Friday 14 February, 2020

Bloomberg is going after Trump on his home turf: Facebook

He spent more than $1 million a day on average during the past two weeks on Facebook, according to data compiled by NBC News. The thing is: with a net worth of $61B, he can easily afford to outspend Trump. At one level, this might be reassuring. At another, it’s deeply depressing: it means that only billionaires can play at democracy in the US now. We’re really in Larry Lessig’s Lesterland.


Are unsecured cafe wi-fi networks deliberately hostile to VPNs?

I’m in Bill’s cafe in Cambridge, which offers ‘free’ Wi-Fi — which of course I don’t trust. So I switch on my VPN to find that, mysteriously, it can’t connect to its server. And I’m wondering if this is just some kind of glitch, or a policy by the firm that provides the Wi-Fi. After all, they don’t want clients sending communications that are encrypted and therefore inscrutable for advertising and tracking purposes. In this stuff, only the paranoid survive.
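A quick way to settle the "glitch or policy" question from the client side, added here as an illustration and not part of the original post: a hotspot that blocks VPNs usually does it in one of three ways (intercepting DNS until a captive portal is accepted, letting ordinary web traffic out on TCP 443 while dropping the VPN's own port, or simply having no upstream at all), and two plain TCP connection attempts against your own VPN server separate those cases. The hostname and port used in the usage line are placeholders; `self_check()` runs the logic offline against two loopback sockets so the behaviour can be seen without any network.

```python
"""Client-side diagnostic for "my VPN won't connect on this Wi-Fi".

Cases it separates:
  1. captive portal / DNS interception: the VPN host won't even resolve;
  2. port filtering: TCP 443 on the VPN host connects, the VPN port does not;
  3. no upstream at all: nothing connects (an ordinary glitch).
Only ordinary TCP connects to endpoints you already use are made.
"""
import socket
from dataclasses import dataclass


@dataclass
class ProbeResult:
    host: str
    port: int
    resolved: bool    # name lookup succeeded
    connected: bool   # TCP handshake completed
    error: str        # empty on success, otherwise the failure reason


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> ProbeResult:
    """Resolve host and attempt a single TCP connect; never raises."""
    try:
        infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
    except socket.gaierror as exc:
        return ProbeResult(host, port, False, False, f"dns: {exc}")
    family, socktype, proto, _, addr = infos[0]
    sock = socket.socket(family, socktype, proto)
    sock.settimeout(timeout)
    try:
        sock.connect(addr)
        return ProbeResult(host, port, True, True, "")
    except OSError as exc:
        return ProbeResult(host, port, True, False, f"connect: {exc}")
    finally:
        sock.close()


def classify(vpn: ProbeResult, web: ProbeResult) -> str:
    """Combine a probe of the VPN port with a probe of TCP 443 on the same host."""
    if not vpn.resolved and not web.resolved:
        return "dns-intercepted"      # captive portal or DNS-level block
    if vpn.connected:
        return "vpn-reachable"        # the network is not what is failing
    if web.connected:
        return "vpn-port-filtered"    # web gets out, the VPN port does not
    return "no-upstream"              # nothing gets out; likely a glitch


def diagnose(vpn_host: str, vpn_port: int, timeout: float = 3.0) -> str:
    """One-call verdict for a real endpoint (TCP-based VPNs only, see note)."""
    vpn = probe_tcp(vpn_host, vpn_port, timeout)
    web = probe_tcp(vpn_host, 443, timeout)
    return classify(vpn, web)


def self_check() -> dict:
    """Offline demonstration on loopback: one listening socket stands in for
    a reachable port, one socket that is bound but never listen()ed stands in
    for a blocked port (the kernel refuses the connect)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    closed = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    closed.bind(("127.0.0.1", 0))       # bound, not listening -> refused
    try:
        open_port = listener.getsockname()[1]
        closed_port = closed.getsockname()[1]
        reachable = probe_tcp("127.0.0.1", open_port, 1.0)
        refused = probe_tcp("127.0.0.1", closed_port, 1.0)
        return {
            "reachable": reachable.connected,
            "refused": refused.connected,
            "refused_error": refused.error,
            # treat the refused port as the VPN port and the open one as 443
            "verdict": classify(refused, reachable),
        }
    finally:
        listener.close()
        closed.close()


if __name__ == "__main__":
    print(self_check())
    # Placeholder endpoint: substitute your own VPN server and port.
    print(diagnose("vpn.example.invalid", 1194))
```

The check only works for VPNs that accept TCP (OpenVPN in TCP mode, IKEv2 or SSTP on 443): a UDP-only endpoint such as WireGuard never answers an unauthenticated probe, so a silent server and a filtered port look identical from the client. A "vpn-port-filtered" verdict is the one that matters in practice, since it is the case where switching the client to its TCP/443 transport, where the provider offers one, is likely to help, whereas "dns-intercepted" usually just means the portal page has not been accepted yet.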


Inside the mind of Dominic Cummings

Cummings is now the UK’s de facto project manager, but what does he actually believe? In a bid to find out, Stefan Collini read (almost) everything Cummings has written in the last decade. His report is fascinating, insightful and thought-provoking. I can say that because I too have been reading Cummings for years. When I say that to people in Cambridge, though, they start to back away — as if I had revealed that I was interested in UFOs. They view Cummings through a blinding haze of visceral dislike. So it’s nice to see a real heavyweight (Collini has written great stuff on CP Snow, the neoliberal ‘reform’ of UK universities and public intellectuals) taking Cummings seriously. Well worth reading in full.


I stumbled across a huge Airbnb scam that’s taking over London

Wonderful piece of investigative reporting by James Temperton in Wired. I don’t use Airbnb but I know lots of people — especially younger folk — who do. Wonder how many of them have bad experiences?


A taxonomy of privacy

Landmark 2006 article by Daniel Solove in the University of Pennsylvania Law Review. I love the way it begins:

Privacy is a concept in disarray. Nobody can articulate what it means. As one commentator has observed, privacy suffers from “an embarrassment of meanings.”

Yep. And that’s still true — fourteen years later.

Monday 27 January, 2020

Does it make sense to confine Huawei to the ‘non-core’ part of a 5G network?

This seems to be the UK’s fallback position to avoid antagonising the Chinese state (though it won’t mollify the Americans). Bruce Schneier has some interesting things to say about this. Sample:

The 5G security problems are threefold. First, the standards are simply too complex to implement securely. This is true for all software, but the 5G protocols offer particular difficulties. Because of how it is designed, the system blurs the wireless portion of the network connecting phones with base stations and the core portion that routes data around the world. Additionally, much of the network is virtualized, meaning that it will rely on software running on dynamically configurable hardware. This design dramatically increases the points vulnerable to attack, as does the expected massive increase in both things connected to the network and the data flying about it.

Second, there’s so much backward compatibility built into the 5G network that older vulnerabilities remain. 5G is an evolution of the decade-old 4G network, and most networks will mix generations. Without the ability to do a clean break from 4G to 5G, it will simply be impossible to improve security in some areas. Attackers may be able to force 5G systems to use more vulnerable 4G protocols, for example, and 5G networks will inherit many existing problems.

Third, the 5G standards committees missed many opportunities to improve security. Many of the new security features in 5G are optional, and network operators can choose not to implement them. The same happened with 4G; operators even ignored security features defined as mandatory in the standard because implementing them was expensive. But even worse, for 5G, development, performance, cost, and time to market were all prioritized over security, which was treated as an afterthought.

Schneier’s view is that “It’s really too late to secure 5G networks”. 5G security, he says,

is just one of the many areas in which near-term corporate profits prevailed against broader social good. In a capitalist free market economy, the only solution is to regulate companies, and the United States has not shown any serious appetite for that.

What’s more, U.S. intelligence agencies like the NSA rely on inadvertent insecurities for their worldwide data collection efforts, and law enforcement agencies like the FBI have even tried to introduce new ones to make their own data collection efforts easier. Again, near-term self-interest has so far triumphed over society’s long-term best interests.

And of course there’s also the fact that there have probably always been US-friendly backdoors in Cisco kit, as this report from the FT the other day suggests.


Sajid Javid and the ‘quiet hegemon’ he’s clearly never heard about

Javid, who is currently Chancellor of the Exchequer, was grandstanding the other week about how the liberated UK would break free of EU red tape. In an interview with the Financial Times he warned UK manufacturers that “there will not be alignment” with the EU after Brexit and insisted that firms must “adjust” to new regulations.

Not surprisingly, this caused alarm in many business sectors whose prosperity depends on adhering to EU regulations. And so Javid — possibly under instruction from Number 10 — started to row back, saying that the government will only use the freedom to diverge if it thinks the change is worthwhile, and after the pros and cons have been weighed up.

The Chancellor has form in shooting his mouth off. I remember that he spoke at the launch of the previous government’s White Paper on online harms. He was then Home Secretary (aka Minister of the Interior) and his speech was less about online harms and more about how he was the tough guy who would stamp out this kind of harm. In effect, it was part of his campaign to replace Theresa May, then on her last legs as Premier.

I viewed his Financial Times interview through the same lens. He’s like Boris Johnson during May’s tenure, perpetually in campaigning mode. There are, however, some harsh realities about regulatory divergence that suggest he could be riding for a fall. Today, for example, the CEO of Volvo is reported (by the FT) as saying that certifying his company’s cars for the UK market would not be worth the cost if UK rules diverged significantly from the EU’s. The result: UK consumers would have a smaller range of Volvos to choose from. And there’s an interesting new book out — The Brussels Effect: How the European Union Rules the World by Anu Bradford, an academic study detailing how, in a world increasingly driven by standards, EU standards have quietly become global standards. (Think GDPR.)

In that way, the EU has become a “quiet hegemon” of which it seems the Westminster bubble is blissfully unaware.

Has the NSA really changed its mind?

Hmmm… Fascinating report in today’s NYT:

WASHINGTON — The National Security Agency has taken a significant step toward protecting the world’s computer systems, announcing Tuesday that it alerted Microsoft to a vulnerability in its Windows operating system rather than following the agency’s typical approach of keeping quiet and exploiting the flaw to develop cyberweapons.

The warning allowed Microsoft to develop a patch for the problem and gave the government an early start on fixing the vulnerability. In years past, the National Security Agency has collected all manner of computer vulnerabilities to gain access to digital networks to gather intelligence and generate hacking tools to use against American adversaries.

The foolishness of this policy was critically exposed a while back when some of those tools fell into the hands of cybercriminals and other baddies, including North Korean and Russian hackers.

So does this new spirit of cooperativeness signal a real shift in strategy? Or does it just show that the agency was temporarily traumatised by accusations that its unscrupulous collection of vulnerabilities caused hundreds of millions of dollars in damage? Should we believe the declaration by Anne Neuberger, the NSA’s Cybersecurity director, that “We wanted to take a new approach to sharing and also really work to build trust with the cybersecurity community”?

Good news if she’s serious. And the theft of the tools should serve as a warning against governments’ incessant campaign for backdoors into commercial encryption systems.

A real quantum leap?

This is from the FT (behind a paywall) so it came to me via Charles Arthur’s invaluable The Overspill:

A paper by Google’s researchers seen by the FT, that was briefly posted earlier this week on a Nasa website before being removed, claimed that their processor was able to perform a calculation in three minutes and 20 seconds that would take today’s most advanced classical computer, known as Summit, approximately 10,000 years.

The researchers said this meant the “quantum supremacy”, when quantum computers carry out calculations that had previously been impossible, had been achieved.

“This dramatic speed-up relative to all known classical algorithms provides an experimental realisation of quantum supremacy on a computational task and heralds the advent of a much-anticipated computing paradigm,” the authors wrote.

“To our knowledge, this experiment marks the first computation that can only be performed on a quantum processor.”

The system can only perform a single, highly technical calculation, according to the researchers, and the use of quantum machines to solve practical problems is still years away.

But the Google researchers called it “a milestone towards full-scale quantum computing”. They also predicted that the power of quantum machines would expand at a “double exponential rate”, compared to the exponential rate of Moore’s Law, which has driven advances in silicon chips in the first era of computing.

Interesting that the article was withdrawn so precipitously. But really significant if true. After all, current encryption methods are all based on the proposition that some computations are beyond the reach of conventional machines.

Zero-days and the iPhone

This morning’s Observer column:

Whenever there’s something that some people value, there will be a marketplace for it. A few years ago, I spent a fascinating hour with a detective exploring the online marketplaces that exist in the so-called “dark web” (shorthand for the parts of the web you can only get to with a Tor browser and some useful addresses). The marketplaces we were interested in were ones in which stolen credit card details and other confidential data are traded.

What struck me most was the apparent normality of it all. It’s basically eBay for crooks. There are sellers offering goods (ranges of stolen card details, Facebook, Gmail and other logins etc) and punters interested in purchasing same. Different categories of these stolen goods are more or less expensive. (The most expensive logins, as I remember it, were for PayPal). But the funniest thing of all was that some of the marketplaces operated a “reputation” system, just like eBay’s. Some vendors had 90%-plus ratings for reliability etc. Some purchasers likewise. Others were less highly regarded. So, one reflected, there really is honour among thieves.

But it’s not just credit cards and logins that are valuable in this underworld…

Read on

Want a job? There’s a great future in cybersecurity

From an interesting New Yorker piece by Sue Halpern:

There are currently more than three hundred thousand unfilled cybersecurity jobs in both government and the private sector in the United States alone. Worldwide, the number is expected to be three and a half million by 2021; that year, cybercrime is expected to cost six trillion dollars. Even the United States military is at risk, according to last year’s Defense Department Inspector General report, which found that insecure systems left the country susceptible to missile attacks. This year’s cybersecurity-readiness review of the Navy found that “competitors and potential adversaries have exploited [Department of the Navy] information systems, penetrated its defenses, and stolen massive amounts of national security” intellectual property. And, of course, as we now know, our elections, the essential engine of our democracy, are also poorly defended. “I don’t think any of us are questioning the fact that there is a lack of cybersecurity professionals across the board, in all different types of professions,” Emmel said.

Halpern’s piece was sparked by the fact that, this summer,

the N.S.A. is running a hundred and twenty-two cybersecurity camps across the country. There are camps for girls in South Dakota, Maryland, Puerto Rico, and South Carolina; a camp in Pennsylvania that simulates an airport hack; and one in Georgia that disarms a car hacking. On the last Monday in July, as news broke that a hundred million Capital One bank accounts had been breached, I attended Camp CryptoBot, at Pace University’s Westchester campus, the only cyber camp affiliated with the Navy. A few years ago, the camp director, Pauline Mosley, a professor of information technology, found herself sitting next to an admiral at a conference and used the opportunity to deploy her pre-digital networking skills.

GCHQ, are you listening?

Sheep, goats and hotel WiFi

This morning’s Observer column:

You’ve just arrived at the hotel after a delayed flight and a half-hour wrangle with the car-hire firm. And then you remember that you’ve forgotten to pay last month’s credit card bill, and there’ll be an interest charge if you wait until you’re back at base. But – hey! – you can do it online and help is at hand. The receptionist is welcoming and helpful. They have wifi and it’s free. Relieved, you ask for the password. “Oh, you don’t need one,” he replies. “Just type in your room number and click the box.”

Phew! Problem solved. Er, not necessarily. At this point the human race divides into two groups. Call them sheep and goats. Sheep are sweet, trusting folks who like to think well of their fellow humans. Surely that helpful receptionist would not knowingly offer a dangerous service. Also, they find digital technology baffling and intimidating. And they cannot imagine why anything they do online might be of interest to anyone.

Goats, on the other hand, have nasty, suspicious minds…

Read on

The significance of the WhatsApp hack

This morning’s Observer column:

When Edward Snowden broke cover in the summer of 2013 and a team of Guardian journalists met up with him in his Hong Kong hotel, he insisted not only that they switch off their mobile phones but also that they put the devices into a fridge. This precaution suggested that Snowden had some special insight into the hacking powers of the NSA, specifically that the agency had developed techniques for covertly taking over a mobile phone and using it as a tracking and recording device. To anyone familiar with the capabilities of agencies such as the NSA or GCHQ, this seemed plausible. And in fact, some years later, such capabilities were explicitly deemed necessary and permissible (as “equipment interference”) in the Investigatory Powers Act 2016.

When Snowden was talking to the reporters in Hong Kong, WhatsApp was a four-year-old startup with an honest business model (people paid for the app), about 200m active users and a valuation of $1.5bn. In February 2014, Facebook bought the company for $19bn and everything changed. WhatsApp grew exponentially to its present ubiquity: it has more than 1.5 billion users and has spread like a rash over the entire planet.

Among its attractions is that it offers users effortless end-to-end encryption for their communications, thereby enhancing their privacy…

Read on

The technical is political. Now what?

Bruce Schneier has been valiantly going on about this for a while. Once upon a time, digital technology didn’t have many social, political or democratic ramifications. Those days are over. Universities, companies, software engineers and governments need to think about this — and tool up for it. Here’s an excerpt from one of Bruce’s recent posts on the subject:

Technology now permeates society in a way it didn’t just a couple of decades ago, and governments move too slowly to take this into account. That means technologists now are relevant to all sorts of areas that they had no traditional connection to: climate change, food safety, future of work, public health, bioengineering.

More generally, technologists need to understand the policy ramifications of their work. There’s a pervasive myth in Silicon Valley that technology is politically neutral. It’s not, and I hope most people reading this today know that. We built a world where programmers felt they had an inherent right to code the world as they saw fit. We were allowed to do this because, until recently, it didn’t matter. Now, too many issues are being decided in an unregulated capitalist environment where significant social costs are too often not taken into account.

This is where the core issues of society lie. The defining political question of the 20th century was: “What should be governed by the state, and what should be governed by the market?” This defined the difference between East and West, and the difference between political parties within countries. The defining political question of the first half of the 21st century is: “How much of our lives should be governed by technology, and under what terms?” In the last century, economists drove public policy. In this century, it will be technologists.

The future is coming faster than our current set of policy tools can deal with. The only way to fix this is to develop a new set of policy tools with the help of technologists. We need to be in all aspects of public-interest work, from informing policy to creating tools all building the future. The world needs all of our help.

Yep.

The cost of insecurity (not to mention of Windows XP)

From The Inquirer:

The WannaCry ransomware attack cost the already cash-strapped NHS almost £100m, the Department of Health and Social Care (DHSC) estimates.

Until now, the financial damage caused by the sweeping cyber attack – which it’s now been revealed affected 8 per cent of GP clinics and forced the NHS to cancel 19,000 appointments – has been unclear, but the DHSC estimates in a new report that the total figure cost in at £92m.

WannaCry cost approximately £19 in lost output, while a whopping £73m was racked up in IT costs in the aftermath of the attack, according to the report. Some £72m was spent on restoring systems and data in the weeks after the attack struck.

“We recognise that at the time of the attack the focus would have been on patient care rather than working out what WannaCry was costing the NHS,” the report says.

Following the attack, the NHS has pledged to upgrade all of its systems to Windows 10 after it was found that the service’s outdated and unpatched Windows XP and Windows 7 systems were largely to blame.