Categories: Aside, Links

Backdooring an ‘Encrypted’ Application

Pursuant to my last post on cryptography and pixie dust, it’s helpful to read through Matt Green’s highly accessible article “How to ‘backdoor’ an encryption app.” You’ll find that companies have a host of ways of enabling third-party surveillance, ranging from overt deception, to having access to communications metadata, to compromising their product’s security if required by authorities. In effect, there are lots of ways that data custodians can undermine their promises to consumers, and it’s pretty rare that the public ever learns that the method(s) used to secure their communications have either been broken or are generally ineffective.

Categories: Links

Constraints

Matt has written one of the most succinct and clear pieces on product constraints. It’s well worth the time to read and subsequently mull over.

Categories: Humour, Links, Writing

Definitions for the American Surveillance State

David Sirota of Salon has developed an excellent set of terms to speed along discussions about the contemporary American surveillance state. My own favorites include:

Least untruthful: A new legal doctrine that allows an executive branch official to issue a deliberate, calculated lie to Congress yet avoid prosecution for perjury, as long as the official is protecting the executive branch’s political interests. Usage example: Director of National Intelligence James Clapper avoided prosecution for perjury because he insisted that the blatant lie he told to Congress was merely the “least untruthful” statement he could have made.

And:

Modest encroachment: A massive, indiscriminate intrusion. Usage example: President Obama has deemed the NSA’s “collect it all” surveillance operation, which has captured 20 trillion information transactions and touches virtually all aspects of American life, a “modest encroachment” on citizens’ right to privacy.

The full listing of terms is depressingly cynical. However, the persistent – if often humorous – turn to cynicism may ultimately limit how politicians address and respond to Snowden’s surveillance revelations. What Snowden confirmed raises existential challenges to the potential to imagine, let alone actualize, a deliberative democratic state. The accompanying risk is that instead of addressing such challenges head on, citizens may retreat to cynicism rather than engaging in the hard work of recuperating their increasingly-authoritarian democratic institutions. We’re at a point where we need a more active, not more withdrawn and bemused, citizen response to government excesses.

Categories: Aside, Links, Quotations

How to Publish A Story That Explains How to Use Social Media to Juice Your Story’s Popularity

emptyage:

I paid to have my latest Wired story promoted on social networks, like Twitter and Facebook, to try to show that a lot of the metrics* we use to measure a story’s success are bullshit. It worked. When the story went live today, the page appeared with more than 15,500 links on Twitter, and 6,500 likes on Facebook. The story is a part of Wired’s Cheats package for the latest issue of the magazine. It needed to go live online at the same time readers encountered it in print, and it needed to have all those social shares set up in advance. 

The entire package was going live at once. I could publish my story a little bit early, but the timing needed to be very close. I wanted all the public-facing stats (like the 15 thousand links and Twitter and 6,000 Facebook shares) to be live by the time the text appeared. Certainly, if someone found it in print or on the tablet, it needed those metrics to already be there. To make that happen, we cheated. 

This morning (or last night) at a little after 1 am, I added the story text, set it to the current time, and hit update. Now it showed up in RSS readers and I could openly tweet it from my main account. (I had originally used a secondary Twitter account I have for testing 3rd party stuff to link to it and score retweets.)

So now, the story goes “live” and as if by magic it has tens of thousands of social shares listed on it the instant real people start to encounter it. It worked. 

*As is site traffic, to a very large extent. My original idea was to use a botnet to throw traffic at it, but Wired’s lawyers said “no, no. Don’t do that.“ 

And, of course, people tend to associate lots of shares with an article’s significance or influence. Consequently, by ‘cheating’ ahead of time a content owner can add a false gravitas to the content in question. I’m curious to know how search companies that, in part, use social signals to surface content deal with this kind of ‘hacking the social.’

Categories: Links, Writing

Cellular Security Called Into Question. Again.

Worries about spectrum scarcity have prompted telecommunications providers to provide their subscribers with femtocells, which are small and low-powered cellular base stations. Often, these stations are linked into subscribers’ existing 802.11 wireless or wired networks, and are used to relieve stress placed upon commercial cellular towers whilst simultaneously expanding cellular coverage. Questions have recently been raised about the security of those low-powered stations:

Ritter and his colleague, Doug DePerry, demonstrated for Reuters how they can eavesdrop on text messages, photos and phone calls made with an Android phone and an iPhone by using a Verizon femtocell that they had previously hacked.

They said that with a little more work, they could have weaponized it for stealth attacks by packaging all equipment needed for a surveillance operation into a backpack that could be dropped near a target they wanted to monitor.

While Verizon has issued a patch for its femtocells, there isn’t any reason why additional vulnerabilities won’t be found. By placing the stations in the hands of end-users, as opposed to retaining control over commercially deployed cellular towers, third-party security researchers and attackers can persistently test the cells until flaws are found. The consequence of this deployment strategy is that attackers will continue to find vulnerabilities to (further) weaken the security associated with cellular communications. Unfortunately, countering attackers will significantly depend on security researchers finding the same exploit(s) and reporting it/them to the affected companies. The likelihood of security researchers and attackers finding and exploiting the same flaws diminishes as more and more vulnerabilities are found in these devices.

In countries such as Canada, for researchers to conduct their research they must often first receive permission from the companies selling the femtocells: if there are any ‘digital locks’ around the technology, then researchers cannot legally investigate the code without prior corporate approval. Such restrictions don’t mean that researchers won’t conduct research, but do mean that researchers’ discoveries will go unreported and thus unpatched. As a result, consumers will largely remain reliant on the companies responsible for the security deficits in the first place to identify and correct those deficits, and without the public pressure that results from researchers disclosing vulnerabilities.

In light of the high economic costs of such identification and patching processes, I’m less than confident that femtocell providers are going to be investing oodles of cash just to potentially, as opposed to necessarily, identify and fix vulnerabilities. The net effect is that, at least in Canada, telecommunications providers can be assured that the public will remain relatively unconcerned about the security of providers’ products: security perceptions will be managed by preventing consumers from learning about prospective harms associated with telecommunications equipment. I guess this is just another area of research where Canadians will have to point to the US and say, “The same thing is likely happening here. But we’ll never know for sure.”

Categories: Links, Writing

Drawing Comparative Inferences from Canadian and American Network Investment

Peter Nowak recently had a good post concerning the nature of mobile pricing in Canada. You really should go read it all. However, there was one key piece that he noted, towards the end, that deserves to be highlighted. Specifically:

It was only a few short years ago when Bell and Telus were getting pummeled by Rogers, thanks to that company’s chosen technology. Rogers, like most of the carriers in the world, went with GSM network technology while Bell and Telus opted for CDMA instead. Without getting technical, GSM won, and Apple put the exclamation point on the battle in 2007 in the form of the iPhone. Unable to offer the latest and greatest devices, including that quintessential and hotly desired device, Bell and Telus moved quickly to upgrade to the next greatest and latest 4G technology. Rogers followed suit. The same is happening in the United States, with Sprint and Verizon – both former CDMA users – both spending heavily on LTE.

Network investment in both Canada and the United States does not reflect the competitiveness of either market, but rather phone makers’ decisions on technologies. Carriers are simply being pulled along for the ride.

One thing I may indeed have been wrong about in the past is how high prices were mainly the result of the lack of foreign competition in Canada, which wasn’t legally allowed until last year. The poor technological choices made by a number of carriers can’t be discounted as a factor. The industry is now waving the billions they’re having to spend to correct those mistakes in the faces of consumers and government, with prices – be they as they are – the necessary rationalization.

A key aspect of Nowak’s argument towards the end is that network investment was driven not so much by carrier-driven decisions but by the decision of a device manufacturer: Apple. I’d not really considered how Apple’s decision to ‘cut out’ a group of telecom companies from offering the iPhone was, or could have been, significantly responsible for massive re-engineering and investment in compatible networking technologies (i.e. GSM). Obviously such changes to the network infrastructure came at a significant fiscal cost.

It would be interesting to take Nowak’s point and then build on it to better understand how Canadian three year contracts might have alleviated the ‘hurt’ experienced by Canadian mobile providers. Specifically, we could ask the following:

  • what was the churn that Bell and TELUS experienced as a result of not being able to provide the iPhone?
  • was churn in Canada comparable to the CDMA providers in the United States?

Based around these questions we could establish a working hypothesis that churn was lower in Canada than the US. If this hypothesis bore out when tested we could try to ascertain why it bore out:

  • were Canadians happier with Bell and TELUS than their American counterparts?
  • were Canadians unable to choose their preferred economic options at a rate comparable to American customers because of the longer contracts associated with the Canadian carriers?
  • Other?

In effect, the bad bets of American and Canadian carriers on CDMA offer an interesting comparative case from which we can draw inferences about the effects of the much-loathed three year cellular phone contracts in Canada. It would be awesome to see the numbers crunched to evaluate the effects of those contracts, especially before and after Bell/TELUS launched their HSPA+ network(s). From there, I’m sure some interesting thoughts on the CRTC’s wireless code of conduct (which includes effectively mandating two year contracts) could follow: if a device as disruptive as the iPhone appears on the market, what would it do to the Canadian telecommunications market?

Categories: Links

On the Zimmerman verdict …

politicalprof:

So let me see if I have this straight:

In Florida, I can follow an otherwise law-abiding person around on a dark and rainy night, and if they decide I am a threat and respond, I get to shoot and kill them if I start losing the fight.

I am sure the people of Florida are sleeping much more secure in their beds knowing that this could never happen to their child or in their neighborhood.

Quality work all around.

Legalizing lethal stalking: a really great decision…

Categories: Links, Writing

How to Dispel the Confusion Around iMessage Security | Technology, Thoughts & Trinkets

There’s a lot of confusion about the actual versus rhetorical security integrated with Apple’s iMessage product. I’ve tried to suggest, in the linked article, how Canadians can use our federal privacy laws to figure out whether Apple is, or the company’s critics are, right about the company’s security posture.

Categories: Links

Protecting Their Own: Fundamental Rights Implications for EU Data Sovereignty in the Cloud by Judith Rauhofer, Caspar Bowden :: SSRN

Go read Protecting Their Own: Fundamental Rights Implications for EU Data Sovereignty in the Cloud by Judith Rauhofer, Caspar Bowden

Categories: Links, Quotations

Freelancers are second-class journalists—even if there are only freelancers here, in Syria, because this is a dirty war, a war of the last century; it’s trench warfare between rebels and loyalists who are so close that they scream at each other while they shoot each other. The first time on the frontline, you can’t believe it, with these bayonets you have seen only in history books. Today’s wars are drone wars, but here they fight meter by meter, street by street, and it’s fucking scary. Yet the editors back in Italy treat you like a kid; you get a front-page photo, and they say you were just lucky, in the right place at the right time. You get an exclusive story, like the one I wrote last September on Aleppo’s old city, a UNESCO World Heritage site, burning as the rebels and Syrian army battled for control. I was the first foreign reporter to enter, and the editors say: “How can I justify that my staff writer wasn’t able to enter and you were?” I got this email from an editor about that story: “I’ll buy it, but I will publish it under my staff writer’s name.”

FJP: A fast-paced, fiercely heartfelt essay on the downsides to freelance work abroad and the madness of war.

(via futurejournalismproject)

This speaks volumes about contemporary war reporting: not only are ‘dirty wars’ outsourced to freelancers, but the credibility linked to successfully covering them is either denigrated or obviated to the public.