Tag: Security

Posted on in Links, Photography, Roundup

The Roundup for July 14-31, 2019 Edition

(Confused Exposure by Christopher Parsons)

Welcome to this edition of The Roundup! Enjoy the collection of interesting, informative, and entertaining links. Brew a fresh cup of coffee or grab yourself a drink, find a comfortable place, and relax.

I’m in the process of determining what new camera I want to buy, principally to replace my aging Sony rx100ii. That camera was bought in used condition, and has been to four continents and taken approximately 20K shots. It’s been dropped, frozen, and overheated. And even gotten a little damp from salt air! It owes me little and still produces solid (black and white) images: it seems that in my abuse I did something to the sensor, which means colour images sometimes just turn out absolutely wacky.

So what do I want versus what do I need? I know from my stats that I prefer shooting between 50mm-100mm equivalent. I know that I want a fast lens for the night.1 I don’t take action shots so I don’t need the newer Sony cameras’ tracking magic. I don’t want anything bigger than the Sony—it’s size is a killer feature because I can always carry it around—but definitely want a pop up viewfinder and a 90 degree tilt screen. I don’t want another interchangeable system: my Olympus kit has me covered on that front.

What do I want? I’d love to have easy access to an exposure dial. An internal ND filter would be super great. Some in-body image stabilization would also be stellar, and if I could squeeze in the ability to charge from a USB battery pack while keeping prices under $1,000 that would be perfect. Oh, and something better than Sony’s pretty terrible menu interface!

What don’t I need? Any more than 20MP, actual waterproofing2, a big body or permanent viewfinder, an APS-C sensor, audio-in features, dual SD card slots, or crazy fast tracking.

This currently means I’m very interested in some of the older Sony rx100 cameras—namely the iii and iv—and maybe the new Canon G5Xii. I know my actually photographic outputs are, in order, Instagram, my TV, photos on my wall (no larger than 24×36”), and then photo books. I know a 1” sensor is more than enough for all of those uses. Now I just need to see how the Canon’s reviews shake out, the cost of them, and then evaluate the differential between Canon’s and Sony’s cameras!

Inspiring Quotation

Taking pictures is savouring life intensely, every hundredth of a second.

  • Marc Riboud

Great Photography Shots

I have a set of abstract photos that I’ve taken over the years and, to date, while I appreciate them they aren’t ones that I’ve decided to print or routinely display. Still, several of the below abstracts (taken on smartphones) are inspiring just to look at and think about the process of developing the respective compositions.

(‘Last ices of the winter‘ by @paulenovemb)
(‘Untitled‘ by @lisalam628)
(‘Villa Savoye by Le Corbusier‘ by @bazillus)
(‘Untitled‘ by @reneetakespics)

Music I’m Digging

  • Goldlink – Diaspora // Goldlink’s album is a terrific summer album: lots of pop notes with a taste of Caribbean beats and good mix between somewhat gravelly male and ethereal female voices. It’s been a lot of fun to listen to while writing or reading, working out, or just doing chores around home.
  • Machine Gun Kelly – Hotel Diablo // I’m still trying to really get a handle on what I think of this album, but I’ve definitely listened to it a lot over the past week or two. I think I’m appreciating it principally for its nostalgic value: it has a lots of beats and sounds from late-90s/early-00s nu-metal and rap. So I don’t think that it’s ‘quality’ per se, but definitely speaks to my younger self.

Neat Podcast Episodes

  • Lawfare – Jack Goldsmith Talks to Former Secretary of Defense Ash Carter // To begin: I’m never a huge fan of a Secretary of Defense who is a strong advocate for war, and Ash Carter is definitely that class of Secretary. However, he provides a superb view of the entirety of the Defense Department and what goes into running it, as well as the baseline challenges of both engaging in offensive cyber operations as well as the role(s) of legal counsel in developing military operations. If you want an insiders view of the different layers of the Pentagon, and how the institution has developed over the past few decades, then this is a great episode to listen to.
  • Frontburner – What did Canadian peacekeepers accomplish in Mali? // Richard Poplak has a non-nonsense, direct, discussion with Michelle Shephard of just how little value Canada derived from its half-billion dollar peacekeeping commitment to Mali. At least part of that failure is linked to how Canada’s foreign policy had to be entirely recalculated to deal with Donald Trump when he was elected President but certainly everything cannot be laid at Trump’s feet.
  • The Secret History of the Future – Meat and Potatoes // I have to admit, I never really thought about how important potatoes were to the Europeans in establishing a reliable source of caloric intake, nor how you could connect the potato with contemporary efforts to find new foods to both feed the contemporary world and save the environment at the same time. If you want to think a bit more about the source of your food, today, and what it might mean for your food, tomorrow, then this is a solid episode to sink your…ears?…into.
  • The Secret History of the Future – Infinite Scroll // Proving once more that everything new is really just the old reborn, Slate examines how Renaissance scholars were entirely overwhelmed by information and had pretty well the exact same issues with information, then, as contemporary societies do with the growth of the Internet and rapid spread of information. It’s interesting to hear how scholars and the public fought against things like indices, tables of contents, and reviews of books; similarly, today, we hear people push back against any and all efforts to summarize, synthesize, or distil books, articles, and (even) podcasts. The commonality between the arguments of yore and today are largely identical, which speaks to how important it is to take history into account when evaluating the travails of the contemporary era.
  • Lawfare – Jonna Mendez on ‘The Moscow Rules // Ever been curious about the different tricks that were used by CIA case officers in Moscow during the height of the Cold War? Then this is the episode for you! Mendez, a former CIA officer, recounts the various techniques, technologies, and troubles that the agency developed and overcame in the process of engaging in espionage against the most equally matched adversary in the world on their home turf. Though mentioned somewhat sparingly, there are lessons to be gained from the stories she recounts from her time in the Cold War, including the very real value (at the time, for the USA) of obtaining military technology secrets well in advance of the technologies entering production: with these secrets in hand, as an example, the USA successfully built in countermeasures to Soviet radar systems. Today, you can imagine how the Chinese government’s theft of American and other allies’ military secrets may similarly position that government to develop countermeasures much, much faster than otherwise expected.

Good Reads

  • ‘Orientalism,’ Then and Now // Shatz’ review of Said’s Orientalism and application of its key insights to the geopolitical changes in how the Other is conceived of — as now a threat, not because it is external and to be created through our knowledge of it, but because it is within us and is changing ‘Us’ — presents a stark view on the era of racism, fascism, and ignorance today. Whereas the orientalism that Said focused on was, principally, that linked to elite power-knowledge constructions that served the West’s practices of colonization, today’s is born of a deliberate lack of expertise and knowledge. Whereas the past cast the Other as external and a threat, today the Other is within and consequently domestic politics is the focus of elites’ aggressions. While Shatz is hesitant to assert that the end is nigh, his hopefulness towards the end of the essay is perhaps not as hopeful as he imagines: there are, indeed, efforts to defray, mitigate, and prevent the contemporary situations of hardened and violent orientalism. But despite the power and influence of art it remains unclear to me how effective these cultural acts of resistance genuinely are against a structural practice of aggression, harm, and ignorance.
  • Congress Will Ignore Trump’s Foreign Affairs Budget Request. Others Will Not. // Both chambers of the US legislature are opposed to the significant cuts that the Trump administration has sought in its budget appropriations. However, the signals sent by the administration have meant, internal to the State department, that staff resistant to democracy promotion have enjoyed enhanced status and positions in pushing back against attempts to preach American values abroad and who are, instead, advancing the transactionalist style of politics favoured by the current administration. Simultaneously, autocratic leaders abroad have taken the administration’s stance as a signal that their activities are not going to be denounced, or strongly opposed, and sometimes even supported, by the American government. While all of these signals may change following the next presidential election (though perhaps not!), the denigration of the State department is not something that can be remedied by electing a new president: it will take decades to rebuild trust, restrengthen ties, and hire and train new staff. The long term effects of the Trump administration will be felt throughout the world for a very, very long time regardless of whether he is currently in the White House.
  • Doug Ford’s Legal Aid Guarantee // This quotation from Spratt’s assessment of the Ontario government’s cuts to legal aid speak volumes: “Unrepresented accused are also more likely to be steamrolled in our courts. You see, our justice system is adversarial and only functions if the adversaries – the prosecution and the defense – are equally matched. An impoverished, marginalized, or unsophisticated self-represented litigant stands no chance against the well-funded state. With odds stacked against them, many unrepresented accused are coerced into pleading guilty, even when they are not. Because of Ford, there will be more wrongful convictions.” Worse, given that legal aid is being cut to assist in bail hearing, more accused will simply plea out so that they can go home and work the jobs they have to try and survive; losing the job they have could have catastrophic consequences, as could being unable to get home to care for their young family members. Ford’s cuts won’t save money in the short term and will almost certainly lead to increased court time and costs, and remuneration to those improperly convicted, going decades into the future.
  • The Future of the City Doesn’t Have to be Childless// I fundamentally agree with the premise of the article written by Love and Vey. Cities are very much being designed without families—or, at least, middle and lower class—families in mind. I agree that parks and other amenities are needed, as are spaces to facilitate youth development and lower income housing. But that isn’t enough: housing has become an investment space, where hundreds or thousands of properties are traded in an instant by holding companies, and where developers are building for investors rather than residents. We need to correct the market by pushing market forces out of housing development: rental buildings need to be prioritized for development, and developers of high rise condos obligated to pay significant fees to foster inclusive social properties around their buildings. Doing anything less just picks around the edges of the catastrophes propagated by the market in urban environments.
  • The Future of Photography // I keep thinking about what kinds of cameras I want, and why, and whether I really need them given the technical characteristics of contemporary cameras. I think that this post significantly, though not quite entirely, captures my current thinking when it’s author writes: “Today all modern cameras give you an image quality that is good enough even for the most demanding applications, in fact most of us will never use their full potential. What we usually do is to make a photo book now and then but most of the time the pictures will be displayed on the internet or on our TVs. So the ever increasing resolution makes no sense anymore. If your camera has 24MP you trow away 66% of the pixels in case you display them on a 4K TV in case you use them for the internet it is 90% or more. If you change to a 61MP camera you just trow (sic) away more pixels. … I think the real key is to offer a satisfying shooting experience so that you just want to take out your camera to take some pictures. A nicely handling camera with a good shutter sound and solid lenses with a real aperture ring is all it takes. That’s why I think Fuji has grown so popular.” The only thing I’d add is this: I really, really like flip out screens and the ability to see what I’m shooting in the bright sun through a view finder.
  • Why we fight for crypto // Robert Graham has a good and high-level assessment of why calls by the US government to undermine the security provided by contemporary cryptography are wrongheaded. Worth the read to recall why all the current Attorney General’s calls, if adopted, would endanger individuals and society, and constitute irresponsible policy proposals that are not supported by an evidentiary record of requiring such modifications to cryptography.
  • How to Prevent and Treat Tick Bites and Lyme Disease // Part of a broader, and frankly disturbing, special series on ticks and the dangers they pose, Heid’s short article gives you all the information you need to limit the likelihood of getting bitten by a tick, and what to do should you discover one on you, and how to respond should lyme disease symptoms appear.
  1. Recognizing that a ‘fast’ compact lens isn’t really all that fast when looking at full frame or even APS-C equivalencies.
  2. I’m in love with the idea of shooting in the rain, but not so much the actual getting wet part, so I don’t think I need full waterproofing and most camera can take a bit of light rain here or there in my experience.
Quote
Posted on in Quotations

If anything, what [Bytes, Bombs and Spies] points out is how little value you can get from traditional political-science terms and concepts. Escalatory ladder makes little sense with a domain where a half-decade of battlefield preparation and pre-placement are required for attacks, where attacks have a more nebulous connection to effect, deniability is a dominant characteristic, and where intelligence gathering and kinetic effect require the same access and where emergent behavior during offensive operations happens far beyond human reaction time.

Aside
Posted on in Aside

2019.1.17

Nothing quite like starting the day by refreshing a password that was apparently compromised, and then trying to determine where/how the operators might have obtained the login credentials in the first place. Still, props to Google’s AI systems for detecting the aberrant login attempt and blocking it, as well as for password managers which make having unique login credentials for every service so easy to manage/replace.

Posted on in Review

Review of the Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon

Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon

Rating: ⭐️⭐️⭐️⭐️⭐️

Zetter’s book engages in a heroic effort to summarize, describe, and explain the significance of the NSA’s and Israel’s first ‘cyber weapon’, named Stuxnet. This piece of malware was used to disrupt the production of nuclear material in Iran as part of broader covert efforts to delimit the country’s ability to construct a nuclear weapon. 

Multiple versions of Stuxnet were created, as were a series of complementary or derivative malware species with names such as Duqu and Flame. In all cases the malware was unusually sophisticated and relied on chains of exploits or novel techniques that advanced certain capabilities from academic theory to implementable practice. The reliance on zero-day vulnerabilities, or those for which no patches are available, combined with deliberate efforts to subvert the Windows Update system as well as use fraudulently signed digital certificates, bear the hallmarks of developers being willing to compromise global security for the sake of a specific American-Israeli malware campaign. In effect, the decision to leave the world’s computers vulnerable to the exploits used in the creation of Stuxnet demonstrate that offence was prioritized over defence by the respective governments and their signals intelligence agencies which authored the malware.

The book regales the reader with any number of politically sensitive tidbits of information: the CIA was responsible for providing some information on Iran’s nuclear ambitions to the IAEA, Russian antivirus researchers were monitored by Israeli (and perhaps other nations’) spies, historically the CIA and renown physicists planted false stories in Nature, the formal recognition as cyberspace as the fifth domain of battle in 2010 was merely formal recognition of work that had been ongoing for a decade prior, the shift to a wildly propagating version of Stuxnet likely followed after close access operations were no longer possible and the flagrancy of the propagation was likely an error, amongst many other bits of information.

Zetter spends a significant amount of time unpacking the ways in which the United States government determines if a vulnerability should be secretly retained for government use as part of a vulnerabilities equities process. Representatives from the Department of Homeland Security who were quoted in the book noted that they had never received information from the National Security Agency of a vulnerability and, moreover, that in cases where the Agency was already exploiting a reported vulnerability it was unlikely that disclosure would happen after entering the vulnerability into the equities process. As noted by any number of people in the course of the book, the failure by the United States (and other Western governments) to clearly explain their vulnerabilities disclosure processes, or the manners in which they would respond to a cyber attack, leaves unsettled the norms of digital security as well as leaves unanswered the norms and policies concerning when (and how) a state will respond to cyber attacks. To date these issues remain as murky as when the book was published in 2014.

The Countdown to Zero Day, in many respects, serves to collate a large volume of information that has otherwise existed in the public sphere. It draws in interviews, past technical and policy reports, and a vast quantity of news reports. But more than just collating materials it also explains the meanings of them, draws links between them that had not previously been made in such clear or straightforward fashions, and explains the broader implications of the United States’ and Israel’s actions. Further, the details of the book render (more) transparent how anti-virus companies and malware researchers conduct their work, as well as the threats to that work in an era when a piece of malware could be used by a criminal enterprise or a major nation-state actor with a habit of proactively working to silence researchers. The book remains an important landmark in the history of security journalism, cybersecurity, and the politics of cybersecurity. I would heartily recommend it to a layperson and expert alike.

Quote
Posted on in Quotations

If those responsible for security believe that the law does not give them enough power to protect security effectively, they must try to persuade the law-makers, Parliament and the provincial legislatures, to change the law. They must not take the law into their own hands. This is a requirement of a liberal society.

  • Canada, Commission of Inquiry Concerning Certain Activities of the Royal Canadian Mounted Police, Second Report: Freedom and Security Under the Law, vol 1, Part II (Ottawa: Privy Council Office, 1981) at 45.

Posted on in Links, Photos, Reflections, Roundup, Writing

The Roundup for April 23-27, 2018 Edition

Hidden Point by Christopher Parsons

I shifted over to this domain name, and WordPress environment, a little over eight months ago. In addition to moving multiple years of content I also committed to at least one post a week though, ideally, would post many more than that!

I’ve been largely successful with meeting those goals. As such, I’ve been able to maintain a regular personal writing habit. It’s also meant I’ve locked down some of my ruminations and thoughts so that I can reflect on them later on down the line.

However, there are some things that I’m not entirely happy with. First, I’ve been privately writing small ‘reviews’ of books and movies but haven’t gotten around to posting them here. Part of that is wanting to do them ‘well’ and the other reason is that I’m trying to decide if I should have posts and then a master page that links to the posts, or just posts, or just a page. But expect that to be figured out pretty soon.1 I also really like the idea of putting up a gear/software list of things that I routinely use, and want to steal an idea from a friend of mine who posts the podcasts that she’s really into at any given time. And I want to put some thought into developing a public blogroll, likely based on the RSS feeds that I consume, though I admit that I’m not entirely sure of the utility of blogrolls in this day and age.

The reason for contemplating these changes to some of the content and structure? Mostly because I think I can move more of my writing to this location; there’ve only been a few times that I thought I was getting too ‘close’ to mimicking the work on my professional web presence or private journal, and even then the tone was sufficiently different that it belonged here as opposed to those other locations. But I’m also motivated to modify some of the content here because I want what I write to be interesting and useful for other people; I often find that bloggers’ reviews and insights about the things they use are the only way that I discover the existence of certain tools, products, workflows, and cultural items. So I want to give back to others, just as they have freely given to me and everyone else who visits (or has visited) their sites.

I spent some time this week writing about a recent proposal to significantly weaken the security of the devices we carry with us on a daily basis. In short, I think that the proposal:

doesn’t address the real technical or policy problems associated with developing a global backdoor system to our most personal electronic devices. Specifically the architect of the solution overestimates the existent security characteristics of contemporary devices, overestimates the ability of companies to successfully manage a sophisticated and globe-spanning key management system, fails to address international policy issues about why other governments couldn’t or wouldn’t demand similar kinds of access (think Russia, China, Iran, etc), fails to contemplate an adequate key revocation system, and fails to adequately explain why why the exceptional access system he envisions is genuinely needed.

Device security, and especially efforts to weaken it, fundamentally raises technical and policy issues. Neither type of issue can be entirely divorced from the other, and it’s important to recognize that the policy issues are both domestic and international; failing to address them both, at the same time, means that any proposal will almost certainly have terminal weaknesses.

Inspiring Quotation of the Week

“Do not let anything that happens in life be important enough that you’re willing to close your heart over it.”

— Michael A. Singer

Great Photography Shots

The shots from this year’s Sony 2018 World Photography Awards are stunning. Here are some of my favourites:

“Untitled” from the series “Ex-Voto” © Alys Tomlinson, United Kingdom, Photographer of the Year, Professional, Discovery, 2018 Sony World Photography Awards
“Letter of departure” © Edgar Martins, Portugal, 1st Place, Professional, Still Life (Professional competition), 2018 Sony World Photography Awards

Music I’m Digging

Neat Podcast Episodes

Good Reads for the Week

Footnotes

  1. I suspect I’ll opt to a post-per-review, with them aggregated on a distinct page.
Posted on in Links, Photography, Photos, Reflections, Roundup, Writing

The Roundup for April 14-20, 2018 Edition

Walkways by Christopher Parsons

Earlier this year, I suggested that the current concerns around Facebook data being accessed by unauthorized third parties wouldn’t result in users leaving the social network in droves. Not just because people would be disinclined to actually leave the social network but because so many services use Facebook.

Specifically, one of the points that I raised was:

3. Facebook is required to log into a lot of third party services. I’m thinking of services from my barber to Tinder. Deleting Facebook means it’s a lot harder to get a haircut and impossible to use something like Tinder.

At least one company, Bumble, is changing its profile confirmation methods: whereas previously all Bumble users linked their Facebook information to their Bumble account for account identification, the company is now developing their own verification system. Should a significant number of companies end up following Bumble’s model then this could have a significant impact on Facebook’s popularity, as some of the ‘stickiness’ of the service would be diminished.1

I think that people moving away from Facebook is a good thing. But it’s important to recognize that the company doesn’t just provide social connectivity: Facebook has also made it easier for businesses to secure login credential and (in others cases) ‘verify’ identity.2 In effect one of the trickiest parts of on boarding customers has been done by a third party that was well resourced to both collect and secure the data from formal data breaches. As smaller companies assume these responsibilities, without the equivalent to Facebook’s security staff, they are going to have to get very good, very fast, at protecting their customers’ information from data breaches. While it’s certainly not impossible for smaller companies to rise to the challenge, it won’t be a cost free endeavour, either.

It will be interesting to see if more companies move over to Bumble’s approach or if, instead, businesses and consumers alike merely shake their heads angrily at Facebook’s and continue to use the service despite its failings. For what it’s worth, I continue to think that people will just shake their heads angrily and little will actually come of the Cambridge Analytica story in terms of affecting the behaviours and desires of most Facebook users, unless there are continued rapid and sustained violations of Facebook users’ trust. But hope springs eternal and so I genuinely do hope that people shift away from Facebook and towards more open, self-owned, and interesting communications and networking platforms.

Thoughtful Quotation of the Week

The brands themselves aren’t the problem, though: we all need some stuff, so we rely on brands to create the things we need. The problem arises when we feel external pressure to acquire as if new trinkets are a shortcut to a more complete life. That external pressure shouldn’t be a sign to consume. If anything, it’s a sign to pause and ask, “Who am I buying this for?”

Great Photography Shots

I was really stunned by Zsolt Hlinka’s architectural photography, which was featured on My Modern MET.

Music I’m Digging

Neat Podcast Episodes

Good Reads for the Week

Cool Things

Footnotes

  1. I think that the other reasons I listed in my earlier post will still hold. Those points were:

    1. Few people vote. And so they aren’t going to care that some shady company was trying to affect voting patterns.
    2. Lots of people rely on Facebook to keep passive track of the people in their lives. Unless communities, not individuals, quit there will be immense pressure to remain part of the network.

  2. I’m aware that it’s easy to establish a fake Facebook account and that such activity is pretty common. Nevertheless, an awful lot of people use their ‘real’ Facebook accounts that has real verification information, such as email addresses and phone numbers.
Link
Posted on in Links

Serious Vulnerabilities (Probably) Found in All iOS Devices

From Forbes:

The Israeli firm, a subsidiary of Japan’s Sun Corporation, hasn’t made any major public announcement about its new iOS capabilities. But Forbes was told by sources (who asked to remain anonymous as they weren’t authorized to talk on the matter) that in the last few months the company has developed undisclosed techniques to get into iOS 11 and is advertising them to law enforcement and private forensics folk across the globe. Indeed, the company’s literature for its Advanced Unlocking and Extraction Services offering now notes the company can break the security of “Apple iOS devices and operating systems, including iPhone, iPad, iPad mini, iPad Pro and iPod touch, running iOS 5 to iOS 11.” Separately, a source in the police forensics community told Forbes he’d been told by Cellebrite it could unlock the iPhone 8. He believed the same was most probably true for the iPhone X, as security across both of Apple’s newest devices worked in much the same way.

If Cellebrite has, indeed, found a way of compromising all iOS devices then they’ve accomplished a pretty impressive task. I have to wonder whether the vulnerabilities emerged from studying the iBoot leak or their own software or hardware research. Assuming Cellebrite’s claims are legitimate they serve to underscore the position that government’s shouldn’t introduce backdoors or vulnerabilities into devices given that doing so will only exacerbate the existing problems associated with securing devices. Security is designed to add friction, not totally prevent an unauthorized party’s actions, and deliberately reducing such friction will put all users at greater jeopardy.

Posted on in Roundup, Writing

The Roundup for December 23-29, 2017 Edition

Bright Fathers by Christopher Parsons

It’s the time of year when people reflect on past annual resolutions while beginning to think about what resolutions they’ll ‘commit’ to in the coming year. I enjoy the idea of establishing annual targets and goals. Not just because it’s fun to imagine how great life would be if you hit them all, but because it provides an ongoing sense of direction in what is often a rote world. More than that, resolutions, goal setting, or whatever else you call it are helpful for providing a lens through which to reflect on a year gone by.

I had one standard resolution, which I absolutely failed to make possible, and a host of them that were far more successful. I fully exited consumer debt hell, increased monthly student loan payments, photographically documented many of the major events in my life, dealt with the last administrative aspects of my last relationship, and mostly righted my financial ship. All of those were major life accomplishments and have done things like change how I visually see the world every day, how I experience my relationships with money, and how I approach my relationships today. It’s not just that I finished something but that in the course of undertaking a series of activities I’ve opened up entirely new (and, arguably, healthier) ways of seeing the world.

But there were other things that I accomplished that I think are as important as those goals that were set last year. I think I’m most proud of the fact that I can see ways in which I’ve grown emotionally. In specific, in my desire to avoid some of the mistakes of my last relationship I’ve had honest and oftentimes painful conversations that were based on what I believe to be right for me; rather than subsuming myself to make life easier I’ve just been me, even when doing so might cause challenges in my relationships. Such challenges, however, are healthy insofar as strong areas of disagreement aren’t indications of a lack of love but, instead, of a healthy set of egos that simply must come to a consensual agreement on how to proceed. Learning how to love in a healthy way has been scary while also amplifying my ability to be present and with others in ways I never understood as possible.

I’ve also managed to overcome some long held fears that were the result of bullying I experienced while growing up. The result is that I can make healthy choices for my body without having a voice in the back of my head that sabotages my efforts to be fitter, eat better, and be happier in my own body. Getting over those particular demons is especially important, in my situation, given that I’m creeping up on the age when coronary diseases start to take the lives of the men in my family.

In the coming days I’ll be thinking through the kinds of resolutions and thematics that I want to carry forward into the coming year. Centrally, I think I’m going to have ‘testable’ objectives, insofar as I’ll be able to actually measure whether or not I’ve advanced in some of the hobbies that I’m involved in, while also trying to find ways of deprioritizing activities that are pleasurable but don’t really do much to advance my physical, intellectual, artistic, professional, or emotional wellbeing.

I spent a significant amount of time thinking about the implications of path dependency in socio-technical systems over the course of my doctoral degree. For my work, I hypothesized that similar kinds of technologies in a path-dependent system would unfold in similar ways cross-jurisdictionally. This common unfolding would take place because once technological development began down a particular path, other paths would be foreclosed and a common end would be reached regardless of regulation, policy, or law.

In the work I did, this dependency wasn’t actually evidenced with much regularity. But some of that was because the technologies I was looking at were heavily socialized: they were used for a range of different tasks and, as such, their development impetuses were often decidedly non-technical. In contrast, the development of Transport Level Security (TLS) has a kind of path dependency that is notably challenging to deviate from, not just because clients and servers must implement new versions of the protocol but because developers of middle boxes simply assume technology will unfold in a given way and have developed their own technologies based on those assumptions. In reaction, the Internet community has spent a considerable amount of time trying to ameliorate the difficulties that arise when implementing new versions of the protocol, difficulties linked to assumptions as to how the protocol would, and will, develop.

Cryptographers are increasingly talking about the problems associated with adopting new versions of TLS as ‘joints’ ‘rusting shut.’ As discussed by Cloudflare, in the context of middleboxes:

Some features of TLS that were changed in TLS 1.3 were merely cosmetic. Things like the ChangeCipherSpec, session_id, and compression fields that were part of the protocol since SSLv3 were removed. These fields turned out to be considered essential features of TLS to some of these middleboxes, and removing them caused connection failures to skyrocket.

If a protocol is in use for a long enough time with a similar enough format, people building tools around that protocol will make assumptions around that format being constant. This is often not an intentional choice by developers, but an unintended consequence of how a protocol is used in practice. Developers of network devices may not understand every protocol used on the internet, so they often test against what they see on the network. If a part of a protocol that is supposed to be flexible never changes in practice, someone will assume it is a constant. This is more likely the more implementations are created.

It would be disingenuous to put all of the blame for this on the specific implementers of these middleboxes. Yes, they created faulty implementations of TLS, but another way to think about it is that the original design of TLS lent itself to this type of failure. Implementers implement to the reality of the protocol, not the intention of the protocol’s designer or the text of the specification. In complex ecosystems with multiple implementers, unused joints rust shut.

To some extent, the lesson to be taken from the efforts to update to TLS 1.3 is to have protocols which are simpler in nature and with fewer moving parts.1 Another lesson is that it takes years to actually shift the global population of Internet devices en masse to more secure ways of communicating. But perhaps the most fundamental lesson — to my mind — is that the security of the Internet is still trying to mediate and resolve problems which were initially seeded many, many years ago and which may mean it takes up to a decade to fix the specific problems to TLS 1.2.

Built infrastructure such as middleboxes isn’t updated on a regular basis because the infrastructure represents a capital cost. And so even as new protocols struggle to come to terms with the past, they do so by comforming to the paths sets down by previously deployed protocols. Even as TLS 1.3 is deployed and made usable, it will be done so based on how earlier versions of the protocol were designed and then implemented. So the questions that linger include: how will implementers of TLS 1.3 make decisions, and how will their decisions direct the development and implementation of future versions of TLS? In effect: how much will the paths of the past continue to affect how future versions of TLS can be practically — as opposed to hypothetically — developed??

Inspirational Quotation

“Generosity is the most natural outward expression of an inner attitude of compassion and loving-kindness.”

– Dalai Lama

Great Photography Shots

I’ve really fallen in love with some of the shots which were submitted to this year’s Sony Wold Photography Awards.

The Horns at sunrise. © Vincent Chen, China, Entry, Open, Landscape & Nature (2018 Open competition), 2018 Sony World Photography Awards.
The Horns at sunrise. © Vincent Chen, China, Entry, Open, Landscape & Nature (2018 Open competition), 2018 Sony World Photography Awards.
Little Indian. © Virgilio Liberato, Philippines, Entry, Open, Portraiture (Open competition), 2018 Sony World Photography Awards
Little Indian. © Virgilio Liberato, Philippines, Entry, Open, Portraiture (Open competition), 2018 Sony World Photography Awards.
Lunch Break. © Omer Faidi, Turkey, Entry, Open, Street Photography (Open competition), 2018 Sony World Photography Awards.
Lunch Break. © Omer Faidi, Turkey, Entry, Open, Street Photography (Open competition), 2018 Sony World Photography Awards.

Intriguing Video Art

Music I’m Digging

Neat Podcast Episodes

Good Reads for the Week

Cool Product Advice

  1. Per Cloudflare: David Benjamin proposed a way to keep the most important joints in TLS oiled. His GREASE proposal for TLS is designed to throw in random values where a protocol should be tolerant of new values. If popular implementations intersperse unknown ciphers, extensions and versions in real-world deployments, then implementers will be forced to handle them correctly. GREASE is like WD-40 for the Internet.
Link
Posted on in Links

Data breaches, phishing, or malware? Understanding the risks of stolen credentials

New research from Google:

In this paper, we present the first longitudinal measurement study of the underground ecosystem fueling credential theft and assess the risk it poses to millions of users. Over the course of March, 2016–March, 2017, we identify 788,000 potential victims of off-the-shelf keyloggers; 12.4 million potential victims of phishing kits; and 1.9 billion usernames and passwords exposed via data breaches and traded on blackmarket forums. Using this dataset, we explore to what degree the stolen passwords—which originate from thousands of online services—enable an attacker to obtain a victim’s valid email credentials—and thus complete control of their online identity due to transitive trust. Drawing upon Google as a case study, we find 7–25% of exposed passwords match a victim’s Google account. For these accounts, we show how hardening authentication mechanisms to include additional risk signals such as a user’s historical geolocations and device profiles helps to mitigate the risk of hijacking. Beyond these risk metrics, we delve into the global reach of the miscreants involved in credential theft and the blackhat tools they rely on. We observe a remarkable lack of external pressure on bad actors, with phishing kit playbooks and keylogger capabilities remaining largely unchanged since the mid-2000s.