Categories
Quotations

2012.2.27

The great evil that we as Americans face is the banal evil of second-rate minds who can’t make it in the private sector and who therefore turn to the massive wealth directed by our government as the means to securing wealth for themselves. The enemy is not evil. The enemy is well dressed.

Larry Lessig, from Republic, Lost: How Money Corrupts Congress – and a Plan to Stop It.
Categories
Writing

I get that indexing encrypted backups is a royal pain in the ass, and that doing it well is challenging to boot. That said: the notion that RIM would provide discrete, encrypted backups of the PlayBook rather than solving the problem of indexed backups is absolutely absurd.

Even in an era of 500GB+ hard drives, ‘paying’ 13GB+ for each backup is ridiculous; this kind of storage cost simply doesn’t lead to a sustainable long-term backup scheme (especially when you head north to 55GB+ backups). Most users, in response, will dial back to non-encrypted backups and thus reduce the security profile of what is meant to be a secure device. This is incredibly bad form for RIM, made worse by the company’s (often contrasting) focus on (a) consumer markets and (b) professional – and thereby more security-conscious – markets.

Apple had the same problem with storing encrypted disk profiles in the previous iteration of their operating system – OS X Snow Leopard – though this was resolved in Lion. While the lessons Apple learned are likely not perfectly comparable to RIM’s own situation, RIM needs to move the ball ahead if it is to deliver to both of its markets at once. At this point it cannot afford to satisfy only one market or the other and hope to remain competitive.

Categories
Aside Links

The Big Threats to Internet Security

Dan Goodin has a good piece on one of Bruce Schneier’s recent talks. From the top of the article:

Unlike the security risks posed by criminals, the threat from government regulation and data hoarders such as Apple and Google are more insidious because they threaten to alter the fabric of the Internet itself. They’re also different from traditional Internet threats because the perpetrators are shielded in a cloak of legitimacy. As a result, many people don’t recognize that their personal information or fortunes are more susceptible to these new forces than they ever were to the Russian Business Network or other Internet gangsters.

The notion that government (largely composed of security novices), large corporations, and a feudal security environment (where we trust Apple, Google, etc. instead of having a generalizable good surveillance footprint) are key threats to security is not terribly new. That said, Bruce (as always) does a terrific job of explaining the issues in technically accurate ways that are simultaneously accessible to the layperson. Read the article; it’s well worth your time and will quickly demonstrate some of the ‘big’ threats to online security, privacy, and liberty.

Categories
Links Writing

User vs Corporate Understandings of ‘Security’

A really interesting paper on social authentication has just been released that looks at how facial identification ‘works’ to secure social networks from unauthorized access to profiles/records. The authors note that users of social networks are most concerned with keeping their interactions private from those who know them. Specifically, from the abstract:

Most people want privacy only from those close to them; if you’re having an affair then you want your partner to not find out but you don’t care if someone in Mongolia learns about it. And if your partner finds out and becomes your ex, then you don’t want them to be able to cause havoc on your account. Celebrities are similar, except that everyone is their friend (and potentially their enemy).

Moreover, a targeted effort to identify a user’s friends on a social network – and examine their photos – will let an attacker penetrate the social authentication mechanism. While many users would consider this a design flaw, Facebook, which uses this system, doesn’t necessarily agree because:

[Facebook] told us that the social captcha mechanism was used to solve the problem of large-scale phishing attacks. They knew it was not very effective against friends, and especially not against a jilted former lover. For that, they maintain that the local police and courts are an effective solution. They also claim that although small-scale face recognition is doable, their scraping protection prevents it being used at large scales.

What Facebook is doing isn’t wrong: they simply have a particular attacker type in mind with regard to social authentication and have deployed a defence mechanism to combat that attacker. Most users, however, are unlikely to consider that the company has a different attack scenario in mind than its end users, leading to anger and concern when a defence built for wide-scale attacks fails to protect against targeted attackers. While I don’t see this as a security or policy failure, it suggests that companies would be well advised to explain to their users how different security inconveniences actually interact with different hack/attack scenarios. Beyond educating users as to what they can expect from the various defence mechanisms, it might serve to raise some awareness about the different kinds of attackers that companies have to defend against. In an ideal world, this might serve as a starting point in educating users to become more critical of the security models that are imposed upon them by corporations, governments, and other parties they deal with.
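The mismatch between the two threat models can be made concrete with a small coverage calculation. The following is an added example, not code from the paper or from Facebook: it models a social-authentication session as k photo challenges with n candidate names each, tolerating up to a fixed number of wrong answers before lockout, and computes the exact (binomial) probability that a claimant passes. The attacker profiles, the parameter values k=7, n=6 and two tolerated failures, and the assumption that an attacker who does not recognise a face guesses uniformly among the n names are all constructed for illustration; they are not figures from the paper.

```python
"""Coverage model for a social-authentication ("social CAPTCHA") defence.

Added example, not the paper's or Facebook's code. The verifier shows k
photos of the account holder's friends and asks the claimant to pick the
right name out of n candidates each time; more than `max_failures` wrong
answers ends the session. A claimant recognises any given friend with
probability p (the share of the victim's friends they can identify) and
otherwise guesses uniformly among the n names. All parameter values are
constructed illustration values (our assumption, not the page's).
"""
from math import comb


def per_challenge_success(p: float, n: int) -> float:
    """Probability of answering a single photo challenge correctly.

    Either the friend is recognised (probability p) or the claimant
    guesses among n candidate names (probability 1/n).
    """
    if not 0.0 <= p <= 1.0 or n < 1:
        raise ValueError("p must lie in [0, 1] and n must be >= 1")
    return p + (1.0 - p) / n


def pass_probability(p: float, n: int = 6, k: int = 7, max_failures: int = 2) -> float:
    """Probability that a whole session of k challenges is passed.

    Challenges are independent; at most max_failures wrong answers are
    tolerated. This is an exact binomial tail sum, not a simulation.
    """
    q = per_challenge_success(p, n)
    return sum(
        comb(k, j) * q ** (k - j) * (1.0 - q) ** j
        for j in range(max_failures + 1)
    )


def compare_attackers(n: int = 6, k: int = 7, max_failures: int = 2) -> dict:
    """Pass probability for the attacker classes the post contrasts.

    The recognition rates are constructed values chosen to illustrate a
    mass phisher (knows none of the friends), a weak acquaintance, and a
    close contact such as a jilted former partner.
    """
    profiles = {
        "mass phisher (stranger)": 0.0,
        "weak acquaintance": 0.3,
        "close friend / ex-partner": 0.9,
    }
    return {name: pass_probability(p, n, k, max_failures) for name, p in profiles.items()}


if __name__ == "__main__":
    for name, prob in compare_attackers().items():
        print(f"{name:28s} pass probability = {prob:.4f}")
```

With these parameters a stranger passes roughly one session in five hundred, which is what makes the mechanism effective against bulk phishing of stolen passwords, while a claimant who recognises nine friends in ten passes almost every time. The defence's coverage is entirely a function of p, which is why it cannot be tuned to stop the targeted attacker the paper's users actually worry about without also locking out legitimate owners who struggle to recognise their own friends.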

Categories
Videos

Rick Mercer on the lawful access legislation

An excellent rant from Rick Mercer on the lawful access legislation that was recently tabled by the Government of Canada.

Categories
Aside Links

Terrific Set of Short Privacy Papers

The folks at the University of Cambridge’s Security Research and Computer Laboratory have pulled together a terrific set of short (and accessible) papers on security and privacy. I’d highly recommend taking a look.

Categories
Aside Links

Network Neutrality and Smart Televisions

From GigaOm, we find that:

Korea Telecom in South Korea has taken an interesting twist on the idea [of network neutrality], and decided to block Samsung’s Smart TVs from accessing the Internet, according to this article from the Maeil Business Newspaper, a large S. Korean daily. That’s right, net neutrality isn’t just for applications anymore.

It’s absurd that so-called ‘Smart TVs’ are being blocked on the basis of data consumption: as content goes HD and is piped over IP (and fibre optic lines!), ‘data consumption’ cannot justify cutting these televisions off from the IP network. No, what we’re seeing is an effort to stymie over-the-top growth unless the content owner/monopolist can find a way to extract unjustified rents. The Korean case is a clear example of why network neutrality regulations are so important.

Categories
Quotations

You might think they’d grow faster with all-you-can-eat, but I think it’s a testament to the fact that service providers are educating users more on their impact and IP footprint … People understand they have a 2GB or 3GB cap or whatever, so they are consuming as much as they can to get their money’s worth. Those with unlimited aren’t concerned, but aren’t using as much.

Cisco’s Thomas Barnett, explaining why tiered mobile plans saw a 169% increase versus an 83% increase for unlimited mobile data plans.
Categories
Links

Is the spectrum crisis a myth?

Kevin Fitchard has written one of the better (popular) pieces on why we need to get past the spectrum crisis myth. Go read it.

Categories
Humour

Ceiling Vic

I love this rehash of Ceiling Cat.