Tuesday, 23 December 2014

Response to ‘terrorism’

warning

I find this quite funny.  I think that Sony was wrong to pull the movie but not for the same reasons the media and Obama seem to have.

This isn’t a matter of capitulating with terrorism because it in no way resembles terrorism. It’s an attack on a company by people unknown - maybe a nation (perhaps North Korea) - maybe not.  The usual ways we identify attacks as coming from a nation rather than some other group are the choice of target and the sophistication of the attack. 

The attacks in this case don’t seem to have been especially sophisticated on the face of it, but that’s very hard to assess.  Sophisticated methods might have been used to find vulnerabilities and choices made to make the attacks look more amateurish. Or a sophisticated attacker might have used the least sophisticated attack that would get the job done. Or it could have been an insider.

The target certainly places North Korea as a prime suspect, but it hardly rules out anyone else, nation, group or individual. It could just as easily have been a random group with or without a grudge or an ex-employee or…

But I’m not sure it matters.  What matters is that America (and lots of Americans, non-Americans) are treating the attack as terrorist. It isn’t. The only terror induced is in Sony executives and workers.  This isn’t to say that’s not a bad thing, but it’s not terrorism.  Heads are bound to roll. I have little sympathy for the top execs, who will probably be shuffled off with a massive payment and no questions asked in their next appointment. For execs at that level, what happened in the last company stays there.  My sympathy is with the workers who are SCAPEGOAT’D and sent home without so much as a good reference and with those who lose their jobs because they’re tied in some way to a particular movie.  Those people are the victims of this attack.

And yet some responses have been extraordinary.  I said earlier that Sony was wrong to pull the movie. It was wrong to pull the movie because there wasn’t – as far as I can tell – a credible threat. Did the attack make it more likely that people would be blown up in cinemas?  So what was the threat? That more information that was damaging to Sony (which I don’t care much about) and to its employees (which I do) would be revealed. That doesn’t seem on the face of it like a good reason to shut down a movie, threatening the jobs of lots of people who wouldn’t have been the ones affected anyway.

That is the reason to not pull the movie, not some bullshit terror defence and sure as shit not some patriotic one.

Student win

Students were allowed to take a 3x5 card of notes into an exam.  One student figured out how to double the text that could fit on the card.

http://boingboing.net/2014/12/21/clever-student-uses-redblue-m.html

It’s not really a story about privacy but it’s an excellent example of being disobedient while following the rules.  Exactly the sort of thing that should be encouraged, especially in young people.

Wednesday, 17 December 2014

Canadian police can search your phone after they arrest you, can arrest you if they want to search your phone

The BBC says:

Canadian police can search the contents of a mobile phone after arrest, the Supreme Court of Canada has ruled. In a 4-3 decision, the court said a warrant was not needed as long as the search is directly related to the suspected crime and records are kept.

I resisted bolding the words that automatically stand out in bold to me.

The gist of the article is that police can search your phone if they have arrested you and really want to and that they can arrest you if they really want to search your phone.

"The intensely personal and uniquely pervasive sphere of privacy in our personal computers requires protection that is clear, practical and effective," Judge Andromache Karakatsanis wrote for the minority

The minority of people who don’t think it’s cool for police agencies to search our phones just because we’ve been arrested.

The Snowden Effect

Bruce Schneier reports that over 700 million people worldwide are taking steps to avoid government agency surveillance.

And yet the media are reporting that the Snowden revelations have had little effect on internet users’ behaviour.  38 seems like a high percentage to me.  The press always seem to think that less than half is bad and that only nearly all is good.  I wonder if that’s related to the media love of the zero sum game and apparent conviction that every issue has exactly and only 2 sides, which are always worthy of equal attention.  The articles Shcneier cites misrepresent the facts but that’s not the point:

Even so, I disagree with the "Edward Snowden Revelations Not Having Much Impact on Internet Users" headline. He's having an enormous impact. I ran the actual numbers country by country, combining data on Internet penetration with data from this survey. Multiplying everything out, I calculate that 706 million people have changed their behavior on the Internet because of what the NSA and GCHQ are doing. (For example, 17% of Indonesians use the Internet, 64% of them have heard of Snowden and 62% of them have taken steps to protect their privacy, which equals 17 million people out of its total 250-million population.)

Note that the countries in this survey only cover 4.7 billion out of a total 7 billion world population. Taking the conservative estimates that 20% of the remaining population uses the Internet, 40% of them have heard of Snowden, and 25% of those have done something about it, that's an additional 46 million people around the world.

[…] it is absolutely extraordinary that 750 million people are disturbed enough about their online privacy that they will represent to a survey taker that they did something about it.

Agreed. ~10% of the world’s people have changed their behaviour because of Snowden. That is simply astonishing and very definitely a big step in an excellent direction.  Schneier mentions Cory Doctorow’s point that we have reached peak indifference to surveillance. I don’t know whether we’ve reached that point yet, but let’s hope we’re approaching it and accelerating.

Monday, 15 December 2014

Quickies. Should probably do these on (evil) Wednesdays

Blackphone app store.

IBM gets bank security wrong.

Corporations misusing our data. People keep telling us this isn’t a big problem or it isn’t the worst problem or that it’s inevitable so we shouldn’t worry about it. Bullshit.

Anti-terrorist algorithms with bonus binary picture.

From now on: What the Fuck Wednesdays will list some of the things I haven’t managed to get round to talking about since the previous evil wednesday.

Tuesday, 9 December 2014

A Declaration of the Independence of Cyberspace

I was recently reminded of this and had to read it again.

How NSA and GCHQ are tapping internet cables

We’ve known for some time that this is happening and we’ve seen glimpses of some of the methods used, but this is the first time (to my knowledge) that we’ve had an end-to-end account of how they pulled it off.  It’s a great piece of work.

Make sure you check out the rest of the posts there.  Very interesting stuff.

HOLY CRAP that is sinister

A friend told me that his child brought home a note from his school about staying safe online.  Apparently (and quite surprisingly) it wasn’t too bad apart from one thing:  it said “never tell your password to anyone outside school” (emphasis mine).

As the friend said, this gets more sinister the more you think about it.  There’s almost nobody in a better position to groom children than their teachers. The teachers will most likely know what problems the child is having at school, which subjects they’re good at and what achievements they’ve made, whether and how they’re being bullied, what buttons to press etc.  Arming them with even more information is a bad idea. 

I don’t know yet whether the letter was talking about passwords in general or the password to its students’ school accounts.  Of course, schools (probably rightly) will have access to student accounts, but teachers and other staff knowing a student’s password is bad for lots of reasons, including:

  • They won’t leave much of a trail if they log in as the student, providing they’re careful. Which they probably would be if they were up to no good.
  • A staff member could pose as the friend of a student for a whole load of bad reasons.  Or the enemy of a student, for that matter.  Imagine how that could terrorise at least two students.
  • Staff members could edit the students’ personal data without leaving much of a trail.  I don’t know what kind of data can be found on a student’s school account, but the possibility of staff rewriting history to protect themselves or incriminate students is rather worrying.
  • Students are quite likely to use the same password on their other accounts, or their passwords might give clues to what those other passwords might be. They might also reveal how students tend to choose passwords or something personal to them. How many people use something associated with a sport team or a celebrity as a password? I frequently recommend the book Microserfs by Douglas Coupland as a brilliant insight into early-days Silicon Valley/web-bubble culture. In it, one character reveals that his password is ‘hellojed’. Jed was the character’s younger brother who died as a child and the password was the character’s way to remember him and feel sad about the loss every day.  That would be a significant vulnerability, especially for a child, which could easily be exploited.  That’s one of the reasons we shouldn’t reveal passwords or answer memorable questions honestly.
  • “Inside school” is worryingly vague.  It might imply that revealing passwords to other students might be OK.
  • Instructions like this could make people feel that there are situations where it’s safe or OK to reveal passwords or that authority figures have a right to know their passwords. Authority figures are exactly the wrong kind of people to know other people’s passwords because they have a greater ability to abuse them.
  • It is never OK to tell someone under what circumstances they must or should reveal their passwords.

I could go on.  I will if and when I can clarify exactly what the letter said.

Thursday, 4 December 2014

The Daily Mail on staying safe online

Surprisingly, it’s not a story about how (female) nipples are evil and will turn your children into rapists.  It’s about safe online banking and shopping..

http://www.dailymail.co.uk/money/bills/article-1585675/How-stay-safe-online-shopping-banking.html

My expectations weren’t high. Correctly, as it turns out.

I’d planned to do a point-by-point rebuttal (the best kind of rebuttal) but I’d be here all fucking day.  The article reads like it was written by a four-year-old who hasn’t quite grasped the concept of sentences or punctuation. Much of the advice is terrible; the suggestion to phone someone who is “good with computers” as a security countermeasure is particularly… well, I don’t know. Is it hilarious or terrifying?

The article contains no useful advice about how to bank or buy safely and its smug assertion that “We explain how you can protect yourself from online fraudsters” isn’t true. It’s deeply irresponsible, even for the Mail.

Monday, 1 December 2014

Ball dropped

Wait…. That could be misconstrued.  To be specific, Google and/or my mobile provider (O2) have dropped the ball on my privacy.  And battery life.

I got an OS update for my phone at the weekend.  At first it seemed that the only thing that had changed was that the battery meter is now white instead of green.  However something else has changed too.  Prior to the update, there was a button I could attach to the drop-down menu to toggle the GPS.  This has been replaced by a button to toggle all location services, including the GPS.  It’s all or nothing, now.

The only reason I can think of to do this is that either Google or O2 or both want even more accurate information about my location. I wouldn’t have minded at all if they’d kept the GPS toggle button and added the location services one, but they didn’t.

So location services are now always off.