If those responsible for security believe that the law does not give them enough power to protect security effectively, they must try to persuade the law-makers, Parliament and the provincial legislatures, to change the law. They must not take the law into their own hands. This is a requirement of a liberal society.
Canada, Commission of Inquiry Concerning Certain Activities of the Royal Canadian Mounted Police, Second Report: Freedom and Security Under the Law, vol 1, Part II (Ottawa: Privy Council Office, 1981) at 45.
I shifted over to this domain name, and WordPress environment, a little over eight months ago. In addition to moving multiple years of content I also committed to at least one post a week though, ideally, would post many more than that!
I’ve been largely successful with meeting those goals. As such, I’ve been able to maintain a regular personal writing habit. It’s also meant I’ve locked down some of my ruminations and thoughts so that I can reflect on them later on down the line.
However, there are some things that I’m not entirely happy with. First, I’ve been privately writing small ‘reviews’ of books and movies but haven’t gotten around to posting them here. Part of that is wanting to do them ‘well’ and the other reason is that I’m trying to decide if I should have posts and then a master page that links to the posts, or just posts, or just a page. But expect that to be figured out pretty soon.1 I also really like the idea of putting up a gear/software list of things that I routinely use, and want to steal an idea from a friend of mine who posts the podcasts that she’s really into at any given time. And I want to put some thought into developing a public blogroll, likely based on the RSS feeds that I consume, though I admit that I’m not entirely sure of the utility of blogrolls in this day and age.
The reason for contemplating these changes to some of the content and structure? Mostly because I think I can move more of my writing to this location; there’ve only been a few times that I thought I was getting too ‘close’ to mimicking the work on my professional web presence or private journal, and even then the tone was sufficiently different that it belonged here as opposed to those other locations. But I’m also motivated to modify some of the content here because I want what I write to be interesting and useful for other people; I often find that bloggers’ reviews and insights about the things they use are the only way that I discover the existence of certain tools, products, workflows, and cultural items. So I want to give back to others, just as they have freely given to me and everyone else who visits (or has visited) their sites.
I spent some time this week writing about a recent proposal to significantly weaken the security of the devices we carry with us on a daily basis. In short, I think that the proposal:
doesn’t address the real technical or policy problems associated with developing a global backdoor system to our most personal electronic devices. Specifically the architect of the solution overestimates the existent security characteristics of contemporary devices, overestimates the ability of companies to successfully manage a sophisticated and globe-spanning key management system, fails to address international policy issues about why other governments couldn’t or wouldn’t demand similar kinds of access (think Russia, China, Iran, etc), fails to contemplate an adequate key revocation system, and fails to adequately explain why why the exceptional access system he envisions is genuinely needed.
Device security, and especially efforts to weaken it, fundamentally raises technical and policy issues. Neither type of issue can be entirely divorced from the other, and it’s important to recognize that the policy issues are both domestic and international; failing to address them both, at the same time, means that any proposal will almost certainly have terminal weaknesses.
Inspiring Quotation of the Week
“Do not let anything that happens in life be important enough that you’re willing to close your heart over it.”
— Michael A. Singer
Great Photography Shots
The shots from this year’s Sony 2018 World Photography Awards are stunning. Here are some of my favourites:
Music I’m Digging
Neat Podcast Episodes
Good Reads for the Week
- How and Why to Keep Your Team Out of Communication Debt
- Is the hammer about to drop on Ontario beer?
- Life Inside S.C.L., Cambridge Analytica’s Parent Company
- Basic Income Is Already Transforming Life and Work In a Postindustrial Canadian City
- Where Countries Are Tinderboxes and Facebook Is a Match
- The Secret Language of Ships
- Dating apps are refuges for Egypt’s LGBTQ community, but they can also be traps
- ISO blocks NSA’s latest IoT encryption systems amid murky tales of backdoors and bullying
- I suspect I’ll opt to a post-per-review, with them aggregated on a distinct page. ↩
Earlier this year, I suggested that the current concerns around Facebook data being accessed by unauthorized third parties wouldn’t result in users leaving the social network in droves. Not just because people would be disinclined to actually leave the social network but because so many services use Facebook.
Specifically, one of the points that I raised was:
3. Facebook is required to log into a lot of third party services. I’m thinking of services from my barber to Tinder. Deleting Facebook means it’s a lot harder to get a haircut and impossible to use something like Tinder.
At least one company, Bumble, is changing its profile confirmation methods: whereas previously all Bumble users linked their Facebook information to their Bumble account for account identification, the company is now developing their own verification system. Should a significant number of companies end up following Bumble’s model then this could have a significant impact on Facebook’s popularity, as some of the ‘stickiness’ of the service would be diminished.1
I think that people moving away from Facebook is a good thing. But it’s important to recognize that the company doesn’t just provide social connectivity: Facebook has also made it easier for businesses to secure login credential and (in others cases) ‘verify’ identity.2 In effect one of the trickiest parts of on boarding customers has been done by a third party that was well resourced to both collect and secure the data from formal data breaches. As smaller companies assume these responsibilities, without the equivalent to Facebook’s security staff, they are going to have to get very good, very fast, at protecting their customers’ information from data breaches. While it’s certainly not impossible for smaller companies to rise to the challenge, it won’t be a cost free endeavour, either.
It will be interesting to see if more companies move over to Bumble’s approach or if, instead, businesses and consumers alike merely shake their heads angrily at Facebook’s and continue to use the service despite its failings. For what it’s worth, I continue to think that people will just shake their heads angrily and little will actually come of the Cambridge Analytica story in terms of affecting the behaviours and desires of most Facebook users, unless there are continued rapid and sustained violations of Facebook users’ trust. But hope springs eternal and so I genuinely do hope that people shift away from Facebook and towards more open, self-owned, and interesting communications and networking platforms.
Thoughtful Quotation of the Week
The brands themselves aren’t the problem, though: we all need some stuff, so we rely on brands to create the things we need. The problem arises when we feel external pressure to acquire as if new trinkets are a shortcut to a more complete life. That external pressure shouldn’t be a sign to consume. If anything, it’s a sign to pause and ask, “Who am I buying this for?”
Great Photography Shots
Music I’m Digging
Neat Podcast Episodes
Good Reads for the Week
- First XDR typhoid is on the verge of being untreatable, spreading globally
- Sweden’s violent reality is undoing a peaceful self-image
- OLPC’s $100 laptop was going to change the world — then it all went wrong
- Eyewear consumers blast effort to cease online sales
- Chat Is Google’s Next Big Fix For Android’s Messaging Mess
- I think that the other reasons I listed in my earlier post will still hold. Those points were:
1. Few people vote. And so they aren’t going to care that some shady company was trying to affect voting patterns.
2. Lots of people rely on Facebook to keep passive track of the people in their lives. Unless communities, not individuals, quit there will be immense pressure to remain part of the network. ↩
- I’m aware that it’s easy to establish a fake Facebook account and that such activity is pretty common. Nevertheless, an awful lot of people use their ‘real’ Facebook accounts that has real verification information, such as email addresses and phone numbers. ↩
The Israeli firm, a subsidiary of Japan’s Sun Corporation, hasn’t made any major public announcement about its new iOS capabilities. But Forbes was told by sources (who asked to remain anonymous as they weren’t authorized to talk on the matter) that in the last few months the company has developed undisclosed techniques to get into iOS 11 and is advertising them to law enforcement and private forensics folk across the globe. Indeed, the company’s literature for its Advanced Unlocking and Extraction Services offering now notes the company can break the security of “Apple iOS devices and operating systems, including iPhone, iPad, iPad mini, iPad Pro and iPod touch, running iOS 5 to iOS 11.” Separately, a source in the police forensics community told Forbes he’d been told by Cellebrite it could unlock the iPhone 8. He believed the same was most probably true for the iPhone X, as security across both of Apple’s newest devices worked in much the same way.
If Cellebrite has, indeed, found a way of compromising all iOS devices then they’ve accomplished a pretty impressive task. I have to wonder whether the vulnerabilities emerged from studying the iBoot leak or their own software or hardware research. Assuming Cellebrite’s claims are legitimate they serve to underscore the position that government’s shouldn’t introduce backdoors or vulnerabilities into devices given that doing so will only exacerbate the existing problems associated with securing devices. Security is designed to add friction, not totally prevent an unauthorized party’s actions, and deliberately reducing such friction will put all users at greater jeopardy.
It’s the time of year when people reflect on past annual resolutions while beginning to think about what resolutions they’ll ‘commit’ to in the coming year. I enjoy the idea of establishing annual targets and goals. Not just because it’s fun to imagine how great life would be if you hit them all, but because it provides an ongoing sense of direction in what is often a rote world. More than that, resolutions, goal setting, or whatever else you call it are helpful for providing a lens through which to reflect on a year gone by.
I had one standard resolution, which I absolutely failed to make possible, and a host of them that were far more successful. I fully exited consumer debt hell, increased monthly student loan payments, photographically documented many of the major events in my life, dealt with the last administrative aspects of my last relationship, and mostly righted my financial ship. All of those were major life accomplishments and have done things like change how I visually see the world every day, how I experience my relationships with money, and how I approach my relationships today. It’s not just that I finished something but that in the course of undertaking a series of activities I’ve opened up entirely new (and, arguably, healthier) ways of seeing the world.
But there were other things that I accomplished that I think are as important as those goals that were set last year. I think I’m most proud of the fact that I can see ways in which I’ve grown emotionally. In specific, in my desire to avoid some of the mistakes of my last relationship I’ve had honest and oftentimes painful conversations that were based on what I believe to be right for me; rather than subsuming myself to make life easier I’ve just been me, even when doing so might cause challenges in my relationships. Such challenges, however, are healthy insofar as strong areas of disagreement aren’t indications of a lack of love but, instead, of a healthy set of egos that simply must come to a consensual agreement on how to proceed. Learning how to love in a healthy way has been scary while also amplifying my ability to be present and with others in ways I never understood as possible.
I’ve also managed to overcome some long held fears that were the result of bullying I experienced while growing up. The result is that I can make healthy choices for my body without having a voice in the back of my head that sabotages my efforts to be fitter, eat better, and be happier in my own body. Getting over those particular demons is especially important, in my situation, given that I’m creeping up on the age when coronary diseases start to take the lives of the men in my family.
In the coming days I’ll be thinking through the kinds of resolutions and thematics that I want to carry forward into the coming year. Centrally, I think I’m going to have ‘testable’ objectives, insofar as I’ll be able to actually measure whether or not I’ve advanced in some of the hobbies that I’m involved in, while also trying to find ways of deprioritizing activities that are pleasurable but don’t really do much to advance my physical, intellectual, artistic, professional, or emotional wellbeing.
I spent a significant amount of time thinking about the implications of path dependency in socio-technical systems over the course of my doctoral degree. For my work, I hypothesized that similar kinds of technologies in a path-dependent system would unfold in similar ways cross-jurisdictionally. This common unfolding would take place because once technological development began down a particular path, other paths would be foreclosed and a common end would be reached regardless of regulation, policy, or law.
In the work I did, this dependency wasn’t actually evidenced with much regularity. But some of that was because the technologies I was looking at were heavily socialized: they were used for a range of different tasks and, as such, their development impetuses were often decidedly non-technical. In contrast, the development of Transport Level Security (TLS) has a kind of path dependency that is notably challenging to deviate from, not just because clients and servers must implement new versions of the protocol but because developers of middle boxes simply assume technology will unfold in a given way and have developed their own technologies based on those assumptions. In reaction, the Internet community has spent a considerable amount of time trying to ameliorate the difficulties that arise when implementing new versions of the protocol, difficulties linked to assumptions as to how the protocol would, and will, develop.
Cryptographers are increasingly talking about the problems associated with adopting new versions of TLS as ‘joints’ ‘rusting shut.’ As discussed by Cloudflare, in the context of middleboxes:
Some features of TLS that were changed in TLS 1.3 were merely cosmetic. Things like the ChangeCipherSpec, session_id, and compression fields that were part of the protocol since SSLv3 were removed. These fields turned out to be considered essential features of TLS to some of these middleboxes, and removing them caused connection failures to skyrocket.
If a protocol is in use for a long enough time with a similar enough format, people building tools around that protocol will make assumptions around that format being constant. This is often not an intentional choice by developers, but an unintended consequence of how a protocol is used in practice. Developers of network devices may not understand every protocol used on the internet, so they often test against what they see on the network. If a part of a protocol that is supposed to be flexible never changes in practice, someone will assume it is a constant. This is more likely the more implementations are created.
It would be disingenuous to put all of the blame for this on the specific implementers of these middleboxes. Yes, they created faulty implementations of TLS, but another way to think about it is that the original design of TLS lent itself to this type of failure. Implementers implement to the reality of the protocol, not the intention of the protocol’s designer or the text of the specification. In complex ecosystems with multiple implementers, unused joints rust shut.
To some extent, the lesson to be taken from the efforts to update to TLS 1.3 is to have protocols which are simpler in nature and with fewer moving parts.1 Another lesson is that it takes years to actually shift the global population of Internet devices en masse to more secure ways of communicating. But perhaps the most fundamental lesson — to my mind — is that the security of the Internet is still trying to mediate and resolve problems which were initially seeded many, many years ago and which may mean it takes up to a decade to fix the specific problems to TLS 1.2.
Built infrastructure such as middleboxes isn’t updated on a regular basis because the infrastructure represents a capital cost. And so even as new protocols struggle to come to terms with the past, they do so by comforming to the paths sets down by previously deployed protocols. Even as TLS 1.3 is deployed and made usable, it will be done so based on how earlier versions of the protocol were designed and then implemented. So the questions that linger include: how will implementers of TLS 1.3 make decisions, and how will their decisions direct the development and implementation of future versions of TLS? In effect: how much will the paths of the past continue to affect how future versions of TLS can be practically — as opposed to hypothetically — developed??
“Generosity is the most natural outward expression of an inner attitude of compassion and loving-kindness.”
– Dalai Lama
Great Photography Shots
I’ve really fallen in love with some of the shots which were submitted to this year’s Sony Wold Photography Awards.
Intriguing Video Art
Music I’m Digging
Neat Podcast Episodes
Good Reads for the Week
- Who Is Reality Winner?
- A close look at the proposed “CSE Act”
- People who know how the news is made resist conspiratorial thinking
- Rey, Rose, and the Revolution
Cool Product Advice
- Per Cloudflare: David Benjamin proposed a way to keep the most important joints in TLS oiled. His GREASE proposal for TLS is designed to throw in random values where a protocol should be tolerant of new values. If popular implementations intersperse unknown ciphers, extensions and versions in real-world deployments, then implementers will be forced to handle them correctly. GREASE is like WD-40 for the Internet. ↩
New research from Google:
In this paper, we present the first longitudinal measurement study of the underground ecosystem fueling credential theft and assess the risk it poses to millions of users. Over the course of March, 2016–March, 2017, we identify 788,000 potential victims of off-the-shelf keyloggers; 12.4 million potential victims of phishing kits; and 1.9 billion usernames and passwords exposed via data breaches and traded on blackmarket forums. Using this dataset, we explore to what degree the stolen passwords—which originate from thousands of online services—enable an attacker to obtain a victim’s valid email credentials—and thus complete control of their online identity due to transitive trust. Drawing upon Google as a case study, we find 7–25% of exposed passwords match a victim’s Google account. For these accounts, we show how hardening authentication mechanisms to include additional risk signals such as a user’s historical geolocations and device profiles helps to mitigate the risk of hijacking. Beyond these risk metrics, we delve into the global reach of the miscreants involved in credential theft and the blackhat tools they rely on. We observe a remarkable lack of external pressure on bad actors, with phishing kit playbooks and keylogger capabilities remaining largely unchanged since the mid-2000s.
As the capacity of networks like Cloudflare continue to grow, attackers move from attempting DDoS attacks at the network layer to performing DDoS attacks targeted at applications themselves.
For applications to be resilient to DDoS attacks, it is no longer enough to use a large network. A large network must be complemented with tooling that is able to filter malicious Application Layer attack traffic, even when attackers are able to make such attacks look near-legitimate.
The pace of change in how DDOS attacks are being conducted, and efforts to use best and worst security practices alike to threaten Internet-connected resources, is a serious and generally under appreciated problem.