MPs consider contempt charges for Canadian company linked to Cambridge Analytica after raucous committee meeting

Aggregate IQ executives came to answer questions before a Canadian parliamentary committee. Then they had the misfortune of dealing with a well-connected British Information Commissioner, Elizabeth Denham:

At Tuesday’s committee meeting, MPs pressed Silvester and Massingham on their company’s work during the Brexit referendum, for which they are currently under investigation in the UK over possible violations of campaign spending limits. Under questioning from Liberal MP Nathaniel Erskine-Smith, Silvester and Massingham insisted they had fully cooperated with the UK information commissioner Elizabeth Denham. But as another committee member, Liberal MP Frank Baylis, took over the questioning, Erskine-Smith received a text message on his phone from Denham which contradicted the pair’s testimony.

Erskine-Smith handed his phone to Baylis, who read the text aloud. “AIQ refused to answer her specific questions relating to data usage during the referendum campaign, to the point that the UK is considering taking further legal action to secure the information she needs,” Denham’s message said.

Silvester replied that he had been truthful in all his answers and said he would be keen to follow up with Denham if she had more questions.

It’s definitely a bold move to inform parliamentarians, operating in a friendly but foreign jurisdiction, that they’re being misled by one of their witnesses. So long as such communications don’t overstep boundaries — such as enabling a government official to engage in a public witchhunt of a given person or group — these sorts of communications seem essential when dealing with groups which have spread themselves across multiple jurisdictions and are demonstrably behaving untruthfully.

No: Inheritance

I’ve been slowly listening through The Heart, which is a podcast of personal documentaries and essays. The episode ‘No: Inheritance’ is a hard listen: it’s the sound of saying, and ignoring, the word “no”. The episode is a re-telling of two cases where the host’s utterances were ignored; one is dramatized, the other a recording of the event.

Throughout the episode the host ruminates on what consent is, and was, and how it was understood, and why her consent was ignored. It digs into the anger, shame, and strategies that she and other women adopt in response to men ignoring the word “no”. It sketches out why some women just let things continue and the mental traumas that follow.

These are the kinds of stories that men need to hear. They need to sit and listen, carefully, so that they can appreciate the concerns and traumas that many women have either experienced themselves or worry about experiencing in the future. It’s episodes like this that make it very clear how important it is to regularly obtain consent and to respect the decisions that are made by one’s partner, regardless of whether they’re a partner for a night or for the rest of your life.

The Cure For Pessimism? Action

GQ has a good interview with Yvon Chouinard, the founder of Patagonia. It’s far-ranging, covering the company’s attitude to making clothing, to climate change, to politics. But what really struck me was this:

Gradually, the conversation went even darker. About Trump, Chouinard added, “It’s like a kid who’s so frustrated he wants to break everything. That’s what we’ve got.” I asked sarcastically if any part of him was an optimist. Marcario, sitting next to him, laughed loudly. “Did you just ask Yvon if he’s an optimist?” Chouinard smiled and cocked his head. “I’m totally a pessimist. But you know, I’m a happy person. Because the cure for depression is action.”

I would note that I think action is the cure for pessimism, as opposed to depression; one is a mindset whereas the other is often a serious mental condition that can require professional assistance. But that nitpick aside, I think he’s correct that you press through pessimism by acting to make the world a little bit better every day than how you started it.

Apple Pay Has Problems

John Gruber is ripping into the Wall Street Journal for their reporting on Apple Pay. Specifically, he complains that the Journal didn’t explain how to remove an alert that is meant to encourage people to set up Apple Pay, agrees that Apple has done a bad job explaining how Apple Pay is more secure than using an actual credit card, and mocks an analyst’s comparison of Apple Pay to Microsoft’s antitrust cases in the 1990s and early 2000s.

I agree with a lot of what John wrote but, at the same time, think that it’s all too easy to dismiss complaints about Apple Pay. I work amongst an incredibly technical group of colleagues. Many of us have iPhones. But I’m the only person who uses Apple Pay with any regularity…and I’ve run into issues time after time. Let me list some of the problems I’ve experienced:

  1. I tried to return an item I bought using Apple Pay (linked to my credit card). But when I returned it the credit card number displayed on the receipt was different from that on my credit card…so the retailer refused to take the return.¹ It was only after I undertook some independent research that I figured out how to pull up the temporarily assigned number in Apple Pay and, then, additional time to educate the frontline staff, the manager, and then wait for the manager to call central office to confirm they could process the return. Time to return a product to a store that was down the street from me? About 3-4 hours split over 2 days. I wouldn’t have the same issue if I’d just bought the item with my physical credit card.²
  2. Apple Pay doesn’t work as reliably with tap-enabled Point of Sale machines. I’d say that I have about an 85-90% ‘hit’ rate with Apple Pay versus using the tap feature of my credit card. That makes Apple Pay less convenient than a tap-enabled credit card or debit card.
  3. Various Point of Sale machines have disabled tap and force me to use one of my chip/PIN cards. This is typically done in restaurants or retail locations where either they can’t afford to fix their Point of Sale machine or refuse to pay to enable the feature (or simply haven’t upgraded their machines to accept tap payments). So I have to carry my regular credit card and debit card with me, wherever I go, on the basis that I can’t trust that I can use Apple Pay at any given location.
  4. Sometimes Apple Pay just doesn’t work. I have no idea what the problem is but there are times where I just have to remove the cards and re-add them to Apple Pay. I don’t know why this takes place but it happens at least once a year. And I find out about it when I’m trying to pay for something. I don’t have this problem with my credit card.³

Do I like Apple Pay? I do, actually, and I use it a lot. But I’m willing to deal with the above teething issues as an early adopter. Security is fine and good, but for the majority of people usability is the most important component of using a product. And Apple Pay remains, in my eyes, only mostly-usable. It needs to be a lot more reliable before it is adopted by the mainstream.

  1. I know: this is a security feature (one I love!) but it’s a feature that’s been introduced without an equally clear explanation of how to find the temporarily used number. This education needs to happen at both the end-user and retailer level.
  2. And I have no clue what you’d do if you lost your phone or it was stolen between the time of purchasing an item with Apple Pay and wanting to return it.
  3. To be fair, I have to replace my debit card (rarely used either as the card or in Apple Pay) approximately every six months because it just stops working. But this hasn’t ever happened with my credit card, which is my primary way of paying for everything.

Cellebrite can unlock any iPhone (for some values of “any”)

An update by Ars Technica on Cellebrite’s ability to access the content on otherwise secured iOS devices:

Cellebrite is not revealing the nature of the Advanced Unlocking Services’ approach. However, it is likely software based, according to Dan Guido, CEO of the security firm Trail of Bits. Guido told Ars that he had heard Cellebrite’s attack method may be blocked by an upcoming iOS update, 11.3.

“That leads me to believe [Cellebrite] have a power/timing attack that lets them bypass arbitrary delays and avoid device lockouts,” Guido wrote in a message to Ars. “That method would rely on specific characteristics of the software, which explains how Apple could patch what appears to be a hardware issue.”

Regardless of the approach, Cellebrite’s method almost certainly is dependent on a brute-force attack to discover the PIN. And the easiest way to protect against that is to use a longer, alphanumeric password—something Apple has been attempting to encourage with TouchID and FaceID, since the biometric security methods reduce the number of times an iPhone owner has to enter a password.

This once again confirms the importance of establishing strong, long passwords for iOS devices. Sure, they’re less convenient but they provide measurably better security.

Serious Vulnerabilities (Probably) Found in All iOS Devices

From Forbes:

The Israeli firm, a subsidiary of Japan’s Sun Corporation, hasn’t made any major public announcement about its new iOS capabilities. But Forbes was told by sources (who asked to remain anonymous as they weren’t authorized to talk on the matter) that in the last few months the company has developed undisclosed techniques to get into iOS 11 and is advertising them to law enforcement and private forensics folk across the globe. Indeed, the company’s literature for its Advanced Unlocking and Extraction Services offering now notes the company can break the security of “Apple iOS devices and operating systems, including iPhone, iPad, iPad mini, iPad Pro and iPod touch, running iOS 5 to iOS 11.” Separately, a source in the police forensics community told Forbes he’d been told by Cellebrite it could unlock the iPhone 8. He believed the same was most probably true for the iPhone X, as security across both of Apple’s newest devices worked in much the same way.

If Cellebrite has, indeed, found a way of compromising all iOS devices then they’ve accomplished a pretty impressive task. I have to wonder whether the vulnerabilities emerged from studying the iBoot leak or their own software or hardware research. Assuming Cellebrite’s claims are legitimate, they serve to underscore the position that governments shouldn’t introduce backdoors or vulnerabilities into devices given that doing so will only exacerbate the existing problems associated with securing devices. Security is designed to add friction, not totally prevent an unauthorized party’s actions, and deliberately reducing such friction will put all users at greater jeopardy.