Posts

Are the Authorities Confusing a PRISM Problem with an Encryption Problem?

CNN has its own version of updated reporting from the Paris attack. It provides a completely predictable detail inexplicably not included in the weekend’s big NYT story: that the one phone with any content on it — as distinct from a pure burner — had Telegram loaded on it.

Several hours earlier, at 2:14 p.m., while they were still at the Alfortville hotel, the Bataclan attackers had downloaded the encryption messaging app Telegram onto their Samsung smart phone, according to police reports. No recovered content from the messaging app is mentioned in the French police documents, suggesting there were likely communications by the Bataclan attackers that will never be recovered.

As well as offering end-to-end encryption, the Telegram messaging app offers an option for users to “self-destruct” messages. At 4:39 p.m. on November 13, one of the attackers downloaded detailed floor plans of the Bataclan venue onto the Samsung phone and conducted online searches for the American rock band playing there that night, the Eagles of Death Metal.

I predicted as much in my post on that NYT story.

My suspicion is that, as had been reported, rather than emails ISIS relied on Telegram, but used in such a fashion that would make it less useful on burner phones (“secret” Telegram chat are device specific, meaning you’d need a persistent phone number to use that function). But if these terrorists did use Telegram, they probably eluded authorities not because of encryption, but because it’s fairly easy to make such chats temporary (again, using the secret function). Without Telegram being part of PRISM, the NSA would have had to obtain the metadata for chats via other means, and by the time they IDed the phones of interest, there may have been no metadata left.

If ISIS’ use of Telegram (which was publicly acknowledged when Telegram shut down a bunch of ISIS channels in the wake of the attack) is what anonymous sources keep insisting is an encryption problem, then it suggests the problem is being misportrayed as an encryption one.

True, Telegram does offer the option of end to end encryption for its messaging. There are questions about its encryption (though thus far it hasn’t been broken publicly). So it does offer users the ability to carry out secret chats and to then destroy them, which may be where the concern about all the “scoured” “email” in the NYT piece comes from, the assumption these terrorists have used Telegram but deleted those messages.

But as the Grugq points out, it’s a noisy app in other ways that the NSA should be able to exploit.

Contact Theft

When registering an account with Telegram, the app helpfully uploads the entire Contacts database to Telegram’s servers (optional on iOS). This allows Telegram to build a huge social network map of all the users and how they know each other. It is extremely difficult to remain anonymous while using Telegram because the social network of everyone you communicate with is known to them (and whomever has pwned their servers).

Contact books are extremely valuable information. We know that the NSA went to great lengths to steal them from instant messenger services. On mobile the contact lists are even more important because they are very frequently linked to real world identities.

Voluminous Metadata

Anything using a mobile phone exposes a wide range of metadata. In addition to all the notification flows through Apple and Google’s messaging services, there is the IP traffic flows to/from those servers, and the data on the Telegram servers. If I were a gambling man, I’d bet those servers have been compromised by nation state intelligence services and all that data is being dumped regularly.

This metadata would expose who talked with who, at what time, where they were located (via IP address), how much was said, etc. There is a huge amount of information in those flows that would more than compensate for lacking access to the content (even if, big assumption, the crypto is solid).

He spends particular time on Telegram’s Secret chat function (the one that allows a person to destroy a chat). But he doesn’t talk about how that might play into the extensive use of burners that we’ve seen from ISIS. Secret chats are device specific (that is, they can be sent only to a numbered device, not an account). That would make the function very hard to integrate with disciplined burner use, because the whole point of burners is not to have persistent telephone numbers. How will a terrorist remember the new number he wants to associate with a Telegram secret chat? Write it on a piece of paper?

In other words, it seems you could use one (disciplined burners) or another (full use of Telegram with persistent phones), the latter of which would provide its own kind of intelligence. It may well be ISIS does merge these two uses, but if so we shouldn’t expect to see Telegram on their true burner phones. Plus, assuming the bearer of the phone speaks that dialect the Belgians were struggling to translate, voice calls on burners would be just as useful as transient use of Telegram.

But that’s probably not the real problem for authorities. In fact, if known terrorists had been using, say, WhatsApp rather than Telegram for such encrypted chats, authorities might have had more information on their network than they do now. That’s because WhatsApp metadata would be available under PRISM, whereas to get Telegram data, non-German authorities are going to have to go steal it.

If that supposition is correct, it would suggest that the US should drop all efforts to make Apple phones’ encryption weaker. So long as it has the presumed best security (notwithstanding the iMessage vulnerability just identified by researchers at Johns Hopkins), people from around the world will choose it, ensuring that the world’s best SIGINT agency could have ready access. If Telegram is perceived as being better — or even being close, given the location — people of all sorts will prefer that.

That won’t give you the content, in either case (even if you had the Moroccan translators you needed to translate, if that indeed remained a problem for authorities). But you’re better off having readily accessible metadata than losing it entirely.

Monday Morning: Synthesized Brain

When you need a break this hectic Monday morning, take five minutes and watch ANA from Factory Fifteen. I’m intrigued by the props and set — how much is CGI, and how much is actual production line? What company allowed this production company access to their equipment?

Though snappy and visually engaging, the story’s not realistic — yet. But much of the equipment on the production line is very close to that used in manufacturing today. And just as depicted in this short film, the weakest link is the human.

Worth keeping in mind this week as we plow deeper into the conflict at the intersection of humans and devices. Speaking of which…

Apple-heavy week ahead

  • Hearing in California tomorrow in front of Judge Sheri Pym over the San Bernardino’s shooter’s iPhone. Be sure to read Marcy’s take on the hearing and witnesses.
  • WLTX of Columbia SC posted a timeline of #AppleVsFBI events — unfortunately, it starts on February 16 with Judge Pym’s order to Apple.
  • NYT reported last week that Apple employees may quit if Apple is ordered to cooperate and write security-undermining code. But is this a deliverable in itself? The article offered an incredible amount of detail about Apple’s operations; if employees quit, any entities observing the technology company will know even more. Has this shakedown been designed to yield information about Apple’s operations, while risking corporate and personal security?
  • Apple will release information about new products today at a media event. The buzz may be less about the new products than the hearing tomorrow.
  • An iPhone 6 bursting into flames during a flight to Hawaii didn’t help Apple. One might wonder why this particular phone flamed out so spectacularly as it’s a relatively new device.

HEADS UP TECH USERS

  • Kindle users: Amazon is forcing a mandatory update across all its older Kindle reader devices. Deadline: TOMORROW MARCH 22 — after that date, users will have to manually update devices and download books via PC and not over the internet.
  • Tweetdeck users: Owner Twitter will kill the Windows app on April 15th. After that time, Windows-based users will need to use a browser. Can’t blame Twitter–it’s ridiculously expensive to write and service so many apps when the same devices usually have a browser.
  • Android users: 1) Protect your privacy and security by checking these settings; 2) Check this setting, stat, to prevent unauthorized access.
  • Nexus users: Make sure you have the latest patch issued last week. All other Android users should nag their equipment makers for their version of the same patch.

Before the machines complete their occupation of our world…

  • Nice read on law emerging with the rise of robots. Too bad none of them really incorporate Asimov’s Three Laws of Robotics. (The Atlantic)
  • Want to bet the overlords will argue workers should be paid less because they don’t have to work as hard wearing an exoskeleton — like these at Panasonic? (By the way, DARPA, that’s yet another commercially-developed exoskeleton near release; where’s yours/ours?) (Mashable)
  • Artificial intelligence already pitted against humans by those bloody banksters. Watch this video and ask yourself if this guy from Global Capital Acquisitions realizes there are humans at the nodes of the investment network whose lives are affected by his blah-blah-blah-babbling about artificial intelligence. STG he could be a machine himself. (Bloomberg)
  • Myths about AI busted – another solid read. Combined with the preceding Bloomberg bankster video it reinforces AI threat awareness. (Gizmodo)

After watching that video at Bloomberg, I think we’re a lot closer to ANA than we realized. Watch your backs — Monday is certainly gaining on you, if robots aren’t.

Friday Morning: F for Free and Favorite

Congratulations! You made it to another Friday! The end of the week means jazz here, until I run out of genres. This Friday I’m not covering a genre, though. I’m pointing you to one of the most surprising and utterly awesome gifts jazz lovers and historians could get.

1,000 hours of free jazz, ready to download.

Holy mackerel! I almost fainted when @OpenCulture tweeted last week about David W. Niven’s collection shared with the public at Archive.org. Just as amazing is Niven’s commentary, providing context we would never otherwise have about each piece.

I’ll embed some Louis Armstrong at the bottom of this post to get your weekend started. Mark this collection as one of my favorite things ever.

Malware discovered, targeting non-jailbroken Apple iOS devices in China
This is the second China-specific malware that researchers at Palo Alto Networks have found this year. Gee, why China?

UK’s Labour Party wankers want ‘Snoopers’ Charter’ because Snowden
Just the wankers, mind you, though it’s hard to tell which MPs were the wankers as Labour and SNP sat on their hands during the vote for the Investigatory Powers Bill (IPB), not wanting to appear obstructive. Fondly called the ‘Snoopers’ Charter,’ the bill replaces Regulation of Investigatory Powers Act (RIPA) and passed in the House of Commons on its second reading. The bill allows the UK government to amass all Internet Connection Records (ICRs) for a year’s time, including telecommunications connections. Restrictions on which government entities have access to these records and for what purpose is muddy at best, and the cost of collecting and storing these records will be borne by the network service providers who in turn will need to raise their rates. Sane people understand the IPB as passed is atrocious. The bill would not have passed the second reading at all had all of Labour and the SNP voted against it, but a number of wankers argue Edward Snowden is reason enough to dragnet the entire UK’s internet activity — which makes no sense whatsoever, based on the bill’s current formulation. The ‘Snoopers’ Charter’ now enters the Committee Stage, where it’s hoped somebody catches a cluestick and puts the brakes on this current iteration of government panopticon.

U.S. National Highway Traffic Safety Administration and FBI warn about automobile hacking
Hmm. A little late to the party after at least four different vulnerabilities were revealed over the last year, but better late than never. Rather annoying the public needs to be on guard against automakers’ naiveté/stupidity/hubris.

Google’s parent Alphabet selling its robot division Boston Dynamics
Remember the creepy four-legged robot ‘Big Dog’? It and its developer are up for grabs. Google (before it became Alphabet) bought Boston Dynamics in 2013, but now finds the firm doesn’t fit its strategy. Worth noting differences in reaction to the news:

The tone of the MIT Review piece — technology’s coolness is sufficient rationale for its creation and existence — offers interesting insight, explaining how awful technology ends up commercialized in spite of its lack of fitness.

Let’s call it a week and get on with our weekend. Have a good one!

Thursday Morning: A Little Green Around The Gills

Happy St. Patrick’s Day to those of you who observe this opportunity to drink beer (tinted green or otherwise) and eat boiled dinner and wear green! We’ll know the hardcore among you tomorrow by your hangovers.

Folks overseas don’t understand how St. Patrick’s Day blew up to the same proportions as other holidays like Halloween, blaming it on American commercialization. But the holiday as observed in the U.S., like Halloween, has roots in immigration. Four to five million Irish immigrated to the U.S.; their descendants here are nearly 40 million today, roughly seven times the number of actual Irish in Ireland now. With this many Irish-Americans, even a tepid observation of St. Patrick’s Day here would be visible abroad.

In addition to all things green, we’ll be watching this week’s second #FlintWaterCrisis hearing. Representatives Chaffetz and Cummings can go all shouty on Michigan’s OneLawyeredUpNerd Governor Rick Snyder and EPA’s Gina McCarthy though I have my doubts anything new will emerge. (And you’ll see me get really angry if Rep. SlackerForMichigan Tim Walberg shows up to merely make face on camera. Useless helicoptering.)

Unlike Tuesday, I hope like hell somebody brings up Legionnaire’s cases and deaths in Flint after the cut-over of Flint’s water to Flint River. Thousands of children may have been permanently poisoned by lead, but people sickened and died because of this complete failure of government-as-a-business.

I can’t stress this enough: There were fatalities in Flint because of the water.

Hearing details – set a reminder now:

Thursday 17-MAR — 9:00 AM — Gov. Snyder (R-MI) & EPA Head McCarthy: House Hearing on Flint, MI Water Crisis (est 3 hours, on C-SPAN3)   Link to House Oversight Committee calendar entry

You can find my timeline on Flint’s water here — as noted Tuesday, it’s a work in progress and still needs more entries.

Moving on…

Apple leaves Amazon for Google’s cloud service
Wait, what?! File under ‘Wow, I didn’t know!’ because I really though Apple housed all its cloud services under its own roof. I mean, I’ve written about data farms before, pointed to a new Apple location. I didn’t know Apple had outsourced some of its iCloud to Amazon.

Which makes Senator Ron Wyden’s remarks about asking the NSA with regard to the San Bernardino shooter’s iPhone even more interesting.

No wonder Apple is moving to Google, considering Amazon’s relationship with certain government agencies as a cloud service provider. Some of Apple’s data will remain with Amazon for now; we might wonder if this is content like iTunes versus users’ data. Keep your eyes open for future Apple cloud migrations.

US Navy sailors’ electronic devices combed for data by Iran
Gee, encrypted devices and communications sure are handy when members of the military are taken into custody by other countries. Too bad the Navy’s devices weren’t as secure as desired when Iran’s navy detained an American vessel in January this year. To be fair, we don’t know what all was obtained, if any of the data was usable. But if the devices were fully encrypted, Iran probably wouldn’t have said anything.

American Express’ customers’ data breached — in 2013
Looks like a select number of AmEx customers will receive a data breach notice with this explanation:

We became aware that a third party service provider engaged by numerous merchants experienced unauthorized access to its system. Account information of some of our Card Members, including some of your account information, may have been involved. It is important to note that American Express owned or controlled systems were not compromised by this incident, and we are providing this notice to you as a precautionary measure.

The breach happened on December 7, 2013, well into the Christmas shopping season, but we’re just finding out now? “Third party service” means “not our fault” — which may explain why AmEx shareholders (NASDAQ:AXP) haven’t been notified of a potential risk to stock value as yet. Who/what was the third party service? Where’s their notification to public and shareholders?

I need to brew some coffee and limber up before the hearing on Flint, track down my foam footballs and baseballs to throw at the TV while Gov. Snyder goes on about how sorry he is and how he’s going to fix Flint’s water crisis. Oh, and find an emesis basin. See you here tomorrow morning!

Wednesday Morning: Place Your Bets

About 11:00 a.m. EST today President Obama will announce his nominee to the Supreme Court to fill Antonin Scalia’s seat on the bench.

Apart from Sri Srinivasan, widely mentioned as the likely nominee, who is a possible candidate? Share your guess and then place your bets on Most-Likely Nominee and offer odds on a recess appointment.

Heads up: Your browsing could put you at risk of ransomware
I suppose the news that really big and popular sites were afflicted by ransomware within the last week explains why I had yet another Adobe-brand update pushed at me. Sites affected included The New York Times, the BBC, MSN, and AOL, along with others running a compromised ad network serving ransomware.

PSA: Make sure all your data files are backed up off your PC, and have access to software to rebuild your machine, in case your device is held for ransom.

#AppleVsFBI: Apple filing in California yesterday
Funny how different the characterizations of the 26-page filing. Here’s two:

  • The Guardian (emphasis mine):

    Apple’s lawyers tried to lower the temperature in the company’s fight with the US government on Tuesday, telling a federal judge that America’s Justice Department is well-meaning but wrong in its privacy standoff with the iPhone maker.

  • Forensic scientist Jonathan Ździarski: “Here, Apple is saying, ‘If it pleases the court, tell the FBI to go fuck themselves.'”

Zika virus: even uglier than expected

Stray cats, rounded up…

  • DARPA appeals to Maker/DIY/geek-nerd types, asks them to weaponize everyday devices (IEEE Spectrum) — I find this incredibly creepy; why is DARPA doing this, if the point is to prevent harm to the public from consumer products? Why not FTC/FCC/DOE instead of the military? And what happens to the feckless DIYer who accidentally hurts someone in the course of trying this stuff at home? Will DARPA indemnify them? Or are these informal adjuncts supposed to assume liability though they are doing military and law enforcement research? And what about the participants — will their identities be “harvested” for unspecified use in the future? So much stupid.
  • US transport secretary Anthony Foxx says, “It’s not a surprise that at some point there would be a crash of any technology that’s on the road,” (The Guardian) — in regards to the recent crash of a Google self-driving car with a bus. If it’s not a surprise, why are these on the road so soon? Don’t argue humans crash; these driverless vehicles are supposed to be BETTER than humans, and the public’s roadways shouldn’t be corporate laboratories.
  • PA man charged with phishing celeb women to gain access to their personal photos and videos (The Guardian) — Oddly, he’s not charged with distribution of the celebs’ pics in what became known as ‘The Fappening.’ A perfect example of the kind of crime which would be made easier and more widespread if Apple’s security was weakened — and law enforcement struggles with tackling it now.

That’s a wrap, for now, furballs all cleaned out of the holding bins. See you tomorrow morning!

Monday Morning: Feeling Rather Mussorgsky

It’s not even 7:00 a.m. here as I start to write this post, and the day is already frantic — like Mussorgsky’s Night on Bald Mountain. I don’t expect a placid ending to the first day of this week, either.

Strap in, lock and load.

Volkswagen on a roll — downhill, fast

  • A former employee who worked at the Michigan-based Volkswagen Group of America’s data processing center filed suit for wrongful termination. The employee lost their job after warning against data deletion after the U.S. Department of Justice ordered VW to halt normal data deletion processes to preserve potential evidence. Michigan is an at-will state, meaning employees can be fired for any reason at any time if they do not have a contract. However, employers may not fire workers in retaliation for refusing to do illegal acts or for reporting violations of health and safety code. Not a sketchy situation at all…this case might be an opportunity for discovery.
  • VW cutting jobs back home in Germany, with administrative roles taking the biggest hit. At the same time, VW says it intends to hire more software and technology personnel as it shifts away from traditional automotive technology. Huh — not a move I would expect when VW clearly hasn’t a handle on electronic vehicle technology.
  • Car sales are up 6.3 percent in the EU, but VW-brand car sales are off 4 percent. Ford and GM’s Opel picked up what VW lost in terms of sales.

Asking oranges from Apple

  • USDOJ hint-hints with little subtlety it will demand Apple’s source code. By subtlety, I mean a footnote shaped like a cudgel in its response to #AppleVsFBI:

    The FBI cannot itself modify the software on Farook’s iPhone without access to the source code and Apple’s private electronic signature.

    The government did not seek to compel Apple to turn those over because it believed such a request would be less palatable to Apple. If Apple would prefer that course, however, that may provide an alternative that requires less labour by Apple programmers.

    You can read Marcy’s take on the USDOJ’s Lavabit gambit for more.

  • The mega-sized tech companies who support Apple are now doubling down on encryption. Couldn’t see that coming, huh?
  • Some speculate WhatsApp as a communications technology may be the next focus of law enforcement in wake of #AppleVsFBI.
  • John Oliver does a Deep Dive into #AppleVsFBI — amusing take, but Oliver and his writing team have far too simplistic a take on this case. It’s not just that FBI wants a ‘master key,’ or that the FBI relies on All Writs to make its demand on Apple. It’s about forcing a company to create something entirely new, and something that’s not intrinsically part of its product.

Another energy industry executive dead
Josh Comstock, CEO of C&J Energy Services in Houston, Texas, died unexpectedly on Friday. He passed away in his sleep at age 46. Comstock was a supporter of NHRA drag racing. His company, which provided hydraulic fracturing (fracking) services, lost considerable value over the last year with the sharp drop in oil prices and field development.

Oil dudes are under a lot of stress these days.

And it being a Monday, so are we. Relax when you can, gang. I’m clocking out.

Friday Morning: Lovely

We made it to Friday! Yay! And that means another jazz genre. This week it’s shibuya-kei, a sub-genre/fusion born of Japanese jazz. Our sample today is by Kenji Ozawa. Note how damned perky it is, blending jazz elements with pop and synthpop. Its cuteness might also be described as kawaii, but that’s a whole ‘nother topic.

Some other shibuya-kei artists you might want to try are Paris Match (Metro), Aira Mitsuki (Butterly), Maki Nomiya (Shibuya-kei Standards), Takako Minekawa (Plash), and Kensuke Shiina (Luv Bungalow).

Get your mellow on and jazz your Friday up.

Urgent: Update Adobe Flash immediately if you apply patches manually
Go to this Security Bulletin link at Adobe for details. The update fixes 23 vulnerabilities, one or more of which are being used in exploits now though information about attacks are not being disclosed yet. And yes, this past Tuesday was Patch Tuesday, but either this zero-day problem in Flash was not known then, or a solution had not yet been completed, or…whatever. Just make sure you check all your updates, with this Adobe Flash patch at the top of the list.

USDOJ doing its PR thing on #AppleVsFBI
After reports this week that FBI director James Comey was a political liability in the case against Apple, U.S. Attorney General Loretta Lynch appeared on Stephen Colbert’s The Late Show to make the case for Apple writing code as requested by USDOJ. She said,

“First of all, we’re not asking for a backdoor, nor are we asking anyone to turn anything on to spy on anyone. We’re asking them to do what their customer wants. The real owner of the phone is the county, the employer, of one of the terrorists who is dead,”

Right. And my iPhone-owning kid wants a ham sandwich — will Apple write an app on demand for that, just because my kid’s the owner of the iPhone?

Look, nearly all software is licensed — the San Bernardino shooter’s iPhone may be property of the county that employed him, but the iOS software is property of Apple. Maybe Lynch needs a ham sandwich, too, a little boost in blood sugar to grok this point.

Volkswagen’s Terrible, No Good, Very Bad Week continues

  • Looks like VW’s U.S. CEO Michael Horn bailed out because he butted heads with the Holzkopfs in German leadership (Jalopnik)
  • By butting heads, that is to say, Horn dislikes the idea of jail time (Forbes) — though naming executives is pro forma on such lawsuits, if Horn was only in his role for roughly 18 months and this fraud goes back 8-9 years, AND Germany’s executive team disagreed with Horn’s proposal for U.S. dealers and vehicle owners, he’s reasonably twitchy about sticking around.
  • VW updated its emissions standards defeat code after its existence was revealed (Forbes) — wanna’ bet it was a software patch?

Stray cats and dogs

  • White House wants +20M more Americans on broadband (DailyDot) — Under ConnectALL initiative, a new subsidy program will help low income citizens get online with broadband access.
  • Pew Research study shows 15% of Americans still not online (Pew Research Center) — Rural, low income, minority, elderly are most likely not to have internet access; they’re the same target group as proposed federal ConnectALL program.
  • But good luck with broadband speed or cable TV content if HBO-TWC-Charter continue to scuffle over the TWC-Charter merger (AdAge) — Yet another example of the fundamental conflict between content makers and internet providers; internet providers should focus on the quality of their internet service, not on the content in the ‘series of tubes’ they supply.`

And just for giggles, note the Irish economy has expanded at fastest rate since 2000. Gee, I wonder what would happen to the Irish economy if major tech companies like Apple moved to Ireland?

I’m out of here — have a great weekend!

Thursday Morning: Things Are Gonna’ Change

After Tuesday’s primaries and last night’s Democratic candidates’ debate, surely something will change in messaging and outreach.

And surely something will change on the other side of the aisle given the continued rampage of ‘Someone With Tiny Hands.”

Calls to mind an animated movie popular with my kids a few years ago.

Moving on…

Volkswagen and the Terrible, Horrible, No Good, Very Bad Week

  • USDOJ subpoenaed VW under recent banking law (CNBC) — This is the first such application of the Financial Institutions Reform, Recovery and Enforcement Act (Firrea) since it was signed into law in 1989 in response to the savings and loan scandal. The law was used to target bank fraud in subprime mortgages after the 2008 financial crisis. (Caveat: that link at CNBC autoplays video. Bad practice, CNBC very bad.)
  • VW’s US CEO Michael Horn departs with marked haste (Bloomberg) — Huh. Interesting timing, that. A subpoena and an exit inside 48 hours? The phrases “mutual agreement” and “leave to pursue other opportunities” are very telling. IMO, Volkswagen Group’s response to the scandal has been lackluster to obstructionist, and Horn might not want to be the automaker’s sin eater here in the U.S.
  • Not looking good in Germany for VW, either, as prosecutors expand their investigation (Business Insider) — 17 employees now under scrutiny, up from six.
  • VW’s South Korean offices raided (Reuters) — Wondered when South Korea would catch up after all the recenty happy-happy about clean diesel passenger vehicle sales.

I feel like I’m telling a child Santa Claus is a lie and the Easter Bunny doesn’t exist, but it’s important to this scandal to grasp this point: There is no clean diesel technology. There is no clean diesel technology coming any time soon. Invoke a little Marcus Aurelius here and look at this situation and its essential nature, by asking why VW cheated and lied and did so for so long.

Because there is no clean diesel technology.

And the clock is tick-tick-ticking — the court case in California gave VW 30 days to come up with a technical solution. Mark your calendar for March 24, people.

A – Apple, B – Bollocks, C – Cannot…

Panopticonic POV

  • Defense Department used surveillance drones over U.S. for a decade (USA Today) — All legit, though, nothing to see here, move along. Disregard the incomplete list of flights, just trust.
  • What will happen when your neighbors can buy a StingRay on the cheap to listen in on your cellphone calls? (Bloomberg) — Worse thought: what if they’ve already built one?
  • If you’re a commercial trucker, chances are anybody can track you (Naked Security) — Read this, especially the pointers at the bottom of the article. (Personal tip from me: If you’re a female trucker, use a gender neutral name or initials in the workplace. Insist your employer respects this practice.)

That’s enough damage for one day. Things have got to change.

On Jim Comey’s Attempts to Force Apple to Change Its Business Model

As he has said repeatedly in Congressional testimony, FBI Director Jim Comey wants to change Apple’s business model.

The former General Counsel for defense contractor Lockheed and hedge fund Bridgewater Associates has never, that I’ve seen, explained what he thought Apple’s business model should be, or how much he wants to change it, or how the FBI Director put himself in charge of dictating what business models were good for America and what weren’t and why we’re even asking that in an age of multinational corporate structures.

It seems there are three possible business models Comey might have in mind for Apple:

  • The AT&T (or Lockheed) model, in which a provider treats federal business as a significant (in Lockheed’s case, the only meaningful) market, and therefore treats federal requests, even national security ones, as a primary market driver; in this case, the Feds are your customer
  • The Google model, in which a provider sees the user’s data as the product, rather than the user herself, and therefore builds all systems so as to capture and use the maximal amount of data
  • A different model, in which Apple can continue to sell what I call a walled garden to customers, still treating customers as the primary market, but with limits on how much of a walled garden it can offer

I raise these models, in part, because I got into a conversation on Twitter about what the value of encryption on handsets really is. The conversation suffered, I think, from presuming that iPhones and Android phones have the same business model, and therefore one could calculate the value of the encryption offered on an iPhone the same way one would calculate the value of encryption on an Android phone. They’re not.

Even aside from the current difference between Google’s business model (the data model at the software level, the licensing model at the handset level) versus Apple’s model, in Apple’s model, the customer is the customer, and she pays a premium for an idyllic walled garden that includes many features she may not use.

I learned this visiting recently with a blind friend of mine, whom I used to read for on research in college, who therefore introduced me to adaptive technologies circa 1990 (which were pretty cutting edge at the time). I asked her what adaptive technologies she currently uses, thinking that as happened with the 90s stuff the same technology might then be rolled out for a wider audience in a slightly different application. She said, the iPhone, the iPhone, and the iPhone. Not only are there a slew of apps available for iPhone that provide adaptive technologies. Not only does the iPhone offer the ability to access recorded versions of the news and the like. But all this comes standard in every iPhone (along with other adaptive technologies that wouldn’t be used by a blind person any more than most sighted ones). All iPhone users pay for those adaptive technologies as part of their walled garden, even though even fewer realize they’re there than they realize their phone has great encryption. But because they pay more for their phone, they’re effectively ensuring those who need adaptive technologies can have them, and on the market leader in handsets. Adaptive technologies, like online security, are part of the idyllic culture offered within Apple’s walled garden.

The notion that you can assign a value to Apple’s encryption, independent of the larger walled garden model, seems mistaken. Encryption is a part of having a walled garden, especially when the whole point of a walled garden is creating a space where it is safe and easy to live online.

Plus, it seems law enforcement in this country is absolutely obtuse that the walled garden does provide law enforcement access in the Cloud, and they ought to be thrilled that the best encryption product in the world entails making metadata — and for users using default settings, as even Syed Rizwan Farook seems to have been — content readily available to both PRISM and (Admiral Rogers made clear) USA Freedom Act. That is, Apple’s walled garden does not preclude law enforcement from patrolling parts of the garden. On the contrary, it happens to ensure that American officials have the easiest ability to do so, within limits that otherwise ensure the security of the walled garden in ways our national security elite have been both unwilling and even less able to do.

But there’s one more big problem with the fanciful notion you can build a business model that doesn’t allow for encryption: Signal is free. The best app for encrypted calls and texts, Signal, is available free of charge, and via open source software (so it could be made available overseas if Jim Comey decided it, too, needed to adopt a different business model). The attempt to measure in value what value encryption adds to a handset is limited, because someone can always add on top of it their own product, so any marginal value of encryption on a handset would have to make default encrypted device storage of additional marginal value over what is available for free (note, there is a clear distinction between encrypting data at rest and in motion, but the latter would be more important for anyone conducting nefarious actions with a phone).

Finally, there’s one other huge problem with Comey’s presumption that he should be able to dictate business models.

Even according to this year’s threat assessment, the threat from hacking is still a greater threat to the country than terrorism. Apple’s business model, both by collecting less unnecessary data on users and by aspiring to creating a safe walled garden, offers a far safer model to disincent attacks (indeed, by defaulting on encryption, Apple also made iPhone theft and identity via device theft far harder). Comey is, effectively, trying to squelch one of the market efforts doing the most to make end users more resilient to hackers.

The only model left–that could offer a safer default environment–would effectively be an AT&T model pushed to its limits: government ownership of telecoms, what much of the world had before Reagan pushed privatization (and in doing so, presumably made the rest of the world a lot easier for America to spy on). Not only would that devastate one of the brightest spots in America’s economy, but it would represents a pretty alarming move toward explicit total control (from what it tacit control now).

Is that what former Hedgie Jim Comey is really looking to do?

One final point. While I think it is hard to measure marginal value of encryption, the recent kerfuffle over Kindle makes clear that the market does assign value to it. Amazon dropped support for encryption on some of its devices last fall, which became clear as people were no longer able to upgrade. When they complained in response, it became clear they were using Kindles beyond what use Amazon envisioned for them. But by taking away encryption users had already had, Amazon not only made existing devices less usable, but raised real questions about the CIA contractor’s intent. Pretty quickly after the move got widespread attention, Amazon reversed course.

Even with a company as untrustworthy and data hungry as Amazon, removing encryption will elicit immediate distrust. Which apparently is not sustainable from a business perspective.

Tuesday Morning: Some Kind of Freak

Today’s the intersection of my Gwen Stefani jag and International Women’s Day 2016. Need some more estrogen-powered music to celebrate IWD? Try this list — note and compare Lesley Gore’s You Don’t Own Me and Nancy Sinatra’s These Boots Are Made for Walking against more recent tunes like No Doubt’s Just A Girl.

Let’s roll…

Volkswagen shocked, SHOCKED! the EPA went public on the diesel emissions standards cheat
But by the time the EPA made public statements regarding VW, the German automaker had already known about the International Council on Clean Transportation’s research results for a year and had yet to reveal to shareholders the risk of prosecution and penalties. VW’s leadership hoped for a mild and quiet slap on the hands and enough time for a technical solution before the EPA’s disclosure:

“In the past, even in the case of so-called ‘defeat device’ infringements, a settlement was reached with other carmakers involving a manageable fine without the breach being made public,” VW argued. “And in this case, the employees of Volkswagen of America had the impression on the basis of constructive talks with the EPA that the diesel issue would not be made public unilaterally but that negotiations would continue.”

Hope somebody is looking at insider trading for any sign that VW executives were unloading stock in the period between September 2014 when ICCT’s results were published, and when the EPA went public in 2015. Wonder what penalties there are under German/EU laws for this?

USDOJ appealed last week’s ruling in Brooklyn iPhone 5S case
At the heart of this appeal is Apple’s past cooperative actions when federal law enforcement asked for assistance in unlocking iPhones. Apple, however, said past acquiescence is not consent. USDOJ has now asked for review of Judge Orenstein’s ruling.

Apple co-founder Steve Wozniak appeared on Conan, sided unsurprisingly with Apple
Woz admitted to having tried his hand at writing viruses for Mac, but the entire premise terrified him, compelling him to destroyed his efforts. Video of his appearance included at this link.

France to punish phonemakers for encryption, while UK’s GCHQ says it should get around encryption
A narrow body of water, a different language, and a recent terrorist attack make for very different reactions to encrypted communications. France’s Parliament voted yesterday to punish phonemakers which do not cooperate with law enforcement on unencrypting data; the bill is not yet law, subject to further parliamentary process. Meanwhile, Britain’s spy chief said he hopes methods can be developed to get around encryption without building backdoors.

Drive-by quickies

And it’s Presidential Primary Day in Michigan, Mississippi, Idaho, Hawaii. I may avoid social media for most of the day for this reason. Hasta pasta!