Categories
Quotations

The most important detail to focus on is (per comment 12 by Brian Trzupek above) that Trustwave knew when it issued the certificate that it would be used to sign certificates for websites not owned by Trustwave’s corporate customer.

That is, Trustwave sold a certificate knowing that it would be used to perform active man-in-the-middle interception of HTTPS traffic.

This is very very different than the usual argument that is used to justify “legitimate” intermediate certificates: the corporate customer wants to generate lots of certs for internal servers that it owns.

Regardless of the fact that Trustwave has since realized that this is not a good business practice to be engaged in, the damage is done.

With root certificate power comes great responsibility. Trustwave has abused this power and trust, and so the appropriate punishment here is death (of its root certificate).

~Christopher Soghoian, in comment about Trustwave

Categories
Links

Wind on a Leaf: Dear startups and other relevant parties: It’s 2012. It is no longer ok to

chartier:

  • Not offer a way to download our data in some sort of a standard, transparent, and at least somewhat human-siftable format
  • Hide or otherwise be opaque about precisely what personal data you smuggle out of our devices
  • Not offer a one-to-two-click process for deleting our accounts
  • Fail to actually remove our data from your servers after we delete our accounts (while complying with applicable regional laws governing data retention)
  • Believe that taking VC and selling your customers’ private information is the only way to get a company off the ground, let alone run a successful business
  • Not use SSL for passing even the slightest bit of private information

Did I miss anything?

One thing: use rhetoric and spin to try and convince users that rabidly anti-consumer practices (such as those noted above) are good for society and that this kind of ‘radical transparency’ (i.e. screwing the customer for the benefit of the bottom line) is somehow going to make the world a better and happier place.

Categories
Videos

OK GO and Advertise to Me

I had no idea that OK GO’s recent video was largely a sponsored ad for the car they’re driving.

I also don’t care, because:

  1. I had no idea what the car was until I read an analysis of the video;
  2. It’s just (to my mind) another ridiculously awesome music video from this band.

I’m willing to sit through the ‘ad’ on the basis that the ‘brand’ of the car is non-obtrusive: it’s just a particular vehicle (pardon the pun) to deliver a really cool cultural experience.

Categories
Quotations

Phone hacking, for the most part, depends on remote access. Hackers obtain unprotected phone numbers from a variety of sources – Facebook must be a favorite – or by social engineering. PINs, for the most part, are easy to guess. Hacking typically takes place in the legitimate user’s absence.

Unless Apple or Google plans to bar remote access to devices, facial recognition security surely only solves a small part of the problem. Back to the drawing board.

~Kim Davis, from Internet Evolution

Categories
Videos

Lessig Interviews Abramoff

Curious about the inner workings of Congressional and Senate corruption? Then set some time aside and watch this video. It’s a bit long – it goes for about 90 minutes – but is well worth your time.

Categories
Humour

Security Measures

Security Measures – Ric Stultz, 2012

The security systems are aware, armed, and not taking prisoners.

Categories
Aside Links

iOS is a Security Vampire

I’m sorry, but what Path did is (in some jurisdictions, such as my own) arguably a criminal offence. Want to know what they’ve been up to?

When developer Arun Thampi started looking for a way to port photo and journaling software Path to Mac OS X, he noticed some curious data being sent from the Path iPhone app to the company’s servers. Looking closer, he realized that the app was actually collecting his entire address book — including full names, email addresses, and phone numbers — and uploading it to the central Path service. What’s more, the app hadn’t notified him that it would be collecting the information.

Path CEO Dave Morin responded quickly with an apology, saying that “we upload the address book to our servers in order to help the user find and connect to their friends and family on Path quickly and efficiently as well as to notify them when friends and family join Path. Nothing more.” He also said that the lack of opt-in was an iOS-specific problem that would be fixed by the end of the week. [emphasis added]

No: this isn’t an ‘iOS-specific problem’; it’s an ‘iOS lacks an appropriate security model and so we chose to abuse it’ problem. I cannot, for the life of me, believe that Apple is willing to let developers access the contact book – with all of its attendant private data – without ever notifying the end user. Path should be tarred, feathered, and legally punished. This wasn’t an ‘accident’ but a deliberate decision, and there should be severe consequences for it.

Also: while the Verge author writes:

Thampi doesn’t think Path is doing anything untoward with the data, and many users don’t have a problem with Path keeping some record of address book contacts.

I think that this misses a broader point. You should not be able to disclose mass amounts of other people’s personal information without their consent. When I provide key contact information it is for an individual’s usage, not for them to share my information with a series of corporate actors to do whatever those actors want with it. The notion that a corporation would be so bold as to steal this personal information to use for their own purposes is absolutely, inexcusably, wrong.

Categories
Links Writing

The rules of a creator’s life

Creative Something: The rules of a creator’s life

I’d suggest that these 9 principles are essential to guiding me through daily life. I would want to add a tenth item though:

10. Be willing to fail, and fail often, and just be sure to learn a little from each failed project.

Categories
Humour

I’ll Call you ‘An Ambulance’, OK?

fuckyeahgenderneutralstem: Siri, please help me when I’m dying.

Siri and voice recognition gone horribly, horribly wrong (in tragically comedic ways).

Categories
Links Writing

MegaUpload’s Shutdown: Financial Implications for Artists

Mike Masnick points out something that a large portion of the media missed in initial discussions surrounding the MegaUpload seizures:

There’s a key point in all of this that we missed in our earlier analysis about paid accounts at Megaupload. In the indictment, the government seems to assume that paid accounts are clearly all about illegal infringing works. But that’s not always the case. In fact, plenty of big name artists – especially in the hip hop world – use the paid accounts to make themselves money. This is how they release tracks. You sign up for a paid account from services like Megaupload, which pay you if you get a ton of downloads. For big name artists, that’s easy: of course you get a ton of downloads. So it’s a great business model for artists: they get paid and their fans get music for free. Everyone wins. Oh… except for the old gatekeeper labels.

There were certainly a large number of files that were potentially infringing – and determining automatically, with digital systems, whether something is or isn’t infringing is impossible because of legal ambiguities – but there were also many clearly non-infringing files. Those uploaded directly by artists for download fell into this latter category.

While some artists who have already made it big might see a decrease in revenue yet still enjoy a life dedicated to creating new works, those who have yet to ‘break through’ will suffer disproportionately from losing an easy-to-use service that could generate some revenue. The smallest artists lose, the largest lose, and consumers lose. I’m not even certain that the labels themselves ‘win’, insofar as generating ill will likely hinders their ability to establish strong (positive) brand relationships with prospective consumers.