
So Now I’m Here

For the past decade and a half I’ve been publishing on a variety of platforms. Livejournal. Tumblr (a bunch of different times). A long-lasting WordPress instantiation (and a few that weren’t so long-lasting), plus some offline places where I reflect on more personal things and some online places that died relatively fast or came to ignominious ends (remember Posterous?).1

The Experience of Online Publishing

Each of the online platforms I’ve previously used has seen me experiment with different aspects of self-publishing. From spreading my content all over the Internet I’ve learned a few things about what matters to me:

  1. Publishing platforms need to emphasize the importance of user interfaces and user experiences.
  2. Platforms need to appreciate that if they aren’t seen as trustworthy then fewer people will publish using them.
  3. In some cases, companies that are offering online platforms need to help users make at least some tweaks to the publishing environment so that they can personalize the space to their content.
  4. Publishing platforms need to consider how to help users develop and foster a positive community that is inviting to new users and readers.

I’ve ultimately grown disenchanted with each of the major and minor writing platforms I’ve used over the years for one reason or another:

  • Livejournal (that social network of yore) was a product of its time in every sense. The user interface was crude, if serviceable. The community finding aspects were pretty decent for its time. But innovation slowed, and being sold to a Russian company raised pretty serious questions about censorship. (I went from Livejournal to WordPress, where a lot of my content has lived ever since.)
  • Tumblr remains, at least as I’ve experienced it, a burning garbage fire of user interface issues. I’ve gone back several times over the past six or seven years and it never seems to have really improved from its basic state. The sale to Yahoo! – a company that can’t secure itself from toddlers, it seems – makes that space less than inviting to add content to: will it be there tomorrow? And if so, who will be in charge of losing users’ logins, passwords, security questions, and content next?
  • While I use WordPress on a regular basis, and one installation has held my professional work for a decade, I don’t want yet another platform I have to secure from third-parties. The functionality is great but maintenance is something I want to do less of, not more.

But, if I’m being entirely honest, only part of the problem of finding outlets for my creative instincts has to do with the different platforms. A bigger problem is directly tied to me.

Professional Appropriation of Creativity

My professional job involves a lot of writing. The majority of the writing that I’ve done for ‘myself’ over the past decade has generally linked my public and professional personas. To my chagrin, most of the public places I’ve written have ultimately been appropriated by, and arguably undermined by, that public-professional persona.2

The result is that I really haven’t had (or maintained) a good place to put my creative outputs that extend beyond my professional work. Things that are about different pieces of technology I’m using and why, what I think about different photos that I’ve taken over the years, or comments on politics, reflections on poignant books or articles I’ve come across, as well as other things that catch my fancy. Sure, there are microblogging sites, but I want something more substantive and meaty and long-lasting than 140 characters.

If I thought I could write more personal, non-professional, pieces on the website that bears my own name I probably would. But that doesn’t feel like a real option for me: doing so would overlap my professional and personal lives more than I’m comfortable with, while also running the risk of weakening the professional ‘value’ I’ve built up in that long-lasting website.

So, Now I’m Here.

Medium has terrific typography and the people who routinely write here that I follow tend to be doing interesting and involving work. The topics are diverse. The publishing process seems pretty solid and made with the user in mind. And I already know a lot of people who are writing here, which definitely helps to make this a more inviting writing space.

So while my professional work is going to remain stovepiped in my long-lasting WordPress blog, I think I’m going to see what it’s like to use Medium as a place for my own work. Things that are less serious. Things that just don’t really belong in my other writing environments. Things that are personal but not so personal that they have to be kept from the public eye entirely.

NOTE: This was initially published on Medium in early 2017.


  1. I’m excluding the other ‘microblogging’ sites that we all use, like Twitter, Facebook, or Instagram.
  2. To say that I’ve had bad work-life balance in the past is an understatement. I was 90% work, 10% life. I attribute that lack of balance, in part, to my professional appropriation of my creative spaces.

$1,700 per month to live in a rebuilt garage in the Junction Triangle

Not everyone wants to live in such a small space. And—surprise, surprise—the suite isn’t legal, which is why the owners requested that we not publish their full names or address. And then there’s the fact that the kitchen doesn’t have a stove or oven, just a hot plate.

Let’s see how quickly the city finds this, and shuts it down, given the publicity that Toronto Life gave it. Separately: it costs $1,700 to live in a garage in Toronto right now?!


Ransomware app hosted in Google Play infects unsuspecting Android user

Ars Technica:

In 2012, Google unveiled a cloud-based scanner dubbed bouncer that was billed as a way for the company to detect malicious apps before they were made available in Play. Five years later, discovery of malicious apps like Charger are a regular occurrence. Google makes little reference to the tool these days.

Android: a new bag of hurt found each week.

WhatsApp’s new vulnerability is a concession, not a backdoor

The underlying weakness has to do with alerts rather than cryptography. Although they share the same underlying encryption, the Signal app isn’t vulnerable to the same attack. If the Signal client detects a new key, it will block the message rather than risk sending it insecurely. WhatsApp will send that message anyway. Since the key alert isn’t on by default, most users would have no idea.

It’s a controversial choice, but WhatsApp has good reasons for wanting a looser policy. Hard security is hard, as anyone who’s forgotten their PGP password can attest. Key irregularities happen, and each app has different policies on how to respond. Reached by The Guardian, WhatsApp pointed to users who change devices or SIM cards, the most common source of key irregularities. If WhatsApp followed the same rules as Signal, any message sent with an unverified key would simply be dropped. Signal users are happy to accept that as the price of stronger security, but with over a billion users across the world, WhatsApp is playing to a much larger crowd. Most of those users aren’t aware of WhatsApp’s encryption at all. Smoothing over those irregularities made the app itself simpler and more reliable, at the cost of one specific security measure. It’s easy to criticize that decision, and many have — but you don’t need to invoke a government conspiracy to explain it.

A multitude of secure messaging applications are vulnerable to keys being changed at the server level without the end-user being notified. This theoretically opens a way for state security agencies to ‘break into’ secured communications channels but, to date, we don’t have any evidence of a company in the Western or Western-affiliated world engaging in such behaviours.

There are laws that require some types of communications to be interceptable. Mobile communications carried by telecommunications carriers in Canada must be interceptable, and VoIP along with most other kinds of voice communications that are transmitted by equivalent carriers are subject to interception in the United States. There are not, however, similar demands currently placed on companies that provide chat or other next-generation communications systems.

While there are not currently laws mandating either interception or decryption of chat or next-generation communications, it remains plausible that laws will be introduced to compel this kind of functionality. It’s that possibility that makes how encryption keys are managed so important: as politicians smell that there is even the possibility of demanding decrypted communications, the potential for such interception laws increases dramatically. Such laws would formalize and calcify vulnerabilities into the communications that we use every day, to the effect of not just ensuring that domestic authorities could always potentially be listening, but foreign and unauthorized parties as well.
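To make the policy difference in the quoted piece concrete, here is a small model (added here; it is not WhatsApp’s or Signal’s code) of a client that remembers each contact’s identity key and, when the server hands back a different key while a message is pending, either holds the message or re-sends it under the new key with an opt-in alert. The setting names, the sample keys and the contact are constructed for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum


class Policy(Enum):
    BLOCK_ON_KEY_CHANGE = "signal-style"     # hold the message until the user verifies the new key
    RESEND_ON_KEY_CHANGE = "whatsapp-style"  # accept the new key and deliver; the alert is opt-in


@dataclass
class Outcome:
    delivered: bool   # did the pending message go out under the new key?
    alerted: bool     # was the user told that the contact's key changed?
    reason: str


@dataclass
class Client:
    policy: Policy
    show_key_alerts: bool = False                   # hypothetical "security notifications" toggle, off by default
    known_keys: dict = field(default_factory=dict)  # contact -> identity key last seen

    def send(self, contact: str, server_key: bytes) -> Outcome:
        """Try to send a pending message; server_key is what the server now advertises for contact."""
        previous = self.known_keys.get(contact)
        if previous is None:
            # First contact: trust on first use, there is nothing to compare against yet.
            self.known_keys[contact] = server_key
            return Outcome(True, False, "first key seen for contact, trusted on first use")
        if previous == server_key:
            return Outcome(True, False, "key unchanged")
        # The key the server hands back differs from the one seen earlier.
        if self.policy is Policy.BLOCK_ON_KEY_CHANGE:
            # Signal-style: nothing is sent until the user accepts the new key.
            return Outcome(False, True, "identity key changed; message held until the new key is verified")
        # WhatsApp-style: adopt the new key, re-encrypt and deliver; only opted-in users see an alert.
        self.known_keys[contact] = server_key
        return Outcome(True, self.show_key_alerts, "identity key changed; message re-sent under the new key")


# Constructed sample identity keys; placeholders, not real key material.
KEY_ORIGINAL = bytes.fromhex("01" * 32)
KEY_REPLACED = bytes.fromhex("02" * 32)   # advertised after a device change or a server-side substitution


def demo() -> dict:
    """Run the same key change past the three client configurations the article contrasts."""
    clients = {
        "signal": Client(Policy.BLOCK_ON_KEY_CHANGE),
        "whatsapp_default": Client(Policy.RESEND_ON_KEY_CHANGE),
        "whatsapp_alerts_on": Client(Policy.RESEND_ON_KEY_CHANGE, show_key_alerts=True),
    }
    results = {}
    for name, client in clients.items():
        client.send("alice", KEY_ORIGINAL)                    # establishes the trusted key
        results[name] = client.send("alice", KEY_REPLACED)    # key changes while a message is pending
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:20s} delivered={outcome.delivered!s:5s} alerted={outcome.alerted!s:5s} {outcome.reason}")
```

The third configuration shows that the WhatsApp-style client only ever tells the user about the change when the alert setting has been switched on; the message itself is delivered either way.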


Evaluating the Buzzfeed dossier, by a former Intelligence Analyst

Individual details, like lawyer Michael Cohen’s trip to Prague or the spelling of a name or two, may indeed be disproven. Not everything in these reports is 100% accurate.

However, it is extremely important to emphasize that micro-level inaccuracies do not detract from the credibility of the two broad points that I establish above: that Trump’s organization has had a relationship with the Kremlin and that he is subject to blackmail.

This is one of the better analyses of how to understand the dossier that was released this week on Donald Trump’s activities in Russia and involvement with the Russian government.


Demand for secret messaging apps is rising as Trump takes office

From The Verge:

Marlinspike’s goal isn’t unicorn riches, but unicorn ubiquity. For that, he wants to make encrypted messaging as easy — as beautiful, as fun, as expressive, as emoji-laden — as your default messaging app. His reason: if encryption is difficult, it self-selects for people willing to jump through those hoops. And bad guys are always willing to jump through the hoops. “ISIS or high-risk criminal activity will be willing to click two extra times,” he told me. “You and I are not.”

Marlinspike’s protocol for secure communication is incredibly effective at protecting message content from third-party observation. Few protocols are nearly as effective, however, and most chat companies now claim that they offer ‘secure’ communications. Almost no consumers are situated to evaluate those claims: there are known deficient applications that are widely used, despite the security community having identified and discussed their problems. Encryption isn’t actually going to provide the security that most users think it does unless the best-of-class protocols are widely adopted.1

The problem of imperfect consumer knowledge is a hard one to solve, in part because the security community cannot evaluate all claims of encryption. In work that I’ve been involved in we’ve seen simplistic ciphers, hard-coded passwords, and similar deficiencies. In some cases companies have asserted they secure data but then fail to encrypt data between smartphone apps and company servers. It’s laborious work to find these deficiencies and it’s cheap for companies to claim that they offer a ‘secure’ product. And it ultimately means that consumers (who aren’t experts in cryptography, nor should they be expected to be such experts) are left scratching their heads and, sometimes, just throwing their hands up in frustration as a result of the limited information that is available.


  1. Admittedly, Marlinspike’s goal is to spread his protocol widely and the result has been that the largest chat service in the world, WhatsApp, now provides a robust level of communications security. To activate the protocol in other chat services, such as Google’s Allo or Facebook’s Messenger, you need to first set up a private conversation.

Google warns journalists and professors: Your account is under attack

From Ars Technica:

A Google spokesman, citing this overview of the warnings, said it’s possible that the recent flurry may refer to hacking attempts that happened over the past month, as opposed to events that occurred more recently. He said Google officials deliberately delay warnings to prevent those behind the attacks from learning researchers’ sources and methods for detecting the attacks. The delays apply only to attack attempts, rather than cases where attacks result in a successful account takeover.

Phishing and account takeover are very real threats. Yes, particular persons are sometimes targeted because they are personally identified as ‘high value targets’. However, persons antecedent to them are also targeted because high value targets can be more mindful of possible efforts to phish their credentials, while less mindful about clicking links from friends and family. As a result, the persons who the high value target communicates with may be used as a proxy for attacking the high value target.

Do you know someone who might be a target? Such as a prominent lawyer, business person, or politician? Or just someone who, themselves, would have access to such prominent persons or to sensitive information? If so, then you could be targeted by a sophisticated attacker not because you, yourself, are interesting but because you’re a gateway to those who are.


ThyssenKrupp secrets stolen in ‘massive’ cyber attack

Per Reuters:

ThyssenKrupp said it waited to publicize the attack while it identified, then cleansed infected systems in one concerted, global action before implementing new safeguards to monitor its computer systems. “It is important not to let the intruder know that he has been discovered,” a spokesman said.

A criminal complaint was filed with police in the state of North Rhine-Westphalia and an investigation is ongoing, it said. State and federal cyber security and data protection authorities were kept informed at each stage, as well as Thyssen’s board.

Secured systems operating steel blast furnaces and power plants in Duisburg, in Germany’s industrial heartland in the Ruhr Valley, were unaffected, the company said.

No breaches were found at its marine systems unit, which produces military submarines and warships.

A previous cyber attack caused physical damage to an unidentified German steel plant and prevented the mill’s blast furnace from shutting down properly.

The shift towards automation of critical infrastructure and industry systems means that we can reduce costs of production while (in many cases) improving worker safety by keeping workers away from particularly dangerous areas of manufacturing facilities. At the same time, however, by digitizing functions that were once performed using analogue or network-disconnected systems the attack surface of these facilities increases: whereas once a human insider might have been needed, now an attacker just needs an implanted computer that is on, or can gain access to, the relevant network.

The problems linked to digitizing infrastructure and manufacturing systems are not going to improve quickly: attackers are just now really starting to launch targeted attacks, and the investments made by companies in their equipment are not going to be just thrown out. That means that many systems and companies will likely remain exposed to possible attack for years, if not decades, barring a significant shift in security culture.


The London Tube Is Tracking Riders with Their Phones

From Wired:

An agency like TfL could also use uber-accurate tracking data to send out real-time service updates. “If no passengers are using a particular stairway, it could alert TfL that there’s something wrong with the stairway—a missing step or a scary person,” Kaufman says. (Send emergency services stat.)

The Underground won’t exactly know what it can do with this data until it starts crunching the numbers. That will take a few months. Meanwhile, TfL has set about quelling a mini-privacy panic—if riders don’t want to share data with the agency, Sager Weinstein recommends shutting off your mobile device’s Wi-Fi.

So, on the one hand, they’ll apply norms and biases to ascertain why their data ‘says’ certain things. But to draw these conclusions the London transit authority will collect information from customers, and the only way to disable this collection is to reduce the functionality of your device when you’re in a public space. Sounds like a recipe for great consensual collection of data and subsequent data ‘analysis’.


Partnering to help curb the spread of terrorist content online

Facebook, Microsoft, Twitter, and YouTube are coming together to help curb the spread of terrorist content online. There is no place for content that promotes terrorism on our hosted consumer services. When alerted, we take swift action against this kind of content in accordance with our respective policies.

Starting today, we commit to the creation of a shared industry database of “hashes” — unique digital “fingerprints” — for violent terrorist imagery or terrorist recruitment videos or images that we have removed from our services. By sharing this information with each other, we may use the shared hashes to help identify potential terrorist content on our respective hosted consumer platforms. We hope this collaboration will lead to greater efficiency as we continue to enforce our policies to help curb the pressing global issue of terrorist content online.

The creation of the industry database of hashes shows the world that these companies are ‘doing something’ without that something being particularly onerous: any change to a file will result in it having a different hash, and thus make it undetectable by the filtering system being rolled out by these companies. But that technical deficiency is actually the least interesting aspect of what these companies are doing. Rather than being compelled to inhibit speech – by way of a law that might not hold up to a First Amendment challenge in the United States – the companies are voluntarily adopting this process.

The result is that some files will be more challenging to find without someone putting in the effort to seek them out. But it also means that the governments of the world cannot say that the companies aren’t doing anything, and most people aren’t going to be interested in the nuances of the technical deficits of this mode of censorship. So what we’re witnessing is (another) privatized method of censorship that is arguably more designed to rebut political barbs about the discoverability of horrible material on these companies’ services than intended to ‘solve’ the actual problem of the content’s creation and baseline availability.

While a realist might argue that anything is better than nothing, I think that the very existence of these kinds of filtering and censoring programs is inherently dangerous. While it’s all fine and good for ‘bad content’ to be blocked, who will be defining what is ‘bad’? And how likely is it that, at some point, ‘good’ content will be either intentionally or accidentally blocked? These are systems that can be used in a multitude of ways once established, and which are often incredibly challenging to retire once in operation.