Quotulatiousness

June 4, 2014

Bruce Schneier on the human side of the Heartbleed vulnerability

Filed under: Technology — Nicholas @ 07:24

Reposting at his own site an article he did for The Mark News:

The announcement on April 7 was alarming. A new Internet vulnerability called Heartbleed could allow hackers to steal your logins and passwords. It affected a piece of security software that is used on half a million websites worldwide. Fixing it would be hard: It would strain our security infrastructure and the patience of users everywhere.

It was a software insecurity, but the problem was entirely human.

Software has vulnerabilities because it’s written by people, and people make mistakes — thousands of mistakes. This particular mistake was made in 2011 by a German graduate student who was one of the unpaid volunteers working on a piece of software called OpenSSL. The update was approved by a British consultant.

In retrospect, the mistake should have been obvious, and it’s amazing that no one caught it. But even though thousands of large companies around the world used this critical piece of software for free, no one took the time to review the code after its release.

The mistake was discovered around March 21, 2014, and was reported on April 1 by Neel Mehta of Google’s security team, who quickly realized how potentially devastating it was. Two days later, in an odd coincidence, researchers at a security company called Codenomicon independently discovered it.

When a researcher discovers a major vulnerability in a widely used piece of software, he generally discloses it responsibly. Why? As soon as a vulnerability becomes public, criminals will start using it to hack systems, steal identities, and generally create mayhem, so we have to work together to fix the vulnerability quickly after it’s announced.

May 30, 2014

“French spies [are] number two in the world of industrial cyber-espionage”

Filed under: China, Europe, France, Government, Technology, USA — Nicholas @ 08:11

High praise indeed for French espionage operatives from … former US Secretary of Defence Robert Gates:

Former spy and defense department secretary Robert Gates has identified France as a major cyber-spying threat against the US.

In statements that are bound to raise eyebrows on both sides of the Atlantic, Gates (not Bill) nominated French spies as being number two in the world of industrial cyber-espionage.

“In terms of the most capable, next to the Chinese, are the French – and they’ve been doing it a long time,” he says in this interview at the Council on Foreign Relations.

Rather than a précis, The Register will give you some of Gates’s (not Bill) words verbatim, starting just after 21 minutes in the video, when he answers a question about America’s recent indictment of five Chinese military hackers.

“What we have accused the Chinese of doing – stealing American companies’ secrets and technology – is not new, nor is it something that’s done only by the Chinese,” Gates tells the interviewer. “There are probably a dozen or fifteen countries that steal our technology in this way.

“In terms of the most capable, next to the Chinese, are probably the French, and they’ve been doing it a long time.

May 27, 2014

Internet privacy advice for kids (who are not “Digital Natives”)

Filed under: Business, Media, Technology — Nicholas @ 13:15

Cory Doctorow sympathizes with young people who have literally grown up with the internet:

The problem with being a “digital native” is that it transforms all of your screw-ups into revealed deep truths about how humans are supposed to use the Internet. So if you make mistakes with your Internet privacy, not only do the companies who set the stage for those mistakes (and profited from them) get off Scot-free, but everyone else who raises privacy concerns is dismissed out of hand. After all, if the “digital natives” supposedly don’t care about their privacy, then anyone who does is a laughable, dinosauric idiot, who isn’t Down With the Kids.

“Privacy” doesn’t mean that no one in the world knows about your business. It means that you get to choose who knows about your business.

It’s difficult to explain to people just how open their online “secrets” really are … and that’s not even covering the folks who are specifically targets of active surveillance … just being on Facebook or other social media sites hands over a lot of your personal details without your direct knowledge or (informed) consent. But you can start to take back some of your own privacy online:

If you start using computers when you’re a little kid, you’ll have a certain fluency with them that older people have to work harder to attain. As Douglas Adams wrote:

  1. Anything that is in the world when you’re born is normal and ordinary and is just a natural part of the way the world works.
  2. Anything that’s invented between when you’re fifteen and thirty-five is new and exciting and revolutionary and you can probably get a career in it.
  3. Anything invented after you’re thirty-five is against the natural order of things.

If I was a kid today, I’d be all about the opsec — the operational security. I’d learn how to use tools that kept my business between me and the people I explicitly shared it with. I’d make it my habit, and get my friends into the habit too (after all, it doesn’t matter if all your email is encrypted if you send it to some dorkface who keeps it all on Google’s servers in unscrambled form where the NSA can snaffle it up).

Here’s some opsec links to get you started:

  • First of all, get a copy of Tails, AKA “The Amnesic Incognito Live System.” This is an operating system that you can use to boot up your computer so that you don’t have to trust the OS it came with to be free from viruses and keyloggers and spyware. It comes with a ton of secure communications tools, as well as everything you need to make the media you want to send out into the world.
  • Next, get a copy of The Tor Browser Bundle, a special version of Firefox that automatically sends your traffic through something called TOR (The Onion Router, not to be confused with Tor Books, who publish my novels). This lets you browse the Web with a much greater degree of privacy and anonymity than you would otherwise get.
  • Learn to use GPG, which is a great way to encrypt (scramble) your emails. There’s a Chrome plugin for using GPG with Gmail, and another version for Firefox.
  • If you like chatting, get OTR, AKA “Off the Record,” a very secure private chat tool that has exciting features like “perfect forward secrecy” (this being a cool way of saying, even if someone breaks this tomorrow, they won’t be able to read the chats they captured today).

Once you’ve mastered that stuff, start to think about your phone. Android phones are much, much easier to secure than Apple’s iPhones (Apple tries to lock their phones so you can’t install software except through their store, and because of a 1998 law called the DMCA, it’s illegal to make a tool to unlock them). There are lots of alternative operating systems for Android, of varying degrees of security. The best place to start is Cyanogenmod, which makes it much easier to use privacy tools with your mobile device.

WSJ – “…the Canadian government is paying almost 80% of his developers’ salaries”

Filed under: Business, Cancon, Economics, Government, Technology — Nicholas @ 07:32

Stephen Gordon linked to this rather boggling Wall Street Journal article that outlines how the Canadian and provincial governments are attempting to lure start-up technology businesses to locate in Canada with vast bribes of taxpayer money:

Imagine you are launching or running a startup and there’s a place where all of your developers — the biggest expense for most tech companies — cost one quarter what they do in Silicon Valley. Sure, it’s cold there, but talent is plentiful and the locals are friendly. Would you trade your hash browns for poutine?

Adam Adelman, co-founder of Mighty Cast, a startup working on a new kind of wearable technology, recently told me the Canadian government is paying almost 80% of his developers’ salaries. And that’s not a tax credit. It’s a rebate, a check he gets from the government whether or not his startup makes money.

Even at Mighty Cast, a two-year-old hardware startup, salaries have been 80% of expenses. Combine that with the lower salaries demanded by engineers in Montreal, where Mighty Cast moved its headquarters after its genesis in Silicon Valley, and Mr. Adelman says he’s able to stretch his angel round of investment four times as far.

So the federal government is literally giving away money to start-up tech companies to compete at a huge advantage against actual Canadian companies? Nearly 80% of the payroll is funded from taxes, partly collected from the domestic competition? Does this seem like a good idea to anyone who isn’t already drawing 100% of their income from Ottawa?

The government is particularly badly suited to picking technology winners, and this program sounds like a vast give-away for the well-connected few, literally at the expense of everyone else. Maple-flavoured crony capitalism, with the official stamp of approval of Stephen Harper’s “conservative” government.

May 25, 2014

Russian rocket export ban means increasing opportunities for private enterprise in space

Filed under: Russia, Space, Technology, USA — Nicholas @ 09:46

Strategy Page looks at the knock-on effects of the Russian government banning the export of rocket engines to the United States:

The U.S. government is being forced to use satellite launchers developed without government financing because the usual methods of obtaining these launchers are falling apart and currently are unable to supply enough rockets to get all American military satellites into orbit. The immediate cause of this problem is the recent (since earlier this year) Russian aggression against Ukraine. The U.S. responded to this aggression by placing sanctions on some Russian officials and firms. Russia responded to that by halting RD-180 shipments to the United States. That’s a breach of contract and it will do enormous damage to Russian exports in the future because now many countries and firms realize that a contract with a Russian firm can be cancelled by the Russian government for any reason. This was always seen as a risk when doing business with Russia and many Western firms declined to do so or have pulled out of Russia in the last decade because of the growing unreliability of Russia as a business partner. The RD-180 affair got a lot of publicity, all of it bad with regard to future Russian exports of high-end industrial items. Europe, which gets about a third of its natural gas from Russia, is already looking for alternate sources and investors are fleeing Russia (and taking their money with them).

[…]

This is good news for the new private firms that are developing rockets for launching stuff into orbit. One such firm is SpaceX (Space Exploration Technologies Corporation) and it has been trying to break the current cartel controlling U.S. government satellite launch services. Since 2006 all this business has gone to a government-approved monopoly called the ULA (United Launch Alliance) which is composed of Lockheed Martin (Atlas 5 rocket) and Boeing (Delta 4). These two firms have dominated U.S. space launches for over half a century. Because of the RD-180 the Atlas 5 is more attractive (in terms of performance and price) than the Delta 4. Meanwhile SpaceX expects to have an Atlas 5 competitor ready in a few years.

In 2012 SpaceX obtained its first contract to launch U.S. military cargo into space. SpaceX had earlier obtained a NASA contract which included 12 deliveries to the International Space Station (at $134 million each). What makes all this so noteworthy is that SpaceX developed its own launch rockets without any government help. SpaceX also developed the Dragon space vehicle, for delivering personnel and supplies to the International Space Station.

SpaceX has since proved that its rockets work and is pointing out that the SpaceX rockets can do the job cheaper than ULA. Currently ULA gets a billion dollar a year subsidy from the government that SpaceX would not require. SpaceX still has to get all the paperwork and approvals done so that they can handle classified missions. SpaceX does not see this as a problem; it’s simply going to take another year to satisfy all the bureaucrats and regulations.

May 24, 2014

The technological democratization of law enforcement and the rise of “Little Brother”

Filed under: Liberty, Technology, USA — Nicholas @ 09:44

If you care about your privacy, you’re equally worried about the intrusive surveillance state and the unconstrained snooping of corporations. You may now need to worry about your snoopy neighbours also getting in on the act, as Declan McCullagh explains on Google+. This is a response to someone on a private mailing list for Silicon Valley folks, who said that he had no issue with automated collection of license plate data:

Tomorrow one of your PV [Portola Valley] neighbors will set up a computer-connected camera on private property and aimed at the street. It records all those “plates exposed” going by and, by doing optical character recognition with free software such as ANPR MX (C# code, BSD-licensed), it records every time a car goes by. The DMV will happily provide drivers’ names based on the license plate*; there’s even a process for “bulk quantities” of data.** That information doesn’t include a home address, but that’s easy to come by through other searches.

Then the neighbor launches PVPeopleTracker.com. It updates in real time showing whenever someone is at home, and marks their house in bright red if they’re gone on an extended trip. If there are odd patterns of movement compared to a baseline — perhaps suspicious late-night outings — those can be flagged as well. Any visitor to PVPeopleTracker.com can sign up for handy free email alerts reporting at what time their targeted house becomes vacant each weekday morning. Other network-linked cameras in PV can supplement the PVPeopleTracker.com database, so that everyone driving in town will have their movements monitored, archived, and publicly visible at all times.

With more than one network-linked camera separated by a known distance by roads with known speed limits, it would be simple to calculate speeding violations and send automated alerts, with MP4 videos attached as evidence, to the sheriff and CHP. PVPeopleTracker.com can also be cross-referenced against databases showing, say, marijuana convictions; if your movement profile matches a known drug trafficker, law enforcement can be alerted. (Sorry about those false positives!)

May 23, 2014

QotD: Futurologists

Futurologists are almost always wrong. Indeed, Clive James invented a word – “Hermie” – to denote an inaccurate prediction by a futurologist. This was an ironic tribute to the cold war strategist and, in later life, pop futurologist Herman Kahn. It was slightly unfair, because Kahn made so many fairly obvious predictions – mobile phones and the like – that it was inevitable quite a few would be right.

Even poppier was Alvin Toffler, with his 1970 book Future Shock, which suggested that the pace of technological change would cause psychological breakdown and social paralysis, not an obvious feature of the Facebook generation. Most inaccurate of all was Paul R Ehrlich who, in The Population Bomb, predicted that hundreds of millions would die of starvation in the 1970s. Hunger, in fact, has since declined quite rapidly.

Perhaps the most significant inaccuracy concerned artificial intelligence (AI). In 1956 the polymath Herbert Simon predicted that “machines will be capable, within 20 years, of doing any work a man can do” and in 1967 the cognitive scientist Marvin Minsky announced that “within a generation … the problem of creating ‘artificial intelligence’ will substantially be solved”. Yet, in spite of all the hype and the dizzying increases in the power and speed of computers, we are nowhere near creating a thinking machine.

Bryan Appleyard, “Why futurologists are always wrong – and why we should be sceptical of techno-utopians: From predicting AI within 20 years to mass-starvation in the 1970s, those who foretell the future often come close to doomsday preachers”, New Statesman, 2014-04-10.

May 16, 2014

The built-in confusion about net neutrality

While I’ve been following the net neutrality debate, I was still unconvinced that either side had the answers. In a post from 2008, ESR helps to explain why I was confused:

Let it be clear from the outset that the telcos are putting their case for being allowed to do these things with breathtaking hypocrisy. They honk about how awful it is that regulation keeps them from setting their own terms, blithely ignoring the fact that their last-mile monopoly is entirely a creature of regulation. In effect, Theodore Vail and the old Bell System bribed the Feds to steal the last mile out from under the public’s nose between 1878 and 1920; the wireline telcos have been squatting on that unnatural monopoly ever since as if they actually had some legitimate property right to it.

But the telcos’ crimes aren’t merely historical. They have repeatedly bargained for the right to exclude competitors from their networks on the grounds that if the regulators would let them do that, they’d be able to generate enough capital to deploy broadband everywhere. That promise has been repeatedly, egregiously broken. Instead, they’ve creamed off that monopoly rent as profit or used it to cross-subsidize competition in businesses with higher rates of return. (Oh, and of course, to bribe legislators and buy regulators.)

Mistake #1 for libertarians to avoid is falling for the telcos’ “we’re pro-free market” bullshit. They’re anything but; what they really want is a politically sheltered monopoly in which they have captured the regulators and created business conditions that fetter everyone but them.

OK, so if the telcos are such villainous scum, the pro-network-neutrality activists must be the heroes of this story, right?

Unfortunately, no.

Your typical network-neutrality activist is a good-government left-liberal who is instinctively hostile to market-based approaches. These people think, rather, that if they can somehow come up with the right regulatory formula, they can jawbone the government into making the telcos play nice. They’re ideologically incapable of questioning the assumption that bandwidth is a scarce “public good” that has to be regulated. They don’t get it that complicated regulations favor the incumbent who can afford to darken the sky with lawyers, and they really don’t get it about outright regulatory capture, a game at which the telcos are past masters.

[…]

In short, the “network neutrality” crowd is mainly composed of well-meaning fools blinded by their own statism, and consequently serving mainly as useful idiots for the telcos’ program of ever-more labyrinthine and manipulable regulation. If I were a telco executive, I’d be on my knees every night thanking my god(s) for this “opposition”. Mistake #2 for any libertarian to avoid is backing these clowns.

In the comments, he summarizes “the history of the Bell System’s theft of the last mile”.

May 15, 2014

The NSA’s self-described mission – “Collect it all. Know it all. Exploit it all.”

Filed under: Government, Liberty, Media, Technology — Nicholas @ 07:31

In The Atlantic, Conor Friedersdorf reviews Glenn Greenwald’s new book, No Place to Hide:

NSA - New Collection Posture

Collect it all. Know it all. Exploit it all.

That totalitarian approach came straight from the top. Outgoing NSA chief Keith Alexander began using “collect it all” in Iraq at the height of the counterinsurgency. Eventually, he aimed similar tools at hundreds of millions of innocent people living in liberal democracies at peace, not war zones under occupation.

The strongest passages in No Place to Hide convey the awesome spying powers amassed by the U.S. government and its surveillance partners; the clear and present danger they pose to privacy; and the ideology of the national-security state. The NSA really is intent on subverting every method a human could use to communicate without the state being able to monitor the conversation.

U.S. officials regard the unprecedented concentration of power that would entail to be less dangerous than the alternative. They can’t conceive of serious abuses perpetrated by the federal government, though recent U.S. history offers many examples.

[…]

But it is a mistake (albeit a common one) to survey the NSA-surveillance controversy and to conclude that Greenwald represents the radical position. His writing can be acerbic, mordant, biting, trenchant, scathing, scornful, and caustic. He is stubbornly uncompromising in his principles, as dramatized by how close he came to quitting The Guardian when it wasn’t moving as fast as he wanted to publish the first story sourced to Edward Snowden. Unlike many famous journalists, he is not deferential to U.S. leaders.

Yet tone and zeal should never be mistaken for radicalism on the core question before us: What should America’s approach to state surveillance be? “Defenders of suspicionless mass surveillance often insist … that some spying is always necessary. But this is a straw man … nobody disagrees with that,” Greenwald explains. “The alternative to mass surveillance is not the complete elimination of surveillance. It is, instead, targeted surveillance, aimed only at those for whom there is substantial evidence to believe they are engaged in real wrongdoing.”

That’s as traditionally American as the Fourth Amendment.

Targeted surveillance “is consistent with American constitutional values and basic precepts of Western justice,” Greenwald continues. Notice that the authority he most often cites to justify his position is the Constitution. That’s not the mark of a radical. In fact, so many aspects of Greenwald’s book and the positions that he takes on surveillance are deeply, unmistakably conservative.

May 14, 2014

Turning pixel weapons into bronze and steel

Filed under: Gaming, Technology, Weapons — Nicholas @ 07:41

I thought this Geek & Sundry project might be interesting. It’s called Arcade Arms and the idea is they take a weapon from an online game and try to create a real-world version, then use that to see what kind of damage you can do with it. The first episode is about a massively oversize mace from the game Elder Scrolls Online:

Published on 13 May 2014

Jake Powning shows Nika Harper how to forge the Mace of Molag Bal, featured in The Elder Scrolls series. Then Andre Sinou shows her how much damage a mace can really do!

Get Elder Scrolls Online for yourself: http://www.elderscrollsonline.com

In Arcade Arms Nika brings gaming into real life by taking the most potent digital weapons, from Final Fantasy XIV’s Gae Bolg to Elder Scrolls Online’s Mace of Molag Bal, and smashing things with their real life counterparts.

Real world downer note: most single-handed weapons were significantly lighter than this fantasy mace: it clocks in at 35 pounds, which is a lot more weight than you’d be able to swing in a real fight (their combat demonstrator also points this out … and note how much smaller the examples he shows are compared to the “Mace of Molag Bal”).

I’d hoped there would be more “how we made this” footage, but I understand the majority of the audience only really want to see how much damage the weapon can do…

May 12, 2014

Amazon gets a patent for a decades-old photographic technique

Filed under: Bureaucracy, Business, Government, Technology — Nicholas @ 06:42

Stephen Shankland provides another exhibit in the patent-system-is-broken case:

Amazon - Studio Arrangement patent

Photographers are hooting derisively at a patent Amazon won in 2014 for a photography lighting technique that’s been in use for decades, a patent that’s helped undermine the credibility of the patent system.

Amazon’s patent 8,676,045, granted in March and titled “Studio Arrangement,” describes a particular configuration of the photography subject in the foreground and a brightly lit white screen behind, an approach that “blows out” the background to cleanly isolate the subject.

It’s a fine idea, but not a novel invention, argued David Hobby, a professional photographer since 1988 who runs the Strobist site that for years has been a popular source of advice on flash photography. He used the approach himself as a staff photographer on his first job decades ago for a business publication.

May 11, 2014

The NSA worked very hard to set themselves up for the Snowden leaks

Filed under: Government, Liberty, Technology — Nicholas @ 10:30

A few days back, Charles Stross pointed out one of the most ironic points of interest in the NSA scandal … they did it to themselves, over the course of several years’ effort:

I don’t need to tell you about the global surveillance disclosures of 2013 to the present — it’s no exaggeration to call them the biggest secret intelligence leak in history, a monumental gaffe (from the perspective of the espionage-industrial complex) and a security officer’s worst nightmare.

But it occurs to me that it’s worth pointing out that the NSA set themselves up for it by preventing the early internet specifications from including transport layer encryption.

At every step in the development of the public internet the NSA systematically lobbied for weaker security, to enhance their own information-gathering capabilities. The trouble is, the success of the internet protocols created a networking monoculture that the NSA themselves came to rely on for their internal infrastructure. The same security holes that the NSA relied on to gain access to your (or Osama bin Laden’s) email allowed gangsters to steal passwords and login credentials and credit card numbers. And ultimately these same baked-in security holes allowed Edward Snowden — who, let us remember, is merely one guy: a talented system administrator and programmer, but no Clark Kent — to rampage through their internal information systems.

The moral of the story is clear: be very cautious about poisoning the banquet you serve your guests, lest you end up accidentally ingesting it yourself.

May 6, 2014

Reset the Net on June 5th

Filed under: Liberty, Media, Technology — Nicholas @ 09:58

At Wired, Kim Zetter talks about an initiative to reclaim (some measure of) privacy on the internet:

A coalition of nearly two dozen tech companies and civil liberties groups is launching a new fight against mass internet surveillance, hoping to battle the NSA in much the same way online campaigners pushed back on bad piracy legislation in 2012.

The new coalition, organized by Fight for the Future, is planning a Reset the Net day of action on June 5, the anniversary of the date the first Edward Snowden story broke detailing the government’s PRISM program, based on documents leaked by the former NSA contractor.

“Government spies have a weakness: they can hack anybody, but they can’t hack everybody,” the organizers behind the Reset the Net movement say in their video (above). “Folks like the NSA depend on collecting insecure data from tapped fiber. They depend on our mistakes, mistakes we can fix.”

To that end, the groups are calling on developers to add at least one NSA-resistant feature to mobile apps, and on websites to add security features like SSL (Secure Sockets Layer), HSTS (HTTP Strict Transport Security), and Perfect Forward Secrecy to better secure the communication of users and thwart government man-in-the-middle attacks.
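The Wired excerpt above asks site operators to turn on HSTS, but a header that is merely present can still leave visitors unprotected (a tiny max-age, subdomains left uncovered, a malformed value that browsers discard). The following is an added example, not code from the original post, from Wired or from the Reset the Net campaign: it parses a Strict-Transport-Security header the way RFC 6797 describes (semicolon-separated directives, mandatory max-age, case-insensitive names, no directive repeated, unknown directives ignored) and gives a one-line verdict. The sample header values are constructed for the example, and the one-year threshold is the common deployment guidance rather than anything the article states.

```python
"""Evaluate Strict-Transport-Security (HSTS) response headers.

Added example, not from the original post or the Reset the Net campaign.
It parses the header a site sends and reports whether the policy actually
protects visitors, which is the check a site owner would run after
"adding HSTS".  The sample headers at the bottom are constructed.
"""
from dataclasses import dataclass
from typing import Optional

ONE_YEAR = 365 * 24 * 3600  # max-age commonly recommended for a durable policy (assumption)


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header_value: Optional[str]) -> Optional[HstsPolicy]:
    """Parse an STS header value per RFC 6797 rules; return None if absent or invalid.

    Rules applied: directives are ';'-separated, names are case-insensitive,
    max-age is required and must be a non-negative integer (optionally quoted),
    and no directive may appear twice.  Unknown directives are ignored.
    """
    if header_value is None:
        return None
    seen = set()
    max_age = None
    include_subdomains = False
    preload = False
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue  # tolerate trailing or doubled semicolons
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in seen:
            return None  # a repeated directive invalidates the whole header
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():
                return None  # max-age must be a non-negative integer
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # any other directive name is ignored, as the RFC requires
    if max_age is None:
        return None  # max-age is mandatory
    return HstsPolicy(max_age, include_subdomains, preload)


def assess_hsts(header_value: Optional[str]) -> str:
    """Turn a header into a one-line verdict a site owner can act on."""
    policy = parse_hsts(header_value)
    if policy is None:
        return "no valid HSTS policy: browsers will keep accepting plain-HTTP connections"
    if policy.max_age == 0:
        return "max-age=0: this header clears any stored policy rather than setting one"
    problems = []
    if policy.max_age < ONE_YEAR:
        problems.append(f"max-age {policy.max_age}s is shorter than one year")
    if not policy.include_subdomains:
        problems.append("subdomains are not covered")
    if policy.preload and problems:
        problems.append("preload requested but preload-list requirements are not met")
    if problems:
        return "weak HSTS policy: " + "; ".join(problems)
    return "strong HSTS policy"


# Constructed sample headers, as a site scanner might collect them.
SAMPLE_HEADERS = {
    "no header": None,
    "short": "max-age=300",
    "good": "max-age=31536000; includeSubDomains; preload",
    "quoted": 'max-age="31536000"; includeSubDomains',
    "cleared": "max-age=0",
    "duplicate": "max-age=100; max-age=200",
    "unknown-directive": "max-age=31536000; includeSubDomains; foo=bar",
}

if __name__ == "__main__":
    for label, value in SAMPLE_HEADERS.items():
        print(f"{label:18} -> {assess_hsts(value)}")
```

The duplicate-directive and `max-age=0` cases are the ones that bite in practice: a duplicated header from two layers of middleware is silently discarded by the browser, and a `max-age=0` left over from a rollback actively erases the policy visitors already stored.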

May 1, 2014

SpaceX and the successful re-entry experiment

Filed under: Space, Technology — Nicholas @ 07:58

Amanda Wills talks about the most recent SpaceX achievement:

When SpaceX launched its Dragon supply mission to the International Space Station on April 18, it tried something revolutionary after the spacecraft was safely in orbit.

Behind the scenes, CEO Elon Musk and his team had been testing the reusability of this rocket. On that Friday, the team returned part of it to Earth for the first time in history. Once Dragon was in space, the first stage separated and re-entered Earth’s atmosphere. As the helium-filled rocket slowed, it extended four 25-foot-long landing legs and used its thrusters to briefly hover over the Atlantic Ocean before plopping down ever so gently onto its surface.

Musk and his team pulled it off — a huge feat considering that the chance of success was only around 30% to 40%. The SpaceX team recovered the raw video from the camera that was on board Falcon 9, and software engineers have spent the last week trying to repair the footage, which was taken just before splashdown.

[…]

The team was able to bring back the first stage. The rocket was clearly vertical — an important detail in testing reusable rockets — and the soft landing was successful. However, the weather wasn’t cooperative that day and the stage was destroyed by rough waves. Fortunately, Musk said his team was able to recover bits of the rocket.

April 30, 2014

What if real life had lag like online games do?

Filed under: Humour, Technology — Nicholas @ 00:01

You wouldn’t accept lag offline, so why do it online? ume.net, a fiber broadband provider that offers up to 1000 Mbit/s, performed an experiment. Four volunteers got to experience the internet’s biggest disturbance in real life – lag.

H/T to Jeff Sher for the link.
