The War On Users

This piece just went out in the weekly newsletter, along with breach, robot and TSA news and some breaking news about a voter information breach. You can subscribe to the newsletter here or read the current issue here.

A few weeks ago I send myself an email. Because oddly it’s still the easiest way to move individual files from one device to another. I send it without subject or content, just the attachment. A few seconds later the email hits my tablet but I can see even without opening the email that there’s content.

What’s this, then?

Opening the email I find that my antivirus attached a signature at the end of my email advertising itself. “This email was scanned by Avast Antivirus and is safe!” or some similar foolishness. Of course, never having authorized the program to attach signatures to my email I was more than a little curious and annoyed. Digging into the program I found that since I had updated the program engine that day it added a function to attach its own signature to my emails and then automatically opted me in without so much as a courtesy notification. This kind of thing, of course, is not the way legitimate software acts. This is the stink of malware. So I abandoned the antivirus I’ve used and recommended for years and wondered just what the hell they were thinking.

Avast’s egregious fuckery falls into place with a dynamic that’s seized the technology world and undone decades of careful work: put simply, it’s a war on users. User loyalty is no longer a prominent dynamic, nor is usability. Nearly every service I use now puts things in between me and what I want to get done. Apple’s Music app reworked the user interface to advertise its own junk before you could actually get to a place to play your music that you had on your device. Google Play Music now does the same thing, spawning me into the “Listen” screen where they want me to buy their streaming service. It takes me an extra few clicks to just get to my damn MP3s. Twitter’s begun destroying its own usability by displaying tweets out of chronological order in timelines.

There is a war on users and what suffers is not only our productivity and efficiency but really the enjoyability of the platforms pulling these shenanigans. I shouldn’t have to paw through three different screens just to get to the music I bought through your app. I know you have new streaming services or some exclusive concert you’d like me to listen to. I don’t care. We spent three decades perfecting user interfaces according to User Experience (UX) guidelines – make things simpler, easier, faster. And we’ve undone that in the span of three years just to badger people into buying extra crap.

I had a nightmare once that coin-operated video game arcades never existed as we know them (and I have fond, fond memories of spending hours in Hampton Beach arcades feeding in quarter after quarter). In the nightmare you only got to the games after watching a revenue-generating advertisement and then passing through a series of screens “offering” extra paid services of the arcade. We got what we paid for but only after we saw what they wanted – and we all accepted it.

The war on users goes beyond UI and UX considerations. It’s obstructionist product placement. Word-of-mouth is no longer the goal for these services. They demand captive ears and eyes. And short of building our own platforms we suffer at their whims.

This is the future. Things should be getting easier for us, right?

Encryption is Math, not Politics

Just sent out issue 2 of the Neurovagrant Newsletter, containing this and more.


Last week security researcher Chris Vickery uncovered a massively insecure database belonging to the Hello Kitty line of products – which include a number of online components. Vickery found that the details of some 3.3 million accounts could be accessed including real name, gender, country of origin, password and birthday. Even more troubling is the fact that most of these accounts likely belong to children – and coming so quickly in the wake of the VTech toymaker hack in which four million parent accounts and six million child profiles were compromised, it should cause each parent about to buy an internet-connected toy some pause.

Vickery wasn’t done there. That week he “was on a rampage, reporting data breaches for companies and services like MacKeeper, security vendor for Macs (13 million accounts); OkHello, video chat app (2.6 million accounts); Slingo, online gaming site (2.5 million accounts); iFit, fitness app (576,000 accounts); Vixlet, social network (377,000 accounts); California Virtual Academies, online school network (74,000 accounts); and Hzone, dating app for HIV patients (5,027 accounts).”

On Thursday Juniper Networks announced that its Virtual Private Network operating system ScreenOS had been compromised for at least the last four years. Juniper is a giant in the VPN business, which allow you to do things like access work networks from outside the office or protect your internet traffic from those seeking to intercept it. It appears two separate backdoors were installed into ScreenOS including one that utilized a cryptographic algorithm known to have been weakened at the direction of the National Security Agency – dual_ec_drbg. Attackers took advantage of engineered weaknesses to intercept the traffic of Juniper clients. To what extent is not yet known, but again: the backdoor had been present for the past four years.

Enter most of the 2016 presidential candidates. The entirety of the GOP candidates appear to be “against encryption” – a laughably simple argument considering encryption powers just about every bit of commerce and civic life we’re involved in. Encryption safeguards your card information when you purchase something on the internet but also when you use a card in-store; the point-of-sale machine connects to a payment processor, and when the encryption and/or segmentation there fails we see retail store POS breaches like Target or the processor-side TJX/Heartland breach. A strong economy relies on strong encryption. So does a strong healthcare system – healthcare breaches constitute the lion’s share of breaches in the past several years. Strong government itself relies on strong encryption. The OPM hackof this year shows us that. Not only did attackers gain an incredible data trove on law enforcement, intelligence and military members but having extended access to the database raises the specter of information being added, allowing deep infiltration of important institutions.

The encryption debate – often termed The Crypto Wars by those involved – popped up repeatedly since we became an information-heavy society. The latest round of Crypto Wars all but ended earlier this year in a resounding defeat for those seeking weaker encryption thanks to a strong, universal agreement among security experts that installing system backdoors cannot be done without weakening the system to other attackers. We cannot produce a golden key that only allows authorized access. Backdoors are by definition security vulnerabilities. Encryption in the sense we talk about it whether we’re talking about credit card payment systems or messaging apps is a form of mathematics. When we talk about algorithms we’re not talking about some kind of arcane code but rather mathematical formulas. A formula is a relationship. The right relationships between variables can do things like create nearly-unguessable random number sequences. Tweak that relationship even a little bit – as was done with dual_ec_drbg mentioned above – and you instantly change the formula in huge ways, sometimes drastically reducing the amount of computer power/time needed to work out what numbers the formula is going to produce.

This is a vast simplification of the math involved – but it is math. No amount of magical thinking or politicking will change the fact that encryption is, at is core, a mathematical problem. And unlike statistics shenanigans politicians are used to playing when it comes to polling these numbers don’t bend.

The Crypto-Wars reignited after the Paris attacks. Oddly so, since there’s not one iota of evidence that attackers used encryption. FBI Director Comey continues to make statements in his interest about terrorists using encryption and those statements continue to be disproven as investigations move forward and we learn more details. Statements like “their phones included encryption” are disingenuous at best – all modern cellphones include encryption of various sorts. The authorities depend on vague and unprovable statements and emotion to sway public opinion while information security experts have issued a resounding opinion: you cannot build a backdoor that no one else can exploit.

Hillary Clinton has called for a “Manhattan Project” in order to help law enforcement break into encrypted communications while leaving them secure and this is as doomed a project as that of any Republican. The comparison to the original Manhattan Project is an immediate failure: they were working with the physics, Hillary wants experts to work against the math. Mathematics is not an issue you can legislate or threaten your way out of, something the Catholic Church learned the hard way ages ago. Tweak the smallest parameter in an algorithmic relationship and you put at risk anything in that system – financial access, health data, intelligence agent backgrounds and their biometrics.

In crypto even more than in politics, we ignore the numbers at our peril.

Errata: Linux 0day, Blockchain stock sales, Diffie-Hellman hardening, Schoolgirls, OPM, Pixel-C

Hector Marco: Back to 28: Grub2 Authentication 0-DayBunch of Linux distros apparently launch into rescue shell when you hit backspace 28 times at Grub (bypassing authentication). Are you kidding me with this?

Engadget via pi8you: Bitcoin tech approved as a way to issue shares – “[Overstock] built its own crypto-currency tech via a subsidiary called T0 (T-Zero), and uses open-source Colored Coins to issue stock in the form of “blockchains,” a type of electronic ledger.” – Rumor is that Overstock lost a boatload of money integrating bitcoin into their sales platform. Wonder if this is doubling down on a bad bet.

Farsight Security: Hardening Encrypted Communications Against Diffie-Helman Precomputation AttacksGreat primer on strengths and weaknesses of current encryption schemes and applying that knowledge to your own servers.

Motherboard: What the Hell Is Up with This Homicidal Japanese Schoolgirl Simulator? – “I still got busted though. I guess I forgot to get rid of the bloody clothes. One day, I’ll figure out how to get off clean, and then it will be just me and the boy I like. Senpai will be mine.”

Milton Security: New report shows extent of OPM failure in breach – “The OPM inspector general has found that in OPM’s haste to set up protection services, the agreement with CSID violated federal contracting regulations. OPM did not provide a full scope of work, they failed to do enough market research, they had an incomplete acquisition plan, and exceeded dollar limits on blanket agreements.” – Definition of omnishambles.

TNW: Google’s AMA for the Pixel C went sideways as Redditors exposed its flaws – “When Redditors weren’t taking the Googlers to task for the Pixel C’s lack of stylus, not packaging the keyboard with the device or Android’s lack of split-screen functionality, they were going hard about SD Card support and its price point.” – Kind of disappointed in the Pixel C in the sense that Google seems to have fallen to thinking “If we build the hardware, they will come” and little else.

Errata: Racist Michigan Rep, Active Shooter Insurance, Academic Heist, Carson’s Still an Idiot

Raw StoryMich. Repub ripped after suggesting that making black students white would ‘fix’ school issues – ‘Footage posted by the American Federation of Teachers (AFT) shows Knollenberg saying during a state Senate committee meeting on Thursday, “You mentioned these school districts failing, and you mention economically disadvantaged and non-white population are contributors to that. I know we can’t fix that. We can’t make an African-American white. That’s just, it is what it is.”’ – also – ‘He denied citing race as a specific factor and pointed out that he has a black employee at his insurance company.’ – Horrifying.

CNBCInterest in active shooter insurance grows – “The insurance policy covers potential liability if an institution is deemed not to have taken the steps needed to prevent gun violence, according to Fortune.” – WELL now that insurers are set to make a profit off mass shootings I think it’s even safer to say legislators are going to do fuck all about the issue. The NRA profiting off putting the country at risk isn’t enough – now the financiers are in on it. I’m waiting for securitization of security-weakening legislation, a new derivatives market that lays bets on the specifics of the next shooting.

ReutersCzech MEP accused of trying to snatch 350 million euros from Swiss bank – “They include Miloslav Ransdorf, 62, an expert on Karl Marx and a former philosophy teacher who speaks about dozen languages and who has served in the European Parliament since the Czech Republic’s entry to the European Union in 2004.” – Can’t wait for the movie version of this.

MSNBCBen Carson to veterans: ‘Deal with the transgender thing somewhere else’ – ‘“If you can’t lift, you know, a 175 pound person on your shoulder and hoist them out of there, I don’t want you as my backup,” he continued.’ – I love that a guy who had the courage to direct an armed robber at someone else and brag about it finds himself fit to judge combat readiness.

NBCPresident Jimmy Carter Says Cancer in Brain Is GoneThe one good bit of news I’ve seen all December. So thankful for this.

Fucking with the Data Gods

First of December and my head’s still stuck in early AD, maybe even late BC. Still thinking about one of the images from my last post – namely, pre-Christian Britons depositing weapons and riches into lakes to honor and impress the gods. It hit me after writing about that in one context (projecting Fiction Conditions) that it serves well in another. I’m taken right now by how well it describes our current approach to data.

As valuable as it is, we toss our data in lakes with all the rest. We toss it in as tribute to the Data Gods in exchange for the hope that they’ll grant us favor, extend useful services, light a path towards prosperity and productivity. And we offer data to project current or idealized status as well – instagramming delicious-looking meals, vlogging the unboxing of expensive gadgets, curating and authoring tweets to portray a certain image. Young people broadcast pictures of themselves holding wads of cash. Older people curate their daily activities and accomplishments for others to marvel at. We’re projecting to peers rather than the gods, but the latter could hardly fail to take notice. I’ve not yet seen a social media algorithm tailored to call people on their bullshit.

(That’s what we’re supposed to do, I suppose.)

Our idealized or weaponized self-data joins the rest in the lake and, as Briton axes, the lake itself is conquered by Romans and sold off to speculative entrepreneurs looking to recover, sort and profit off the contents. They do this in the hopes that they’ll eventually be the conquering Romans – and then the gods themselves, having preempted the established order by lighting just the right signal fire on just the right hill. We’re the Postconquered. We thought we were giving to the gods and gave ourselves to the Romans instead. Who promptly sold us to the Shkrelis.

George Dyson’s SALT talk had a great image, that of canoe construction. Canoes are built in one of two ways: in environments with little wood, only the frame is built from wood and a skin is stretched over it. In wood-rich environments canoes are dug out from larger blocks of wood reflecting the resource abundance. We now approach information in the latter way, carving information out of much larger blocks.

Now that we take such an active role in that, even our dugout methods produce data. As does, of course, commercial activity. And we now seem to be incentivized to keep making canoes and keep engaging in transactions not for the commercial value but the data value. The details are more valuable than the material-driven profit. We’re on the radar screen of the data gods and it only refreshes when we produce more data – so they want us to keep producing data for data’s sake.

I’m left thinking, in the end, of Gemma Galdon Clavell’s charge from FutureEverything 2015: get acquainted with your data-double and then sabotage it.

Imagine an entire nation of lakes sold off on the speculation that they contain insight-heavy riches only to discover they’re little more than mud and oil-slick mirages. The few services tossed our way – the Gmails, the Twitters – crumble as they realize the lakes are fouled, the data spurious. But not immediately. Much like the whole online ad business seems to be built on flimsy, deceptive foundations big data could persist for a while. Could fool itself and the tiers of business that filter down from the hilltop.

Until a reckoning. Or until a disruptive signal fire is lit for all to see.

Geldon Clavell’s charge in mind do we continue as the Postconquered data sources, or do we begin to fuck with the gods?