Tag: Security

Link
Posted on in Links, Reflections

The So-Called Privacy Problems with WhatsApp

(Photo by Anton on Pexels.com)

ProPublica, which is typically known for its excellent journalism, published a particularly terrible piece earlier this week that fundamentally miscast how encryption works and how Facebook vis-a-vis WhatsApp works to keep communications secured. The article, “How Facebook Undermines Privacy Protections for Its 2 Billion WhatsApp Users,” focuses on two so-called problems.

The So-Called Privacy Problems with WhatsApp

First, the authors explain that WhatsApp has a system whereby recipients of messages can report content they have received to WhatsApp on the basis that it is abusive or otherwise violates WhatsApp’s Terms of Service. The article frames this reporting process as a way of undermining privacy on the basis that secured messages are not kept solely between the sender(s) and recipient(s) of the communications but can be sent to other parties, such as WhatsApp. In effect, the ability to voluntarily forward messages to WhatsApp that someone has received is cast as breaking the privacy promises that have been made by WhatsApp.

Second, the authors note that WhatsApp collects a large volume of metadata in the course of using the application. Using lawful processes, government agencies have compelled WhatsApp to disclose metadata on some of their users in order to pursue investigations and secure convictions against individuals. The case that is focused on involves a government employee who leaked confidential banking information to Buzzfeed, and which were subsequently reported out.

Assessing the Problems

In the case of forwarding messages for abuse reporting purposes, encryption is not broken and the feature is not new. These kinds of processes offer a mechanism that lets individuals self-identify and report on problematic content. Such content can include child grooming, the communications of illicit or inappropriate messages or audio-visual content, or other abusive information.

What we do learn, however, is that the ‘reactive’ and ‘proactive’ methods of detecting abuse need to be fixed. In the case of the former, only about 1,000 people are responsible for intaking and reviewing the reported content after it has first been filtered by an AI:

Seated at computers in pods organized by work assignments, these hourly workers use special Facebook software to sift through streams of private messages, images and videos that have been reported by WhatsApp users as improper and then screened by the company’s artificial intelligence systems. These contractors pass judgment on whatever flashes on their screen — claims of everything from fraud or spam to child porn and potential terrorist plotting — typically in less than a minute.


Further, the employees are often reliant on machine learning-based translations of content which makes it challenging to assess what is, in fact, being communicated in abusive messages. As reported,

… using Facebook’s language-translation tool, which reviewers said could be so inaccurate that it sometimes labeled messages in Arabic as being in Spanish. The tool also offered little guidance on local slang, political context or sexual innuendo. “In the three years I’ve been there,” one moderator said, “it’s always been horrible.”

There are also proactive modes of watching for abusive content using AI-based systems. As noted in the article,

Artificial intelligence initiates a second set of queues — so-called proactive ones — by scanning unencrypted data that WhatsApp collects about its users and comparing it against suspicious account information and messaging patterns (a new account rapidly sending out a high volume of chats is evidence of spam), as well as terms and images that have previously been deemed abusive. The unencrypted data available for scrutiny is extensive. It includes the names and profile images of a user’s WhatsApp groups as well as their phone number, profile photo, status message, phone battery level, language and time zone, unique mobile phone ID and IP address, wireless signal strength and phone operating system, as a list of their electronic devices, any related Facebook and Instagram accounts, the last time they used the app and any previous history of violations.

Unfortunately, the AI often makes mistakes. This led one interviewed content reviewer to state that, “[t]here were a lot of innocent photos on there that were not allowed to be on there … It might have been a photo of a child taking a bath, and there was nothing wrong with it.” Often, “the artificial intelligence is not that intelligent.”

The vast collection of metadata has been a long-reported concern and issue associated with WhatsApp and, in fact, was one of the many reasons why many individuals advocate for the use of Signal instead. The reporting in the ProPublica article helpfully summarizes the vast amount of metadata that is collected but that collection, in and of itself, does not present any evidence that Facebook or WhatsApp have transformed the application into one which inappropriately intrudes into persons’ privacy.

ProPublica Sets Back Reasonable Encryption Policy Debates

The ProPublica article harmfully sets back broader policy discussion around what is, and is not, a reasonable approach for platforms to take in moderating abuse when they have integrated strong end-to-end encryption. Such encryption prevents unauthorized third-parties–inclusive of the platform providers themselves–from reading or analyzing the content of the communications themselves. Enabling a reporting feature means that individuals who receive a communication are empowered to report it to a company, and the company can subsequently analyze what has been sent and take action if the content violates a terms of service or privacy policy clause.

In suggesting that what WhatsApp has implemented is somehow wrong, it becomes more challenging for other companies to deploy similar reporting features without fearing that their decision will be reported on as ‘undermining privacy’. While there may be a valid policy discussion to be had–is a reporting process the correct way of dealing with abusive content and messages?–the authors didn’t go there. Nor did they seriously investigate whether additional resources should be adopted to analyze reported content, or talk with artificial intelligence experts or machine-based translation experts on whether Facebook’s efforts to automate the reporting process are adequate, appropriate, or flawed from the start. All those would be very interesting, valid, and important contributions to the broader discussion about integrating trust and safety features into encrypted messaging applications. But…those are not things that the authors choose to delve into.

The authors could have, also, discussed the broader importance (and challenges) in building out messaging systems that can deliberately conceal metadata, and the benefits and drawbacks of such systems. While the authors do discuss how metadata can be used to crack down on individuals in government who leak data, as well as assist in criminal investigations and prosecutions, there is little said about what kinds of metadata are most important to conceal and the tradeoffs in doing so. Again, there are some who think that all or most metadata should be concealed, and others who hold opposite views: there is room for a reasonable policy debate to be had and reported on.

Unfortunately, instead of actually taking up and reporting on the very valid policy discussions that are at the edges of their article, the authors choose to just be bombastic and asserted that WhatsApp was undermining the privacy protections that individuals thought they have when using the application. It’s bad reporting, insofar as it distorts the facts, and is particularly disappointing given that ProPublica has shown it has the chops to do good investigative work that is well sourced and nuanced in its outputs. This article, however, absolutely failed to make the cut.

Link
Posted on in Links

Explaining WhatsApp’s Encryption for Business Communications

Shoshana Wodinsky writing for Gizmodo has a lengthy, and detailed, breakdown of how and why WhatsApp is modifying its terms of service to facilitate consumer-to-business communications. The crux of the shift, really, comes down to:

… in the years since WhatsApp co-founders Jan Koum and Brian Acton cut ties with Facebook for, well, being Facebook, the company slowly turned into something that acted more like its fellow Facebook properties: an app that’s kind of about socializing, but mostly about shopping. These new privacy policies are just WhatsApp’s—and Facebook’s—way of finally saying the quiet part out loud.

What’s going to change? Namely whenever you’re speaking to a business then those communications will not be considered end-to-end encrypted and, as such, the communications content and metadata that is accessible can be used for advertising and other marketing, data mining, data targeting, or data exploitation purposes. If you’re just chatting with individuals–that is, not businesses!–then your communications will continue to be end-to-end encrypted.

For an additional, and perhaps longer, discussion of how WhatsApp’s shifts in policy–now, admittedly, delayed for a few months following public outrage–is linked to the goal of driving business revenue into the company check out Alec Muffett’s post over on his blog. (By way of background, Alec’s been in the technical security and privacy space for 30+ years, and is a good and reputable voice on these matters.)

Link
Posted on in Links

🦓 Zebra Crossing: an easy-to-use digital safety checklist

There are a lot of different security guides, but I think that in terms of trying to balancing being comprehensive, accessible, and directly actionable, Zebra Crossing is amongst the better guides out there. Who’s it for?

1. You use the internet on a day-to-day basis – for work, social media, financial transactions, etc.

2. You feel you could be doing more to ensure your digital safety and privacy, but you’re not in immediate danger. (If you are, seek out an expert for a one-on-one consult.)

3. You’re comfortable with technology. For example, you’re comfortable going into the settings section of your computer/smartphone.

How should it be used?

1. Recommendations have been sorted in ascending levels of difficulty. Start from level one and work your way up!

2. Everyone should follow the recommendations in levels one and two. They will protect you from the widely-used (yet simple) attacks. Going through them shouldn’t take more than 1-2 hours.

3. Level three is a bit more involved in terms of time and money and may not be 100% necessary. But if you’re worried at all and can afford to, we recommend going through that list too. Depending on the amount of digital housekeeping you have to do, it may take anywhere from an hour to an afternoon.

4. The scenarios listed after are for higher-stakes situations — scan them to see if any of them apply to you. (Because the stakes are higher, they assume that you’ve done everything in levels 1-3.)

Another great resource is Consumer Reports’ Security Planner. While it’s not designed to comprehensively guide you through upgrading your security profile, it is probably even better for helping individuals improve specific security practices.

Link
Posted on in Links, Reflections

VPN and Security Friction

Troy Hunt spent some time over the weekend writing on the relative insecurity of the Internet and how VPNs reduce threats without obviating those threats entirely. The kicker is:

To be clear, using a VPN doesn’t magically solve all these issues, it mitigates them. For example, if a site lacks sufficient HTTPS then there’s still the network segment between the VPN exit node and the site in question to contend with. It’s arguably the least risky segment of the network, but it’s still there. The effectiveness of black-holing DNS queries to known bad domains depends on the domain first being known to be bad. CyberSec is still going to do a much better job of that than your ISP, but it won’t be perfect. And privacy wise, a VPN doesn’t remove DNS or the ability to inspect SNI traffic, it simply removes that ability from your ISP and grants it to NordVPN instead. But then again, I’ve always said I’d much rather trust a reputable VPN to keep my traffic secure, private and not logged, especially one that’s been independently audited to that effect.

Something that security professionals are still not great at communicating—because we’re not asked to and because it’s harder for regular users to use the information—is that security is about adding friction that prevents adversaries from successfully exploiting whomever or whatever they’re targeting. Any such friction, however, can be overcome in the face of a sufficiently well-resourced attacker. But when you read most articles that talk about any given threat mitigation tool what is apparent is that the problems that are faced are systemic; while individuals can undertake some efforts to increase friction the crux of the problem is that individuals are operating in an almost inherently insecure environment.

Security is a community good and, as such, individuals can only do so much to protect themselves. But what’s more is that their individual efforts functionally represent a failing of the security community, and reveals the need for group efforts to reduce the threats faced by individuals everyday when they use the Internet or Internet-connected systems. Sure, some VPNs are a good thing to help individuals but, ideally, these are technologies to be discarded in some distant future after groups of actors successfully have worked to mitigate the threats that lurk all around us. Until then, though, adopting a trusted VPN can be a very good idea if you can afford the costs linked to them.

Posted on in Links, Roundup

The Roundup for June 1-30, 2020 Edition

(Urban King by Christopher Parsons)

Welcome to this edition of The Roundup! Enjoy the collection of interesting, informative, and entertaining links. Brew a fresh cup of coffee or grab yourself a drink, find a comfortable place, and relax.

I put together, and self-published, another photobook that is entitled “Pandemic Chronicles: Book I”. Each week that my city has been in (functional) lockdown, I’ve gone out once or twice and made images while just stretching my legs outside.

Over the past four months it’s often been hard to figure out how, exactly, I’ve been processing the life changes that have been imposed as a result of the pandemic. My life has, in many respects, reverted to that of my life during my PhD. So, lots of time inside and rarely leaving leaving my home, and having considerably less social contact than normal.

I think that it’s through my photos that I can best appreciate how I’ve felt, in retrospect, and understand how those images reflect how I see the world. The book that I made isn’t particularly dark: it’s just…lonely. It showcases the city that I live in, without the people that make it the city that I love. It shows people living their lives, often alone or separate from others, or while engaging in ‘safe’ behaviours. And, towards the end, it shows the light returning to Toronto, though in a format that differs from prior summers.

Photography has, and remains, a way for me to engage a creative part of my brain that otherwise would lie fallow. And, also, it’s operated as a meditative process that uncovers how I have been in the world, and how the world has been presented to me. As someone who has struggled with the idea of a ‘narrative’ in image making, I think that this book is a breakthrough because it ‘says’ something in aggregate that is more than just a presentation of visually pleasant images: it speaks to where I live, and how it has endured in the wake of the city’s closure. Is it the height of art? No. But it’s the closest I’ve come in this medium so far!

Inspiring Quotation

“Good” can be a stifling word, a word that makes you hesitate and stare at a blank page and second-guess yourself and throw stuff in the trash. What’s important is to get your hands moving and let the images come. Whether it’s good or bad is beside the point. Just make something.

Austin Kleon

Great Photography Shots

(Photos included in ‘Pandemic Chronicles: Book I’ by Christopher Parsons)

Music I’m Digging

This month has been packed with a lot of listening, with some alternative and R&B pretty tightly mixed in with hip hop. The best of what I listened to in June includes tracks from Yung Tory’s Rastar (including Mizu, Water Pt 2, and Netflix & Chill), Kali Uchis’s TO FEEL ALIVE (EP), HONNE’s no song without you (Single), and 6LACK’s 6pc Hot(EP).

Neat Podcast Episodes

I’ve been listening to a pair of new podcast shows over the past month that I’d recommend. From the CBC, there’s This Is Not A Drake Podcast, which uses Drake as a way to talk more about the history of rap and hip hop. So far I’ve really appreciated the episode on mixtapes, as well as the connotations of Nice Guy rappers.

Very differently, I’ve also been listening to the Globe and Mail’s series, Stress Test, which is about money issues facing millennials in the time of Covid. The episodes haven’t been staggering brilliant (a lot of the advice is pretty time tested) but the caution and suggestions are all helpful reminders.

Good Reads

  • Reflections from an “Accidental” Mentor // Prof. McNamara’s discussion of what it means to be a mentor— first and foremost modelling who we are, as individuals, rather than fitting within a particular narrow category of who we are normatively expected to be—is good advice, and important if we are to expand what is ‘normal’ within academia. She also focuses on celebrating the commonality across scholars; we’re all nerds, at heart, and so should focus on those attributes to create community. I agree, but for myself it’s more than that: it’s also about ensuring that the structures of professional environments are re-articulated to enable more junior persons to experience their jobs and professions in ways that weren’t possible, previously. It’s not just about focusing on commonality but, also, assessing baseline principles and values and ensuring that they conform in theory and practice with welcoming, creative, equitable, and inclusive environments. And, finally, it’s about accepting and making clear that as mentors we are fallible and human, and creating workspaces where others can also betray these inherently human (and humanizing) characteristics.
  • Jon Stewart Is Back to Weigh In // Jon Stewart’s comments throughout this interview are worth the read; his assessment of the problems of contemporary political media—centred around the ‘need’ for content to fuel a 24/7 media environment—as well as for the media to engage in structural assessment of practices, are on point. Similarly, his discussion of the nature of racism in American society (but, also, Canada) strikes to the heart of things: even if someone isn’t deliberately malicious in deed or thought, they are conditioned by the structures of society and power in which they live their lives. And those very structures are, themselves, racist in their origin and contemporary design.
  • Hacking Security // Goerzen and Coleman do a terrific job in unpacking the history of what is secured by computer security experts, and why certain things are within or outside of bounds for securing. Critically, while experts may be involved in protecting ‘assets’ or combatting ‘abuse’, where threats to assets or abuse arise from the underlying profit mechanisms associated with large technology companies, those mechanisms are seen as outside of bounds for security teams to engage with. Similarly, the failure of security teams to consider, or address, ‘political’ issues such as abusive speech, harmful video content, or propagation of racist or white supremacist content all showcase the need to critically interrogate what is, and isn’t, made secure, and to expand security teams by adding social scientists and humanities scholars: technology is political, and we need security teams to have members who are trained and competent to consider those politics.
  • Once Safer Than Gold, Canadian Real Estate Braces for Reckoning // Canadians have been doubling down on their debt-loads for over a decade to the point, today, that on average Canadians owe north of $1.76 per $1.00 of income, with that number rising in the country’s largest cities. Housing is particularly vulnerable and, if it is destabilized, can be devastating to the Canadian economy more broadly given that it accounts for around %15 of GDP; slowdowns in housing will delay the revival of the Canadian economy, while simultaneously threatening the ability of Canadians to stay in their homes—now—or retain their savings to invest for their retirements—in the future. If anything good comes of this, maybe it will be a reminder that allocating the majority of your savings into a single asset is, indeed, not a good long-term investment solution which could have knock on effects if investors decide they want to move to their next bubble, and let the housing bubble deflate as gracefully as possible.
  • Sure, The Velociraptors Are Still On The Loose, But That’s No Reason Not To Reopen Jurassic Park // McSweeney’s, once more, showcases the merits of satire in the vein of Swift’s A Modest Proposal, this time in the era of government failures in the face of pandemic.
  • You Want a Confederate Monument? My Body Is a Confederate Monument // “I have rape-coloured skin.” Not only is this perhaps the most poignant lede I’ve come across in an opinion piece in years, it also sets the stakes for the Williams’ article; the very skin of many Americans (and Canadians) is a testament to violent and racist actions taken against women who were forced from their homes to live as slaves. That testament continues, today, and not just in the monuments that were established in the Jim Crow era to deliberately attempt to continue subjugating Black persons, but in the very skin inhabited by the grandchildren and great-grandchildren of enslaved people.
  • Vladimir Putin’s war of fog: How the Russian President used deceit, propaganda and violence to reshape global politics // I take issue with some of MacKinnon’s choice of language in the first ¼ of the article—he suggests that truth is substantively confused and that Putin’s tactics are more successful that I think are appropriate to concede—but beyond that he’s done a masterful job in creating an overview of who Putin is, what he’s done, and how he’s come to (and held onto) power. If you’re a long-time Russia watcher you may dispute where MacKinnon puts some of his emphasis, or in his assessment of some events, but I don’t think that you can deny that this is a helpful article that provide the broad contours of Putin’s life and career. And, after having read it, it will hopefully inspire people to learning more of the financial, military, or other scandals that have happened throughout Putin’s leadership of Russia.

Cool Things

  • iPad OS + Magic Trackpad 2 // Lots of people already have figured this out but…the new version of iPad OS + a Magic Trackpad 2 and a keyboard is a really, really compelling combination. I’ve using this as my writing and work system for a little while and it continues to prove to me how robust the iPad actually is, and how many of the pain points have been, or are being, ground away with each version of the operating system. That said, some of the gestures are very, very opaque—in particular those associated with the slide over window—and so you may want to review how, exactly, those gestures really work to get the most out of the process (and not get frustrated when certain windows just won’t go away!)
Posted on in Links, Photography, Roundup

The Roundup for July 14-31, 2019 Edition

(Confused Exposure by Christopher Parsons)

Welcome to this edition of The Roundup! Enjoy the collection of interesting, informative, and entertaining links. Brew a fresh cup of coffee or grab yourself a drink, find a comfortable place, and relax.

I’m in the process of determining what new camera I want to buy, principally to replace my aging Sony rx100ii. That camera was bought in used condition, and has been to four continents and taken approximately 20K shots. It’s been dropped, frozen, and overheated. And even gotten a little damp from salt air! It owes me little and still produces solid (black and white) images: it seems that in my abuse I did something to the sensor, which means colour images sometimes just turn out absolutely wacky.

So what do I want versus what do I need? I know from my stats that I prefer shooting between 50mm-100mm equivalent. I know that I want a fast lens for the night.1 I don’t take action shots so I don’t need the newer Sony cameras’ tracking magic. I don’t want anything bigger than the Sony—it’s size is a killer feature because I can always carry it around—but definitely want a pop up viewfinder and a 90 degree tilt screen. I don’t want another interchangeable system: my Olympus kit has me covered on that front.

What do I want? I’d love to have easy access to an exposure dial. An internal ND filter would be super great. Some in-body image stabilization would also be stellar, and if I could squeeze in the ability to charge from a USB battery pack while keeping prices under $1,000 that would be perfect. Oh, and something better than Sony’s pretty terrible menu interface!

What don’t I need? Any more than 20MP, actual waterproofing2, a big body or permanent viewfinder, an APS-C sensor, audio-in features, dual SD card slots, or crazy fast tracking.

This currently means I’m very interested in some of the older Sony rx100 cameras—namely the iii and iv—and maybe the new Canon G5Xii. I know my actually photographic outputs are, in order, Instagram, my TV, photos on my wall (no larger than 24×36”), and then photo books. I know a 1” sensor is more than enough for all of those uses. Now I just need to see how the Canon’s reviews shake out, the cost of them, and then evaluate the differential between Canon’s and Sony’s cameras!

Inspiring Quotation

Taking pictures is savouring life intensely, every hundredth of a second.

  • Marc Riboud

Great Photography Shots

I have a set of abstract photos that I’ve taken over the years and, to date, while I appreciate them they aren’t ones that I’ve decided to print or routinely display. Still, several of the below abstracts (taken on smartphones) are inspiring just to look at and think about the process of developing the respective compositions.

(‘Last ices of the winter‘ by @paulenovemb)

(‘Untitled‘ by @lisalam628)

(‘Villa Savoye by Le Corbusier‘ by @bazillus)

(‘Untitled‘ by @reneetakespics)

Music I’m Digging

  • Goldlink – Diaspora // Goldlink’s album is a terrific summer album: lots of pop notes with a taste of Caribbean beats and good mix between somewhat gravelly male and ethereal female voices. It’s been a lot of fun to listen to while writing or reading, working out, or just doing chores around home.
  • Machine Gun Kelly – Hotel Diablo // I’m still trying to really get a handle on what I think of this album, but I’ve definitely listened to it a lot over the past week or two. I think I’m appreciating it principally for its nostalgic value: it has a lots of beats and sounds from late-90s/early-00s nu-metal and rap. So I don’t think that it’s ‘quality’ per se, but definitely speaks to my younger self.

Neat Podcast Episodes

  • Lawfare – Jack Goldsmith Talks to Former Secretary of Defense Ash Carter // To begin: I’m never a huge fan of a Secretary of Defense who is a strong advocate for war, and Ash Carter is definitely that class of Secretary. However, he provides a superb view of the entirety of the Defense Department and what goes into running it, as well as the baseline challenges of both engaging in offensive cyber operations as well as the role(s) of legal counsel in developing military operations. If you want an insiders view of the different layers of the Pentagon, and how the institution has developed over the past few decades, then this is a great episode to listen to.
  • Frontburner – What did Canadian peacekeepers accomplish in Mali? // Richard Poplak has a non-nonsense, direct, discussion with Michelle Shephard of just how little value Canada derived from its half-billion dollar peacekeeping commitment to Mali. At least part of that failure is linked to how Canada’s foreign policy had to be entirely recalculated to deal with Donald Trump when he was elected President but certainly everything cannot be laid at Trump’s feet.
  • The Secret History of the Future – Meat and Potatoes // I have to admit, I never really thought about how important potatoes were to the Europeans in establishing a reliable source of caloric intake, nor how you could connect the potato with contemporary efforts to find new foods to both feed the contemporary world and save the environment at the same time. If you want to think a bit more about the source of your food, today, and what it might mean for your food, tomorrow, then this is a solid episode to sink your…ears?…into.
  • The Secret History of the Future – Infinite Scroll // Proving once more that everything new is really just the old reborn, Slate examines how Renaissance scholars were entirely overwhelmed by information and had pretty well the exact same issues with information, then, as contemporary societies do with the growth of the Internet and rapid spread of information. It’s interesting to hear how scholars and the public fought against things like indices, tables of contents, and reviews of books; similarly, today, we hear people push back against any and all efforts to summarize, synthesize, or distil books, articles, and (even) podcasts. The commonality between the arguments of yore and today are largely identical, which speaks to how important it is to take history into account when evaluating the travails of the contemporary era.
  • Lawfare – Jonna Mendez on ‘The Moscow Rules // Ever been curious about the different tricks that were used by CIA case officers in Moscow during the height of the Cold War? Then this is the episode for you! Mendez, a former CIA officer, recounts the various techniques, technologies, and troubles that the agency developed and overcame in the process of engaging in espionage against the most equally matched adversary in the world on their home turf. Though mentioned somewhat sparingly, there are lessons to be gained from the stories she recounts from her time in the Cold War, including the very real value (at the time, for the USA) of obtaining military technology secrets well in advance of the technologies entering production: with these secrets in hand, as an example, the USA successfully built in countermeasures to Soviet radar systems. Today, you can imagine how the Chinese government’s theft of American and other allies’ military secrets may similarly position that government to develop countermeasures much, much faster than otherwise expected.

Good Reads

  • ‘Orientalism,’ Then and Now // Shatz’ review of Said’s Orientalism and application of its key insights to the geopolitical changes in how the Other is conceived of — as now a threat, not because it is external and to be created through our knowledge of it, but because it is within us and is changing ‘Us’ — presents a stark view on the era of racism, fascism, and ignorance today. Whereas the orientalism that Said focused on was, principally, that linked to elite power-knowledge constructions that served the West’s practices of colonization, today’s is born of a deliberate lack of expertise and knowledge. Whereas the past cast the Other as external and a threat, today the Other is within and consequently domestic politics is the focus of elites’ aggressions. While Shatz is hesitant to assert that the end is nigh, his hopefulness towards the end of the essay is perhaps not as hopeful as he imagines: there are, indeed, efforts to defray, mitigate, and prevent the contemporary situations of hardened and violent orientalism. But despite the power and influence of art it remains unclear to me how effective these cultural acts of resistance genuinely are against a structural practice of aggression, harm, and ignorance.
  • Congress Will Ignore Trump’s Foreign Affairs Budget Request. Others Will Not. // Both chambers of the US legislature are opposed to the significant cuts that the Trump administration has sought in its budget appropriations. However, the signals sent by the administration have meant, internal to the State department, that staff resistant to democracy promotion have enjoyed enhanced status and positions in pushing back against attempts to preach American values abroad and who are, instead, advancing the transactionalist style of politics favoured by the current administration. Simultaneously, autocratic leaders abroad have taken the administration’s stance as a signal that their activities are not going to be denounced, or strongly opposed, and sometimes even supported, by the American government. While all of these signals may change following the next presidential election (though perhaps not!), the denigration of the State department is not something that can be remedied by electing a new president: it will take decades to rebuild trust, restrengthen ties, and hire and train new staff. The long term effects of the Trump administration will be felt throughout the world for a very, very long time regardless of whether he is currently in the White House.
  • Doug Ford’s Legal Aid Guarantee // This quotation from Spratt’s assessment of the Ontario government’s cuts to legal aid speak volumes: “Unrepresented accused are also more likely to be steamrolled in our courts. You see, our justice system is adversarial and only functions if the adversaries – the prosecution and the defense – are equally matched. An impoverished, marginalized, or unsophisticated self-represented litigant stands no chance against the well-funded state. With odds stacked against them, many unrepresented accused are coerced into pleading guilty, even when they are not. Because of Ford, there will be more wrongful convictions.” Worse, given that legal aid is being cut to assist in bail hearing, more accused will simply plea out so that they can go home and work the jobs they have to try and survive; losing the job they have could have catastrophic consequences, as could being unable to get home to care for their young family members. Ford’s cuts won’t save money in the short term and will almost certainly lead to increased court time and costs, and remuneration to those improperly convicted, going decades into the future.
  • The Future of the City Doesn’t Have to be Childless// I fundamentally agree with the premise of the article written by Love and Vey. Cities are very much being designed without families—or, at least, middle and lower class—families in mind. I agree that parks and other amenities are needed, as are spaces to facilitate youth development and lower income housing. But that isn’t enough: housing has become an investment space, where hundreds or thousands of properties are traded in an instant by holding companies, and where developers are building for investors rather than residents. We need to correct the market by pushing market forces out of housing development: rental buildings need to be prioritized for development, and developers of high rise condos obligated to pay significant fees to foster inclusive social properties around their buildings. Doing anything less just picks around the edges of the catastrophes propagated by the market in urban environments.
  • The Future of Photography // I keep thinking about what kinds of cameras I want, and why, and whether I really need them given the technical characteristics of contemporary cameras. I think that this post significantly, though not quite entirely, captures my current thinking when it’s author writes: “Today all modern cameras give you an image quality that is good enough even for the most demanding applications, in fact most of us will never use their full potential. What we usually do is to make a photo book now and then but most of the time the pictures will be displayed on the internet or on our TVs. So the ever increasing resolution makes no sense anymore. If your camera has 24MP you trow away 66% of the pixels in case you display them on a 4K TV in case you use them for the internet it is 90% or more. If you change to a 61MP camera you just trow (sic) away more pixels. … I think the real key is to offer a satisfying shooting experience so that you just want to take out your camera to take some pictures. A nicely handling camera with a good shutter sound and solid lenses with a real aperture ring is all it takes. That’s why I think Fuji has grown so popular.” The only thing I’d add is this: I really, really like flip out screens and the ability to see what I’m shooting in the bright sun through a view finder.
  • Why we fight for crypto // Robert Graham has a good and high-level assessment of why calls by the US government to undermine the security provided by contemporary cryptography are wrongheaded. Worth the read to recall why all the current Attorney General’s calls, if adopted, would endanger individuals and society, and constitute irresponsible policy proposals that are not supported by an evidentiary record of requiring such modifications to cryptography.
  • How to Prevent and Treat Tick Bites and Lyme Disease // Part of a broader, and frankly disturbing, special series on ticks and the dangers they pose, Heid’s short article gives you all the information you need to limit the likelihood of getting bitten by a tick, and what to do should you discover one on you, and how to respond should lyme disease symptoms appear.
  1. Recognizing that a ‘fast’ compact lens isn’t really all that fast when looking at full frame or even APS-C equivalencies.
  2. I’m in love with the idea of shooting in the rain, but not so much the actual getting wet part, so I don’t think I need full waterproofing and most camera can take a bit of light rain here or there in my experience.
Quote
Posted on in Quotations

If anything, what [Bytes, Bombs and Spies] points out is how little value you can get from traditional political-science terms and concepts. Escalatory ladder makes little sense with a domain where a half-decade of battlefield preparation and pre-placement are required for attacks, where attacks have a more nebulous connection to effect, deniability is a dominant characteristic, and where intelligence gathering and kinetic effect require the same access and where emergent behavior during offensive operations happens far beyond human reaction time.

Aside
Posted on in Aside

2019.1.17

Nothing quite like starting the day by refreshing a password that was apparently compromised, and then trying to determine where/how the operators might have obtained the login credentials in the first place. Still, props to Google’s AI systems for detecting the aberrant login attempt and blocking it, as well as for password managers which make having unique login credentials for every service so easy to manage/replace.

Posted on in Review

Review of the Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon

Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon

Rating: ⭐️⭐️⭐️⭐️⭐️

Zetter’s book engages in a heroic effort to summarize, describe, and explain the significance of the NSA’s and Israel’s first ‘cyber weapon’, named Stuxnet. This piece of malware was used to disrupt the production of nuclear material in Iran as part of broader covert efforts to delimit the country’s ability to construct a nuclear weapon. 

Multiple versions of Stuxnet were created, as were a series of complementary or derivative malware species with names such as Duqu and Flame. In all cases the malware was unusually sophisticated and relied on chains of exploits or novel techniques that advanced certain capabilities from academic theory to implementable practice. The reliance on zero-day vulnerabilities, or those for which no patches are available, combined with deliberate efforts to subvert the Windows Update system as well as use fraudulently signed digital certificates, bear the hallmarks of developers being willing to compromise global security for the sake of a specific American-Israeli malware campaign. In effect, the decision to leave the world’s computers vulnerable to the exploits used in the creation of Stuxnet demonstrate that offence was prioritized over defence by the respective governments and their signals intelligence agencies which authored the malware.

The book regales the reader with any number of politically sensitive tidbits of information: the CIA was responsible for providing some information on Iran’s nuclear ambitions to the IAEA, Russian antivirus researchers were monitored by Israeli (and perhaps other nations’) spies, historically the CIA and renown physicists planted false stories in Nature, the formal recognition as cyberspace as the fifth domain of battle in 2010 was merely formal recognition of work that had been ongoing for a decade prior, the shift to a wildly propagating version of Stuxnet likely followed after close access operations were no longer possible and the flagrancy of the propagation was likely an error, amongst many other bits of information.

Zetter spends a significant amount of time unpacking the ways in which the United States government determines if a vulnerability should be secretly retained for government use as part of a vulnerabilities equities process. Representatives from the Department of Homeland Security who were quoted in the book noted that they had never received information from the National Security Agency of a vulnerability and, moreover, that in cases where the Agency was already exploiting a reported vulnerability it was unlikely that disclosure would happen after entering the vulnerability into the equities process. As noted by any number of people in the course of the book, the failure by the United States (and other Western governments) to clearly explain their vulnerabilities disclosure processes, or the manners in which they would respond to a cyber attack, leaves unsettled the norms of digital security as well as leaves unanswered the norms and policies concerning when (and how) a state will respond to cyber attacks. To date these issues remain as murky as when the book was published in 2014.

The Countdown to Zero Day, in many respects, serves to collate a large volume of information that has otherwise existed in the public sphere. It draws in interviews, past technical and policy reports, and a vast quantity of news reports. But more than just collating materials it also explains the meanings of them, draws links between them that had not previously been made in such clear or straightforward fashions, and explains the broader implications of the United States’ and Israel’s actions. Further, the details of the book render (more) transparent how anti-virus companies and malware researchers conduct their work, as well as the threats to that work in an era when a piece of malware could be used by a criminal enterprise or a major nation-state actor with a habit of proactively working to silence researchers. The book remains an important landmark in the history of security journalism, cybersecurity, and the politics of cybersecurity. I would heartily recommend it to a layperson and expert alike.

Quote
Posted on in Quotations

If those responsible for security believe that the law does not give them enough power to protect security effectively, they must try to persuade the law-makers, Parliament and the provincial legislatures, to change the law. They must not take the law into their own hands. This is a requirement of a liberal society.

  • Canada, Commission of Inquiry Concerning Certain Activities of the Royal Canadian Mounted Police, Second Report: Freedom and Security Under the Law, vol 1, Part II (Ottawa: Privy Council Office, 1981) at 45.