
New article: The Spatial Articulation of Urban Political Cleavages


By Jan Doering, Dan Silver, and Zack Taylor in Urban Affairs Review.

Sociologists and geographers have long placed space and place at the center of their analyses. They have shown that people’s identities and attitudes are inflected by their social and physical contexts—who their neighbors are and what kind of place they live in—although they have not always extended this to politics. Studies of urban politics, on the other hand, have focused on individual characteristics such as race and gender rather than space or place. In their important study of exit polls in American big-city elections, Trounstine and Hajnal (2014) find that race overwhelms all other factors. Elections in large American cities are predominantly contests between cohesive groups defined by race. 

In our Urban Affairs Review article, “The Spatial Articulation of Urban Cleavages,” we develop a framework for rooting urban politics in space. We theorize three sources that turn urban politics into spatial divisions: group-, place-, and location-based interests. Group-based interests emerge from shared experience and linked fate on the basis of race, class, religion, sexuality, language, and other salient markers of difference. In segregated cities, where groups cluster in particular districts or neighbourhoods, conflicts between groups are articulated in space. A distinction between “us” and “them” may manifest politically as, for example, a distinction between “East Side” and “West Side.”

Place- and location-based interests derive from different sources. Regarding place, cities offer a range of urban experiences, because neighborhoods vary in terms of their built environments, density, amenity composition, and so on. These idiosyncratic characteristics in turn generate unique identities, interests, and lifestyles. The consumption patterns and policy demands of privatistic “homevoters” in low-density, car-dependent neighborhoods differ from those of inhabitants of dense neighborhoods with mixed uses and collective amenities that are accessible by walking and cycling. If place-based interests emerge from lifestyles and identities associated with neighborhoods’ internal features, location-based interests derive from the fact that areas have distinct needs and priorities depending on their relative position within the city as a whole. Triggered by transit cuts and gas price increases, France’s Yellow Vest movement, for example, developed in part as a conflict between peripheral, car-dependent locations and centrally located areas with comprehensive transit access.

To examine the spatial basis of political cleavages, we constructed an original dataset of neighborhood-scale mayoral election results over two decades in three cities: Chicago, Toronto, and London. These cities are large in population and territory, socially diverse, and contain many different kinds of places, from dense central business districts to apartment tower neighborhoods to low-rise residential tracts. At the same time, each is also located in a different national context with distinct institutional features and social histories.

Our analysis unfolded in three stages. First, we sought to uncover to what extent political divisions occur between rather than within neighbourhoods. Strikingly, we found that most elections are landslides at the neighborhood scale even if close citywide. Precinct margins of victory were greater than 20 percentage points in at least 60% of precincts in each of the three cities. This suggested that election results are spatially articulated to a similar degree in Chicago, Toronto, and London, and that the national U.S. trend toward urban-rural polarization in voting despite close national results has a counterpart within urban politics, even when elections are nonpartisan. 

Our next step was to uncover the nature of these divisions. As Chicago and Toronto have nonpartisan elections featuring multiple candidates, and London has a shifting array of party-nominated and independent candidates, we used principal component analysis, a data reduction technique, to reduce this complexity to three latent variables (“components”) that account for over 80% of variation in neighborhood vote shares across time in each city. We then correlated neighborhood scores on these components with a range of census and other data representing group-, place-, and location-based interests. We found that the positive and negative correlations on each component correspond to recognizable bundles of identities and interests, although their strength varies across the three cities. (See Table 1.)

Table 1: Summary of cleavages (the percentage is the share of variation in neighborhood vote shares accounted for by each component)

Chicago
  1. Black ↔ White/Latino (56%): African American neighborhoods support Black candidates. White and Latino neighborhoods support their opponents.
  2. White ↔ Latino (14%): White, well-off, privileged areas support business-friendly white candidates. Mostly Latino, blue-collar areas support Latino candidates when they run.
  3. Periphery ↔ Core (11%): Ethnically diverse core areas support more progressive candidates. Auto-dependent periphery areas support more conservative candidates.

Toronto
  1. Periphery ↔ Core (56%): Dense core supports progressive candidates. Low-density, auto-dependent periphery areas support conservative candidates.
  2. Establishment ↔ Marginality (20%): Privileged areas support establishment conservative candidates. Disadvantaged areas support right-populist candidates when they run.
  3. South Asian ↔ Southern European (7%): Established southern European neighborhoods support Italian candidates when they run. Asian immigrant neighborhoods cohere when appealed to.

London
  1. Periphery ↔ Core (41%): Dense core supports progressive parties. Lower-density periphery areas support conservative parties.
  2. Establishment ↔ Marginality (27%): Privileged areas support mainstream parties (Labour, Conservatives, Liberal Democrats). Disadvantaged areas support anti-establishment parties (BNP, UKIP, Respect).
  3. Immigrants ↔ UK-born (13%): UK-born areas support Lib Dems and xenophobic parties. Established, mostly South Asian and Muslim immigrant neighborhoods support Conservatives and Respect.

The maps that accompany the original table are not to scale.

As might be expected in a city that is highly and durably segregated by race, and where class and race are closely linked, Chicago’s dominant cleavage is race. Across all six elections, the strongest, most persistent division is between Black neighborhoods and White and Latino neighborhoods. A second, much weaker cleavage also revolves around race and class, dividing well-off White neighborhoods and blue-collar Latino neighborhoods. A third, very weak cleavage is based on place-based lifestyle and location, pitting dense, centrally located neighborhoods against peripherally located, car-dependent, single-family neighborhoods.

The cleavage structures found in Toronto and London are similar to one another and almost the inverse of Chicago’s. The dominant cleavage in both cities is rooted in place-based lifestyles. On one side are dense and accessible core neighborhoods whose residents tend to be young, single, and work in creative occupations. On the other side are peripherally located neighborhoods featuring low-density housing, auto-dependency, and traditional lifestyles. The next-strongest cleavage turns on class, pitting higher-income educated professionals against lower-income, blue-collar residents. The weakest cleavage divides native-born from foreign-born residents. In stark contrast with Chicago, lifestyle is the strongest cleavage, and ethno-racial group identity the weakest. 

Overall, our findings demonstrate that urban politics are strongly articulated in space, although this happens in different ways in different cities. This opens up new possibilities for research comparing cities within and across national borders. For example, we suggest that group-based cleavages will dominate in cities that are segregated by race, language, religion, and class, while place- and location-based cleavages will appear in large jurisdictions that contain highly differentiated built environments. Furthermore, our findings call for more research on the actions and processes that produce and activate group-, place-, and location-based cleavages.

Post originally published in Urban Affairs Forum.


The Doable City Reader – A Reminder That Change in Our Cities Is Doable (Possible)


Five years ago we embarked on our first project with Knight Foundation, the Doable City Forum in Chicago, which brought together two hundred civic innovators from around North America.

Rich conversations amongst participants and presenters led us to work with our friends at Discourse Media to put together the Doable City Reader – a resource for anyone looking into making change in their city.

There is so much to do to make our cities happier, healthier, 8 80-focused and more prosperous, equitable places. Rethinking the role of our streets and public spaces is a good place to start.

We know change isn’t easy. But recognizing that all human beings have the right to mobility, the right to public space, and the right to participate in decision-making processes that affect them will drive communities and decision-makers in the right direction. Some of the improvements we want to see in our cities will take years to take place; others are short-term, low-cost and easily implemented. The truth is that change is already happening, at small or large scales, and having a massive impact.

Conceived as an educational resource, The Doable City Reader is a reminder that change is possible. With many layers of information along with its five chapters, this useful resource shares ideas to bring these solutions to your communities.

Some of the topics included are:

  • How cities of all sizes are creating free bike-shares and encouraging thousands of people to get outside and be active
  • How streets can be transformed for happier citizens
  • What existing but hidden assets each city has that can be used overnight
  • How businesses benefit from good public spaces that are accessible to all
  • Related real-life stories of how people have gone about making those changes, which are doable – that means possible

Many of the best, most authentic and enduring destinations in a city, the places that keep locals and tourists coming back again and again and that anchor quality, local jobs, were born out of a series of incremental, locally-based improvements. One by one, these interventions have built places that were more than the sum of their parts. — Project for Public Spaces

Happy reading!

Check out The Doable City Reader

The post The Doable City Reader – A Reminder That Change in Our Cities Is Doable (Possible) appeared first on 8 80 Cities.


Never Written a Story? Here’s how to Get Started


I meet people every day who tell me they can’t write a story. The truth, however, is that we’ve grown up writing stories, creating make-believe worlds and imaginary scenarios. No one has lost the ability to write a story; in fact, I’m a firm believer that anyone can write a story. But, if you’re struggling to get going or barely know where to start, here are the four simple steps you need to create a narrative.


Firstly, you need to figure out who your story is about, and what characters can join them on their journey. Starting with one or two characters and figuring out others as the narrative progresses is fine, but you need to start with someone. Ask yourself some questions to really get to know your protagonist:

What’s their name?
How old are they?
What do they look like?
What is their passion in life?
What makes them sad?
What’s their biggest fear?
What’s their best and worst quality?

The list goes on… but truly getting inside the mind of your character is the best way to make them real and believable. If you need help developing a character, this article can give you the tools to really find who they are and bring them to life.

The story can follow someone, be about someone or something can happen to someone and that makes the story exist. For example, Harry Potter is the main character and the books follow his life but Katniss Everdeen becomes the main character because she is chosen for The Hunger Games.

Once you have someone to star in your story, the rest can evolve from there…


Your location is where the story is set, and where all the action takes place. Depending on your genre, this can be real or a fantasy location. If you decide to go down the fantasy route, this gives you loads of scope to do anything to the world you create. If you choose a real location, make sure you know it well enough to enhance your story and pick out the features and locations that could resonate with readers. Once you have chosen your location, the features of that setting, regardless of whether it is real or something you have created, will assist in developing your plot and even your characters.

Another key aspect of where your story is set is when your story is set. For example, both The Fault in Our Stars by John Green and Divergent by Veronica Roth are set in the US; however, the latter being set in the future creates a very different setting for its characters, as opposed to the ones created by John Green.

You can choose to set your story in the past, present or future, and within all these are limitless options for how your plot can unfold. If you choose to set it in the past, make sure you research key events and the reality of existence for people in that time to keep it engaging for readers passionate about your era and to really bring your story to life. Present-day stories are incredibly interesting for many readers, particularly those inspired by realism. Finally, throwing your plot into the future is an amazing way to get creative and project your vision of our future. Whether dystopian or utopian, 10 years or 1000 years in the future, lovers of fantasy and sci-fi can flourish with this.

To add a whole new level of excitement, why not combine fantasy with time, and set your story in an existing time period, but in a fantasy world. Think Game of Thrones, which hosts a ‘medieval’ location (associated with our past) but is really a fantasy world with dragons and more.

While location might often be overlooked, it could even be a better place to start than creating your characters. Allowing your location and time period to thrive is the key to a good setting, so get creative and follow your vision.

Status Quo and Changing the Normal…

A story is created when something happens that disrupts the normality or ‘status quo’ of the everyday life of your world or character. Regardless of your setting being fantasy or real, dystopian or utopian, micro or macro in scale, any change can ripple and evolve into a brilliant story.

This change or disruption can be positive or negative. Characters can fall in love, win the lottery or survive a life-changing accident. What would happen if something positive influenced your character or your world? Try mind mapping, drawing, bullet-pointing or anything that gets your brain going to explore all the different branches you can think of that might come as a result of a positive change. Perhaps they all lead on from one another, or perhaps they could each be a story in their own right. Which one will you choose, and how can you transform your characters’ or world’s lives?

Negative change can often be more significant or even more fun to write. Anything from your protagonist forgetting their wallet to whole world invasions and wars – whatever scale you see this negative change will still cause waves of change to your story and create something exciting for readers to engage with.

Perhaps your negative change could evolve into a happy ending. Maybe what seems positive on the surface will actually have detrimental effects. Something NEEDS to change for a story to be created. Let your mind take you to endless possibilities and see which one can grow into a mind-blowing story…

The key to a good story is planning it and knowing all the twists and turns you might need to take to get to the finale you might envision from the start. Take your time to work out these core things, and the more you immerse yourself in your world, the easier it will be to bring to life.


zoom is not the problem — meetings are


When all you have is Zoom, every work-from-home office looks like an endless face-to-face video call. I have been working remotely since 2003. Video calls have been a regular part of my work and I have used pretty well every platform available. In the early days my favourite platform was Marratech, until they were bought by Google and some of the technology created Hangouts. But video communication was only part of my work.

Asynchronous communication — threaded discussions, blogs, and wikis — was always part of my work conversations. Writely — which became Google Docs — was a great tool and helped our distributed team, from British Columbia to New Brunswick, write the specifications for the Pan-Canadian Online Learning Portal. This was the first time that all the Ministers of Education had agreed to do something together. But CMEC cancelled the project after a vendor was selected. It would be interesting to see how the current pandemic would have been handled by schools, with a national online learning resource already in place and with over 10 years of experience. But I digress. Let’s just say that technology is not usually the issue in the workplace — it’s how the technology is used.

A recent article on working from home puts much of the blame for additional work-related stress squarely on Zoom. In 5 psychological reasons to reduce the number of Zoom meetings, the authors list these ‘problems’.

  1. lack of non-verbal communication
  2. anxiety about possible distractions, like children
  3. no casual conversations, or ability to walk and chat
  4. the stress of looking at your face all the time
  5. dead air

It seems that the Zoom gallery view of seeing everyone’s face at one glance has become the default type of Zoom meeting. This shows the lack of creativity, or even basic understanding of the medium, by those who run the meetings. I agree that non-verbal communication can be an issue. That’s why I often have one-on-one video calls, as these are more intimate and great for getting to know someone better over time.

I have successfully completed many projects with people I have never met in person. Anxiety about children bursting in is only a problem for control freaks. My discussions over the past month unanimously show that people appreciate having more human conversations as people are no longer wearing their ‘office armour’. We see the person behind their job title.

Yes, you can Zoom and walk (just don’t chew gum as well). Our perpetual beta coffee club meets regularly on Zoom and one member was out walking during our last call. He just turned off his video, and would stop from time to time and turn the video back on. Finally, there is no reason to always have your video camera on. Video is great to get to know other people but after the first few meetings, it’s no longer necessary. And dead air (nobody talking) is actually good for thinking. You are not running a radio broadcast.

The problem is not Zoom. It’s your bloody meetings!

In “meetings, bloody meetings” I highlighted age-old problems with business meetings, which I learned about in the 1980s and which continue today. Meetings should have an objective, a clear format, and be run by a competent person to facilitate the process. Most importantly, there must be a clear reason why the meeting is necessary in the first place. Quite often, an alternative would be more effective than calling a meeting — e.g. a one-on-one conversation, email, wiki, blog, discussion thread, etc.

Liberating Structures offer 33 open source methods for convening meetings for different purposes. Use one of these instead of an ad hoc Zoom chat wasting most attendees’ time. These have been used and tested around the world. In addition, Liberating Structures are now being frequently adapted for distributed workers. There is no excuse for “Chairing without due thought & preparation”.

Like most organizational changes, meetings will only get better when those in leadership positions decide to make them so. Perhaps the ubiquity of all these Zoom meetings over the past month will get people thinking and talking about better ways to communicate and collaborate at work.

Whether you stay with distributed work or go back to a location, improving meetings will not only raise morale but make room for what is really important in every workplace now — learning. The problems with meetings are not new, so let’s use this crisis to compensate every person who has ever been stuck in a useless meeting, and make meetings better.

“In 1973, Canadian business management expert Henry Mintzberg was among the first to examine the problem [frustrations with meetings]. His book ‘The Nature of Managerial Work’ found that more than half of managers’ time in his sample was spent in meetings.” (CNBC, 2015)


Roy Fielding’s Misappropriated REST Dissertation


RESTful APIs are everywhere. This is funny, because how many people really know what “RESTful” is supposed to mean?

I think most of us can empathize with this Hacker News poster:

I’ve read several articles about REST, even a bit of the original paper. But I still have quite a vague idea about what it is. I’m beginning to think that nobody knows, that it’s simply a very poorly defined concept.

I had planned to write a blog post exploring how REST came to be such a dominant paradigm for communication across the internet. I started my research by reading Roy Fielding’s 2000 dissertation, which introduced REST to the world. After reading Fielding’s dissertation, I realized that the much more interesting story here is how Fielding’s ideas came to be so widely misunderstood.

Many more people know that Fielding’s dissertation is where REST came from than have read the dissertation (fair enough), so misconceptions about what the dissertation actually contains are pervasive.

The biggest of these misconceptions is that the dissertation directly addresses the problem of building APIs. I had always assumed, as I imagine many people do, that REST was intended from the get-go as an architectural model for web APIs built on top of HTTP. I thought perhaps that there had been some chaotic experimental period where people were building APIs on top of HTTP all wrong, and then Fielding came along and presented REST as the sane way to do things. But the timeline doesn’t make sense here: APIs for web services, in the sense that we know them today, weren’t a thing until a few years after Fielding published his dissertation.

Fielding’s dissertation (titled “Architectural Styles and the Design of Network-based Software Architectures”) is not about how to build APIs on top of HTTP but rather about HTTP itself. Fielding contributed to the HTTP/1.0 specification and co-authored the HTTP/1.1 specification, which was published in 1999. He was interested in the architectural lessons that could be drawn from the design of the HTTP protocol; his dissertation presents REST as a distillation of the architectural principles that guided the standardization process for HTTP/1.1. Fielding used these principles to make decisions about which proposals to incorporate into HTTP/1.1. For example, he rejected a proposal to batch requests using new MGET and MHEAD methods because he felt the proposal violated the constraints prescribed by REST, especially the constraint that messages in a REST system should be easy to proxy and cache.[1] So HTTP/1.1 was instead designed around persistent connections over which multiple HTTP requests can be sent. (Fielding also felt that cookies are not RESTful because they add state to what should be a stateless system, but their usage was already entrenched.[2]) REST, for Fielding, was not a guide to building HTTP-based systems but a guide to extending HTTP.

This isn’t to say that Fielding doesn’t think REST could be used to build other systems. It’s just that he assumes these other systems will also be “distributed hypermedia systems.” This is another misconception people have about REST: that it is a general architecture you can use for any kind of networked application. But you could sum up the part of the dissertation where Fielding introduces REST as, essentially, “Listen, we just designed HTTP, so if you also find yourself designing a distributed hypermedia system you should use this cool architecture we worked out called REST to make things easier.” It’s not obvious why Fielding thinks anyone would ever attempt to build such a thing given that the web already exists; perhaps in 2000 it seemed like there was room for more than one distributed hypermedia system in the world. Anyway, Fielding makes clear that REST is intended as a solution for the scalability and consistency problems that arise when trying to connect hypermedia across the internet, not as an architectural model for distributed applications in general.

We remember Fielding’s dissertation now as the dissertation that introduced REST, but really the dissertation is about how much one-size-fits-all software architectures suck, and how you can better pick a software architecture appropriate for your needs. Only a single chapter of the dissertation is devoted to REST itself; much of the word count is spent on a taxonomy of alternative architectural styles[3] that one could use for networked applications. Among these is the Pipe-and-Filter (PF) style, inspired by Unix pipes, along with various refinements of the Client-Server style (CS), such as Layered-Client-Server (LCS), Client-Cache-Stateless-Server (C$SS), and Layered-Client-Cache-Stateless-Server (LC$SS). The acronyms get unwieldy but Fielding’s point is that you can mix and match constraints imposed by existing styles to derive new styles. REST gets derived this way and could instead have been called—but for obvious reasons was not—Uniform-Layered-Code-on-Demand-Client-Cache-Stateless-Server (ULCODC$SS). Fielding establishes this taxonomy to emphasize that different constraints are appropriate for different applications and that this last group of constraints were the ones he felt worked best for HTTP.

This is the deep, deep irony of REST’s ubiquity today. REST gets blindly used for all sorts of networked applications now, but Fielding originally offered REST as an illustration of how to derive a software architecture tailored to an individual application’s particular needs.

I struggle to understand how this happened, because Fielding is so explicit about the pitfalls of not letting form follow function. He warns, almost at the very beginning of the dissertation, that “design-by-buzzword is a common occurrence” brought on by a failure to properly appreciate software architecture.[4] He picks up this theme again several pages later:

Some architectural styles are often portrayed as “silver bullet” solutions for all forms of software. However, a good designer should select a style that matches the needs of a particular problem being solved.[5]

REST itself is an especially poor “silver bullet” solution, because, as Fielding later points out, it incorporates trade-offs that may not be appropriate unless you are building a distributed hypermedia application:

REST is designed to be efficient for large-grain hypermedia data transfer, optimizing for the common case of the Web, but resulting in an interface that is not optimal for other forms of architectural interaction.[6]

Fielding came up with REST because the web posed a thorny problem of “anarchic scalability,” by which Fielding means the need to connect documents in a performant way across organizational and national boundaries. The constraints that REST imposes were carefully chosen to solve this anarchic scalability problem. Web service APIs that are public-facing have to deal with a similar problem, so one can see why REST is relevant there. Yet today it would not be at all surprising to find that an engineering team has built a backend using REST even though the backend only talks to clients that the engineering team has full control over. We have all become the architect in this Monty Python sketch, who designs an apartment building in the style of a slaughterhouse because slaughterhouses are the only thing he has experience building. (Fielding uses a line from this sketch as an epigraph for his dissertation: “Excuse me… did you say ‘knives’?”)

So, given that Fielding’s dissertation was all about avoiding silver bullet software architectures, how did REST become a de facto standard for web services of every kind?

My theory is that, in the mid-2000s, the people who were sick of SOAP and wanted to do something else needed their own four-letter acronym.

I’m only half-joking here. SOAP, or the Simple Object Access Protocol, is a verbose and complicated protocol that you cannot use without first understanding a bunch of interrelated XML specifications. Early web services offered APIs based on SOAP, but, as more and more APIs started being offered in the mid-2000s, software developers burned by SOAP’s complexity migrated away en masse.

Among this crowd, SOAP inspired contempt. Ruby-on-Rails dropped SOAP support in 2007, leading to this emblematic comment from Rails creator David Heinemeier Hansson: “We feel that SOAP is overly complicated. It’s been taken over by the enterprise people, and when that happens, usually nothing good comes of it.”[7] The “enterprise people” wanted everything to be formally specified, but the get-shit-done crowd saw that as a waste of time.

If the get-shit-done crowd wasn’t going to use SOAP, they still needed some standard way of doing things. Since everyone was using HTTP, and since everyone would keep using HTTP at least as a transport layer because of all the proxying and caching support, the simplest possible thing to do was just rely on HTTP’s existing semantics. So that’s what they did. They could have called their approach Fuck It, Overload HTTP (FIOH), and that would have been an accurate name, as anyone who has ever tried to decide what HTTP status code to return for a business logic error can attest. But that would have seemed recklessly blasé next to all the formal specification work that went into SOAP.

Luckily, there was this dissertation out there, written by a co-author of the HTTP/1.1 specification, that had something vaguely to do with extending HTTP and could offer FIOH a veneer of academic respectability. So REST was appropriated to give cover for what was really just FIOH.

I’m not saying that this is exactly how things happened, or that there was an actual conspiracy among irreverent startup types to misappropriate REST, but this story helps me understand how REST became a model for web service APIs when Fielding’s dissertation isn’t about web service APIs at all. Adopting REST’s constraints makes some sense, especially for public-facing APIs that do cross organizational boundaries and thus benefit from REST’s “uniform interface.” That link must have been the kernel of why REST first got mentioned in connection with building APIs on the web. But imagining a separate approach called “FIOH,” that borrowed the “REST” name partly just for marketing reasons, helps me account for the many disparities between what today we know as RESTful APIs and the REST architectural style that Fielding originally described.

REST purists often complain, for example, that so-called REST APIs aren’t actually REST APIs because they do not use Hypermedia as the Engine of Application State (HATEOAS). Fielding himself has made this criticism. According to him, a real REST API is supposed to allow you to navigate all its endpoints from a base endpoint by following links. If you think that people are actually out there trying to build REST APIs, then this is a glaring omission—HATEOAS really is fundamental to Fielding’s original conception of REST, especially considering that the “state transfer” in “Representational State Transfer” refers to navigating a state machine using hyperlinks between resources (and not, as many people seem to believe, to transferring resource state over the wire).8 But if you imagine that everyone is just building FIOH APIs and advertising them, with a nudge and a wink, as REST APIs, or slightly more honestly as “RESTful” APIs, then of course HATEOAS is unimportant.

Similarly, you might be surprised to know that there is nothing in Fielding’s dissertation about which HTTP verb should map to which CRUD action, even though software developers like to argue endlessly about whether using PUT or PATCH to update a resource is more RESTful. Having a standard mapping of HTTP verbs to CRUD actions is a useful thing, but this standard mapping is part of FIOH and not part of REST.
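To make the two ideas concrete, here is an added example, not code from the post or from Fielding’s dissertation: a small in-memory stand-in for an HTTP service whose every representation carries a `_links` map, with a client that starts at the entry point and reaches every order only by following link relations (the HATEOAS part), while the same dispatcher implements the verb-to-CRUD mapping that the text attributes to FIOH rather than to REST. The paths, link relation names and sample orders are constructed for this example.

```python
"""Hypermedia-driven navigation next to the FIOH verb-to-CRUD mapping.

Added example, not code from the original post. The "server" is an in-memory
stand-in for an HTTP service: handle() dispatches (method, url, body) and
returns (status, json_body). Every representation carries a "_links" map, and
the client in crawl_orders() hard-codes nothing but the entry point "/".
"""
from urllib.parse import parse_qs, urlparse

# Constructed sample resources, keyed by order id.
STORE = {1: {"item": "widget", "qty": 2}, 2: {"item": "gadget", "qty": 1}}
PAGE_SIZE = 1  # tiny pages so the "next" link relation is exercised


def representation(order_id):
    """Resource state plus the links a client may follow from it (HATEOAS)."""
    body = dict(STORE[order_id])
    body["_links"] = {"self": f"/orders/{order_id}", "collection": "/orders"}
    return body


def handle(method, url, body=None):
    """Dispatch one request; returns (status, json_body).

    The verb-to-CRUD mapping used here (POST create, GET read, PUT replace,
    PATCH partial update, DELETE remove) is the FIOH convention the post
    describes, not something Fielding's dissertation specifies.
    """
    parsed = urlparse(url)
    parts = [p for p in parsed.path.split("/") if p]

    if not parts:  # entry point: links only, no state
        return 200, {"_links": {"self": "/", "orders": "/orders"}}

    if parts == ["orders"]:
        if method == "GET":
            page = int(parse_qs(parsed.query).get("page", ["1"])[0])
            ids = sorted(STORE)
            chunk = ids[(page - 1) * PAGE_SIZE:page * PAGE_SIZE]
            links = {"self": url}
            if page * PAGE_SIZE < len(ids):
                links["next"] = f"/orders?page={page + 1}"
            return 200, {"items": [representation(i) for i in chunk],
                         "_links": links}
        if method == "POST":
            new_id = max(STORE, default=0) + 1
            STORE[new_id] = dict(body)
            return 201, representation(new_id)
        return 405, {"error": "method not allowed"}

    if len(parts) == 2 and parts[0] == "orders" and parts[1].isdigit():
        oid = int(parts[1])
        if oid not in STORE:
            return 404, {"error": "no such order"}
        if method == "GET":
            return 200, representation(oid)
        if method == "PUT":      # replace the whole resource
            STORE[oid] = dict(body)
            return 200, representation(oid)
        if method == "PATCH":    # merge only the supplied fields
            STORE[oid].update(body)
            return 200, representation(oid)
        if method == "DELETE":
            del STORE[oid]
            return 204, None
        return 405, {"error": "method not allowed"}

    return 404, {"error": "no such resource"}


def crawl_orders():
    """Hypermedia client: knows the entry point and link relation names only.

    It discovers the collection URL, each item URL and the pagination from the
    representations themselves, so the server may move resources around
    without breaking it.
    """
    status, root = handle("GET", "/")
    if status != 200:
        raise RuntimeError("entry point unavailable")
    names = []
    next_url = root["_links"]["orders"]
    while next_url:
        status, page = handle("GET", next_url)
        if status != 200:
            raise RuntimeError(f"GET {next_url} -> {status}")
        for item in page["items"]:
            # Follow the item's own self link instead of constructing a URL.
            _, order = handle("GET", item["_links"]["self"])
            names.append(order["item"])
        next_url = page["_links"].get("next")
    return names


if __name__ == "__main__":
    print(crawl_orders())                           # ['widget', 'gadget']
    print(handle("PATCH", "/orders/1", {"qty": 5})[0])  # 200
    print(handle("PUT", "/orders", {})[0])          # 405
```

Notice that `crawl_orders` never builds `/orders/1` itself; if the server renamed its collection to `/purchases`, only the `_links` values would change and the client would keep working. The `PUT`-replaces-versus-`PATCH`-merges distinction in `handle` is exactly the kind of convention developers argue about, and it lives entirely in the dispatcher, not in anything the representations say.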

This is why, rather than saying that nobody understands REST, we should just think of the term “REST” as having been misappropriated. The modern notion of a REST API has historical links to Fielding’s REST architecture, but really the two things are separate. The historical link is good to keep in mind as a guide for when to build a RESTful API. Does your API cross organizational and national boundaries the same way that HTTP needs to? Then building a RESTful API with a predictable, uniform interface might be the right approach. If not, it’s good to remember that Fielding favored having form follow function. Maybe something like GraphQL or even just JSON-RPC would be a better fit for what you are trying to accomplish.

If you enjoyed this post, more like it come out every four weeks! Follow @TwoBitHistory on Twitter or subscribe to the RSS feed to make sure you know when a new post is out.


  1. Roy Fielding. “Architectural Styles and the Design of Network-based Software Architectures,” 128. 2000. University of California, Irvine, PhD Dissertation, accessed June 28, 2020, https://www.ics.uci.edu/~fielding/pubs/dissertation/fielding_dissertation_2up.pdf

  2. Fielding, 130. 

  3. Fielding distinguishes between software architectures and software architecture “styles.” REST is an architectural style that has an instantiation in the architecture of HTTP. 

  4. Fielding, 2. 

  5. Fielding, 15. 

  6. Fielding, 82. 

  7. Paul Krill. “Ruby on Rails 2.0 released for Web Apps,” InfoWorld. Dec 7, 2007, accessed June 28, 2020, https://www.infoworld.com/article/2648925/ruby-on-rails-2-0-released-for-web-apps.html 

  8. Fielding, 109. 

1 public comment
I mean, yeah, alphabet soup, but kind of interesting alphabet soup.

China Malware: Sorry, Techno Geeks, There Still is no Place to Hide


In The Chinese Government is Accessing YOUR Network Through the Backdoor and There Still is NO Place to Hide, I explained how Chinese banks are requiring their account holders to install malware which allows the Chinese government to see all account holder data — financial or otherwise. We received the usual set of comments we get whenever we write about the lack of data protection in China:

  1. There are those who ask why we write about China’s lack of data protection when “every country does the same thing.” First off, this is a blog about China. Second, not every country does the same thing. Third, your data in China goes to the Chinese government, not to Facebook or to Google, and last we looked, neither Facebook nor Google has virtually unlimited power to imprison you.
  2. There are those who ask why we write about China’s lack of data protection when there isn’t anything anyone can do about it, and whether we would not all (including YOUR law firm) be better off just keeping our mouths shut. Yes, we would all be better off keeping our mouths shut, acting like this is not a problem and continuing to encourage companies to go into China strictly for the money. But that is just not how we roll.
  3. There are those who say: you are international lawyers, not data security specialists, and you just don’t know all the easy workarounds out there that will enable you to have a China bank account and give no data to the Chinese government. I will address these comments in this post.

The most interesting comments focused on the idea that Western-style cyber security measures can be successfully used as a defense against government-led hacking in China. One detailed response appeared on Dylan Evans’ Simple Salt blog, in Chinese spying: the ongoing saga.

Mr. Evans describes himself and his blog as follows:

Good security is easy for most people.  I want to explain how it can be easy for you.  I receive no compensation for any content on this site, and have no direct financial stake in any company mentioned on this site.

I have a deep technical background in corporate security and compliance, mostly for medical and finance companies in the USA.  I currently work for a large company in the finance industry.

Mr. Evans’ stated goal is to show that cyber security is easy. But it is not easy in China, because capable technicians like Mr. Evans are not permitted to work their magic there, and other than his one post responding to ours, there is nothing on Mr. Evans’ blog to indicate he had anything to do with China cyber security before last week. Just to be clear, we are not questioning Mr. Evans’ cybersecurity knowledge, nor are we even questioning his knowledge of cybersecurity in China. We are simply pointing out why he seems not to realize that China cybersecurity is not your father’s cybersecurity in Tulsa or Jacksonville.

To put it starkly, in China, the government itself is the hacker and it will not allow any foreign or domestic technician to provide services that will defeat the hacker’s ultimate goals.

Simple Salt starts its post by explaining how setting up banking operations on a separate laptop can seal the compromised site from the safely protected main site. The use of a dedicated laptop for banking purposes is standard practice in China. I did that in China myself when I had to step in to help run a company there. The reason a separate laptop is required reveals where the problems lie. The Chinese bank software is written so it will only run on a Chinese version of the Windows operating system.

Moreover, it will only run on an outdated, unpatched, unsupported version of Windows — usually an outdated version of Windows 7. The reason is that the malware hidden in the software depends on exploiting various flaws that are endemic in unpatched Windows operating systems. For this reason, anyone who is using a dual-language, patched, supported version of Windows 10 simply cannot make use of the bank-provided software. Use of the separate laptop is therefore forced.

In the daily life of a normal business in China, this use of a separate laptop becomes completely impractical. It is important to understand that under the new system I described, the entire financial and regulatory life of a business in China is done over the Internet. For full protection, then, we would need multiple separate laptops: one for each bank, one for the tax department, one for VAT receipts, one for the local government, one for the national government, one for freight forwarders, one for customs, one for the (government controlled) accountant, one for the bookkeeper, one for the employee benefits service. The list becomes endless. So the pressure is to combine all of those software systems onto one single laptop. This laptop is then used throughout the entire working day. It is not linked to the receiver (let’s say the one bank) and then immediately shut down. It remains linked to someone on the Internet for virtually the entire day.

But wait, it gets worse. Now all of the business’s important data is located on one or more dedicated laptops sealed off from the company’s main system. But to do business, the company needs the data from its laptops to go to its main system. Imagine for just a minute if all your company’s bank information were on one laptop in one office and not a part of your main system. So data from the laptops has to be regularly transmitted to the main system.

Not only must data from the laptop go to the main system at some point for the company to function at all smoothly, but it is also necessary for data from the main system to go to the laptop for use of the various systems located on the laptops. Again, just imagine how you will smoothly move only certain financial data from your main system to your laptop every day.

As a practical matter, it is not possible to keep the systems separate, and during these required data transfers your door is opened to malware infection. In the most primitive way, malware is transferred when a thumb drive is used for data transfer. However, many businesses just do the data transfer through some form of Ethernet or wireless link between the various systems. In some cases, companies just give up and shift all their important financial operations to the dedicated laptop, or even to a Chinese Windows desktop.
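To show what screening that thumb-drive transfer step actually involves on the receiving side, here is an added example (not from the post, nor from the Simple Salt blog): an “airlock” script that walks a transfer medium, admits only allow-listed data formats whose contents match their extension, refuses executables, autorun files and anything over a size limit, and records a SHA-256 for each accepted file so the import can be audited later. The allow-list, the magic-byte table, the size limit and the sample files are this example’s own assumptions; it addresses only the removable-media path the paragraph describes, not the network links or the other channels the post goes on to list.

```python
"""Airlock check for files carried from a dedicated (untrusted) laptop.

Added example, not code from the original post. Screens a transfer medium
before its contents are imported into the main network: only allow-listed
data formats pass, executable content and autorun files are refused, and each
accepted file gets a SHA-256 recorded for audit. All names, the allow-list and
the size limit are assumptions of this example.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path

ALLOWED_EXT = {".csv", ".txt", ".pdf", ".xlsx"}
# Leading bytes that identify the allowed binary formats (xlsx is a zip).
MAGIC = {".pdf": b"%PDF-", ".xlsx": b"PK\x03\x04"}
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF", b"#!")  # PE, ELF, script shebang
BLOCKED_NAMES = {"autorun.inf", "desktop.ini"}
MAX_BYTES = 50 * 1024 * 1024


def classify(name, head):
    """Decide for one file from its name and first bytes: (accept, reason)."""
    lower = name.lower()
    ext = Path(lower).suffix
    if lower in BLOCKED_NAMES:
        return False, "blocked filename"
    if ext not in ALLOWED_EXT:
        return False, f"extension {ext or '(none)'} not allow-listed"
    if head.startswith(EXECUTABLE_MAGIC):
        return False, "executable content"
    expected = MAGIC.get(ext)
    if expected and not head.startswith(expected):
        return False, f"content does not match {ext}"
    return True, "ok"


def screen_transfer(src_dir):
    """Walk the medium; return {relative path: decision} for every file.

    Accepted entries carry the file's SHA-256 so the import can be audited.
    """
    results = {}
    src = Path(src_dir)
    for path in sorted(p for p in src.rglob("*") if p.is_file()):
        rel = str(path.relative_to(src))
        if path.stat().st_size > MAX_BYTES:
            results[rel] = {"accept": False, "reason": "too large"}
            continue
        with open(path, "rb") as fh:
            head = fh.read(8)
        ok, reason = classify(path.name, head)
        entry = {"accept": ok, "reason": reason}
        if ok:
            entry["sha256"] = hashlib.sha256(path.read_bytes()).hexdigest()
        results[rel] = entry
    return results


def demo():
    """Constructed sample transfer: write a few files to a temp dir, screen
    them, remove the dir and return the decisions."""
    root = Path(tempfile.mkdtemp(prefix="airlock-"))
    try:
        (root / "statement.csv").write_bytes(b"date,amount\n2020-06-01,100.00\n")
        (root / "report.pdf").write_bytes(b"%PDF-1.7 constructed sample")
        (root / "update.pdf").write_bytes(b"MZ\x90\x00 a PE file named .pdf")
        (root / "autorun.inf").write_bytes(b"[autorun]\nopen=sync.exe\n")
        (root / "sync.exe").write_bytes(b"MZ\x90\x00")
        return screen_transfer(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:15} {'ACCEPT' if decision['accept'] else 'REJECT'}  {decision['reason']}")
```

The check deliberately looks at content, not just names: a PE file renamed to `.pdf` is refused on its `MZ` header, and a file with a permitted extension but the wrong magic is refused as a mismatch. Hashing only accepted files keeps the audit trail tied to what actually entered the main network.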

This is what actually happens on the ground in China, and there is no way to prevent it. Some foreign-owned companies in China will install a system based on advice from a foreign expert like Mr. Davies. They will use patched, updated operating systems, the most modern anti-virus protections, the best cryptography and a sophisticated VPN. This work is all in vain, because when a network connection is required, China Telecom or some other Chinese government agency will install the network system. And they will say it is fine for you to use these systems for your personal purposes, but you cannot use these systems for any operations that make use of the Internet in China, because China’s rules require the following:

  1. China-approved antivirus software.
  2. China-approved cryptography.
  3. A China-approved ISP.
  4. A China-approved cloud provider.
  5. China-approved connection software.
  6. A China-approved version of Chinese-language Windows that we will provide to you.
  7. Support service provided only by a China-approved (and controlled) network consultant.

To top it all off, China’s local authorities have the right to inspect your networked system at any time without notice and this inspection is done without the participation of company staff. During that inspection, your data will be removed using a thumb drive. If the government inspectors want to do it, they can then install the malware through the use of that same thumb drive. Most large network connections in China are done through use of a cloud system. Chinese government authorities have the same rights to inspect the cloud system. In accordance with the rules, the client of the cloud provider will not even know that its system has been inspected.

Network systems are provided to businesses in China exclusively through the Chinese government and/or by Chinese government agencies and/or by IT consultants approved and controlled by the government. The Chinese government is the primary hacker in China, with your cyber security being performed by the hacker itself. This goes beyond a simple network connection. The Chinese government provides the landline phone system and the cell phone system. The Chinese government provides the Internet connection. The Chinese government provides the email server. Many Chinese government agencies will not use email; they instead require all contacts be through WeChat, a completely insecure platform constantly monitored by the Chinese government. By using the extreme efforts described in the Simple Salt post, a foreign company doing business in China might be able to avoid one of these assaults on its data. But when the attacks come from every direction and are organized by the Chinese government itself, all backed up by the threat of imprisonment, any defense will ultimately fail.

So as I have said: there is no place to hide.

For this reason, the analysis provided in the Simple Salt post and in some of the other comments we received is naive, and the vast majority of foreign-invested companies in China do not have the capacity even to try. The task is too daunting and they know they will ultimately fail. The task is made even more pointless because in China these companies have no place to go for on-the-ground help. U.S.-based cybersecurity consultants are not permitted to work on the ground in China, so the assistance is not in fact practically available.

Measures taken to maintain security against Chinese government intrusion are seen as suspect or even illegal behavior. This is an important point. On Twitter, our post was met with comments from China bots and China lackeys saying things like “the only people who care about this sort of thing are those who have something to hide.” The truth is that the Chinese government will not allow any consultant or any company to defeat its cyber hacking program. This program is part of critical, central government policy.

U.S.-based cyber security consultants who promote their services by marketing an “easy” way to evade Chinese government cyber hacking are doing a double disservice. First, within China their measures simply won’t work. Second, companies that use these measures risk being identified as a “problem”, leading to even more intrusive scrutiny of their network systems and potential increased scrutiny and interference with their business operations in China, perhaps even prison. See, e.g., the following articles, all published within the last couple of weeks, and all detailing how China does not take terribly kindly to foreigners who try to circumvent the China system:

  1. U.S. Warns Its Citizens in China They Risk ‘Arbitrary’ Arrest
  2. Australians at risk of arbitrary arrest in China, DFAT travel advice warns
  3. China’s national security law for Hong Kong covers everyone on Earth
  4. China Thinks It Can Arrest Basically Anyone on the Planet for Criticizing Communism
  5. How this Long Island man ended up in a Chinese prison on espionage charges
  6. Michael Kovrig and Michael Spavor: China charges Canadians with spying

I challenge anyone to read these articles and then suggest that companies in China set up their network systems to circumvent Chinese government dictates.

So, as I noted, there is no place to hide. You are only “safe” if the Chinese government has no interest in you. The techno types who think they can defeat the Chinese system on the ground in China are living in a dream world. But there is no risk to them. The risks are loaded on the foreign companies operating within China. It is those risks we work to identify on this blog. Those risks are real and cannot be dissolved by techno-magic.

What are you seeing out there?
