and the computing profession with leading-edge publications, conferences, and career resources.

ACM Copyright Notice
Copyright © 2015 by Association for Computing Machinery, Inc. (ACM). Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and full citation on the first page. Copyright for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, to republish, to post on servers, or to redistribute to lists, requires prior specific permission and/or fee. Request permission to publish from [email protected] or fax (212) 869-0481.

For other copying of articles that carry a code at the bottom of the first or last page or screen display, copying is permitted provided that the per-copy fee indicated in the code is paid through the Copyright Clearance Center; www.copyright.com.

Subscriptions
An annual subscription cost is included in ACM member dues of $99 ($40 of which is allocated to a subscription to Communications); for students, cost is included in $42 dues ($20 of which is allocated to a Communications subscription). A nonmember annual subscription is $100.

ACM Media Advertising Policy
Communications of the ACM and other ACM Media publications accept advertising in both print and electronic formats. All advertising in ACM Media publications is at the discretion of ACM and is intended to provide financial support for the various activities and services for ACM members. Current Advertising Rates can be found by visiting http://www.acm-media.org or by contacting ACM Media Sales at (212) 626-0686.

Single Copies
Single copies of Communications of the ACM are available for purchase. Please contact [email protected].

COMMUNICATIONS OF THE ACM (ISSN 0001-0782) is published monthly by ACM Media, 2 Penn Plaza, Suite 701, New York, NY 10121-0701. Periodicals postage paid at New York, NY 10001, and other mailing offices.

POSTMASTER
Please send address changes to Communications of the ACM, 2 Penn Plaza, Suite 701, New York, NY 10121-0701 USA

Printed in the U.S.A.

editor’s letter

DOI:10.1145/2816937

Moshe Y. Vardi

What Can Be Done about Gender Diversity in Computing? A Lot!

The 2015 Grace Hopper Celebration of Women in Computing (GHC, for short) will take place October 14–16 in Houston, TX. GHC is an annual conference designed to bring the research and career interests of women in computing to the forefront. It is the world’s largest gathering of women in computing. GHC is organized by the Anita Borg Institute for Women in Technology in partnership with ACM. This year’s event is expected to bring together more than 12,000—mostly female—computer scientists!

But this impressive number should not be taken to mean all is well on the gender-diversity front. Far from it! According to the most recent Taulbee Survey (covering academic year 2013–2014), conducted by the Computing Research Association in North America, only 14.7% of CS bachelor’s degrees went to women. The U.S. Department of Education’s data shows the female participation level in computing peaked at about 35% in 1984, more than twice as high as it is today.

The low participation of women in computer science has been, indeed, a matter of concern for many years. The Anita Borg Institute was founded in 1997 “to recruit, retain, and advance women in technology.” (GHC is the Institute’s most prominent program.) The National Center for Women & Information Technology, founded in 2004, is another organization that works to increase the meaningful participation of girls and women in computing. And yet, we seem to be regressing rather than progressing on this issue.

The gender-diversity issue received a fair amount of attention over the past year, when several major technology companies released workforce-diversity data, showing, no surprise, a significant underrepresentation of women in technical jobs. Tech companies point, of course, to the narrow pipeline of women with computing degrees to explain this underrepresentation, but the culture inside some of these companies also seems to be a major factor. In fact, the male-dominated tech culture gave rise to the phrase “brogramming,” a slang term used to refer to computer code produced by “bros” (slang for male friends). A magazine article on the subject, titled: “Brogramming—The Disturbing Rise of Frat Culture in Silicon Valley,” was circulated widely a few years ago.

But amid the deluge of bad news, one can find some points of light. Carnegie Mellon University decided in the late 1990s to take decisive action on gender diversity and was able to increase the percentage of women entering its computer science program to 40%. A similar outcome was recently reported by Harvey Mudd College. The Anita Borg Institute, together with Harvey Mudd College, launched the BRAID Initiative (http://anitaborg.org/braid-building-recruiting-and-inclusion-for-diversity/) in 2014 to increase the percentage of women and students of color majoring in computer science in the U.S.

At my own institution, Rice University, we were able to raise the percentage of declared female majors (Rice students declare their major toward the end of the second year of study) from 14% in 2007 to 30% in 2014. What distinguishes Rice from Carnegie Mellon and Harvey Mudd is that computer science at Rice has no control whatsoever of the undergraduate-admission pipeline. To raise the level of participation of women in computer science at Rice required a departmental decision that we cannot simply blame the situation on the narrow pipeline of female high school graduates with interest in CS. Several measures were adopted:

• Changing CS1 from a course about programming techniques to a course about computational thinking. The latter course is more popular with both male and female students, and also puts students with widely varied high school computing experiences on a more level playing field.

• Creating a club for female computer science students. There are a fair number of female students who desire the camaraderie of an all-women computing group on campus, given that the CS student body is still very much male dominated.

• Having faculty members, male and female, develop mentoring relationships with female students to motivate and encourage them, including offering opportunities for interaction beyond the classroom, for example, undergraduate research opportunities.

• Continually dispel myths about the preparedness and ability of women for technical jobs.

• Last, but not least, sending female students to GHC. Especially given Rice’s small size, this allows students to see there are many successful women in the field.

The bottom line is that while the gender-diversity problem is a very challenging one, it is not hopeless. Indeed, the pipeline is narrow, but it can be expanded, one student at a time, one program at a time, one company at a time. Institutional and personal commitments can make a significant difference!

Follow me on Facebook, Google+, and Twitter.

Moshe Y. Vardi, EDITOR-IN-CHIEF

Copyright held by author.

cerf’s up

DOI:10.1145/2818988

Vinton G. Cerf

The Third Heidelberg Laureate Forum

I have just returned from the Third Heidelberg Laureate Forum[a] and it equaled and perhaps outperformed the previous two. It was also, however, a poignant event because we were reminded of the ephemeral nature of our human lives. The instigator and patron of these conferences, Klaus Tschira, passed away unexpectedly in March 2015. His enthusiasm, curiosity, and capacity for making things happen were greatly missed, but his spirit lives on in the leadership and staff of his foundations. They showed renewed commitment to Klaus’ vision, warmth, and generosity in the conduct of this extraordinary gathering.

A new element was introduced this year: a truly inspiring lecture by Nobel Prize winner Stefan W. Hell on the development of super-resolved fluorescence clear, animated, technical slides with his personal story, Stefan told of a compelling and dramatic odyssey toward a brilliant insight into the improved resolution of optical microscopy. Each future Heidelberg Laureate Forum will feature the “Lindau Lecture” by a Nobel Prize winner. The lecture is named after an annual meeting[b] of Nobel Prize winners and 600 students that has been held since 1951 in Lindau, Germany. It is now also planned that at each Lindau meeting, there will be a “Heidelberg Lecture” by one of the Heidelberg laureates. This has a personal consequence for me, as I have been invited to make that first lecture in 2016. This is a daunting prospect and I hope I will be up to it!

The lectures were once again thought provoking and stimulated a lot of discussion. There were many poster sessions and workshops that stirred comparable interactions and, as usual, there was ample time for informal discussion among the students and laureates. For me, the opportunity to explore ideas at meal times and on excursions represented a substantial portion of the value of this annual convocation.

Among the excursions was a new one (for me) to the Speyer Technik Museum[c] led by Gerhard Daum. The museum was originally built to house the Russian BURAN spacecraft[d]—the counterpart to the U.S. Space Shuttle. Daum, who had been collecting space artifacts since boyhood, brought hundreds of additional artifacts to the museum, including a full-size Lunar Excursion Module in a moon-diorama setting along with the moon rover vehicle and figures in spacesuits. The most surprising artifact was an actual during the Apollo 15 mission! The exhibition tells the story of the American, European, and Russian space efforts and includes many original artifacts from each. I spent at least an hour and a half with Daum, whose knowledge of the space programs around the world is encyclopedic in scope and rivaled only by his unbridled enthusiasm for space exploration.

ACM President Alexander Wolf represented ACM ably and eloquently and chaired one of the morning lecture sessions. Many ACM Turing Award recipients were key contributors to the event. Leslie Lamport gave a compelling lecture advocating the use of mathematics in the description of computer systems to aid in their construction and analysis. Manuel Blum brought drama to the stage by demonstrating how he could brief four volunteers on ways to “compute” passwords at need without memorizing them. All four succeeded! Sir reminded us the roots of computation and science go back to Aristotle and Euclid and other philosophers who have advanced the state of the art over millennia. Edmund Clarke drew our attention to the importance of being able to say something about the correctness of computations dealing with real, continuous quantities (“hybrid systems”). As we enter into a period in which we depend increasingly on cyber-physical systems, such considerations are vital. Ivan Sutherland demonstrated by construction that asynchronous computing is not only feasible but also incredibly fast. offered a personal history of computing by sharing his experiences with some of the giants in our field—it was as if the pages of a history book opened up. Butler Lampson reminded us there are principles for good system design: STEADY AID: simple, timely, efficient, adaptable, dependable, yummy and approximate, increment, iterate, indirect, divide (and conquer). Leonard Adleman led us through a fascinating exploration of Riemannian Surfaces and their properties in algebraic number theory. Peter Naur explored a synapse-state theory of the mind and its associative properties. Andy Yao drew attention to the growing potential of quantum computation. pondered when two mathematical functions are the same and used the concept of holographic transformations applied to computational complexity. Surprisingly, Valiant’s talk reignited my personal interest in the graph equivalence problem and I spent several hours exploring this with some students over dinner.

I am looking forward to Heidelberg and Lindau in 2016.

[a] http://www.heidelberg-laureate-forum.org/
[b] http://www.lindau-nobel.org/
[c] http://speyer.technik-museum.de/en/
[d] http://bit.ly/1NJicZd

Vinton G. Cerf is vice president and Chief Internet Evangelist at Google. He served as ACM president from 2012–2014.

Copyright held by author.

letters to the editor

DOI:10.1145/2816943 Ban ‘Naked’ Braces!

One fine business afternoon early in 1990, when we still used wires and microwave towers to make phone calls, and almost all long-distance calls went through big AT&T switches, one of the 100 or so 4ESS switches that handled U.S. long-distance traffic at the time hit a glitch and executed some untested recovery code. The switch went down briefly. No biggie, since traffic automatically took other routes, but in the process the initial switch that hit the glitch dragged its neighboring switches down, and the process cascaded across the country, as all the switches that handled long-distance traffic began to repeatedly crash and auto-recover. The result was that hardly any public telephone customer in the U.S. could make a long-distance phone call that afternoon, along with millions of dollars of time-sensitive business lost.

AT&T tried to contain the damage by rebooting the misbehaving switches, but as soon as a switch was brought back up, a neighboring switch would tell it to go down. The engineers at AT&T’s R&D arm, Bell Labs, who wrote the switch programs, were called in, and, by the end of the day, network normality was restored by reducing the network message load.

An investigation was launched immediately, and after digging through a few hundred lines of code, word-of-mouth within Bell Labs was that the culprit was a closing brace (}) that terminated a selection construct—but the wrong one. The lawyers at Bell Labs quickly claimed such a lapse of human frailty could never be avoided entirely, and so dodged any potential lawsuits.

The lawyers were right; the intrinsic nature of software is such that the total absence of bugs is never guaranteed. But the simple practice of tagging all closing braces (or end in some languages) with a brief comment that indicates which construct they are closing would go far toward eliminating such an error; for example, instead of just writing ‘}’ all by its naked self, write }//for, or }//if, or whatever.

Tagging construct terminators can be done without changing existing compilers, and since such construct terminators usually appear on a line of code by themselves, the structure of the code is not affected. All this does is make the code easier to understand and helps prevent bugs like the one just described. This practice is especially helpful when code must be moved about, which happens often. In addition, if coders want to go one step further in making their code understandable, a brief comment can be added after the tag, like this

}//for all transactions over a thousand dollars

This would also eliminate the usefulness of putting the opening brace on a line by itself where it would be separated, from a syntactic viewpoint, from the construct it is punctuating, while creating an almost blank line that could better serve to separate logically distinct parts of a program.

I thus propose adoption of this practice by all software engineers and coders forthwith, as well as taught to all beginners from the get-go.

A. Frank Ackerman, Butte, MT

Surprisingly Deep Roots of Word Processor Interface Design

The Research Highlight “Soylent: A Word Processor with a Crowd Inside” by Michael Bernstein et al. (Aug. 2015) reminded me how long software developers have been pursuing such basic concepts as reducing redundancy and improving readability in computer-generated text. Soylent recruits volunteer humans via the Web, through a novel form of crowdsourcing, to accomplish what has long been a goal for natural language processing—improving readability and reducing redundancy in computer-produced text. Early work on automated abstracting, as in Betty Mathis et al.’s 1973 article “Improvement of Automatic Abstracts by the Use of Structural Analysis” in the Journal of the American Society for Information Science, demonstrated an algorithm that improved readability. Mathis et al. cited 18 even earlier works, including those covering algorithms showing how to shorten abstracts by removing redundant and/or unnecessary phrases. Their earliest citation was to a 1958 paper by IBM’s Hans Peter Luhn “The Automatic Creation of Literature Abstracts” in the IBM Journal of Research and Development, demonstrating the deep roots of automated text generation.

Charles H. Davis, Bloomington, IN

CS Quantity Is Not CS Quality

Moshe Y. Vardi’s Editor’s Letter “Incentivizing Quality and Impact in Computing Research” (May 2015) was the first public acknowledgment I have seen of the problem of how to quantify quality in computer science research, as well as in applied computer science; that is, numbers alone do not determine quality. The belief in quantity-quality equivalence appears to have so permeated the computer science culture it is not uncommon to use quality numbers to cover real problems in research and software development. An instance I can cite from my own experience is the number of regression tests performed in software development despite the outcry from developers that most such tests add no value and in fact hinder development. I can only hope the realization of the problem of covering inferior research and practice with inflated numbers of published papers and software projects completed trickles down to the trenches of software development worldwide.

Raghavendra Rao Loka, Palo Alto, CA

Liability in Software License Agreements

Vinton G. Cerf’s “Cerf’s Up” column “‘But Officer, I was Only Programming at 100 Lines Per Hour!’” (July 2013) asked for readers’ views on how to address current software quality/reliability issues before legislative or regulatory measures are enacted. The lion’s share of the “persistent lack of software quality” problem lies not with software “professionals” but with business managers at software companies rushing to ship software well before it is ready for public consumption. There are few direct negative consequences for such decisions and far too many positive consequences, including the business mantra “First to market wins regardless of product quality.”

I still see nothing to alter this bleak landscape until society as a whole becomes so fed up with the sad state of software it finally enacts laws making it illegal for software vendors to disclaim liability in their license agreements. Such drastic measures would have immediate consequences: Most vendors would go out of business rather than face the legal and financial music of their past transgressions; the price of software would instantly jump by a factor of 5 to 50; development and delivery schedules would expand; software prices would vary by customer, reflecting the liability risk posed by the customer; and, as always, lawyers would continue to win, even as their clients lose.

Many software developers would lose their jobs, but those among them able to design, structure, and implement software in a reliable manner would be in demand and earn much higher salaries, especially if the title “professional” meant they were personally liable for any possible failure of software they approved. However, much of the higher salary would go to cover “professional insurance” premiums.

In many jurisdictions, those in the licensed construction professions have the power and legal authority to deny their signatures when appropriate, halting construction until the related flaw is corrected, and management cannot legally circumvent the process. How many software professionals wield such power over their own products? Until they have the authority, the primary problem for flawed software products will continue to reside outside the technical field of software development and computer science.

One hopes there would be a legal exception from liability for software that is free and/or open source. Freedom from liability could actually be an incredible stimulus for the free/open-source software market.

David Warme, Annandale, VA

Whose Calendar?

In Leah Hoffmann’s interview with Michael Stonebraker “The Path to Clean Data” (June 2015), Stonebraker said, “Turned out, the standard said to implement the Julian calendar, so that if you have two dates, and you subtract them, then the answer is Julian calendar subtraction.” I surmise this was a lapsus linguae, and he must have meant the Gregorian calendar used throughout the former British Empire since 1752.

Marko Petkovšek, Ljubljana, Slovenia

Author’s Response

I thank Petkovšek for the clarification. The two calendars are, in fact, different, and I meant the Gregorian calendar.

Michael Stonebraker, Cambridge, MA

Communications welcomes your opinion. To submit a Letter to the Editor, please limit yourself to 500 words or less, and send to [email protected].

© 2015 ACM 0001-0782/15/10 $15.00

Call for Nominations for ACM General Election

The ACM Nominating Committee is preparing to nominate candidates for the officers of ACM: President, Vice-President, Secretary/Treasurer; and five Members at Large.

Suggestions for candidates are solicited. Names should be sent by November 5, 2015 to the Nominating Committee Chair, c/o Pat Ryan, Chief Operating Officer, ACM, 2 Penn Plaza, Suite 701, New York, NY 10121-0701, USA.

With each recommendation, please include background information and names of individuals the Nominating Committee can contact for additional information if necessary.

Vinton G. Cerf is the Chair of the Nominating Committee, and the members are Michel Beaudouin-Lafon, Jennifer Chayes, P.J. Narayanan, and Douglas Terry.

Coming Next Month in COMMUNICATIONS

Information Cartography
Why Do People Post Benevolent and Malicious Comments?
Rolling ‘Moneyball’ with Sentiment Analysis
Inductive Programming Meets the Real World
Fail at Scale
Componentizing the Web

Plus the latest news about algorithmic authors, solving the cocktail party problem, and employee-tracking technology.

The Communications Web site, http://cacm.acm.org, features more than a dozen bloggers in the BLOG@CACM community. In each issue of Communications, we will publish selected posts or excerpts.

Follow us on Twitter at http://twitter.com/blogCACM

DOI:10.1145/2811284 http://cacm.acm.org/blogs/blog-cacm

The Morality of Online War; the Fates of Data Analytics, HPC

John Arquilla considers justifications for warfare in the cyber realm, while Daniel Reed looks ahead at big data and exascale computing.

John Arquilla
“The Ethics of Cyberwar”
http://bit.ly/1LFEU2g
July 2, 2015

All over the world, there is a growing sense conflict is spreading from the physical realm to the virtual domain. The 2007 cyber attacks on Estonia, the military use of cyberwar techniques in the 2008 Russo-Georgian War, and the “cybotage” committed against Iran’s nuclear program by the Stuxnet (http://bit.ly/1KMCIo0) worm are salient signs of a growing trend. These likely form the tip of an iceberg, as cyber attacks and counterattacks can be observed in many other places. It is high time, as this new mode of conflict diffuses in breadth and deepens in intensity, to think through the ethics of cyberwar.

Under what conditions should one engage in cyberwar? How should such a conflict be waged? These questions speak to the classical division in ethical thought about warfare that addresses the matter of going from peace to war justly, then ponders how to fight one’s battles honorably. In terms of going to war justly, there are three commonly held principles: Right purpose, which refers mostly to acting in self-defense; Due authority seeks authorization from a national or supranational body; and Last resort, which is self-explanatory. Ideas of fighting justly cluster around Noncombatant immunity, a focus on military vs. civilian targets, and Proportionality, avoiding excessive force.

Right purpose has always been a fraught element of just-war theory and practice. As Napoleon once said, “I had to conquer Europe to defend France.” Many military adventures follow similar logic, justifying acts of aggression as preemptive or preventive defensive actions. Stuxnet would fall in the ethically dodgy area of prevention, and one can see how cyber attack may move nations in the direction of preemptive and preventive action. Not good.

Due authority, until the Information Age, was confined to nations, coalitions, or even transnational bodies like the United Nations. NATO made choices to intervene militarily in Kosovo in 1999, and in recent years in Libya. The U.N. authorized action to repel invading North Korean forces in 1950; and so on. This category includes and allows ethical choices to go to war made by individual nations—even when that choice might have been made in error (like the U.S.-led war against Iraq in 2003, whose justification was the mistaken belief Saddam Hussein had, or soon would have, weapons of mass destruction). In cyberwar, “due authority” suffers because armies, navies, and air forces are not necessary; just malicious software and skilled hackers. “Authority” loses meaning in a world where aggressive networks, or even highly adept individuals, can wage cyberwar.

Last resort typically has referred to a requirement to pursue diplomatic efforts until it is clear they will not resolve a given crisis. This aspect of just-war theory has also proved a bit nebulous, as sometimes war is resorted to because one or another party to a dispute just gets tired of negotiating. The July Crisis of 1914 that led to World War I falls in this category. The Japanese-American talks in 1941 were frustrating enough to Tokyo that the choice was made to attack Pearl Harbor before diplomatic talks ended. When it comes to cyberwar, its fundamentally covert, deniable nature may mean it will be used during negotiations—clearly the case with Stuxnet.

Noncombatant immunity is the principle to avoid deliberate targeting of civilians. Over the past century, it has been outflanked by technologies that allow the innocent to be struck directly, without prior need to defeat armed forces protecting them. World War II saw deliberate burning of many cities—and nuclear attacks on civilians in Japan as soon as the atomic bomb became available. During the Korean War, virtually every building in Pyongyang was flattened, and a greater weight of bombs fell on North Vietnam in “the American War” than were dropped on Hitler’s Germany. How will this principle play out in an era of cyberwar? With far less lethal harm done to noncombatants, but no doubt with great economic costs inflicted upon the innocent.

Proportionality has proved less difficult to parse over the past century or so. By and large, nuclear-armed nations have refrained from using ultimate weapons in wars against others not so armed. Korea stayed a conventional conflict; Vietnam, too, even though the outcomes of both for the nuclear-armed U.S. were, in the former case an uneasy draw, in the latter an outright defeat. In cyberwar, the principle of proportionality may play out more in the type of action taken, rather than in the degree of intensity of the action. A cyber counterattack in retaliation for a prior cyber attack generally will fall under the proportionality rubric. When might a cyber attack be answered with a physically destructive military action? The U.S. and Russia have both elucidated policies suggesting they might respond to a “sufficiently serious” cyber attack by other-than-cyber means.

Classical ideas about waging war remain relevant to strategic and policy discourses on cyberwar. Yet, it is clear conflict in and from the virtual domain should impel us to think in new ways about these principles. In terms of whether to go to war, the prospects may prove troubling, as cyber capabilities may encourage preemptive action and erode the notion of “war” as a tool of last resort. When it comes to strictures against targeting civilians (so often violated in traditional war), cyberwar may provide a means of causing disruption without killing many (perhaps not any) civilians. Yet there are other problems, as when non-state actors outflank the “authority” principle, and when nations might employ disproportionate physical force in response to virtual attack.

In 1899, when advances in weapons technologies made leaders wary of the costs and dangers of war, a conference (http://bit.ly/1KMCJZg) was held at The Hague to codify the ethics and laws of armed conflict, followed by another meeting on the same subject in 1907. Perhaps it is time to go to The Hague again, as a new realm of virtual conflict has emerged. Even if we cannot live up to ethical ideals that might be agreed upon in such a gathering, it is imperative the world community should make the effort. Now.

Daniel A. Reed
“Exascale Computing and Big Data: Time to Reunite”
http://bit.ly/1SQ0X8w
June 25, 2015

In other contexts, I have written about cultural and technical divergence of the data analytics (also known as machine learning and big data) and high-performance computing (big iron) communities. I have called them “twins separated at both” (in http://bit.ly/1M186kd and http://bit.ly/1IUkOSF). They share technical DNA and innate behaviors despite superficial differences. After all, they were once united by their use of BSD UNIX and SUN workstations for software development.

Both have built scalable infrastructures using high-performance, low-cost x86 hardware and a suite of (mostly) open source software tools. Both have addressed ecosystem deficiencies by developing special-purpose software libraries and tools (such as SLURM (http://bit.ly/1M18i32) and Zookeeper (http://bit.ly/1IUl3xl) for resource management and MPI (http://bit.ly/1E4Ij41) and Hadoop (http://bit.ly/1IHHR1b) for parallelism), and both have optimized hardware for problem domains (Open Compute (http://bit.ly/1DlipOT) for hardware building block standardization, FPGAs (http://bit.ly/1KMEFRs) for search and machine learning, and GPU accelerators for computational science).

I have seen this evolution in both the HPC and cloud computing worlds. One reason I went to Microsoft was to bring HPC ideas and applications to cloud computing. At Microsoft, I led a research team (http://bit.ly/1K179nC) to explore energy-efficient cloud hardware designs and programming models, and I launched a public-private partnership between Microsoft and the National Science Foundation on cloud applications (http://bit.ly/1hfZr1V). Back in academia, I seek to bring cloud computing ideas to HPC.

Jack Dongarra and I co-authored an article for Communications on the twin ecosystems of HPC and big data and the challenges facing both. The article (http://bit.ly/1If45X0) examines commonalities and differences, and discusses unresolved issues associated with resilience, programmability, scalability, and post-Dennard hardware futures (http://bit.ly/1Dlj1E3). The article makes a plea for hardware and software integration and cultural convergence.

The possibilities for this convergence are legion. The algorithms underlying deep machine learning (http://bit.ly/1gEXlsr) would benefit from parallelization and data movement minimization techniques commonly used in HPC applications and libraries. Similarly, approaches to failure tolerance and systemic resilience common in cloud software have broad applicability to high-performance computing. Both domains face growing energy constraints on the maximum size of systems, necessitating shared focus on domain-specific architectural optimizations that maximize operations per joule.

There is increasing overlap of application domains. New scientific instruments and sensors produce unprecedented volumes of observational data, and intelligent in situ algorithms are increasingly required to reduce raw data and identify important phenomena in real time. Conversely, client-plus-cloud services are increasingly model-based, with rich physics, image processing, and context that depend on parallel algorithms to meet real-time needs.

The growth of Docker (http://bit.ly/1IHIHLl) and containerized (http://bit.ly/1DljqGL) software management speaks to the need for lightweight, flexible software configuration management for increasingly complex software environments. I hope we can develop a unified hardware/software ecosystem leveraging the strengths of each community; each would benefit from the experiences and insights of the other. It is past time for the twins to have a family reunion.

John Arquilla is a professor at the U.S. Naval Postgraduate School. Daniel A. Reed is Vice President for Research and Economic Development, University Computational Science and Bioinformatics Chair, and professor of Computer Science, Electrical and Computer Engineering, and Medicine at the University of Iowa.

© 2015 ACM 0001-0782/15/10 $15.00

VEE 2016 12th ACM SIGPLAN/SIGOPS international conference on Virtual Execution Environments Atlanta, GA April 2-3, 2016 with ASPLOS

Authors are invited to submit original papers related to virtualization across all layers of the software stack, from high-level language virtual machines down to the microarchitectural level. VEE 2016 accepts both full-length and short papers. Abstract deadline: November 23, 2015 Paper deadline: November 30, 2015


General Chair Program Co-chairs Vishakha Gupta-Cledat (Intel Labs) Donald Porter (Stony Brook University) Vivek Sarkar (Rice University)

http://conf.researchr.org/home/vee-2016

news

Science | DOI:10.1145/2811288 Gary Anthes

Scientists Update Views of Light

Experiment sheds new light on wave-particle duality.

The debate about whether light consists of waves or particles dates back to the 17th century. Early in the 20th century, Albert Einstein, Niels Bohr, and others exploring the world of quantum mechanics said light behaves as both waves and particles. Later experiments clearly showed this “wave-particle duality,” but they were never able to show light as both waves and particles at the same time.

Now, in a triumph of science and engineering at scales measured in nanometers and femtoseconds, international researchers have shown light acting as waves and particles simultaneously and continuously, and they have even produced photographic images of it. The scientists are from École Polytechnique Fédérale de Lausanne (EPFL) in Switzerland, Trinity College in Connecticut, and Lawrence Livermore National Laboratory in California.

The scientists fired intense femtosecond (fs) pulses of ultraviolet light at a tiny (40nm in diameter, 2 microns in length) silver wire, adding energy to charged particles on the wire that trapped the light in a standing wave along the surface of the wire. Then the researchers shot a beam of electrons close to the wire, and the electrons interacted with the photons of light radiating around the wire. These electron-photon interactions either sped up or slowed down the electrons in an exchange of energy packets (quanta) between the particles. These quanta created images of the standing light wave that could be seen by an ultrafast transmission electron microscope (UTEM), which can make videos at very high spatial resolutions.

[Figure: The first-ever image of light behaving simultaneously as a particle and a wave. Image by Fabrizio Carbone/EPFL.]

After interacting with the photons traveling along the wire, the imaging electrons carry information about the exchange encoded in their spatial and energy distributions, explains EPFL’s Fabrizio Carbone, the leader of the research team. These energy- and space-resolved images simultaneously show both the quantization of the light field (particles) and its interference pattern (waves). “For the first time, we can film quantum mechanics—and its paradoxical nature—directly,” Carbone says.

The electromagnetic radiation on the nanowire is not light in the conventional sense, but a form of light called “surface plasmon polaritons” (SPP), or simply “plasmons,” which exhibit all the properties—both classical and quantum—of light. Light striking a metal wire can produce these plasmonic fields as an electromagnetic wave that is coupled to free electrons in the metal and which travel along the metal-air interface. These surface waves have a wavelength much shorter than the light that produces them, and can exist in extremely tiny spaces and move at far sharper angles than ordinary light on an optical fiber.

“This is really an experimental tour de force, where you can visualize the beautiful plasmonic waves on these nano-needles,” says Herman Batelaan, a professor of physics at the University of Nebraska at Lincoln. “They use synchronous pulses of light and pulses of free electrons. The light hits the nano-needle, gets the electrons in the needle sloshing back and forth (the plasmonic wave), the pulse of electrons flies by the needle and their motion is affected by the electrons in the needle. The electrons that fly by are then observed and they tell you what was going on in the needle. By changing the delay between light and free electron pulse, you can make a movie of the plasmonic wave.”

The experiment neither contradicts nor extends the known laws of quantum mechanics, Batelaan says, “but this will certainly stimulate the discussion of what is particle-wave duality.”

It also will make it easier to visualize that duality, Carbone says. The use of an experimental UTEM imaging system—one of just two femtosecond-resolved UTEMs in the world—is noteworthy because most electron microscopes only take snapshots, not time-resolved images (movies). “We design these kinds of circuits and then we induce these plasmons on them and we follow them as a function of time,” he says.

Applications

The plasmons adhere very closely to the surface of the wire, even in complex geometries, making them especially suitable for use in tiny photonic circuits. “You can miniaturize [photonic] circuits in a very confined space using this property of guiding, and this offers an alternative to electronic circuits with faster switching and propagation,” Carbone says. “The next step is to use materials other than simple metal, other materials of interest such as graphene or transition metal dichalcogenide monolayers.”

Indeed, SPPs are of great interest in fields such as communications and measurement, in applications including optical data storage, bio-sensing, optical switching, and sub-wavelength lithography. While Carbone’s work does not contribute directly to the science underlying these applications, the ability to both see and control what is going on at such tiny scales in space and time will likely be of interest to product developers and engineers.

“The technique employed enables the coupling of free electrons traveling at two-thirds the speed of light with electromagnetic fields to be spatially imaged on scales below the wavelength of light,” says David Flannigan, a professor of chemistry at the University of Minnesota. He said the technique’s ability to probe essentially any nanostructure geometry “allows for a clearer understanding of deviations from ideal behavior; for example, in the presence of impurities and morphological imperfections that are challenging to quantify and understand via other means. One could envision a number of ways this could be useful for real-world materials, systems, and device architectures.”

The success of the experiment using nanoscale wires and femtosecond time frames will be of interest to developers of tiny integrated circuits, Batelaan agrees. “They have gotten such beautiful control over what happens in the wire, and they can measure it probably better than anybody before.”

Batelaan points out today’s computer processors operate at speeds of a few GHz, “but when they are working in femtoseconds, orders of magnitude faster,” he says, “that could lead to completely new computer architectures.”

The experiment is controlled by 80fs laser pulses that produce 800fs electron pulses along the wire. “The buses linking the circuitry in a computer suffer higher loss if the frequency of the signal traveling in them is higher,” Carbone says. “Ultimately, beyond the GHz range, simple cable radiates like an antenna, thus losing signal when propagating an electromagnetic wave, especially when sharp corners or bends are made. Surface plasmons can circumvent this problem, although they suffer other types of losses in simple metal structures. So the hope is that new materials can support surface plasmons while having small propagation losses.”

The Double-Slit experiment

The wave-particle duality theories of the early 20th century were verified via a classic experiment in which light is projected onto a surface with two slits, which split the beam into two parts. The split beams are then measured, recombined, and measured again. Photon detectors behind each of the two slits show individual photons “choose” with equal probability to go one way or the other, showing light’s particle nature. In addition, the light beams when recombined produce the interference patterns characteristic of waves. The two measurements are performed one after the other, so the particle and wave states of light are not detected simultaneously.

Says Carbone, “The [split-beam] experiments show the paradox of quantum mechanics, and they show light is basically a superposition of both a wave and a particle until one decides to measure it.” The photon detector will say “particle,” but the interferometer will later say “wave.” “So the question was, ‘Is light somehow capable of adapting its behavior depending on the experiment being performed?’”

Until now, no one has performed an experiment that shows both natures of light occurring at the same time, he says. “The significance of this experiment is that it takes a very different approach to a classical problem, opening a new perspective for its investigation.”

Carbone says the experiment does not resolve an issue that arose between Einstein and Bohr: whether a single photon can act as both a wave and a particle at the same time. Carbone’s experiment considers small numbers of photons as a group, some of which behave as particles and some as waves, and its results are consistent with the known laws of quantum mechanics, he says. However, he says his research team is exploring the possibility of looking at the behavior of single electron-photon interactions. If that were to show wave-particle duality at the single photon level, that would violate the known laws of quantum mechanics, he says, but experimental data so far suggests that will not be the case.

Scientists agree the merit of this experiment lies not in new science revealed, but in greater insights about known phenomena and better ways to study them. “If you can see it, you can understand it better,” Carbone says.

Gary Anthes is a technology writer and editor based in Arlington, VA.

© 2015 ACM 0001-0782/15/10 $15.00

Milestones

Computer Science Awards, Appointments

BIOINFORMATICS LEADERS AWARDED DAN DAVID PRIZE

Leaders in bioinformatics recently received the Dan David Prize, a $1-million award (which they shared) endowed by the Dan David Foundation and based at Tel Aviv University.

The Dan David Prize recognizes interdisciplinary research across traditional boundaries and paradigms in the past (fields that expand knowledge of former times), the present (achievements that shape and enrich society today), and the future (breakthroughs that hold great promise for improvement of our world).

The 2015 laureates for the future time dimension in the field of bioinformatics were David Haussler, professor of biomolecular engineering and director of the Genomics Institute at the University of California, Santa Cruz; Michael Waterman, professor of biological sciences, computer science, and mathematics at the University of Southern California; and Cyrus Chothia, emeritus scientist at the MRC Laboratory of Molecular Biology in Cambridge, U.K.

The award for Retrieving the Past: Historians and their Sources was shared by historians Peter Brown and Alessandro Portelli, while the prize for the Present: The Information Revolution was presented to Jimmy Wales, cofounder of Wikipedia.

UC BERKELEY PROFESSOR WINS ACADEMY AWARD

University of California, Berkeley computer science professor James O’Brien received an Academy Award for scientific and technical achievement from the Academy of Motion Pictures Arts and Sciences.

O’Brien was recognized for his computer graphics research, which served as the foundation for systems that create fracture and deformation simulations. Software based on his research was used for films such as Avatar, Prometheus, Skyfall, Harry Potter and the Deathly Hallows, and Guardians of the Galaxy, among others.

O’Brien conducted research on simulations that assisted in the development of the Kali Destruction System and the Digital Molecular Matter toolkit, systems that formed a way to model scalable and realistic fracture and deformation simulations.

When buildings are destroyed and broken apart in a movie, software based on O’Brien’s research is used to determine how each building breaks.

He began his research on destruction simulations for his doctoral thesis at Georgia Institute of Technology’s College of Computing, and continued this work when he began teaching at UC Berkeley in 2000. O’Brien said he always had the film industry in mind when conducting his research.


Technology | DOI:10.1145/2811286
Samuel Greengard

Automotive Systems Get Smarter

Automotive infotainment systems are driving changes to automobiles, and to driver behavior.

Over the last quarter-century, automobiles have evolved into increasingly sophisticated—and computerized—machines. Today, some motor vehicles contain upward of 100 electronic control units with microprocessors that manage everything from steering and braking to navigation, climate control, and entertainment. They also have hundreds of millions of lines of software code. Overseeing the tangle of systems—and integrating buttons, knobs, voice commands and more—has emerged as a growing challenge, particularly as consumers carry smartphones into cars and look to integrate all these systems and controls seamlessly.

[Image: Automotive infotainment systems provide drivers with a simplified interface to their vehicles. Image by Eric Risberg/AP Photo.]

“There is a huge challenge associated with providing a driver with the right amount of information at the right time. You don’t want to overwhelm a driver or have someone get to the point where they are distracted or tuning out crucial information,” says Sam Abuelsamid, senior analyst on the Transportation Efficiencies Team at Navigant Research, which closely tracks automobile technologies. In recent years, auto manufacturers have introduced apps, speech recognition, and other systems, but often with limited success. “While these systems have delivered extra features to drivers, they’ve been limited in capabilities and the user interfaces have been relatively clunky,” he notes.

As a result, many consumers have thrown up their hands (but not while driving) and given up on using these systems. Instead, they prefer to tap into their smartphones and the simple, familiar interfaces they provide as the hub for infotainment and other functions. As John Maddox, assistant director of the Michigan Transportation Center at the University of Michigan, puts it: “Consumers have become enamored by the breadth, variety, and timeliness of information they get on their phone, and they are now expecting this level of information in a vehicle. In some cases, they want the same display and the same choices built into their car.”

The upshot? As automobiles and computing roll forward and distracted driving becomes an ever-greater concern, automakers are looking for ways to integrate all these systems effectively and add advanced technology features, while Apple and Google are introducing infotainment platforms for vehicles. “We are moving past an era where features and capabilities have been thrown into cars, to a new environment that supports a connected lifestyle,” observes Mark Boyadjis, senior analyst and manager of infotainment and Human Machine Interface at automotive research and consulting firm IHS Automotive. “We will see a huge transformation in vehicles over the next few years.”

Beyond the Dashboard

Although GPS-based automobile navigation systems and other advanced technology features have been around since the early 1990s, a new era of automobile infotainment systems began around 2007, when Ford announced the first integrated, in-vehicle communications and entertainment system, SYNC. It allowed motorists to make hands-free phone calls with their cellular phones and to control music and other functions with specialized controls, including voice commands, activated by tapping a button on the steering wheel. Over the next few years, other automobile makers introduced similar systems, typically built on Microsoft’s Embedded Automobile System or Blackberry’s QNX software platform, which is used for critical systems such as air traffic controls, surgical equipment, and nuclear power plants.

Unfortunately, many of these early systems were difficult to use, and some relied on highly specialized and, at times, cryptic voice commands rather than natural language. In fact, J.D. Power reports the number-one disappointment of new car buyers is the voice recognition function. These systems also did not integrate well with iPods and emerging iPhones. Even with a built-in USB connection or Bluetooth connectivity, it was difficult, if not impossible, to view or control a music playlist or see information about a song, for example. In addition, these early systems could not pull contact information directly from a smartphone, making it necessary for a motorist to program in phone numbers and addresses manually.

By 2010, Ford had introduced AppLink and Chevrolet introduced MyLink—and other auto companies, including Audi and Volvo, soon followed suit with tighter integration with iPhones or similar controls accessible from a vehicle’s LCD display or, in some cases, from a smartphone app. Yet, as Abuelsamid puts it: “These systems were a step forward, but consumers still found them confusing and clunky. There was a need for a platform that could tie together all the various tools, technologies, and other elements effectively.”

In 2013, Apple introduced a new concept: an interface and software driver layer that runs on top of QNX and other real-time vehicle operating systems. Apple’s CarPlay, and the subsequent introduction of Google’s Android Auto, allow motorists to pair their mobile devices with a vehicle and view a simplified phone interface on the car’s display screen, with a limited number of icons. “Anyone that is comfortable with the phone should be immediately comfortable with the interface,” Abuelsamid explains.

For automakers, the appeal of CarPlay and Android Auto is that they essentially adapt to whatever vehicle they are in. This might include a Mercedes with a non-touchscreen system and knob controls on the center console, a Ferrari with a resistive touchscreen interface, or a Volvo with a capacitive touchscreen interface. In every instance, the software translates the relevant hardware signals into a form the phone recognizes. Moreover, these platforms allow manufacturers to move away from proprietary systems and let consumers use either Android or iOS devices in their car—and even to switch between them. “It eliminates a basic problem: every car is different and it’s difficult to operate a car you’re not familiar with. It introduces a standard interface,” Boyadjis says.

Convenience and happier motorists are not the only goals, however. According to the Virginia Tech Transportation Institute’s Center for Automotive Safety, 80% of all crashes and 65% of all near-crashes involve a motorist looking away from the forward roadway within three seconds of the event. CarPlay and Android Auto aim to minimize driver distraction. For example, the phone’s screen goes dark when the automobile is running, and these systems do not support social media or video. In addition, Android Auto has no “back” or “recents” buttons. Finally, both platforms offer better speech recognition through Siri and Google Now, which off-load processing to the cloud.

Says Jim Buczkowski, Henry Ford technical fellow and director for electrical and electronic systems in Ford’s Research and Innovation Center, “A key is understanding what to process onboard and what to process in the cloud. The experience must be seamless and consistent, even when there isn’t 100% cloud availability.”

Driving Forward

Automotive infotainment systems are only part of the story, however. The J.D. Power 2015 U.S. Tech Choice Study found consumers increasingly seek technology that makes driving safer. Blind-spot detection and collision-avoidance systems, night vision, and other enhanced features ranked highest among desired technologies. Many high-end cars now include these features. Automakers are experimenting with head-up displays that project text and graphics on an area of the windshield. In addition, Texas Instruments is developing a projection system that uses digital light processing and interpolation methods to produce clear images across a windshield, even in poor weather or at night. The critical factor? “An HUD that displays information or alerts has to work with a quick glance and allow a person’s eyes to remain upward and forward,” Ford’s Buczkowski says.

Today, separate computerized systems in a vehicle typically use dedicated electronic controllers. Future automobiles will begin to combine and connect these systems, including GPS, cameras, radar, lidar, and more, Abuelsamid says. “They will be tied together through a vehicle network that will allow data sharing and introduce new and more advanced capabilities. This is a step toward automated driving systems.” General Motors has announced support for “Super Cruise” control in the 2016 Cadillac CT6; the technology will enable hands-free lane following and automatic braking and speed control during highway driving.

Critical to engineering these next-generation vehicles is embedding robust but highly secure communications systems. Researchers have already demonstrated the ability to hack into vehicles and take control of steering wheels and brakes. Informatics systems pose additional risks.

As a result, some auto manufacturers are now building Ethernet into vehicles in order to tie together all the various onboard systems in a more secure way. In addition, the automotive industry is developing a dedicated short-range wireless communications protocol called 802.11p, and some are also building LTE cellular connectivity directly into vehicles. This makes vehicle-to-vehicle and vehicle-to-infrastructure communications possible, along with advanced certificate management and support for enhanced security features, including data encoding and encryption. Ford’s Buczkowski says this could ultimately lead to far more innovative features, including, for example, cars that can “see” around corners by communicating with other vehicles, and using their onboard systems to spot a cyclist or pedestrian. The network might also deliver an alert to the pedestrian through a smartwatch that vibrates or a smartphone that emits an alarm. “Mobility and cloud computing will play important roles in defining future driving experiences,” he says.

These communications capabilities will prove nothing less than transformative, Boyadjis says. Today, a two-year old car seems outdated, “but when you build a platform that allows infotainment systems and other onboard systems to update over the air, you enter an entirely different realm.” For instance, automaker Tesla has instantly updated more than 30,000 vehicles over the air. “In the future, it will be possible to add features and improve safety for power train, braking systems, steering controls, and other components through real-time software updates.” Adds Buczkowski: “Cars will add new features and address deficiencies or shortfalls based on customer feedback. It will likely be a very similar model as today’s smartphones.”

[Image: Recently, automaker Tesla remotely updated more than 30,000 vehicles at once. Image courtesy of blogs.motortrend.com.]

To be sure, greater technology integration will radically redefine the automobile and the driving experience over the next few years. In a decade, cars and their interiors may not resemble what we drive today. Concludes Abuelsamid: “We may at some point see reprogrammable touch interfaces that allow vehicle consoles and interfaces to appear the same way, regardless of the vehicle. We may see NFC tags that recognize you and adapt the car automatically. When you migrate to a software-based platform, all sorts of ideas become possible.”

Further Reading

Gharavi, H., Venkatesh, K., and Petros Ioannou, P. Scanning Advanced Automobile Technology, Proceedings of The IEEE - PIEEE, vol. 95, no. 2, pp. 328-333, 2007, http://1.usa.gov/1b7sFMO

Alt, F., Kern, D., Schulte, F., Pfleging, B., Sahami Shirazi, A., and Schmidt, A. Enabling micro-entertainment in vehicles based on context information, Proceedings of the 2nd International Conference on Automotive User Interfaces and Interactive Vehicular Applications, 2010. Pages 117-124. http://dl.acm.org/citation.cfm?id=1969794

Steinbach, T. Real-time Ethernet for automotive applications: A solution for future in-car networks, Consumer Electronics - Berlin (ICCE-Berlin), 2011 IEEE International Conference, September 6-8, 2011, Pages 216-220. http://bit.ly/1Efgbxf

Huang, Y., Qin, G. H., Liu, T., and Wang, X. D. Strategy for Ensuring In-Vehicle Infotainment Security, Applied Mechanics and Materials, Vols. 556-562, pp. 5460-5465, May 2014. http://www.scientific.net/AMM.556-562.5460

Samuel Greengard is an author and journalist based in West Linn, OR.

© 2015 ACM 0001-0782/15/10 $15.00

ACM Member News

USING BIG DATA TO FIX CITIES

Juliana Freire is passionate about using big data analytics to solve real-world problems, particularly those involving large urban centers like her Rio de Janeiro, Brazil, birthplace and her adopted hometown New York City.

“Data can make people’s lives better,” says Freire, a professor in the Department of Computer Science and Engineering at New York University (NYU). She has co-authored over 130 technical papers and holds nine U.S. patents. Her research focuses on large-scale data analysis, visualization, and provenance management involving urban, scientific, and Web data.

With her team in the Visualization, Imaging and Data Analysis Center at NYU’s School of Engineering, Freire explores spatial temporal data, like energy and electricity consumption and traffic flow. She and the team work with New York City’s Taxi and Limousine Commission to analyze real-time streaming data, like information about the 500,000 daily taxi trips that take place in that city. “We utilize predictive analysis to examine ‘what-if’ scenarios, like the cost-effectiveness of putting in a new subway line or a new bridge between Queens and Manhattan, and the potential impact on traffic patterns,” she explains, adding, “We can take action in minutes or hours, instead of weeks or months.”

Freire returns to Brazil annually to collaborate with researchers there on urban projects like bus usage in Rio de Janeiro. “They have amazing information about automobile movement because cameras are everywhere,” she notes.

A proponent of “democratizing big data,” Freire strives to create a virtual online facility “to house a structured urban data analysis search engine that’s accessible to everyone,” she says.

—Laura DiDio


Society | DOI:10.1145/2811290
Keith Kirkpatrick

Cyber Policies on the Rise

A growing number of companies are taking out cybersecurity insurance policies to protect themselves from the costs of data breaches.

The cyber attacks carried out against Sony, Target, Home Depot, and J.P. Morgan Chase garnered a great deal of press coverage in 2014, but data breaches, denial-of-service attacks, and other acts of electronic malfeasance are hardly limited to large, multinational corporations. However, it is the high-profile nature of these breaches—as well as the staggering monetary costs associated with several of the attacks—that are driving businesses of all types and sizes to seriously look at purchasing cybersecurity insurance.

Currently, the global market for cybersecurity insurance policies is estimated at around $1.5 billion in gross written premiums, according to reinsurance giant Aon Benfield. Approximately 50 carriers worldwide write specific cyber insurance policies, and many other carriers write endorsements to existing liability policies. The U.S. accounts for the lion’s share of the market—about $1 billion in premiums spread out across about 35 carriers, according to broker Marsh & McLennan, with Europe accounting for just $150 million or so in premiums, and the rest of the world accounting for the balance of the policy value.

Due to strong privacy laws that have been enacted over the past decade, it is no surprise the U.S. is the leading market for cyber policies.

“The United States is many years ahead, due to 47 state privacy laws that require companies to disclose data breach incidents,” says Christine Marciano, president of Cyber Data-Risk Managers LLC, a Princeton, NJ-based cyber-insurance broker. While notification may only cost a few cents per customer, large companies with millions of customers likely will be looking at outlays of millions of dollars each time a breach occurs, a cost that could be covered by a cyber insurance policy.

The market for cyber insurance is projected to grow strongly, largely due to regulatory changes being enacted in jurisdictions around the globe. The Data Protection Directive (Directive 95/46/EC), which is being debated by the European Union and is expected to be ratified by 2017, spells out customer privacy and data-breach notification requirements. This type of regulation likely will bolster the cyber insurance market in Europe, which currently accounts for less than 10% of the global cyber insurance premiums written, according to Nigel Pearson, global head of Fidelity at Allianz Global Corporate & Specialty (AGCS), one of the world’s largest insurance firms.

Pearson notes that in the U.K., the Information Commissioner (a government-level post established to uphold information rights in the public interest) can fine companies up to about 500,000 pounds (about $750,000) for failure to prevent a data breach, but with the EU reforms currently being discussed, the potential fines for data breaches are likely to be significantly higher, portending a greater need for insurance coverage. “Where those fines and penalties are insurable, we’ll pay them,” Pearson notes.

Marciano agrees, noting that “once the EU Data Protection reform reaches an agreement and is passed, the European cyber insurance market will see many new insurers offering cyber insurance policies, and many companies seeking coverage.”

Pearson says the market continues to evolve in Asia as well, as jurisdictions such as Hong Kong and Australia introduce tougher privacy laws. The market for cyber insurance is “certainly evolving in Asia,” Pearson says, noting that “last year Hong Kong, Singapore, [and] Australia all had new data protection legislation. The big question is whether there is a requirement for mandatory notification.”

General Policies Fall Short

One of the key reasons businesses need to consider a cyber insurance policy or endorsement is that general liability coverage only covers losses related to a physical act, such as a person breaking in to an office and stealing files or computers. Cyber policies focus on so-called “intangible losses,” which are often not covered under general business liability policies, Marciano says.

“Many business liability policies that are coming up for renewal now contain clearly defined data breach exclusions, whilst most of the older policies did not clearly define such losses, and in some instances in which a claim arose, such policies were challenged,” Marciano says. “For those companies wanting to ensure they’re covered for cyber and data risk, a standalone cyber insurance policy should be explored and purchased.”

Damage caused by intrusions, attacks, or other losses must be covered by a specific cyber policy that generally covers three main activities or issues related to a cyber attack: liability, business interruption, and the cost of IT notification and forensics, according to Pearson. Furthermore, cyber policies typically offer both first-party coverage (covering the policyholder’s losses) and third-party coverage (covering defense costs and damages and liabilities to customers, partners, and regulatory agencies.)

First-party coverage includes the cost of forensic investigations, which include determining whether a data breach has occurred, containing the breach, and then investigating the cause and scope of the breach. Other coverage elements include the cost of computer and data-loss replacement or restoration costs, and the costs associated with interruption to the business (such as paying for alternative network services, employee overtime, and covering profits lost due to the data breach).

Other first-party costs often covered include the cost of public relations efforts to communicate appropriately to customers, business partners, and the press and general public, to try to prevent and limit lost business. Notification costs, call center costs, and credit monitoring services for victims of the breach are also items that can be covered by cyber policies, and often represent a major portion of the overall cost of the breach, given that many companies have hundreds of thousands, if not millions, of individual customers to contact.

Finally, the cost of financial losses caused directly by electronic theft and fraud can be covered, as can the cost of cyber-extortion, in which criminals take control of a company’s Website or network, and refuse to relinquish control until a ransom is paid.

Third-party coverage will generally cover the cost to hire attorneys, consultants, and expert witnesses to defend a company from civil lawsuits by customers, business partners, and vendors harmed as a result of malware delivered via a compromised network, and shareholders (who may claim the value of their investment has been damaged as a result of the company’s failure to protect itself). Insurance may also be purchased to cover any settlements or judgments entered against the company. Additional third-party coverage can be purchased to cover the costs of regulatory or administrative agency investigations, prosecutions, and fines or penalties, though certain state or country laws may prohibit the coverage of such fines by insurance.

However, identifying the proper coverage levels, as well as securing a fair quote can be extremely challenging, due to a relatively smaller pool of actuarial data, the evolving nature of cyber attacks or breaches, and the unwillingness of many carriers to share claims data, collectively make it challenging to craft standard cyber policies.

“Within cyber, it’s not unusual to have quotes that vary by multiples—sometimes 100%, 200%, 300% different,” Pearson says. “Companies are seeing the risks in very different ways, and are assessing the risk in very different ways.”

Nevertheless, according to January 2015 testimony before the U.S. Senate Committee on Homeland Security & Government Affairs by Peter J. Beshar, executive vice president and general counsel for the Marsh & McLennan Companies, the average cost for $1 million of coverage is between $12,500 and $15,000 across industry sectors including healthcare; transportation; retail/wholesale; financial institutions; communications, media, and technology; education; and power and utilities.

According to news reports, the attack on Target cost that company $148 million, along with an investment of $61 million to implement anti-breach technology in the months after the attack. Meanwhile, Home Depot was expected to pay $62 million to cover the cost of its attack, including legal fees and overtime for staff.

Before the breach occurred, Target carried at least $100 million in cyber insurance. Home Depot had $105 million in cyber insurance at the time of the attack, and Sony, hacked in December, carried a $60-million policy. These policies helped offset some of the costs of the breaches, but not all, underscoring the need to ensure cyber policies’ coverage levels match the potential losses.

Limitations and Exclusions

However, there are limits to coverage. Cyber insurance does not cover losses due to terrorist acts or acts of war, and according to Marciano, few cyber policies cover physical injuries or damage caused by an attack that started online, but then caused actual physical damage in the real world, important issues businesses must consider when deciding on coverage levels.

“New threats and vulnerabilities are discovered daily, and it is hard to cover every cyber incident, especially evolving risks we don’t yet understand,” Marciano says. “Insurers tend to be conservative on evolving risks until they have a better understanding of how to quantify and cover them.” As such, individual company limits are determined based on factors such as company size, industry, revenues, services offered, types of data (such as whether personal identifiable information or personal health information is stored by the company), and, ultimately, how much the company can afford to purchase.

Still, understanding how much insurance to carry has been a struggle for many companies, says John Farley, Cyber-Risk Practice Leader for North American insurance brokerage HUB International. “You want to understand what type of data you hold, and what could cause you heartache if it’s compromised,” he says, noting that certain types of businesses are likely to be deemed to be a higher risk for insurers, and therefore likely will require higher coverage limits. Unsurprisingly, the companies and industries that likely face the largest cyber security threats are those that hold and use sensitive consumer information, including IT companies, financial services companies, retailers, higher education organizations, and healthcare firms, according to Farley.

“Healthcare and retail would be considered higher risk than manufacturing,” Farley says, noting that companies that hold personal information, financial data, or health information are more likely to be targets for attackers than those companies that do not have data that can easily be re-sold or used by cyber criminals.

However, carriers and brokers note that practicing good “cyber hygiene” can help lower the cost of purchasing insurance, particularly if a company and its policies, systems, and practices can demonstrate a reduction in cyber risk.

Marciano defines cyber hygiene as “implementing and enforcing data security and privacy policies, procedures, and controls to help minimize potential damages and reduce the chances of a data security breach.”

Marciano says processes should be put in place to protect against, monitor, and detect both internal and external threats, as well as to respond and recover from incidents. “Establishing and enforcing policies and procedures, encrypting sensitive data at rest and in transit, being PCI compliant, adopting a security framework such as the NIST Cybersecurity Framework, and practicing good cyber hygiene can help companies obtain the most favorable cyber insurance premium.”

Undergoing a network vulnerability assessment to determine strengths and weaknesses of a firm’s IT infrastructure can help companies spot weaknesses before they can be exploited, allowing them to be corrected and then the firms can get coverage based on their tightened defenses.

The most important step a company can take is to ensure specific cyber coverage is already in place, and if not, to speak with a broker or carrier to obtain coverage, even if they believe their industry or business probably is not a target for hackers.

“The response we often get [from clients] is that ‘I’m not Home Depot, I’m not Target, I’m not Chase, so the hackers aren’t going to be after me,’” says Shawn Bernabeu, a business development manager with HUB International. “The hackers are continually going after smaller, not-so-well-known clients, and the fact of the matter is those smaller clients may not have the financial wherewithal to withstand and emerge from that hack and actually function.”

Further Reading

“Code Spaces forced to close its doors after security incident,” CSO, June 18, 2014, http://bit.ly/1KdGMg3

Cyber Claims Examples, London Australia Underwriting, http://bit.ly/1HxObZv

Cybersecurity Framework, National Institute of Standards and Technology, http://www.nist.gov/cyberframework/

Cybersecurity In Demand, Nightly Business Report, March 17, 2015, https://www.youtube.com/watch?v=GS_HPiwhJWQ

Testimony of Peter J. Beshar, executive vice president and general counsel, Marsh & McLennan Companies, before the United States Senate Committee on Homeland Security & Governmental Affairs, Jan. 28, 2015 http://1.usa.gov/1HcQSKX

Keith Kirkpatrick is principal of 4K Research & Consulting, LLC, based in Lynbrook, NY.

© 2015 ACM 0001-0782/15/10 $15.00

Education

ACM, CSTA Launch New Award

ACM and the Computer Science Teachers Association (CSTA) have launched a new award to recognize talented high school students in computer science. The ACM/CSTA Cutler-Bell Prize in High School Computing program aims to promote computer science, as well as empower aspiring learners to pursue computing challenges outside of the classroom.

Four winners each year will be awarded a $10,000 prize and cost of travel to the annual ACM/CSTA Cutler-Bell Prize in High School Computing Reception. The prizes will be funded by a $1-million endowment established by David Cutler and Gordon Bell. Cutler, Senior Technical Fellow at Microsoft, is a software engineer, designer, and developer of operating systems including Windows NT at Microsoft and RSX-11M, VMS, and VAXELN at Digital Equipment Corp. (DEC). Bell, researcher emeritus at Microsoft Research, is an electrical engineer and an early employee of DEC, where he led the development of VAX.

ACM President Alexander L. Wolf said the new award “touches on several areas central to ACM’s mission,” including “to foster technological innovation and excellence, in this case, by bringing the excitement of invention to students at a time in their lives when they begin to make decisions about higher education and career possibilities.”

Said CSTA Executive Director Mark R. Nelson, “The Cutler-Bell Award celebrates core tenets of computer science education: creativity, innovation, and computational thinking. To encourage more students to pursue careers in computer science, to be America’s next pioneers, we need intentional and visible attempts to increase awareness of what is possible. We expect the entries to the competition to set a high bar on what is possible with exposure to computer science in K–12.”

The application period for the awards closes Jan. 1; inaugural awards will be announced in February 2016.


DOI:10.1145/2814825
Peter G. Neumann et al.

Inside Risks

Keys Under Doormats

Mandating insecurity by requiring government access to all data and communications.

Twenty years ago, law enforcement organizations lobbied to require data and communication services to engineer their products to guarantee law enforcement access to all data. After lengthy debate and vigorous predictions of enforcement channels going dark, these attempts to regulate the emerging Internet were abandoned. In the intervening years, innovation on the Internet flourished, and law enforcement agencies found new and more effective means of accessing vastly larger quantities of data. Today, we are again hearing calls for regulation to mandate the provision of exceptional access mechanisms.

In this column, a group of computer scientists and security experts, many of whom participated in a 1997 study of these same topics, explore the likely effects of imposing extraordinary access mandates. We have found the damage that could be caused by law enforcement exceptional access requirements would be even greater today than it would have been 20 years ago. In the wake of the growing economic and social cost of the fundamental insecurity of today’s Internet environment, any proposals that alter the security dynamics online should be approached with caution. Exceptional access would force Internet system developers to reverse forward-secrecy design practices that seek to minimize the impact on user privacy when systems are breached. The complexity of today’s Internet environment, with millions of apps and globally connected services, means new law enforcement requirements are likely to introduce unanticipated, hard-to-detect security flaws. Beyond these and other technical vulnerabilities, the prospect of globally deployed exceptional access systems raises difficult problems about how such an environment would be governed and how to ensure such systems would respect human rights and the rule of law.

Political and law enforcement leaders in the U.S. and the U.K. have called for Internet systems to be redesigned to ensure government access to information—even encrypted information. They argue the growing use of encryption will neutralize their investigative capabilities. They propose data storage and communications systems must be designed for exceptional access by law enforcement agencies. These proposals are unworkable in practice, raise enormous legal and ethical questions, and would undo progress on security at a time when Internet vulnerabilities are causing extreme economic harm.

As computer scientists with extensive security and systems experience, we believe law enforcement has failed to account for the risks inherent in exceptional access systems. Based on our considerable expertise in real-world applications, we know such risks lurk in the technical details. In this column, we examine whether it is technically and operationally feasible to meet law enforcement’s call for exceptional access without causing large-scale security vulnerabilities. We take no issue here with law enforcement’s desire to execute lawful surveillance orders when they meet the requirements of human rights and the rule of law. Our strong recommendation is that anyone proposing regulations should first present concrete technical requirements, which industry, academics, and the public can analyze for technical weaknesses and for hidden costs.

Many of this column’s authors worked together in 1997 in response to a similar but narrower and better-defined proposal called the Clipper Chip.1 The Clipper proposal sought to have all strong encryption systems retain a copy of keys necessary to decrypt information with a trusted third party who would turn over keys to law enforcement upon proper legal authorization. We found at that time it was beyond the technical state of the art to build key escrow systems at scale. Governments kept pressing for key escrow, but Internet firms successfully resisted on the grounds of the enormous expense, the governance issues, and the risk. The Clipper Chip was eventually abandoned. A much narrower set of law-enforcement access requirements has been imposed in the U.S., but only on regulated telecommunications systems. Still, in a small but troubling number of cases, weaknesses related to these requirements have emerged and been exploited by state actors and others. Those problems would have been worse had key escrow been widely deployed. And if all information applications had to be designed and certified for exceptional access, it is doubtful that companies like Facebook and Twitter would even exist. Another important lesson from the 1990s is that the decline in surveillance capacity predicted by law enforcement 20 years ago did not happen. Indeed, in 1992, the FBI’s Advanced Telephony Unit warned that within three years Title III wiretaps would be useless: no more than 40% would be intelligible and in the worst case all might be rendered useless.2 The world did not “go dark.” On the contrary, law enforcement has much better and more effective surveillance capabilities now than it did then.

The goal of this column is to similarly analyze the newly proposed requirement of exceptional access to communications in today’s more complex, global information infrastructure. We find it would pose far more grave security risks, imperil innovation, and raise difficult issues for human rights and international relations.

There are three general problems. First, providing exceptional access to communications would force a U-turn from the best practices now being deployed to make the Internet more secure. These practices include forward secrecy—where decryption keys are deleted immediately after use, so that stealing the encryption key used by a communications server would not compromise earlier or later communications. A related technique, authenticated encryption, uses the same temporary key to guarantee confidentiality and to verify the message has not been forged or tampered with.

Second, building in exceptional access would substantially increase system complexity. Security researchers inside and outside government agree that complexity is the enemy of security—every new feature can interact with others to create vulnerabilities. To achieve widespread exceptional access, new technology features would have to be deployed and tested with literally hundreds of thousands of developers all around the world. This is a far more complex environment than the electronic surveillance now deployed in telecommunications and Internet access services, which tend to use similar technologies and are more likely to have the resources to manage vulnerabilities that may arise from new features. Features to permit law enforcement exceptional access across a wide range of Internet and mobile computing applications could be particularly problematic because their typical use would be surreptitious—making security testing difficult and less effective.

Third, exceptional access would create concentrated targets that could attract bad actors. Security credentials that unlock the data would have to be retained by the platform provider, law enforcement agencies, or some other trusted third party. If law enforcement’s keys guaranteed access to everything, an attacker who gained access to these keys would enjoy the same privilege. Moreover, law enforcement’s stated need for rapid access to data would make it impractical to store keys offline or split keys among multiple key holders, as security engineers would normally do with extremely high-value credentials. Recent attacks on the U.S. Government Office of Personnel Management (OPM) show how much harm can arise when many organizations rely on a single institution that itself has security vulnerabilities. In the case of OPM, numerous federal agencies lost sensitive data because OPM had insecure infrastructure. If service providers implement exceptional access requirements incorrectly, the security of all of their users will be at risk.

Our analysis applies not just to systems providing access to encrypted data but also to systems providing access directly to plaintext. For example, law enforcement has called for social networks to allow automated, rapid access to their data. A law enforcement backdoor into a social network is also a vulnerability open to attack and abuse. Indeed, Google’s database of surveillance targets was surveilled by Chinese agents who hacked into its systems, presumably for counterintelligence purposes.3

The greatest impediment to exceptional access may be jurisdiction. Building in exceptional access would be risky enough even if only one law enforcement agency in the world had it. But this is not only a U.S. issue. The U.K. government promises legislation this fall to compel communications service providers, including U.S.-based corporations, to grant access to U.K. law enforcement agencies, and other countries would certainly follow suit. China has already intimated it may require exceptional access. If a British-based developer deploys a messaging application used by citizens of China, must it provide exceptional access to Chinese law enforcement? Which countries have sufficient respect for the rule of law to participate in an international exceptional access framework? How would such determinations be made? How would timely approvals be given for the millions of new products with communications capabilities? And how would this new surveillance ecosystem be funded and supervised? The U.S. and U.K. governments have fought long and hard to keep the governance of the Internet open, in the face of demands from authoritarian countries that it be brought under state control. Does not the push for exceptional access represent a breathtaking policy reversal?

The need to grapple with these legal and policy concerns could move the Internet overnight from its current open and entrepreneurial model to becoming a highly regulated industry. Tackling these questions requires more than our technical expertise as computer scientists, but they must be answered before anyone can embark on the technical design of an exceptional access system. Absent a concrete technical proposal, and without adequate answers to the questions raised in this column, legislators should reject out of hand any proposal to return to the failed cryptography control policy of the 1990s.

References
1. Abelson, H. et al. The risks of key recovery, key escrow, and trusted third-party encryption, 1997; http://academiccommons.columbia.edu/catalog/ac:127127.
2. Advanced Telephony Unit, Federal Bureau of Investigation. Telecommunications Overview, slide on Encryption Equipment, 1992; https://www.cs.columbia.edu/~smb/Telecommunications_Overview_1992.pdf.
3. Nakashima, E. “Chinese hackers who breached Google gained access to sensitive data, U.S. officials say.” The Washington Post (May 20, 2013); http://wapo.st/1MpTz3n.

Harold “Hal” Abelson ([email protected]) is a professor of electrical engineering and computer science at MIT, a fellow of the IEEE, and a founding director of both Creative Commons and the Free Software Foundation.

Ross Anderson ([email protected]) is Professor of Security Engineering at the University of Cambridge.

Steven M. Bellovin ([email protected]) is the Percy K. and Vida L.W. Hudson Professor of Computer Science at Columbia University.

Josh Benaloh is Senior Cryptographer at Microsoft Research where his research focuses on verifiable election protocols and related technologies.

Matt Blaze ([email protected]) is Associate Professor of Computer and Information Science at the University of Pennsylvania where he directs the Distributed Systems Lab.

Whitfield “Whit” Diffie is an American cryptographer whose 1975 discovery of the concept of public-key cryptography opened up the possibility of secure, Internet-scale communications.

John Gilmore ([email protected]) is an entrepreneur and civil libertarian. He was an early employee of Sun Microsystems, and co-founded Cygnus Solutions, the Electronic Frontier Foundation, the Cypherpunks, and the Internet’s alt newsgroups.

Matthew Green ([email protected]) is a research professor at the Johns Hopkins University Information Security Institute. His research focus is on cryptographic techniques for maintaining users’ privacy, and on new techniques for deploying secure messaging protocols.

Susan Landau ([email protected]) is Professor of Cybersecurity Policy at Worcester Polytechnic Institute.

Peter G. Neumann ([email protected]) is Senior Principal Scientist in the Computer Science Lab at SRI International, and moderator of the ACM Risks Forum.

Ronald L. Rivest ([email protected]) is an MIT Institute Professor, and well known for his co-invention of the RSA public-key cryptosystem, as well as for founding RSA Security and Verisign.

Jeffrey I. Schiller ([email protected]) was the Internet Engineering Steering Group Area Director for Security (1994–2003).

Bruce Schneier is a security technologist, author, Fellow at the Berkman Center for Internet and Society at Harvard Law School, and the CTO of Resilient Systems, Inc. He has written a number of books, including Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World (Norton, 2015).

Michael A. Specter ([email protected]) is a security researcher and Ph.D. candidate in computer science at MIT’s Computer Science and Artificial Intelligence Laboratory.

Daniel J. Weitzner ([email protected]) is Principal Research Scientist at the MIT Computer Science and Artificial Intelligence Lab and Founding Director, MIT Cybersecurity and Internet Policy Research Initiative. From 2011–2012, he was U.S. Deputy Chief Technology Officer in the White House.

The full technical report MIT-CSAIL-TR-2015-026 from which this column has been derived is available at http://dspace.mit.edu/bitstream/handle/1721.1/97690/MIT-CSAIL-TR-2015-026.pdf.

Image by Alicia Kubista/Andrij Borys Associates.

Copyright held by authors.
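The column's first problem, forward secrecy versus a retained decryption key, can be made concrete with the following added example; it is not code from the column or from the MIT technical report. The function names, the record layout and the SHA-256 encrypt-then-MAC stand-in for a real authenticated cipher are assumptions made for illustration, and authentication of the one-time values is left out.

```python
import hashlib
import hmac
import secrets

# 2048-bit MODP prime from RFC 3526 (group 14), generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3D"
    "C2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F"
    "83655D23DCA3AD961C62F356208552BB9ED529077096966D"
    "670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9"
    "DE2BCBF6955817183995497CEA956AE515D2261898FA0510"
    "15728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
G = 2


def keypair():
    """Return a fresh (private, public) Diffie-Hellman pair."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def derive_key(shared, label):
    """Hash a DH shared secret into a 32-byte key (a real protocol would use HKDF)."""
    return hashlib.sha256(label + shared.to_bytes(256, "big")).digest()


def _keystream(enc_key, n):
    blocks = (hashlib.sha256(enc_key + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


def _split(key):
    """Derive separate encryption and MAC keys from the one temporary session key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def seal(key, plaintext):
    """Encrypt-then-MAC under one session key. Constructed stand-in for a real AEAD
    such as AES-GCM; it has no nonce, so each key must seal exactly one message."""
    enc_key, mac_key = _split(key)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, len(plaintext))))
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()


def unseal(key, blob):
    """Return the plaintext, or None when the tag does not verify under this key."""
    enc_key, mac_key = _split(key)
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, len(ct))))


def session_retained_key(server_pub, message):
    """Design A: the session key depends on the server's long-term key, which is
    kept (and, under an access mandate, copied). Returns what a wiretap records."""
    c_priv, c_pub = keypair()
    key = derive_key(pow(server_pub, c_priv, P), b"retained")
    return {"label": b"retained", "client_pub": c_pub, "blob": seal(key, message)}


def session_forward_secret(message):
    """Design B: both sides use one-time DH values that are discarded on return.
    Signing the exchange with the long-term key is omitted to keep this short."""
    c_priv, c_pub = keypair()
    s_priv, s_pub = keypair()
    key = derive_key(pow(s_pub, c_priv, P), b"ephemeral")
    return {"label": b"ephemeral", "client_pub": c_pub, "server_pub": s_pub,
            "blob": seal(key, message)}


def recover_with_stolen_key(record, long_term_priv):
    """What recorded traffic yields once the long-term private key (or its copy) leaks."""
    key = derive_key(pow(record["client_pub"], long_term_priv, P), record["label"])
    return unseal(key, record["blob"])


def demo():
    srv_priv, srv_pub = keypair()          # server's long-term key pair
    msg = b"constructed sample message"
    a = session_retained_key(srv_pub, msg)
    b = session_forward_secret(msg)
    return recover_with_stolen_key(a, srv_priv), recover_with_stolen_key(b, srv_priv)


if __name__ == "__main__":
    print(demo())
```

In the retained-key design every recorded session opens for whoever holds the long-term private key or a copy of it, while the forward-secret session stays closed because the values that produced its key no longer exist.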

26 COMMUNICATIONS OF THE ACM | OCTOBER 2015 | VOL. 58 | NO. 10 viewpoints

DOI:10.1145/2814827
Michael A. Cusumano
Technology Strategy and Management
In Defense of IBM
The ability to adjust to various technical and business disruptions has been essential to IBM’s success during the past century.

IBM’s current financial results have made the news again—relatively good profits but flat or declining revenues for the past five years as well as a stagnant stock price.3–6 Rather than dismiss this historic company (founded in 1911) as an obsolete tech titan, however, I find myself instead appreciating what IBM has achieved over the past 100 years as well as thinking about what it might do in the future. IBM has struggled to grow but has also demonstrated the ability to navigate through multiple technological and business disruptions. These include mechanical punch-card tabulators to electromechanical calculators and then mainframes, personal computers, complex software programs, and now “cloud-based” services of almost magical sophistication, like the Watson artificial intelligence system that won the 2011 “Jeopardy!” game show.a

There are many accounts of IBM’s history, so I will not attempt to relate all the details here.1,b However, most important to appreciate the modern company takes us back to 1993, when IBM appointed a new CEO, Louis Gerstner, who joined an organization that had just recorded the largest corporate loss in history—nearly $9 billion. IBM still dominated mainframes but that business was shrinking. The company had successfully launched a personal computer in 1981 but lost control over the new platform business to Microsoft and Intel. Gerstner’s predecessor, John Akers, responded by laying off approximately 100,000 employees and devising a plan to split up the company into more than a dozen firms. Instead, IBM’s board of directors hired Gerstner, and he decided to keep the company together but change the strategy.c

IBM’s mainframe business faced a major disruption not only from the personal computer, a mass-market product that produced much smaller profit margins. Within a year or so, Gerstner also had to deal with the Internet and the World Wide Web—another historic disruption that would eventually offer a lot of software and services for free. To his credit, Gerstner saw the Internet less as a threat and more as a new opportunity. He understood that large customers faced challenges similar to what he had experienced at RJR Nabisco and American Express—how to combine the new technologies with the old systems. He settled on using professional services—IT consulting around “e-business” as well as system customization, integration, maintenance, and outsourcing—to help large customers pull together hardware and software for mainframes, PCs, and the Internet.

Over the next 20 years, Gerstner and his successors, Sam Palmisano and Virginia Rometty, would continue on this path, adding other skills and new businesses, along with a much more responsive strategy and resource allocation process.2 As the accompanying table shows, the structural changes they introduced have been dramatic. Hardware accounted for 49% of revenues in 1993 and only 11% in 2014. Services have grown from 27% to 61%, and software products from 17% to 27%. Annual revenues did stall at approximately $100 billion over the past several years and even declined in 2014 by $7 billion. Part of the reason is that, following Gerstner’s lead, IBM has continued to shed commodity businesses—the list now includes PCs, semiconductors, printers, storage equipment, low-end servers, and call centers. Yet the company still managed to generate more than $18 billion in operating profits in 2014 on sales of under $93 billion. Moreover, hardware, software, and services are all more profitable today than they were when Akers left the company in 1993.

IBM financial comparison, 1993 and 2013–2014.

| | 1993 | 2013 | 2014 |
|---|---|---|---|
| Revenues ($million) | $62,716 | $99,751 | $92,793 |
| Profit (before tax) | ($8,797) | $19,524 | $18,356 |
| Gross Margin | 39% | 49% | 50% |
| Employees (year-end) | 256,207 | 431,212 | 379,592 |
| Revenues/Employee | $245,000 | $231,000 | $244,000 |
| R&D/Sales | 9% | 6% | 6% |
| SG&A/Sales | 29% | 19% | 20% |
| Hardware as % of Revenues | 49% | 14% | 11% |
| Hardware Gross Margin | 32% | 36% | 40% |
| Software as % of Revenues | 17% | 26% | 27% |
| Software Gross Margin | 61% | 89% | 89% |
| Services as % of Revenues | 27% | 57% | 61% |
| Services Gross Margin | 31% | 36% | 37% |

Note: SG&A refers to Sales, General, and Administrative Expenses.
Source: Calculated from IBM Form 10-K annual reports.

IBM’s biggest structural challenge today is that it has become so dependent on professional services, and these kinds of revenues are difficult to scale and automate. They grow approximately on a one-to-one ratio with headcount increases. In fact, in terms of revenues generated per employee, not adjusted for inflation, IBM employees are no more productive today than they were in 1993 (see the table here). Not surprisingly, IBM’s market value (about $170 billion in May 2015) is far behind Apple ($750 billion), Microsoft ($395 billion), Google ($370 billion), and even Facebook ($220 billion), and just ahead of Intel ($160 billion).

Another reason for lagging sales productivity is that technology has become cheaper. Not only do we see this in hardware and software products but in maintenance and services. Software as a service (SaaS) and cloud computing, as well as overseas development and service centers in low-wage areas such as in India, have reduced the need for lucrative maintenance and other technical services. These trends have brought down the total cost of enterprise computing and have meant less revenues for companies such as IBM.

Critics also point out that IBM has propped up the value of company shares through stock buybacks ($108 billion worth since 2000) instead of investing in research and development at the level of other enterprise technology companies, or making big transformational acquisitions.7 (By comparison, Microsoft, Oracle, Google, and SAP generally spend 13% or 14% of revenues on R&D. Apple, because of its limited consumer product lines and rapid sales growth, only spends about 3% of sales on R&D.) For a company whose business is mainly services, though, IBM still spends a lot on R&D. And big R&D spending has not necessarily helped other companies like Microsoft and Intel grow faster than the enterprise computing market, which is increasing sales slowly compared to hot consumer product segments like smartphones and tablets, or even SaaS for small and medium-size enterprises.

But should we always judge the value of a company simply on sales growth and profits? Maybe not. We are now moving into an era of exciting opportunities for new types of products and services that blend big data and “intelligent” analytics with massive computing power—precisely the combination of skills and technologies that few firms, other than IBM, possess within the same organization. One potential example of this combination is the application of IBM Watson to problems such as reducing healthcare costs, diagnosing diseases, minimizing pollution, or optimizing energy usage.

Gerstner’s main contribution was to keep IBM as one company with a clear purpose—service the data processing needs of large organizations, public and private. Those customers often tackle enormously complex problems of value to business, government, and society. In the 1930s, for example, IBM built the information infrastructure for the U.S. Social Security system. In the 1950s and 1960s, it pioneered anti-missile defense software as well as airline reservation systems. Today, it is tackling new applications for artificial intelligence. IBM has always taken on the biggest information technology problems since its predecessor company first began making mechanical tabulators for census taking more than 100 years ago. I expect it will still be taking on society’s most complex data processing and analysis problems 100 years from now.

a See “Watson Computer Wins at Jeopardy”; https://www.youtube.com/watch?v=Puhs2LuO3Zc.
b See “IBM Centennial Film”; http://www.youtube.com/watch?v=39jtNUGgmd4.
c Gerstner told his own story in L. Gerstner, Who Says Elephants Can’t Dance: Inside IBM’s Historic Turnaround. Harper Business, 2002.

References
1. Cusumano, M. IBM: One hundred years of customer solutions. In The Business of Software. Free Press, New York, 2004, 97–108.
2. Harreld, J.B., O’Reilly III, C.A., and Tushman, M.L. Dynamic capabilities at IBM. California Management Review (Summer 2007), 21–43.
3. Langley, M. Behind Ginni Rometty’s plan to reboot IBM. The Wall Street Journal (Apr. 20, 2015).
4. Lohr, S. IBM first quarter earnings top Wall Street expectations. The New York Times (Apr. 20, 2015).
5. Lohr, S. The nature of the IBM crisis. The New York Times (Oct. 22, 2014).
6. Sommer, J. Apple won’t always rule. Just look at IBM. The New York Times (Apr. 25, 2015).
7. Sorkin, A.R. The truth hidden by IBM’s buybacks. The New York Times (Oct. 20, 2014).

Michael A. Cusumano ([email protected]) is a professor at the MIT Sloan School of Management and School of Engineering and co-author of Strategy Rules: Five Timeless Lessons from Bill Gates, Andy Grove, and Steve Jobs (HarperBusiness, 2015).

Copyright held by author.


DOI:10.1145/2814838
George V. Neville-Neil
Article development led by queue.acm.org
Kode Vicious
Storming the Cubicle
Acquisitive redux.

Dear KV,
I just signed on to a new project and started watching commits on the project’s GitLab. While many of the commits seem rational, I noticed one of the developers was first committing large chunks of code and then following up by commenting out small bits of the file, with the commit message “Silence warning.” No one else seemed to notice or comment on this, so I decided to ask the developer what kinds of warnings were being silenced. The reply was equally obscure—“Oh, it’s just the compiler not understanding the code properly.” I decided to run a small test of my own, and I checked out a version of the code without the lines commented out, and ran it through the build system. Each and every warning actually made quite a bit of sense. Since I’m new to the project, I didn’t want to go storming into this person’s cubicle to demand he fix the warnings, but I was also confused by why he might think this was a proper way to work. Do developers often work around warnings or other errors in this way?
Forewarned If Not Forearmed

definitely warrants the use of strong Once upon a time compilers were Dear Forewarned, words, words I am not, alas, allowed to notoriously poor at finding and flag- Let me commend your restraint in not use here. But I commend to you George ging warnings and errors. I suspect storming into this person’s cubicle Carlin’s “Seven Words You Can Never there are readers old enough to have and, perhaps, setting it and the devel- Say on Television”1 as a good start- seen unhelpful messages such as, oper alight, figuratively speaking of ing point. If you find that too strong “Too many errors on one line (make course. I doubt I would have had the you can use my tried-and-true phrase, fewer),” as well as remembering com- same level of restraint without being “What made you think ... ” which needs pilers where a single missing charac- physically restrained. I am told scream- to be said in a way that makes it clear ter would result in pages of error out- ing at developers is a poor way to mo- you are quite sure the listener did not, put, all of which was either misleading

IMAGE BY BLEND IMAGES BY IMAGE tivate them, but this kind of behavior in fact, think at all. or wrong.

OCTOBER 2015 | VOL. 58 | NO. 10 | COMMUNICATIONS OF THE ACM 29 viewpoints

There is a lesson here for both tool Their errors and warnings are clearer writers and tool users. If you write a and better targeted than any I have tool that cries wolf too often then the used thus far. The system is not per- users of that tool, in the absence of a fect, but it beats other compilers I have new and better tool, will simply ignore used (such as gcc). the warnings and errors you output. If you are a tool consumer you had Between warnings and errors, the lat- better be quite sure of your knowledge ter are easier to get right, because the of the underlying system so you can tool can, and should, stop processing say, with better than 90% probability, the input and indicate immediately that a warning you receive is a false what the problem was. Communi- positive. Some readers may not know cating the problem is your next chal- this, but we programmers have a bit of

APPS lenge. The error message I mentioned an issue with hubris. We think we are here came from a real, for-pay prod- modeling in our heads what the code uct sold by a company that went on to is doing, and sometimes what we have make quite a lot of money—it was not in our heads is, indeed, a valid model. generated by some toy compiler cre- That being said, be prepared to be ated by a second-year college student. humbled by the tools you are using. Looking back through previous Kode Good tools, written by good tool writ- Vicious columns you will find plenty ers, embody the knowledge of people Access the of commentary on how to write good who have spent years, and in some log messages, but for tool writers, in cases decades, studying exactly what latest issue, particular those who write tools for the meaning of a code construct is and other engineers, there are a couple of ought to be. Think of the compiler as past issues, key points to keep in mind. an automated guru who is pointing BLOG@CACM, The first point is to be specific. Say you to a higher quality of code. There exactly what was wrong with the input are certainly false gurus in the world, News, and you were trying to process. The more so it pays to pick a good one, because specific your message, the easier it the false ones will surely lead you into more. is for the user of the tool to address a world of programming pain. the problem and move on. Given that KV computer languages are complex beasts, being specific is not always easy, as the input received may have Dear KV, sent your compiler off into some very I saw your response to Acquisitive in odd corners of its internal data struc- the June 2015 Communications.3 I liked tures, but you must try to maintain your response, but would have liked to enough state about the compilation see you address the business side. Available for iPad, process to be able to make the warn- Once the acquisition is completed, iPhone, and Android ing or error specific. 
then Acquisitive’s company owns the The second point is even simpler: software and assumes all of the asso- tell the consumer exactly where, down ciated business risks. So my due dili- to the character in the file if possible, gence on the code would have includ- the error occurs. Older compilers ed ensuring the code in question was thought the line was enough, but if actually written by the engineers at you are looking at a function prototype with five arguments, and one of them is wrong, it is best if your tool says exactly Given that computer Available for iOS, which one is causing the issue, rather Android, and Windows than making the rest of us guess. A languages are blind guess on five arguments gives complex beasts, you a 20% chance, and if you think tool users do not have to guess blindly very being specific is often, then you are one of those engi- not always easy. COMMUNICATIONS neers who never have to deal with ran- dom bits of other people’s code. If you want a good example of a tool that tries to adhere to the two points I have laid out, I recommend you look at Clang and the LLVM compiler suite.

30 COMMUNICATIONS OF THE ACM | OCTOBER 2015 | VOL. 58 | NO. 10

the other company or that it was free and open source software where the engineers were in compliance with the associated open source license. There is a risk that one or more of the engineers brought the code from a previous employer or downloaded it from some online source where the ownership of the code was uncertain. In short, management’s request of Acquisitive should be seen not only as checking the functionality and quality of the code, but also protecting the company against litigation over the associated IP.

Moving up in an organization comes with the need to understand the business and management issues of that organization. Management’s request of Acquisitive might also be seen as a test of whether he has the right business instincts to move higher than the “architect” role to which he was promoted. Someone with a good tech background and strong business knowledge becomes a candidate for CTO or other senior roles.

Business and Management

Dear Business,

You are quite right to point out the issues related to the provenance of the software that Acquisitive has to review and that this ought to also be on the list when reviewing code that will be reused in a commercial or even an open-source context. The number of developers who do not understand source code licensing is, unfortunately, quite large, which I have discovered mostly by asking people why they chose a particular license for their projects. Often the answer is either “I did a search for open source” or “Oh, I thought license X was a good default.” There are books on this topic, as I’m sure you know, such as Lindberg² but it is very difficult to get developers to read about, let alone understand, the issues addressed in those books. But for those who want to be, or find themselves thrust into the role of Acquisitive, this type of knowledge is as important as the ability to understand the quality of acquired code. Anyone who thinks working through a ton of bad code is problematic has not been deposed by a set of lawyers prior to a court case. I am told it is a bit like being a soccer goal tender, but instead of the players (lawyers) kicking a ball at you, they are kicking you instead.

From a practical standpoint, I would expect Acquisitive to ask for the complete commit log for all the code in question. Rational developers—and there are some—will actually put in a code comment when they import a foreign library. They may even notify their management and legal teams, if they have them, about the fact they are using code from some other place. Very few large systems are cut from whole cloth, so the likelihood a system being reviewed contains no outside code is relatively small. Asking the legal team for a list of systems that have been vetted and imported should also be on Acquisitive’s checklist, although it does require talking to lawyers, which I am sure he is inclined to do.

Harking back to the theme of the original letter, even with these pieces of information in hand, Acquisitive should not trust what they were told by others. Spot-checking the code for connections to systems or libraries that are not called out is laborious and time consuming, but, at least in the case of open source code, not insurmountable. Some well-targeted searches of commonly used APIs in the code will often sniff out places where code might have been appropriated. Many universities now use systems to check their students’ code for cheating, and the same types of systems can be used to check corporate code for similar types of cheats.

A basic understanding of copyright and licensing can go a long way, at least in asking the correct questions. In open source we have two major types of licenses, those that control the sharing of code and those that do not. The GPL family of licenses is of the controlled type; depending on the version of the license (LGPL, GPLv2, and GPLv3) the programmer using the code may have certain responsibilities to share changes and fixes they make to the code they import. The BSD family of licenses does not require the programmer using the code to share anything with the originator of the code, and is used only to prevent the originator from being sued. It is also important to verify that the license you see in the file has not been changed. There have been cases of projects changing licenses in derived code, and this has caused a number of problems for various people. A reasonable description of common open source licenses is kept at opensource.org (http://opensource.org/licenses), and I would expect Acquisitive to have looked that over at least a few times during the review.

Lastly, I am not a lawyer, but when I deal with these topics I make sure I have one on my side I trust, because the last thing I want to do is bring a knife to a gun fight.

KV

Related articles on queue.acm.org

Commitment Issues
George Neville-Neil
http://queue.acm.org/detail.cfm?id=1721964

Making Sense of Revision-control Systems
Bryan O’Sullivan
http://queue.acm.org/detail.cfm?id=1595636

20 Obstacles to Scalability
Sean Hull
http://queue.acm.org/detail.cfm?id=2512489

References
1. Carlin, G. Seven words you can never say on television. Class Clown. 1972; https://www.youtube.com/watch?v=lqvLTJfYnik.
2. Lindberg, V. 2008. Intellectual Property and Open Source: A Practical Guide to Protecting Code. O’Reilly. http://shop.oreilly.com/product/9780596517960.do.
3. Neville-Neil, G.V. Lazarus code. Commun. ACM 58, 6 (June 2015), 32–33; http://cacm.acm.org/magazines/2015/6/187314-lazarus-code/abstract.

George V. Neville-Neil ([email protected]) is the proprietor of Neville-Neil Consulting and co-chair of the ACM Queue editorial board. He works on networking and operating systems code for fun and profit, teaches courses on various programming-related subjects, and encourages your comments, quips, and code snips pertaining to his Communications column.

Copyright held by author.
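The spot-check the column describes, running the kind of similarity system universities use on student code over a corporate source tree, can be sketched with winnowed k-gram fingerprints, one technique such checkers use. This is an added example, not code from the column; the C snippets, file names, K, W and the 0.5 threshold are constructed assumptions.

```python
import hashlib
import re

K = 8  # tokens per k-gram; shorter overlaps are treated as noise
W = 4  # window size; any copied run of K + W - 1 tokens or more is caught

C_KEYWORDS = {"int", "unsigned", "char", "const", "struct", "void",
              "if", "else", "while", "for", "return"}
# Simplification: comment stripping does not special-case string literals.
_COMMENT = re.compile(r"//[^\n]*|/\*.*?\*/", re.S)
_TOKEN = re.compile(r"[A-Za-z_]\w*|\d+|\S")


def normalize(source):
    """Drop comments and layout, map identifiers to ID and numbers to NUM,
    so renaming variables or rewording comments does not hide a copy."""
    tokens = []
    for tok in _TOKEN.findall(_COMMENT.sub(" ", source)):
        if tok[0].isalpha() or tok[0] == "_":
            tokens.append(tok if tok in C_KEYWORDS else "ID")
        elif tok[0].isdigit():
            tokens.append("NUM")
        else:
            tokens.append(tok)
    return tokens


def fingerprint(source, k=K, w=W):
    """Hash every k-gram of tokens, then keep the minimum hash of each
    window of w consecutive hashes (winnowing)."""
    tokens = normalize(source)
    hashes = [
        int.from_bytes(
            hashlib.sha1(" ".join(tokens[i:i + k]).encode()).digest()[:8], "big")
        for i in range(len(tokens) - k + 1)
    ]
    if not hashes:
        return set()
    return {min(hashes[i:i + w]) for i in range(max(1, len(hashes) - w + 1))}


def containment(known, candidate):
    """Fraction of the known code's fingerprints that occur in the candidate."""
    return len(known & candidate) / len(known) if known else 0.0


def audit(known_sources, tree, threshold=0.5):
    """Return (file, known_source, score) for every file in `tree` that
    contains at least `threshold` of a known source's fingerprints."""
    known = {name: fingerprint(text) for name, text in known_sources.items()}
    hits = []
    for path, text in sorted(tree.items()):
        fp = fingerprint(text)
        for name, kfp in sorted(known.items()):
            score = containment(kfp, fp)
            if score >= threshold:
                hits.append((path, name, score))
    return hits


# Constructed samples: a stand-in for third-party code, a copy with renamed
# identifiers and different comments, and an unrelated function.
REFERENCE = r"""
/* ring buffer push (constructed stand-in for third-party code) */
int rb_push(struct rb *r, int v) {
    if (r->count == r->cap) return -1;
    r->buf[(r->head + r->count) % r->cap] = v;
    r->count++;
    return 0;
}
"""

RENAMED_COPY = r"""
// internal queue code
int queue_add(struct queue *q, int item) {
    if (q->n == q->size) return -1;   // full
    q->data[(q->first + q->n) % q->size] = item;
    q->n++;
    return 0;
}
"""

UNRELATED = r"""
unsigned checksum(const unsigned char *p, unsigned len) {
    unsigned sum = 0;
    while (len--) sum = (sum << 1) ^ *p++;
    return sum;
}
"""

KNOWN = {"libexample/rb.c": REFERENCE}            # hypothetical library path
TREE = {                                          # hypothetical corporate tree
    "src/queue.c": RENAMED_COPY,
    "src/checksum.c": UNRELATED,
    "src/util.c": UNRELATED + RENAMED_COPY,       # copy buried in a larger file
}

if __name__ == "__main__":
    for path, name, score in audit(KNOWN, TREE):
        print(f"{path}: {score:.0%} of {name} fingerprints present")
```

A hit only says where to look: the reviewer still has to establish where the matched code came from and under which license it was obtained.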

OCTOBER 2015 | VOL. 58 | NO. 10 | COMMUNICATIONS OF THE ACM 31 viewpoints

DOI:10.1145/2814840
Phillip G. Armour

The Business of Software
Thinking Thoughts
On brains and bytes.

Image by Anita Ponne.

Over the last 15 years, through this column, I have been thinking out loud about what it means to consider software as a knowledge storage medium. Rather than a product in the traditional sense, software is better viewed as a container for the real product. What the customer buys and the user employs is the executable knowledge contained in the software. When that knowledge is complete, internally consistent, and properly maps onto a problem space, the software is valuable. When the knowledge is incomplete or contradictory the software can be difficult or even dangerous to use. Discovering a software bug is simply when a lack of knowledge is made manifest, its appearance signals an epiphany of ignorance—an event in time where something that is not known becomes obvious.

While we can consider software as a knowledge medium, perhaps we should also think of software as a thought medium—an extension of our cognitive processes. In fact, since software often contains things that are manifestly not correct knowledge, it is really a place where we store our thinking, even if that thinking happens to be wrong.

So, given our increasing reliance on software to run the world, perhaps we should give some thought to thinking.

Why We May Think

To take a simple evolutionary view, species usually develop capabilities that have some survival advantage. While most animals think, humans have a much higher degree of this capability. But why? We should avoid a teleological argument of the form: we ended up thinking because that is how we ended up. Or its corollary: if we had not developed thinking no one would be around to wonder how and why we ended up thinking. Not that these recursive views are not correct; they are just not very helpful.

The most obvious evolutionary advantage of enhanced thinking would be to give a more efficient way to deal with the world. Thinking has other functions: social cooperation, the ability to plan and forecast and the like. But if the foundational advantage is to better deal with the outside world then thinking should be closely aligned with the senses. It is through our senses that we experience the world, so it makes sense that thinking would build on this. We get hints of this when people say things like: “… that idea stinks, but this idea looks better and it somehow feels right …” Lakoff and Nuñez have made a compelling argument for this with respect to mathematics¹ but it could serve for other thought disciplines.

Near and Far

We cannot easily understand or deal with things unless they are “close together” either physically or conceptually. Our brains are adept at identifying or even imposing relationships that connote similarity; it is one of the fundamental functions of the brain. In fact this “like” construct is essential to our ability to reason and we have done a good job of extending this function by building whole systems, such as algebraic mathematics or the Linnaean classification of living organisms, by collecting different things together based on (our perception of) their alikeness.

The complexities of the constructs we have built for thinking, such as our ability to abstract ideas, make it appear we have moved a long way from our sense-driven cognition processes. But we still clump them together according to their proximity to like things. And we often refer to them using verbs based on our senses.

But these refer to what thinking does, not what thinking is. So what is it?

I Am, Therefore I Think I Am

A traditional view of thinking views knowledge as being resident in some place: this person knows how to play chess and that one does not. This company knows how to build widgets and that one does not. The simplistic locational view of brain function recapitulates this and assumes that physical parts of our brain store knowledge in some static and persistent form. Thinking, particularly recovery from memory, would then be the retrieval of knowledge from those places. It is a simple model and is how we have constructed most digital computers. But it is probably wrong.

Purple People Eaters

When we think of purple people who eat or are eaten the “static knowledge” view of the brain would imply that neurons that store the concept of “purple” and those that store the knowledge of “people” would somehow send purple and people messages to each other, to some central processing function, or to our consciousness. While the brain does have physical locations that specialize in processing certain kinds of information, there is no “purple” neuron, no “color” clump of neurons, and no specific area of the brain that deals with the knowledge of people, purple or otherwise.

Our knowledge of purple and of people and of everything else is likely stored all over the brain and it is stored dynamically not statically. The brain is an enormous network of connections along which signals are continuously traveling. The function of neurons is to amplify and pass on these signals not to store them for later use. These messages start before we are born and they end when we die. They are active when we are reading articles in Communications and when we are asleep.

Thought—conscious or unconscious—can be viewed as a self-sustaining fractal pattern of signals. Embedded in these patterns are sub-patterns that carry the knowledge of all the things we know and all the things we have known. The patterns continuously morph and refresh. Should they ever completely stop they would not restart. The knowledge carried by these patterns is like a radio signal imposed on a carrier in which is embedded many other signals.

Patterns Within Flows

The “strongest” of these patterns are our most conscious and intentional thoughts—those that are strong enough to be accessible to and recognized by the “consciousness” pattern. Our habits might also be strong patterns, though we may be quite unaware of them. Some patterns resemble other patterns and these similarities are themselves signals. Some signals are so weak they are almost gone. When they weaken further or are completely buried in other patterns they will be gone and we will have “forgotten.” Patterns can be made stronger by continually revisiting them as happens when we practice playing a musical instrument. Patterns that are very similar to others may become conflated over time and memories merge.

Pulling Patterns

Thought, like the Von Neumann architecture, uses much the same mechanisms for “data” as for “process”—for knowledge and how to access that knowledge. It is likely that some of these patterns are functional rather than factual. That is, they enable actions rather than store data; they are verbs rather than nouns. Some patterns are “retrieval patterns” that search other signals to see how similar they are and perhaps perform some organization on them. This organization may consist of:
• combining patterns where one is subsumed into another or they are merged—this is the “like” construct;
• comparing patterns to identify differences and similarities—which might be compared to other differences and similarities;
• patterns that organize other patterns rather like indexes;
• meta-patterns that set out patterns based on similarities and differences;
• meta-meta patterns, rather like this list; and
• hybrid patterns that hook together other pattern types (including hybrid patterns).

Consciousness

Consciousness, as a pattern that is more aware of itself (read: able to process) than other patterns, seems to be the thing that separates humans from animals. Animals think, but they do not appear to think about thinking. This introspection pattern is likely a main element of consciousness and thinking-about-thinking is evident in the very name of the modern human, which is homo sapiens sapiens.

Ontology Recapitulates Psychology

Software languages and designs appear to recapitulate brain function—in fact, it is difficult to see how they could be much different. We use proximity constructs in “modularization.” We have search patterns and indexes and “like” constructs we call inheritance, we push and pop data into our memory as onto a stack. We refresh using constructors and destructors. We have process and data, operators, and operands. This seems quite obvious. But if software is thought—even “bad” or “incorrect” thought—then the building blocks of thought must be the building blocks of software.

Cognitive Machine

Our most entrenched software mechanisms and constructs come, not from the outside world, but from the inside world. We do not have object classes and inheritance because the world is structured this way, we have them because we are structured this way. We would think of better ways to build software if we better understand how we think.

The first sentence on the first page of the first book I ever read about software development reads: “This book has only one major purpose—to trigger the beginning of a new field of study: … the psychology of computer programming.”² I read it in 1972.

It is time to read it again, I think.

References
1. Lakoff, G. and Nunez, R. Where Mathematics Comes From: How the Embodied Mind Brings Mathematics Into Being. Basic Books, 2001.
2. Weinberg, G.M. The Psychology of Computer Programming. Van Nostrand Reinhold, 1971.

Phillip G. Armour ([email protected]) is a vice president at Applied Pathways LLC, Schaumburg, IL, and a senior consultant at Corvus International Inc., Deer Park, IL.

Copyright held by author.

Calendar of Events

October 3–7
CHI PLAY ‘15: The Annual Symposium on Computer-Human Interaction in Play, London, UK, Sponsored: ACM/SIG, Contact: Anna L Cox, Email: [email protected]

October 9–12
RACS ‘15: International Conference on Research in Adaptive and Convergent, Prague Czech Republic, Contact: Esmaeil S. Nadimi, Email: [email protected]

October 12–16
CCS’15: The 22nd ACM Conference on Computer and Communications Security, Denver, CO, Sponsored: ACM/SIG, Contact: Indrajit Ray, Email: [email protected]

October 18–21
PACT ‘15: International Conference on Parallel Architectures and Compilation, San Francisco, CA, Contact: Kathy Yelick, Email: [email protected]

October 19–23
CIKM’15: 24th ACM International Conference on Information and Knowledge Management, Melbourne VIC Australia, Sponsored: ACM/SIG, Contact: James Bailey, Email: [email protected]

October 22–23
ESEM ‘15: 2015 ACM-IEEE International Symposium on Empirical Software Engineering and Measurement, , China, Contact: Guenther Ruhe, Email: [email protected]

October 25–30
SPLASH ‘15: Conference on Systems, Programming, Languages, and Applications: Software for Humanity, Pittsburgh, PA, Sponsored: ACM/SIG, Contact: Jonathan Aldrich, Email: jonathan.aldrich@cs.cmu.edu


DOI:10.1145/2814845
Thomas J. Misa

Historical Reflections
Computing Is History
Reflections on the past to inform the future.

With cloud, big data, supercomputing, and social media, it’s clear that computing has an eye on the future. But these days the computing profession also has an unusual engagement with history. Three recent books articulating the core principles or essential nature of computing place the field firmly in history. Purdue University has just published an account of its pioneering effort in computer science.⁴ Boole, Babbage, and Lovelace are in the news, with bicentennial celebrations in the works. Communications readers have been captivated by a specialist debate over the shape and emphasis of computing’s proper history.ᵃ And concerning the ACM’s role in these vital discussions, our organization is well situated with an active History Committee and full visibility in the arenas that matter.

Perhaps computing’s highly visible role in influencing the economy, reshaping national defense and security, and creating an all-embracing virtual reality has prompted some soul searching. Clearly, computing has changed the world—but where has it come from? And where might it be taking us? The tantalizing question whether computing is best considered a branch of the mathematical sciences, one of the engineering disciplines, or a science in its own right remains unsolved. History moves to center stage according to Subrata Dasgupta’s It Began with Babbage: The Genesis of Computer Science.¹ Dasgupta began his personal engagement with history in conversation with Maurice Wilkes and David Wheeler. Babbage, Lovelace, Hollerith, Zuse, Aiken, Turing, and von Neumann, among others, loom large in his pages.

Two recent books further suggest that computing is historically grounded. Peter Denning and Craig Martell’s Great Principles of Computing² builds on Denning’s 30-year quest to identify and codify “principles” as the essence of computing. The authors readily grant the origins of the Association for Computing Machinery, initially coupled to the study and analysis of computing machines. In their perspective on computing as science, they approvingly quote Edsger Dijkstra’s quip “computer science is no more about computers than astronomy is about telescopes.”

Dijkstra and others in the founding generation closely connected to studies in logic, computability, and numerical analysis naturally saw computing as a mathematical or theoretical endeavor and resisted a focus on engineering questions and technological manifestations. Similarly, Denning and Martell look beyond the 42 ACM-recognized computing domains, such as security, programming languages, graphics or artificial intelligence, to discern common principles that guide or constrain “how we manipulate matter and energy to perform computations,” their apt description of the field. For each of their six principles—communication, computation, coordination, recollection, evaluation, and design—historical cases and historical figures shape their exposition. Communication is Claude Shannon, Harry Nyquist, Richard Hamming. These are historical principles.

In Great Principles the closer the authors get to cutting-edge science, the less their findings resemble the science-fair model of hypothesis, data collection, and analysis. They start from Dijkstra’s view that “programming is one of the most difficult branches of applied mathematics.” But programming is more than math. Programming languages from Fortran (1957) to Python (2000) are expressions of algorithms in an artificial language with its own syntax, often tailored for specific applications. Programmers with varied levels of skill work with compilers or interpreters, debugging tools, and version control as well as grapple with different means for avoiding errors. The practice of programming, however, is not cut-and-dried application of known laws. “Good programming is an artisan skill developed with good training and years of practice,” they affirm.

Design as a core computing principle emerges from the authors’ treatment of ENIAC and EDVAC in the 1940s through the information protection principles of Saltzer and Schroeder (1975) and forward to the design hints of Butler Lampson (1983). Judgment, intuition, and sense of history come to the fore. “Success of a design . . . depends on knowledge of history in the designer’s field, which informs the designer on what works and what does not work.” Design returns powerfully in their conclusion, which emphatically places “designers and their work at the center of the progress and innovation in computing.” Great Principles does not stand apart from history; it embraces historical examples and historical thinking. And with design at its core, computing is history.

Matti Tedre’s The Science of Computing: Shaping a Discipline⁵ examines three broad historical debates about the nature of computing: about computing as a distinctive theoretical field (starting in the 1930s), as an engineering field, and as a science in its own right. Tedre writes in the shadow of Denning’s principles, with due tribute. His engagement with history is long and deep. Tedre sets up the pre-history in Leibniz, Boole, and Frege and closely examines the “decision problem” that animated Church and Turing, arriving at a surprising conclusion. He suggests, unmistakably, that “Turing’s mathematical ideas had little if any influence on the invention of the modern computer.” At Princeton in the mid-1930s the pieces were there—but they did not gel: Turing gives a seminar on his just-published computable numbers paper, aided by Alonzo Church, but “there was rather bad attendance.” With just two reprint requests, Turing despairs. And in a fellowship recommendation that von Neumann wrote for Turing in June 1937—just where you would expect a line about computability or decision problem—the great mathematician and soon-to-be namesake of von Neumann architecture praises instead Turing’s “good work” in quasi-periodic functions! At this critical juncture Turing’s influence on von Neumann is, at best, indirect and elusive.ᵇ

Tedre also closely examines the rival visions for “computer science” in the 1960s and the shifting emphases in ACM’s model curricula. Three distinct debates engagingly frame the emerging scientific character of computing, including debates on formal verification, when advocates like C.A.R. Hoare (1985) sought to formally prove program correctness and create computing from axioms; on software engineering, which unsettled the theoretical and mathematical foundations of the pioneers; and on experimental computer science, which it seems everyone loved but no one quite practiced. Tedre gives a balanced treatment of each debate, attending to the intellectual and institutional dimensions, as people sought funding from the NSF, aimed at disciplinary identity, and struggled to create educational coherence. Computing emerges as a science, but there is no unfolding of a singular Newtonian paradigm.

Turing’s complex legacy is of enhanced importance today with the expansion of the A.M. Turing Award, given for “major contributions of lasting importance to computing.” The Turing Award recipients are dramatis personae for each of these books. Tedre, especially, heavily cites their contributions in Communications. The ACM History Committee, created in 2004, recently concluded a major revamping of the Turing Award website (http://amturing.acm.org). Michael R. Williams, professor emeritus at the University of Calgary, expanded the individual entries beginning with Alan Perlis in 1966, aiming at in-depth coverage for ACM members as well as accessible treatments that might spread the word. The History Committee has just launched a major oral-history initiative to ensure there are interviews with each of the 42 living Turing laureates, creating (where interviews are yet needed) a compelling video record.ᶜ These oral histories, continued year by year, will complement the ongoing work on the Turing website, overseen now by Thomas Haigh.

The History Committee connects the ACM membership with professional historians of computing. Committee members represent research centers and museums, libraries and academic departments, industry and government laboratories, and varied ACM committees.³ Since 2009 the History Committee has supported 22 historical projects on ACM’s storied history. So far the results include five completed Ph.D. dissertations, two published books, and a bevy of conference papers and other contributions. We responded to the ACM membership’s curiosity about archival principles and methods with a workshop at the Charles Babbage Institute in May 2014.ᵈ This month we will hold an ACM history workshop at the annual meetings of the Society for the History of Technology and the SIGCIS history of computing group.ᵉ ACM members’ interest in oral history methods and SIG-centered history are on the docket.

The computing-history gap that Donald Knuth was troubled by and that Thomas Haigh anatomizedᶠ might be tractable. Despite the clear challenges of doing professional history with rigorous computing content, we have evident successes. In her 2012 History Committee-supported Ph.D. dissertation (“Turing Award Scientists: Contribution and Recognition in Computer Science”) Irina Nikiforova from Georgia Tech investigated intellectual and institutional patterns in which fields of computer science and which computer scientists were likely awardees. In another dissertation, completed in 2013 (“A House with the Window to the West: The Akademgorodok Computer Center (1958–1993))” Princeton’s Ksenia Tatarchenko follows Andrei Ershov and his colleagues’ efforts to build computer science in Soviet Russia and forge professional ties—across the “iron curtain”—to the ACM community. New York University’s Jacob Gaboury’s 2014 dissertation (“Image Objects: Computer Graphics at the University of Utah”) investigates the prolific Evans and Sutherland network. Books done with ACM support are out from Cambridge University Press and forthcoming from ACM Books.ᵍ In funding original research on ACM, as with enhanced publicity for the Turing awardees, we see many opportunities for constructive collaboration and professional dialogue in the years to come.

a Downloads exceed 114,000 for Thomas Haigh’s Historical Reflections column “The Tears of Donald Knuth,” Commun. ACM 58, 1 (Jan. 2015), 40–44, as of August 26, 2015.
b Andrew Hodges, Alan Turing: The Enigma (Simon & Schuster 1983), quotes “bad attendance,” and “good work.” Dasgupta¹ largely agrees (p. 58), then hedges (p. 113). By contrast, Martin Davis in The Universal Computer (2000) and George Dyson in Turing’s Cathedral (2012) suggest a close connection between Turing and von Neumann.
c See ACM History Committee interviews at http://history.acm.org/content.php?do=interviews.
d See “ACM History Committee Archiving Workshop” ACM SIGSOFT Software Engineering Notes http://dl.acm.org/citation.cfm?doid=2693208.2693215 and http://history.acm.org/public/public_documents/ACM-archiving-workshop_2014-05.pdf.
e See http://www.historyoftechnology.org/features/annual_meeting/.
f See Thomas Haigh’s column cited in footnote a and Martin Campbell-Kelly, “Knuth and the Spectrum of History,” IEEE Annals of the History of Computing 36, 3 (July–Sept. 2014), 96.
g With ACM funding Andrew Russell completed a set of interviews with European networking pioneers that led to his book Open Standards and the Digital Age (Cambridge University Press, 2014). ACM funding supported Bernadette Longo’s biography of ACM founder: Edmund Berkeley and the Social Responsibility of Computer Professionals (ACM Books, forthcoming 2015).

References
1. Dasgupta, S. It Began with Babbage: The Genesis of Computer Science. Oxford University Press, 2014.
2. Denning, P. and Martell, C. Great Principles of Computing. MIT Press, 2015.
3. Hall, M. Understanding ACM’s past. Commun. ACM 55, 12 (Dec. 2012), 5.
4. Pyle, R.L. First in the Field: Breaking Ground in Computer Science at Purdue University. Purdue University Press, 2015.
5. Tedre, M. The Science of Computing: Shaping a Discipline. CRC Press, 2015.

Thomas J. Misa ([email protected]) is chair of the ACM History Committee.

Copyright held by author.


DOI:10.1145/2770869
Thomas G. Dietterich and Eric J. Horvitz

Viewpoint
Rise of Concerns about AI: Reflections and Directions
Research, leadership, and communication about AI futures.

[Figure: AI has been in the headlines with such notable advances as self-driving vehicles, now under development at several companies; Google’s self-driving car is shown here. Image courtesy of google.com/selfdrivingcar/]

Discussions about artificial intelligence (AI) have jumped into the public eye over the past year, with several luminaries speaking about the threat of AI to the future of humanity. Over the last several decades, AI—automated perception, learning, reasoning, and decision making—has become commonplace in our lives. We plan trips using GPS systems that rely on the A* algorithm to optimize the route. Our smartphones understand our speech, and Siri, Cortana, and Google Now are getting better at understanding our intentions. Machine vision detects faces as we take pictures with our phones and recognizes the faces of individual people when we post those pictures to Facebook. Internet search engines rely on a fabric of AI subsystems. On any day, AI provides hundreds of millions of people with search results, traffic predictions, and recommendations about books and movies. AI translates among languages in real time and speeds up the operation of our laptops by guessing what we will do next. Several companies are working on cars that can drive themselves—either with partial human oversight or entirely autonomously. Beyond the influences in our daily lives, AI techniques are playing roles in science and medicine. AI is already at work in some hospitals helping physicians understand which patients are at highest risk for complications, and AI algorithms are finding important needles in massive data haystacks, such as identifying rare but devastating side effects of medications.

The AI in our lives today provides a small glimpse of more profound contributions to come. For example, the fielding of currently available technologies could save many thousands of lives, including those lost to accidents on our roadways and to errors made in medicine. Over the longer-term, advances in machine intelligence will have deeply beneficial influences on healthcare, education, transportation, commerce, and the overall march of science. Beyond the creation of new applications and services, the pursuit of insights about the computational foundations of intelligence promises to reveal new principles about cognition that can help provide answers to longstanding questions in neurobiology, psychology, and philosophy.

On the research front, we have been making slow, yet steady progress on “wedges” of intelligence, including work in machine learning, speech recognition, language understanding, computer vision, search, optimization, and planning. However, we have made surprisingly little progress to date on building the kinds of general intelligence that experts and the lay public envision when they think about “Artificial Intelligence.” Nonetheless, advances in AI—and the prospect of new AI-based autonomous systems—have stimulated thinking about the potential risks associated with AI.

A number of prominent people, mostly from outside of computer science, have shared their concerns that AI systems could threaten the survival of humanity.¹ Some have raised concerns that machines will become superintelligent and thus be difficult to control. Several of these speculations envision an “intelligence chain reaction,” in which an AI system is charged with the task of recursively designing progressively more intelligent versions of itself and this produces an “intelligence explosion.”⁴ While formal work has not been undertaken to deeply explore this possibility, such a process runs counter to our current understandings of the limitations that computational complexity places on algorithms for learning and reasoning. However, processes of self-design and optimization might still lead to significant jumps in competencies.

Other scenarios can be imagined in which an autonomous computer system is given access to potentially dangerous resources (for example, devices capable of synthesizing billions of biologically active molecules, major portions of world financial markets, large weapons systems, or generalized task markets⁹). The reliance on any computing systems for control in these areas is fraught with risk, but an autonomous system operating without careful human oversight and failsafe mechanisms could be especially dangerous. Such a system would not need to be particularly intelligent to pose risks.

We believe computer scientists must continue to investigate and address concerns about the possibilities of the loss of control of machine intelligence via any pathway, even if we judge the risks to be very small and far in the future. More importantly, we urge the computer science research community to focus intensively on a second class of near-term challenges for AI. These risks are becoming salient as our society comes to rely on autonomous or semiautonomous computer systems to make high-stakes decisions. In particular, we call out five classes of risk: bugs, cybersecurity, the “Sorcerer’s Apprentice,” shared autonomy, and socioeconomic impacts.

The first set of risks stems from programming errors in AI software. We are all familiar with errors in ordinary software; bugs frequently arise in the development and fielding of software applications and services. Some software errors have been linked to extremely costly outcomes and deaths. The verification of software systems is challenging and critical, and much progress has been made—some relying on AI advances in theorem proving. Many non-AI software systems have been developed and validated to achieve high degrees of quality assurance. For example, the software in autopilot and spacecraft systems is carefully tested and validated. Similar practices must be applied to AI systems. One technical challenge is to guarantee that systems built via machine learning methods behave properly. Another challenge is to ensure good behavior when an AI system encounters unforeseen situations. Our automated vehicles, home robots, and intelligent cloud services must perform well even when they receive surprising or confusing inputs. Achieving such robustness may require self-monitoring architectures in which a meta-level process continually observes the actions of the system, checks that its behavior is consistent with the core intentions of the designer, and intervenes or alerts if problems are identified. Research on real-time verification and monitoring of systems is already exploring such layers of reflection, and these methods could be employed to ensure the safe operation of autonomous systems.³,⁶

A second set of risks is cyberattacks: criminals and adversaries are continually attacking our computers with viruses and other forms of malware. AI algorithms are as vulnerable as any other software to cyberattack. As we roll out AI systems, we need to consider the new attack surfaces that these expose. For example, by manipulating training data or preferences and trade-offs encoded in utility models, adversaries could alter the behavior of these systems. We need to consider the implications of cyberattacks on AI systems, especially when AI methods are charged with making high-stakes decisions. U.S. funding agencies and corporations are supporting a wide range of cybersecurity research projects, and artificial intelligence techniques will themselves provide novel methods for detecting and defending against cyberattacks. For example, machine learning can be employed to learn the fingerprints of malware, and new layers of reflection can be employed to detect abnormal internal behaviors, which can reveal cyberattacks. Before we put AI algorithms in control of high-stakes decisions, we must be confident these systems can survive large-scale cyberattacks.

A third set of risks echoes the tale of the Sorcerer’s Apprentice. Suppose we tell a self-driving car to “get us to the airport as quickly as possible!” Would the autonomous driving system put the pedal to the metal and drive at 125 mph, putting pedestrians and other drivers at risk? Troubling scenarios of this form have appeared recently in the press. Many of the dystopian scenarios of out-of-control superintelligences are variations on this theme. All of these examples refer to cases where humans have failed to correctly instruct the AI system on how it should behave. This is not a new problem. An important aspect of any AI system that interacts with people


is that it must reason about what people intend rather than carrying out commands literally. An AI system must analyze and understand whether the behavior that a human is requesting is likely to be judged as "normal" or "reasonable" by most people. In addition to relying on internal mechanisms to ensure proper behavior, AI systems need to have the capability—and responsibility—of working with people to obtain feedback and guidance. They must know when to stop and "ask for directions"—and always be open for feedback.

Some of the most exciting opportunities for deploying AI bring together the complementary talents of people and computers.5 AI-enabled devices are allowing the blind to see, the deaf to hear, and the disabled and elderly to walk, run, and even dance. AI methods are also being developed to augment human cognition. As an example, prototypes have been aimed at predicting what people will forget and helping them to remember and plan. Moving to the realm of scientific discovery, people working together with the Foldit online game8 were able to discover the structure of the virus that causes AIDS in only three weeks, a feat that neither people nor computers working alone could match. Other studies have shown how the massive space of galaxies can be explored hand-in-hand by people and machines, where the tireless AI astronomer understands when it needs to reach out and tap the expertise of human astronomers.7 There are many opportunities ahead for developing real-time systems that involve a rich interleaving of problem solving by people and machines.

However, building these collaborative systems raises a fourth set of risks stemming from challenges with fluidity of engagement and clarity about states and goals. Creating real-time systems where control needs to shift rapidly between people and AI systems is difficult. For example, airline accidents have been linked to misunderstandings arising when pilots took over from autopilots.a The problem is that unless the human operator has been paying very close attention, he or she will lack a detailed understanding of the current situation and can make poor decisions. Here again, AI methods can help solve these problems by anticipating when human control will be required and providing people with the critical information that they need.

A fifth set of risks concerns the broad influences of increasingly competent automation on socioeconomics and the distribution of wealth.2 Several lines of evidence suggest AI-based automation is at least partially responsible for the growing gap between per capita GDP and median wages. We need to understand the influences of AI on the distribution of jobs and on the economy more broadly. These questions move beyond computer science into the realm of economic policies and programs that might ensure that the benefits of AI-based productivity increases are broadly shared.

Achieving the potential tremendous benefits of AI for people and society will require ongoing and vigilant attention to the near- and longer-term challenges to fielding robust and safe computing systems. Each of the first four challenges listed in this Viewpoint (software quality, cyberattacks, "Sorcerer's Apprentice," and shared autonomy) is being addressed by current research, but even greater efforts are needed. We urge our research colleagues and industry and government funding agencies to devote even more attention to software quality, cybersecurity, and human-computer collaboration on tasks as we increasingly rely on AI in safety-critical functions.

At the same time, we believe scholarly work is needed on the longer-term concerns about AI. Working with colleagues in economics, political science, and other disciplines, we must address the potential of automation to disrupt the economic sphere. Deeper study is also needed to understand the potential of superintelligence or other pathways to result in even temporary losses of control of AI systems. If we find there is significant risk, then we must work to develop and adopt safety practices that neutralize or minimize that risk. We should study and address these concerns, and the broader constellation of risks that might come to the fore in the short- and long-term, via focused research, meetings, and special efforts such as the Presidential Panel on Long-Term AI Futuresb organized by the AAAI in 2008–2009 and the One Hundred Year Study on Artificial Intelligence,10,c which is planning centuries of ongoing studies about advances in AI and its influences on people and society.

The computer science community must take a leadership role in exploring and addressing concerns about machine intelligence. We must work to ensure that AI systems responsible for high-stakes decisions will behave safely and properly, and we must also examine and respond to concerns about potential transformational influences of AI. Beyond scholarly studies, computer scientists need to maintain an open, two-way channel for communicating with the public about opportunities, concerns, remedies, and realities of AI.

a See http://en.wikipedia.org/wiki/China_Airlines_Flight_006.
b See http://www.aaai.org/Organization/presidential-panel.php.
c See https://ai100.stanford.edu.

References
1. Bostrum, N. Superintelligence: Paths, Dangers, Strategies. Oxford University Press, 2014.
2. Brynjolfsson, E. and McAfee, A. The Second Machine Age: Work Progress, and Prosperity in a Time of Brilliant Technologies. W.W. Norton & Company, New York, 2014.
3. Chen, F. and Rosu, G. Toward monitoring-oriented programming: A paradigm combining specification and implementation. Electr. Notes Theor. Comput. Sci. 89, 2 (2003), 108–127.
4. Good, I.J. Speculations concerning the first ultraintelligent machine. In Advances in Computers, Vol. 6. F.L. Alt and M. Rubinoff, Eds., Academic Press, 1965, 31–88.
5. Horvitz, E. Principles of mixed-initiative user interfaces. In Proceedings of CHI '99, ACM SIGCHI Conference on Human Factors in Computing Systems (Pittsburgh, PA, May 1999); http://bit.ly/1OEyLFW.
6. Huang, J. et al. ROSRV: Runtime verification for robots. Runtime Verification, (2014), 247–254.
7. Kamar, E., Hacker, S., and Horvitz, E. Combining human and machine intelligence in large-scale crowdsourcing. AAMAS 2012 (Valencia, Spain, June 2012); http://bit.ly/1h6gfbU.
8. Khatib, F. et al. Crystal structure of a monomeric retroviral protease solved by protein folding game players. Nature Structural and Molecular Biology 18 (2011), 1175–1177.
9. Shahaf, D. and Horvitz, E. Generalized task markets for human and machine computation. AAAI 2010, (Atlanta, GA, July 2010), 986–993; http://bit.ly/1gDIuho.
10. You, J. A 100-year study of artificial intelligence? Science (Jan. 9, 2015); http://bit.ly/1w664U5.

Thomas G. Dietterich is a Distinguished Professor in the School of Electrical Engineering and Computer at Oregon State University in Corvallis, OR, and president of the Association for the Advancement of Artificial Intelligence (AAAI).

Eric J. Horvitz is Distinguished Scientist and Director of the Microsoft Research lab in Redmond, Washington. He is the former president of AAAI and continues to serve on AAAI's Strategic Planning Board and Committee on Ethics in AI.

Copyright held by authors.

Watch the authors discuss their work in this exclusive Communications video. http://cacm.acm.org/videos/rise-of-concerns-about-ai-reflections-and-directions


DOI:10.1145/2686871
Phillip Compeau and Pavel A. Pevzner

Viewpoint
Life After MOOCs
Online science education needs a new revolution.

THREE YEARS AGO, published an editorial in Communications expressing concerns about the pedagogical quality of massive open online courses (MOOCs) and including the sentiment, "If I had my wish, I would wave a wand and make MOOCs disappear."9 His editorial was followed by studies highlighting various limitations of MOOCs (see Karsenti5 for a review). We share the concerns about the quality of early primitive MOOCs, which have been hyped by many as a cure-all for education. At the same time, we feel much of the criticism of MOOCs stems from the fact that truly disruptive scalable educational resources have not yet been developed. For this reason, if we had a wand, we would not wish away MOOCs but rather transform them into a more effective educational product called a massive adaptive interactive text (MAIT) that can compete with a professor in a classroom. We further argue that computer science is a discipline in which this transition is about to happen.

When Will Massive Open Online Courses Disappear?

Was the printing press a worthwhile invention? This may seem like a silly question, but some of the backlash against early MOOCs reminds us of a criticism of the printing press made by the prominent 15th-century polymath Johannes Trithemius. Believing printed books were inferior to hand-copied manuscripts, Trithemius wrote, "The printed book is made of paper and, like paper, will quickly disappear."8

Anyone who has witnessed the beauty of a Renaissance illuminated manuscript can sympathize with Trithemius. Likewise, anyone who has attended a lecture delivered by a brilliant teacher in a small classroom can sympathize with Vardi. Yet in reality, contemporary higher education often falls short of this ideal.

The Case for Radical Change in Science Education

Large universities continue to pack hundreds of students into a single classroom, despite the fact this "hoarding" approach has little pedagogical value.4 Hoarding is particularly objectionable in science, technology, engineering, and mathematics (STEM) courses, where learning a complex idea is comparable to navigating a labyrinth. In the large classroom, once a student takes a wrong turn, the student has limited opportunities to ask a question in order to facilitate understanding, resulting in a learning breakdown, or the inability to progress further without individualized guidance.

A recent revolution in online education has largely focused on making low-cost equivalents of hoarding classes. These MOOCs, which are largely video-based, have translated all of the pedagogical problems with hoarding into an even less personal forum online. In other words, MOOCs have thus far focused on being massive, when they should strive to feel individual.

Rather than reproducing the impersonal experience of listening to a professor's lecture in a large auditorium, online education should move toward replicating the experience of receiving one-on-one tutoring in the professor's office—the most productive (yet expensive) form of education.2

Furthermore, the majority of energy a student invests in a STEM course is spent outside of the classroom, reading a textbook and completing assignments. But the traditional textbook suffers from the same flaw as a large class in failing to address individual learning breakdowns. And although some publishers have recently founded projects aimed at developing truly interactive learning resources, results have been slow in coming.

Since universities and academic publishers have failed to address these shortcomings, we are calling for a second revolution in online education. This revolution will focus on the creation of MAITs, a new generation of interactive learning experiences for STEM fields that can adapt to learners' individual needs and simulate the experience of one-on-one education.

Our call for revolution may seem like a lofty proposal, but we believe the time is ripe for a number of reasons. First, the rise of MOOCs has already established a competitive online marketplace, in which only the most developed courses in a given STEM discipline will have a chance of long-term success. Second, large investments are being made into sophisticated content platforms that can help improve upon the current video-based model. Third, a well-established research field is devoted to intelligent tutoring systems (ITSs), and next-generation electronic textbooks are already in development.1,7

Efforts in ITS research have attempted to address certain inherent limitations of the traditional classroom, such as: most instructors teach to only a certain percentile of the class; most students do not receive the immediate feedback necessary to prevent learning breakdowns; and most instructors lack information about the many different learning breakdowns experienced by individual students. Yet despite the promise of ITSs, as Mazoue6 noticed, hardly any MOOCs have adopted ITSs. In light of the limited success of ITSs with the current generation of MOOCs, this Viewpoint defines a clear plan for how to make MOOCs truly disruptive by transforming them into MAITs.

What Is a MAIT?

A MAIT is defined by the following characteristics:
* Automated, individualized assessments;
* Interactivity;
* Adaptivity; and
* Modularity

Here, we illustrate these characteristics using our own experience in developing the Bioinformatics Specialization on Coursera, a series of six MOOCs followed by a Capstone Projecta accompanied by a textbook.3 In contrast to initial ITS developments, which have largely aimed at entry-level courses, Bioinformatics is a series of complex interdisciplinary courses aimed at upper-level undergraduate and graduate students that covers algorithms, biology, and programming.b

That we are MOOC developers may come as a surprise, since we have expressed doubts that MOOCs in their current form really represent a paradigm shift in STEM education. However, we see the creation of a MOOC as a natural first step toward producing a MAIT, and we are currently transitioning Bioinformatics toward a MAIT.

Automated, individualized assessments. When a student suffers a learning breakdown, that student needs immediate help in order to proceed. But traditional homework assignments are issued a week after the breakdown occurs. Teaching assistants (TAs) then must grade these assignments by hand, an undertaking that often proves repetitive. Furthermore, homework assignments are often unchanged year after year, and assignments at different universities have substantial overlap. Such a system makes no sense when grading in many STEM courses can be consolidated into a single automated system available at all universities.

In our call for automated assessments, we are not referring to primitive quizzes testing whether students are awake, but rather to robust assignments that require a sophisticated software system. Computer science is a unique discipline in that students' ability to program provides the opportunity to automatically check their knowledge through coding challenges. These coding challenges are far superior to traditional quizzes because, in order to implement a complex program, the student must possess a deep understanding of its underlying computational ideas.

Programming challenges already account for a significant fraction of assignments in many computer science courses such as introductory algorithms. However, thousands of computer science professors have implemented their own custom-made systems for grading student programs, an incredible illustration of academic inefficiency. A MAIT therefore promises to build a common repository of programming challenges and a user-friendly environment for learners, thus allowing professors and TAs to focus on teaching.

For example, in addition to our MOOC, we contributed to the development of Rosalind,c a platform that automatically grades programming challenges in bioinformatics and allows a professor to form a customized Rosalind Classroom for managing assessments. In addition to Rosalind's 30,000 users, the Rosalind Classroom has been used over 100 times by professors wishing to incorporate its automated grading function into their offline courses. Grading half a million submissions to Rosalind has freed an army of TAs from the task of grading, thus saving time for interactions with students. Rosalind problems are individualized: the input parameters are randomly generated so no two students receive the same assignment.

Interactivity. A MAIT should incorporate elements of active learning. For example, Bioinformatics incorporates hundreds of "just in time" exercises and coding challenges that assess the student's progress at the exact moment this assessment is needed, facilitating the transition to the next topic. As such, Bioinformatics attempts to address learning breakdowns as soon as they occur.

A MAIT should also incorporate peer instruction, helping students interact with each other as well as with online TAs. If a learning breakdown persists after attempting an assessment, the student should be able to consult with peers who are having exactly the same breakdown. To achieve this goal, each paragraph of the interactive text powering Bioinformatics specialization is linked to a separate discussion forum.

Adaptivity. Most MOOCs incorporate elements of interactivity, but their educational materials are essentially static. In contrast, MAITs should be adaptive, an adjective that we apply in two distinct senses.

First, a MAIT should implement adaptive learning, meaning it can differentiate students' responses and guide them through the material on individual learning paths according to these responses. Achieving true adaptive learning is the most challenging aspect of creating a MAIT, since it requires far more work than creating a textbook or MOOC.

Second, in order to achieve adaptive learning, the MAIT itself must be adaptive, meaning that its authors must be willing to change its content perpetually. This property is missing in most existing MOOCs because revising a video lecture (even to change a single sentence) is costly.

To make a MAIT adaptive, its authors should initially generate a compendium of learning breakdowns. We recently generated a compendium for Bioinformatics based on the analysis of 8,500 discussion forum posts. This compendium is a pedagogical gold mine that has helped us continually revise our course and eliminate many learning breakdowns.

Creating a compendium of learning breakdowns has also been an eye-opening experience. We never could have imagined our students' ability to catch every tiny logic error, every minor detail we had attempted to hide. At the same time, our students encountered many unpredictable, superficially implausible learning breakdowns. Most breakdowns only affected a small percentage of students but were made apparent by the scale of the MOOC.

After generating a compendium of learning breakdowns, a MAIT's authors should be willing to write many special adaptive modules, each one presented only to students with a specific breakdown. Unfortunately, most current MOOCs are static, with limited changes introduced between consecutive offerings of the course. In our case, the creation of adaptive modules has nearly doubled the content needed for Bioinformatics. Assigning students to remedial modules should be done based on automated analysis of their responses, another important feature of a successful MAIT that will require future investment into data analysis.

Adaptive learning is a particularly attractive feature of MAITs in interdisciplinary fields. In these fields, students come from a variety of disciplines, and they often have gaps in their background and skills. In Bioinformatics, for example, biology, mathematics, and physics students typically lack knowledge of algorithms, whereas computer science students typically lack knowledge of statistics and biology. We have witnessed firsthand how automated assignments allow Bioinformatics students to succeed despite these gaps, but more work must be done to provide each student with an individual learning path through the course.

Modularity. Because the existence of a MAIT in a given field will likely flatten the textbook and MOOC markets in that field, some would rightly be concerned that a MAIT might lead to a rigid, standardized curriculum. To prevent this pitfall, MAITs should include an effort to modularize core content and provide resources for supplementing this content by additional crowdsourced learning modules.

An ancillary benefit of modularity is that a MAIT can serve as an educational hub for a community of educators. New professors teaching a subject for the first time can choose from an enormous menu of learning modules, while seasoned professors can contribute their own expertise to the growing project.

The Need for a High-Cost Development Team

Although professors creating new MOOCs often complain about the high cost of MOOC development, the cost of creating a MAIT will be much higher. We should cast aside the image of a professor on sabbatical writing a textbook or planning a new course from a café in some exotic locale. Instead, the production of a MAIT requires an entire development team with a budget of $1 million or more.

Although this figure may seem preposterous, some educators, such as the developers of the Online Master of Science in Computer Science at Georgia Tech, have already invested comparable funds in developing their courses. MAITs should therefore be developed under the assumption that they have a sufficient budget in order to construct an educational product that can capture a large share of the MOOC market and truly disrupt both hoarding classes and traditional textbooks.

For example, Bioinformatics has already required over two years of development by a team consisting of professors, postdoctoral researchers, students, artists, and software engineers located in two countries and supported by three funding agencies and a private foundation. The total time investment made by this team was 50 times larger than the average of 100 hours required to develop a typical MOOC.5 The majority of development focused on creating an interactive text to power the course; lecture videos—which are often cited as a major investment in MOOC development—accounted for only a fraction of our budget. Yet Bioinformatics will require substantial additional investment in order to become a MAIT.

The high cost of MAIT development immediately raises the question of whether it makes sense to develop a million-dollar MAIT for small online courses, for example, attracting "just" 10,000 serious learners per year. We note that because of the rising costs of textbooks, a MAIT attracting just 10,000 learners per year indicates a potential educational market of over $1 million per year. Furthermore, the high fixed cost of creating a MAIT is balanced by the negligible marginal cost of each additional learner. Finally, there are numerous opportunities to expand MAITs to developing countries, where the number of qualified professors is far smaller than the number of capable students.

The Future of MAITs

MAITs will eliminate the current model of hoarding classes practically overnight. Rather than attempting the futile task of creating a lecture that can be understood by hundreds of students from widely varying backgrounds, professors in hoarding classes will immediately see the inherent benefit in "flipping" these classes. In fact, some of our colleagues at leading universities have already used Bioinformatics to flip their classes. Rather than listening to lectures, students will complete assignments from the MAIT, which has already been fine-tuned to anticipate countless learning breakdowns. Energy the professor previously allocated to planning and delivering lectures can then be devoted to in-class discussions helping students understand complicated concepts, or even guided group projects that help them take the next steps.

Yet although we believe MAITs will first disrupt hoarding classes, we see MAITs as a disruptive technology to all STEM courses, both online and offline. Even the most talented teachers of small, offline courses may use MAITs to flip their courses when they realize that MAITs free them to imagine new ways to inspire their students.

Indeed, using the resources of a MAIT in an offline course does not just facilitate a professor's transition toward a flipped classroom; it necessitates this transition. We observed this phenomenon in our own instruction of an offline course at the University of California, San Diego, which used the interactive text that powers Bioinformatics. Our flipped course blurred the boundary between instructor and TA and forced us to completely rethink these roles. When students arrived in class, they already understood the majority of relevant course material. We would then help them answer each other's questions about complicated concepts. We also divided students into small groups and guided them through additional challenge questions we had devised. As a result, class time was reinvested in direct interactions with students and group projects rather than preaching to them from a pulpit. It may sound like a strange way to run a course, but consider: Is this not the kind of educational experience students expect to receive when they enroll in a university?

We do not claim our flipped course has operated perfectly on its first attempts. However, its flaws have inspired us to become better educators in ways we never could have imagined. In looking for ways to improve our teaching, we found ourselves looking not forward, but backward, at the pedagogical style of Socrates. The irony has not been lost on us that our adoption of new technologies presented by online education forced our offline course to return to educational principles handed down from antiquity.

a See http://coursera.org/specialization/bioinformatics/34.
b https://www.youtube.com/playlist?list=PLQ-85lQlPqFM7jL47_tVFL61M4QM871Sv
c See http://rosalind.info.

References
1. Anderson, J.R. et al. R. Cognitive tutors: Lessons learned. Journal of the Learning Sciences 4 (1995), 167–207.
2. Bloom, B. The 2-Sigma problem: The Search for methods of group instruction as effective as one-on-one tutoring. Educational Researcher 13, 6 (1984), 4–16.
3. Compeau, P.E.C. and Pevzner, P.A. Bioinformatics Algorithms: An Active Learning Approach, Second ed. Active Learning Publishers, 2015.
4. Cuseo, J. The empirical case against large class size: adverse effects on the teaching, learning, and retention of first-year students. The Journal of Faculty Development 21, (2007), 5–21.
5. Karsenti, T. MOOCS: What the research says. International Journal of Technologies in Higher Education 10 (2013), 23–37; http://bit.ly/1MPd8lH.
6. Mazoue, J.G. Five myths about MOOCs. Educause Reviews (Sept.–Oct. 2013).
7. Miller, B.N. and Ranum, D.L. Beyond PDF and ePub: Toward an interactive textbook. In Proceedings of the 17th ACM Annual Conference on Innovation and Technology in Computer Science Education, (2012), 150–155.
8. Trithemius, J. De Laude Scriptorum (In Praise of Scribes). Klaus Arnold, Ed., Roland Behrendt. Tr. Colorado Press, 1974.
9. Vardi, M. Will MOOCs destroy academia? Commun. ACM 11, 5 (Nov. 2012), 5.

Phillip Compeau is an assistant teaching professor in the Department of Computational Biology at Carnegie Mellon University, Pittsburgh, PA.

Pavel A. Pevzner is Ronald R. Taylor Chair Professor of Computer Science and Engineering in the Department of Computer Science and Engineering at the University of California at San Diego.

Copyright held by authors.

VRST 2015
The 21st ACM Symposium on Virtual Reality Software and Technology
http://vrlab.buaa.edu.cn/vrst2015/

The 21st ACM Symposium on Virtual Reality Software and Technology (VRST) is an international forum for the exchange of experience and knowledge among researchers and developers concerned with virtual reality software and technology. VRST will provide an opportunity for VR researchers to interact, share new results, show live demonstrations of their work, and discuss emerging directions for the field. The event is sponsored by ACM SIGCHI and SIGGRAPH.

VRST 2015 will be held in Beijing, the capital of China. From the magnificent Palace Museum, also known as the Forbidden City, to the beautiful Summer Palace and the Great Wall, Beijing is the political, economic and cultural center of China for over 800 years from the Yuan Dynasty. The numerous royal buildings with long history endow it with incomparable charm. On the other hand, as the host city of the 2008 Olympic Games, this oriental ancient city presented her best fashion fascination to the world. The conference will be hosted by China State Key Laboratory of Virtual Reality Technology and Systems, School of Computer Science and Engineering in Beihang University (BUAA). VRST 2015 aims at bringing together VR researchers from around the world to present the state-of-the-art advances in this ever-growing dynamic area, and introducing VR research in China.

Important dates.
All deadlines are 15:59 UTC/GMT (Beijing time 23:59):
* July 20th, 2015: Abstract submission
* July 27th, 2015: Full/short papers submission
* August 15th, 2015: Poster submission
* September 8th, 2015: Decisions announced
* September 15th, 2015: Camera-ready papers due
* November 13th–November 15th, 2015: Conference

Conference Chairs: Qinping Zhao, Beihang University; Daniel Thalmann, Nanyang Technological University

Program Chairs: Enhua Wu, University of Macau & Institute of Software, Chinese Academy of Sciences; Ming C. Lin, University of North Carolina at Chapel Hill; Lili Wang, Beihang University

Local Chair: Dangxiao Wang, Beihang University

practice

DOI:10.1145/2788401

Article development led by queue.acm.org

Rethinking the fundamental abstractions of the file system.

BY T.S. PILLAI, V. CHIDAMBARAM, R. ALAGAPPAN, S. AL-KISWANY, A.C. ARPACI-DUSSEAU, AND R.H. ARPACI-DUSSEAU

Crash Consistency

THE READING AND writing of data, one of the most fundamental aspects of any von Neumann computer, is surprisingly subtle and full of nuance. For example, consider access to a shared memory in a system with multiple processors. While a simple and intuitive approach known as strong consistency is easiest for programmers to understand,14 many weaker models are in widespread use (for example, x86 total store ordering22); such approaches improve system performance, but at the cost of making reasoning about system behavior more complex and error prone. Fortunately, a great deal of time and effort has gone into thinking about such memory models,24 and, as a result, most multiprocessor applications are not caught unaware.

Similar subtleties exist in local file systems—those systems that manage data stored in your desktop computer, on your cellphone,13 or that serve as the underlying storage beneath large-scale distributed systems such as Hadoop Distributed File System (HDFS).23 Specifically, a pressing challenge for developers trying to write portable applications on local file systems is crash consistency (that is, ensuring application data can be correctly recovered in the event of a sudden power loss or system crash).

Crash consistency is important. Consider a typical modern photo-management application such as iPhoto, which stores not only the photos a user takes, but also information relevant to a photo library, including labels, events, and other photo metadata. No user wants a system that loses photos or other relevant information simply because a crash occurs while the photo-management application is trying to update its internal database.

Much of the burden today in ensuring crash consistency is placed on the application developer, who must craft an update protocol that orchestrates modifications of the persistent state of the file system. Specifically, the developer creates a carefully constructed sequence of system calls (such as file writes, renames, and other file-system calls) that updates underlying files and directories in a recoverable way. The correctness of the application, therefore, inherently depends on the semantics of these system calls with respect to a system crash (that is, the crash behavior of the file system).

Unfortunately, while the standardized file-system interface has been in widespread use for many years, application-level crash consistency is currently dependent on intricate and subtle details of file-system behavior. Either by design or by accident, many modern applications depend on particular file-system implementation details and thus are vulnerable to unexpected behaviors in response to system crashes or power losses when run on different file systems or with different configurations.

Recent research, including work performed by our group at the University of Wisconsin–Madison,21 as well as elsewhere,29 has confirmed that crashes are problematic: many applications (including some widely used and developed by experienced programmers) can lose or corrupt data on a crash or power loss. The impact of this reality is widespread and painful: users must be prepared to handle data loss or corruption,15 perhaps via time-consuming and error-prone backup and restore; applications might tailor their code to match subtle file-system internals, a blatant violation of layering and modularization; and adoption of new file systems is slowed because their implementations do not match the crash behavior expected by applications.6 In essence, the file-system abstraction, one of the basic and oldest components of modern operating systems, is broken.

This article presents a summary of recent research in the systems community that both identifies these crash consistency issues and points the way toward a better future. First a detailed example illustrates the subtleties of the problem. We summarize the state of the art, illustrating the problems we (and others) have found are surprisingly widespread. Some of the promising research in the community aims to remedy these issues, bringing new thinking and new techniques to transform the state of the art.

An Example

Let’s look at an example demonstrating the complexity of crash consistency: a simple database management system (DBMS) that stores its data in a single file. To maintain transactional atomicity across a system crash, the DBMS can use an update protocol called undo logging: before updating the file, the DBMS simply records those portions of the file that are about to be updated in a separate log file.11 The pseudocode is shown in Figure 1; offset and size correspond to the portion of the dbfile that should be modified, and whenever the DBMS is started, the DBMS rolls back the transaction if the log file exists and is fully written (determined using the size field). The pseudocode in Figure 1 uses POSIX system calls (POSIX is the standard file-system interface used in Unix-like operating systems). In an ideal world, one would expect the pseudocode to work on all file systems implementing the POSIX interface. Unfortunately, the pseudocode does not work on any widely used file-system configuration; in fact, it requires a different set of measures to make it work on each configuration.

Figure 1. Incorrect undo-logging pseudocode.
# Making a backup in the log file
# Actual Update
# Deleting the log file

Because file systems buffer writes in memory and send them to disk later, from the perspective of an application most file systems can reorder the effects of system calls before persisting them on disk. For example, with some file systems (ext2, ext4, xfs, and btrfs in their default configurations, but not ext3), the deletion of the log file can be reordered before the write to the database file. On a system crash in these file systems, the log file might be found already deleted from the disk, while the database has been updated partially. Other file systems can persist a system call partially in seemingly nonsensical ways: in ext2 and nondefault configurations of ext3 and ext4, while writing (appending) to the log file, a crash might leave garbage data in the newly appended portions of the file; in such file systems, during recovery, one cannot differentiate whether the log file contains garbage or undo information.

Figure 2 shows the measures needed for undo logging to work on Linux file-system configurations (“./” refers to the current directory); the red parts are the additional measures needed. Comments in the figure explain which measures are required by different file systems: we considered the default configurations of ext2, ext3, ext4, xfs, and btrfs, and the data=writeback configuration of ext3/4 (denoted as ext3-wb and ext4-wb). Almost all measures simply resort to using the fsync() system call, which flushes a given file (or directory) from the buffer cache to the disk and is used to prevent the file system from reordering updates. The fsync() calls can be arbitrarily costly, depending on how the file system implements them; an efficient application will thus try to avoid fsync() calls when possible. With only a subset of the fsync() calls, however, an implementation will be consistent only on some file-system configurations.

Figure 2. Undo-logging pseudocode that works correctly in Linux file systems.
# Making a backup in the log file
# Actual Update
# Deleting the log file
Annotations in the figure:
- Log file can end up with garbage, in ext2, ext3-wb, ext4-wb
- write(log) and write(dbfile) can re-order in all considered configurations
- creat(log) can be re-ordered after write(dbfile), according to warnings in Linux manpage. Occurs on ext2.
- write(dbfile) can re-order after unlink(log) in all considered configurations except ext3’s default mode
- If durability is desired, in all considered configurations

Note that it is not practical to use a verified implementation of a single update protocol across all applications; the update protocols found in real applications vary widely and can be more complex than in Figure 2. The choice can depend on performance characteristics; some applications might aim for sequential disk I/O and prefer an update protocol that does not involve seeking to different portions of a file. The choice can also depend on usability characteristics. For example, the presence of a separate log file unduly complicates common workflows, shifting the burden of recovery to include user involvement. The choice of update protocol is also inherently tied to the application’s concurrency mechanism and the format used for its data structures.

Try It Yourself!

Many application-level crash-consistency problems are exposed only under uncommon timing conditions or specific file-system configurations, but some are easily reproduced. As an example, on a default installation of Fedora or Ubuntu with a Git repository, execute a git-commit, wait for five seconds, and then pull the power plug; after rebooting the machine, you will likely find the repository corrupted. Fortunately, this particular vulnerability is not devastating: if you have a clone of the repository, you likely can recover from it with a little bit of work. (Note: do not do this unless you are truly curious and will be able to recover from any problems you cause.)
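As an added illustration (not the article's own pseudocode), the following C program applies the measures that the Figure 2 annotations call for in the undo-logging example: fsync() on the log, on dbfile, and on the directory after creat() and unlink(), with recovery that rolls back only when the log is fully written. The file names, the log header layout, the FNV-1a checksum used to reject a garbage log, and the 1 MiB size cap are assumptions of this example.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Hypothetical file names and log layout, chosen for this example. */
#define DB_PATH  "./dbfile"
#define LOG_PATH "./undo.log"
struct log_hdr { uint64_t offset, size, sum; };

/* FNV-1a over the saved bytes, so recovery can tell undo data from garbage. */
static uint64_t checksum(const unsigned char *p, size_t n) {
    uint32_t s = 2166136261u;
    while (n--) s = (s ^ *p++) * 16777619u;
    return s;
}

/* Directory entries of "./" are persisted separately from file contents. */
static int fsync_dir(void) {
    int fd = open(".", O_RDONLY), rc;
    if (fd < 0) return -1;
    rc = fsync(fd);
    close(fd);
    return rc;
}

/* Step 1: save dbfile[offset, offset+size) in the log and make the log durable. */
int write_undo_log(uint64_t offset, uint64_t size) {
    struct log_hdr h = { offset, size, 0 };
    unsigned char *old = malloc(size ? size : 1);
    int db = open(DB_PATH, O_RDONLY), lg = -1, rc = -1;
    if (!old || db < 0) goto out;
    if (pread(db, old, size, (off_t)offset) != (ssize_t)size) goto out;
    h.sum = checksum(old, size);
    lg = open(LOG_PATH, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (lg < 0) goto out;
    if (write(lg, &h, sizeof h) != (ssize_t)sizeof h) goto out;
    if (write(lg, old, size) != (ssize_t)size) goto out;
    if (fsync(lg) != 0) goto out;    /* log contents on disk before any dbfile write */
    if (fsync_dir() != 0) goto out;  /* and the log's directory entry (creat) */
    rc = 0;
out:
    if (lg >= 0) close(lg);
    if (db >= 0) close(db);
    free(old);
    return rc;
}

/* Steps 2 and 3: overwrite dbfile in place, then delete the log to commit. */
int db_update(uint64_t offset, const void *data, uint64_t size) {
    int db, rc = -1;
    if (write_undo_log(offset, size) != 0) return -1;
    if ((db = open(DB_PATH, O_WRONLY)) < 0) return -1;
    if (pwrite(db, data, size, (off_t)offset) == (ssize_t)size &&
        fsync(db) == 0 &&        /* new data durable before the log disappears */
        unlink(LOG_PATH) == 0 &&
        fsync_dir() == 0)        /* the unlink itself durable */
        rc = 0;
    close(db);
    return rc;
}

/* Startup recovery: 1 = rolled back, 0 = nothing valid to undo, -1 = error. */
int db_recover(void) {
    struct log_hdr h;
    unsigned char *old = NULL;
    int lg = open(LOG_PATH, O_RDONLY), db, rc = 0;
    if (lg < 0) return errno == ENOENT ? 0 : -1;  /* no log: nothing in flight */
    if (read(lg, &h, sizeof h) == (ssize_t)sizeof h && h.size <= (1u << 20) &&
        (old = malloc(h.size ? h.size : 1)) != NULL &&
        read(lg, old, h.size) == (ssize_t)h.size && checksum(old, h.size) == h.sum) {
        /* Log is complete and not garbage, so dbfile may be half-updated: undo. */
        db = open(DB_PATH, O_WRONLY);
        rc = (db >= 0 && pwrite(db, old, h.size, (off_t)h.offset) == (ssize_t)h.size
              && fsync(db) == 0) ? 1 : -1;
        if (db >= 0) close(db);
    }   /* otherwise the log never became durable, so dbfile was never touched */
    close(lg);
    free(old);
    if (rc >= 0 && (unlink(LOG_PATH) != 0 || fsync_dir() != 0)) rc = -1;
    return rc;
}

int main(void) {
    char buf[32] = {0};
    int fd = open(DB_PATH, O_RDWR | O_CREAT | O_TRUNC, 0600);
    if (fd < 0 || write(fd, "hello world", 11) != 11 || fsync(fd) != 0) return 1;
    if (db_update(6, "WORLD", 5) != 0 || db_recover() != 0) return 1;
    if (pread(fd, buf, sizeof buf - 1, 0) < 0) return 1;
    printf("dbfile: %s\n", buf);
    close(fd);
    return 0;
}
```

Removing any one of the fsync() or fsync_dir() calls leaves the protocol consistent only on the file-system configurations that do not reorder that particular pair of operations.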

The Unspoken Agreement

What can applications rely on? File-system developers seem to agree on two rules that govern what information is preserved across system crashes. The first is subtle: information already on disk (file data, directory entries, file attributes, among others) is preserved across a system crash, unless one explicitly issues an operation affecting it.

The second rule deals with fsync() and similar constructs (msync(), O_SYNC, and so on) in Unix-like operating systems. An fsync() on a file guarantees the file’s data and attributes are on the storage device when the call returns, but with some subtleties. A major subtlety with fsync() is the definition of storage device: after information is sent to the disk by fsync(), it can reside in an on-disk cache and hence can be lost during a system crash (except in some special disks). Operating systems provide ad hoc solutions to flush the disk cache to the best of their ability; since you might be running atop a fake hard drive,8 nothing is promised. Another subtlety relates broadly to directories: directory entries of a file and the file itself are separate entities and can each be sent separately to the disk; an fsync() on one does not imply the persistence of others.

Best Practices for Application Developers

Developers can alleviate the problem of crash consistency within their applications by following these recommended practices:

Use a library. Implementing consistency directly atop the file-system interface is like pleading insanity in court: you do it only if you have no other choice. A wiser strategy is to use a library, such as SQLite, that implements crash consistency below your application whenever possible.

Document guarantees and requirements. Consistency guarantees provided by applications can be confusing; some developers can be unclear about the guarantees provided by their own applications. Documenting file-system behaviors that the application requires to maintain consistency is more complicated, since both application developers and users are often unclear about file-system behavior. The best documentation is a list of supported file-system configurations.

Test your applications. Because of the confusing crash behavior exhibited by file systems, it is important to test applications. Among the tools publicly available for finding application crash vulnerabilities, ALICE21 has been used successfully for testing eleven applications; ALICE also clearly shows which program lines lead to a vulnerability. The public version of ALICE, however, does not work with mmap() memory and some rare system calls. There is another tool designed for testing file systems9 that works with any application that runs on Linux, but it is less effective.

Current State of Affairs

Given the sheer complexity of achieving crash consistency among different file systems, most developers write incorrect code. Some applications (for example, Mercurial) do not even try to handle crashes, instead assuming that users will manually recover any data lost or corrupted as a result of a crash. While application correctness depends on the intricate crash behavior of file systems, there has been little formal discussion on this topic.

Two recent studies investigate the correctness of application-level crash consistency: one at the University of Wisconsin–Madison21 and the other at Ohio State University and HP Labs.29 The applications analyzed include distributed systems, version-control systems, databases, and virtualization software; many are widely used applications written by experienced developers, such as Google’s LevelDB and Linus Torvalds’s Git. Our study at the University of Wisconsin–Madison found more than 30 vulnerabilities exposed under widely used file-system configurations; among the 11 applications studied, seven were affected by data loss, while two were affected by silent errors. The study from Ohio State University and HP Labs had similar results: they studied eight widely used databases and found erroneous behavior in all eight.

For example, we found that if a file system decides to reorder two rename() system calls in HDFS, the HDFS namenode does not boot2 and results in unavailability. Therefore, for portable crash consistency, fsync() calls are required on the directory where the rename() calls occur. Presumably, however, because widely used file-system configurations rarely reorder the rename() calls, and Java (in which HDFS is written) does not directly allow calling fsync() on a directory, the issue is currently ignored by HDFS developers.

As another example, consider LevelDB, a key-value store that adds any inserted key-value pairs to the end of a log file. Periodically, LevelDB switches to a new log file and compacts the previous log file for faster record retrieval. We found that, during this switching, an fsync() is required on the old log file that is about to be compacted;19 otherwise, a crash might result in some inserted key-value pairs disappearing.


Many vulnerabilities arise because application developers rely on a set of popular beliefs to implement crash consistency. Unfortunately, much of what seems to be believed about file-system crash behavior is not true. Consider the following two myths:

- Myth 1: POSIX defines crash behavior. POSIX17 defines the standard file-system interface (open, close, read, and write) exported by Unix-like operating systems and has been essential for building portable applications. Given this, one might believe that POSIX requires file systems to have a reasonable and clearly defined response to crashes, such as requiring that directory operations be sent to the disk in order.18 Unfortunately, there is little clarity as to what exactly POSIX defines with regard to crashes,3,4 leading to much debate and little consensus.

- Myth 2: Modern file systems require and implement in-order metadata updates. Journaling, a common technique for maintaining file-system metadata consistency, commits different sets of file-system metadata updates (such as directory operations) as atomic transactions. Journaling is popular among modern file systems and has traditionally committed metadata updates in order;12 hence, it is tempting to assume modern file systems guarantee in-order metadata updates. Application developers should not assume such guarantees, however. Journaling is an internal file-system technique; some modern file systems, such as btrfs, employ techniques other than journaling and commonly reorder directory operations. Furthermore, even file systems that actually use journaling have progressively reordered more operations while maintaining internal consistency. Consider ext3/4: ext3 reorders only overwrites of file data, while ext4 also reorders file appends; according to Theodore Ts’o, a maintainer of ext4, future journaling file systems might reorder more (though unlikely with ext4).

Should file-system developers be blamed for designing complicated file systems that are unfavorable for implementing crash consistency? Some complex file-system behaviors can (and should) be fixed. Most behaviors that make application consistency difficult, however, are essential for general-purpose file systems.

To illustrate, consider reordering, the behavior that is arguably the least intuitive and causes the most crash-consistency vulnerabilities. In our study, a file system that provided in-order operations (and some minimal atomicity) exposed only 10 vulnerabilities, all of minor consequences; in comparison, 31 were exposed in btrfs and 17 in ext4. In current environments with multiple applications running simultaneously, however, a file system requires reordering for good performance. If there is no reordering, fsync() calls from important applications will be made to wait for writes from nonessential tasks to complete. Indeed, ext3 in its default configuration provides an (almost) in-order behavior, but has been criticized for unpredictably slow fsync() calls.7

Moving Forward

Fortunately, not all is bleak in the world of crash consistency, and recent research points toward a number of interesting and plausible solutions to the problems outlined in this article. One approach is to help developers build correct update protocols. At least two new open source tools are available publicly for consistency testing (though neither is mature yet): ALICE,20 the tool created for our research study at the University of Wisconsin–Madison, and a tool designed by Linux kernel developers9 for testing file-system implementations. ALICE is more effective for testing applications since it verifies correctness on a variety of simulated system crashes for a given application test case. In contrast, the kernel tool verifies correctness only on system crashes that occur with the particular execution path traversed by the file system during a run of the given test case.

Two other testing tools are part of recent research but are not yet publicly available: BOB21 from our study, and the framework used by researchers from Ohio State University and HP Labs.29 Both of these are similar to the kernel tool.

A second approach for better application crash consistency is for file systems themselves to provide better, more easily understood abstractions that enable both correctness and high performance for applications. One solution would be to extend and improve the current file-system interface (in the Unix world or in Windows); however, the interface has been built upon many years of experience and standardization, and is hence resistant to change.16 The best solution would provide better crash behavior with the current file-system interface. As previously explained, however, in-order updates (that is, better crash behavior) are not practical in multitasking environments with multiple applications. Without reordering in these environments, the performance of an application depends significantly on the data written by other applications in the background and will thus be unpredictable.

There is a solution. Our research group is working on a file system that maintains order only within an application. Constructing such a file system is not straightforward; traditional file systems enforce some order between metadata updates10 and therefore might enforce order also between different applications (if they update related metadata). Another possible approach, from HP Labs,26 does change the file-system interface but keeps the new interface simple, while being supported on a production-ready file system.

A third avenue for improving the crash consistency of applications goes beyond testing and seeks a way of formally modeling file systems. Our study introduces a method of modeling file systems that completely expresses their crash behavior via abstract persistence models. We modeled five file-system configurations and used the models to discover application vulnerabilities exposed in each of the modeled file systems. Researchers from MIT5 have more broadly considered different formal approaches for modeling a file system and found Hoare logic to be the best.

Beyond local file systems, application crash consistency is an interesting problem in proposed storage stacks that will be constructed on the fly, mixing and matching different layers such as block remappers, logical volume managers, and file systems.27,28 An expressive language is required for specifying the complex storage guarantees and requirements of the different layers in such storage stacks. Our group is also working on such a language, along with methods to prove the overall correctness of the entire storage stack.1

Conclusion

This article aims to convince readers that application-level crash consistency is a real and important problem. Similar problems have been faced before in other areas of computer systems, in the domains of multiprocessor shared memory and distributed systems. Those problems have been overcome by creating new abstractions, understanding various trade-offs, and even thinking about the problem with analogies to baseball.25 Similar solutions are possible for application crash consistency, too, but only with the involvement of the wider systems community.

Related articles on queue.acm.org

Abstraction in Hardware System Design
Rishiyur S. Nikhil
http://queue.acm.org/detail.cfm?id=2020861

Storage Systems: Not Just a Bunch of Disks Anymore
Erik Riedel
http://queue.acm.org/detail.cfm?id=864059

Keeping Bits Safe: How Hard Can It Be?
David S. H. Rosenthal
http://queue.acm.org/detail.cfm?id=1866298

References

1. Alagappan, R., Chidambaram, V., Sankaranarayana Pillai, T., Arpaci-Dusseau, A.C., Arpaci-Dusseau, R.H. Beyond storage APIs: Provable semantics for storage stacks. In Proceedings of the 15th Workshop on Hot Topics in Operating Systems (Kartause Ittingen, Switzerland, May 2015).
2. Al-Kiswany, S. Namenode fails to boot if the file system reorders rename operations, 2014; http://issues.apache.org/jira/browse/HDFS-6820.
3. Aurora, V. POSIX v. reality: A position on O PONIES, 2009; http://lwn.net/Articles/351422/.
4. Austin Group Defect Tracker. 0000672: Necessary step(s) to synchronize filename operations on disk, 2013; http://austingroupbugs.net/view.php?id=672.
5. Chen, H., Ziegler, D., Chlipala, A., Kaashoek, M. F., Kohler, E., Zeldovich, N. Specifying crash safety for storage systems. In Proceedings of the 15th Workshop on Hot Topics in Operating Systems (Kartause Ittingen, Switzerland, May 2015).
6. Corbet, J. Ext4 and data loss, 2009; https://lwn.net/Articles/322823/.
7. Corbet, J. That massive filesystem thread, 2009; http://lwn.net/Articles/326471/.
8. Davies, C. Fake hard drive has short-term memory not 500GB. SlashGear, 2011; http://www.slashgear.com/fake-hard-drive-has-short-term-memory-not-500gb-08145144/.
9. Edge, J. Testing power failures, 2015; https://lwn.net/Articles/637079/.
10. Ganger, G.R., Patt, Y.N. 1994. Metadata update performance in file systems. In Proceedings of the 1st Symposium on Operating Systems Design and Implementation (Monterey, CA, Nov. 1994), 49–60.
11. Garcia-Molina, H., Ullman, J.D., Widom, J. Database Systems: The Complete Book. Prentice Hall Press, 2008.
12. Hagmann, R. Reimplementing the Cedar file system using logging and group commit. In Proceedings of the 11th ACM Symposium on Operating Systems Principles (Austin, TX, Nov. 1987).
13. Kim, H., Agrawal, N., Ungureanu, C. Revisiting storage for smartphones. In Proceedings of the 10th Usenix Symposium on File and Storage Technologies (San Jose, CA, Feb. 2012).
14. Lamport, L. How to make a multiprocessor computer that correctly executes multiprocess programs. IEEE Trans. Computers 28, 9 (1979), 690–691.
15. Mercurial. Dealing with repository and dirstate corruption, 2014; http://mercurial.selenic.com/wiki/RepositoryCorruption.
16. Microsoft. Alternatives to using transactional NTFS; https://msdn.microsoft.com/en-us/library/windows/desktop/hh802690(v=vs.85).aspx.
17. Open Group Base Specifications. POSIX.1-2008 IEEE Std 1003.1, 2013; http://pubs.opengroup.org/onlinepubs/9699919799/.
18. Sankaranarayana Pillai, T. Possible bug: fsync() required after calling rename(), 2013; https://code.google.com/p/leveldb/issues/detail?id=189.
19. Sankaranarayana Pillai, T. Possible bug: Missing a fsync() on the log file before compaction, 2013; https://code.google.com/p/leveldb/issues/detail?id=187.
20. Sankaranarayana Pillai, T., Chidambaram, V. Alagappan, R., Al-Kiswany, S., Arpaci-Dusseau, A.C. and Arpaci-Dusseau, R.H. ALICE: Application-Level Intelligent Crash Explorer; http://research.cs.wisc.edu/adsl/Software/alice/.
21. Sankaranarayana Pillai, T., Chidambaram, V., Alagappan, R., Al-Kiswany, S., Arpaci-Dusseau, A.C. and Arpaci-Dusseau, R.H. 2014. All file systems are not created equal: on the complexity of crafting crash-consistent applications. In Proceedings of the 11th Symposium on Operating Systems Design and Implementation (Broomfield, CO, Oct. 2014).
22. Sewell, P., Sarkar, S., Owens, S., Nardelli, F.Z. and Myreen, M.O. x86-TSO: A rigorous and usable programmer’s model for x86 multiprocessors. Commun. ACM 53, 7 (July 2010): 89–97.
23. Shvachko, K., Kuang, H., Radia, S. and Chansler, R. The Hadoop Distributed File System. In Proceedings of the 26th IEEE Symposium on Mass Storage Systems and Technologies (Incline Village, NV, May 2010).
24. Sorin, D.J., Hill, M.D., Wood, D.A. A Primer on Memory Consistency and Cache Coherence. Morgan & Claypool Publishers, 2011.
25. Terry, D. Replicated data consistency explained through baseball. MSR Technical Report (Oct. 2011).
26. Verma, R., Mendez, A.A., Park, S., Mannarswamy, S.S., Kelly, T.P., and Morrey III, C.B. Failure-atomic updates of application data in a Linux file system. In Proceedings of the 13th Usenix Symposium on File and Storage Technologies (Santa Clara, CA, Feb. 2015).
27. VMWare. Software-defined storage (SDS) and storage virtualization; http://www.vmware.com/software-defined-datacenter/storage.
28. VMWare. The VMware perspective on software-defined storage; http://www.vmware.com/files/pdf/solutions/VMware-Perspective-on-software-defined-storage-white-paper.pdf.
29. Zheng, M., Tucek, J., Huang, D., Qin, F., Lillibridge, M., Yang, E. S., Zhao, B. W., Singh, S. Torturing databases for fun and profit. In Proceedings of the 11th Symposium on Operating Systems Design and Implementation (Broomfield, CA, Oct. 2014).

T. Sankaranarayana Pillai, Vijay Chidambaram, and Ramnatthan Alagappan (madthanu, vijayc, ra @cs.wisc.edu) are Ph.D. candidates in the Department of Computer Science at the University of Wisconsin–Madison. Chidambaram is joining the faculty at the University of Texas at Austin.

Samer Al-Kiswany ([email protected]) is a postdoctoral fellow in the Department of Computer Science at the University of Wisconsin–Madison.

Andrea Arpaci-Dusseau and Remzi Arpaci-Dusseau (dusseau, remzi @cs.wisc.edu) are professors of computer science at the University of Wisconsin–Madison.

Copyright held by authors. Publication rights licensed to ACM. $15.00

DOI:10.1145/2788399

Article development led by queue.acm.org

We have to choose to build a Web that is accessible to everyone.

BY RICH HARRIS

Dismantling the Barriers to Entry

A WAR IS being waged in the world of Web development. On one side is a vanguard of toolmakers and tool users, who thrive on the destruction of bad old ideas (“old,” in this milieu, meaning anything that debuted on Hacker News more than a month ago) and raucous debates about transpilers and suchlike.

On the other side is an increasingly vocal contingent of developers who claim—not entirely without justification—the head-spinning rate of innovation makes it impossible to stay up to date, and the Web is disintegrating into a jumble of hacks upon opinions, most of which are wrong, and all of which will have changed by the time hot-new-thing.js reaches version 1.0.0.

This second group advocates a return to the basics, eschewing modern JavaScript libraries and frameworks in favor of untamed DOM APIs (the DOM being the closest we unwashed Web developers ever get to “bare metal”). Let’s call it the back-to-the-land movement. The back-to-the-landers argue tools slow the Web down, harm accessibility, and increase fragility. You can often find them linking to vanilla-js.com in the comments of programming blogs.

Here is Peter-Paul Koch, the creator of quirksmode.org, in a recent article6 (emphasis original):

“The movement toward toolchains and ever more libraries to do ever less useful things has become hysterical, and with every day that passes I’m more happy with my 2006 decision to ignore tools and just carry on. Tools don’t solve problems anymore, they have become the problem.”

Setting aside the “get off my lawn” tone of much of this commentary, the movement does have valid concerns. But we expect more of the Web than we used to—real-time collaboration, personalized apps, rich interactivity. We cannot expect software engineers to build those experiences without tools any more than we expect civil engineers to build suspension bridges by hand. As Facebook’s Sebastian Markbåge says in a direct response to Koch,7 “the only time you can say that the Web is “good enough” is when you are building for yesterday’s Web.”

As in any war, there are false dichotomies (simplicity versus power), hypocrisies (abandoning libraries then writing acres of app code that do the same thing, albeit without documentation or tests), and casualties. It is the casualties I want to talk about.

Front-Enders: An Endangered Species?

Until relatively recently, “front end developer” was a slightly derisive term for someone who could cobble together some HTML and CSS and sprinkle some JavaScript on top of it, perhaps after searching Stack Overflow for “how to hide element with jQuery.” The front-ender was responsible for adding the Google Analytics script snippet to the CMS article template, and perhaps adding a carousel of sliding images (the traditional cure for the marketing department’s indecision about what to put on the homepage), but was never trusted with anything particularly important.

Then along came Backbone,1 which was the starting pistol in the race towards ever more elaborate JavaScript application frameworks. Many modern Web apps push almost all the logic out to the client, the result being that as applications become more sophisticated, so must the tools—and the people using them.

As a consequence, many commentators have placed the traditional front-ender on extinction watch. Trek Glowacki, a core member of the Ember.js team (Ember is one of the aforementioned client-side application frameworks), wrote in response to a lament about build tools:

“I know everyone on Ember core sympathizes with Web developers whose careers started during the ‘download a zip, add some script tags, FTP into production’ era for the ‘front end’ and now feel a bit startled that all their favorite tools are becoming increasingly complex. But, the fact remains, that era is ending.”5

In other words, “get with the program.” Glowacki is not wrong, just like Koch isn’t wrong, but there is a problem with modern tools—newcomers to the field, after they have been greeted with an overwhelming number of choices, are expected to learn a dizzying array of new concepts (insert joke about “transclusion” here) before they can actually build anything. The incredible power of those tools is only really available to a select few—those with the determination to ascend a steep learning curve, and the time and inclination to keep pace with our community’s frantic innovation.

“Learn to Code” Is Not the Answer

Back when the Web was a simpler place, it was a welcoming environment for newbie programmers.

rather than making programming more accessible, and secondly that “learning to code” consists of absorbing facts about programming languages and practicing the formation of correct syntax.

In reality, learning how to program is a process of developing the ability to model problems in such a way that a computer can solve them—something that only happens through experience. You do not learn a foreign language by learning how to conjugate verbs and pluralize nouns; you learn by picking up phrases and practicing them, and reading and listening to native speakers until it becomes natural. Every language teacher knows this, yet to a large

data, and serve the resulting HTML to the client. But string templating is a bad technique once you are in the browser. Repeatedly generating HTML and inserting it into the document means trashing the existing DOM, which taxes the garbage collector and destroys state (such as which element is focused, and where the cursor is). Because of that, developers typically break their applications apart into microscopic chunks, with dedicated custom Model and View classes tied together with an events system. MVC duct tape is the new jQuery spaghetti.

Ractive.js10 was designed to allow developers to use the declarative power of templates to their fullest extent
There were extent it is not how we teach program- without the sacrifices that come from fewer tools, and the ones we had were ming languages. string-based templating systems. The a good deal less sophisticated, but we We do not need the 1,437th explana- idea, novel at the time (though less made up for it with the power of “view tion of prototypal inheritance or Java- so now, as other tools have adopted a source.” In those Wild West days, be- Script’s ‘this’ keyword. What we need similar approach), was that a template fore we cared about best practices, it are tools that allow novices to express parser that understood both HTML was surprisingly easy to reverse engi- their ideas without a complete knowl- and template tags could generate a tree neer a lot of Web software. edge of the process by which it happens. structure that a data-binding engine Web development has matured could later use to manipulate the DOM spectacularly in a few short years. But Enter Ractive.js with surgical precision. The developer the tools that have supplanted “view A few years ago I was in need of such a need do nothing more than occasion- source” (which is useless in an age of tool, having recently joined the inter- ally provide new data. transpiled, minified code) are not ac- active news team at theguardian.com. This is not the virtual DOM diffing cessible to the vast majority. News interactives typically contain a technique used by React.js and other It is not simply a question of bet- lot of state, represented in several dif- similar libraries. That approach has ter training for those who would be ferent visually rich forms, and have some deeply interesting properties, professional software engineers. 
The to handle many different modes of but data-binding—that is, updating power and beauty of the Web was al- user interaction—a recipe for buggy the parts of the DOM that are known ways that anyone could participate code, especially when written against to correspond to particular values that as a creator as well as a consumer— news industry deadlines (we laugh at have changed, rather than re-render- scientists, academics, artists, jour- the term “agile”). I was well aware my ing everything and not updating the nalists, activists, entertainers, edu- jQuery spaghetti was always a few key- bits that have not changed—is typically cators—most of whom have yet to strokes away from implosion, but more a great deal more performant. unlock the thrilling possibilities of advanced tools such as Angular were Since then, Ractive has added (and modern Web technologies. both too intimidating and yet some- in some cases pioneered) many new One way we have tried to address how inadequate for the task at hand. features: a component system, declara- this problem is with the “learn to code” I had been looking forward to the tive animations and transitions, full movement, which has spawned an en- day when someone would let me in on SVG support, encapsulated CSS, serv- tire industry of startups (startup cul- the secret to doing it properly, but that er-side rendering, and more. In terms ture itself being one of the prime driv- day never came. There simply were not of mindshare, we are a minnow next ers of learn to code). Politicians love it any tools designed to make my job eas- to the likes of Angular, Ember, Meteor because it makes them look forward- ier, so I resolved to create one myself. and React, even though we have con- thinking, though no one is quite sure if Laid bare, the problem is relatively tributors from all around the world Michael Bloomberg ever did finish his simple to articulate. 
The state of a and Ractive is used for all kinds of web- Codecademy course.2 Web app UI at any given moment can sites, from e-commerce to enterprise There is plenty to admire about be described as a function of applica- monitoring software. learn to code, of course. Many people tion state, and our task is to manipu- But the thing the team and I are have developed skills that would oth- late the DOM until the reality matches most proud of is the way it has allowed erwise have been out of reach. But the the intention. less experienced developers to bring movement rests on two odd assump- On the server, it is easy: write a tem- their ideas to life on the Web. tions—firstly our priority should be plate, compile it to a function with a A magazine article is a suboptimal to make more programmer talent templating engine, call it with some place for code samples demonstrating

54 COMMUNICATIONS OF THE ACM | OCTOBER 2015 | VOL. 58 | NO. 10 practice an interactive UI library, but if you are in a Ractive-specific observable class curious you should visit http://learn. (think ‘Backbone.Model’ or ‘ko.observ- ractivejs.org for an interactive tutorial. able’). That posed some implementa- tion challenges, but it was unquestion- Lessons Learned ably the right move. We are currently in The question: “Will this make it easier The question: the process of overhauling the internal or more difficult for novice developers “Will this make architecture, which will deliver signifi- to get started?” is always on our minds cant performance boosts to many users when we are building Ractive. Inter- it easier or more without breaking their apps. estingly, we have never found this difficult for novice The phrase “Readme-driven devel- has required us to sacrifice power for opment” was coined, or at least popu- more experienced developers—there developers to get larized, by Tom Preston-Werner.9 is no “dumbing down” in software Eliminate dependencies. Depen- development, only clear APIs versus started?” is always dency management in JavaScript is a convoluted APIs. By focusing on the on our minds pain, even for experts—especially in beginner experience, we make life bet- the browser. There are tools designed ter for all of our users. when we are to make the situation easier, such as Over the years, we have distilled building Ractive. Browserify and RequireJS (or Webpack, this mind-set into a toolmaker’s Esperanto, and JSPM, if you are part checklist. Some of these points are, of the revolutionary vanguard), but frankly, aspirational. But we have they all have steep learning curves and found them to be useful guidelines sometimes go wrong in ways that are even when we fall short, and they ap- spectacularly difficult to debug. ply to tools of all kinds. So the silent majority of developers Readme-driven development. 
Often, use the tried-and-tested solution of when we write code designed to be used manually adding