Matt Mayberry, who works at a California startup called Dopamine Labs, says it’s common knowledge in the industry that Instagram exploits this craving by strategically withholding “likes” from certain users. If the photo-sharing app decides you need to use the service more often, it’ll show only a fraction of the likes you’ve received on a given post at first, hoping you’ll be disappointed with your haul and check back again in a minute or two. “They’re tying in to your greatest insecurities,” Mr. Mayberry said.
I didn’t know that the way ‘likes’ are doled out was designed to keep you coming back into social media applications. If Instagram is toying with its users this way then I’m going to seriously evaluate whether I ever want to use the application again. Activities like those described are just slimy and I don’t feel the need to provide such companies with either my content or my attention.
In my role as the head of Microsoft security, I personally spent many years explaining to antivirus vendors why we would no longer allow them to “patch” kernel instructions and data structures in memory, why this was a security risk, and why they needed to use approved APIs going forward, that we would no longer support their legacy apps with deep hooks in the Windows kernel — the same ones that hackers were using to attack consumer systems. Our “friends”, the antivirus vendors, turned around and sued us, claiming we were blocking their livelihood and abusing our monopoly power! With friends like that, who needs enemies? They just wanted their old solutions to keep working even if that meant reducing the security of our mutual customer — the very thing they were supposed to be improving.
Anti-virus programs remain a problem in terms of the attack surface they can open up. This surface, combined with the failure of many products to effectively identify and act on malware signatures, means that consumers tend to put far too much trust in products that often function poorly at best.
I have no idea whether or not this speech might herald Oprah’s potential entry into politics as a candidate, or as an effort to leverage her reputation and power to equalize power imbalances in the media and entertainment space, or as part of another activity that she plans on undertaking. What I do know is that her speech is amazingly powerful and has parallels with some of the best speeches of Obama that launched him as a candidate: if this was her political ‘coming out’ speech then it’s remarkably impressive in its accessibility to the general public and depth of meaning and importance to the public writ large.
Robert Graham has helpfully explained what the Meltdown and Spectre vulnerabilities mean for most end-users. In short: patch now and things should be ok. But chipmakers and OS vendors are going to have to rethink some baseline ways of doing business.
Per Wordfence there are four reasons for supply-chain (i.e. plugin-based) attacks on WordPress installations:
The first reason is simply scale. According to w3techs, WordPress powers 29.2% of all websites – a massive user base to go after. In addition, at the time of this writing there were 53,566 plugins available for download in the official WordPress.org plugin repository. That is a lot to work with on both fronts.
Secondly, the WordPress.org plugin directory is an open, community-driven resource. According to the plugin guidelines page, “It is the sole responsibility of plugin developers to ensure all files within their plugins comply with the guidelines.” This means that while there is a small team tasked with managing the plugin repository and another small team focused on security, ultimately users rely on plugin developers to keep them safe.
Thirdly, most WordPress sites are managed pretty casually. Making a change to a website at a larger company might include code review, testing and a formal change control process. But that’s probably not happening consistently, if at all, on most smaller websites. In addition, many site owners don’t monitor their WordPress sites closely, which means malware can often remain in place for many months without being discovered.
Lastly, the WordPress plugin repository has a huge number of abandoned plugins. When we looked back in May, almost half of the available plugins hadn’t been updated in over two years. This represents a great opportunity for ne’er-do-wells looking to con unsuspecting plugin authors into selling something they created years ago and have moved on from.
The aforementioned points outline why acquiring and infecting WordPress plugins is a reasonable way of penetrating WordPress installs. However, I think that Wordfence is missing the most important reason that such attacks succeed: few actual users of WordPress are technically competent to monitor what, exactly, their plugins are doing. Nor are the shared hosting services particularly good at identifying and alerting technically-illiterate users that their sites are compromised and what the site owners need to do to remediate the intrusion.
Trying to get individual users to more carefully monitor how their plugins work is a fool’s errand. What’s needed is for hosts to provide a community service and actively not just identify hijacked plugins (and sites) but, also, provide meaningful remediation processes. User education and alerts aren’t enough (or even moderately sufficient): companies must guide site owners through the process of cleaning their sites. Otherwise malware campaigns aimed at WordPress will persist and grow over time.
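Two of the risk factors above, abandoned plugins and tampered plugin files that nobody is watching, are mechanical enough that a host could check for them on behalf of its customers. The script below is an added example of such a host-side audit; it is not Wordfence’s or WordPress.org’s code. It uses Wordfence’s two-year threshold for “abandoned” and compares installed plugin files against a known-good hash manifest to spot edited or unexpected files. The plugin names, file contents, update dates and the manifest format are all constructed for the example; a real host would build the manifest from the plugin archives published in the WordPress.org directory.

```python
import hashlib
from datetime import date, timedelta

# Wordfence's "over two years" threshold for calling a plugin abandoned.
ABANDONED_AFTER = timedelta(days=730)


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a file's bytes; this is what the known-good manifest stores."""
    return hashlib.sha256(data).hexdigest()


# Constructed known-good plugin contents (hypothetical plugins, not real ones).
KNOWN_GOOD = {
    "example-gallery": {"example-gallery.php": b"<?php\n// Plugin Name: Example Gallery\n"},
    "example-seo": {"example-seo.php": b"<?php\n// Plugin Name: Example SEO\n"},
    "example-forms": {"example-forms.php": b"<?php\n// Plugin Name: Example Forms\n"},
}
MANIFEST = {
    slug: {path: sha256_hex(body) for path, body in files.items()}
    for slug, files in KNOWN_GOOD.items()
}

# Constructed last-update dates, as a host could fetch from the plugin directory.
PLUGIN_METADATA = {
    "example-gallery": {"last_updated": date(2015, 3, 1)},
    "example-seo": {"last_updated": date(2017, 11, 20)},
    "example-forms": {"last_updated": date(2015, 12, 23)},  # exactly 730 days before 2017-12-22
}

# Constructed on-disk state of one site: example-seo has an edited main file and an
# extra file the manifest knows nothing about, the footprint of a tampered plugin.
INSTALLED = {
    "example-gallery": dict(KNOWN_GOOD["example-gallery"]),
    "example-forms": dict(KNOWN_GOOD["example-forms"]),
    "example-seo": {
        "example-seo.php": b"<?php\n// Plugin Name: Example SEO\n// constructed: injected line\n",
        "wp-helper.php": b"<?php\n// constructed: file not present in the published plugin\n",
    },
}


def find_abandoned(metadata, today):
    """Slugs whose last update is strictly older than ABANDONED_AFTER as of `today`."""
    return sorted(
        slug for slug, info in metadata.items()
        if today - info["last_updated"] > ABANDONED_AFTER
    )


def check_integrity(installed, manifest):
    """Compare installed files with the manifest; returns slug -> sorted findings.

    Findings are 'modified: <path>', 'unexpected: <path>' or 'missing: <path>'.
    A plugin with no manifest entry cannot be verified and is reported as such.
    """
    report = {}
    for slug, files in installed.items():
        expected = manifest.get(slug)
        if expected is None:
            report[slug] = ["unverifiable: no manifest entry"]
            continue
        findings = []
        for path, body in files.items():
            if path not in expected:
                findings.append(f"unexpected: {path}")
            elif sha256_hex(body) != expected[path]:
                findings.append(f"modified: {path}")
        findings.extend(f"missing: {path}" for path in expected if path not in files)
        report[slug] = sorted(findings)
    return report


def audit(installed, metadata, manifest, today):
    """Combine both checks into the list of plugins a host should act on."""
    abandoned = find_abandoned(metadata, today)
    integrity = check_integrity(installed, manifest)
    needs_action = sorted(set(abandoned) | {s for s, f in integrity.items() if f})
    return {"abandoned": abandoned, "integrity": integrity, "needs_action": needs_action}


if __name__ == "__main__":
    result = audit(INSTALLED, PLUGIN_METADATA, MANIFEST, date(2017, 12, 22))
    for slug in result["needs_action"]:
        reasons = list(result["integrity"][slug])
        if slug in result["abandoned"]:
            reasons.append("abandoned")
        print(f"{slug}: {', '.join(reasons)}")
```

The integrity check deliberately reports unexpected files as well as modified ones, because a hijacked plugin update can add a new file while leaving the original files byte-for-byte intact. The abandoned check uses a strict comparison, so a plugin updated exactly two years ago is not yet flagged; whichever way a host sets that boundary, the point is that the finding should drive a remediation workflow rather than only an email to the site owner.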
We’ve touched on the cliches, we’ve touched on the physiology (much more detail in this and this article) but we haven’t touched on some things that generally make sense; I use the term ‘generally’ because as always there are exceptions dependent on the subject, scene and communicative intent of the photographer. Whilst for instance hard shadows usually make for interesting architectural images, they aren’t always so good for senior portraits or product photography. But this can be simplified into a logical statement like “shadows can assist with spatial orientation of a composition, and enhancing texture” – which I think is legitimate. But ultimately, the photographer has to decide if they actually want an obvious spatial orientation or not – they may not, for instance, if the intention is to make an extremely abstract composition. The example images given deliberately violate at least one, sometimes more, of the commonly bandied photographic rules – yet to my eyes at least, they still work.
I hadn’t really considered how the human body helps to dictate or guide the ‘rules’ of photography. While Ming Thein’s discussion is brief it’s perhaps useful for opening up new ways of thinking about the photos that we choose to take, and how deliberate shots vary from snapshots.
This focus on signals and technical intelligence persisted until much more recently, multiple former U.S. intelligence officials told me. “It was almost like everyone they had there was a technical guy, as opposed to a human-intelligence guy,” one former official recalled. “The way they protected those people — they were rarely out in the community. It was work, home, work, home. When they’d go out and about, to play hockey or to drink, they’d be in a group. It was hard to penetrate.” The same official also noted that San Francisco was integral to the discovery by U.S. intelligence of a new class of Russian “technical-type” intelligence officer, working for the rough Russian equivalent of the National Security Agency, before this organization was eventually folded by Putin back into the FSB. This group, which was not based at the consulate itself, was identified via its members’ travel patterns — they would visit the Bay Area frequently — and the types of individuals, all in high-tech development, with whom they sought contact. According to this former U.S. official, these Russian intelligence officers were particularly interested in discussing cryptology and the Next Generation Internet program.
But it was the consulate’s location — perched high atop that hill in Pacific Heights, with a direct line of sight out to the ocean — that likely determined the concentration of signals activity. Certain types of highly encrypted communications cannot be transmitted over long distances, and multiple sources told me that U.S. officials believed that Russian intelligence potentially took advantage of the consulate’s location to communicate with submarines, trawlers, or listening posts located in international waters off the Northern California coast. (Russian intelligence officers may also have been remotely transmitting data to spy stations offshore, multiple former intelligence officials told me, explaining the odd behaviors on Stinson Beach.) It is also “very possible,” said one former intelligence official, that the Russians were using the San Francisco consulate to monitor the movements, and perhaps communications, of the dozen or so U.S. nuclear-armed submarines that routinely patrol the Pacific from their base in Washington state.
All in all, said this same official, it was “very likely” that the consulate functioned for Russia as a classified communications hub for the entire western United States — and, perhaps, the entire western part of the hemisphere.
There is a lot to this very long-form piece, including descriptions of Russian intelligence operations and communications patterns, how lawful Russian overflights of American territory might be used for a variety of intelligence purposes, and the Trump administration’s likely cluelessness about why closing the Russian consulate in San Francisco was so significant. Most interesting to me, though, was how the consulate likely functioned as an outpost for Russian signals intelligence operations, both because of the depth of analysis in the article and because of what it tells us about how Western-allied consulates and diplomatic facilities are likely used.1 In effect, the concerns raised by former FBI and other American counter-intelligence officers speak to how America and her allies may conduct their own forms of surveillance.
In a provincial sense, the concerns and opinions espoused by American counter-intelligence officers also raise questions as to the role of Canada’s significant number of diplomatic facilities scattered throughout China and other regions where the United States is more challenged in building out State Department facilities.
Seizing on immigration as the cause of countless social and economic problems, Mr. Trump entered office with an agenda of symbolic but incompletely thought-out goals, the product not of rigorous policy debate but of emotionally charged personal interactions and an instinct for tapping into the nativist views of white working-class Americans.
Donald Trump isn’t so much tapping into ‘nativist’ views as, instead, exploiting citizens’ unawareness of the benefits of both immigration and trade. Immigrants contribute to the tax base, take less time off, and their direct descendants also contribute more to the tax base than ‘long-term’ citizens. Immigration is a net gain for ‘regular’ American workers but they haven’t been told just how, and why, their own lives and the social benefits they draw on are significantly improved by immigration into America.
Even as the administration was engaged in a court battle over the travel ban, it began to turn its attention to another way of tightening the border — by limiting the number of refugees admitted each year to the United States. And if there was one “deep state” stronghold of Obama holdovers that Mr. Trump and his allies suspected of undermining them on immigration, it was the State Department, which administers the refugee program.
The State Department is a core centre of American soft power; its programs, educational efforts, international outreach, and more are responsible for spreading American values around the world.1 That the administration is hollowing out the department is the truest evidence that the Trump administration is unaware of how, and why, America has managed to maintain its position in the world. While American military might is significantly responsible for the development and maintenance of its imperial stature in the world, this stature is solidified and extended through an adoption of American values. Such values are more than those associated with the military; they’re linked with those spread by staff from State who promote American values in more formal diplomatic efforts as well as the other range of activities undertaken by consular and embassy staff throughout the world.
It is incredibly hard to believe that the Trump administration is barely one year into a four-year term. Given the lasting damage the administration has already done to America’s ability to project power around the world, it’s hard to imagine just what America’s stature will be in a few more years. But what’s most significant is that his administration has learned so quickly how to engage in the deliberate hollowing out of the institutions which have long been hallowed to Americans. This kind of learning indicates that the administration might succeed on more of its outrageous campaign promises, promises which are being supported by the Congress and Senate, and is thus indicative of a broader series of values (or lack thereof) held by many American politicians.
In the interest of disclosure: I will personally be enrolled in the State Department’s International Visitor Leadership Program in the coming fall.
My less-busy times this week were spent writing out notes, cards, emails, and other correspondence to some of the most important people in my life. It’s been a challenging year; the world seems to be falling apart due to changes in American politics, deaths and illnesses by family and friends have been hard to take, and the tempo for high-quality professional work never really slows down. And so I took some time writing to the people I’ve most closely worked with, supported, or been supported by to thank them for just being present and active in my life.
I find writing these sorts of messages of thanks, encouragement, and praise challenging. They’re not the kind of thing that I have ever really received much of throughout my personal or professional life; it’s just not normal in my family to communicate our deep feelings for one another, and in academe the point is to move to the next project (and subject it to critique) instead of dwelling on past projects and receiving accolades for them. But as challenging as I find writing these messages they have a profound personal impact: by pulling together my thoughts and writing them down and sending them, I’m humbled by realizing just how blessed I am to be surrounded by the kind, funny, supporting, and amazing people in my life.
There used to be a time when a lot more holiday cards, notes, and messages were sent back and forth between people this time of year. And many people still send cards, but don’t take the time — five, ten, or even twenty minutes — to handwrite a real thought to whomever the recipient happens to be. But those are the cards and notes and emails that people carry with them for years, packing them carefully away as they move from one physical or digital home to another. They don’t cost a lot of money to produce, and in the case of email are almost entirely free, but they show that you’ve spent time thinking about a specific person. And that time, in and of itself, is indicative of someone’s importance in your life.
So before you go out and spend money on another present, consider taking that time and, instead, writing a letter or note to whomever the recipient is. Chances are good that they’ll remember and treasure the message you left with them for longer than any material possession you might give them.
Some of the bigger news in the Apple world, this week, has focused on changes to how Apple treats older iPhones which are suffering battery degradation. While the majority of the reporting is focused on how iPhone 6 and 6s devices are experiencing slowdowns — which is the change Apple has imposed as of iOS version 11.2.0 — iPhone 7 devices are also exhibiting the slowdowns as they suffer battery degradation.
I’m of mixed minds on this. I see this as an effort by Apple to avoid having to replace batteries on older (but not THAT old) devices but in a sneaky way: the company’s lack of transparency means that it appears that Apple is trying to pull a fast one on consumers. This is especially the case for those consumers who’ve purchased Apple Care; if their devices are suffering known problems, then Apple should at the minimum be notifying owners to bring the devices in for servicing on a very proactive basis, and that doesn’t seem to have been the case.
So, on the one hand, this is Apple being sneaky.
But on the other it’s a semi-elegant engineering problem to resolve a hard-to-fix problem. We use our smartphones with such regularity and subject them (and, in particular, their batteries) to such exceptional abuse that degradation has to happen. And so I think that Apple stuffing processors into devices (at least in the current and last generation) that are excessive for daily use means the slowdowns are less problematic for most users. They might think that their devices are a bit slower but, generally, still be able to use them for about as long as they used to use them. And that length of use is what most people measure ‘battery life’ by so…maybe Apple is dealing with the problem the way users would actually prefer.
That Apple doesn’t change out batteries when they’re worn down, however, emphasizes that it’s a pretty good idea to resell your devices every year or so in order to get the best return for them as well as in order to enjoy the best performance from your iPhone. And I guess, as a byproduct, if you’re buying a second-hand iPhone you should definitely do a battery test before handing over your cash.
Inspiring Quotation
“Giving is about more than donating money. It’s about sharing your capabilities, content, and connections—and above all, giving others the chance to be heard, respected, and valued.”
Southern Xinjiang, where Korla is located, is one of the most heavily policed places on earth.
In Hotan, police depots with flashing lights and foot patrols are set up every 500 meters. Motorcades of more than 40 armored vehicles rumble down city boulevards. Police checkpoints on every other block stop cars to check identification and smartphones for religious content.
Xinjiang’s published budget data shows public security spending this year is on track to increase 50 percent from 2016 to roughly 45 billion yuan ($6.8 billion) after rising 40 percent a year ago. It’s quadrupled since 2009, when a Uighur riot broke out in Urumqi, killing nearly 200 people.
But much of the policing goes unseen.
Shoppers entering the Hotan bazaar must pass through metal detectors and place their national identification cards on a reader while having their faces scanned. AP reporters were stopped outside a hotel by a police officer who said the public security bureau had been remotely tracking the reporters’ movements by watching surveillance camera footage.
The government’s tracking efforts have extended to vehicles, genes and even voices. A biometric data collection program appears to have been formalized last year under “Document No. 44,” a regional public security directive to “comprehensively collect three-dimensional portraits, voiceprints, DNA and fingerprints.” The document’s full text remains secret, but the AP found at least three contracts referring to the 2016 directive in recent purchase orders for equipment such as microphones and voice analyzers.
The extent of the technical and human surveillance, and the punishments that are meted out for failing to adequately monitor family members and friends, is horrifying.1 And while the surveillance undertaken in this area of China is particularly severe, the monitoring that occurs in China is more extensive and ever-present throughout the country than many people who haven’t travelled into China can appreciate. The Chinese surveillance infrastructure is the kind of apparatus that exists to sustain itself, first and foremost, by ensuring that contrary ideologies and philosophies are threatened and — where possible — rendered impotent by way of threats and fear.
While much of the contemporary surveillance is now provided by Chinese-based companies, it’s worth remembering that, historically, this equipment was sold by Western companies.