Re-using code has its downsides

This morning’s Observer column:

In one of those delicious coincidences that warm the cockles of every tech columnist’s heart, in the same week that the entire internet community was scrambling to patch a glaring vulnerability that affects countless millions of web servers across the world, the UK government announced a grand new National Cyber Security Strategy that, even if actually implemented, would have been largely irrelevant to the crisis at hand.

Initially, it looked like a prank in the amazingly popular Minecraft game. If someone inserted an apparently meaningless string of characters into a conversation in the game’s chat, it would have the effect of taking over the server on which it was running and downloading some malware that could then have the capacity to do all kinds of nefarious things. Since Minecraft (now owned by Microsoft) is the best-selling video game of all time (more than 238m copies sold and 140 million monthly active users), this vulnerability was obviously worrying, but hey, it’s only a video game…

This slightly comforting thought was exploded on 9 December by a tweet from Chen Zhaojun of Alibaba’s Cloud Security Team.…


Facebook isn’t the most toxic tech company

This morning’s Observer column:

If you were compiling a list of the most toxic tech companies, Facebook – strangely – would not come out on top. First place belongs to NSO, an outfit of which most people have probably never heard. Wikipedia tells us that “NSO Group is an Israeli technology firm primarily known for its proprietary spyware Pegasus, which is capable of remote zero-click surveillance of smartphones”.

Pause for a moment on that phrase: “remote zero-click surveillance of smartphones”. Most smartphone users assume that the ability of a hacker to penetrate their device relies upon the user doing something careless or naive – clicking on a weblink, or opening an attachment. And in most cases they would be right in that assumption. But Pegasus can get in without the user doing anything untoward. And once in, it turns everything on the device into an open book for whoever deployed the malware.

That makes it remarkable enough. But the other noteworthy thing about it is that it can infect Apple iPhones…


Time to clip the wings of NSO and its Pegasus spyware

This morning’s Observer column:

What’s the most problematic tech company in the world? Facebook? Google? Palantir? Nope. It’s a small, privately held Israeli company called NSO that most people have never heard of. On its website, it describes itself as “a world leader in precision cyberintelligence solutions”. Its software, sold only to “licensed government intelligence and law-enforcement agencies”, naturally, helps them to “lawfully address the most dangerous issues in today’s world. NSO’s technology has helped prevent terrorism, break up criminal operations, find missing people and assist search and rescue teams.”

So what is this magical stuff? It’s called Pegasus and it is ultra-sophisticated spyware that covertly penetrates and compromises smartphones. It’s particularly good with Apple phones, which is significant because these devices are generally more secure than Android ones. This is positively infuriating to Apple, which views protecting its users’ privacy as one of its USPs.

How does Pegasus work? Pay attention, iPhone users, journalists and heads of government…



This blog is also available as a daily email. If you think this might suit you better, why not subscribe? One email a day, Monday to Friday, delivered to your inbox at 7am UK time. It’s free, and there’s a one-click unsubscribe if you decide that your inbox is full enough already!


Tuesday 25 August, 2020

When Britain was a world power

Inside page of a British passport in the late 1940s.

It reads:

We, Ernest Bevin, a Member of His Britannic Majesty’s Most Honourable Privy Council, a Member of Parliament, etc.etc. His Majesty’s Principal Secretary of State for Foreign Affairs, Request and require in the name of His Majesty all those whom it may concern to allow the bearer to pass freely without let or hindrance, and to afford her every assistance and protection of which she may stand in need.

Those were the days. I wonder what the Brexit version says.


Quote of the Day

“An acre in Middlesex is better than a Principality in Utopia”.

  • Thomas Macaulay

(Especially now, given London property prices.)


Musical alternative to the morning’s radio news

Grieg – Piano Concerto II. Adagio | Arthur Rubinstein (7 minutes)


Rubinstein in the finest white tie I’ve ever seen. Olympic-class sharp dressing. Conducted by a youthful Andre Previn.


US Air Force shows off latest all-electric flying car, says it ‘might seem straight out of a Hollywood movie’

Er, not if it’s an action movie.

From The Register

The US Air Force has revealed a prototype of a flying car, something the American military has desired for at least a decade.

The latest build is single-person aircraft – specifically, a version of the Lift Hexa copter, which uses 18 electric motors that allow it to take off and land vertically. The vehicle was put through its paces last Friday at the Texas State Guard’s Camp Mabry base.

The craft is part of a project the Air Force is running called Agility Prime, which has tapped up Lift and other manufacturers to develop single-person “flying car” aircraft for field tests within the next three years. Other prototypes will be showcased in the coming weeks.


Picking locks with audio technology

This is interesting or alarming, depending on your point of view. From an article by Paul Marks in the August 13 edition of Communications of the ACM:

The next time you unlock your front door, it might be worth trying to insert your key as quietly as possible; researchers have discovered that the sound of your key being inserted into the lock gives attackers all they need to make a working copy of your front door key.

It sounds unlikely, but security researchers say they have proven that the series of audible, metallic clicks made as a key penetrates a lock can now be deciphered by signal processing software to reveal the precise shape of the sequence of ridges on the key’s shaft. Knowing this (the actual cut of your key), a working copy of it can then be three-dimensionally (3D) printed.

This discovery of a major vulnerability in the physical keys that millions of us use to secure domestic and workplace doors and lockers was made by cyberphysical systems researcher Soundarya Ramesh and her team at the National University of Singapore.

What’s being attacked by the NUS team are the keys to pin-tumbler locks, best known as Yale or Schlage keys, though those are just the market leaders and a whole host of other firms make them, too. Inside such locks, six metal pins, affixed to springs, are pushed up to different heights by the ridged teeth on the key, or kept low by the voids between the ridges. When all six spring-loaded pins are pushed to the correct height by the right key, the tumbler containing them is freed to turn, allowing the lock to be opened. Such a lock typically has something of the order of 330,000 possible key shapes.

Of course, these locks can be picked by a skilled operator armed with the right tools. But if s/he wants to burgle the premises again, the same painstaking procedure needs to be repeated, with a corresponding risk of detection. The 3D printing approach enables the bad actor to acquire a duplicate which is good for multiple entries.

It’s a fascinating article IMO which covers the really tricky questions — for example, how one might obtain the audio recording needed to crack the profile of the key.


Summer books #13

The Radetzky March by Joseph Roth, Penguin Modern Classics.

Joseph Roth’s masterpiece about the Austro-Hungarian empire was published in 1932. Shortly after it came out he was forced into exile by the Third Reich, after which he lived mostly in Paris and drank himself to death. It was recommended to me by Helen Thompson, and I owe her a debt of gratitude for that. It’s one of the best novels I’ve ever read. There’s a very good New Yorker essay about him and the way his work was rediscovered by post-war generations.




Saturday 15 August, 2020

Quote of the Day

“The whole problem with the world is that fools and fanatics are always so certain of themselves, and wiser people so full of doubts.”

  • Bertrand Russell

Musical alternative to the morning’s news

Jessye Norman: Mozart – Le Nozze di Figaro, ‘Porgi, amor, qualche ristoro’



The significance of the Twitter hack

Damn! This great piece by Bruce Schneier was published on July 18 and I missed it. Growl.

Still, better late than never…

Twitter was hacked this week. Not a few people’s Twitter accounts, but all of Twitter. Someone compromised the entire Twitter network, probably by stealing the log-in credentials of one of Twitter’s system administrators. Those are the people trusted to ensure that Twitter functions smoothly.

The hacker used that access to send tweets from a variety of popular and trusted accounts, including those of Joe Biden, Bill Gates, and Elon Musk, as part of a mundane scam—stealing bitcoin—but it’s easy to envision more nefarious scenarios. Imagine a government using this sort of attack against another government, coordinating a series of fake tweets from hundreds of politicians and other public figures the day before a major election, to affect the outcome. Or to escalate an international dispute. Done well, it would be devastating.

En passant, the US is heading for an election that will not be decided on the day, but after a period (of unknown duration) while postal votes are being counted (and maybe argued over). Another Twitter hack on the lines just suggested could be catastrophic.

So here’s the nub of it:

Internet communications platforms—such as Facebook, Twitter, and YouTube—are crucial in today’s society. They’re how we communicate with one another. They’re how our elected leaders communicate with us. They are essential infrastructure. Yet they are run by for-profit companies with little government oversight. This is simply no longer sustainable. Twitter and companies like it are essential to our national dialogue, to our economy, and to our democracy. We need to start treating them that way, and that means both requiring them to do a better job on security and breaking them up.


Google’s Advertising Platform Is Blocking Articles About Racism

This is both shocking — and unsurprising:

On Martin Luther King Jr. Day this year, the Atlantic decided to recirculate King’s famous “Letter From Birmingham Jail,” which the magazine had run in its August 1963 issue and republished, in print and online, in 2018. Several hours later, the publication’s staff noticed that Google’s Ad Exchange platform, which serves many of the ads on the Atlantic’s website, had “demonetized” the page containing the letter under its “dangerous or derogatory content” policy. In other words: As part of its efforts to protect advertisers from offensive internet content with which they would not want their products to be associated, Ad Exchange had locked out one of the most important texts of the civil rights movement.

Google controls more than 30 percent of the digital ads market. A big chunk of that business happens through Ad Exchange, a marketplace for buying and selling advertising space across the web. According to its publisher policies, Google does not monetize, or allow advertising on, “dangerous or derogatory content” that disparages people on the basis of a characteristic that is associated with systemic discrimination—race, gender, sexual orientation, disability, etc. As the policy outlines, this might look like “promoting hate groups” or “encouraging others to believe that a person or group is inhuman.” Because of the scale of Google’s ad-serving business, however, it can’t enforce this policy on the front lines by hand, so instead the company uses an algorithm that, in part, scans for offensive keywords in articles. But the system doesn’t always take context into consideration. Several mainstream publishers, including Slate, have had articles demonetized under this policy when covering race and LGBTQ issues.

Automated ‘moderation’ is context-blind, in other words. It’s just another confirmation that these companies can’t fulfil their moral and ethical obligations at the scale on which they operate, given the business models on which they depend.


US Postal Service warns 46 states their voters could be disenfranchised by delayed mail-in ballots

This is paywalled on the Washington Post site, but here is the gist:

Anticipating an avalanche of absentee ballots, the U.S. Postal Service recently sent detailed letters to 46 states and D.C. warning that it cannot guarantee all ballots cast by mail for the November election will arrive in time to be counted — adding another layer of uncertainty ahead of the high-stakes presidential contest.

The letters sketch a grim possibility for the tens of millions of Americans eligible for a mail-in ballot this fall: Even if people follow all of their state’s election rules, the pace of Postal Service delivery may disqualify their votes.

The Postal Service’s warnings of potential disenfranchisement came as the agency undergoes a sweeping organizational and policy overhaul amid dire financial conditions. Cost-cutting moves have already delayed mail delivery by as much as a week in some places, and a new decision to decommission 10 percent of the Postal Service’s sorting machines sparked widespread concern the slowdowns will only worsen. Rank-and-file postal workers say the move is ill-timed and could sharply diminish the speedy processing of flat mail, including letters and ballots.

My immediate thought was that this is linked to the appointment of a Trump stooge as the Postmaster-General. But apparently it pre-dates his appointment:

The ballot warnings, issued at the end of July from Thomas J. Marshall, general counsel and executive vice president of the Postal Service, and obtained through a records request by The Washington Post, were planned before the appointment of Louis DeJoy, a former logistics executive and ally of President Trump, as postmaster general in early summer. They go beyond the traditional coordination between the Postal Service and election officials, drafted as fears surrounding the coronavirus pandemic triggered an unprecedented and sudden shift to mail-in voting.

Everywhere one looks, norms and conventions that we took for granted in liberal democracies are wilting or being undermined. The chances of the US having an uncontested election result diminish by the day.


Summer books #4

Analogia: The Entangled Destinies of Nature, Human Beings and Machines by George Dyson, Allen Lane, 2020.

I’m exactly half-way through this extraordinary book, and I still don’t know where it’s headed. But it’s an infuriatingly compelling read. George Dyson is an extraordinary member of an extraordinary family — the son of the theoretical physicist Freeman Dyson and mathematician Verena Huber-Dyson, the brother of technology analyst Esther Dyson, and the grandson of the British composer Sir George Dyson. He has led an amazing life as a roving explorer, craftsman and public intellectual. Having been brought up in Princeton, where his father was an academic at the Institute for Advanced Study, he dropped out of a couple of universities before heading for the West Coast of Canada. From 1972 to 1975, he lived in a tree-house at a height of 30 metres that he built from salvaged materials on the shore of Burrard Inlet in British Columbia. He became a Canadian citizen and spent 20 years in that part of the world designing kayaks, researching historic voyages and native peoples, and exploring the Inside Passage.

In recent decades he’s become interested in the history of computing and the direction of travel of our increasingly digitized world. Everything he’s written on these subjects interweaves his own personal history with polymathic knowledge of all kinds of subjects and speculations on what it all means for the future. This, his latest book, follows the same pattern. Where he’s heading, I suspect, is towards the conclusion that, in the end, the digital will run out of steam, and we’ll discover that analog computing (which after all is what goes on in our brains) will have the last laugh. As someone who started on analog computers before moving to digital devices I’m intrigued to see if that hunch is correct. But there’s another 150 pages to go and anything may happen: you never can tell with the Dysons. After all, George’s father devoted a couple of years of his life to a US-funded project to build a huge spaceship powered by nuclear explosions and was mightily pissed off when the US instead opted for Werner von Braun and his primitive, chemical-fuelled, rockets.




Friday 17 July, 2020

Atul Gawande on managing Covid

He’s the best writer on medical issues I know. Last May he wrote a really useful essay in the New Yorker. I’ve just re-read it in the light of what’s happened since. It still stands out.

Two samples:

American hospitals have learned how to avoid becoming sites of spread. When the time is right to lighten up on the lockdown and bring people back to work, there are wider lessons to be learned from places that never locked down in the first place.

These lessons point toward an approach that we might think of as a combination therapy—like a drug cocktail. Its elements are all familiar: hygiene measures, screening, distancing, and masks. Each has flaws. Skip one, and the treatment won’t work. But, when taken together, and taken seriously, they shut down the virus. We need to understand these elements properly—what their strengths and limitations are—if we’re going to make them work outside health care.

Start with hygiene. People have learned that cleaning your hands is essential to stopping the transfer of infectious droplets from surfaces to your nose, mouth, and eyes. But frequency makes a bigger difference than many realize…

and

A recent, extensive review of the research from an international consortium of scientists suggests that if at least sixty per cent of the population wore masks that were just sixty-per-cent effective in blocking viral transmission—which a well-fitting, two-layer cotton mask is—the epidemic could be stopped. The more effective the mask, the bigger the impact.


Coronavirus and the dim future of (many) American universities

Scott Galloway may not be to everyone’s taste, but I like the way he thinks — and, more importantly, the stark way in which he analyses things.

This week he’s been looking at this chart (from the Chronicle of Higher Education) which summarises a survey of US colleges’ intentions for the next academic year.

The relevant statistic is the 56% which apparently plan to bring students back to campus in the Fall.

The graphic below neatly summarises what this means.

Think about this. Next month, as currently envisioned, 2,800+ cruise ships retrofitted with white boards and a younger cohort will set sail in the midst of a raging pandemic. The density and socialization on these cruise ships could render college towns across America the next virus hot spots.

So why are administrators putting the lives of faculty, staff, students, and our broader populace at risk?

The ugly truth is many college presidents believe they have no choice. College is an expensive operation with a relatively inflexible cost structure. Tenure and union contracts render the largest cost (faculty and administrator salaries) near immovable objects. The average salary of a professor with a PhD (before benefits and admin support costs) is $141,476, though some make much more, and roughly 50% of full-time faculty have tenure. While some universities enjoy revenue streams from technology transfer, hospitals, returns on multibillion dollar endowments, and public funding, the bulk of colleges have become tuition dependent. If students don’t return in the fall, many colleges will have to take drastic action that could have serious long-term impacts on their ability to fulfill their missions.

That gruesome calculus, Galloway says, has resulted in “a tsunami of denial”.

Universities owning up to the truth have one thing in common: they can afford to. Harvard, Yale, and the Cal State system have announced they will hold most or all classes online. The elite schools’ endowments and waiting lists make them largely bullet proof, and more resilient to economic shock than most countries — Harvard’s endowment is greater than the GDP of Latvia. At the other end of the prestige pole, Cal State’s reasonable $6,000 annual tuition and 85% off-campus population mean the value proposition, and underlying economic model, remain largely intact even if schooling moves online.

Galloway and his team have analysed the prospects of 436 universities and then plotted their prospects on two axes:

Value: (Credential * Experience * Education) / Tuition. Vulnerability: (Endowment / Student and % International Students). Low endowment and dependence on full-tuition international students make a university vulnerable to Covid shock, as they may decide to sit this semester/year out.

Which produces this grid:

Now of course the US Higher Education system is very different from the UK’s. But it’d be interesting to see what an analogous analysis of UK universities would show.


EU court rejects data transfer tool in Max Schrems case

This is the big story of the week (at least in the bubbles I inhabit)…

From The Irish Times:

Europe’s top court has declared an arrangement under which companies transfer personal data from the European Union to the US invalid due to concerns about US surveillance powers.

The ruling in the long-running battle between Facebook, Ireland’s Data Protection Commissioner and the Austrian privacy activist Max Schrems found that the so-called Privacy Shield agreement does not offer sufficient protection of EU citizens’ personal data.

“The limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities . . . are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law,” the court said in a statement.

The ruling is a blow to the thousands of companies, including Facebook, that rely on the Privacy Shield to transfer data across the Atlantic, and to the European Commission, as it unpicks an arrangement it designed with US authorities to allow companies to comply with EU data protection law.

Great ruling. It’ll be fun seeing the companies trying to find a way round it.


More than just a Twitter hack

From Om Malik:

By now, we have all heard about the takeover of the celebrity accounts and those of companies such as Apple and Uber by scammers who wanted to trick people into sending them bitcoins. There are multiple threads to this theory — Vice says that it might be some kind of inside job. Twitter itself says that it was a victim of social engineering. FBI is also starting an investigation. However, it is clear; this hack isn’t a joke. It can have national and international implications, as Casey Newton points out in his article for The Verge. Twitter is a significant source of dissemination of information — from weather to earthquakes to forest fires — and any disruption can cost lives.

That is why Casey is right — and collectively, we need to think about this current episode much more deeply and deliberately. Big technology platforms are now singular points of failure as much as they are single points of protection against malicious intent.

Hmmm… I’m not convinced. This particular hack was just an ingenious variation on an old scam: someone posting a link to a Bitcoin wallet with an invitation to send it some Bitcoin and receive double the amount immediately in return. You’d have to have your head examined to fall for it. The variant this time is that the scammer got into some Twitter employee’s account and used those privileges to send out the scamming tweets as if they were coming from prominent people. The big question is whether the hacker collected the DMs (Direct Messages) that those account-holders had sent to other users. If he did, then there’s big trouble ahead — and not just for the account-holders, but also for Twitter. People have been arguing for years that the private DM channel should be end-to-end encrypted, but as far as I know it isn’t.




Tuesday 21 April, 2020

If you need cheering up, how about this?


One of the great comedians of his generation. I love his epitaph: “I told you I was ill”.


Politico’s daily summary

One of the joys (well, sometimes) of my early morning is finding Politico’s daily London Playbook (i.e. newsletter) by Jack Blanchard in my inbox. This is how it opens today:

THEY’RE BACK! Parliament returns today from its extended Easter recess to lead a country utterly changed from just one month before. When the House rose on March 25, Britain had been in lockdown for less than 48 hours, and fewer than 500 U.K. citizens had died from COVID-19. Boris Johnson was still running the country and a picture of jovial health; Jeremy Corbyn was leader of the opposition and taking part in his final PMQs. The Premier League was due to resume from its brief hiatus on April 30, and most people thought “Zoom” was an ice lolly from 1986.

Fast-forward 4 weeks … and Zoom has become such a crucial part of our lives that MPs will be using it to hold debates in the Commons chamber as of tomorrow. More than 16,500 Britons have died from the illness; a fierce debate is underway about when to lift a lockdown now destroying the U.K. economy; Johnson is recuperating at Chequers after almost losing his life to COVID-19, and Keir Starmer is leading a Labour Party already plunged into fresh civil war. Dominic Raab has the nuclear codes in his pocket; Liverpool’s title charge has been suspended indefinitely, and NHS nurses have been dressing in bin bags after supplies of protective kit ran out. So MPs shouldn’t be short of things to talk about when proceedings get underway.

If you’re a politics junkie you can subscribe here


Zoom’s security woes were no secret to business partners like Dropbox

Well, well. On the day that the UK House of Commons ‘returns’ using Zoom (the House of Lords is apparently going to use a Microsoft system), the New York Times reports that Dropbox became so concerned about Zoom’s security holes that the company commissioned a number of hackers to find the holes, which they then reported to Zoom.

Zoom’s defenders, including big-name Silicon Valley venture capitalists, say the onslaught of criticism is unfair. They argue that Zoom, originally designed for businesses, could not have anticipated a pandemic that would send legions of consumers flocking to its service in the span of a few weeks and using it for purposes — like elementary school classes and family celebrations — for which it was never intended.

“I don’t think a lot of these things were predictable,” said Alex Stamos, a former chief security officer at Facebook who recently signed on as a security adviser to Zoom. “It’s like everyone decided to drive their cars on water.”

Motherboard is reporting that there are currently two Zoom zero-day exploits, one for Windows and one for MacOS, on the market.

And there’s a report that over 500,000 Zoom accounts are being sold on the dark web and hacker forums for less than a penny each, and in some cases, given away for free.

But still…amphibious cars — now there’s a good idea!


Another previously-profitable business is suddenly defunct

The big in-person conferencing event is suddenly passé. As someone who has always loathed conferences, this troubles me not at all. But to those who are addicted to them, it’s obviously depressing news. Here’s one gloomy take on it all:

At the same time, it’s becoming increasingly clear that conferences won’t be returning to normal anytime soon. Mark Zuckerberg said Thursday that Facebook won’t host any events with 50 people or more until June 2021; Microsoft announced that it won’t be having in-person conferences until at least July 2021. California Gov. Gavin Newsom said this week that large gatherings in the state are “unlikely” until the availability of a coronavirus vaccine, and Los Angeles Mayor Eric Garcetti suggested that his city won’t see large-scale events until 2021. Some in the tech industry are already predicting that CES in January will be canceled, as well.

Brightcove’s Larsen acknowledged that she wouldn’t send her own team members to in-person events right now, adding: “Until there is a vaccine that works, it is going to be really hard to get 10,000 people together in a space.”

The trouble is that while Zoom and streaming technology can replace some of what people get from in-person gatherings, there are still things that will be missing. As Ben Evans says in his current newsletter:

Conferences are a bundle: the content (which works as video, mostly), but also the chance meetings & networking, and the meetings you book because everyone’s in town, and sometimes also a trade fair, and none of those work as video, far less a random text chat room. And if you do switch the in-person meeting in a hotel room in that particular city to a video call from across the world, why do you need to do it on that particular date? There’s a second wave of products to be created here, I suspect.


America’s ‘underlying conditions’

Terrific, long essay by George Packer, whose book [The Unwinding: Thirty Years of American Decline](https://amzn.to/3eF7fc6) set the scene for what the country is now experiencing. This is how the essay begins:

When the virus came here, it found a country with serious underlying conditions, and it exploited them ruthlessly. Chronic ills—a corrupt political class, a sclerotic bureaucracy, a heartless economy, a divided and distracted public—had gone untreated for years. We had learned to live, uncomfortably, with the symptoms. It took the scale and intimacy of a pandemic to expose their severity—to shock Americans with the recognition that we are in the high-risk category.

The crisis demanded a response that was swift, rational, and collective. The United States reacted instead like Pakistan or Belarus—like a country with shoddy infrastructure and a dysfunctional government whose leaders were too corrupt or stupid to head off mass suffering. The administration squandered two irretrievable months to prepare. From the president came willful blindness, scapegoating, boasts, and lies. From his mouthpieces, conspiracy theories and miracle cures. A few senators and corporate executives acted quickly—not to prevent the coming disaster, but to profit from it. When a government doctor tried to warn the public of the danger, the White House took the mic and politicized the message.

Every morning in the endless month of March, Americans woke up to find themselves citizens of a failed state. With no national plan—no coherent instructions at all—families, schools, and offices were left to decide on their own whether to shut down and take shelter. When test kits, masks, gowns, and ventilators were found to be in desperately short supply, governors pleaded for them from the White House, which stalled, then called on private enterprise, which couldn’t deliver. States and cities were forced into bidding wars that left them prey to price gouging and corporate profiteering. Civilians took out their sewing machines to try to keep ill-equipped hospital workers healthy and their patients alive. Russia, Taiwan, and the United Nations sent humanitarian aid to the world’s richest power—a beggar nation in utter chaos.

If you read nothing else today, read this.


Quarantine diary — Day 31

Link


This blog is now also available as a once-a-day email. If you think this might work better for you why not subscribe here? (It’s free and there’s a 1-click unsubscribe if you subsequently decide you need to prune your inbox!) One email a day, in your inbox at 07:00 every morning.


Wednesday 15 April, 2020

Using AI to find drug candidates to try against COVID

Er, for “AI” read machine learning. Usual mistake, but interesting nevertheless.

A team at BenevolentAI, a UK company that uses machine learning to aid drug discovery, had been searching through their database of all existing, approved drugs for one that could be repurposed to treat the novel coronavirus. And according to this report they found one in just three days.

“Most drug companies had been looking at antiviral drugs, but we approached it from the other end and looked at what processes used by the virus could be disrupted,” said Peter Richardson, vice president of pharmacology at the company.

Protein kinases — enzymes that speed up chemical reactions in the body — seemed a promising area to look into. Some of these regulate the way substances can enter human cells — disrupt them, and the virus might be unable to get into the lung, heart and kidney cells it has been so prone to invading.

Baricitinib, a drug developed by Eli Lilly and approved in 2018, stood out because it not only inhibited kinases but also prevented the cytokine storms — the body’s own extreme autoimmune reactions that have led to so many fatalities with Covid-19. It was also likely to be compatible with other drugs being used to treat the disease, such as remdesivir. Richardson and a team of three part-time researchers identified an initial 370 kinase inhibitors, and then narrowed it down to six that looked most likely to work.

“It validated using AI for this kind of problem,” says Richardson. “It would have been impossible for the four of us to do it at that speed otherwise. If you took 250 people you still couldn’t do it at that pace because there would be too many competing ideas. You really can’t do it without an organised knowledge graph and the ability to query it.”

Interesting. I suppose they had to describe it as AI, given that the letters appear in the firm’s name. Benevolent Machine Learning doesn’t have the same ring to it.


How coronavirus almost brought down the global financial system

Another amazing long read from Adam Tooze, this time about how close the world came to a financial meltdown because of the Coronavirus. Most of it stuff I hadn’t known or understood. Tooze is a really phenomenal historian, with an astonishing grasp of how the finance industry works. *Crashed: How a Decade of Financial Crises Changed the World*, his history of the 2008 banking crisis, is terrific. And now he seems to be really on top of the Coronavirus crisis. I’ve been thinking that what we’re facing at the moment is what the world would have been like if the Spanish flu and the Great Depression had come together.

This essay, which is worth reading in full (requires a cup of coffee and some peace and quiet) is mainly about how the central bankers of the West succeeded — just — in avoiding a global meltdown. But it ain’t over yet. And most poor countries don’t have the resources — financial or professional — to deal with the virus.


Security for home workers

From Bruce Schneier’s blog.

When I think about how COVID-19’s security measures are affecting organizational networks, I see several interrelated problems:

One, employees are working from their home networks and sometimes from their home computers. These systems are more likely to be out of date, unpatched, and unprotected. They are more vulnerable to attack simply because they are less secure.

Two, sensitive organizational data will likely migrate outside of the network. Employees working from home are going to save data on their own computers, where they aren’t protected by the organization’s security systems. This makes the data more likely to be hacked and stolen.

Three, employees are more likely to access their organizational networks insecurely. If the organization is lucky, they will have already set up a VPN for remote access. If not, they’re either trying to get one quickly or not bothering at all. Handing people VPN software to install and use with zero training is a recipe for security mistakes, but not using a VPN is even worse.

Four, employees are being asked to use new and unfamiliar tools like Zoom to replace face-to-face meetings. Again, these hastily set-up systems are likely to be insecure.

Five, the general chaos of “doing things differently” is an opening for attack. Tricks like business email compromise, where an employee gets a fake email from a senior executive asking him to transfer money to some account, will be more successful when the employee can’t walk down the hall to confirm the email’s validity — and when everyone is distracted and so many other things are being done differently.

Worrying about network security seems almost quaint in the face of the massive health risks from COVID-19, but attacks on infrastructure can have effects far greater than the infrastructure itself.


After the analogue hammer, comes the data-driven dance.

From Sifted

“Coronavirus has reminded even the most conservative among us that there is a role for the state after all. No government can outsource their way through this test. Suddenly, the absence of data skills at the centre of government is a life and death issue. The hammer blows will decrease. As the dance begins, states must respond with agility, using public and private data. An era of central data units may emerge. Regulation for data registries and more powerful registrars seems certain as public trust in government data and a new locus for privacy and surveillance are all being tried and tested on a daily basis. This is one big A/B test for governments, whether democratic or autocratic. This may not be the internet founders’ much longed-for government 2.0 moment, but we are all in beta now.”

The “hammer and the dance” metaphor is becoming a meme.


Why content moderators should be designated as key workers

Important paper from the Turing Institute arguing that, just now, the people who try to keep mis- and disinformation off social media should be regarded as part of the world’s critical infrastructure.

The current crisis surrounding COVID-19 has scaled up the challenge of content moderation, severely reducing supply and massively increasing demand. On the “supply side”, content moderators have, like other workers around the world, been told not to come into work. YouTube has already warned that, as a result, it will conduct fewer human reviews and openly admits it may make poor content takedown decisions.

On the “demand side”, the growth of the pandemic has seen an upsurge in the amount of time spent online. BT recently noted an increase in UK daytime traffic of 35-60%, and social networks report similar increases, particularly in their use for education, entertainment and even exercise. Sadly, harmful activity has increased too: Europol reports “increased online activity by those seeking child abuse material” and the World Health Organisation has warned of an emerging “infodemic” of pernicious health-related disinformation. Recently, concerns have been raised that false claims are circulating online about the role of 5G.

At a time when social media is desperately needed for social interaction, a widening gap is emerging between how much content moderation we need and how much can be delivered. As a result, AI is being asked to do tasks for which it is not ready, with profound consequences for the health of online spaces. How should platforms, governments, and civil society respond to this challenge? Following Rahm Emanuel’s exhortation to “never let a crisis go to waste,” we argue that, now that the challenges in content moderation have been exposed by the pandemic, it is time for a reset.

Yep.


Quarantine diary — Day 25

Link




Sunday 5 April, 2020

Zoom needs to up its game — it’s playing in the big league now

This morning’s Observer column:

Then there’s the issue of security, and of encryption in particular.

“We take security seriously and we are proud to exceed industry standards when it comes to your organisation’s communications,” says the Zoom website. Any host of a meeting can “secure a meeting with end-to-end encryption”. Well, that’s not quite right, at least if by “end to end” you mean encryption where the service provider has no way of decrypting the content (as, say, with WhatsApp or Signal). The encryption on Zoom communications at the moment is the kind that protects your communications with any website with ‘https’ in its URL. But the content is unencrypted while it is passing through Zoom’s cloud servers.

There may be good reasons for this, but at the very least the company’s website shouldn’t be making exaggerated claims about encryption. It should privilege facts over marketing puffery.

And the moral of all this? Zoom is providing a service of real value in these desperate times, but it needs to grow up. It’s playing in the big league now.

Read on


It’s Zoom, Zoom, Zoom all day long

Rumours, facts, misunderstandings and hearsay about the supposed (in)security of Zoom conferencing have been rife for the last week. Lots of my friends and acquaintances have been asking me about it, in the (mistaken) belief that I know lots about it. I don’t. I only know what I read from trusted and knowledgeable sources.

The Citizen Lab report

Top of my list in this regard is the Citizen Lab at the Munk School of the University of Toronto. It was founded by Ron Deibert, who is a hero of mine, and has for years done sterling work on detecting and unearthing the tools that unscrupulous regimes and companies have developed for snooping on human rights activists, journalists and other good folks. They have now completed a pretty thorough investigation of the cryptographic protocols at the heart of Zoom’s service and published an illuminating report. It makes for fascinating reading if you’re a geek, but the gist is that their research shows that (contrary to the company’s public claims) Zoom uses non-industry-standard cryptographic techniques with identifiable weaknesses and is thus not suitable for sensitive communications. But it seems OK for non-sensitive uses.

There are also potential security issues with where Zoom generates and stores cryptographic information. While based in Silicon Valley, Zoom owns three companies in China where its engineers develop the Zoom software. Its AES-128 keys, which we verified are sufficient to decrypt Zoom packets intercepted in Internet traffic, are transmitted by Zoom servers to all meeting participants. In some of our tests, our researchers observed these keys being distributed through Zoom servers in China, even when all meeting participants were outside of China. A company primarily catering to North American clients that distributes encryption keys through servers in China is very concerning, given that Zoom may be legally obligated to disclose these keys to authorities in China.

Given the sudden embrace of Zoom by a wide range of sectors across society, it is reasonable to assume that many governments’ signals intelligence agencies, as well as criminals, will be subjecting Zoom to the type of analysis we did. Some of them may choose to privately exploit those weaknesses for nefarious purposes and with harmful consequences.

As a result of these troubling security issues, we discourage the use of Zoom at this time for use cases that require strong privacy and confidentiality, including:

- Government communications
- Proprietary or confidential business activities
- Healthcare providers handling sensitive / confidential patient information
- Human rights defenders, lawyers, journalists, and others working on sensitive topics

But the good news is that

For those using Zoom to keep in touch with friends, hold social events, or organize courses or lectures that they might otherwise hold in a public or semi-public venue, our findings should not necessarily be concerning.

This is a relief because it’s more or less what I’ve been saying to friends and family. It was based on a hunch that the vulnerabilities in the Zoom system would be mainly of interest to state-level actors.

On the other hand, I hadn’t known of the extent to which Zoom’s development work is being done in China, or that data packets and encryption keys seem to pass through servers that are based there. If I were running Zoom, I’d rethink that soonest.
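The difference the Observer column and the Citizen Lab passage both turn on, between a provider that can decrypt traffic passing through its servers and genuine end-to-end encryption, comes down to who holds the meeting key. The Go program below is an added illustration, not Zoom’s code or the Citizen Lab’s: it models a relay that generated and distributed a 128-bit key (and so can read every packet it forwards) beside one that never held the key. AES-GCM, the Alice/Bob participants and the relay are assumptions of the example; the report quoted above does not say which cipher mode Zoom used.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// meetingKey is a 128-bit AES key, the key size the Citizen Lab report describes; AES-GCM is an assumed mode for this illustration.
type meetingKey [16]byte

func gcmFor(k meetingKey) (cipher.AEAD, error) {
	block, err := aes.NewCipher(k[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts one media frame under the meeting key, prefixing a fresh random nonce.
func seal(k meetingKey, frame []byte) ([]byte, error) {
	gcm, err := gcmFor(k)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, frame, nil), nil
}

// open reverses seal; it succeeds only for a holder of the meeting key.
func open(k meetingKey, packet []byte) ([]byte, error) {
	gcm, err := gcmFor(k)
	if err != nil {
		return nil, err
	}
	if ns := gcm.NonceSize(); len(packet) >= ns {
		return gcm.Open(nil, packet[:ns], packet[ns:], nil)
	}
	return nil, fmt.Errorf("packet too short: %d bytes", len(packet))
}

// runMeeting sends one frame from Alice to Bob through the provider's relay and reports whether
// the relay could decrypt it; serverHoldsKey models the server-distributed key the report describes.
func runMeeting(serverHoldsKey bool, frame []byte) (relayCanRead bool, bobGot []byte, err error) {
	var key meetingKey
	if _, err = rand.Read(key[:]); err != nil {
		return false, nil, err
	}
	packet, err := seal(key, frame) // Alice encrypts; the relay forwards the packet unchanged
	if err != nil {
		return false, nil, err
	}
	// The relay decrypts with whatever it knows: the real key if it distributed it, else nothing
	// (a zero key stands in for "no key" and fails GCM authentication).
	relayKey := meetingKey{}
	if serverHoldsKey {
		relayKey = key
	}
	_, readErr := open(relayKey, packet)
	bobGot, err = open(key, packet) // Bob holds the real key in both models
	return readErr == nil, bobGot, err
}
```

Run with `runMeeting(true, frame)` and `runMeeting(false, frame)`: Bob receives the frame in both cases, but only the relay that distributed the key can read it, which is the property the marketing phrase "end-to-end" is supposed to guarantee.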

Good advice from Mozilla

Many of the problems that have arisen with Zoom stem from the fact that it has had massive take-up of its free offer — which means that it is now being used by millions of non-technical users who probably know relatively little about online security. So it’s good to see that the Mozilla Foundation (which provides the Firefox browser) has published some useful tips “to make your Zoom gatherings more private”.

They are:

1. Use your account with the latest version of Zoom. Sign in and update to the latest version of the Zoom client or app. This will give you access to the meetings that are available to invited participants and ensure that your system has up-to-date security patches.

2. Use password protection. You can make your meetings password protected to prevent people from guessing your room ID and joining.

3. Keep your Personal Meeting ID private. Don’t use your Personal Meeting ID – especially for events you’re broadly publicizing. That will stop people from trying to enter your personal room at other times. Instead, generate a unique meeting ID by scheduling the meeting.

4. “Lock out” uninvited participants. Don’t share Zoom meeting invites or Meeting IDs with anyone you don’t want to join.

5. Utilize the “mute all” feature. Using the “manage participants” function, you can mute all participants. You should not unmute them again without telling them that’s what you’re doing.

6. Stop unwanted content from being shared. You can stop participants from sharing their screen, or if necessary, stop their video. This is helpful if you’re inviting lots of people you don’t necessarily know so that someone can’t maliciously share content – a practice now known as “zoombombing.”

7. Respect chat privacy. Decide ahead of time if you will save the chat or record the video of the meeting and make sure all participants have agreed and know how you plan to use that information. Recording and saving chats may have legal implications so make sure you’ve checked into that before enabling these options.

All good advice.


Quarantine diary — Day 15

Link




Friday 21 March, 2020



It’s the Spring Equinox!


Boris Johnson’s fiancée is pregnant and they’re living in the same house. So shouldn’t Johnson be in quarantine too?

After all, the government’s advice is that pregnant women should self-quarantine (even though there doesn’t seem to be any evidence that they are more at risk). Concealing him from public view would at least stop us being subjected to the Bertie Wooster nonsense he talked yesterday about getting this virus blighter beaten in 12 weeks. He sometimes seems incapable of engaging his brain before opening his mouth.


The Net is now vital infrastructure. So it must be protected during this crisis

As more and more people have to stay — or work from — home, the Internet is now really part of society’s critical infrastructure. So we need to make sure that it can continue to carry the increased load that’s heading its way. That means that, in the end, some uses will have to take priority over others. I’ve been ranting for weeks that HD streaming of entertainment content should be de-prioritised, and was relieved to see that the EU has come round to that view. It’s also good to see that Netflix and YouTube have announced that they will reduce streaming quality in Europe for at least the next month to prevent the internet collapsing under the strain of unprecedented usage due to the coronavirus pandemic.

Sky News reports both companies saying that the measures will affect all video streams for 30 days. “We estimate that this will reduce Netflix traffic on European networks by around 25% while also ensuring a good quality service for our members,” a Netflix spokesperson said in a statement. A spokesperson for Google, which owns YouTube, said: “We will continue working with member state governments and network operators to minimize stress on the system, while also delivering a good user experience.”

The Financial Times reports that in Italy, the first country to enact a full lockdown, there has been a three-fold increase in the use of video conferencing, which, alongside streaming and gaming, drove a 75 per cent rise in residential data traffic across broadband and mobile networks during the weekend, according to Telecom Italia. And the Spanish telecoms industry issued a warning at the start of the week to urge consumers to ration their internet usage by streaming and downloading more in off-peak hours.

This is going to get worse. What’s happening — predictably — is that whereas Internet use tended to spike in the evenings, now it’s higher (sometimes much higher) throughout the day. So we now have another curve that we need to “flatten”. And it’s possible, therefore, that the EU will have to revisit its Net Neutrality rules as a consequence.


How to Make Your Own Hand Sanitizer

Recipes from Wired magazine. I think I’ll stick to soap and water.


How will we know when we’re through this?

A question that Steven Levy asked during his interview with Larry Brilliant. (That’s the Larry Brilliant of eradicating smallpox and the famous TED talk about how to deal with pandemics.) His mantra: detect early, and respond early.

Here’s his answer to Levy’s question:

The world is not going to begin to look normal until three things have happened. One, we figure out whether the distribution of this virus looks like an iceberg, which is one-seventh above the water, or a pyramid, where we see everything. If we’re only seeing right now one-seventh of the actual disease because we’re not testing enough, and we’re just blind to it, then we’re in a world of hurt. Two, we have a treatment that works, a vaccine or antiviral. And three, maybe most important, we begin to see large numbers of people—in particular nurses, home health care providers, doctors, policemen, firemen, and teachers who have had the disease—are immune, and we have tested them to know that they are not infectious any longer. And we have a system that identifies them, either a concert wristband or a card with their photograph and some kind of a stamp on it. Then we can be comfortable sending our children back to school, because we know the teacher is not infectious.

The interview is well worth reading in full.

And when you’ve done that, watch his 2006 TED talk. You won’t regret it.