Categories
Videos

IBM and Intelligence Cities

IBM’s efforts to add ‘intelligence’ to cities – and thus make them more manageable – are ongoing. While what they’ve developed in Rio is interesting, I suspect that several facets of the ‘defence mechanism’ obfuscate residents’ economic realities.

Specifically, the video notes that residents of favelas may receive text messages that warn of oncoming disasters. This is good, but misses the point that a warning system without a capacity to absorb/protect residents who are fleeing poorly-built environments is effectively useless.

While the IBM ‘smart city’ project may make the city more intelligent, and improve daily operations, such intelligence doesn’t necessarily mean that the city can temporarily house residents of favelas in ‘safe’ areas of the city if a major disaster occurs. Unfortunately, the sale of technology in this video obfuscates this key truth of disaster preparation.

Categories
Videos

Wacky Security Devices

This is the kind of wacky security device that would lead to lawsuits if it worked and hilarity regardless of functionality.

Categories
Writing

Facebook Censorship

I’ve tried to think of something comprehensive to say about the Facebook censorship rules for a few days now. I still don’t have something that really captures how absurd and offensive many of the items listed are. So, rather than give a holistic analysis of the document, here are a few thoughts:

Sex and Nudity

  • Point (1) indicates that permitting foreplay images between members of the same gender is somehow exceptional, given the statement “Foreplay allowed (Kissing, groping, etc.) even for same sex (man-man/woman-woman).” That this needs to be clearly stated is suggestive of a basic level of discomfort with same sex relationships.
  • Point (12) seems intensely hard to police, with enforcement being contingent on an employee’s own awareness of sexual fetishes. Moreover, given that the definition of a fetish is often derived from the use of inanimate objects as a stimulus to achieve sexual enjoyment/arousal, a high level of subjectivity will almost necessarily come into monitoring for the depiction of sexual fetishes “in any form.”

Hate Content

  • The note that “Humor overrules hate speech UNLESS slur words are present or the humor is not evident” is concerning because, in some circumstances, Facebook recognizes hate speech as somehow appropriate. I would suggest that the capacity for one person to detect humour is a particularly poor (and, arguably, inappropriate) evaluation metric.

Graphic Content

  • Point (1) seems immediately hard to govern, especially given that many Facebook members will support state-sanctioned violence towards targeted individuals. Example: would graphic comments supporting American efforts to torture Osama bin Laden be inappropriate? Is it OK to call for violence towards ‘bad’ people and not towards ‘good’ ones?
  • Point (6) prohibits the exhibition of what might be termed ‘grisly’ images that clearly show the penetration of skin. Blood or other aspects of a violent act are permitted, but the barrier of the skin is seen as special. This is suggestive of the ‘kinds’ of violence that Facebook recognizes as more or less appropriate for public viewing while imposing a particular cultural norm on a global network.
  • There is “No exception for news or awareness related content.” Thus, any news that is shared by Facebook members must conform to a specific norm of ‘appropriateness’ and failure to conform results in the removal of the content. Such an attitude speaks poorly of the company’s willingness to act as a site for individuals to communicate fully and openly: Facebook is declaring that their monetization depends, in part, on everyone being happy (or at least not shocked) and thus prohibits certain modes of expression.

Credible Threats

  • Point (3), that any threat to a head of state should be escalated, regardless of credibility, is problematic for three reasons. First: it will capture a vast number of users in a dragnet and it is unclear just how little would place a user within this net (e.g. would “I fucking hate X and wish we’d just kill X” qualify?). Second: it stinks of an effort to pass responsibility to another party, so that if a particular message is ever linked to an attack then Facebook would be minimally responsible. Third: the number of potential threats can outpace professional security audit staff’s capability to ascertain real/false threats. Dragnet surveillance for this kind of behaviour is a poor means of identifying actual threats.

Those are some of my thoughts about this particular document. There are others that are still crystallizing and once/if I develop a full thought about the document I’ll be sure to post it.

Categories
Links

Reasons To Not Use A Proxy Server

Some of the reasons to be concerned about using unknown third-parties’ proxy services.

Categories
Links

Police Look Up Woman’s License 425 Times

We should never forget that a large number of data/privacy breaches start from within a bureaucracy/organization. When an audit was performed on the driver’s license database in Minnesota, auditors found that a staggering number of officers had ‘checked up’ on a woman’s profile. From the article on this:

The numbers were astounding: One hundred and four officers in 18 different agencies from around the state had accessed her driver’s license record 425 times in what could be one of the largest private data breaches by law enforcement in history.

The Department of Public Safety sent letters to all 18 agencies demanding an Internal Affairs investigation of the 104 officers. If the cops are found to be in violation of federal privacy law, they could be fired.

It isn’t enough to assume that the police are all knights in shining armour, incapable of doing wrong. No: they’re people, with all the expected foibles and failings. Give them information and powers and they will abuse them. The only questions are when and with what consequence.

Categories
Links

Phishing on Mobile Devices

A good paper on (you guessed it!) phishing on mobile devices. Paper is here (.pdf) and abstract is below.

We assess the risk of phishing on mobile platforms. Mobile operating systems and browsers lack secure application identity indicators, so the user cannot always identify whether a link has taken her to the expected application. We conduct a systematic analysis of ways in which mobile applications and web sites link to each other. To evaluate the risk, we study 85 web sites and 100 mobile applications and discover that web sites and applications regularly ask users to type their passwords into contexts that are vulnerable to spoofing. Our implementation of sample phishing attacks on the Android and iOS platforms demonstrates that attackers can spoof legitimate applications with high accuracy, suggesting that the risk of phishing attacks on mobile platforms is greater than has previously been appreciated.


Categories
Links

Security Bugs In Google Chrome Extensions

A piece that was authored last September, enumerating some of the security issues with Google Chrome Extensions. The authors:

reviewed 100 Chrome extensions and found that 27 of the 100 extensions leak all of their privileges to a web or WiFi attacker. Bugs in extensions put users at risk by leaking private information (like passwords and history) to web and WiFi attackers. Web sites may be evil or contain malicious content from users or advertisers.  Attackers on public WiFi networks (like in coffee shops and airports) can change all HTTP content.  We’ll show you how you can prevent attacks on your extension using Content Security Policy.

In a followup, the authors have published a full report (here) that outlines their methodology and identifies the extensions that, as of February 2012, remain unpatched.

Check out the article, and some of the other great pieces that they’ve published on security.

Categories
Aside

How long American telcos hold onto customer data

Categories
Links

Internet Voting is a Bad, Bad Idea

Last year The Star ran an article detailing the merits of online voting. You get the usual benefits: increased turnout, happier constituents, and enhanced convenience. What the article entirely misses, of course, are the security and associated legitimacy issues linked with voting online. An academic blogger, writing before the article, notes that:

‘securing’ the Internet is a Herculean task. It absolutely cannot be regarded as a ‘secure’ development environment, especially when dealing with matters that are highly sensitive to political, technical, and social fault conditions. Such conditions may be worse than a fail condition, on the basis that faults generate fear and concern without a clear indication that something has gone wrong. In the case of an election, a perceived exploitable fault condition threatens to undermine political legitimacy and politically-generated solidarity on grounds that electoral results might be questionable. Thinking back to our bridge example, a ‘fail’ might be a bridge collapsing. A ‘fault’ might include cracks spanning the support columns that cause motorists to avoid using the bridge out of fear, even though the cracks do not endanger the bridge’s stability. If ‘faults’ cannot be corrected, then there may be general fear about the validity of an election even if the election is not manipulated. If a ‘fail’ condition occurs but is not detected, then there may be a perception of electoral legitimacy without the election actually being legitimate.

Elections are not something to be trivially tampered with. Heightened conveniences should not trump electoral security and legitimacy. While paper voting is annoying, it is a far more ‘secure’ method than online voting mechanisms. It really isn’t too much to ask/expect of people to mail in a vote, go to a polling station, or (quite reasonably) abstain from the process for their own reasons. We should not undermine a foundation of democracy just to make things a little bit more convenient.

Categories
Links

American Link To Greek Surveillance Debacle?

In 2004 it was discovered that parties unknown had been secretly monitoring a hundred of Greece’s top politicians and bureaucrats. An article from 2011 reveals that,

According to what sources told Kathimerini, the experts found that a mobile phone connection that had been purchased in the name of the US Embassy in Athens was used on one of these phones. Sources said that Dasoulas is now investigating whether any suspects who are not protected by diplomatic immunity could face charges.

Ericsson, which supplied the telephone exchange that was hacked into, and Vodafone, which was the service provider, were both fined by ADAE in 2007 for failing to protect the privacy of those who had their phones hacked, which included the head of the National Intelligence Service (EYP), several ministers and members of the armed forces, but the Council of State later cancelled these penalties.

The followup, of whether the Americans were actually involved, is ongoing as far as I can tell. Regardless of the culprits, it’s instructive that even the head of the intelligence service was successfully targeted. We need to be mindful of how surveillance technologies are deployed in our communications networks, not just because we worry about how our own government might use the technologies, but also because of how other third parties might use the technologies against the citizenry.