The War On Users

This piece just went out in the weekly newsletter, along with breach, robot and TSA news and some breaking news about a voter information breach. You can subscribe to the newsletter here or read the current issue here.

A few weeks ago I sent myself an email. Because oddly it’s still the easiest way to move individual files from one device to another. I sent it without subject or content, just the attachment. A few seconds later the email hits my tablet but I can see even without opening the email that there’s content.

What’s this, then?

Opening the email I find that my antivirus attached a signature at the end of my email advertising itself. “This email was scanned by Avast Antivirus and is safe!” or some similar foolishness. Of course, never having authorized the program to attach signatures to my email I was more than a little curious and annoyed. Digging into the program I found that since I had updated the program engine that day it added a function to attach its own signature to my emails and then automatically opted me in without so much as a courtesy notification. This kind of thing, of course, is not the way legitimate software acts. This is the stink of malware. So I abandoned the antivirus I’ve used and recommended for years and wondered just what the hell they were thinking.

Avast’s egregious fuckery falls into place with a dynamic that’s seized the technology world and undone decades of careful work: put simply, it’s a war on users. User loyalty is no longer a prominent dynamic, nor is usability. Nearly every service I use now puts things in between me and what I want to get done. Apple’s Music app reworked the user interface to advertise its own junk before you could actually get to a place to play your music that you had on your device. Google Play Music now does the same thing, spawning me into the “Listen” screen where they want me to buy their streaming service. It takes me an extra few clicks to just get to my damn MP3s. Twitter’s begun destroying its own usability by displaying tweets out of chronological order in timelines.

There is a war on users and what suffers is not only our productivity and efficiency but really the enjoyability of the platforms pulling these shenanigans. I shouldn’t have to paw through three different screens just to get to the music I bought through your app. I know you have new streaming services or some exclusive concert you’d like me to listen to. I don’t care. We spent three decades perfecting user interfaces according to User Experience (UX) guidelines – make things simpler, easier, faster. And we’ve undone that in the span of three years just to badger people into buying extra crap.

I had a nightmare once that coin-operated video game arcades never existed as we know them (and I have fond, fond memories of spending hours in Hampton Beach arcades feeding in quarter after quarter). In the nightmare you only got to the games after watching a revenue-generating advertisement and then passing through a series of screens “offering” extra paid services of the arcade. We got what we paid for but only after we saw what they wanted – and we all accepted it.

The war on users goes beyond UI and UX considerations. It’s obstructionist product placement. Word-of-mouth is no longer the goal for these services. They demand captive ears and eyes. And short of building our own platforms we suffer at their whims.

This is the future. Things should be getting easier for us, right?

Encryption is Math, not Politics

Just sent out issue 2 of the Neurovagrant Newsletter, containing this and more.


Last week security researcher Chris Vickery uncovered a massively insecure database belonging to the Hello Kitty line of products – which include a number of online components. Vickery found that the details of some 3.3 million accounts could be accessed including real name, gender, country of origin, password and birthday. Even more troubling is the fact that most of these accounts likely belong to children – and coming so quickly in the wake of the VTech toymaker hack in which four million parent accounts and six million child profiles were compromised, it should cause each parent about to buy an internet-connected toy some pause.

Vickery wasn’t done there. That week he “was on a rampage, reporting data breaches for companies and services like MacKeeper, security vendor for Macs (13 million accounts); OkHello, video chat app (2.6 million accounts); Slingo, online gaming site (2.5 million accounts); iFit, fitness app (576,000 accounts); Vixlet, social network (377,000 accounts); California Virtual Academies, online school network (74,000 accounts); and Hzone, dating app for HIV patients (5,027 accounts).”

On Thursday Juniper Networks announced that its Virtual Private Network operating system ScreenOS had been compromised for at least the last four years. Juniper is a giant in the business of VPNs, which allow you to do things like access work networks from outside the office or protect your internet traffic from those seeking to intercept it. It appears two separate backdoors were installed into ScreenOS including one that utilized a cryptographic algorithm known to have been weakened at the direction of the National Security Agency – Dual_EC_DRBG. Attackers took advantage of engineered weaknesses to intercept the traffic of Juniper clients. To what extent is not yet known, but again: the backdoor had been present for the past four years.

Enter most of the 2016 presidential candidates. The entirety of the GOP candidates appear to be “against encryption” – a laughably simple argument considering encryption powers just about every bit of commerce and civic life we’re involved in. Encryption safeguards your card information when you purchase something on the internet but also when you use a card in-store; the point-of-sale machine connects to a payment processor, and when the encryption and/or segmentation there fails we see retail store POS breaches like Target or the processor-side TJX/Heartland breach. A strong economy relies on strong encryption. So does a strong healthcare system – healthcare breaches constitute the lion’s share of breaches in the past several years. Strong government itself relies on strong encryption. The OPM hack of this year shows us that. Not only did attackers gain an incredible data trove on law enforcement, intelligence and military members but having extended access to the database raises the specter of information being added, allowing deep infiltration of important institutions.

The encryption debate – often termed The Crypto Wars by those involved – has popped up repeatedly since we became an information-heavy society. The latest round of Crypto Wars all but ended earlier this year in a resounding defeat for those seeking weaker encryption thanks to a strong, universal agreement among security experts that installing system backdoors cannot be done without weakening the system to other attackers. We cannot produce a golden key that only allows authorized access. Backdoors are by definition security vulnerabilities. Encryption in the sense we talk about it, whether we’re talking about credit card payment systems or messaging apps, is a form of mathematics. When we talk about algorithms we’re not talking about some kind of arcane code but rather mathematical formulas. A formula is a relationship. The right relationships between variables can do things like create nearly-unguessable random number sequences. Tweak that relationship even a little bit – as was done with Dual_EC_DRBG, mentioned above – and you instantly change the formula in huge ways, sometimes drastically reducing the amount of computer power/time needed to work out what numbers the formula is going to produce.

This is a vast simplification of the math involved – but it is math. No amount of magical thinking or politicking will change the fact that encryption is, at its core, a mathematical problem. And unlike the statistics shenanigans politicians are used to playing when it comes to polling, these numbers don’t bend.
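To make the Dual_EC_DRBG point concrete, here is an added example (not part of the original newsletter, and not code from the standard or from Juniper): a simplified generator of the same shape, in which whoever chose the two public constants and kept the number `d` linking them can reproduce every future output from a single observed one. Assumptions: the curve is y² = x³ + 7 over the secp256k1 prime rather than the NIST curve, outputs are not truncated, and `D_SECRET`, `SEED` and all function names are constructed for illustration.

```python
"""Simplified Dual_EC_DRBG-style generator with a designer backdoor.

Added illustration, not from the original post. Assumptions: curve
y^2 = x^3 + 7 over the secp256k1 prime (its group has prime order),
no output truncation, constructed secret and seed.
"""

P_FIELD = 2**256 - 2**32 - 977   # field prime, p % 4 == 3
B = 7                            # curve constant b (a = 0)
D_SECRET = 0xC0FFEE              # constructed: the designer's hidden number
SEED = 0x5EED5EED5EED            # constructed: the victim's secret seed


def ec_add(p1, p2):
    """Add two affine points; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_FIELD == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1 % P_FIELD, -1, P_FIELD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_FIELD, -1, P_FIELD)
    lam %= P_FIELD
    x3 = (lam * lam - x1 - x2) % P_FIELD
    return (x3, (lam * (x1 - x3) - y1) % P_FIELD)


def ec_mul(k, point):
    """Double-and-add scalar multiplication."""
    result = None
    while k:
        if k & 1:
            result = ec_add(result, point)
        point = ec_add(point, point)
        k >>= 1
    return result


def lift_x(x):
    """Return a curve point with x-coordinate x, or None if none exists."""
    rhs = (pow(x, 3, P_FIELD) + B) % P_FIELD
    y = pow(rhs, (P_FIELD + 1) // 4, P_FIELD)   # square root since p % 4 == 3
    return (x, y) if y * y % P_FIELD == rhs else None


def public_constants(d):
    """Designer picks Q, then publishes P = d*Q while keeping d private."""
    x = 1
    while lift_x(x) is None:
        x += 1
    q = lift_x(x)
    return ec_mul(d, q), q


class DualEcLike:
    """State update s' = x(s*P), output r = x(s'*Q), as in Dual_EC_DRBG."""

    def __init__(self, p_pub, q_pub, seed):
        self.p_pub, self.q_pub, self.state = p_pub, q_pub, seed

    def next_output(self):
        self.state = ec_mul(self.state, self.p_pub)[0]
        return ec_mul(self.state, self.q_pub)[0]


def predict_stream(observed, d, p_pub, q_pub, count):
    """Reproduce the next `count` outputs from one observed output and d.

    observed = x(s*Q); lifting it gives +/-(s*Q), and d*(s*Q) = s*P, whose
    x-coordinate is exactly the generator's next internal state.
    """
    state = ec_mul(d, lift_x(observed))[0]
    outputs = []
    for _ in range(count):
        outputs.append(ec_mul(state, q_pub)[0])
        state = ec_mul(state, p_pub)[0]
    return outputs


if __name__ == "__main__":
    p_pub, q_pub = public_constants(D_SECRET)
    victim = DualEcLike(p_pub, q_pub, SEED)
    seen = victim.next_output()                      # a single public output
    future = [victim.next_output() for _ in range(3)]
    print("with d:   ", predict_stream(seen, D_SECRET, p_pub, q_pub, 3) == future)
    print("wrong d:  ", predict_stream(seen, D_SECRET + 1, p_pub, q_pub, 3) == future)
```

The generator's security rests entirely on nobody knowing `d`, which is why public constants of unexplained origin are treated as a vulnerability rather than a feature.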

The Crypto-Wars reignited after the Paris attacks. Oddly so, since there’s not one iota of evidence that attackers used encryption. FBI Director Comey continues to make statements in his interest about terrorists using encryption and those statements continue to be disproven as investigations move forward and we learn more details. Statements like “their phones included encryption” are disingenuous at best – all modern cellphones include encryption of various sorts. The authorities depend on vague and unprovable statements and emotion to sway public opinion while information security experts have issued a resounding opinion: you cannot build a backdoor that no one else can exploit.

Hillary Clinton has called for a “Manhattan Project” in order to help law enforcement break into encrypted communications while leaving them secure and this is as doomed a project as that of any Republican. The comparison to the original Manhattan Project is an immediate failure: they were working with the physics, Hillary wants experts to work against the math. Mathematics is not an issue you can legislate or threaten your way out of, something the Catholic Church learned the hard way ages ago. Tweak the smallest parameter in an algorithmic relationship and you put at risk anything in that system – financial access, health data, intelligence agent backgrounds and their biometrics.

In crypto even more than in politics, we ignore the numbers at our peril.

Errata: Linux 0day, Blockchain stock sales, Diffie-Hellman hardening, Schoolgirls, OPM, Pixel-C

Hector Marco: Back to 28: Grub2 Authentication 0-Day – Bunch of Linux distros apparently launch into rescue shell when you hit backspace 28 times at Grub (bypassing authentication). Are you kidding me with this?

Engadget via pi8you: Bitcoin tech approved as a way to issue shares – “[Overstock] built its own crypto-currency tech via a subsidiary called T0 (T-Zero), and uses open-source Colored Coins to issue stock in the form of “blockchains,” a type of electronic ledger.” – Rumor is that Overstock lost a boatload of money integrating bitcoin into their sales platform. Wonder if this is doubling down on a bad bet.

Farsight Security: Hardening Encrypted Communications Against Diffie-Hellman Precomputation Attacks – Great primer on strengths and weaknesses of current encryption schemes and applying that knowledge to your own servers.

Motherboard: What the Hell Is Up with This Homicidal Japanese Schoolgirl Simulator? – “I still got busted though. I guess I forgot to get rid of the bloody clothes. One day, I’ll figure out how to get off clean, and then it will be just me and the boy I like. Senpai will be mine.”

Milton Security: New report shows extent of OPM failure in breach – “The OPM inspector general has found that in OPM’s haste to set up protection services, the agreement with CSID violated federal contracting regulations. OPM did not provide a full scope of work, they failed to do enough market research, they had an incomplete acquisition plan, and exceeded dollar limits on blanket agreements.” – Definition of omnishambles.

TNW: Google’s AMA for the Pixel C went sideways as Redditors exposed its flaws – “When Redditors weren’t taking the Googlers to task for the Pixel C’s lack of stylus, not packaging the keyboard with the device or Android’s lack of split-screen functionality, they were going hard about SD Card support and its price point.” – Kind of disappointed in the Pixel C in the sense that Google seems to have fallen to thinking “If we build the hardware, they will come” and little else.

Errata: Racist Michigan Rep, Active Shooter Insurance, Academic Heist, Carson’s Still an Idiot

Raw Story: Mich. Repub ripped after suggesting that making black students white would ‘fix’ school issues – ‘Footage posted by the American Federation of Teachers (AFT) shows Knollenberg saying during a state Senate committee meeting on Thursday, “You mentioned these school districts failing, and you mention economically disadvantaged and non-white population are contributors to that. I know we can’t fix that. We can’t make an African-American white. That’s just, it is what it is.”’ – also – ‘He denied citing race as a specific factor and pointed out that he has a black employee at his insurance company.’ – Horrifying.

CNBC: Interest in active shooter insurance grows – “The insurance policy covers potential liability if an institution is deemed not to have taken the steps needed to prevent gun violence, according to Fortune.” – WELL now that insurers are set to make a profit off mass shootings I think it’s even safer to say legislators are going to do fuck all about the issue. The NRA profiting off putting the country at risk isn’t enough – now the financiers are in on it. I’m waiting for securitization of security-weakening legislation, a new derivatives market that lays bets on the specifics of the next shooting.

Reuters: Czech MEP accused of trying to snatch 350 million euros from Swiss bank – “They include Miloslav Ransdorf, 62, an expert on Karl Marx and a former philosophy teacher who speaks about dozen languages and who has served in the European Parliament since the Czech Republic’s entry to the European Union in 2004.” – Can’t wait for the movie version of this.

MSNBC: Ben Carson to veterans: ‘Deal with the transgender thing somewhere else’ – ‘“If you can’t lift, you know, a 175 pound person on your shoulder and hoist them out of there, I don’t want you as my backup,” he continued.’ – I love that a guy who had the courage to direct an armed robber at someone else and brag about it finds himself fit to judge combat readiness.

NBC: President Jimmy Carter Says Cancer in Brain Is Gone – The one good bit of news I’ve seen all December. So thankful for this.

Fucking with the Data Gods

First of December and my head’s still stuck in early AD, maybe even late BC. Still thinking about one of the images from my last post – namely, pre-Christian Britons depositing weapons and riches into lakes to honor and impress the gods. It hit me after writing about that in one context (projecting Fiction Conditions) that it serves well in another. I’m taken right now by how well it describes our current approach to data.

As valuable as it is, we toss our data in lakes with all the rest. We toss it in as tribute to the Data Gods in exchange for the hope that they’ll grant us favor, extend useful services, light a path towards prosperity and productivity. And we offer data to project current or idealized status as well – instagramming delicious-looking meals, vlogging the unboxing of expensive gadgets, curating and authoring tweets to portray a certain image. Young people broadcast pictures of themselves holding wads of cash. Older people curate their daily activities and accomplishments for others to marvel at. We’re projecting to peers rather than the gods, but the latter could hardly fail to take notice. I’ve not yet seen a social media algorithm tailored to call people on their bullshit.

(That’s what we’re supposed to do, I suppose.)

Our idealized or weaponized self-data joins the rest in the lake and, as Briton axes, the lake itself is conquered by Romans and sold off to speculative entrepreneurs looking to recover, sort and profit off the contents. They do this in the hopes that they’ll eventually be the conquering Romans – and then the gods themselves, having preempted the established order by lighting just the right signal fire on just the right hill. We’re the Postconquered. We thought we were giving to the gods and gave ourselves to the Romans instead. Who promptly sold us to the Shkrelis.

George Dyson’s SALT talk had a great image, that of canoe construction. Canoes are built in one of two ways: in environments with little wood, only the frame is built from wood and a skin is stretched over it. In wood-rich environments canoes are dug out from larger blocks of wood reflecting the resource abundance. We now approach information in the latter way, carving information out of much larger blocks.

Now that we take such an active role in that, even our dugout methods produce data. As does, of course, commercial activity. And we now seem to be incentivized to keep making canoes and keep engaging in transactions not for the commercial value but the data value. The details are more valuable than the material-driven profit. We’re on the radar screen of the data gods and it only refreshes when we produce more data – so they want us to keep producing data for data’s sake.

I’m left thinking, in the end, of Gemma Galdon Clavell’s charge from FutureEverything 2015: get acquainted with your data-double and then sabotage it.

Imagine an entire nation of lakes sold off on the speculation that they contain insight-heavy riches only to discover they’re little more than mud and oil-slick mirages. The few services tossed our way – the Gmails, the Twitters – crumble as they realize the lakes are fouled, the data spurious. But not immediately. Much like the whole online ad business seems to be built on flimsy, deceptive foundations, big data could persist for a while. Could fool itself and the tiers of business that filter down from the hilltop.

Until a reckoning. Or until a disruptive signal fire is lit for all to see.

Galdon Clavell’s charge in mind, do we continue as the Postconquered data sources, or do we begin to fuck with the gods?

Errata: In-game Nuke Disarmament, VR, Toy Hack, Smart TV hack, Trump & Heller

Ars Technica: The worldwide effort to disarm Metal Gear Solid V’s nuclear weapons – ‘As Konami recently officially announced, a “secret nuclear disarmament event” will be triggered for all players only when “All nuclear weapons on the regional server corresponding to your console or platform must have been dismantled. In other words, the amount of nukes on your platform’s server must be equal to 0.”‘ – This is going to be fascinating to watch play out – principle-driven or benefit-driven disarmament leaving parties at a tactical disadvantage, and how that’ll affect gameplay. Factions already rising.

Motherboard: One of the Largest Hacks Yet Exposes Data on Hundreds of Thousands of Kids – “The personal information of almost 5 million parents and more than 200,000 kids was exposed earlier this month after a hacker broke into the servers of a Chinese company that sells kids toys and gadgets…” – Why you should rethink buying your kid internet-connected toys (they almost invariably require giving up personal information). Info included headshots of kids as well as their chat logs. Good god.

Motherboard: Real Drugs, Virtual Reality: Meet the Psychonauts Tripping in the Rift – ‘ “Soon after dosing I had forgotten that I had the Rift on. The simulation was a grasslike landscape but I was too tripped out to actually walk around using the controller. I was sitting in my desk chair which has rubbery armrests. At some point I started to think I was a rabbit bunny thing, and started biting the rubbery armrests of my chair like a maniac thinking it was a carrot.”’

Motherboard: Sex Ed in VR Can Prepare Young Women for Actual Sex – “Using Oculus technology, users would enter dozens of lifelike scenarios to role-play consent, proper contraception use and other components of safe sex from a first-person perspective.”

Universe Today: Earth May Be “Hairy” with Dark Matter – “Prézeau used computer simulations to discover that when dark matter stream passes through a planet — dark matter passes right through us unlike ordinary matter — it’s focused into an ultra-dense filament or hair. Not a solo strand but a luxuriant crop bushy as a brewer’s beard.” – I always knew the universe approved of my beard. Now I have proof.

Security Ledger: Ransomware Works on Smart TVs, Too! – Spent a chunk of this weekend (in a Manhattan hotel) pondering Smart TVs as a platform to eavesdrop on people using insecure hotel wifi and pass on infections. More to come later – maybe in fiction, maybe just pondering.

Finally, was reading the fantastic comic Transmetropolitan in some downtime and was reminded of just how much Ellis foresaw Trump and his fans through the guise of Bob Heller:



Competing Magics and Fiction Conditions

Leaving my mid-Manhattan hotel to write at the Starbucks across the street: almost a smart idea.

Almost because: it is blasting Christmas music on November 29th. An impossibly young-sounding baby wails from the lower level trying to make its discomfort heard over the louder wail of festive saxophones.

I hear you, kid. I hear you.

Headphones are an option for me of course. One I’ve chosen. But there’s a problem: I’m primed to attend to underlying patterns and background stimuli. With that priming background music pops out from behind whatever I have playing.

I attend to the background. It’s a defense mechanism since that’s where my comfort lies. Conversations filter through even as I try to meld into the wall. Festive saxophones switch out for playful trumpets and well-meaning crooners intruding on my playlist.

Every time Christmas comes around I end up thoughtful about the period when Christianity overtook Paganism, especially through Briton eyes. The pagans saw it as a landscape of competing magics, according to archaeologist Barry Cunliffe among others. That war all but ended as Saint Patrick defied tradition to light the signal fire on the Hill of Slane first – rather than that on the Hill of Tara, as an insult to the primacy of the pagan nobility of Tara.

Magics never stop competing. They change and morph and adapt – or they’re not magics. More than fifteen hundred years after Patrick’s king-of-the-hill game I am surrounded by the recent trappings of his faith – now manifested in a jolly piano tune about travel, snow, something about a fire. The front window of this Starbucks is pasted with holly and mistletoe decals. Someone somewhere is upset that my coffee cup is red and lacks overt deference to the upcoming holiday.

Most people don’t give a shit.

Magics never stop competing, especially in New York City, I’ve found. This is my second trip here in three months – and the twenty years before that. The personal enterprise and entrepreneurship on display still hasn’t ceased to amaze me. Every corner in Manhattan someone else trying to make it work, but even more than that, trying to make it look like it’s working. The appearance, the display, the forward-looking optimism that whatever magic they’re weaving is working. That the mere portrayal that it’s working adds to its arcane power and future momentum.

British writer Warren Ellis recently charged an audience to act like they live in the Science Fiction Condition – “like you can do magic and hold séances for the future and build a brightness control for the sky. Act like you live in a place where you could walk into space if you wanted.” Britons have excelled at that kind of projection for ages. They used to toss all manner of weapons, coinage and other riches into various lakes not just as religious tribute but as a forward-looking projection of how they wanted the deceased to appear in the afterlife. Not to indicate current status – but to display their own sort of Fiction Condition even to the gods.

And as magics go, so this went – the conquering Romans later sold interests in British lakes to entrepreneurs looking to recover their riches. Strange women lying in ponds distributing swords may be no basis for a system of government, but it seemed to work fine as a basis for speculative investment. It can’t be any sillier than the securitization of mortgage clearing-house fraud that exploded in 2008, anyway.

Paradigms change – entire worldviews – and we’re all still looking to show the future how great we are there, even if we’re not quite there yet.

Someone a few tables over is talking about an app they’re building. The speakers are promising good times to come through happy, sentimental jazz. I’m maintaining my own Fiction Condition for the moment.

And still wondering what lake to drain for my treasure.

Review: Coming Out Like A Porn Star

Just finished reading my nineteenth book of the year, Coming Out Like a Porn Star: Essays on Pornography, Protection, and Privacy edited by Jiz Lee. On its face the book consisted of, as the description says, “personal stories of porn performers “coming out” to family, friends, partners, lovers and community.” Beyond the immediate experiences of that were intricate, complex portrayals of identity and self that quickly serve to shatter the stereotype of shallow or uneducated porn performers and sex workers.

In part the book serves as a new call to justice – a rallying cry for an end to the stigma around such sex work. The book itself is performative – as Dr. Mireille Miller-Young notes the history of Stonewall and similar acts as “the mounting awareness and activism of a new generation of queer people who did not wish or were not able to keep their sexual and gender identities and expressions “in the closet.” They bravely defied abuse by eschewing the tactics previous generations of queer people employed to survive harassment.” Careful to explain she’s not drawing an equivalency between sex work and racism, sexism or homophobic oppression, Miller-Young emphasizes that “these oppressive forces overlap and intersect in important ways” and such work has begun “claiming visibility as a tactic for gaining freedom.” The essays therein serve a dual purpose – some make bold, unapologetic, damn strong arguments for the destigmatization of sex work.

Others simply and heartbreakingly examine the penalties society levies for engaging in such work. Cyd Nova laid out one of the clearest and most stark visions – stalking, disownment, firing or objectification and estrangement. Nova condensed the threat of coming out perfectly: “This is the real grip of the painful coming-out narrative. It interrupts the concept that certain types of love are unconditional. In our society, it is considered acceptable for someone’s family to decide to take away their love for their child because of a choice they make.”

Emma Claire provided a related poignant moment in explaining how even less-harsh family narratives served to hurt more than help. ‘I heard, “We will love you no matter what” when I came out as a woman, which kind of sounded like I did something wrong rather than, “I have unconditional love for you and celebrate you.”’

So many other good points were made throughout the book. Tobi Hill-Meyer’s calling out of the ways porn is treated differently, as it’s criticized for rampant sexism while so much more popular media and even “educational” material got a pass. Both Tina Horn and Milcah Halili Orbacedo joining Jiz Lee in highlighting that their activities in porn were products of informed, negotiated consent and control, pleasure and performance combining with the personal agency long mythologized as absent from sex workers. AliceInBondageLand on getting into porn because she couldn’t find any that represented her identity. Zahra Stardust on how sex workers are “not a walking research project to appease the voyeurism and sexual tourism of middle-class careerist professionals who want access to our sexual communities while avoiding stigma and protecting their reputation” – something that struck me I had spent most of the book doing, to my discredit.

The other theme that struck me as both important and lovely were the ways in which contributors wrote about their own identity. Identity’s a funny thing with me as I’ve been through many of them over my thirty plus years, less sexual than existential, and multiple essays spoke to that idea in incredibly eloquent ways. Gala Vanting’s loving exploration of her “multi-whore identity” as central and normal, capped off with “What if I concerned myself more with coming in to me than on how best to come out to you?” Hayley Fingersmith’s incredible description of wearing masks. James Darling’s countless coming-outs amidst a certain amount of holding back. Lorelei Lee on truth and names.

There is no better topic to end on, I think, than the hopes and wishes of authors in Lee’s “Coming Out Like a Porn Star.” Amidst their past hurts and elations, alongside how they carry themselves presently, many covered how they’d like dialogue to continue. How they want to see it – or how they are consciously trying to shape it through the way they live. Which goes back to Miller-Young, destigmatization and defying a culture that requires sex workers to adhere to victimhood and shame. Lee’s own point about not subscribing to spectrums of shame, that “it doesn’t help to throw other kinds of porn or sex work under the bus,” stands out. Andre Shakti’s commonsense approach to treating “a supposedly radical issue (queerness, nonmonogamy, atheism, gender nonconformity) with the same nonchalance as you would a less controversial topic (accounting, marriage, cooking, the weather).” Drew DeVeaux on recognizing that porn stars, trans folks and others are not only recipients of care or services but also providers – that they have agency, goddammit. They not only play important, active roles in their own lives but those of many others as well.

(I spent ten minutes on that last sentence – “but those of” threw me off, which is sort of the point. How do I articulate that sex workers or other marginalized people are a massive force in the world at large without using a marginalizing term like “mainstream society?” Or by using “but those of many cisgendered folks as well” suggesting that services towards cisgendered folk are inherently different, in a separate category? I am so new to all this.)

To sum all this up bluntly – Jiz Lee’s “Coming Out Like a Porn Star” allowed me to enter a lot of personally painful areas of those involved with no threat to myself, other than to my preconceived notions. The essays were not just accessible but often brilliantly written and covered depth I hadn’t even conceived of surrounding the issues involved. I recommend it to everyone. Five stars, no bullshit.

I’ll leave off with one of my favorite quotes of the book, from Cinnamon Maxxine: “Fuck that. Fuck them. Do you.”

Errata: iPhone hack bounty, Unclaimed Dead, Fire Ant Swarms, Nanoparticles, Cancer-killing Viruses, more

Million-dollar bounty paid out for iPhone hack.

Fascinating article from the Journal of Forensic Sciences: “Who are the Unclaimed Dead?”

Fascinating Motherboard article on the liquid properties of fire ant swarms.

Emergent Futures relaying studies on the neurological aspects of mystical and mysterious experiences.

The runaway billion-dollar JLENS blimp was finally downed thanks to hundreds of shotgun blasts from Pennsylvania police.

Engadget: HTC has begun refusing to offer guidance on its corporate future. Also, Seattle cop who developed transparency-oriented software has left the force, apparently due to departmental politics.

Also Engadget: how medicine-covered nanoparticles could help stroke victims.

Ars Technica on cancer-killing viruses.