Month: April 2016

Andy Greenberg, Wired:

The researchers’ work demonstrates the unexpected privacy-invasive potential of “brute-forcing” shortened URLs: By guessing at shortened URLs until they found working ones, the researchers say that they could have pulled off tricks ranging from spreading malware on unwitting victims’ computers via Microsoft’s cloud storage service to finding out who requested Google Maps directions to abortion providers or drug addiction treatment facilities.

In aggregate, pseudo-randomized data of any kind poses a risk if brute-force attempts are not regulated.

Around ten years ago, a bunch of URL-shortening and image hosting services sprang up — one called “idzr”, another was called “kttns”.[1] These services were created in response to Twitter’s character limitations and a lack of decent image hosting at the time, and eventually begat entire companies like Droplr and CloudApp.

At the time, there was also a strong jailbreaking and customization culture for OS X, iOS, and Windows. Entire forums like Aqua Soft and Macristocracy centred around the ways in which users would tweak their home screens or modify OS X’s appearance. Many of you were probably members.

I distinctly recall someone in the #MacThemes IRC channel one day making a site that crawled a couple of these URL shortening services and displayed everything hosted on them. There was nothing particularly sensitive, as best as I can recall; occasionally, there were privately-shared icons and desktop pictures.

At any rate, the owners of the services in question quickly modified their code so that short links couldn’t be brute-forced or automatically crawled, and measures were put in place to limit access rates on any particular link.

This stuff was solved years ago on services built by a single developer. This shouldn’t be an issue at large companies like Google and Microsoft.


  1. The original, as far as I’m concerned, dznr, allowed accounts by invitation only. It was shut down in 2013.
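The two fixes described above (identifiers that cannot be enumerated, and a cap on lookup rates per client) are simple enough to show end to end. What follows is an added illustration, not code from idzr, kttns, Droplr or any service named on this page; the `FixedWindowLimiter` and `Shortener` names and the limits used are assumptions chosen for the example. The `expected_guesses_per_hit` helper quantifies the point the Wired piece makes: with a six-character key and a million live links, a blind guess lands on a real link roughly every 57,000 tries, which is trivial at scale; at ten characters it is roughly a trillion tries, and the limiter counts misses as well as hits, so enumeration is throttled before it gets anywhere.

```python
import secrets
import string
import time
from collections import defaultdict

# Alphabet used by most shorteners: 62 case-sensitive symbols.
ALPHABET = string.ascii_letters + string.digits


def new_short_id(length: int = 10) -> str:
    """Return a short-link id drawn uniformly at random from a CSPRNG.

    A sequential (or lightly scrambled) counter is enumerable; a random id
    of sufficient length is not.
    """
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def expected_guesses_per_hit(id_length: int, live_links: int,
                             alphabet_size: int = len(ALPHABET)) -> float:
    """Average number of blind guesses before one lands on a live link.

    This is simply keyspace / live_links. Six symbols with a million live
    links: ~57k guesses per hit. Ten symbols: ~10^12 guesses per hit.
    """
    if live_links <= 0:
        raise ValueError("live_links must be positive")
    return alphabet_size ** id_length / live_links


class FixedWindowLimiter:
    """Per-client request cap over a fixed window (e.g. 60 lookups a minute).

    Hypothetical helper for this example. The clock is injectable so the
    behaviour can be exercised without sleeping.
    """

    def __init__(self, limit: int, window_seconds: float, clock=time.monotonic):
        self.limit = limit
        self.window = window_seconds
        self.clock = clock
        # client key -> [window_start, request_count]
        self._state = defaultdict(lambda: [0.0, 0])

    def allow(self, client_key: str) -> bool:
        now = self.clock()
        window_start, count = self._state[client_key]
        if now - window_start >= self.window:
            window_start, count = now, 0      # start a fresh window
        if count >= self.limit:
            self._state[client_key] = [window_start, count]
            return False
        self._state[client_key] = [window_start, count + 1]
        return True


class Shortener:
    """Minimal resolver: unguessable ids plus a rate-limited lookup path."""

    def __init__(self, limiter: FixedWindowLimiter, id_length: int = 10):
        self.limiter = limiter
        self.id_length = id_length
        self._links = {}

    def shorten(self, url: str) -> str:
        while True:
            short_id = new_short_id(self.id_length)
            if short_id not in self._links:   # collision is astronomically unlikely
                self._links[short_id] = url
                return short_id

    def resolve(self, short_id: str, client_key: str) -> str:
        """Return the URL, or a status: 'rate_limited' or 'not_found'.

        The limiter is consulted before the lookup, so misses count against
        the client too; an enumeration attempt is almost entirely misses.
        """
        if not self.limiter.allow(client_key):
            return "rate_limited"
        return self._links.get(short_id, "not_found")


if __name__ == "__main__":
    svc = Shortener(FixedWindowLimiter(limit=60, window_seconds=60))
    sid = svc.shorten("https://example.com/constructed-target")  # constructed URL
    print(sid, svc.resolve(sid, "client-a"))
    print("6 chars, 1M links:", expected_guesses_per_hit(6, 1_000_000))
    print("10 chars, 1M links:", expected_guesses_per_hit(10, 1_000_000))
```

The limiter keys on whatever the deployment can identify a client by (source address, API key); a fixed window is the simplest form and is enough to make the point, though production systems usually prefer a token bucket so bursts are smoothed rather than cut off at the window edge.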

Patrick George of Jalopnik:

Sadly, the Motor Trend designers’ approach to an Apple Car isn’t particularly insightful. It’s an egg on wheels! With autonomous driving technology! And lots of screens! And Apple logos! And it’s built for ride-sharing! It uses the word “mobility!” […]

Even if the final design is bad and unoriginal — and it is thoroughly both of those things — no sin is greater than misleading readers and the public into thinking they had the actual car. What could have been an interesting project is tanked by a desperate attempt for attention and relevance.

Who at Motor Trend thought this would be a good idea?

So say Adam Satariano and Alex Webb of Bloomberg:

Among the ideas being pursued, Apple is considering paid search, a Google-like model in which companies would pay to have their app shown at the top of search results based on what a customer is seeking. For instance, a game developer could pay to have its program shown when somebody looks for “football game,” “word puzzle” or “blackjack.”

Paid search, which Google turned into a multibillion-dollar business, would give Apple a new way to make money from the App Store. The growing marketing budgets of app developers such as “Clash of Clans” maker Supercell Oy have proven to be lucrative sources of revenue for Internet companies, including Facebook Inc. and Twitter Inc.

Paid search tends to help bigger companies more than it does smaller ones. I certainly hope there are plans to address the challenges that face indie developers who are making great apps but struggle to get by.

Update: Apple doesn’t need “a new way to make money from the App Store”. They need a way to get developers to make more money. They need to de-crappify the Store and improve the chances of success for smaller developers. I certainly hope that sentence is Satariano and Webb’s interpretation, because if the objective of a project like this is truly to make Apple more money, that’s extremely concerning.

Jordan Pearson and Justin Ling, Vice:

BlackBerry (formerly RIM) encrypts all messages sent between consumer phones, known as PIN-to-PIN or BBM messages, using a single “global encryption key” that’s loaded onto every handset during manufacturing. With this one key, any and all messages sent between consumer BlackBerry phones can be decrypted and read. In contrast, Business Enterprise Servers allow corporations to use their own encryption key, which not even BlackBerry can access. […]

According to more than 3,000 pages of court documents pertaining to the case that resulted from Project Clemenza, obtained by VICE Canada, the RCMP maintains a server in Ottawa that “simulates a mobile device that receives a message intended for [the rightful recipient].” In an affidavit, RCMP sergeant Patrick Boismenu states that the server “performs the decryption of the message using the appropriate decryption key.” The RCMP calls this the “BlackBerry interception and processing system.”

All BlackBerry devices share an encryption key? Amateur hour.

BlackBerry CEO John Chen in a 2015 corporate blog post:

We reject the notion that tech companies should refuse reasonable, lawful access requests. Just as individual citizens bear responsibility to help thwart crime when they can safely do so, so do corporations have a responsibility to do what they can, within legal and ethical boundaries, to help law enforcement in its mission to protect us.

However, it is also true that corporations must reject attempts by federal agencies to overstep. BlackBerry has refused to place backdoors in its devices and software. We have never allowed government access to our servers and never will.

While it isn’t an outright lie that BlackBerry has never allowed government access to their servers, they did turn over their encryption key to a federal agency who used it to create an interception method.

Also, how can BlackBerry promise to comply with a court order if enterprise customers are allowed to use their own encryption keys? One answer: they can’t, and Chen hoped that this blog post wouldn’t blow up in his face. Another: they can, they haven’t disclosed a true backdoor but it doesn’t seem unlikely with this Vice story, and Chen is still hoping that this blog post won’t blow up in his face.

Sarah McBride, Reuters:

Microsoft Corp has sued the U.S. government for the right to tell its customers when a federal agency is looking at their emails, the latest in a series of clashes over privacy between the technology industry and Washington. […]

Using the Electronic Communications Privacy Act (ECPA), the government is increasingly directing investigations at the parties that store data in the so-called cloud, Microsoft says in the lawsuit. The 30-year-old law has long drawn scrutiny from technology companies and privacy advocates who say it was written before the rise of the commercial Internet and is therefore outdated.

“People do not give up their rights when they move their private information from physical storage to the cloud,” Microsoft says in the lawsuit. It adds that the government “has exploited the transition to cloud computing as a means of expanding its power to conduct secret investigations.”

It’s taken some time after Edward Snowden’s disclosures, but the tech industry isn’t standing for this shit any more. Good for them.

Astute observation by Brooks:

If you are arguing in favor of consolidating the gestures, then the better argument is just to get rid of 3D Touch. There’s no reason to have both 3D Touch and long press if they both do the same thing and since not all new [devices] have 3D Touch — 3D Touch would be the technology to be removed.

The whole point of 3D Touch is that it adds new functionality to iOS. It isn’t simply a different interpretation of an existing gesture.

When the iPhone launched with a multitouch display, there was really only one aspect of the system that required multiple touch points: pinching to zoom web pages and photos. Many years later, we now have the ability to adjust a map’s perspective, manipulate the depth-of-field in an Instagram photo, and play instruments on an iPad. All of these features — and many more — are made possible because the hardware can accept multiple touch points. 3D Touch is, I think, set to do the same thing given some time.

In some ways, I wish Apple shipped a lesser amount of 3D Touch functionality and simply waited to see how developers would interpret it. What they have shipped ultimately feels right, more or less, though.

Two great developments lately. First, a sort of state-level version of the upcoming U.S. federal bill that requires decryption of electronic communications was defeated in California. Jeremy B. White of the Sacramento Bee:

A national debate over smartphone encryption arrived in Sacramento on Tuesday as legislators defeated a bill penalizing companies that don’t work with courts to break into phones, siding with technology industry representatives who called the bill a dangerous affront to privacy. […]

Assembly Bill 1681 would authorize $2,500 penalties against phone manufacturers and operating system providers if they do not obey court orders to decrypt phones.

And another bill at the federal level is moving forward in Congress. Eric Geller of the Daily Dot:

The House Judiciary Committee unanimously passed (28-0) the Email Privacy Act, which eliminates a loophole allowing authorities to get some electronic records without a warrant. The bill, sponsored by Rep. Kevin Yoder (R-Kan.), has more than 300 sponsors and is expected to sail through the full chamber.

The Email Privacy Act requires law-enforcement agencies to get a warrant in order to demand that tech companies turn over online communication records, such as emails, instant messages, and private social-media messages. It amends the Electronic Communications Privacy Act (ECPA), which only required a warrant for messages newer than 180 days.

Small but significant steps. It’s progress.

Ellen Nakashima, Washington Post:

The FBI cracked a San Bernardino terrorist’s phone with the help of professional hackers who discovered and brought to the bureau at least one previously unknown software flaw, according to people familiar with the matter.

The new information was then used to create a piece of hardware that helped the FBI to crack the iPhone’s four-digit personal identification number without triggering a security feature that would have erased all the data, the individuals said. […]

The U.S. government now has to weigh whether to disclose the flaws to Apple, a decision that probably will be made by a White House-led group.

The correct thing to do would be for either the FBI or this security research team to disclose this vulnerability to Apple so that it can be fixed, though recent reports suggest that the flaw doesn’t exist in iPhones with a secure enclave. That would ensure better security for everyone using an older iPhone.

The likely outcome of this is that this particular flaw and anything else that allows the FBI to bypass security measures on any device will be kept very close to the vest, and perhaps used as a bargaining chip for when the “Compliance with Court Orders Act of 2016” gets introduced. “We’ll turn over our records of your security vulnerabilities if you add a backdoor” seems very much like the intelligence community party line these days.

It’s been a hell of a month for Nest, so CEO Tony Fadell went to a company-wide Google meeting last Friday to address the concerns. Mark Bergen of Recode quotes from a transcript of his speech:

Of course, we’re not perfect. No company is. Nest isn’t perfect. I’m not perfect. No one’s perfect. But we know what our problems are. We have been addressing them over the last two years. And, frankly, we have more room to go. […]

That said, I also want to address the whole respect thing. I do respect the Nest employees. I do respect the Google employees. I respect the Alphabet employees. We try to work very hard together and partner in many different areas around the different companies.

It’s not just recent reports that paint a picture of a toxic corporate culture with Fadell as a bullying, unforgiving leader — a 2014 post by Connie Loizos quotes several employees’ gripes about the company:

Sources who spoke to StrictlyVC and asked to remain anonymous say Fadell has fashioned a hierarchical structure reminiscent of TV’s “Game of Thrones.” […]

Another employee calls it a “huge meeting culture, to the point where anyone at the director level or up spends their entire day in meetings, many of them duplicative meetings about the same subject, over and over to the point where a lot of people have complained.”

This has been a long time brewing. I’ve little doubt that Fadell earnestly believes that he’s improving and that the company is improving, but these kinds of recurring anecdotes don’t simply appear out of nowhere.

Crack reporting from Buzzfeed’s Nitasha Tiku:

Augmented reality, virtual reality, live video, 360-degree video, artificial intelligence, business bots. You name it; Facebook is about to offer you a free way to start testing it, whether that’s APIs, the kind of connective software that lets 1-800-FLOWERS make its own app on Facebook Messenger, or hardware that turned the melting heap of cameras necessary to film 360-degree video into a sleek mini-spaceship of a camera that Facebook launched at the end of today’s keynote.

Facebook doesn’t have to choose between messaging or virtual reality. It just colonizes both platforms, figures it out, offers a helping hand to the advertisers, publishers, and e-tailers considering joining, and makes itself indispensable (for a cut).

The last time I can recall a company having anything like Facebook’s drive for dominance was the Microsoft of the ’90s and early ’00s. At the time, they abused their monopoly power in software, from operating systems to applications and web browsers. Facebook is stretching itself overtop a multitude of technologies; it wants to be the start-to-finish conduit for your life. The future will be brought to you by targeted advertising.

Tim Bunce is experimenting with podcast transcription (via Michael Tsai):

When I remember fragments of some story or idea that I recall hearing on a podcast, I’d like to be able to find it again. Without searchable transcripts I can’t. It’s impractical to listen to hundreds of old episodes, so the content is effectively lost.

Given the advances in automated speech recognition in recent years, I began to wonder if some kind of automated transcription system would be practical.

Podcasts may be a growing medium, but I’ve always had a hard time listening to them. It’s hard for me to simultaneously write code and pay attention to people speaking at the same time, so I often can’t listen to them at work. At other times, it’s a matter of priorities — I tend to prefer listening to music and reading over podcasts.

This frustrates me, because I know there are lots of great podcasts out there that I simply don’t have time for. A transcript will lose some of the character of the speakers, but I’ll trade that in a heartbeat for the ability to read the discussion.

This is a project Bunce is starting and is looking for help, so if you have any ideas for how he might be able to make this happen, please give him a shout.

Stephen Hackett ruminates again on the Macintosh product strategy:

When Jobs came back, he had to tell the story that Apple was on top of its game, and a large part of that story was straightening out the mess the Mac line had become. With four main computers, it was easy to understand what Apple had for sale.

Today, the world is more complicated, and consumers want more options. Some want the most powerful notebook possible, while others value lightness and thinness above all other things.

Pop Chart Lab put Apple’s product history into a single chart, and you can see exactly where their lineup got bloated, where it got Steve’d, and how today’s lineup compares. Once the last of the non-Retina Macs are dumped from the line, it will become simpler still.

Casey Liss:

Perhaps it’s because I have a job where I leave the house, but I can’t imagine looking down at my wrist and not seeing when my next appointment is. I can’t imagine looking down and not seeing what the temperature is outside.

I agree with this piece entirely.

The Apple Watch of today is one that I like very, very much. It fits my life and what I do every single day. On the weekend, I use the Modular face, and I love having my todo list — by way of Things — on my wrist. I can get by just fine with a pen and a notebook, or just Things on my iPhone, but having my list on my wrist is substantially more usable when I need to get a bunch of stuff done.

Weirdly, I have a hard time recommending the Watch to others. It works very well for me and my life, and it might work very well for you, too, but it feels a bit like an old Italian car right now: very desirable, but something that you’d recommend cautiously.

This isn’t a new situation for Apple. When the MacBook Air first came out, it was hard to suggest to a friend that they pick up a laptop that cost as much as a MacBook Pro but had a way smaller hard drive and a way underpowered CPU; ditto the new MacBook. Even the iPhone was a hard sell at first to BlackBerry users who couldn’t bear to lose that physical keyboard. Over time, though, these products improved and we realized what we really wanted.

That isn’t to say that products that were not well-received at their launch are destined to become a success. Apple has their fair share of those — the iPod Hi-Fi and iTunes Ping come to mind — as do plenty of other companies. Time will tell if the Watch eventually becomes a success or if it remains a niche product that Apple eventually kills. But I don’t think it’s been around for long enough to tell, contrary to alarmist Quartz headlines.

Update: I’ve just remembered that I’ve gone a while without mentioning that I still cannot run native watchOS 2 apps downloaded from the App Store on my Watch. My radar is #24143586; it dupes #24436883 (which is weird, because that one is newer, but never mind).

Many of the concerns about the Apple Watch centre around its software. I’ve heard practically no complaints about the hardware, but it doesn’t feel like Apple has lavished attention on the software in the way they have any of their other products. That’s troubling.

Kashmir Hill, Fusion:

[…] for the last 14 years, every time MaxMind’s database has been queried about the location of an IP address in the United States it can’t identify, it has spit out the default location of a spot two hours away from the geographic center of the country. This happens a lot: 5,000 companies rely on MaxMind’s IP mapping information, and in all, there are now over 600 million IP addresses associated with that default coordinate. If any of those IP addresses are used by a scammer, or a computer thief, or a suicidal person contacting a help line, MaxMind’s database places them at the same spot: 38.0000,-97.0000.

Which happens to be in the front yard of Joyce Taylor’s house.

This is a terrifying example of what bad software design and misleading advertising beget. MaxMind markets their IP geolocation software as their “most accurate information about the location of an IP address, pinpointing it to the zip or postal code level”. So I tried it with an off-the-cuff IP address. I figured that, with 600 million of the damn things all being mapped to MaxMind’s default, I stood a pretty good chance of eventually guessing one of those.

And, on my very first try, I did: an arbitrarily-typed 72.56.122.12 address turns out to be mapped to 38, –97. There is no indication — at least, not within their homepage demo — that this is a randomly-selected default location.

An intrepid software engineer making a product dependent on IP geolocation might look at the results and MaxMind’s marketing, and reasonably conclude that this is the actual mapped location of that IP address. An interface designer might wish to make the results page of this product a little more helpful to people who can’t locate coordinates in their heads — that’s most people, weirdo — so they might add a map. Their end user will see impressive-looking coordinates and a nice-looking map with a pin marking a specific location. At every stage, there is the impression that this result has been arrived at with a high level of precision. And Joyce Taylor takes the fallout.

Update: 600 million of anything is a hard amount to grasp. To put it in more manageable terms, think of it as approximately one in every seven IP addresses ever issued that are mapped by MaxMind to a single farm in Kansas, or approximately one in every three U.S. IP addresses. Nothing says “pinpoint” like a one-in-three shot of getting the answer completely wrong.
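The engineer building on top of a geolocation lookup is the one who can stop this at their stage: a result that sits exactly on a vendor’s fallback coordinate carries no location information and should never be rendered as a pin. The following is an added example, not MaxMind’s code or API; the `GeoResult` and `Assessment` types and the `assess` function are assumptions for the illustration, and the only fallback coordinate listed is the 38.0000,-97.0000 figure from Hill’s article. The address 72.56.122.12 is the one typed above; the second sample address and its coordinates are constructed. The `share_of_space` helper reproduces the update’s one-in-seven figure from the 600 million count against the whole IPv4 space.

```python
from dataclasses import dataclass

# Figures as stated on the page: 600 million addresses share the fallback.
IPV4_ADDRESSES = 2 ** 32
ADDRESSES_AT_DEFAULT = 600_000_000

# Coordinates the page identifies as MaxMind's U.S. fallback. A real
# deployment would load every fallback the vendor documents; only this one
# is taken from the article.
KNOWN_DEFAULT_COORDINATES = {
    ("US", 38.0, -97.0),
}


@dataclass
class GeoResult:
    """A lookup result as a caller would receive it (hypothetical shape)."""
    ip: str
    country: str
    lat: float
    lon: float


@dataclass
class Assessment:
    ip: str
    usable: bool     # False: do not plot, do not treat as a location
    reason: str


def is_default_location(result: GeoResult, tolerance: float = 1e-4) -> bool:
    """True when the result sits on a known country-level fallback point."""
    for country, lat, lon in KNOWN_DEFAULT_COORDINATES:
        if (result.country == country
                and abs(result.lat - lat) <= tolerance
                and abs(result.lon - lon) <= tolerance):
            return True
    return False


def assess(result: GeoResult) -> Assessment:
    """Refuse to pass a fallback coordinate downstream as a real fix."""
    if is_default_location(result):
        return Assessment(result.ip, False,
                          "country-level fallback coordinate: location unknown")
    return Assessment(result.ip, True, "coordinate returned by lookup")


def summarise(results: list) -> float:
    """Fraction of a batch of results that are fallbacks, for monitoring."""
    if not results:
        return 0.0
    return sum(is_default_location(r) for r in results) / len(results)


def share_of_space(n: int = ADDRESSES_AT_DEFAULT, total: int = IPV4_ADDRESSES) -> float:
    """Share of all IPv4 addresses mapped to the single fallback point."""
    return n / total


if __name__ == "__main__":
    samples = [
        GeoResult("72.56.122.12", "US", 38.0, -97.0),        # address from the article
        GeoResult("203.0.113.7", "US", 40.7128, -74.0060),   # constructed sample
    ]
    for r in samples:
        print(assess(r))
    print(f"fallback share of batch: {summarise(samples):.0%}")
    print(f"one in {round(1 / share_of_space())} IPv4 addresses sits on the fallback")
```

The batch summary is the operational check: if a non-trivial share of a day’s lookups comes back on a fallback point, the product is displaying a guess as a fact for that share of its users, and the map layer should degrade to country or region level rather than draw a pin.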

Joshua Topolsky, writing for the New Yorker:

I wrote several years ago that Facebook’s dream is not to be your favorite destination on the Internet; its desire is to be the Internet. It would prefer that when you connect in the digital realm—an increasingly all-encompassing expanse—you do it within Facebook, which now includes Instagram, Whatsapp, and Oculus VR (in addition to its robust news feed, its Messenger chat app, its Moments photo-sharing platform, its video-player platform… well, you get the idea). This isn’t exactly a new phenomenon; for years technology companies have waged platform battles, hoping to lock in users with hardware, software, or services that only function inside a proprietary venue. Closed systems make your patronage simpler and more consistent, and it is through a closed system that a company can most readily own and control your data, which is then converted to revenue.

If bad software design can be likened to airports, Facebook can be likened to a Vegas casino. Need to eat? There’s a buffet just over there. Is it 3:00 in the morning? The casino happens to be attached to a hotel. Want to head outside? You need to pass through the casino to do so.

Here, I must protest:

Compare Facebook’s interlocking approach with one of Silicon Valley’s most long-lived and dominant success stories: Google. Both companies have been wildly successful at upending our notions of how to navigate the world, but Google’s core product—search—is expressly designed to do the opposite of what Facebook attempts. Search, by its very nature, is an action that leads you away from the platform, into other experiences and onto other platforms. Even though Google has built up a relatively sophisticated infrastructure of services around its search product (which plenty of critics argue has created another kind of closed loop), it has never abandoned the foundational element of its business: openness.

That’s rich. The “argue” link goes to CNN’s story about the E.U.’s allegations of antitrust behaviour by Google:

For example, people searching for “running watch” will see photos, prices, ratings and links to five watches from companies that paid Google to advertise on the site. They won’t see Amazon or other rivals’ results listed first, and they’re not necessarily seeing the best or most relevant products at the top of the results.

“It’s not based on the merits of Google shopping that it always comes up first in search,” Europe’s top anti-trust official Margrethe Vestager said. “Dominant companies can’t abuse their dominant position to create advantage in related markets.”

How about their other big product, Android? While its source is ostensibly open, providing access to any of Google’s services is rigidly controlled. Last year, Google was set to increase their control over third-party uses of Android before the so-called “Silver” initiative was shelved.

Make no mistake: every company has now realized that an integrated platform strategy works to keep users within the ecosystem. Facebook has simply excelled in their ability to glue users to their properties at all times, regardless of operating system or device.

Chris Holbrook, New York Times:

The layover did not begin well. At 6 a.m., we landed at Terminal 4S, a satellite terminal. Bleary-eyed, I walked almost seven minutes to the other end of the terminal, which is lit by light fixtures that are too bright to allow you to sleep and not bright enough to read.

We were quickly whisked away via tram to a larger building, Terminal 4. Here, as with many European hubs, they don’t assign gates to flights more than an hour in advance. For those waiting, the terminal provides clusters of aqua-blue chairs that are scattered around almost haphazardly, like puddles might form after a quick rain. The banks of steel chairs have two armrests separating four chairs, which, unless you’re about 6 or younger, make it impossible to splay out.

Not only is this article great, it’s worth a second read as a parable for interface design.

Jason Snell isn’t exactly enamoured with 3D Touch:

Although Apple’s proud of the peek/pop interface that it unveiled with the iPhone 6s, I’m skeptical of its utility. Most of the time, when I accidentally initiate a “peek” of the content behind whatever I’m pressing on, it’s content I was already trying to see by tapping. Loading a “peek” doesn’t really take any more time than actually tapping on an item and loading the result, and returning back to the previous screen seems a lot less work than holding your finger on the glass while you peruse a “peek” to see if it’s worth opening the rest of the way.

In other words, most of the time I don’t see any benefit to using 3D Touch to reveal content in apps over just tapping to reveal that content the usual way. It’s a solution to a problem we didn’t have. And this says a lot about the problem with the way Apple has deployed 3D Touch in iOS.

John Gruber agrees, and adds:

The gimmicky nature of peek/pop is alarming. I never got into “peeking” while using my 6S — like Jason argues, it solves a problem we didn’t have. It’s not any faster than just tapping whatever it is you want to see, and worse, it’s harder to read because your thumb is still there covering the display. It’s a demo feature, not a real feature, and I find that deeply worrisome.

I’m not sure I agree with these two esteemed writers. The peek gesture works surprisingly well in a lot of cases: peeking on an unfamiliar Instagram profile or a Twitter account from within Tweetbot has become second-nature for me. Instead of loading an entire timeline or photo stream, I see only very recent stuff, but I get to see their bio and full name, which is what I often care about. Similarly, peeking on a Mail message is great for previewing it but not marking it as read.

Where the peek gesture does get frustrating is when it needs to transfer significant data over an average internet connection. Peeking on a web page is almost always pointless because most pages are far too large and take a long time to load.

Both Snell and Gruber call 3D Touch problematic for this reason, but this is only a single component of it. I think the app icon shortcuts are wonderfully implemented in lots of apps — in Transit, for example, I can instantly create a route home or to work using the shortcuts on the home screen. Even selecting an appropriate Messages conversation or opening a new Safari tab from the home screen feels right.

I use the multitasking shortcut a lot, too, and the keyboard-as-cursor gesture even more. None of these things feel gimmicky or like demo features to me; they’re all practical.

Snell summed it up well, I think:

This is, I realize, [one] of the reasons I stopped using 3D Touch so much. It seemed like so many places I attempted to use the gesture resulted in a whole lot of nothing. After a while, I gave up. 3D Touch needs to be pervasive. It needs to be a gesture that works all over the place, so that using it becomes second nature.

This is absolutely true. Peek is an occasionally superfluous and frustrating gesture due to slow load times, but if it didn’t work for links in Safari, you’d think it was missing. In that sense, 3D Touch gestures need to appear in far more places, including those suggested by Snell. I certainly try it in every app that I use.

As he also notes, experiences vary from person-to-person. It’s fine that neither writer ever got into peeking on anything. But to consider 3D Touch broken because of it is, I think, stretching. At worst, Apple’s implementation of these gestures is messy and inconsistent.

I’m surprised that both of them have pretty much stopped using it — Snell because he just doesn’t use 3D Touch, and Gruber because he’s using an iPhone SE. It needs refinement, but I know I use it a lot because every time I use my iPad, I try it there. I’m sure many of you are the same.

Update: Jonas Wisser:

TBH I think a lot of it comes down to discoverability and consistency. 3D Touch has neither.

As I’ve written previously, I think we’ve entered a new age of experimental and “fuzzy” interfaces. The limitations of virtual assistants like Siri and Alexa, and new interface paradigms like 3D Touch are only discoverable if they behave consistently. All of these commenters are right: 3D Touch lacks that consistency, so it becomes a game of trying its functionality blindly and hoping for the best.

In a sense, we’ve now generally embraced mystery meat navigation. As a result, the consistency in its implementation needs to be stepped up before it feels “right”.

Andy Greenberg, Wired:

On Thursday evening, the draft text of a bill called the “Compliance with Court Orders Act of 2016” appeared online in an apparent leak from the offices of Senators Diane Feinstein and Richard Burr. It’s a nine-page piece of legislation that would require people to comply with any authorized court order for data—and if that data is “unintelligible,” the legislation would demand that it be rendered “intelligible.” In other words, the bill would make illegal the sort of user-controlled encryption that’s in every modern iPhone, in all billion devices that run Whatsapp’s messaging service, and in dozens of other tech products. “This basically outlaws end-to-end encryption,” says Joseph Lorenzo Hall, chief technologist at the Center for Democracy and Technology. “It’s effectively the most anti-crypto bill of all anti-crypto bills.”

This is presumably the same bill that the White House declined to support, for what I hope are the right reasons: this is a deplorable bill, rendering all protections for personal privacy and against intruders illegal. I strongly encourage my American readers to contact their elected representatives to convey just how disastrous this bill is.

Lisa Vaas explains on Sophos’ blog the business model used by the new Brave browser:

Brave, on the other hand, was launched with a business model that involves blocking some “bad ads” and replacing them with ads from advertisers that pay to be on Brave’s own advertising network of “clean ads” that meet its standards of not slowing down page load times or tracking users. […]

The fees Brave Software takes in from advertisers will go into one pot. The publishers get the lion’s share – 55% – weighted by how many ad impressions are served on their sites.

What’s left over gets divvied up between Brave, its ad-matching partners, and the users, with each getting 15%.

Understandably, publishers are not pleased with this arrangement. Shannon Bond, Financial Times:

“[Brave’s] argument is, ‘I will take $10 out of your wallet and give you $5, and aren’t you happy about that?’ ” said David Chavern, president of the Newspaper Association of America, a non-profit trade group representing 2,000 newspapers in the US and Canada.

Seventeen NAA members sent Mr Eich and Brave a cease and desist notice on Thursday.

For their part, Brave believes the publishers don’t fully understand the business model:

Brave is not, as the NAA asserts, “replac[ing] publishers’ ads on the publishers’ own websites and mobile applications with Brave’s own advertising.” We do not tamper with any first-party publisher content, including native ads that do not use third-party tracking.

[…]

News industry leaders rightly decry the violation of privacy inherent in some NSA or FBI tactics, yet their own complicity in tracking individuals to even more invasive degrees is not addressed.

A shorter version of this response is, in a nutshell, “stop relying upon third-party services to serve you tracking ads that are potentially loaded with malware; start selling your own ad inventory.”

The post kind of devolves near the end, though:

Browsers do not just play back recorded pixels from the publishers’ sites. Browsers are rather the end-user agent that mediates and combines all the pieces of content, including third-party ads and first-party publisher news stories. Web content is published as HTML markup documents with the express intent of not specifying how that content is actually presented to the browser user. Browsers are free to ignore, rearrange, mash-up and otherwise make use of any content from any source.

While technically true, Brave treads awfully close to an uncomfortable line previously drawn by content framing and JavaScript injection. Imagine if Brave interpreted and rearranged what it was presented with in a different way, perhaps by replacing all instances of the word brave with its own logo, or all images on the page with pictures of William Howard Taft. These reinterpretations would not be as user-friendly as the ad swapping Brave currently engages in, but what practical differences are there? I think these examples are comparable, and we wouldn’t tolerate that kind of browser.

These stories got somewhat buried in the wake of the Panama Papers, but are arguably just as significant. First up, Robert Tait, reporting for the Telegraph on the situation in Turkey:

Hackers claim to have accessed the personal details of nearly 50 million Turkish citizens and posted them online in a massive security breach that could seriously embarrass the country’s government.

If confirmed, it would be one of the biggest public leaks of personal data ever seen, experts said – effectively putting two-thirds of the country’s population at risk of fraud and identity theft. AP reported on Monday that it had partially verified the leak as authentic.

Personal information including national identity numbers, addresses, dates of birth and names of parents were all posted online in a downloadable 6.6 GB file.

Additionally, Michael Bueza and Wayne Manuel for Rappler, a Philippine and Indonesian news site:

Information security experts fear that what can be considered as the biggest leak of personal data in Philippine history could result in massive identity theft by preying criminals. This, after hackers boasted on March 27 that they had accessed the Comelec’s [Commission on Elections] database of 55 million registered voters and uploaded it online.

According to Trend Micro, the leaked data was significant, contrary to official denials:

Based on our investigation, the data dumps include 1.3 million records of overseas Filipino voters, which included passport numbers and expiry dates. What is alarming is that this crucial data is just in plain text and accessible for everyone. Interestingly, we also found a whopping 15.8 million records of fingerprints and a list of people running for office since the 2010 elections.

Among the data leaked were files on all candidates running in the election with the filename VOTESOBTAINED. Based on the filename, it reflects the number of votes obtained by the candidate. Currently, all VOTESOBTAINED files are set to have NULL as the figure.

The COMELEC website also shows real time ballot count during the actual elections. While COMELEC claims that this function will be done using a different website, we can only speculate if actual data will be placed here during the elections and if tampering with the data would affect the ballot count.

For many of you, these stories hit close to home — last year, the United States Office of Personnel Management, which keeps track of government employees, announced that records of between four and eighteen million employees were stolen.

And, since I mentioned the Panama Papers, Mossack Fonseca’s client portal is running an outdated version of Drupal — as in, it currently is, even after the publication of the biggest leak in the world.

There is an astonishing lack of basic information security practices at play here. Who stores their entire voter database in plain text on a public-facing website? Why are Turkey and the United States making citizens’ data available in a web-accessible manner? Why hasn’t Mossack Fonseca updated Drupal already?