Category: Writing

Categories
Links Writing

Hacking Our Humanity: Sony, Security and the End of Privacy

Hacking Our Humanity: Sony, Security and the End of Privacy :

The lesson here isn’t that Hollywood executives, producers, agents and stars must watch themselves. It isn’t to beware of totalitarian states. It’s to beware, period. If it isn’t a foreign nemesis monitoring and meddling with you, then it’s potentially a merchant examining your buying patterns, an employer trawling for signs of disloyalty or indolence, an acquaintance turned enemy, a random hacker with an amorphous grudge — or of course the federal government.

And while this spooky realization prompts better behavior in certain circumstances that call for it and is only a minor inconvenience in other instances, make no mistake: It’s a major loss. Those moments and nooks in life that permit you to be your messiest, stupidest, most heedless self? They’re quickly disappearing if not already gone.

Though I find various aspects of Bruni’s article insulting (e.g. “…the flesh that Jennifer Lawrence flashed to more people than she ever intended…”) the discussion of who are the most common threat actors that people have to worry about is a fair point. It’s also important to discuss, and discuss regularly, that the ‘defences’ which are commonly preached to protect our privacy are fraught with risk. While being silent, not associating with one another, or not reading certain things online might keep one ‘safe’, engaging in such censorious activities runs counter to the freedoms that we ought to cherish.

Such responses ignore the costs — often paid in blood or years of people’s lives— that have gone into fighting for the freedoms that we now enjoy and that are engrained in our constitutions, our laws, and our social norms. They forget the men and women who fight and die on battlefields to protect the freedoms of citizens of other nations. And, perhaps most significantly, such responses demonstrate how larger social movements directed at enshrining our freedoms through collective action are set aside, often cynically, so that we can try and resolve the problems we all face as individuals instead of as collective political actors. Self-censorship isn’t just a means of ensuring self-protection; it’s an exhibition of citizens’ unwillingness to at try and utilize our political processes to resolve common social ills.

Categories
Links Writing

Public and private sector companies vulnerable to Sony-like attacks

Public and private sector companies vulnerable to Sony-like attacks :

Christopher Parsons, the managing director of a telecom transparency project in The Citizen Lab at the University of Toronto, said agrees with Tobok; it’s not enough for companies to leave digital security to their designated IT employees or mid-level management.

“It’s an increasingly serious issue; companies not treating it at the top do so at their own peril.”

Bigger security breaches are a reality of a more digitally-literate world, Parsons said.

“If you’re dealing with a well-resourced attacker with lots of time, there’s a reasonable chance they will find some way through.”

That’s why companies also need to invest in a strong remediation strategy in case an attack does occur, he said.

I should be particularly emphatic on one point: the hack of Sony does not constitute ‘cyberwar’. To begin, the very definition of the term is ambiguous at best. Moreover, the attack on a non-critical-systems company cannot be understood as an assault on critical infrastructure systems (e.g. dams, power grids, etc) that could be interpreted as an undeclared war-like action. What has happened to Sony is a corporate tragedy and one for the textbooks on remediation and mitigation strategies. To be clear: this is a lesson for business and security textbooks, not military strategy textbooks.

Claims that the attacks on Sony are some kind of ‘warlike’ behaviour operate on the assumption that we can attribute who is responsible for the attacks. We are unable to so ascribe action at the moment. And until the NSA or the other SIGINT agencies pull stuff from their bags of tricks to more positively establish a link between the attacks on Sony and a specific nation-state threat actor with obvious war-based intentionality, any calls that we are witnessing some kind of ‘cyberwar’ are ill-considered at best, and outright ignorant at worst.

Or, alternately, such calls might constitute efforts on the parts of those with Top Secret/Special Compartmentalized information to raise awareness about some kind of ‘behind the scenes’ action. I strongly doubt those calling the Sony attacks cyberwar have access to such kinds of deeply sensitive operational, and classified, information. But perhaps I’m wrong. And, if I am, I hope they’re leaking with authorization or have particularly terrific counsel to defend them against allegations of leaking classified information.

Categories
Links Writing

FFS SSL

FFS SSL:

I just set up SSLTLS on my web site. Everything can be had via https://wingolog.org/, and things appear to work. However the process of transitioning even a simple web site to SSL is so clownshoes bad that it’s amazing anyone ever does it. So here’s an incomplete list of things that can go wrong when you set up TLS on a web site.

Now you start to add secure features to your web app, safe with the idea you have SSL. But better not forget to mark your cookies as secure, otherwise they could be leaked in the clear, and better not forget that your website might also be served over HTTP. And better check up on when your cert expires, and better have a plan for embedded browsers that don’t have useful feedback to the user about certificate status, and what about your CA’s audit trail, and better stay on top of the new developments in security! Did you read it? Did you read it? Did you read it?

It’s a wonder anything works. Indeed I wonder if anything does.

Without any doubt this is one of the better(?) rants about SSL/TLS that I’ve read recently. And given my own recent experiences in setting up SSL/TLS on another site I entirely empathize: it was a horrible experience that involved tracking down what was causing things to break, when they were breaking, and how to remedy them. It was a non-trivial learning experience and that was a very simple site. Large sites….well, I shudder to consider the work entailed in securing them.

(As a sidenote: yes, SSL/TLS is broken. But it adds friction to mass surveillance processes and at little cost to the visitor of websites/users of web services. It’s a pain for those delivering content, but that’s a pain that it’s arguably appropriate for those content providers to bear.)

Categories
Writing

Sadness and Fury Call for Enhanced Democracy, Not Enhanced Security

Today was deeply disturbing for me: what should have been a routine day of presenting at a conference panel turned into a day where I (and other conference members) were placed into lockdown (along with thousands of others in downtown Ottawa and government offices) in the wake of a serious crimes event.

The panel was for the IIC-Canada, and we were to discuss the topic of telecommunications transparency reporting. Immediately prior to the panel, however, a gunman shot and killed a reserve soldier standing guard at the National War Memorial in Ottawa. The gunman then proceeded to Parliament where he was ultimately shot dead. He was killed inside the central block.

Shortly after the panel, and just as lunch began, the second floor of the convention centre was cleared and we were moved to the third floor. It was a bit strange, truth be told: we moved using cargo elevators so as to keep people away from the building’s exterior windows. Then, after several hours under lockdown we were all freed to leave.

We were never in any particular danger. The lockdown was just a precaution for safety’s sake.

Nevertheless I’m sad. And furious. Absolutely furious that a reservist was killed at a war memorial. Enraged that someone had the audacity to enter the Parliament with the intent to cause serious harm and death to those within. Sickened that bad legislation may follow from the attack, an attack which targeted people who have committed themselves to protecting and advocating for Canadians. Public service is an honourable calling and the criminal targeted exactly those who had heard the call.

Thus far the Canadian media has generally been balanced. And I think my reaction – sadness and anger – is in common with many Canadians. We’re not terrified. We’re righteously pissed off at the individual or individuals who choose to attack the symbolic heart of our democracy.

No matter how problematic the laws passed, however dysfunctional the party politics, and regardless of the bad-behaviours in Parliament, our MPs are there to peacefully and verbally resolve and address the issues of the day. Words are the way that problems are addressed and dealt with; they are not solved using violence involving martial weaponry.

The solution to the attack today is not more weapons and less public access to Parliament or more constrained or secured debate but the opposite: equivalent parliamentary security and access to Parliament, and even more robust and transparent parliamentary debate. We can choose to seek vengeance or simply carry on in the face of this attack. I, like many or most Canadian, pray that the latter approach is adopted over the former.

Categories
Links Writing

Stop trying to sell me wrist-worn smartphones

Stop trying to sell me wrist-worn smartphones :

Everyone seems to be going down the same route of trying to shrink smart technology to the size of a watch instead of working to smarten up the watches we already have. It’s approaching the problem from the wrong direction, which might explain why the solutions we’ve seen so far have all been inadequate in some way or another. Mostly it’s about the size. Today’s smartwatches contain the best miniaturized technology available, but remain too large — even if they do try to patch over it with fine leather strapspolished metal designs, and gorgeous AMOLED screens.

It absolutely baffles me who, exactly, smart watches are being designed for. The notion that something would be buzzing on my wrist (in my own, very anecdotal case) hundreds of times a day as I receive email, retweets, LinkedIn invites, text messages, hangouts messages, and so forth is absolutely absurd. That’s noise that I want to avoid or minimize, not enhance and maximize.

I own one, very nice, watch that I wear on special circumstances. It’s beautiful and is powered by kinetic motions. It’s light enough that it doesn’t annoy the hell out of me, but heavy enough that it’s comfortable on my wrist. And, in all cases, it doesn’t beep, buzz, or otherwise interfere with my daily life.

To my mind, the ‘rationale’ for smart watches is really predicated on the absurd sizes that smartphones are reaching. With phones increasingly being sold with 5 inch, or larger, screens the devices are eyesores whenever they’re pulled out and their screens examined.

That’s a very, very bad rationale to build a product on and (to my mind) indicates the failure of smartphone design. And the solution that failure isn’t smart watches but more humane-sized phones.

Categories
Links Writing

The Only Thing Worse Than Getting a Ph.D. in Today’s Academic Job Market

The Only Thing Worse Than Getting a Ph.D. in Today’s Academic Job Market:

Dissertations—some 250 pages of original research in the humanities, and topping 400 in the social sciences—are objectively, indisputably difficult. It sometimes takes years just to collect data or comb through the necessary archives, and then the damn thing must be written, often in total isolation. Dissertations are not impossible, but they are very hard, and most people in the world—including, perhaps, you, my friend—cannot complete one.

… there are the inner hindrances, the ones that cause procrastination, and then shame, and then paralysis. Here’s my favorite: believing, erroneously, that one must read and master every single word of existing scholarship before even beginning to write. Here’s my least favorite (which happens to my clients all the time): refusing to turn in any chapter that isn’t perfect, and thus not turning in anything at all—which results in the adviser getting irate, which puts even more pressure on the student to be even more perfect, ad infinitum. This is how dissertations are stalled, often forever.

So what can be done to fix this? The Izzy Mandelbaums of academia may argue the system is fine the way it is: In a field that requires extended independent work to succeed, the trial by fire of the dissertation is an apt initiation. (“All aboard the pain train!”) But does it have to be this way? I see no reason why, for example, more dissertation advisers couldn’t be enthusiastic about seeing early drafts, to provide guidance and support. Some already do this (mine did), but far too many of my clients say their advisers won’t even look at anything that isn’t “polished.” Every adviser who says this is part of the problem.

Another step in the right direction would be not just to hold dissertation workshops, but also to make them mandatory. A lot of grad students are simply too paralyzed (or ashamed to admit they don’t know what they’re doing) to attend one of their own volition. A mandatory workshop frees them to get the help they need, without having to admit they need help.

The belief that someone has ’failed if they do not complete their doctoral degree is absolutely frustrating and absurd; I’ve seen brilliant people leave not because they couldn’t write, not because they couldn’t publish, but because there were bureaucratic hoops they were emotionally ill-suited to handle. And instead of working with them – people who could have easily been the next leaders of their respective fields, and who were already emerging as such as doctoral students – they were instead cast aside. This is pre-defence of comprehensive exams, pre-defence of dissertation proposal, and thus way before the defence (or writing of) their dissertation itself.

For those ‘stuck’ at the dissertating point, I think that having regular (ideally weekly) meetups is incredibly helpful for successful completion, second in value only to regular (ideally bi-weekly) meetings with one’s supervisor. I was blessed to have an outstanding advisor who was willing to read early-draft work and provide valuable feedback, with most feedback returned in 2 weeks or so of me giving it to him. He shared with me thoughts and guidance, as well as tactics for moving forward. Sometimes I didn’t understand why he wanted what he wanted, to the point where it sometimes took years for me to implement the changes. Not because I didn’t want to, not because I wasn’t willing to (somewhat) blindly accept his proposed revisions, but because I wasn’t at a stage to understand what he was even proposing. Only by having regular, ongoing, contact with both dissertating peers and one’s supervisor does such nuance and advice become tangible and real in my experience.

The other helpful thing about regular peer-based meetings is you can set weekly goals, monthly goals, and semester-length goals. And you just chip away at them, every week. Ideally the group has at least one person who can drive a meeting so it’s quick and efficient and often asks pain-in-the-ass questions (e.g. It’s great that you’re working on that conference paper, but can you state how it fits with the dissertation, and what working on that paper will do over the next week/month/term in terms of advancing the dissertation)? In my experience, when I ran such meetings, they would take the following format:

  • meet at coffee shop, order coffee (5–10 minutes)
  • go around the table, reminding the group what each person committed to accomplishing and then asking whether each member met their goals (5–10 minutes)
  • go back around the table, getting members to commit to next week’s/month’s goals (5–10 minutes)
  • meeting adjourned
  • Total time: 15–30 minutes

Our meetings typically had been 4–7 people and, for those who attended and committed regularly, worked out well. We also had a deal where if you failed to accomplish any of your weekly goalsyou bought someone a coffee next week. It was a very small, but useful, measure to ensure that each person accomplished at least one of their goals set the prior week. And, if they failed, to have some ‘pain’ associated with that failure.

Categories
Links Writing

The Little-Known Loophole Obscuring Facebook and Google’s Transparency Reports

The Little-Known Loophole Obscuring Facebook and Google’s Transparency Reports:

The number of user data requests to Internet giants from foreign governments, are being lost in a legal loophole.

For some time I’ve been asking corporate executives how they do, or don’t, account for legal requests served by Canadian authorities on American social networking companies. And the obscurity has been noted in work I’ve previously published on this topic. In an admittedly selfish way, it’s terrific to see a Canadian reporter look into this issue further only to learn that the transparency numbers provided by Google et. al. do not fully account for non-US authorities’ requests for data.

Hopefully we’ll see other journalists, in countries the US has Mutual Legal Assistance Treaties (MLATs) with, file similar requests to better break down how many requests their domestic law enforcement agencies are issuing to the American companies responsible for storing and transiting so much of our personal data. While Google and other companies should be congratulated for their work it’s apparent that corporate transparency isn’t enough: we need better government accountability and corporate transparency to properly understand how, why, and how often authorities request (and receive) access to privately held telecommunications data.

Categories
Links Writing

How Apple and Google plan to reinvent healthcare

How Apple and Google plan to reinvent healthcare:

For many years the digital health industry has been driven by wearable devices like the Fitbit, Nike’s Fuelband, and Jawbone’s Up. But if the titans of the smartphone industry succeed in creating a dominant platform for health and fitness data, this business could be in trouble. “A lot of the basic functions we have seen in fitness wearables — tracking your steps, taking your heart rate — those functions will become basic features on a smartphone or smartwatch,” says Wang.

As someone who’s worn one of these trackers for years now [1] and who is obsessive about carrying my smartphone, I cannot disagree more. My phone does rough calculation of how much I move every month and it’s routinely off by absolutely enormous magnitudes. [2] To some extent, that’s because the phone isn’t calibrated to precisely monitor how far I walk. To a greater extent, however, it’s because while I’m obsessive about keeping my phone around me it’s actually not on my person for about 30% of my movements each day. I don’t carry my phone at night when walking the dog, or necessarily when I’m wander around the building I work in.

For people who want just casual or ambient information about movement a smartphone might be fine. But anyone who is even moderately interested in tracking their activity for health reasons isn’t going to be willing to ‘guesstimate’ 1/3 of their day’s activity. The real power of smartphones is delivering information-rich notifications or aggregating data from a variety of sensors; it’s the software that they bring, first and foremost, that is their value add. And I think that for the fitness device companies to be successful they’ll need to develop powerful data mobilization schemes – you’ll need to be able to integrate data from the fitness hardware to any smartphone OS – to really capture significant portions of the market over the longer-term. I don’t buy the idea that people will keep buying sub-par products because the data is bound within a specific operating system or mobile phone ecosystem. Though, perhaps that’s just me as someone who hops between smartphone and smartphone OSes every 12–14 months.

  1. I’ve lost a pair of Fitbits, returned another, and currently use a Jawbone UP 24. I bought my first Fitbit in April 2012.  ↩
  2. As an example, My Jawbone tracked me walking somewhere between 135–150 miles last month whereas Google suggested I walked just 30–40 miles.  ↩
Categories
Links Writing

Canadians are lax on privacy, Senate committee hears

Canadians are lax on privacy, Senate committee hears:

Bill S-220 would create parliamentary committee to oversee intelligence and security efforts

The fact that a former director of CSEC is asserting that it’s Canadians’ own fault that their privacy is being infringed upon is hopefully just rhetoric and not reflective of his real beliefs. As he must know, there are enormous pressures that individuals face to use contemporary communications services and never be cognizant of the full ramifications about the use of those services.

Such pressures have little to nothing to do with social media: just consider the leaking of information from mobile and desktop systems that follows from just leaving the device on or using it for the most basic functionalities. In the drive to make corporate consumer surveillance ‘transparent’ consumers have become grossly disadvantaged; learning and understanding how systems work, today, requires an immense effort. Such an effort should not be demanded to log into email or social media accounts, or fully grasp why a targeted ad has been displayed.

Of course, Mr. Adams knows this. He understands that privacy has not been designed into services and that, once alerted to gross and pervasive failures, informed people are routinely astounded, shocked, and angry. Most of the Internet uses the equivalent of Pintos and the NSA, CSEC, and other five eyes partners know exactly where the gas tanks are. They’re just reluctant to tell the rest of us and then blame us when we learn we’ve been rolling around the Internet-equivalent of privacy deathtraps.

Categories
Links Writing

Low-level federal judges balking at law enforcement requests for electronic evidence

Low-level federal judges balking at law enforcement requests for electronic evidence:

Among the most aggressive opinions have come from D.C. Magistrate Judge John M. Facciola, a bow-tied court veteran who in recent months has blocked wide-ranging access to the Facebook page of Navy Yard shooter Aaron Alexis and the iPhone of the Georgetown University student accused of making ricin in his dorm room. In another case, he deemed a law enforcement request for the entire contents of an e-mail account “repugnant” to the U.S. Constitution.

For these and other cases, Facciola has demanded more focused searches and insisted that authorities delete collected data that prove unrelated to a current investigation rather than keep them on file for unspecified future use. He also has taken the unusual step, for a magistrate judge, of issuing a series of formal, written opinions that detail his concerns, even about previously secret government investigations.

“For the sixth time,” Facciola wrote testily, using italics in a ruling this month, “this Court must be clear: if the government seizes data it knows is outside the scope of the warrant, it must either destroy the data or return it. It cannot simply keep it.”

Broad based access to telecommunications information can be extremely revealing: law enforcement know this, civil advocates (and defence attorneys) know this, and (increasingly) justices know this. And as justices in particular become more cognizant of just what law enforcement agencies are accessing, and of authorities’ decisions to not target their searches but instead collect (and retain) the entirety of people’s personal information, we’ll see more and more pushback against authorities’ overreaches.

Politics and justice tend to move slowly, often to the point where they ‘lag’ a decade or more behind technology and social norms. However, even these conservative systems tend to eventually correct themselves. As federal American judges ‘balk’ at over collection we’ll see these issues of evidence collection rise through the courts until, hopefully, a good ruling is issued by the Supreme Court of the United States. And then we’ll move onto the next overreach that authorities identify and begin exploiting…