Categories
Aside Links

(In)Security and Scruff

From The Verge:

Ashley: And then, you mentioned it in transit, do you store these on Scruff’s personal servers? When it’s on the server, is it encrypted? What kind of protections do you have on the server?

We take a number of steps to secure our network. Encryption is a multifaceted and multilayered question and process. Yeah, I can say that the technical architecture of Scruff is one that we have had very smart people look into. We’ve worked with security researchers and security experts to ensure that the data that’s on Scruff stays safe and that our members can use Scruff with confidence and know that their information isn’t going to be disclosed to unauthorized parties.

This is exactly the kind of answer that should set off alarm bells: the developer of Scruff doesn’t actually answer the specific and direct question about the company’s encryption policies in an equivalently direct and specific way. Maybe Scruff really does have strong security protocols in place, but you certainly wouldn’t know that from the answer provided.

It’d be a great idea if someone were to develop the equivalent of the EFF’s or IX Maps’ scorecards, which evaluate the policies of digital and Internet companies, and apply it to online dating services. I wonder how well these services would actually fare when evaluated on their privacy and security and anti-harassment policies…

Categories
Links Writing

Privacy Enhancing Technologies – A Review of Tools and Techniques

From the Office of the Privacy Commissioner of Canada:

PETs are a category of technologies that have not previously been systematically studied by the Office of the Privacy Commissioner of Canada (OPC). As a result, there were some gaps in our knowledge of these tools and techniques. In order to begin to address these gaps, a more systematic study of these tools and techniques was undertaken, starting with a (non-exhaustive) review of the general types of privacy enhancing technologies available. This paper presents the results of that review.

While Privacy Enhancing Technologies (PETs) have been around for a long time, only a few have really taken hold over time, and usually only because companies had a commercial incentive to integrate the enhancements.

Some of the failures of PETs to be widely adopted have stemmed from the reasons specific PETs were created (to effectively forestall formal regulatory or legislative action), others because of their complexity (you shouldn’t need a graduate degree to configure your tools properly!), and yet others because the PETs in question were built by researchers and not intended for commercialization.

The OPC’s review of dominant types of PETs is good and probably represents the most current of reviews. But the specific categories of tools, types of risks, and reasons PETs have failed to really take hold have largely been the same for a decade. We need to move beyond research and theory and actually do something soon given that data is leaking faster and further than ever before, and the rate of leakage and dispersal is only increasing.

Categories
Aside Links

The Problem of Botting on Instagram

Calder Wilson at Petapixels:

Instagram’s Terms of Use make it clear that botting is a no-no. Over the past couple of years the platform has implemented anti-spam/anti-bot restrictions, which do things like prevent accounts from liking too many photos in a short amount of time or commenting the same thing again and again. It’s obvious they oppose using bots ideologically, and it’s very easy to determine who’s using them or not, so why don’t they do something about it?

For one thing, Instagram is killing it right now. Every time Facebook reports their financial earnings, they need to show robust growth in their flagship products; almost just as importantly, they need to show healthy engagement. Growth and engagement are the life forces of Facebook’s stock, and any decrease in either can send shares south.

Now, consider that my @canonbw account was liking over 30,000 photos every month along with thousands and thousands of comments. That doesn’t even include the activity generated from people responding and liking my images/following me in return. If I took every Instagram user I know in my life who doesn’t use a bot, it’s more than likely that my single account generated more “activity” than everyone else over the last year combined.

If we take into account the massive number of people botting every day all around the world, the number of likes and comments is astronomical. It’s very unlikely that this huge engagement engine will ever be shut down by Facebook Inc. The relationship between Instagram and botters is seemingly symbiotic, but I argue that in the long run, Instagram suffers.

The problems linked with false engagements fuel the life of Facebook as a public company, while turning the actual product space into one that is as demoralizing as Facebook itself. A growing number of academic articles are finding correlations between Facebook use and depression, in part linked to how much content is liked. While Instagram use remains relatively strongly correlated with happiness, will this persist with the growing rise of bots?

Categories
Links

How to Debug Your Content Blocker for Privacy Protection

Via the EFF:

Millions of users are trying to protect their privacy from commercial tracking online, be it through their choice of browser, installation of ad and tracker blocking extensions, or use of a Virtual Private Network (VPN). This guide focuses on how to correctly configure the blocking extension in your browser to ensure that it’s giving you the privacy you expect. We believe that tools work best when you don’t have to go under the hood. While there is software which meets that criteria (and several are listed in the final section of the guide), the most popular ad blockers do not protect privacy by default and must be reconfigured. We’ll show you how.

A genuinely helpful guide for getting the most out of your ad/tracker blocker.

As a note: you don’t just want to block ads and trackers for privacy reasons (linked to being surveilled as you travel around the Internet) but also for security reasons: online ads are a vector for dropping malicious payloads and even the biggest networks are periodically affected.

Categories
Links Roundup Writing

The Roundup for November 25-December 1, 2017 Edition

I’m a kind of obsessive consumer. Before I buy something I tend to get excited about it, and do a lot of research, and get super into whatever it is that has struck my fancy. When the iPhone X came out, even knowing that I wasn’t on a buying cycle this year, I still wanted it and so did dozens of hours of research. A few weeks prior I was looking at a particular Olympus lens. And before then it was a new Sony rx100 or Fuji x100.

But I’ve gotten to know myself well enough that I let myself wallow in the obsession…and then just let go. It’s a self-reflective defensive mechanism that kept my wallet pretty safe throughout the sales of Black Friday and Cyber Monday, and one that more generally has helped to lift me out of consumer debt hell over the course of the past year. Consumerism is exciting, so long as you only enjoy the dreams and avoid crushing them by actually purchasing the item(s) in question.


During the Cold War humanity did terrible things to the natural ecosystems of the world by testing nuclear weapons. Bikini Atoll is one of the areas that most felt humanity’s ugly destructive impulses. So it was pretty exciting to learn that after abandoning that part of the world for about fifty years things seem to be recovering:

The research, López says, provides at least preliminary evidence that even if you destroy an ecosystem, it can heal with time — and with freedom from human interference. Ironically, Bikini reefs look better than those in many places she’s dived.

Despite the fact that the ecosystem is healing what’s there now remains dangerous to human life. The coconuts (and coconut trees more generally) hold huge doses of radiation, and the platter-sized crabs are presumably similarly radioactive because their primary food source is coconut meat. Despite the outward appearances of healing the atoll will likely remain hostile to human life: for the foreseeable future this paradise will only be accessible to animal life and off limits to human habitation.


In some exciting personal news, I got back a review from a journal to which I’d sent an article. While some revisions are required, work that I’ve been hacking on for the past few years is more than likely going to be public in one of Canada’s law journals next year! Unlike some other publishing experiences, this time it was a fast turnaround: submit in September, hear back by end of November, revisions by January, and publication in Spring 2018. W00T!


New Apps and Great App Updates from this Week

Great Photography Shots

Jenna Martin gave herself a challenge: go to an ugly location (Lowe’s) and get some pretty shots (success, in my opinion).

Music I’m Digging

Neat Podcast Episodes

Good Reads for the Week

Cool Products

Categories
Aside Links

Supreme Court of Canada to Decide on Protection of Journalistic Material

From CBC News:

The materials at issue relate to three stories Makuch wrote in 2014 on a Calgary man, Farah Shirdon, 22, charged in absentia with various terrorism-related offences. The articles were largely based on conversations Makuch had with Shirdon, who was said to be in Iraq, via the online instant messaging app Kik Messenger.

With court permission, RCMP sought access to Makuch’s screen captures and logs of those chats. Makuch refused to hand them over.

RCMP and the Crown argued successfully at two levels of court that access to the chat logs was essential to the ongoing investigation into Shirdon, who may or may not be dead. They maintained that journalists have no special rights to withhold crucial information.

Backed by alarmed media and free-expression groups, Makuch and Vice Media argued unsuccessfully that the RCMP demand would put a damper on the willingness of sources to speak to journalists.

The conflicting views will now be tested before the Supreme Court.

This case matters for numerous reasons.

First, there has been a real drying up of certain sources, which has prevented journalists in Canada from bringing material to public light. Such material doesn’t just pertain to terrorism and foreign combatants but, also, white collar crime, political scandals, cybercrime issues, and more. The Canadian public is being badly served by the Crown’s continued pursuit of this case.

Second, this case threatens to further diminish relations between the state and non-state actors who may, as a result, be (further) biased against state authorities. It’s important to be critical of the government, and especially of those aspects of the government which can dramatically reshape citizens’ life opportunities. But should the press gallery adopt an unwarranted, more critical and combative tone towards the government, there could be a deleterious impact on the trust Canadians have in their government. By extension, this could lead to a further decline in the willingness to see the government as something that tries to represent the citizenry writ large. That kind of democratic malaise is dangerous to ongoing governance and a threat to the legitimization of all kinds of state activities.

Categories
Links

Metadata in Context – An Ontological and Normative Analysis of the NSA’s Bulk Telephony Metadata Collection Program

Abstract:

In the aftermath of the Snowden revelations, the National Security Agency (NSA) responded to fears about warrantless domestic surveillance programs by emphasizing that it was collecting only the metadata, and not the content, of communications. When justifying its activities, the NSA offered the following rationale: because data involves content and metadata does not, a reasonable expectation of privacy extends only to the former but not the latter. Our paper questions the soundness of this argument. More specifically, we argue that privacy is defined not only by the types of information at hand, but also by the context in which the information is collected. This context has changed dramatically. Defining privacy as contextual integrity we are able, in the first place, to explain why the bulk telephony metadata collection program violated expectations of privacy and, in the second, to evaluate whether the benefits to national security provided by the program can be justified in light of the program’s material costs, on the one hand, and its infringements on civil liberties, on the other hand.

A terrific paper from Paula Kift and Helen Nissenbaum.

Categories
Links

How severe will this flu season be?

From the Globe and Mail:

Every year, around February or March, the World Health Organization provides its recommendations on the composition of influenza vaccines for the northern hemisphere for the next flu season, based on its projections of what viruses are likely to be in circulation. But it’s hard to predict just how effective the vaccines will be.

In general, flu vaccines are around 50 per cent effective. But for the 2014-15 season, the vaccine effectiveness against H3N2 was less than 10 per cent. Flu shots are by no means perfect, but they’re still considered the best way of protecting people from getting sick.

The trivalent flu vaccine given this year, which contains three components, is comprised of an H1N1 vaccine component, an H3N2 component, and an influenza B component.

While the H1N1 component in this year’s flu shot has been updated for the coming season, the other two components have remained unchanged from last year’s flu vaccine, Skowronski says. Depending on which is the dominant strain this year, this could spell trouble.

“If it turns out to be a H3N2 season, then that means the vaccine effectiveness is likely to be suboptimal,” she says. That’s because last year, with the identical component, the vaccine effectiveness for H3N2 was around 35 to 40 per cent. And since the viruses are constantly changing and mutating, Skowronski says it’s unlikely the effectiveness of the same vaccine component will be any higher for the coming season. “That’s one of the unfortunate, concerning factors, frankly, from my perspective: that the H3N2 component is unchanged, yet we know the virus is changing.”

Even so, just because this year’s flu shot contains two out of three of the same components as last year’s, don’t think you won’t need to get vaccinated again if you got the shot last year. The updated influenza A component may help protect you in an influenza A outbreak, Warshawsky says. Plus, she adds, “We also know that the duration of protection doesn’t necessarily last well from one year to another. So relying on last year’s vaccine will not necessarily carry over protection to this year.”

The amount of information covered in the Globe and Mail’s article is really, really impressive. I learned a lot about the flu, vaccination, and how different vaccines interact with flu. Highly recommended.

Categories
Links

Data breaches, phishing, or malware? Understanding the risks of stolen credentials

New research from Google:

In this paper, we present the first longitudinal measurement study of the underground ecosystem fueling credential theft and assess the risk it poses to millions of users. Over the course of March, 2016–March, 2017, we identify 788,000 potential victims of off-the-shelf keyloggers; 12.4 million potential victims of phishing kits; and 1.9 billion usernames and passwords exposed via data breaches and traded on blackmarket forums. Using this dataset, we explore to what degree the stolen passwords—which originate from thousands of online services—enable an attacker to obtain a victim’s valid email credentials—and thus complete control of their online identity due to transitive trust. Drawing upon Google as a case study, we find 7–25% of exposed passwords match a victim’s Google account. For these accounts, we show how hardening authentication mechanisms to include additional risk signals such as a user’s historical geolocations and device profiles helps to mitigate the risk of hijacking. Beyond these risk metrics, we delve into the global reach of the miscreants involved in credential theft and the blackhat tools they rely on. We observe a remarkable lack of external pressure on bad actors, with phishing kit playbooks and keylogger capabilities remaining largely unchanged since the mid-2000s.
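The abstract’s mitigation is that a password match, even a correct one, should not be the only input to a login decision: a password known to be exposed in a breach, an unfamiliar geolocation, and an unfamiliar device profile each raise the risk of the attempt. The following is an added example, not code from the paper or from Google, of a small risk-based evaluator that combines those signals and decides whether to allow, step up to an additional challenge, or deny. The breach corpus, the user profiles, the signal weights and thresholds are all constructed for the illustration; plain SHA-256 stands in for the salted, slow password hash a real system would use.

```python
"""Risk-based login evaluation (added illustration, not the paper's code).

A correct password is necessary but not sufficient: the attempt is scored
against the user's historical geolocations and device profiles, and against
a corpus of passwords known to be exposed in breaches.
"""
import hashlib
import hmac
from dataclasses import dataclass


def pw_hash(password: str) -> str:
    # Assumption for brevity: unsalted SHA-256. A production system would use
    # a salted, slow hash (bcrypt/scrypt/Argon2) for the stored credential.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class UserProfile:
    username: str
    password_hash: str
    known_countries: frozenset  # historical coarse geolocations of logins
    known_devices: frozenset    # historical device/browser profile ids


@dataclass(frozen=True)
class LoginAttempt:
    username: str
    password: str
    country: str    # coarse geolocation of this request, e.g. derived from IP
    device_id: str  # device/browser profile identifier presented with the request


# Constructed sample data: a tiny "breach corpus" and two users' histories.
EXPOSED_PASSWORD_HASHES = frozenset(
    pw_hash(p) for p in ("hunter2", "letmein123", "Winter2017!")
)
ALICE = UserProfile("alice", pw_hash("tr0ub4dor&3"),
                    frozenset({"CA"}), frozenset({"laptop-7f3a"}))
BOB = UserProfile("bob", pw_hash("hunter2"),          # reuses an exposed password
                  frozenset({"CA", "US"}), frozenset({"phone-11c2"}))

# Constructed weights: an exposed password is the strongest single signal.
SIGNAL_WEIGHTS = {
    "password_exposed_in_breach": 3,
    "unfamiliar_geolocation": 2,
    "unfamiliar_device": 2,
}
CHALLENGE_AT = 2  # score at which a step-up challenge is required
DENY_AT = 5       # score at which the attempt is refused outright


def risk_signals(profile: UserProfile, attempt: LoginAttempt) -> list:
    """Return the names of the risk signals present in this attempt."""
    signals = []
    if pw_hash(attempt.password) in EXPOSED_PASSWORD_HASHES:
        signals.append("password_exposed_in_breach")
    if attempt.country not in profile.known_countries:
        signals.append("unfamiliar_geolocation")
    if attempt.device_id not in profile.known_devices:
        signals.append("unfamiliar_device")
    return signals


def evaluate_login(profile: UserProfile, attempt: LoginAttempt) -> tuple:
    """Decide 'allow', 'challenge' or 'deny' and report the reasons."""
    presented = pw_hash(attempt.password)
    # Constant-time comparison so the check itself leaks no timing signal.
    if attempt.username != profile.username or not hmac.compare_digest(
        presented, profile.password_hash
    ):
        return "deny", ["password_mismatch"]
    signals = risk_signals(profile, attempt)
    score = sum(SIGNAL_WEIGHTS[s] for s in signals)
    if score >= DENY_AT:
        return "deny", signals
    if score >= CHALLENGE_AT:
        return "challenge", signals
    return "allow", signals


if __name__ == "__main__":
    for attempt in (
        LoginAttempt("alice", "tr0ub4dor&3", "CA", "laptop-7f3a"),  # familiar
        LoginAttempt("alice", "tr0ub4dor&3", "DE", "laptop-7f3a"),  # new country
        LoginAttempt("bob", "hunter2", "CA", "phone-11c2"),         # exposed pw
        LoginAttempt("bob", "hunter2", "RU", "desktop-9b0e"),       # all signals
    ):
        print(attempt.username, attempt.country, evaluate_login(
            ALICE if attempt.username == "alice" else BOB, attempt))
```

The point of the scoring is visible in the last two attempts: Bob’s correct password is in the breach corpus, so even from his usual country and device the login is stepped up to a challenge, and from an unknown country on an unknown device it is refused. The weights and thresholds are deliberately simple; a deployed system would tune them against observed hijacking attempts and add further signals.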

Categories
Links

Intro to Mitigating Contemporary DDOS Attacks

From Cloudflare:

As the capacity of networks like Cloudflare continue to grow, attackers move from attempting DDoS attacks at the network layer to performing DDoS attacks targeted at applications themselves.

For applications to be resilient to DDoS attacks, it is no longer enough to use a large network. A large network must be complemented with tooling that is able to filter malicious Application Layer attack traffic, even when attackers are able to make such attacks look near-legitimate.

The pace of change in how DDoS attacks are conducted, together with attackers’ efforts to turn best and worst security practices alike against Internet-connected resources, is a serious and generally underappreciated problem.