Link

VPN and Security Friction

Troy Hunt spent some time over the weekend writing on the relative insecurity of the Internet and how VPNs reduce threats without obviating those threats entirely. The kicker is:

To be clear, using a VPN doesn’t magically solve all these issues, it mitigates them. For example, if a site lacks sufficient HTTPS then there’s still the network segment between the VPN exit node and the site in question to contend with. It’s arguably the least risky segment of the network, but it’s still there. The effectiveness of black-holing DNS queries to known bad domains depends on the domain first being known to be bad. CyberSec is still going to do a much better job of that than your ISP, but it won’t be perfect. And privacy wise, a VPN doesn’t remove DNS or the ability to inspect SNI traffic, it simply removes that ability from your ISP and grants it to NordVPN instead. But then again, I’ve always said I’d much rather trust a reputable VPN to keep my traffic secure, private and not logged, especially one that’s been independently audited to that effect.

Something that security professionals are still not great at communicating—because we’re not asked to, and because it’s harder for regular users to act on the information—is that security is about adding friction that prevents adversaries from successfully exploiting whomever or whatever they’re targeting. Any such friction, however, can be overcome by a sufficiently well-resourced attacker. But when you read most articles about any given threat mitigation tool, what becomes apparent is that the problems being faced are systemic: while individuals can undertake some efforts to increase friction, the crux of the problem is that individuals are operating in an almost inherently insecure environment.

Security is a community good and, as such, individuals can only do so much to protect themselves. What’s more, their individual efforts functionally represent a failing of the security community, and reveal the need for group efforts to reduce the threats that individuals face every day when they use the Internet or Internet-connected systems. Sure, some VPNs are a good thing to help individuals but, ideally, these are technologies to be discarded in some distant future after groups of actors have successfully worked to mitigate the threats that lurk all around us. Until then, though, adopting a trusted VPN can be a very good idea if you can afford the costs linked to it.

The Roundup for June 1-30, 2020 Edition

(Urban King by Christopher Parsons)

Welcome to this edition of The Roundup! Enjoy the collection of interesting, informative, and entertaining links. Brew a fresh cup of coffee or grab yourself a drink, find a comfortable place, and relax.


I put together, and self-published, another photobook that is entitled “Pandemic Chronicles: Book I”. Each week that my city has been in (functional) lockdown, I’ve gone out once or twice and made images while just stretching my legs outside.

Over the past four months it’s often been hard to figure out how, exactly, I’ve been processing the life changes that have been imposed as a result of the pandemic. My life has, in many respects, reverted to that of my life during my PhD. So, lots of time inside and rarely leaving my home, and having considerably less social contact than normal.

I think that it’s through my photos that I can best appreciate how I’ve felt, in retrospect, and understand how those images reflect how I see the world. The book that I made isn’t particularly dark: it’s just…lonely. It showcases the city that I live in, without the people that make it the city that I love. It shows people living their lives, often alone or separate from others, or while engaging in ‘safe’ behaviours. And, towards the end, it shows the light returning to Toronto, though in a format that differs from prior summers.

Photography has, and remains, a way for me to engage a creative part of my brain that otherwise would lie fallow. And, also, it’s operated as a meditative process that uncovers how I have been in the world, and how the world has been presented to me. As someone who has struggled with the idea of a ‘narrative’ in image making, I think that this book is a breakthrough because it ‘says’ something in aggregate that is more than just a presentation of visually pleasant images: it speaks to where I live, and how it has endured in the wake of the city’s closure. Is it the height of art? No. But it’s the closest I’ve come in this medium so far!


Inspiring Quotation

“Good” can be a stifling word, a word that makes you hesitate and stare at a blank page and second-guess yourself and throw stuff in the trash. What’s important is to get your hands moving and let the images come. Whether it’s good or bad is beside the point. Just make something.

Austin Kleon

Great Photography Shots

(Photos included in ‘Pandemic Chronicles: Book I’ by Christopher Parsons)

Music I’m Digging

This month has been packed with a lot of listening, with some alternative and R&B pretty tightly mixed in with hip hop. The best of what I listened to in June includes tracks from Yung Tory’s Rastar (including Mizu, Water Pt 2, and Netflix & Chill), Kali Uchis’s TO FEEL ALIVE (EP), HONNE’s no song without you (Single), and 6LACK’s 6pc Hot (EP).

Neat Podcast Episodes

I’ve been listening to a pair of new podcast shows over the past month that I’d recommend. From the CBC, there’s This Is Not A Drake Podcast, which uses Drake as a way to talk more about the history of rap and hip hop. So far I’ve really appreciated the episode on mixtapes, as well as the connotations of Nice Guy rappers.

Very differently, I’ve also been listening to the Globe and Mail’s series, Stress Test, which is about money issues facing millennials in the time of Covid. The episodes haven’t been staggeringly brilliant (a lot of the advice is pretty time tested) but the caution and suggestions are all helpful reminders.

Good Reads

  • Reflections from an “Accidental” Mentor // Prof. McNamara’s discussion of what it means to be a mentor—first and foremost modelling who we are, as individuals, rather than fitting within a particular narrow category of who we are normatively expected to be—is good advice, and important if we are to expand what is ‘normal’ within academia. She also focuses on celebrating the commonality across scholars; we’re all nerds, at heart, and so should focus on those attributes to create community. I agree, but for myself it’s more than that: it’s also about ensuring that the structures of professional environments are re-articulated to enable more junior persons to experience their jobs and professions in ways that weren’t possible, previously. It’s not just about focusing on commonality but, also, assessing baseline principles and values and ensuring that they conform in theory and practice with welcoming, creative, equitable, and inclusive environments. And, finally, it’s about accepting and making clear that as mentors we are fallible and human, and creating workspaces where others can also betray these inherently human (and humanizing) characteristics.
  • Jon Stewart Is Back to Weigh In // Jon Stewart’s comments throughout this interview are worth the read; his assessment of the problems of contemporary political media—centred around the ‘need’ for content to fuel a 24/7 media environment—as well as for the media to engage in structural assessment of practices, are on point. Similarly, his discussion of the nature of racism in American society (but, also, Canada) strikes to the heart of things: even if someone isn’t deliberately malicious in deed or thought, they are conditioned by the structures of society and power in which they live their lives. And those very structures are, themselves, racist in their origin and contemporary design.
  • Hacking Security // Goerzen and Coleman do a terrific job in unpacking the history of what is secured by computer security experts, and why certain things are within or outside of bounds for securing. Critically, while experts may be involved in protecting ‘assets’ or combatting ‘abuse’, where threats to assets or abuse arise from the underlying profit mechanisms associated with large technology companies, those mechanisms are seen as outside of bounds for security teams to engage with. Similarly, the failure of security teams to consider, or address, ‘political’ issues such as abusive speech, harmful video content, or propagation of racist or white supremacist content all showcase the need to critically interrogate what is, and isn’t, made secure, and to expand security teams by adding social scientists and humanities scholars: technology is political, and we need security teams to have members who are trained and competent to consider those politics.
  • Once Safer Than Gold, Canadian Real Estate Braces for Reckoning // Canadians have been doubling down on their debt-loads for over a decade to the point, today, that on average Canadians owe north of $1.76 per $1.00 of income, with that number rising in the country’s largest cities. Housing is particularly vulnerable and, if it is destabilized, can be devastating to the Canadian economy more broadly given that it accounts for around 15% of GDP; slowdowns in housing will delay the revival of the Canadian economy, while simultaneously threatening the ability of Canadians to stay in their homes—now—or retain their savings to invest for their retirements—in the future. If anything good comes of this, maybe it will be a reminder that allocating the majority of your savings into a single asset is, indeed, not a good long-term investment solution, which could have knock-on effects if investors decide they want to move to their next bubble and let the housing bubble deflate as gracefully as possible.
  • Sure, The Velociraptors Are Still On The Loose, But That’s No Reason Not To Reopen Jurassic Park // McSweeney’s, once more, showcases the merits of satire in the vein of Swift’s A Modest Proposal, this time in the era of government failures in the face of pandemic.
  • You Want a Confederate Monument? My Body Is a Confederate Monument // “I have rape-coloured skin.” Not only is this perhaps the most poignant lede I’ve come across in an opinion piece in years, it also sets the stakes for the Williams’ article; the very skin of many Americans (and Canadians) is a testament to violent and racist actions taken against women who were forced from their homes to live as slaves. That testament continues, today, and not just in the monuments that were established in the Jim Crow era to deliberately attempt to continue subjugating Black persons, but in the very skin inhabited by the grandchildren and great-grandchildren of enslaved people.
  • Vladimir Putin’s war of fog: How the Russian President used deceit, propaganda and violence to reshape global politics // I take issue with some of MacKinnon’s choice of language in the first ¼ of the article—he suggests that truth is substantively confused and that Putin’s tactics are more successful than I think is appropriate to concede—but beyond that he’s done a masterful job in creating an overview of who Putin is, what he’s done, and how he’s come to (and held onto) power. If you’re a long-time Russia watcher you may dispute where MacKinnon puts some of his emphasis, or his assessment of some events, but I don’t think that you can deny that this is a helpful article that provides the broad contours of Putin’s life and career. And, after having read it, it will hopefully inspire people to learn more about the financial, military, or other scandals that have happened throughout Putin’s leadership of Russia.

Cool Things

  • iPad OS + Magic Trackpad 2 // Lots of people already have figured this out but…the new version of iPad OS + a Magic Trackpad 2 and a keyboard is a really, really compelling combination. I’ve been using this as my writing and work system for a little while and it continues to prove to me how robust the iPad actually is, and how many of the pain points have been, or are being, ground away with each version of the operating system. That said, some of the gestures are very, very opaque—in particular those associated with the slide over window—and so you may want to review how, exactly, those gestures really work to get the most out of the process (and not get frustrated when certain windows just won’t go away!).

The Roundup for July 14-31, 2019 Edition

(Confused Exposure by Christopher Parsons)

Welcome to this edition of The Roundup! Enjoy the collection of interesting, informative, and entertaining links. Brew a fresh cup of coffee or grab yourself a drink, find a comfortable place, and relax.


I’m in the process of determining what new camera I want to buy, principally to replace my aging Sony rx100ii. That camera was bought in used condition, and has been to four continents and taken approximately 20K shots. It’s been dropped, frozen, and overheated. And even gotten a little damp from salt air! It owes me little and still produces solid (black and white) images: it seems that in my abuse I did something to the sensor, which means colour images sometimes just turn out absolutely wacky.

So what do I want versus what do I need? I know from my stats that I prefer shooting between 50mm-100mm equivalent. I know that I want a fast lens for the night.1 I don’t take action shots so I don’t need the newer Sony cameras’ tracking magic. I don’t want anything bigger than the Sony—its size is a killer feature because I can always carry it around—but definitely want a pop up viewfinder and a 90 degree tilt screen. I don’t want another interchangeable system: my Olympus kit has me covered on that front.

What do I want? I’d love to have easy access to an exposure dial. An internal ND filter would be super great. Some in-body image stabilization would also be stellar, and if I could squeeze in the ability to charge from a USB battery pack while keeping prices under $1,000 that would be perfect. Oh, and something better than Sony’s pretty terrible menu interface!

What don’t I need? Any more than 20MP, actual waterproofing2, a big body or permanent viewfinder, an APS-C sensor, audio-in features, dual SD card slots, or crazy fast tracking.

This currently means I’m very interested in some of the older Sony rx100 cameras—namely the iii and iv—and maybe the new Canon G5Xii. I know my actual photographic outputs are, in order, Instagram, my TV, photos on my wall (no larger than 24×36”), and then photo books. I know a 1” sensor is more than enough for all of those uses. Now I just need to see how the Canon’s reviews shake out, the cost of them, and then evaluate the differential between Canon’s and Sony’s cameras!


Inspiring Quotation

Taking pictures is savouring life intensely, every hundredth of a second.

  • Marc Riboud

Great Photography Shots

I have a set of abstract photos that I’ve taken over the years and, to date, while I appreciate them they aren’t ones that I’ve decided to print or routinely display. Still, several of the below abstracts (taken on smartphones) are inspiring just to look at and think about the process of developing the respective compositions.

(‘Last ices of the winter’ by @paulenovemb)

(‘Untitled’ by @lisalam628)

(‘Villa Savoye by Le Corbusier’ by @bazillus)

(‘Untitled’ by @reneetakespics)

Music I’m Digging

  • Goldlink – Diaspora // Goldlink’s album is a terrific summer album: lots of pop notes with a taste of Caribbean beats and good mix between somewhat gravelly male and ethereal female voices. It’s been a lot of fun to listen to while writing or reading, working out, or just doing chores around home.
  • Machine Gun Kelly – Hotel Diablo // I’m still trying to really get a handle on what I think of this album, but I’ve definitely listened to it a lot over the past week or two. I think I’m appreciating it principally for its nostalgic value: it has lots of beats and sounds from late-90s/early-00s nu-metal and rap. So I don’t think that it’s ‘quality’ per se, but it definitely speaks to my younger self.

Neat Podcast Episodes

  • Lawfare – Jack Goldsmith Talks to Former Secretary of Defense Ash Carter // To begin: I’m never a huge fan of a Secretary of Defense who is a strong advocate for war, and Ash Carter is definitely that class of Secretary. However, he provides a superb view of the entirety of the Defense Department and what goes into running it, as well as the baseline challenges of both engaging in offensive cyber operations and the role(s) of legal counsel in developing military operations. If you want an insider’s view of the different layers of the Pentagon, and how the institution has developed over the past few decades, then this is a great episode to listen to.
  • Frontburner – What did Canadian peacekeepers accomplish in Mali? // Richard Poplak has a no-nonsense, direct discussion with Michelle Shephard of just how little value Canada derived from its half-billion dollar peacekeeping commitment to Mali. At least part of that failure is linked to how Canada’s foreign policy had to be entirely recalculated to deal with Donald Trump when he was elected President, but certainly not everything can be laid at Trump’s feet.
  • The Secret History of the Future – Meat and Potatoes // I have to admit, I never really thought about how important potatoes were to the Europeans in establishing a reliable source of caloric intake, nor how you could connect the potato with contemporary efforts to find new foods to both feed the contemporary world and save the environment at the same time. If you want to think a bit more about the source of your food, today, and what it might mean for your food, tomorrow, then this is a solid episode to sink your…ears?…into.
  • The Secret History of the Future – Infinite Scroll // Proving once more that everything new is really just the old reborn, Slate examines how Renaissance scholars were entirely overwhelmed by information and had pretty well the exact same issues with information, then, as contemporary societies do with the growth of the Internet and rapid spread of information. It’s interesting to hear how scholars and the public fought against things like indices, tables of contents, and reviews of books; similarly, today, we hear people push back against any and all efforts to summarize, synthesize, or distil books, articles, and (even) podcasts. The commonality between the arguments of yore and today are largely identical, which speaks to how important it is to take history into account when evaluating the travails of the contemporary era.
  • Lawfare – Jonna Mendez on ‘The Moscow Rules’ // Ever been curious about the different tricks that were used by CIA case officers in Moscow during the height of the Cold War? Then this is the episode for you! Mendez, a former CIA officer, recounts the various techniques, technologies, and troubles that the agency developed and overcame in the process of engaging in espionage against the most equally matched adversary in the world on their home turf. Though mentioned somewhat sparingly, there are lessons to be gained from the stories she recounts from her time in the Cold War, including the very real value (at the time, for the USA) of obtaining military technology secrets well in advance of the technologies entering production: with these secrets in hand, as an example, the USA successfully built in countermeasures to Soviet radar systems. Today, you can imagine how the Chinese government’s theft of American and other allies’ military secrets may similarly position that government to develop countermeasures much, much faster than otherwise expected.

Good Reads

  • ‘Orientalism,’ Then and Now // Shatz’ review of Said’s Orientalism and application of its key insights to the geopolitical changes in how the Other is conceived of — as now a threat, not because it is external and to be created through our knowledge of it, but because it is within us and is changing ‘Us’ — presents a stark view on the era of racism, fascism, and ignorance today. Whereas the orientalism that Said focused on was, principally, that linked to elite power-knowledge constructions that served the West’s practices of colonization, today’s is born of a deliberate lack of expertise and knowledge. Whereas the past cast the Other as external and a threat, today the Other is within and consequently domestic politics is the focus of elites’ aggressions. While Shatz is hesitant to assert that the end is nigh, his hopefulness towards the end of the essay is perhaps not as hopeful as he imagines: there are, indeed, efforts to defray, mitigate, and prevent the contemporary situations of hardened and violent orientalism. But despite the power and influence of art it remains unclear to me how effective these cultural acts of resistance genuinely are against a structural practice of aggression, harm, and ignorance.
  • Congress Will Ignore Trump’s Foreign Affairs Budget Request. Others Will Not. // Both chambers of the US legislature are opposed to the significant cuts that the Trump administration has sought in its budget appropriations. However, the signals sent by the administration have meant, internal to the State department, that staff resistant to democracy promotion have enjoyed enhanced status and positions in pushing back against attempts to preach American values abroad and who are, instead, advancing the transactionalist style of politics favoured by the current administration. Simultaneously, autocratic leaders abroad have taken the administration’s stance as a signal that their activities are not going to be denounced, or strongly opposed, and sometimes even supported, by the American government. While all of these signals may change following the next presidential election (though perhaps not!), the denigration of the State department is not something that can be remedied by electing a new president: it will take decades to rebuild trust, restrengthen ties, and hire and train new staff. The long term effects of the Trump administration will be felt throughout the world for a very, very long time regardless of whether he is currently in the White House.
  • Doug Ford’s Legal Aid Guarantee // This quotation from Spratt’s assessment of the Ontario government’s cuts to legal aid speaks volumes: “Unrepresented accused are also more likely to be steamrolled in our courts. You see, our justice system is adversarial and only functions if the adversaries – the prosecution and the defense – are equally matched. An impoverished, marginalized, or unsophisticated self-represented litigant stands no chance against the well-funded state. With odds stacked against them, many unrepresented accused are coerced into pleading guilty, even when they are not. Because of Ford, there will be more wrongful convictions.” Worse, given that legal aid is being cut to assist in bail hearings, more accused will simply plea out so that they can go home and work the jobs they have to try and survive; losing the job they have could have catastrophic consequences, as could being unable to get home to care for their young family members. Ford’s cuts won’t save money in the short term and will almost certainly lead to increased court time and costs, and remuneration to those improperly convicted, going decades into the future.
  • The Future of the City Doesn’t Have to be Childless // I fundamentally agree with the premise of the article written by Love and Vey. Cities are very much being designed without families—or, at least, middle- and lower-class families—in mind. I agree that parks and other amenities are needed, as are spaces to facilitate youth development and lower income housing. But that isn’t enough: housing has become an investment space, where hundreds or thousands of properties are traded in an instant by holding companies, and where developers are building for investors rather than residents. We need to correct the market by pushing market forces out of housing development: rental buildings need to be prioritized for development, and developers of high rise condos obligated to pay significant fees to foster inclusive social properties around their buildings. Doing anything less just picks around the edges of the catastrophes propagated by the market in urban environments.
  • The Future of Photography // I keep thinking about what kinds of cameras I want, and why, and whether I really need them given the technical characteristics of contemporary cameras. I think that this post significantly, though not quite entirely, captures my current thinking when its author writes: “Today all modern cameras give you an image quality that is good enough even for the most demanding applications, in fact most of us will never use their full potential. What we usually do is to make a photo book now and then but most of the time the pictures will be displayed on the internet or on our TVs. So the ever increasing resolution makes no sense anymore. If your camera has 24MP you trow away 66% of the pixels in case you display them on a 4K TV in case you use them for the internet it is 90% or more. If you change to a 61MP camera you just trow (sic) away more pixels. … I think the real key is to offer a satisfying shooting experience so that you just want to take out your camera to take some pictures. A nicely handling camera with a good shutter sound and solid lenses with a real aperture ring is all it takes. That’s why I think Fuji has grown so popular.” The only thing I’d add is this: I really, really like flip out screens and the ability to see what I’m shooting in the bright sun through a view finder.
  • Why we fight for crypto // Robert Graham has a good and high-level assessment of why calls by the US government to undermine the security provided by contemporary cryptography are wrongheaded. Worth the read to recall why all the current Attorney General’s calls, if adopted, would endanger individuals and society, and constitute irresponsible policy proposals that are not supported by an evidentiary record of requiring such modifications to cryptography.
  • How to Prevent and Treat Tick Bites and Lyme Disease // Part of a broader, and frankly disturbing, special series on ticks and the dangers they pose, Heid’s short article gives you all the information you need to limit the likelihood of getting bitten by a tick, what to do should you discover one on you, and how to respond should Lyme disease symptoms appear.
  1. Recognizing that a ‘fast’ compact lens isn’t really all that fast when looking at full frame or even APS-C equivalencies.
  2. I’m in love with the idea of shooting in the rain, but not so much the actual getting wet part, so I don’t think I need full waterproofing, and most cameras can take a bit of light rain here or there in my experience.
Quote

If anything, what [Bytes, Bombs and Spies] points out is how little value you can get from traditional political-science terms and concepts. Escalatory ladder makes little sense with a domain where a half-decade of battlefield preparation and pre-placement are required for attacks, where attacks have a more nebulous connection to effect, deniability is a dominant characteristic, and where intelligence gathering and kinetic effect require the same access and where emergent behavior during offensive operations happens far beyond human reaction time.

Aside

2019.1.17

Nothing quite like starting the day by refreshing a password that was apparently compromised, and then trying to determine where/how the operators might have obtained the login credentials in the first place. Still, props to Google’s AI systems for detecting the aberrant login attempt and blocking it, as well as for password managers which make having unique login credentials for every service so easy to manage/replace.

Review of the Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon

Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon

Rating: ⭐️⭐️⭐️⭐️⭐️

Zetter’s book engages in a heroic effort to summarize, describe, and explain the significance of the NSA’s and Israel’s first ‘cyber weapon’, named Stuxnet. This piece of malware was used to disrupt the production of nuclear material in Iran as part of broader covert efforts to delimit the country’s ability to construct a nuclear weapon.

Multiple versions of Stuxnet were created, as were a series of complementary or derivative malware species with names such as Duqu and Flame. In all cases the malware was unusually sophisticated and relied on chains of exploits or novel techniques that advanced certain capabilities from academic theory to implementable practice. The reliance on zero-day vulnerabilities (those for which no patches are available), combined with deliberate efforts to subvert the Windows Update system and the use of fraudulently signed digital certificates, bears the hallmarks of developers being willing to compromise global security for the sake of a specific American-Israeli malware campaign. In effect, the decision to leave the world’s computers vulnerable to the exploits used in the creation of Stuxnet demonstrates that offence was prioritized over defence by the respective governments and the signals intelligence agencies which authored the malware.

The book regales the reader with any number of politically sensitive tidbits of information: the CIA was responsible for providing some information on Iran’s nuclear ambitions to the IAEA; Russian antivirus researchers were monitored by Israeli (and perhaps other nations’) spies; historically, the CIA and renowned physicists planted false stories in Nature; the formal recognition of cyberspace as the fifth domain of battle in 2010 was merely formal recognition of work that had been ongoing for a decade prior; the shift to a wildly propagating version of Stuxnet likely followed after close access operations were no longer possible, and the flagrancy of the propagation was likely an error; amongst many other bits of information.

Zetter spends a significant amount of time unpacking the ways in which the United States government determines whether a vulnerability should be secretly retained for government use as part of a vulnerabilities equities process. Representatives from the Department of Homeland Security who were quoted in the book noted that they had never received information from the National Security Agency about a vulnerability and, moreover, that in cases where the Agency was already exploiting a reported vulnerability it was unlikely that disclosure would happen after entering the vulnerability into the equities process. As noted by any number of people in the course of the book, the failure by the United States (and other Western governments) to clearly explain their vulnerabilities disclosure processes, or the manners in which they would respond to a cyber attack, leaves unsettled the norms of digital security and leaves unanswered the norms and policies concerning when (and how) a state will respond to cyber attacks. To date these issues remain as murky as when the book was published in 2014.

The Countdown to Zero Day, in many respects, serves to collate a large volume of information that has otherwise existed in the public sphere. It draws in interviews, past technical and policy reports, and a vast quantity of news reports. But more than just collating materials it also explains the meanings of them, draws links between them that had not previously been made in such clear or straightforward fashions, and explains the broader implications of the United States’ and Israel’s actions. Further, the details of the book render (more) transparent how anti-virus companies and malware researchers conduct their work, as well as the threats to that work in an era when a piece of malware could be used by a criminal enterprise or a major nation-state actor with a habit of proactively working to silence researchers. The book remains an important landmark in the history of security journalism, cybersecurity, and the politics of cybersecurity. I would heartily recommend it to a layperson and expert alike.

Quote

If those responsible for security believe that the law does not give them enough power to protect security effectively, they must try to persuade the law-makers, Parliament and the provincial legislatures, to change the law. They must not take the law into their own hands. This is a requirement of a liberal society.

  • Canada, Commission of Inquiry Concerning Certain Activities of the Royal Canadian Mounted Police, Second Report: Freedom and Security Under the Law, vol 1, Part II (Ottawa: Privy Council Office, 1981) at 45.

The Roundup for April 23-27, 2018 Edition

Hidden Point by Christopher Parsons

I shifted over to this domain name, and WordPress environment, a little over eight months ago. In addition to moving multiple years of content I also committed to at least one post a week and, ideally, to posting many more than that!

I’ve been largely successful with meeting those goals. As such, I’ve been able to maintain a regular personal writing habit. It’s also meant I’ve locked down some of my ruminations and thoughts so that I can reflect on them later on down the line.

However, there are some things that I’m not entirely happy with. First, I’ve been privately writing small ‘reviews’ of books and movies but haven’t gotten around to posting them here. Part of that is wanting to do them ‘well’ and the other reason is that I’m trying to decide if I should have posts and then a master page that links to the posts, or just posts, or just a page. But expect that to be figured out pretty soon.1 I also really like the idea of putting up a gear/software list of things that I routinely use, and want to steal an idea from a friend of mine who posts the podcasts that she’s really into at any given time. And I want to put some thought into developing a public blogroll, likely based on the RSS feeds that I consume, though I admit that I’m not entirely sure of the utility of blogrolls in this day and age.

The reason for contemplating these changes to some of the content and structure? Mostly because I think I can move more of my writing to this location; there’ve only been a few times that I thought I was getting too ‘close’ to mimicking the work on my professional web presence or private journal, and even then the tone was sufficiently different that it belonged here as opposed to those other locations. But I’m also motivated to modify some of the content here because I want what I write to be interesting and useful for other people; I often find that bloggers’ reviews and insights about the things they use are the only way that I discover the existence of certain tools, products, workflows, and cultural items. So I want to give back to others, just as they have freely given to me and everyone else who visits (or has visited) their sites.


I spent some time this week writing about a recent proposal to significantly weaken the security of the devices we carry with us on a daily basis. In short, I think that the proposal:

doesn’t address the real technical or policy problems associated with developing a global backdoor system to our most personal electronic devices. Specifically the architect of the solution overestimates the existent security characteristics of contemporary devices, overestimates the ability of companies to successfully manage a sophisticated and globe-spanning key management system, fails to address international policy issues about why other governments couldn’t or wouldn’t demand similar kinds of access (think Russia, China, Iran, etc), fails to contemplate an adequate key revocation system, and fails to adequately explain why the exceptional access system he envisions is genuinely needed.

Device security, and especially efforts to weaken it, fundamentally raises technical and policy issues. Neither type of issue can be entirely divorced from the other, and it’s important to recognize that the policy issues are both domestic and international; failing to address them both, at the same time, means that any proposal will almost certainly have terminal weaknesses.


Inspiring Quotation of the Week

“Do not let anything that happens in life be important enough that you’re willing to close your heart over it.”

— Michael A. Singer

Great Photography Shots

The shots from this year’s Sony 2018 World Photography Awards are stunning. Here are some of my favourites:

“Untitled” from the series “Ex-Voto” © Alys Tomlinson, United Kingdom, Photographer of the Year, Professional, Discovery, 2018 Sony World Photography Awards

“Letter of departure” © Edgar Martins, Portugal, 1st Place, Professional, Still Life (Professional competition), 2018 Sony World Photography Awards

Music I’m Digging

Neat Podcast Episodes

Good Reads for the Week

Footnotes

  1. I suspect I’ll opt for a post per review, with them aggregated on a distinct page.

The Roundup for April 14-20, 2018 Edition

Walkways by Christopher Parsons

Earlier this year, I suggested that the current concerns around Facebook data being accessed by unauthorized third parties wouldn’t result in users leaving the social network in droves. Not just because people would be disinclined to actually leave the social network but because so many services use Facebook.

Specifically, one of the points that I raised was:

3. Facebook is required to log into a lot of third party services. I’m thinking of services from my barber to Tinder. Deleting Facebook means it’s a lot harder to get a haircut and impossible to use something like Tinder.

At least one company, Bumble, is changing its profile confirmation methods: whereas previously all Bumble users linked their Facebook information to their Bumble account for account identification, the company is now developing its own verification system. Should a significant number of companies end up following Bumble’s model then this could have a significant impact on Facebook’s popularity, as some of the ‘stickiness’ of the service would be diminished.1

I think that people moving away from Facebook is a good thing. But it’s important to recognize that the company doesn’t just provide social connectivity: Facebook has also made it easier for businesses to secure login credentials and (in other cases) ‘verify’ identity.2 In effect, one of the trickiest parts of onboarding customers has been handled by a third party that was well resourced both to collect that data and to secure it against data breaches. As smaller companies assume these responsibilities, without the equivalent of Facebook’s security staff, they are going to have to get very good, very fast, at protecting their customers’ information from data breaches. While it’s certainly not impossible for smaller companies to rise to the challenge, it won’t be a cost-free endeavour, either.

It will be interesting to see if more companies move over to Bumble’s approach or if, instead, businesses and consumers alike merely shake their heads angrily at Facebook and continue to use the service despite its failings. For what it’s worth, I continue to think that people will just shake their heads angrily and that little will actually come of the Cambridge Analytica story in terms of affecting the behaviours and desires of most Facebook users, unless there are continued, rapid, and sustained violations of Facebook users’ trust. But hope springs eternal and so I genuinely do hope that people shift away from Facebook and towards more open, self-owned, and interesting communications and networking platforms.


Thoughtful Quotation of the Week

The brands themselves aren’t the problem, though: we all need some stuff, so we rely on brands to create the things we need. The problem arises when we feel external pressure to acquire as if new trinkets are a shortcut to a more complete life. That external pressure shouldn’t be a sign to consume. If anything, it’s a sign to pause and ask, “Who am I buying this for?”

Great Photography Shots

I was really stunned by Zsolt Hlinka’s architectural photography, which was featured on My Modern MET.

Music I’m Digging

Neat Podcast Episodes

Good Reads for the Week

Cool Things

Footnotes

  1. I think that the other reasons I listed in my earlier post will still hold. Those points were:

    1. Few people vote. And so they aren’t going to care that some shady company was trying to affect voting patterns.
    2. Lots of people rely on Facebook to keep passive track of the people in their lives. Unless communities, not individuals, quit there will be immense pressure to remain part of the network.

  2. I’m aware that it’s easy to establish a fake Facebook account and that such activity is pretty common. Nevertheless, an awful lot of people use their ‘real’ Facebook accounts, which carry real verification information such as email addresses and phone numbers.
Link

Serious Vulnerabilities (Probably) Found in All iOS Devices

From Forbes:

The Israeli firm, a subsidiary of Japan’s Sun Corporation, hasn’t made any major public announcement about its new iOS capabilities. But Forbes was told by sources (who asked to remain anonymous as they weren’t authorized to talk on the matter) that in the last few months the company has developed undisclosed techniques to get into iOS 11 and is advertising them to law enforcement and private forensics folk across the globe. Indeed, the company’s literature for its Advanced Unlocking and Extraction Services offering now notes the company can break the security of “Apple iOS devices and operating systems, including iPhone, iPad, iPad mini, iPad Pro and iPod touch, running iOS 5 to iOS 11.” Separately, a source in the police forensics community told Forbes he’d been told by Cellebrite it could unlock the iPhone 8. He believed the same was most probably true for the iPhone X, as security across both of Apple’s newest devices worked in much the same way.

If Cellebrite has, indeed, found a way of compromising all current iOS devices then they’ve accomplished a pretty impressive task. I have to wonder whether the vulnerabilities emerged from studying the iBoot leak or from their own software or hardware research. Assuming Cellebrite’s claims are legitimate, they serve to underscore the position that governments shouldn’t introduce backdoors or vulnerabilities into devices, given that doing so will only exacerbate the existing problems associated with securing them. Security is designed to add friction, not to totally prevent an unauthorized party’s actions, and deliberately reducing that friction will put all users in greater jeopardy.