Link

Vulnerability Exploitability eXchange (VEX)

CISA has a neat bit of work they recently published, entitled “Vulnerability Exploitability eXchange (VEX) – Status Justifications” (warning: opens to .pdf.).1 Product security teams that adopt VEX could assert the status of specific vulnerabilities in their products. As a result, clients’ security staff could allocate time to remediate actionable vulnerabilities instead of burning time on potential vulnerabilities that product security teams have already closed off or mitigated.

There are a number of different machine-readable status types that are envisioned, including:

  • Component_not_present
  • Vulnerable_code_not_present
  • Vulnerable_code_cannot_be_controlled_by_adversary
  • Vulnerable_code_not_in_execute_path
  • Inline_mitigations_already_exist

CISA’s publication spells out what each status entails in more depth and includes diagrams to help readers understand what is envisioned. However, those same readers need to pay attention to a key caveat, namely, “[t]his document will not address chained attacks involving future or unknown risks as it will be considered out of scope.” Put another way, VEX is used to assess known vulnerabilities and attacks. It should not be relied upon to predict potential threats based on not-yet-public attacks nor new ways of chaining known vulnerabilities. Thus, while it would be useful to ascertain if a product is vulnerable to EternalBlue, today, it would not be useful to predict or assess the exploited vulnerabilities prior to EternalBlue having been made public nor new or novel ways of exploiting the vulnerabilities underlying EternalBlue. In effect, then, VEX is meant to address the known risks associated with N-Days as opposed to risks linked with 0-Days or novel ways of exploiting N-Days.2
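As an added example (not code from CISA’s document or from this post), here is a small Python consumer that applies a supplier’s VEX statements to a client’s scanner findings and keeps only what is still actionable. The JSON layout and the field names (supplier, statements, product, vuln, status, justification) are a constructed simplification for illustration, not the CSAF or CycloneDX VEX schemas; the only values taken from the page are the five justification labels above (lower-cased), and the product names and CVE identifiers are obvious placeholders. The defender-side check it adds is that a “not affected” statement without one of the recognised justifications is rejected rather than trusted, so the finding stays on the to-do list and the statement is surfaced for follow-up with the vendor.

```python
"""Apply supplier VEX statements to scanner findings (added illustration).

The document shape below is a constructed simplification; only the
justification labels mirror the CISA status list quoted in the post.
"""
import json

# Justification labels from the CISA status list, as machine-readable strings.
NOT_AFFECTED_JUSTIFICATIONS = {
    "component_not_present",
    "vulnerable_code_not_present",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "vulnerable_code_not_in_execute_path",
    "inline_mitigations_already_exist",
}

# Status values a client is prepared to act on; anything else is treated as unknown.
KNOWN_STATUSES = {"affected", "not_affected", "fixed", "under_investigation"}

# Constructed sample VEX document from a hypothetical supplier (placeholder IDs).
SAMPLE_VEX = json.dumps({
    "supplier": "ExampleCorp",
    "statements": [
        {"product": "widget-server@2.3.1", "vuln": "CVE-EXAMPLE-0001",
         "status": "not_affected",
         "justification": "vulnerable_code_not_in_execute_path"},
        {"product": "widget-server@2.3.1", "vuln": "CVE-EXAMPLE-0002",
         "status": "not_affected",
         "justification": "we_checked_it"},        # not a recognised label
        {"product": "widget-server@2.3.1", "vuln": "CVE-EXAMPLE-0003",
         "status": "affected"},
        {"product": "widget-server@2.3.1", "vuln": "CVE-EXAMPLE-0004",
         "status": "fixed"},
    ],
})

# Constructed scanner output: (product, vulnerability) pairs the client's tool reported.
SAMPLE_FINDINGS = [
    ("widget-server@2.3.1", "CVE-EXAMPLE-0001"),
    ("widget-server@2.3.1", "CVE-EXAMPLE-0002"),
    ("widget-server@2.3.1", "CVE-EXAMPLE-0003"),
    ("widget-server@2.3.1", "CVE-EXAMPLE-0004"),
    ("widget-server@2.3.1", "CVE-EXAMPLE-0005"),  # supplier said nothing about it
    ("other-lib@1.0.0", "CVE-EXAMPLE-0001"),       # different product, not covered
]


def parse_vex(text):
    """Index statements by (product, vuln); return (index, rejected).

    A not_affected statement must carry a recognised justification. One that
    does not is rejected instead of indexed: the client should not silence a
    finding on the strength of an unjustified claim.
    """
    doc = json.loads(text)
    index, rejected = {}, []
    for st in doc.get("statements", []):
        key = (st["product"], st["vuln"])
        status = st.get("status")
        just = st.get("justification")
        if status == "not_affected" and just not in NOT_AFFECTED_JUSTIFICATIONS:
            rejected.append((key, just))
            continue
        index[key] = (status if status in KNOWN_STATUSES else "unknown", just)
    return index, rejected


def triage(vex_text, findings):
    """Split findings into actionable and suppressed using the supplier's VEX."""
    index, rejected = parse_vex(vex_text)
    rejected_keys = {key for key, _ in rejected}
    actionable, suppressed = [], []
    for key in findings:
        if key in rejected_keys:
            actionable.append((key, "unjustified_not_affected"))
            continue
        status, just = index.get(key, ("unknown", None))
        if status in ("not_affected", "fixed"):
            suppressed.append((key, status, just))
        else:
            # affected, under_investigation or unknown: the client still has work to do
            actionable.append((key, status))
    return {"actionable": actionable, "suppressed": suppressed, "rejected": rejected}


if __name__ == "__main__":
    result = triage(SAMPLE_VEX, SAMPLE_FINDINGS)
    for key, status in result["actionable"]:
        print("ACTIONABLE", key, status)
    for key, status, just in result["suppressed"]:
        print("SUPPRESSED", key, status, just)
    for key, just in result["rejected"]:
        print("REJECTED STATEMENT", key, repr(just))
```

Note that the consumer only ever suppresses findings the supplier explicitly addressed: a vulnerability the VEX is silent on, or a different product version, stays actionable, which is the practical form of the caveat that VEX speaks to known issues in the product it describes and nothing beyond them.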

For VEX to work best there should be some kind of surrounding policy requirements, such as a disciplinary response when/if a supplier falsely (as opposed to incorrectly) asserts the security properties of its product. This can take many forms and perhaps the easiest relies on economics and not criminal sanction: federal governments or major companies will decline to do business with a vendor found to have issued a deceptive VEX, and may have financial recourse based on contractual terms with the product’s vendor. When or if this economic solution fails then it might be time to turn to legal venues and, if existing approaches prove insufficient, potentially even introduce new legislation designed to further discipline bad actors. However, as should be apparent, there isn’t a demonstrable requirement to introduce legislation to make VEX actionable.

I think that VEX continues work under the current American administration to advance a number of good policies that are meant to better secure products and systems. VEX works hand-in-hand with SBOMs and, also, may be supported by US Executive Orders around cybersecurity.

While Canada may be ‘behind’ the United States we can see that things are potentially shifting. There is currently a consultation underway to regenerate Canada’s cybersecurity strategy and infrastructure security legislation was introduced just prior to Parliament rising for its summer break. Perhaps, in a year’s time, we’ll see stronger and bolder efforts by the Canadian government to enhance infrastructure security with some small element of that recommending the adoption of VEXes. At the very least the government won’t be able to say they lack the legislative tools or strategic direction to do so.


  1. You can access a locally hosted version if the CISA link fails. ↩︎
  2. For a nice discussion of why N-days are regularly more dangerous than 0-Days, see: “N-Days: The Overlooked Cyber Threat for Utilities.” ↩︎
Link

A Brief Unpacking of a Declaration on the Future of the Internet

Cameron F. Kerry has a helpful piece in Brookings that unpacks the recently published ‘Declaration on the Future of the Internet.’ As he explains, the Declaration was signed by 60 States and is meant, in part, to rebut a China-Russia joint statement. Those countries’ statement would support their positions on ‘securing’ domestic Internet spaces and removing Internet governance from multi-stakeholder forums to State-centric ones.

So far, so good. However, baked into Kerry’s article is language suggesting that he either misunderstands, or understates, some of the security-related elements of the Declaration. He writes:

There are additional steps the U.S. government can take that are more within its control than the actions and policies of foreign states or international organizations. The future of the Internet declaration contains a series of supporting principles and measures on freedom and human rights, Internet governance and access, and trust in use of digital network technology. The latter—trust in the use of network technology— is included to “ensure that government and relevant authorities’ access to personal data is based in law and conducted in accordance with international human rights law” and to “protect individuals’ privacy, their personal data, the confidentiality of electronic communications and information on end-users’ electronic devices, consistent with the protection of public safety and applicable domestic and international law.” These lay down a pair of markers for the U.S. to redeem.

I read this, against the 2019 Ministerial and recent Council of Europe Cybercrime Convention updates, and see that a vast swathe of new law enforcement and security agency powers would be entirely permissible based on Kerry’s assessment of the Declaration and States involved in signing it. While these new powers have either been agreed to, or advanced by, signatory States they have simultaneously been directly opposed by civil and human rights campaigners, as well as some national courts. Specifically, there are live discussions around the following powers:

  • the availability of strong encryption;
  • the guarantee that the content of communications sent using end-to-end encrypted devices cannot be accessed or analyzed by third parties (including by on-device surveillance);
  • the requirement of prior judicial authorization to obtain subscriber information; and
  • the oversight of preservation and production powers by relevant national judicial bodies.

Laws can be passed that see law enforcement interests supersede individuals’ or communities’ rights in safeguarding their devices, data, and communications from the State. When or if such a situation occurs, the signatories of the Declaration can hold fast in their flowery language around protecting rights while, at the same time, individuals and communities experience heightened surveillance of, and intrusions into, their daily lives.

In effect, a lot of international policy and legal infrastructure has been built to facilitate sweeping new investigatory powers and reforms to how data is, and can be, secured. It has taken years to build this infrastructure and as we leave the current stage of the global pandemic it is apparent that governments have continued to press ahead with their efforts to expand the powers which could be provided to law enforcement and security agencies, notwithstanding the efforts of civil and human rights campaigners around the world.

The next stage of things will be to assess how, and in what ways, international agreements and legal infrastructure will be brought into national legal systems and to determine where to strategically oppose the worst of the overreaches. While it’s possible that some successes are achieved in resisting the expansions of state powers, not everything will be resisted. The consequence will be both to enhance state intrusions into private lives as well as to weaken the security provided to devices and data, with the resultant effect of better enabling criminals to illicitly access or manipulate our personal information.

The new world of enhanced surveillance and intrusions is wholly consistent with the ‘Declaration on the Future of the Internet.’ And that’s a big, glaring, and serious problem with the Declaration.

Link

The Broader Implications of Data Breaches

Ikea Canada notified approximately 95,000 Canadian customers in recent weeks about a data breach the company has suffered. An Ikea employee conducted a series of searches between March 1 and March 3 which surfaced the account records of the aforementioned customers.1

While Ikea promised that financial information–credit card and banking information–hadn’t been revealed, a raft of other personal information had been. That information included:

  • full first and last name;
  • postal code or home address;
  • phone number and other contact information;
  • IKEA loyalty number.

Ikea did not disclose who specifically accessed the information nor their motivations for doing so.

The notice provided by Ikea was better than most data breach alerts insofar as it informed customers what exactly had been accessed. For some individuals, however, this information is highly revelatory and could cause significant concern.

For example, imagine a case where someone has previously been the victim of either physical or digital stalking. Should their former stalker be an Ikea employee the data breach victim may ask whether their stalker now has confidential information that can be used to renew, or further amplify, harmful activities. With the customer information in hand, as an example, it would be relatively easy for a stalker to obtain more information such as where precisely someone lived. If they are aggrieved then they could also use the information to engage in digital harassment or threatening behaviour.

Without more information about the motivations behind why the Ikea employee searched the database those who have been stalked or had abusive relations with an Ikea employee might be driven to think about changing how they live their lives. They might feel the need to change their safety habits, get new phone numbers, or cycle to a new email. In a worst case scenario they might contemplate vacating their residence for a time. Even if they do not take any of these actions they might experience a heightened sense of unease or anxiety.

Of course, Ikea is far from alone in suffering these kinds of breaches. They happen on an almost daily basis for most of us, whether we’re alerted of the breach or not. Many news reports about such breaches focus on whether there is an existent or impending financial harm and stop the story there. The result is that journalistic reporting can conceal some of the broader harms linked with data breaches.

Imagine a world where our personal information–how you can call us or find our homes–were protected to the same degree that our credit card numbers are currently protected. In such a world stalkers and other abusive actors might be less able to exploit stolen or inappropriately accessed information. Yes, there will always be ways by which bad actors can operate badly, but it would be possible to mitigate some of the ways this badness can take place.

Companies could still create meaningful consent frameworks whereby some (perhaps most!) individuals could agree to have their information stored by the company. But those who have a different risk threshold could make a meaningful choice so they could still make purchases and receive deliveries without, at the same time, permanently increasing the risk that their information might fall into the wrong hands. However, getting to this point requires expanded threat modelling: we can’t just worry about a bad credit card purchase but, instead, would need to take seriously the gendered and intersectional nature of violence and its intersection with cybersecurity practices.


  1. In the interests of disclosure, I was contacted as an affected party by Ikea Canada. ↩︎
Link

The So-Called Privacy Problems with WhatsApp

(Photo by Anton on Pexels.com)

ProPublica, which is typically known for its excellent journalism, published a particularly terrible piece earlier this week that fundamentally miscast how encryption works and how Facebook vis-a-vis WhatsApp works to keep communications secured. The article, “How Facebook Undermines Privacy Protections for Its 2 Billion WhatsApp Users,” focuses on two so-called problems.

The So-Called Privacy Problems with WhatsApp

First, the authors explain that WhatsApp has a system whereby recipients of messages can report content they have received to WhatsApp on the basis that it is abusive or otherwise violates WhatsApp’s Terms of Service. The article frames this reporting process as a way of undermining privacy on the basis that secured messages are not kept solely between the sender(s) and recipient(s) of the communications but can be sent to other parties, such as WhatsApp. In effect, the ability to voluntarily forward messages to WhatsApp that someone has received is cast as breaking the privacy promises that have been made by WhatsApp.

Second, the authors note that WhatsApp collects a large volume of metadata in the course of using the application. Using lawful processes, government agencies have compelled WhatsApp to disclose metadata on some of their users in order to pursue investigations and secure convictions against individuals. The case that is focused on involves a government employee who leaked confidential banking information to Buzzfeed, and which were subsequently reported out.

Assessing the Problems

In the case of forwarding messages for abuse reporting purposes, encryption is not broken and the feature is not new. These kinds of processes offer a mechanism that lets individuals self-identify and report on problematic content. Such content can include child grooming, the communications of illicit or inappropriate messages or audio-visual content, or other abusive information.

What we do learn, however, is that the ‘reactive’ and ‘proactive’ methods of detecting abuse need to be fixed. In the case of the former, only about 1,000 people are responsible for intaking and reviewing the reported content after it has first been filtered by an AI:

Seated at computers in pods organized by work assignments, these hourly workers use special Facebook software to sift through streams of private messages, images and videos that have been reported by WhatsApp users as improper and then screened by the company’s artificial intelligence systems. These contractors pass judgment on whatever flashes on their screen — claims of everything from fraud or spam to child porn and potential terrorist plotting — typically in less than a minute.


Further, the employees are often reliant on machine learning-based translations of content which makes it challenging to assess what is, in fact, being communicated in abusive messages. As reported,

… using Facebook’s language-translation tool, which reviewers said could be so inaccurate that it sometimes labeled messages in Arabic as being in Spanish. The tool also offered little guidance on local slang, political context or sexual innuendo. “In the three years I’ve been there,” one moderator said, “it’s always been horrible.”

There are also proactive modes of watching for abusive content using AI-based systems. As noted in the article,

Artificial intelligence initiates a second set of queues — so-called proactive ones — by scanning unencrypted data that WhatsApp collects about its users and comparing it against suspicious account information and messaging patterns (a new account rapidly sending out a high volume of chats is evidence of spam), as well as terms and images that have previously been deemed abusive. The unencrypted data available for scrutiny is extensive. It includes the names and profile images of a user’s WhatsApp groups as well as their phone number, profile photo, status message, phone battery level, language and time zone, unique mobile phone ID and IP address, wireless signal strength and phone operating system, as a list of their electronic devices, any related Facebook and Instagram accounts, the last time they used the app and any previous history of violations.

Unfortunately, the AI often makes mistakes. This led one interviewed content reviewer to state that, “[t]here were a lot of innocent photos on there that were not allowed to be on there … It might have been a photo of a child taking a bath, and there was nothing wrong with it.” Often, “the artificial intelligence is not that intelligent.”

The vast collection of metadata has been a long-reported concern and issue associated with WhatsApp and, in fact, was one of the many reasons why many individuals advocate for the use of Signal instead. The reporting in the ProPublica article helpfully summarizes the vast amount of metadata that is collected but that collection, in and of itself, does not present any evidence that Facebook or WhatsApp have transformed the application into one which inappropriately intrudes into persons’ privacy.

ProPublica Sets Back Reasonable Encryption Policy Debates

The ProPublica article harmfully sets back broader policy discussion around what is, and is not, a reasonable approach for platforms to take in moderating abuse when they have integrated strong end-to-end encryption. Such encryption prevents unauthorized third-parties–inclusive of the platform providers themselves–from reading or analyzing the content of the communications themselves. Enabling a reporting feature means that individuals who receive a communication are empowered to report it to a company, and the company can subsequently analyze what has been sent and take action if the content violates a terms of service or privacy policy clause.

In suggesting that what WhatsApp has implemented is somehow wrong, it becomes more challenging for other companies to deploy similar reporting features without fearing that their decision will be reported on as ‘undermining privacy’. While there may be a valid policy discussion to be had–is a reporting process the correct way of dealing with abusive content and messages?–the authors didn’t go there. Nor did they seriously investigate whether additional resources should be adopted to analyze reported content, or talk with artificial intelligence experts or machine-based translation experts on whether Facebook’s efforts to automate the reporting process are adequate, appropriate, or flawed from the start. All those would be very interesting, valid, and important contributions to the broader discussion about integrating trust and safety features into encrypted messaging applications. But…those are not things that the authors choose to delve into.

The authors could have, also, discussed the broader importance (and challenges) in building out messaging systems that can deliberately conceal metadata, and the benefits and drawbacks of such systems. While the authors do discuss how metadata can be used to crack down on individuals in government who leak data, as well as assist in criminal investigations and prosecutions, there is little said about what kinds of metadata are most important to conceal and the tradeoffs in doing so. Again, there are some who think that all or most metadata should be concealed, and others who hold opposite views: there is room for a reasonable policy debate to be had and reported on.

Unfortunately, instead of actually taking up and reporting on the very valid policy discussions that are at the edges of their article, the authors chose to be bombastic and asserted that WhatsApp was undermining the privacy protections that individuals thought they had when using the application. It’s bad reporting, insofar as it distorts the facts, and is particularly disappointing given that ProPublica has shown it has the chops to do good investigative work that is well sourced and nuanced in its outputs. This article, however, absolutely failed to make the cut.

Link

Explaining WhatsApp’s Encryption for Business Communications

Shoshana Wodinsky writing for Gizmodo has a lengthy, and detailed, breakdown of how and why WhatsApp is modifying its terms of service to facilitate consumer-to-business communications. The crux of the shift, really, comes down to:

… in the years since WhatsApp co-founders Jan Koum and Brian Acton cut ties with Facebook for, well, being Facebook, the company slowly turned into something that acted more like its fellow Facebook properties: an app that’s kind of about socializing, but mostly about shopping. These new privacy policies are just WhatsApp’s—and Facebook’s—way of finally saying the quiet part out loud.

What’s going to change? Namely whenever you’re speaking to a business then those communications will not be considered end-to-end encrypted and, as such, the communications content and metadata that is accessible can be used for advertising and other marketing, data mining, data targeting, or data exploitation purposes. If you’re just chatting with individuals–that is, not businesses!–then your communications will continue to be end-to-end encrypted.

For an additional, and perhaps longer, discussion of how WhatsApp’s shifts in policy–now, admittedly, delayed for a few months following public outrage–are linked to the goal of driving business revenue into the company, check out Alec Muffett’s post over on his blog. (By way of background, Alec’s been in the technical security and privacy space for 30+ years, and is a good and reputable voice on these matters.)

Link

🦓 Zebra Crossing: an easy-to-use digital safety checklist

There are a lot of different security guides, but I think that in terms of trying to balance being comprehensive, accessible, and directly actionable, Zebra Crossing is amongst the better guides out there. Who’s it for?

1. You use the internet on a day-to-day basis – for work, social media, financial transactions, etc.

2. You feel you could be doing more to ensure your digital safety and privacy, but you’re not in immediate danger. (If you are, seek out an expert for a one-on-one consult.)

3. You’re comfortable with technology. For example, you’re comfortable going into the settings section of your computer/smartphone.

How should it be used?

1. Recommendations have been sorted in ascending levels of difficulty. Start from level one and work your way up!

2. Everyone should follow the recommendations in levels one and two. They will protect you from the widely-used (yet simple) attacks. Going through them shouldn’t take more than 1-2 hours.

3. Level three is a bit more involved in terms of time and money and may not be 100% necessary. But if you’re worried at all and can afford to, we recommend going through that list too. Depending on the amount of digital housekeeping you have to do, it may take anywhere from an hour to an afternoon.

4. The scenarios listed after are for higher-stakes situations — scan them to see if any of them apply to you. (Because the stakes are higher, they assume that you’ve done everything in levels 1-3.)

Another great resource is Consumer Reports’ Security Planner. While it’s not designed to comprehensively guide you through upgrading your security profile, it is probably even better for helping individuals improve specific security practices.

Link

VPN and Security Friction

Troy Hunt spent some time over the weekend writing on the relative insecurity of the Internet and how VPNs reduce threats without obviating those threats entirely. The kicker is:

To be clear, using a VPN doesn’t magically solve all these issues, it mitigates them. For example, if a site lacks sufficient HTTPS then there’s still the network segment between the VPN exit node and the site in question to contend with. It’s arguably the least risky segment of the network, but it’s still there. The effectiveness of black-holing DNS queries to known bad domains depends on the domain first being known to be bad. CyberSec is still going to do a much better job of that than your ISP, but it won’t be perfect. And privacy wise, a VPN doesn’t remove DNS or the ability to inspect SNI traffic, it simply removes that ability from your ISP and grants it to NordVPN instead. But then again, I’ve always said I’d much rather trust a reputable VPN to keep my traffic secure, private and not logged, especially one that’s been independently audited to that effect.

Something that security professionals are still not great at communicating—because we’re not asked to and because it’s harder for regular users to use the information—is that security is about adding friction that prevents adversaries from successfully exploiting whomever or whatever they’re targeting. Any such friction, however, can be overcome in the face of a sufficiently well-resourced attacker. But when you read most articles that talk about any given threat mitigation tool what is apparent is that the problems that are faced are systemic; while individuals can undertake some efforts to increase friction the crux of the problem is that individuals are operating in an almost inherently insecure environment.

Security is a community good and, as such, individuals can only do so much to protect themselves. But what’s more is that their individual efforts functionally represent a failing of the security community, and reveal the need for group efforts to reduce the threats faced by individuals every day when they use the Internet or Internet-connected systems. Sure, some VPNs are a good thing to help individuals but, ideally, these are technologies to be discarded in some distant future after groups of actors have successfully worked to mitigate the threats that lurk all around us. Until then, though, adopting a trusted VPN can be a very good idea if you can afford the costs linked to them.

The Roundup for June 1-30, 2020 Edition

(Urban King by Christopher Parsons)

Welcome to this edition of The Roundup! Enjoy the collection of interesting, informative, and entertaining links. Brew a fresh cup of coffee or grab yourself a drink, find a comfortable place, and relax.


I put together, and self-published, another photobook that is entitled “Pandemic Chronicles: Book I”. Each week that my city has been in (functional) lockdown, I’ve gone out once or twice and made images while just stretching my legs outside.

Over the past four months it’s often been hard to figure out how, exactly, I’ve been processing the life changes that have been imposed as a result of the pandemic. My life has, in many respects, reverted to that of my life during my PhD. So, lots of time inside and rarely leaving my home, and having considerably less social contact than normal.

I think that it’s through my photos that I can best appreciate how I’ve felt, in retrospect, and understand how those images reflect how I see the world. The book that I made isn’t particularly dark: it’s just…lonely. It showcases the city that I live in, without the people that make it the city that I love. It shows people living their lives, often alone or separate from others, or while engaging in ‘safe’ behaviours. And, towards the end, it shows the light returning to Toronto, though in a format that differs from prior summers.

Photography has, and remains, a way for me to engage a creative part of my brain that otherwise would lie fallow. And, also, it’s operated as a meditative process that uncovers how I have been in the world, and how the world has been presented to me. As someone who has struggled with the idea of a ‘narrative’ in image making, I think that this book is a breakthrough because it ‘says’ something in aggregate that is more than just a presentation of visually pleasant images: it speaks to where I live, and how it has endured in the wake of the city’s closure. Is it the height of art? No. But it’s the closest I’ve come in this medium so far!


Inspiring Quotation

“Good” can be a stifling word, a word that makes you hesitate and stare at a blank page and second-guess yourself and throw stuff in the trash. What’s important is to get your hands moving and let the images come. Whether it’s good or bad is beside the point. Just make something.

Austin Kleon

Great Photography Shots

(Photos included in ‘Pandemic Chronicles: Book I’ by Christopher Parsons)

Music I’m Digging

This month has been packed with a lot of listening, with some alternative and R&B pretty tightly mixed in with hip hop. The best of what I listened to in June includes tracks from Yung Tory’s Rastar (including Mizu, Water Pt 2, and Netflix & Chill), Kali Uchis’s TO FEEL ALIVE (EP), HONNE’s no song without you (Single), and 6LACK’s 6pc Hot(EP).

Neat Podcast Episodes

I’ve been listening to a pair of new podcast shows over the past month that I’d recommend. From the CBC, there’s This Is Not A Drake Podcast, which uses Drake as a way to talk more about the history of rap and hip hop. So far I’ve really appreciated the episode on mixtapes, as well as the connotations of Nice Guy rappers.

Very differently, I’ve also been listening to the Globe and Mail’s series, Stress Test, which is about money issues facing millennials in the time of Covid. The episodes haven’t been staggeringly brilliant (a lot of the advice is pretty time tested) but the caution and suggestions are all helpful reminders.

Good Reads

  • Reflections from an “Accidental” Mentor // Prof. McNamara’s discussion of what it means to be a mentor— first and foremost modelling who we are, as individuals, rather than fitting within a particular narrow category of who we are normatively expected to be—is good advice, and important if we are to expand what is ‘normal’ within academia. She also focuses on celebrating the commonality across scholars; we’re all nerds, at heart, and so should focus on those attributes to create community. I agree, but for myself it’s more than that: it’s also about ensuring that the structures of professional environments are re-articulated to enable more junior persons to experience their jobs and professions in ways that weren’t possible, previously. It’s not just about focusing on commonality but, also, assessing baseline principles and values and ensuring that they conform in theory and practice with welcoming, creative, equitable, and inclusive environments. And, finally, it’s about accepting and making clear that as mentors we are fallible and human, and creating workspaces where others can also betray these inherently human (and humanizing) characteristics.
  • Jon Stewart Is Back to Weigh In // Jon Stewart’s comments throughout this interview are worth the read; his assessment of the problems of contemporary political media—centred around the ‘need’ for content to fuel a 24/7 media environment—as well as for the media to engage in structural assessment of practices, are on point. Similarly, his discussion of the nature of racism in American society (but, also, Canada) strikes to the heart of things: even if someone isn’t deliberately malicious in deed or thought, they are conditioned by the structures of society and power in which they live their lives. And those very structures are, themselves, racist in their origin and contemporary design.
  • Hacking Security // Goerzen and Coleman do a terrific job in unpacking the history of what is secured by computer security experts, and why certain things are within or outside of bounds for securing. Critically, while experts may be involved in protecting ‘assets’ or combatting ‘abuse’, where threats to assets or abuse arise from the underlying profit mechanisms associated with large technology companies, those mechanisms are seen as outside of bounds for security teams to engage with. Similarly, the failure of security teams to consider, or address, ‘political’ issues such as abusive speech, harmful video content, or propagation of racist or white supremacist content all showcase the need to critically interrogate what is, and isn’t, made secure, and to expand security teams by adding social scientists and humanities scholars: technology is political, and we need security teams to have members who are trained and competent to consider those politics.
  • Once Safer Than Gold, Canadian Real Estate Braces for Reckoning // Canadians have been doubling down on their debt-loads for over a decade to the point, today, that on average Canadians owe north of $1.76 per $1.00 of income, with that number rising in the country’s largest cities. Housing is particularly vulnerable and, if it is destabilized, can be devastating to the Canadian economy more broadly given that it accounts for around 15% of GDP; slowdowns in housing will delay the revival of the Canadian economy, while simultaneously threatening the ability of Canadians to stay in their homes—now—or retain their savings to invest for their retirements—in the future. If anything good comes of this, maybe it will be a reminder that allocating the majority of your savings to a single asset is, indeed, not a good long-term investment strategy. That lesson could have knock-on effects of its own if investors decide they want to move on to their next bubble and let the housing bubble deflate as gracefully as possible.
  • Sure, The Velociraptors Are Still On The Loose, But That’s No Reason Not To Reopen Jurassic Park // McSweeney’s, once more, showcases the merits of satire in the vein of Swift’s A Modest Proposal, this time in the era of government failures in the face of pandemic.
  • You Want a Confederate Monument? My Body Is a Confederate Monument // “I have rape-coloured skin.” Not only is this perhaps the most poignant lede I’ve come across in an opinion piece in years, it also sets the stakes for Williams’ article; the very skin of many Americans (and Canadians) is a testament to violent and racist actions taken against women who were forced from their homes to live as slaves. That testament continues today, and not just in the monuments that were established in the Jim Crow era to deliberately attempt to continue subjugating Black persons, but in the very skin inhabited by the grandchildren and great-grandchildren of enslaved people.
  • Vladimir Putin’s war of fog: How the Russian President used deceit, propaganda and violence to reshape global politics // I take issue with some of MacKinnon’s choice of language in the first ¼ of the article—he suggests that truth is substantively confused and that Putin’s tactics are more successful than I think it is appropriate to concede—but beyond that he’s done a masterful job in creating an overview of who Putin is, what he’s done, and how he’s come to (and held onto) power. If you’re a long-time Russia watcher you may dispute where MacKinnon puts some of his emphasis, or his assessment of some events, but I don’t think that you can deny that this is a helpful article that provides the broad contours of Putin’s life and career. And, after having read it, it will hopefully inspire people to learn more about the financial, military, or other scandals that have occurred throughout Putin’s leadership of Russia.

Cool Things

  • iPad OS + Magic Trackpad 2 // Lots of people have already figured this out but…the new version of iPad OS + a Magic Trackpad 2 and a keyboard is a really, really compelling combination. I’ve been using this as my writing and work system for a little while and it continues to prove to me how robust the iPad actually is, and how many of the pain points have been, or are being, ground away with each version of the operating system. That said, some of the gestures are very, very opaque—in particular those associated with the slide over window—and so you may want to review how, exactly, those gestures really work to get the most out of the process (and not get frustrated when certain windows just won’t go away!)

The Roundup for July 14-31, 2019 Edition

(Confused Exposure by Christopher Parsons)

Welcome to this edition of The Roundup! Enjoy the collection of interesting, informative, and entertaining links. Brew a fresh cup of coffee or grab yourself a drink, find a comfortable place, and relax.


I’m in the process of determining what new camera I want to buy, principally to replace my aging Sony rx100ii. That camera was bought in used condition, and has been to four continents and taken approximately 20K shots. It’s been dropped, frozen, and overheated. And even gotten a little damp from salt air! It owes me little and still produces solid (black and white) images: it seems that in my abuse I did something to the sensor, which means colour images sometimes just turn out absolutely wacky.

So what do I want versus what do I need? I know from my stats that I prefer shooting between 50mm-100mm equivalent. I know that I want a fast lens for the night.1 I don’t take action shots so I don’t need the newer Sony cameras’ tracking magic. I don’t want anything bigger than the Sony—its size is a killer feature because I can always carry it around—but I definitely want a pop up viewfinder and a 90 degree tilt screen. I don’t want another interchangeable system: my Olympus kit has me covered on that front.

What do I want? I’d love to have easy access to an exposure dial. An internal ND filter would be super great. Some in-body image stabilization would also be stellar, and if I could squeeze in the ability to charge from a USB battery pack while keeping prices under $1,000 that would be perfect. Oh, and something better than Sony’s pretty terrible menu interface!

What don’t I need? Any more than 20MP, actual waterproofing2, a big body or permanent viewfinder, an APS-C sensor, audio-in features, dual SD card slots, or crazy fast tracking.

This currently means I’m very interested in some of the older Sony rx100 cameras—namely the iii and iv—and maybe the new Canon G5Xii. I know my actual photographic outputs are, in order, Instagram, my TV, photos on my wall (no larger than 24×36”), and then photo books. I know a 1” sensor is more than enough for all of those uses. Now I just need to see how the Canon’s reviews shake out, the cost of them, and then evaluate the differential between Canon’s and Sony’s cameras!


Inspiring Quotation

Taking pictures is savouring life intensely, every hundredth of a second.

  • Marc Riboud

Great Photography Shots

I have a set of abstract photos that I’ve taken over the years and, to date, while I appreciate them they aren’t ones that I’ve decided to print or routinely display. Still, several of the below abstracts (taken on smartphones) are inspiring just to look at and think about the process of developing the respective compositions.

(‘Last ices of the winter‘ by @paulenovemb)

(‘Untitled‘ by @lisalam628)

(‘Villa Savoye by Le Corbusier‘ by @bazillus)

(‘Untitled‘ by @reneetakespics)

Music I’m Digging

  • Goldlink – Diaspora // Goldlink’s album is a terrific summer album: lots of pop notes with a taste of Caribbean beats and a good mix between somewhat gravelly male and ethereal female voices. It’s been a lot of fun to listen to while writing or reading, working out, or just doing chores around home.
  • Machine Gun Kelly – Hotel Diablo // I’m still trying to really get a handle on what I think of this album, but I’ve definitely listened to it a lot over the past week or two. I think I’m appreciating it principally for its nostalgic value: it has lots of beats and sounds from late-90s/early-00s nu-metal and rap. So I don’t think that it’s ‘quality’ per se, but it definitely speaks to my younger self.

Neat Podcast Episodes

  • Lawfare – Jack Goldsmith Talks to Former Secretary of Defense Ash Carter // To begin: I’m never a huge fan of a Secretary of Defense who is a strong advocate for war, and Ash Carter is definitely in that class of Secretary. However, he provides a superb view of the entirety of the Defense Department and what goes into running it, as well as the baseline challenges of engaging in offensive cyber operations and the role(s) of legal counsel in developing military operations. If you want an insider’s view of the different layers of the Pentagon, and how the institution has developed over the past few decades, then this is a great episode to listen to.
  • Frontburner – What did Canadian peacekeepers accomplish in Mali? // Richard Poplak has a no-nonsense, direct discussion with Michelle Shephard of just how little value Canada derived from its half-billion dollar peacekeeping commitment to Mali. At least part of that failure is linked to how Canada’s foreign policy had to be entirely recalculated to deal with Donald Trump when he was elected President, but certainly not everything can be laid at Trump’s feet.
  • The Secret History of the Future – Meat and Potatoes // I have to admit, I never really thought about how important potatoes were to the Europeans in establishing a reliable source of caloric intake, nor how you could connect the potato with contemporary efforts to find new foods to both feed the contemporary world and save the environment at the same time. If you want to think a bit more about the source of your food, today, and what it might mean for your food, tomorrow, then this is a solid episode to sink your…ears?…into.
  • The Secret History of the Future – Infinite Scroll // Proving once more that everything new is really just the old reborn, Slate examines how Renaissance scholars were entirely overwhelmed by information and had pretty well the exact same issues with information, then, as contemporary societies do with the growth of the Internet and rapid spread of information. It’s interesting to hear how scholars and the public fought against things like indices, tables of contents, and reviews of books; similarly, today, we hear people push back against any and all efforts to summarize, synthesize, or distil books, articles, and (even) podcasts. The arguments of yore and of today are largely identical, which speaks to how important it is to take history into account when evaluating the travails of the contemporary era.
  • Lawfare – Jonna Mendez on ‘The Moscow Rules’ // Ever been curious about the different tricks that were used by CIA case officers in Moscow during the height of the Cold War? Then this is the episode for you! Mendez, a former CIA officer, recounts the various techniques, technologies, and troubles that the agency developed and overcame in the process of engaging in espionage against the most equally matched adversary in the world, on their home turf. Though mentioned somewhat sparingly, there are lessons to be gained from the stories she recounts from her time in the Cold War, including the very real value (at the time, for the USA) of obtaining military technology secrets well in advance of the technologies entering production: with these secrets in hand, as an example, the USA successfully built countermeasures to Soviet radar systems. Today, you can imagine how the Chinese government’s theft of American and other allies’ military secrets may similarly position that government to develop countermeasures much, much faster than otherwise expected.

Good Reads

  • ‘Orientalism,’ Then and Now // Shatz’ review of Said’s Orientalism and application of its key insights to the geopolitical changes in how the Other is conceived of — as now a threat, not because it is external and to be created through our knowledge of it, but because it is within us and is changing ‘Us’ — presents a stark view on the era of racism, fascism, and ignorance today. Whereas the orientalism that Said focused on was, principally, that linked to elite power-knowledge constructions that served the West’s practices of colonization, today’s is born of a deliberate lack of expertise and knowledge. Whereas the past cast the Other as external and a threat, today the Other is within and consequently domestic politics is the focus of elites’ aggressions. While Shatz is hesitant to assert that the end is nigh, his hopefulness towards the end of the essay is perhaps not as hopeful as he imagines: there are, indeed, efforts to defray, mitigate, and prevent the contemporary situations of hardened and violent orientalism. But despite the power and influence of art it remains unclear to me how effective these cultural acts of resistance genuinely are against a structural practice of aggression, harm, and ignorance.
  • Congress Will Ignore Trump’s Foreign Affairs Budget Request. Others Will Not. // Both chambers of the US legislature are opposed to the significant cuts that the Trump administration has sought in its budget appropriations. However, the signals sent by the administration have meant, internal to the State department, that staff resistant to democracy promotion have enjoyed enhanced status and positions in pushing back against attempts to preach American values abroad and who are, instead, advancing the transactionalist style of politics favoured by the current administration. Simultaneously, autocratic leaders abroad have taken the administration’s stance as a signal that their activities are not going to be denounced, or strongly opposed, and sometimes even supported, by the American government. While all of these signals may change following the next presidential election (though perhaps not!), the denigration of the State department is not something that can be remedied by electing a new president: it will take decades to rebuild trust, restrengthen ties, and hire and train new staff. The long term effects of the Trump administration will be felt throughout the world for a very, very long time regardless of whether he is currently in the White House.
  • Doug Ford’s Legal Aid Guarantee // This quotation from Spratt’s assessment of the Ontario government’s cuts to legal aid speaks volumes: “Unrepresented accused are also more likely to be steamrolled in our courts. You see, our justice system is adversarial and only functions if the adversaries – the prosecution and the defense – are equally matched. An impoverished, marginalized, or unsophisticated self-represented litigant stands no chance against the well-funded state. With odds stacked against them, many unrepresented accused are coerced into pleading guilty, even when they are not. Because of Ford, there will be more wrongful convictions.” Worse, given that legal aid is being cut for assistance at bail hearings, more accused will simply plead out so that they can go home and work the jobs they need to survive; losing the job they have could have catastrophic consequences, as could being unable to get home to care for their young family members. Ford’s cuts won’t save money in the short term and will almost certainly lead to increased court time and costs, and remuneration to those improperly convicted, going decades into the future.
  • The Future of the City Doesn’t Have to be Childless // I fundamentally agree with the premise of the article written by Love and Vey. Cities are very much being designed without families—or, at least, middle- and lower-class families—in mind. I agree that parks and other amenities are needed, as are spaces to facilitate youth development and lower income housing. But that isn’t enough: housing has become an investment space, where hundreds or thousands of properties are traded in an instant by holding companies, and where developers are building for investors rather than residents. We need to correct the market by pushing market forces out of housing development: rental buildings need to be prioritized for development, and developers of high rise condos obligated to pay significant fees to foster inclusive social properties around their buildings. Doing anything less just picks around the edges of the catastrophes propagated by the market in urban environments.
  • The Future of Photography // I keep thinking about what kinds of cameras I want, and why, and whether I really need them given the technical characteristics of contemporary cameras. I think that this post significantly, though not quite entirely, captures my current thinking when its author writes: “Today all modern cameras give you an image quality that is good enough even for the most demanding applications, in fact most of us will never use their full potential. What we usually do is to make a photo book now and then but most of the time the pictures will be displayed on the internet or on our TVs. So the ever increasing resolution makes no sense anymore. If your camera has 24MP you trow away 66% of the pixels in case you display them on a 4K TV in case you use them for the internet it is 90% or more. If you change to a 61MP camera you just trow (sic) away more pixels. … I think the real key is to offer a satisfying shooting experience so that you just want to take out your camera to take some pictures. A nicely handling camera with a good shutter sound and solid lenses with a real aperture ring is all it takes. That’s why I think Fuji has grown so popular.” The only thing I’d add is this: I really, really like flip out screens and the ability to see what I’m shooting in the bright sun through a viewfinder.
  • Why we fight for crypto // Robert Graham has a good, high-level assessment of why calls by the US government to undermine the security provided by contemporary cryptography are wrongheaded. Worth the read to recall why the current Attorney General’s calls, if adopted, would endanger individuals and society, and constitute irresponsible policy proposals that are not supported by an evidentiary record demonstrating the need for such modifications to cryptography.
  • How to Prevent and Treat Tick Bites and Lyme Disease // Part of a broader, and frankly disturbing, special series on ticks and the dangers they pose, Heid’s short article gives you all the information you need to limit the likelihood of getting bitten by a tick, what to do should you discover one on you, and how to respond should Lyme disease symptoms appear.
  1. Recognizing that a ‘fast’ compact lens isn’t really all that fast when looking at full frame or even APS-C equivalencies.
  2. I’m in love with the idea of shooting in the rain, but not so much the actual getting wet part, so I don’t think I need full waterproofing, and most cameras can take a bit of light rain here or there in my experience.
Quote

If anything, what [Bytes, Bombs and Spies] points out is how little value you can get from traditional political-science terms and concepts. Escalatory ladder makes little sense with a domain where a half-decade of battlefield preparation and pre-placement are required for attacks, where attacks have a more nebulous connection to effect, deniability is a dominant characteristic, and where intelligence gathering and kinetic effect require the same access and where emergent behavior during offensive operations happens far beyond human reaction time.