June 15, 2013
The Spoils of Secrecy: Media Madness and NSA Conspiracies Run Amok
In arguably one of the most classic lines in any film, Strother Martin, in his role as "Captain" in 1967's "Cool Hand Luke," famously noted that: "What we've got here is ... failure to communicate."
When it comes to the current mixed-up, confused, conflated, and contradictory mess of NSA-related stories now being deployed as click-bait on media sites around the Net, that observation couldn't be more true.
It's difficult to imagine how the Obama administration could have screwed up the messaging any worse than they have on all this, unless they appointed Donald Trump as White House spokesman.
More and more, this whole situation seems like the escalating madness of a Fellini movie, with a dash of Kafka and a pinch of George Orwell thrown in for good measure. A tasty treat it isn't.
This evening, basing their blaring headlines apparently mainly on an out-of-context quote from a single Congressman, we have stories that range from NSA targeting specific phone calls without conventional court warrants (likely), all the way to the "every call is being recorded and no special authorization of any kind is required to listen in" (extremely unlikely on both counts). And of course, all manner of theories regarding email and other Internet communications surveillance are being haphazardly tossed into the mix as well.
As this narrative has morphed to ever more dramatic levels in the absence of clear, concise, comprehensive explanations to the American people of actual capabilities and associated policies, we're faced with a mishmash of hearsay and rumors, bits and pieces of information that can be interpreted in myriad ways without context, and all manner of agendas being played out simultaneously like some sort of circus of the bizarre.
Mass hysteria plays into conspiracy theories, and most observers don't have the technical background to even begin reasonable analysis of what's actually happening, even apart from the policy-related aspects.
These are the spoils of secrecy, the ration of Tantalus, and unless the Obama administration puts its cards completely on the table now -- not in terms of operational data but regarding programs and policies actually in place -- we will shortly pass the point of no return for any sort of rational discussion about these important national security issues.
We may, in fact, have already passed beyond the event horizon into a black hole of distrust from which we cannot readily escape. And such deep distrust is almost certainly far worse than the actual realities of the NSA and other national security programs that are now being revealed in disparate fragments, encouraging the most alarming, most conspiratorial assessments, no matter how exaggerated those assessments may be compared with the underlying realities themselves.
Congress and George W. Bush created this PATRIOT Act monster, sleeping like Godzilla on the ocean floor, waiting to be awoken and render random destruction in his wake.
Barack Obama and later congressional officials voluntarily chose to keep this nightmarish behemoth alive and well fed -- the responsibility now falls directly on their own heads.
A vacuum of truth is easily filled with fear, hysteria, and insanity. Paranoia breeds where facts are sparse.
It's time for the administration and Congress to come clean with the American people and the rest of the world. The reality of what you're doing is almost certainly far less dramatic and invasive than the conspiracy theories you've allowed to flourish are now insisting.
Tell us what you're doing. Tell us why. Make your case.
No more pontificating. No more evasions. No more clever word games and dissembling that aren't fooling anyone.
Treat us like Americans.
That's all we expect. That's all we ask.
That's all we demand.
The Government's FISA Requests Shell Game Scam
In the latest chapter of the federal government's "we don't trust the American people to tie their own shoelaces" saga, we saw two major Internet firms ostensibly release new information yesterday about key national security (e.g. FISA) user data requests that they receive, but in reality the government has forced them to play the old "three card monte" scam on us all.
You know the con? It's a classic version of the notorious "shell game" (only performed in this case with three slightly bent playing cards) where we're tricked into losing bets -- through diversion -- into believing a card is in one place, when it's actually somewhere else. This ripoff has its roots in antiquity.
Here's how the federal government version works. Prior to yesterday, Google, Microsoft, and Twitter had released transparency reports about takedowns and government requests for user data. Google has been doing this on a rather detailed, routine basis for quite some time, and has recently begun including some data regarding National Security Letter (NSL) requests received, in terms of broad ranges of numbers and users/accounts affected -- more specific data release was forbidden by the government.
In the wake of false accusations and conspiracy theories surrounding the Snowden NSA saga, Google very recently wrote a letter to the Department of Justice asking permission to reveal aggregate range and scope for FISA requests, which are more directly related to NSA activities. Microsoft and Facebook followed up with similar letters within hours.
Yesterday, with some fanfare, Facebook announced that it had reached an independent agreement with the government to release some FISA data, but -- and this is crucial -- it would be combined with all other law enforcement requests, everything from a local sheriff trying to find a missing child to -- we assume -- Dr. Evil demanding billions of dollars not to blow up the planet.
Facebook released this combined clump of data yesterday -- their first "transparency report" of any kind, by the way. Shortly thereafter, Microsoft made a similar release, but noted that it was disappointed that they could not break out the FISA requests separately.
Google -- which as we've seen has led the way in transparency reports -- late yesterday refused to play along. They noted that under the policy that Facebook and Microsoft had accepted, Google would be required to combine all law enforcement related data requests, including conventional, NSL, and FISA.
Google asserts -- and I agree -- that this would actually be a step backwards in terms of transparency. Remember, Google was already splitting out NSL requests separately from other law enforcement requests, but accepting the government's terms for release of FISA range data would mean all of this information would now have to be aggregated. There would be no way to discern what parts of the law enforcement total related to NSL (or FISA) at all.
Twitter immediately and wisely endorsed Google's rejection of the new reporting policy.
It's critical to keep in mind that with all this data, we're only talking about approximate ranges, and no details about specific requests at all.
Why is the government trying so hard to muddy and dissemble even this modest data? Our adversaries have long known that national security data requests (both NSL and FISA) occur. How can mere broad ranges for numbers of requests and users/accounts totals be a national security risk to reveal?
There appears to be only one logical answer. They aren't a national security risk at all.
But the government perpetually views us all as untrustworthy children. Of late, it appears that they consider most of us to be potential suspects as well.
And in keeping with that pervasive secrecy mindset, they'll willingly allow conspiracy theories to flourish and allow the reputations of important U.S. firms to be falsely dragged through the mud -- not actually in the name of national security, but in the name of protecting the power and funding of their individual intelligence empires.
This attempt to play a fast and loose shell game with this data doesn't only reveal deep hypocrisy on the part of the government, but by any normal ethical standards should be deeply embarrassing to them as well.
But just as that three card monte scammer is immune to embarrassment, it appears that our leaders are so sure of themselves, so positive of their superiority, that they have become similarly inured to criticism.
In the long run, that attitude may be more dangerous to what makes America great than all of our actual and would-be adversaries rolled into one.
And that's a very sad, but pretty sure bet, indeed.
June 13, 2013
Why Edward Snowden May Be the Wackos' Dream Come True
NSA leaker/whistleblower Edward Snowden may yet have some real "bombshells" to divulge, but at least for the moment it seems possible to pull back our vantage point a bit, and start thinking about the likely results of what he's done so far. Be warned, you may not enjoy this analysis very much.
It's clear what he's done to his own life. From this point forward into the foreseeable future, he'll be on the run, in exile, or in prison. To hear administration, congressional, and other officials foaming at the mouth about the supposedly enormous damage he's done to USA national security, it's obvious they want to lock him up and throw away the key (we can discard the "they're gonna kill him with drones" ravings of Ron Paul, however).
The fact is that -- based on what we know so far -- Snowden has done little if any real damage, because his "revelations" have been so relatively inconsequential for anyone who has been paying attention.
Comparisons are frequently being made with Bradley Manning, but they are mostly inappropriate. Manning was a "data dumper" -- he basically grabbed all the classified materials he could get his hands on and sent them off to a third party. This included an enormous cache of detailed operational data. I won't argue here the intricacies of his case, other than to note that it's entirely different from Snowden's, except for the foundational fact that they both obviously did violate information secrecy laws associated with their clearances, which can carry very significant penalties even on a standalone basis.
In contrast, Snowden (at least so far) hasn't released any specific operational data, only rather broad outlines (largely without context, and in some key respects subject to misinterpretation) about NSA programs that -- and this is the important part -- NSA watchers (and presumably our adversaries) have long surmised existed. And Snowden himself has muddied the picture by adding what are clearly embellishments and exaggerations to some of his stories, for motives known only to himself.
Anyone who has followed the history of NSA, particularly since the PATRIOT Act, but even long before, would have assumed that telephone metadata records were easily available to NSA for analysis. Remember, these are the same records that the phone companies have been treating as a profit center -- selling to third parties for commercial purposes -- for many years! To assume the government couldn't get their hands on them -- when fly-by-night solicitation companies could -- would be nonsensical. Confirmation is interesting, but hardly revelatory.
Other parts of his information are even less surprising. We already knew that FISA/NSL data requests/demands are routinely made of Web service providers. We could assume NSA maintains massive, advanced databases of metadata and other information. It's long been obvious that the U.S. engaged in offensive as well as defensive "cyberwar" operations, in the finest tradition of "Spy vs. Spy."
The ostensibly most alarming parts of Snowden's "revelations" are where he obviously is -- let's be charitable in our choice of terminology -- exaggerating.
There is no believable evidence to suggest that he had the wiretapping and email spying capabilities (or authority) that he has claimed. In fact, such capabilities simply do not exist in the form he described. There are technical as well as policy reasons to be quite confident about this.
Similarly unsupportable on technical and policy grounds are suggestions that NSA or other outside entities have direct access to rummage around on fishing expeditions in Google, Facebook, or other major Web service company servers. Even if you bizarrely and with notable paranoia buy into discredited "they're all evil" conspiracy theories and want to assume that statements denying the existence of such programs are outright lies, there's simply no practical way the necessary engineering could have been accomplished and kept secret, and mass resignations would have been obvious at these firms had word of such projects leaked internally (as would be inevitable).
Sticking with the facts that make sense (and not the paranoid ramblings) it still wouldn't be fair to say that Snowden hasn't moved the ball. He has indeed gotten the issues back into public discourse again, where they have long been largely ignored. Unfortunately, even this may not have the results that might be hoped.
The logical, confirmable facts about NSA and other surveillance are bad enough. Articles and postings condemning them (including my own) are appropriate, but mostly could have been written two weeks ago (before most of us had heard of Snowden) or even anytime since the passage of PATRIOT -- or even earlier. And in fact, such essays have indeed been written, all along. Snowden's "revelations" have added little of overall note, relatively.
The history of surveillance and intelligence in this country has long been one of constant oscillation. There are abuses revealed and Congress cracks down a bit, but over time this lightens up, and the pendulum swings the other way again. Over and over.
In today's situation, there will be hemming and hawing, and perhaps a bit more transparency for a while. Unrelated to Snowden, a court decision suggests that we may be able to learn more about the rationale behind some FISA court decisions. We can hope that DOJ allows Google, Facebook, Microsoft and others to report aggregate data and scope information about FISA requests, as these firms have requested.
But it's already obvious that NSA and the administration are going to stand behind their "these programs are critical to stopping terrorists" mantra, and will trot out just enough information (without sufficient details to understand if these events would have been thwarted without expansive access to phone metadata, for example) to keep their co-opted Congress on their side.
In the end, especially in the long run, little will change. And given one major (or perhaps even minor) new successful terrorist attack, you can bet that we will move backwards in terms of civil liberties at an enormous rate, even though this will not stop terrorism, and will help the terrorists succeed in destroying our country's greatest ideals from within.
In the meantime, conspiratorial wackos and political opportunists are thrilled with Snowden. They are spinning his information -- particularly his unsupportable exaggerations that play into their preexisting mindsets -- to their full advantage.
One need only look at a single video to get an idea of how this is playing out in the political sphere -- this sickly amusing compilation of FOX News' Sean Hannity vigorously praising the same PATRIOT/NSA surveillance programs under Bush that he is now condemning under Obama.
And herein, unfortunately, may be Snowden's ultimate, most apparent long-range effect -- providing fuel for the conspiracy theorists and most hypocritically dangerous of politicians and their minions.
We can reasonably assume that this was not Snowden's intention.
It may, however, turn out to be his legacy.
June 11, 2013
National Security FISA Secrecy: Hiding from the American People
The embers have been smoldering for years, but the coals are now catching fire -- and this time, all the hand-waving and government pontificating in the world is unlikely to tamp down a potential inferno.
Ever since 9/11 and the Bush-era enactment of the PATRIOT Act, now with the complicity of President Obama, the U.S. government appears to have had two classes of adversaries in its sights.
The first is the terrorists and other truly evil forces whose goal indeed is to maim and kill innocents. We applaud appropriate measures to root out such evil and bring it to justice.
The second target, however, appears to have actually been the American people themselves.
It's difficult to imagine an alternative logical explanation -- even given government's historical proclivity to stamp information TOP SECRET first and ask questions -- well, usually never.
The proof is in the disgusting, absolutely insane amount of government secrecy that has hidden some projects -- as well as even broad data regarding activities that we already know about -- that involve our personal information.
We've been talking about the truths and falsehoods told about some of these projects over the last few days, but the bottom line is that even when there is no possible national security downside to at least permitting the American people to know about the existence of particular programs and/or the broad scope of their activities, the government has arrogantly tried to keep them secret from all but a privileged and largely co-opted few.
An obvious example is the use of FISA national security user data requests (a more appropriate word would be "demands") directed to the major Web services.
The government has steadfastly sought to avoid public knowledge even in general terms of the true numbers of such requests -- which the receiving firms then vet and either approve or challenge.
There is no rational way that transparency in terms of at least aggregate numbers of (for example) FISA requests could possibly do any harm to actual national security efforts.
Only one explanation seems logical. The government is afraid of us -- you and me. They're terrified (no pun intended) that if we even knew the most approximate ranges of how many requests they're making, we would suspect significant abuse of their investigatory powers.
In the absence of even this basic information, conspiracy theories have flourished, which incorrectly assume that the level of data being demanded from Web services is utterly unfettered and even higher than reality -- and the government's intransigence has diverted people's anger inappropriately to those Web services. A tidy state of affairs for the spooks and their political protectors.
Google has now taken a major step toward pushing back on this unacceptable situation.
In a letter sent today to the U.S. Attorney General and FBI Director, Google's chief legal officer, David Drummond, has formally requested that the government give Google (and by extension, other firms) the right to at least include in Transparency Reports aggregate information regarding the number and scope of national security (including FISA) requests and disclosures that Google is required to process.
The letter notes that permission was already granted for some transparency related to National Security Letters (NSLs), with no ill effects.
The government's stance regarding FISA activities feeds the false memes that these Web services have something to hide. They don't, but the government -- in their desperation to keep us all in the dark -- has made it impossible for these firms to demonstrate their innocence.
This must end. Nobody is suggesting that the details of these data demands be arbitrarily made public, only that the broad scope and scale of FISA activity be at least reasonably transparent.
Stop treating Web services -- and the American people -- as your enemies. Stop behaving as if we're no more to be trusted than the terrorists and evil that you (and we) wish to neutralize.
You can take a major step yourself toward demonstrating that you trust and respect the American people, by responding positively to Google's letter and request.
Prove to us that you're actually on the people's side -- not only your own.
Snowden's NSA Truths, Untruths, and Where We Go from Here
As the NSA/Snowden situation gradually comes into sharper focus (though not Snowden himself, who is apparently on the run after exiting his luxury hotel in Hong Kong) we are faced with an interesting dilemma.
Some of what he has claimed is clearly true and has been acknowledged. Some of what he claims is obviously false. And various aspects of his claims (or at least how his claims have been interpreted) are logically false.
There is a lingering sense that he may have grabbed and released some materials without necessarily ever having been "read into" all of the associated programs or understanding them in context.
We know his stated, altruistic motives. There also seems a bit of "martyr complex" in his behavior, but psychology isn't my specialty.
Nor am I in the "revenge, retribution, and punishment" department -- our public officials seem to have those aspects well in hand with rather bloodthirsty calls for him to be publicly drawn and quartered even before a full investigation and trial.
In the Snowden "true column" so far, we have the telephone metadata collection programs, which authorities have now admitted have been long in place.
A Republican congressman who was a key author of the PATRIOT Act has been making a lot of hay over the last couple of days claiming that the program is an overreach of PATRIOT authorization.
It likely was not -- and he knows it. Such abominations in PATRIOT have been loudly protested by civil liberties groups at every opportunity. The congressman knew full well what he was authorizing. Known informally as "Mr. Impeachment," he was already calling for Obama's impeachment before any of these current NSA stories, and was a key force in pushing through Clinton's impeachment years ago. Now that he sees a political opportunity to try to distance himself from the legislative monster he created, he's trying to change history. It won't work.
Odds are that courts will find that the appropriate notifications were provided to the necessary legislators, and that the abuses of privacy represented by the NSA telco metadata program will be found to be legal.
In the Snowden "logically false category" to date, we have the claims (or interpretations by media and others) that the major Internet companies have provided direct NSA access to Web company servers, allowing the intelligence community free rein to rummage through user data.
The firms have all categorically denied this, and it seems clear that the PRISM program in question is actually a FISA/NSL compliance mechanism, with all data demands individually vetted and then either accepted or challenged by the firms.
And then there's the "obviously false" category. Snowden claims that, "Any analyst at any time can target anyone ... I, sitting at my desk, certainly have the authorities to wiretap anyone -- from you or your accountant, to a federal judge, to even the President."
Even if a 29-year-old outside firm NSA contractor had the technical means to perform such actions on such a scale -- which seems unlikely in the extreme -- we know with absolute certainty that he would not have had the authority to do so. Period.
So on this point he is certainly outright lying, exaggerating, or is seriously misinformed. Take your pick.
What this all means for Snowden's overall credibility remains to be seen, but we can still draw some useful conclusions from the situation even now.
Some pundits have declared these events the "death knell" of cloud computing. This is not the case, though we can stipulate that government overuse of FISA/NSL authorizations appears to be a genuine problem.
Cloud resource systems provide so much value to users, in terms of capabilities and reliability among so many other factors, that it is impossible to contemplate most consumers moving forward with alternative models, especially considering the ever more demanding requirements for features, storage space, and other functionalities that consumers and businesses are demanding.
Having said that, I believe consideration should be given to providing cloud-based document and email systems the capability to provide at least limited locally-homed capabilities for special cases.
Various systems already come close to this. Gmail and Google Drive now provide excellent "offline" access capabilities, allowing creating, reading, replying, and otherwise manipulating materials without an Internet connection, using later connections to synchronize data automatically.
Perhaps an additional capability could be "local sync only" -- meaning that connections would only be used to sync the copies between local devices, but not leave copies on the central servers.
To be clear, I don't see such a capability as being practical for more than a limited subset of overall use cases. Perhaps some users would want to tag some specific documents, or correspondence with particular parties, for handling in this manner, with the understanding that they'd be giving up major capabilities for those items by not being able to work with them via the full-featured Web interfaces on central systems.
And I believe it would be entirely appropriate for services to set reasonable limits on the use of such "local" capabilities, at least for services being provided without fees.
But the cloud is crucial to our computing and communications futures, and ultimately our main goal in this context must be to bring our laws back into a real balance, where government secrecy isn't an ever expanding default condition, and civil liberties once again attain the stature of overriding importance that our Founding Fathers so earnestly intended.
As is so often the case, we must deal with these issues in both the technology and policy realms -- one or the other alone won't do, and the tasks involved will be anything but trivial, especially in the current political environment.
Still, the first step on this road is a realization of the scope involved, and in that respect Snowden's NSA saga -- even given the apparent melange of his various truths and non-truths -- has served a useful purpose.
Now the ball is in our corner, and there's hard work ahead.
Interesting times, indeed.
June 10, 2013
NSA, Buffalo Springfield, and the Triumph of Paranoia
In the nearly 10 years that I've been authoring this blog, I can't recall a previous period of so many lengthy posts, one after another on a single topic, as has been the case with the current NSA saga.
We've already discussed the details as we know them at the moment, as described in NSA "Whistleblower" Snowden: Hero? Fool? Traitor? Or ... ? and its ancestor postings.
So this morning I was trying to think of a unifying theme of sorts that I could use to wrap up the current round -- when an old "Buffalo Springfield" classic played forth from the music stream I had running in the background, and handed me the answer across the decades.
In their 1967 song "For What It's Worth" -- often mistakenly thought to be an anti-Vietnam war piece, but actually written as a statement about civil rights in the aftermath of a notorious "riot" and police actions on the Sunset Strip here in L.A. -- Buffalo Springfield sang these words:
Paranoia strikes deep.
Into your life it will creep.
It starts when you're always afraid.
And therein resides the key -- not just to NSA and Snowden's story, but to so much in our contemporary lives and reaching back to the dawn of human history as well.
Paranoia and its close sibling "conspiracy theories" in fact are the only real "winners" in the entire chain of events rolling out before us over the last few days, along with the historical genesis of those events.
Paranoid terrorists and their attacks. Paranoid reactions to those attacks by Congress and yes, by the majority of Americans as well. Knee-jerk legislation like the PATRIOT Act that gave paranoia the force of law. Paranoid NSA programs. Paranoid claims about those NSA programs. Paranoid accusations against Internet firms. And on ... and on ... and on.
Conspiracy theories thrive on paranoia -- the mother's milk of emotion over logic, of fear over reason, blurring the lines between real enemies, genuine abuses, and the unreal, fantasy theories that permeate our brains like so much booze on a drinking binge.
And the recent NSA-related events seem virtually purpose-built to feed that paranoia, piling onto the inherent fears that so many persons have about the rapid pace of our technologies, so complex that it might as well just be magic as far as vast numbers of our fellow travelers are concerned.
So we have fear of cookies, fear of Web ads, fear of tracking, fear of Wi-Fi, fear of malware, and again on and on -- mixing hard technical realities with the acid blend of paranoia itself, leaving especially the nontechnical observers in a dizzying spin, gasping for air, unable to separate any underlying truths from exaggerated claims and purposeful obfuscations.
The nightmare demon, the terrifying "they" seems omnipresent, lurking in the shadows, ready to strike, feeding on a steady diet of misinformation.
They are listening. They are lying. They are covering up something.
They are out to get us.
And no matter how many times it seems demonstrated that particular fears are misplaced, that only means we haven't dug deep enough, haven't considered every fanciful possibility, haven't allowed our phobias sufficient and full bloom.
The negative stands proudly unprovable, while the path of paranoia seems clear by comparison. The glass stands half empty rather than half full, as our leaders with only the best of intentions remodel society and laws in the name of what's worst and most feared, rather than in hope for a better and brighter tomorrow.
The red pill or the blue pill -- it matters not, for in the empire of paranoia, all paths ultimately lead to the inner circles of our own man-made hells.
It's way too early to fully understand the entire scope and purposes of the NSA programs that are now in the headlines. But the odds are we'll learn that NSA, exercising its own paranoia, did pretty much exactly what a paranoid Congress and paranoid administrations wanted NSA to do in the wake of 9/11, as horror at the attacks quickly gave way to jingoism, and our Founding Fathers' dreams of ascendant civil liberties gave way to the kind of political madness that has destroyed an array of civilizations down the span of the centuries.
And throughout it all, as the truths and conspiracy theories and exaggerations mix and mingle into a diseased, opaque pool of pestilence -- within yet above the fray, reigning as sovereign -- paranoia itself sits on its blood-soaked throne -- smiling, nodding in satisfaction, and knowing that in the end, it has indeed triumphed yet again.
June 09, 2013
NSA "Whistleblower" Snowden: Hero? Fool? Traitor? Or ... ?
Oops. I'd thought there was a good probability I could get through today without having to post again about the ever more confusing NSA mess.
Not a chance, as it turns out.
This saga is now taking on the various aspects of a 60s-era spy spoof film, and its bizarre twists and turns are making David Lynch's 1984 production of "Dune" look clear and easily comprehensible by comparison.
Here's where we stand.
Word is out that the NSA leaker, "whistleblower," or whatever your preferred terminology may be, is Edward Snowden, a 29-year-old former CIA tech assistant who (until very recently) was a contract worker at NSA on behalf of various outside firms, like Dell and Booz Allen.
Snowden is now reportedly holed up in a hotel room in Hong Kong, and states that he hopes to achieve asylum in Iceland.
He asserts that he has done "nothing wrong."
There's already a video of him floating around, declaring how he leaked NSA documents on principle because he was so concerned about where NSA was heading and how it is violating the rights of Americans. It's quite stirring.
As you probably already know by now, I am acutely displeased by the situation associated with surveillance in this country, as noted yesterday in Internet Shattered: Spies, Spooks, and Disgust.
Snowden is already being hailed as a "hero" in many quarters, and comparisons are being made to U.S. Army leaker (or whistleblower -- again, your choice) Bradley Manning (whose trial, coincidentally, has just gotten underway).
The comparison may be apt, but not necessarily in a straightforward manner. Both of these cases seem far from black and white, and Snowden's situation brings with it some real head-scratching questions.
I'm immediately struck by Snowden's current choice of Hong Kong as a place of refuge. He says the choice was based on their "spirited commitment to free speech and the right of political dissent." I'm not entirely sure that he's talking about the same Hong Kong I know, which is actually part of China, operates only with China's sufferance, and -- we can logically assume -- is saturated with Chinese Intelligence.
But hell, Snowden was doing work for NSA -- maybe he has special knowledge that makes Hong Kong/China a good pick, even if it wouldn't ordinarily be on most free speech advocates' short lists.
We're also told that Snowden is "lining the door of his hotel room with pillows to prevent eavesdropping," and "puts a red hood over his head and laptop to avoid cameras capturing his passwords."
I'll admit to being puzzled by such actions. Neither of them is likely to negatively impact skilled eavesdroppers in any significant way, given the tradecraft available today. Maybe this is just a cover story (no pun intended) and he's actually using an array of high-tech CIA/NSA gadgetry to protect himself. As James Bond knows, it seems like "Q" is never around when you really need him.
But all of this is really only the kind of material that might make for an intriguing movie trailer.
The core, most important aspects of this situation, relate to the actual information that Snowden leaked (or "whistleblew"). And here matters get murky in short order.
We at least seem to have enough information now to make some broad characterizations.
As much as I abhor NSA obtaining telephone call metadata and the scope of government FISA user data demands to Web services, it appears at this time that most or all of this activity has not only unfortunately been legal, but could reasonably be anticipated as logical outcomes of the PATRIOT Act and other related legislative and court actions.
There were those of us who tried to point out these risks at every opportunity. We were routinely shouted down, sometimes being told that it was un-American even to bring up the issues.
Nothing really to be gained now by reminders that "We told you so."
But back to Snowden's data.
The (sadly, unsurprising) confirmation of the "Phone companies to NSA" telephone call metadata connection is certainly useful, and indeed a cause for broad condemnation, concern, and even anger about our blossoming surveillance society, as I've noted in my postings over the last few days.
And word about NSA's methodologies for organizing and indexing a broad range of globally collected metadata ("Boundless Informant" -- gotta love these names) is certainly intriguing, even though very much along the lines of what we would have expected and frankly, unless one buys into associated conspiracy theories, not particularly dramatic. More confirmation that NSA is collecting a lot of data, but we already basically knew that.
It's in the PRISM documents that I feel the situation becomes most problematic, because I believe strongly that these have done real damage to innocent parties and have played directly into insipid, emotional, false conspiracy theories that have become a scourge, especially in our toxic political environment.
The PRISM documents have been widely touted as "proving" that NSA has "back doors" into the servers of Google, Facebook, and other firms, through which NSA could query and extract personal user data without interaction or control from these firms themselves. A truly horrendous prospect -- if it were true.
The named firms quickly refuted the accusations. They insist that there are no "back doors," that all data requests (e.g., via FISA mechanisms) are individually vetted, then either approved, appealed, or taken to court when the firms felt that the requests were overly broad or otherwise inappropriate.
Of course you can never prove a negative. As I noted yesterday, the conspiracy fans have now run wild, convinced that the firms are outright lying, colluding, and worse.
I can't say the following strongly enough. To believe these conspiracy theories is to assume that the individuals dealing with these matters at these firms are ethically vacuous, have no backbone, or are genuinely evil. This is all simply false.
I personally know a variety of persons at these firms who by any rational analysis would have to know about such "back door" systems if they existed, and who would be unwilling to suffer their presence.
The kinds of engineering that would be required to implement such mechanisms would be extremely complex at the global scale of these firms. I simply do not believe that they could be designed, deployed, or maintained without so many persons finding out about them that they'd be essentially open secrets internally.
And while the government can use an NSL (National Security Letter) to prevent someone from revealing the existence of something -- for example by forcing them to stand mute to a question -- you can't force someone to outright lie in the manner that would be represented by these firms' explicit denials.
What's more, I strongly believe that any attempt to push through such systems would have resulted in levels of resignations immediately obvious to outsiders.
The folks I know at these firms are among the most ethically responsible that I've ever encountered. I do not accept that they would quietly play along with the kinds of NSA schemes that some are alleging. Period.
And even those allegations are foggy. It can be easily argued that it was actually media misinterpretations and sensationalism that led to the "back door" claims. Those same NSA documents could even more reasonably be interpreted to be discussing exactly what these firms have said was the case -- providing properly and legally vetted responses to individual FISA and similar government user data requests. No "back doors" -- no direct, uncontrolled access to user data on servers.
At this stage, it's impossible to easily ameliorate the damage already done by this set of hyperbolic, false allegations that will likely now take on a life of its own.
Which brings us now to a fairly obvious query. Why were the PRISM docs dumped on the media in the manner that they were, especially when their seeming vagueness plays so neatly into conspiratorial mindsets?
I don't know the answer to that question.
Nor will I attempt here to answer the question posed as the topic of this piece. I don't know what Edward Snowden really is. Perhaps he is indeed a hero. Or a combination hero and fool. Or perhaps something else. You'll have to make up your own mind, in the fullness of time.
I do know one thing absolutely. I'll take the word of the people I know at these firms, persons I like and believe -- over the word of NSA and all the spooks, ex-spooks, and contract spooks on the planet.
We are dealing with a complex situation with fragmentary information being dribbled to us by the media out of context. Eventually we'll presumably have a more complete understanding of the various facets involved.
The conspiracy theorists can whine, the haters can hate -- they can all get their jollies as they will. But for me it's all about what's logical, reasonable, and most of all about the individuals I trust and care about.
Be seeing you.
June 08, 2013
Internet Shattered: Spies, Spooks, and Disgust
I've spent literally my entire adult life (and even before) working on Internet technologies and policies, one way or another, reaching back to early ARPANET days at UCLA -- a project rooted in Department of Defense funding, it's worthwhile to remember.
Over that time, there have been many related high points and low points, events joyful or upsetting, but never -- not even close -- have I felt so completely, utterly disgusted with a situation associated with the Net as I am today.
The apparently true facts we're learning about our own government's spying abuses against its own citizens are bad enough. But we also are faced with stomaching the incredibly hypocritical and disingenuous pronouncements of intelligence agencies, administration officials, and Congressional leaders, as they point fingers back and forth about who knew what when, who approved which program, and why we citizens shouldn't be at all concerned.
To make matters worse, mixed in with misinformation and purposeful obfuscations, these actions have played directly into the hands of conspiracy theorists who are now working overtime to damage the very parties most in a position to help hold back unacceptable government prying into our affairs.
It is in fact the major Web services providers like Google, Twitter, Facebook, and others, who have become the most effective holding lines against government overreaching. Most smaller firms or individuals don't have the financial or legal resources to fight back against overly broad data demands and other government abuses.
Thanks to the damage done by distorted dribbling of information over the last few days about telephone metadata collection, PRISM, and now new stories and government generated gobbledygook explanations just today, people all over the world are confused and upset, wondering how deeply the USA is spying on the Internet and its users, the telephone system, and perhaps their supermarket loyalty cards.
Even though the major Web firms categorically denied providing "back door" en masse data access to NSA, and accurately asserted that all data requests are vetted by those firms (and sometimes pushed back against in court), the last few days' worth of false charges have led to a torrent of people flooding comments and postings (not to mention my inbox). Their rants proclaim that the firms are lying, they're in bed with the government, this is proof you can't believe anything these companies say, and gigabytes of other assorted paranoid rot. I won't even address these ravings here. They generally demonstrate a profound lack of knowledge regarding both global-scale software engineering and the legal process. They're illogical, irrational, and are most appropriately filed in Area 51, right next to the outer space aliens' rumpus room.
The government has been feeding this conspiratorial mindset against these firms for years. It has tried its best to scare the hell out of Internet users, by attempting to falsely convince them that cookies are evil incarnate, open Wi-Fi access ports are somehow to be considered private, and that anonymous ad personalization systems will kill the family dog, if not your children.
All the while, we see now that the real abuses have been orchestrated and planned from within the Beltway for many years, by officials totally convinced that they are so much smarter, so much more worldly, so much more entitled than the rest of us, that they've evolved the art of political and bureaucratic hypocrisy and insanely exaggerated secrecy to a level unimagined by the most skillful con men and swindlers in history.
In this case, we're not just being swindled out of uncountable hundreds of billions of dollars being sucked into black budget "everything is called terrorism now!" ratholes, but we've been cheated by the politicians, spooks, and spies out of something even more important in the long run -- trust.
No matter how ostensibly laudable their motives, these officials and minions with their vast and secretive funding, are steadfast in their belief that the American people cannot be trusted -- after all, we're just the little people compared with the giant brains of Congress and the intelligence agencies. Pat us on the head, tell us some scary stories (leave out the inconvenient details of course), and scoot us all back to our rooms.
Now hear this!
We're on to you. Not just here in the U.S. but other governments around the world who are playing the same games with their citizens. We don't need any wacky conspiracy theories -- the facts that are demonstrable are sufficient.
We know that you desperately fear an Internet that you can't control, where every byte of data and every activity log isn't unencrypted and available at your immediate beck and call.
We know you want to control what sites are available and what sites say, dictate the results search engines may show, and generally treat the Net as your own global intelligence fetish supreme.
How about this? If you believe you can honestly make the case that you need to know everyone we call on the phone, have access on demand to virtually everything we do on our computers, and otherwise treat us with such suffocatingly, "loving" contempt -- get out here and convince us.
No more hiding behind vast secrecy that serves your own desire for agency empire building far more than actual national security needs. No more smoke screens blown at Congress pressuring them to approve your schemes without details or debate on the theory that they're just too secret for Congress to really trouble itself about.
And enough of trying to turn us against the very Internet firms that have the ethical and legal stamina not to let us be flattened like worms under your national security steamroller.
While we're at it, oh spies, spooks, and affiliated politicos, one other piece of free advice.
Go grab or download yourself a copy of the Constitution of the United States. It's widely available, at least for the moment. Pay particular attention to the Bill of Rights.
Take it home. Discuss it with your spouse and children -- your children in particular probably already understand it far better than you do.
Those documents were written by a bunch of rather ordinary men of extraordinary vision and resolve. They knew that even a well-meaning government can easily descend into abuse and tyranny, and they knew that protecting fundamental rights requires not treating everyone as a potential suspect, or everything they do or say as subject to access and analysis by the King's representatives and sycophants.
They knew what freedom meant, while your actions now -- regardless of your motives -- are treating their efforts with vast contempt.
We are proud to be Americans, but we are also enormously saddened and disgusted by your behavior.
And that's the truth.
My "Hangout On Air" Discussion of NSA, PRISM, Cyberwar, and More (7 June 2013)
Related blog posting: Inside PRISM: Why the Government Hates Encryption
June 07, 2013
Inside PRISM: Why the Government Hates Encryption
Addendum (1:12 PM): Google's Larry Page and David Drummond are categorically denying that Google gives the government open-ended, back-door access to user data. This appears to confirm my speculation (for Google at least) that these firms are still tightly controlling data access by reviewing and addressing each data demand on an individual and responsible basis. And keep something in mind -- the government can use legal means to try to force you to be silent about a matter, but they can't force you to lie, unless they're resorting to waterboarding and shock collars for Internet executives.
Addendum (10:05 PM): Hangout On Air video discussion of this and related topics recorded this evening (55 minutes) is now available for viewing at this link and via the embed below.
Yesterday in The Soviet Surveillance States of America we began connecting some of the dots associated with the new disclosures of the U.S. federal government's collection of telephone and Internet data.
Since the initial reports, we've now been informed by officials that they only actually look at the telephone connection "metadata" in the course of specific, targeted investigations, and that the Internet data slurping associated with PRISM is directed at foreign nationals in foreign countries (though Americans can be accidentally sucked into the system as well).
We're told by administration spokesmen and top members in Congress that this is all for our own good, presumably as are ubiquitous CCTV cameras, license plate readers, DNA swabbing of innocent persons, and all the other varied inputs (some of which we possibly don't know about) feeding to our law enforcement and intelligence agencies.
Our fearless leaders seem startled that there's such a negative reaction to these new revelations. "Calm down children, we know what's best for you!" appears to be the common refrain.
What they forget -- or more likely are conveniently ignoring -- is that we Americans are a historically rather strange breed when it comes to an innate distrust of government. Frequently these concerns go completely overboard, but when government actually does play into the hands of the conspiracy theorists it does nobody any good at all. (On the other hand, we continue to have evidence that our government is so leaky that keeping a really big secret for long is an intense challenge.)
If you really want to incur the ire of most honest Americans, treat them all like they're criminal or terrorist suspects.
Now, what's really going on with PRISM? The government admits that the program exists, but says it is being "mischaracterized" in significant ways (always a risk with secret projects sucking up information about your citizens' personal lives). The Internet firms named in the leaked documents are denying that they have provided "back doors" to the government for data access.
Who is telling the truth?
Likely both. Based on previous information and the new leaks, we can make some pretty logical guesses about the actual shape of all this.
Here's my take.
First, I believe it's reasonable to assume that significant targeted use of DPI -- Deep Packet Inspection -- is in place, most or all of it outside the control (or even perhaps knowledge) of major Internet sites (but quite possibly associated specifically with major ISPs and backbone providers).
Just as I doubt that "all phone calls are being recorded," I doubt that a mass collection of non-targeted Internet data is going on. Not only would this be technically enormously difficult when you consider traffic patterns and volumes, but would not likely be useful from an analysis standpoint compared with more careful targeting of specific communications, even with the improvements in analysis tools we are aware of (and/or can speculate exist in the shadows).
We do know for certain that the government has become very insistent on two fronts -- wanting virtually instantaneous access to specific stored and real-time user data on demand, and getting it in the clear (that is, unencrypted).
So long as most people don't bother to encrypt their email and other data the latter point is largely moot. The government is mostly concerned that someday down the line ubiquitous encryption will take hold -- that is, strong encryption by default -- that would be time consuming for the spooks to crack on an independent basis.
An intriguing outline becomes clear. The government likely doesn't have "back doors" into major Internet sites that would allow government access to those sites' user data on a "willy-nilly" basis. But it does seem reasonable to assume (especially based on the historical record associated with telephony, e.g. CALEA) that the government has pressured major Internet sites to deploy the means for rapid access to specific data requests that would be mediated by gatekeepers at those firms.
That is, NSA (or whomever) would have an expedited means to present a firm with (for example) a court order or National Security Letter. If legal counsel at the firm determines that this is a valid and sufficiently narrow demand, the mechanism would be in place to immediately provide access (perhaps one-shot, perhaps ongoing for some period) to that specific data (likely related to specific user accounts).
In other words, what we're likely talking about with PRISM isn't a "back door" for rummaging around through data in an uncontrolled manner, but rather a technical and legal protocol for the government to quickly gain access to specific data under order when the firm involved agrees that the order is valid and chooses not to challenge it.
Overall, this regime would replace much slower, largely ad hoc systems for responding to data demands, with a pipeline that can provide that data to government directly -- but the firms still control the valve on that pipe and which data is permitted to flow into it, allowing the firms to fight orders that they do not consider reasonable, focused, or otherwise valid.
This kind of scenario may help to explain the seeming contradictions of what we're now hearing about PRISM, and seems to sync well with the battles over government access to user data that we already know about, and with government demands that when they do get such access, they have some way to get the data in unencrypted form.
But even if my speculation about the relatively constrained nature of PRISM is correct, the potential for government abuse of such deployed systems is still enormous.
Such surveillance environments drastically undermine our own ability to criticize similar and worse abuses by other countries. And here at home, the "you have nothing to fear from surveillance if you have nothing to hide" argument does not play well with most honest Americans. Faith in cloud computing and storage models -- which I feel are enormously important to us all in so many ways and bring with them vast benefits to consumers -- is predicated on users trusting that their cloud data will be at least as safe from government abuses as their data would be on their own local hard drives.
The rise of ubiquitous encryption will over time likely be unstoppable, and will change the face of these issues in major ways that we cannot predict with confidence.
We can, however, predict with considerable assurance that any government and any officials -- regardless of political parties -- who insist on treating the American people as suspects, as ignorant children whose personal data should be available to government prying merely at its beck and call, are ultimately helping to destroy critical underpinnings of what has made this country great.
If we continue to permit this, the ultimate fault and blame will not be with our government or our leaders, but rather with ourselves.
June 06, 2013
The Soviet Surveillance States of America
[Please note: Reference links associated with this item are at the end of the posting.]
In Theodore J. Flicker's prescient, darkly comical 1967 film -- "The President's Analyst" -- there's a bit of dialogue I've quoted many times over the decades. A Soviet spy and an American spy, friends of long standing, despite being on opposite sides, are working together informally. When the object of their common search appears to have been kidnapped right under their noses, the American spy suggests that the phone booth they'd been using was tapped.
The Russian is incredulous. "Are you trying to tell me that every phone in the country is tapped?" "That's what's in my head," replies the U.S. agent. "But Don! This is America, not Russia!" exclaims the Russian.
The film's parallels go even further. The U.S. is being essentially run by the bureaucrats of the law enforcement and intelligence agencies -- spying and wiretapping everywhere, while the president is implicitly relegated to the role of a largely impotent bystander.
Needless to say, the movie did not go over well with the U.S. authorities in 1967. It's likely nobody would dare produce such a film today.
For students of U.S. intelligence and law, the new confirmation that the federal government has been collecting phone call detail records en masse on Americans shouldn't come as a big surprise. The major phone companies have long considered such data a mere commodity, and built enormous businesses selling this kind of information to third parties, emboldened by a variety of court decisions.
The knee-jerk PATRIOT Act legislation following 9/11 set the stage for even worse abuses in this sphere -- even though one of its authors is today claiming that this isn't what he actually had in mind. Apology not accepted -- the abuse potential of PATRIOT was obvious from day one.
Still, the current round of revelations are obviously very upsetting, more so for how they help us connect the dots than for their specifics in this case.
While we've only seen one leaked document so far in this round, we can safely assume that similar orders exist for every other major telecom carrier, reaching back to at least 2006 and the Bush administration. Given NSA's known proclivity for the "vacuum cleaner" approach to data collection -- essentially that they don't consider "mere" collection an abuse, or even really collection at all until specific data is analyzed -- such activities likely go back even further in at least some respects.
We now also have confirmation that top Congressional leaders have known about this -- some of them likely since the very beginning. Their remarks today are enormously telling and troubling.
We're told that this massive operation was justified because it "stopped a terrorist" attack. That could mean pretty much anything, considering the low threshold now employed to define violent acts as terrorism. But how are we to know if any sort of reasonable balance has been achieved between our civil rights vs. "preventing attacks" of any sorts? Would the same effect be achievable in a much less invasive manner? Why bother even figuring that out if you can just order the phone companies to give you everything.
Leaders are now also informing us that there were no complaints from citizens about the program (unsurprising, given that it was, you know, classified) and that we shouldn't be concerned because it's been going on for at least seven years -- it's nothing new, we're reassured. (Why are you upset that you just found out I've been sleeping with your wife? We've been screwing each other since 2006!)
The generally bipartisan nature of the "nothing to worry about" pronouncements today is quite noteworthy, and while we already knew pretty well how Congress operates, one might wonder why President Obama has been co-opted into such invasions of our civil liberties, apparently by continuing the abuses initiated by his GOP predecessor.
I have a theory about that, which explains why political parties just don't matter in these situations.
Remember that law enforcement and intelligence agencies are mainly bureaucratic organizations, desperate to protect their own turfs and funding. (In "The President's Analyst" the "FBR" and "CEA" were always at each other's throats -- the "real" initials were dubbed out in post-production after actual threats from the government!)
My guess is that as soon as a new president is sworn in -- regardless of political party -- the heads of the various interested agencies march into the Oval Office and present the new head of state with "The Briefing Book of Doom (BBD)."
The BBD would be designed to scare the president out of his or her wits by drawing the bleakest, most alarming possible picture of world threats, and emphasizing how any attempt to rein in previous abuses by these agencies could (it is claimed) result in catastrophe ("and by the way, we need much more money, too!")
Few persons are going to have the spine to stand up to such a collective onslaught from the spooks, designed to appeal to emotion rather than reason and logic. It matters not if your affiliation is Republican, Democrat, or Jedi Master.
In this way, the unelected bureaucrats have usurped enormous power, in a manner eerily reminiscent in some ways of the old Soviet Union.
Back to connecting those dots. Even as I'm typing these words, more new revelations are circulating today, about a highly classified program named "PRISM" tying the FBI and NSA directly into major Internet services to gather email, audio, video, photographs, documents, and connection logs. This appears to have also begun under Bush, and grown exponentially since then. Some in Congress have reportedly known about this all along also. PRISM is reportedly not a mass data collection system per se, but rather a means for the government to access specified data as quickly as possible. [Addendum: 5:34 PM - Most or all of the firms described in the PRISM story ("Washington Post" links - see below) are denying involvement.]
Again, such a program has been long suspected, and helps to explain the government's push for extended CALEA access and their increasingly loud demands for easy means to obtain the "plain text" (unencrypted) contents of encrypted Internet data streams and associated services. [Blog Update (June 7, 2013): Inside PRISM: Why the Government Hates Encryption (What PRISM likely is -- and isn't)]
We can also assume that most postal transactions have long been at least tracked.
I'm frequently asked if it's likely that the government is collecting the actual contents of phone calls on a large-scale basis, bringing us back around to our Soviet and American movie spy friends.
As far back as 2006, I speculated that the technology to do this was within reach, but that for practical reasons a "record every call" approach seemed unlikely. Even now, with the massive improvements in tech since then, I still suspect that actual call recording tends to be quite focused, rather than comprehensive, for technical reasons beyond the scope of this posting. In absolute terms though, it may still be quite large.
We also now can begin to understand the depths of the threats and pressures that the government -- via National Security Letters and these various classified programs -- has been asserting against major Internet firms.
Reading between the lines of the cases we already knew about, firms like Google and others have been trying to warn us about this -- the best that they could do given the constraints forced upon them by a secretive government.
I also personally believe that we now can see more clearly the depth of hypocrisy and diversion involved in the government spending so much effort publicly attacking harmless, anonymous, personalized Internet ad systems, while at the same time engaging in such massive, secret, highly personal, and deeply invasive intrusions of their own citizens' lives.
Beyond all this, there's a truly upsetting question. If our own government is willing to go this far at this stage in such a bipartisan manner -- republicans and democrats alike -- what might happen if someday a small nuke or dirty bomb is detonated in a U.S. city? Even if relatively few persons were actually harmed, how long would any of our remaining civil liberties be intact? You know the answer.
I called this posting "The Soviet Surveillance States of America" -- but perhaps not for the reasons you might have suspected. While the old Soviet Union (and unfortunately, increasingly the new Russia) certainly have engaged in evil acts, it would not be truthful to suggest that all of their associated motivations were necessarily actually evil themselves.
Much more dangerous than true evil itself are leaders who honestly feel that they are doing the right thing for their countries and people, and slide down the slippery slope of increasingly intrusive civil liberties decimations in the process. It is in this way that many of history's worst tyrannies were gestated -- pulled into a putrid pit via a chain of ostensibly noble deeds.
The old USSR likely would have made many of the same pro-surveillance arguments that our leaders here are making today, if the technology in focus now had actually existed then.
We've all heard it said that "The road to hell is paved with good intentions."
It's something to remember, comrades. Something definitely to remember.
- - -
June 05, 2013
Don't Always Assume the Worst! - Facebook Falsely Accused of Purposely Blocking Data Downloads
Regular readers know that I'm no fan of Facebook -- I don't use it myself and I'm surviving very nicely without it, thank you.
But common sense gave way to fuzzy thinking and rumormongering today, when a story spread like wildfire across the Net -- via Slashdot, Reddit, and an array of other sites -- claiming that Facebook was now purposely blocking users from downloading their "timeline" (still often called "wall") postings data, as had been previously possible.
This rumor may have started with an angry blog posting at a site which I'll not provide with link juice here today. The posting apparently wasn't inaccurate in describing problems that the author was having downloading their Facebook data, but rather in the implication that this was a purposeful policy change by Facebook -- and this latter concept became the tinderbox that set off angry comments and dialogue around the Web.
I suspected from the outside that this was likely just a bug. I now have confirmation from two Facebook engineering sources that this is indeed the case, and that a fix is likely to go live within a few days.
There were multiple reasons from the outset to suspect that we were dealing with an engineering glitch and not a policy change.
Perhaps the most obvious of these is that it simply would not make any kind of sense for Facebook to make such a change! I've been pretty critical of Facebook's handling of various privacy matters over time, particularly in terms of their specific user-facing implementations.
But to suddenly block this type of user data download would be ludicrous on its face and incredibly counterproductive to both Facebook and its users. The negative PR and in some countries regulatory blowback would likely be enormous. It would be utterly illogical.
Other clues that this was just a bug were also apparent.
The relevant Facebook help pages regarding data downloads and exports said nothing to indicate that such a policy change had taken place.
There was enormous inconsistency in user reports regarding this situation today. Some users reported that the data in question was missing from their downloads. Some claimed they couldn't download at all. Others were able to export all their data -- including timeline/wall data -- completely intact without difficulties.
While it's always possible that variations in user experience are the result of an engineering change being gradually rolled out across the platform, this just didn't seem to make sense in today's instance, especially given the other facts.
I understand that it may be human nature much of the time to emotionally believe the worst, but seriously, today's policy change rumors should really have been suspicious to just about everyone, given even a bit of real thought.
In an age when all manner of bizarre and inane conspiracy theories thrive, I can't say that I'm surprised when a false rumor like this gets traction bouncing around the Web's echo chamber.
But let's face it -- if we're actually going to automatically assume evil decisions every time there's an operational issue in these highly complex systems, it's a pretty sad commentary about our society overall.
I'm pretty sure we can do much better than that if we try.
June 04, 2013
Google Glass Meets the Horrifying Internet Porn Shortage!
Brace yourself. If you're not sitting down, I urge you to do so. There's devastating news afoot.
The Internet is apparently running out of pornography.
I know this comes as a shock. OK, it's not quite as bad as running low on cute kitty photos and videos, but it's pretty darned close.
Now if you're like me, you may not have actually realized that the Net is in such a dire, porn-starved condition. After all, at first glance, it seems like any legal porn you might want to see (and considerable amounts you might prefer not to see) are easily and openly available from a vast number of Web venues.
But appearances can be deceiving. And judging from some of the wailing I've been hearing since Google announced that they will not approve porn-oriented apps for the Developer Preview of Google Glass, I can only assume that a devastating porn shortage snuck up on us while we were busily building animated meme GIFs.
The inevitable cries of censorship are already being heard. They're nonsense, of course. I'm about as strong a free speech advocate as you're likely to find, but censorship is the domain of governments, not other organizations or individuals. Just as your local supermarket isn't required to carry "Hustler" magazine, there's no legal requirement that any firm approve any particular sort of app. And so long as we're talking about legal content that is readily available from other venues, and we're not discussing ISPs trying to micromanage which sites their customers can access, the consternation seems misplaced.
Decisions to keep mainstream app stores reasonably family friendly just don't really upset me. Let's face it, they're not the only games in town -- sideloading and other similar widely known techniques generally allow for users to obtain content and apps from other sources if they choose to do so.
There's an important distinction here. Not wanting to be actively engaged in the distribution and marketing of porn-related apps and materials is utterly different than saying that you want to ban such items.
But I think it's fair to say that most people don't want it slammed at them either. When I occasionally see unsolicited graphic sexual content in my Google+ notification stream, I usually report it much as I would any other kind of spam. I'm not condemning the porn per se, I'm saying that it is being inappropriately thrust upon me -- no pun intended.
When it comes to Google Glass in particular, Google's deliberate, arguably conservative, go-slow approach that some observers find frustrating is actually entirely appropriate. Glass represents the first real steps into the mass marketing of general purpose wearable computing devices, and as I've noted in The Coming War Against Personal Photography and Video, Glass is already being targeted from some quarters as a proxy for forces who would like to greatly restrict public photography in general. Adding porn into the mix at this incipient stage would provide yet another target for knee-jerk reactions, and risk diverting attention from an array of extremely positive and innovative applications for this technology.
The policy issues surrounding all this are inevitably going to be entangled with politics and politicians, and while I hesitate to say "Luddites" in this context, there is a definite impression that there are folks out there who would very much prefer that this whole area be dealt with through emotional haranguing rather than thoughtful and logical analysis.
In any case, fear not -- the Internet is a very big place. Your porn cup still runneth over if you wish, the porn desert is not upon us, your prurient interests need not cower for fear of starvation.
Rumors of the Internet Porn Apocalypse are unfounded.
And now that we've settled that, we can all get back to the important work of churning out the cat memes.
June 03, 2013
The Fearless Password Killers, or Pardon Me, But Your Teeth Are in My Data
A few days ago, in Die Passwords! Die!, I suggested that the venerable password -- despite the addition of extremely useful techniques such as multiple-factor authentication and other extensions -- is coming to the end of its usefulness in our 21st century computing and communications environments, and I discussed some possible evolutionary authentication regimes that seem likely to ultimately replace passwords in many venues.
Most of the reaction was quite positive, but there definitely are dissenters within my inbox as well, largely paraphrasing Mark Twain from 1897, to the tune that "The report of the death of passwords is an exaggeration."
This conveniently permits me to wring some additional mileage out of the implicit horror movie motif of "Die Passwords! Die!" -- and I'm not letting that opportunity pass by unrealized to its full potential.
We need only look to the stereotypical vampire film for inspiration.
Our heroes "the vampire killers" arrive in a small village. Usually there's a leader who has some sort of honorific prepending their name, like Professor Abronsius, Captain Kronos, or Dr. Van Helsing. The remainder of the crew are usually essentially the flunkies who sharpen the wooden stakes.
Despite the often horrific attacks visited on the townspeople at intervals by the local vampire or vampires, the residents may simply want the vampire hunting visitors to just go away, leave well enough alone. They've learned to live with the vampires -- deploy plenty of garlic and an occasional sacrificed virgin -- and fear any "tampering" will just make matters even worse.
To compare the "password protectors" with these terrified villagers is tempting but not entirely fair, since there are indeed arguments to be made in favor of preserving at least the outlines of our existing password system, though I personally don't feel that those arguments on balance win the day.
It's suggested that hardware-based systems could isolate password-related data in a way rendering it at least theoretically invulnerable to the sort of password hash file breaches that have now become all too common. But buying and installing new specialized hardware like this seems like a non-starter for most environments, both from cost and an array of logistical standpoints.
We're urged to find ways to get users to pick longer passwords and more random passwords. We're told we must convince them not to share passwords in ways that would allow a failure at a weak site to compromise authentication at a stronger unaffiliated site. We're reminded again about multiple-factor authentication, key management tools, one-time password systems, and other purported silver bullets.
And indeed, all of these methodologies -- to one extent or another in different sorts of consumer and enterprise environments -- can definitely make a big difference toward improving authentication security -- if designed properly, if implemented appropriately, if deployed correctly, and if used responsibly and diligently by consumers. That's a whole bunch of "ifs" to deal with.
But it's still all ultimately a holding action. You may be able to momentarily stall your friendly neighborhood vampire by holding a crucifix in front of their face, but you can't keep up that pose indefinitely, and vampires can be remarkably patient in such situations -- they usually have more time than you do.
I understand why many persons have concerns about "federated" authentication systems, biometric or other personal identifiers, and various combinations and permutations of these concepts.
And as I've acknowledged, doing these systems right -- in ways that provide appropriate compartmentalization and granularity of access to authentication credentials -- is an extremely complex task from both policy and technical standpoints. Yes, there are lots of "ifs" here as well.
But there is a big difference with these non-password techniques, and while I don't want to sound condescending about this, the truth is that if we depend on most non-techie, busy users to voluntarily manage their password environments correctly in the long-term, we are actually doing them a grave disservice.
It's easy for techies (perhaps like you, certainly like me) to forget that most users don't have the time nor inclination to be worrying about authentication details -- until something goes wrong, and panic sets in. It's not the techies I'm worried about -- we'll manage one way or another -- but it's the consumers who don't want to have to be security experts just to access their mail or bank accounts. The more complicated the demands we make of them -- choose the right passwords -- use the correct key management tools -- do this -- don't do that -- the less likely that we're going to see good outcomes overall.
In the final analysis, this is why I feel that passwords have seen their day, why we must be moving on and finding our way to better solutions, albeit requiring a lot of deep thinking and hard work on our parts.
You can try to live with vampires, and you may manage it for a while -- but in the long run it's going to be either them -- or you.
I strongly believe that we have the technological capabilities to solve authentication problems in ways that will be better for consumers and everyone else involved, without leaning on password models that are increasingly problematic.
We know how to solve such problems, if we set our minds to it -- it's very much part and parcel of what we do best.
In other words, it's -- wait for it -- in our blood.
May 31, 2013
Die Passwords! Die!
In one form or another -- verbal, written, typed, semaphored, grunted, and more -- passwords broadly defined have been part of our cultures pretty much since the dawn of humans at least. Whether an 18 character mixed-case password replete with unusual symbols, or the limb-twisting motions of a secret handshake, we've always needed means for authentication and identity verification, and we've long used the concept of a communicable "secret" of some kind to fill this need.
As we plow our way ever deeper into the 21st century, it is notable that most of our Internet and other computer-based systems still depend on the basic password motif for access control. And despite sometimes herculean efforts to keep password-based environments viable, it's all too clear that we're rapidly reaching the end of the road for this venerable mechanism.
That this was eventually inevitable has long been clear, but recent events seem to be piling up and pointing at a more rapid degeneration of password security than many observers had anticipated, and this is taking us quickly into the most complex realms of identity and privacy.
Advances in mathematical techniques, parallel processing, and particularly in the computational power available to password crackers (now often using very high speed graphics processing units to do the number crunching) are undermining long held assumptions about the safety of passwords of any given length or complexity, and rendering even hashed password files increasingly vulnerable to successful attacks. If a single configuration error allows such files to fall into the wrong hands, even the use of more advanced password hashing algorithms is no guarantee of protection against the march of computational power and techniques that may decimate them in the future.
What seems like an almost daily series of high profile password breaches has triggered something of a stampede to finally implement multiple-factor authentication systems of various kinds, which are usually a notch below even more secure systems that use a new password for every login attempt (that is, OTP - One-Time Password systems, which usually depend on a hardware device or smartphone app to generate disposable passwords).
As you'd imagine, the ultimate security of what we might call these "enhanced password" environments depends greatly on the quality of their implementations and maintenance. A well designed multiple factor system can do a lot of good, but a poorly built and vulnerable one can give users a false sense of security that is actually even more dangerous than a basic password system alone.
Given all this, it's understandable that attention has now turned toward more advanced methodologies that -- we hope -- will be less vulnerable than any typical password-based regimes.
There are numerous issues. Ideally, you don't want folks routinely using passwords at all in the conventional sense. Even relatively strong passwords become especially problematic when they're used on multiple systems -- a very common practice. The old adage of the weakest link in the chain holds true here as well. And the less said about weak passwords the better (such as "12345" -- the kind of password, as noted in Mel Brooks' film "Spaceballs" -- that "an idiot would have on his luggage") -- or worse.
So, much focus now is on "federated" authentication systems, such as OAuth and others.
At first glance, the concept appears simple enough. Rather than logging in separately to every site, you authenticate to a single site that then (with your permission) shares your credentials via "tokens" that represent your desired and permitted access levels. Those other sites never learn your password per se, they only see your tokens, which can be revoked on demand. For example, if you use Google+, you can choose to use your Google+ credentials to access various other cooperating sites. An expanding variety of other similar environments are also in various stages of availability.
This is a significant advance. But if you're still using simple passwords for access to a federated authentication system, many of the same old vulnerabilities may still be in play. Someone gaining illicit access to your federated identity may then have access to all associated systems. This strongly suggests that when using federated login environments you should always use the strongest currently available practical protections -- like multiple-factor authentication.
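The token model described above, as an added example rather than code from OAuth or any real provider: a toy identity provider that is the only party to see the password, issues opaque tokens limited to one site and a set of scopes, and can revoke them. All class names, scope strings, and site names are hypothetical.

```python
import hashlib
import hmac
import secrets
import time


class IdentityProvider:
    """Hypothetical identity provider: the only party that handles passwords."""

    def __init__(self):
        self._users = {}    # username -> (salt, PBKDF2 hash)
        self._tokens = {}   # sha256(token) -> grant; raw tokens are not stored
        self._dummy_salt = secrets.token_bytes(16)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self._hash(password, salt))

    def authorize(self, username, password, site, scopes, ttl=3600):
        """The user logs in here and consents to `scopes` for `site` only."""
        salt, stored = self._users.get(username, (self._dummy_salt, b""))
        # Hash even for unknown users so both failure paths cost the same.
        if not hmac.compare_digest(stored, self._hash(password, salt)):
            return None
        token = secrets.token_urlsafe(32)
        self._tokens[self._key(token)] = {
            "user": username,
            "site": site,
            "scopes": frozenset(scopes),
            "expires": time.time() + ttl,
        }
        return token

    def introspect(self, token, site):
        """Called by a relying site to ask what a presented token permits."""
        grant = self._tokens.get(self._key(token))
        if grant is None or grant["site"] != site:
            return None
        if grant["expires"] < time.time():
            return None
        return grant

    def revoke(self, token):
        return self._tokens.pop(self._key(token), None) is not None

    def revoke_all(self, username):
        """Response to a compromised federated identity: kill every grant."""
        doomed = [k for k, g in self._tokens.items() if g["user"] == username]
        for k in doomed:
            del self._tokens[k]
        return len(doomed)


class RelyingSite:
    """A cooperating site: it sees tokens, never the user's password."""

    def __init__(self, name, idp):
        self.name = name
        self.idp = idp

    def handle(self, token, needed_scope):
        grant = self.idp.introspect(token, self.name)
        if grant is None:
            return "401 invalid, expired or revoked token"
        if needed_scope not in grant["scopes"]:
            return "403 scope not granted"
        return f"200 {needed_scope} for {grant['user']}"


if __name__ == "__main__":
    idp = IdentityProvider()
    idp.register("alice", "constructed-example-passphrase")
    photos = RelyingSite("photos.example", idp)
    blog = RelyingSite("blog.example", idp)
    tok = idp.authorize("alice", "constructed-example-passphrase",
                        "photos.example", {"profile:read"})
    print(photos.handle(tok, "profile:read"))    # permitted scope
    print(photos.handle(tok, "photos:delete"))   # scope never granted
    print(blog.handle(tok, "profile:read"))      # token issued for another site
    idp.revoke(tok)
    print(photos.handle(tok, "profile:read"))    # revoked on demand
```

The single `authorize` call is also where the weakness noted above lives: whoever can pass that one password check can mint tokens for every cooperating site, which is why that step is the one to protect with a second factor.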
All that being said, it's clear that the foreseeable future of authentication will appropriately depend heavily on federated environments of one form or another, so a strong focus there is utterly reasonable.
Given that the point of access to a federated authentication system is so crucial, much work is in progress to eliminate passwords entirely at this level, or to at least associate them with additional physical means of verification.
An obvious approach to this is biometrics -- fingerprints, iris scans, and an array of other bodily metrics. However, since biometric identifiers are so associated with law enforcement, cannot be transferred to another individual in cases of emergency, and are unable to be changed if compromised, the biometric approach alone may not be widely acceptable for mass adoption outside of specialized, relatively high-security environments.
Wearable devices may represent a much more acceptable compromise for many more persons. They could be transferred to another individual when necessary (and stolen as well, but means to render them impotent in that circumstance are fairly straightforward).
A plethora of possibilities exist in this realm -- electronically enabled watches, bracelets, rings, temporary tattoos, even swallowable pills -- to name but a few. Sound like science-fiction? Nope, all of these already exist or are in active development.
Naturally, such methods are useless unless the specific hardware capabilities to receive their authentication signals are also present, when and where you need them, so these devices probably will not be in particularly widespread use for the very short term at least. But it's certainly possible to visualize them being sold along with a receiver unit that could be plugged into existing equipment. As always, price will be a crucial factor in adoption rates.
Yet while the wearable side of the authentication equation has the coolness factor, the truth is that it's behind the scenes where the really tough challenges and the most seriously important related policy and engineering questions reside.
No matter the chosen methods of authentication -- typed, worn, or swallowed -- one of the most challenging areas is how to appropriately design, deploy, and operate the underlying systems. It is incumbent on us to create powerful federated authentication environments in ways that give users trustworthy control over how their identity credentials are managed and shared, what capabilities they wish to provide in specific environments, how these factors interact with complex privacy parameters, and a whole host of associated questions, including how to provide for pseudonymous and anonymous activities where appropriate.
Not only do we need to understand the basic topology of these questions and develop policies that represent reasonable answers, we must actually build and deploy such systems in secure and reliable ways, often at enormous scale by historical standards. It's a fascinating area, and there is a tremendous amount of thinking and work ongoing toward these goals -- but in many ways we're only just at the beginning. Interesting times.
One thing is pretty much certain, however. Passwords as we've traditionally known them are on the way out. They are doomed. The sooner we're rid of them, the better off we're all going to be.
Especially if your password is "12345" ...
May 24, 2013
USA Intellectual Property Theft Commission Recommends Malware!
Oh boy. The "Commission on the Theft of American Intellectual Property" has released its long awaited report, and it's 90 or so pages of doom, gloom, and the bizarre -- including one section that had me almost literally doing a "spit-take" onto my screens while sipping my morning coffee.
I'm not going to try to critique the entire report here and now. As you'd expect, it presents a dire scenario of intellectual property theft run amok, and while offering only a few words of lip service to the grossly flawed measurement methodologies that vastly overstate dollar losses in various sectors, the report instead suggests that those exaggerations are actually understatements -- that the problem is far, far worse than we ever imagined. Oh, the horror. The horror.
But we expected this sort of skew to massively hyperbolize the underlying actual problems of IP theft.
What you may not have expected, however, is that the authors of this report appear to have been smoking "funny cigarettes" during its drafting. OK, we don't know this for a fact, but it's otherwise difficult to wrap your mind around this specific proposal in the "cyber" section of the report:
"Additionally, software can be written that will allow only authorized users to open files containing valuable information. If an unauthorized person accesses the information, a range of actions might then occur. For example, the file could be rendered inaccessible and the unauthorized user's computer could be locked down, with instructions on how to contact law enforcement to get the password needed to unlock the account. Such measures do not violate existing laws on the use of the Internet, yet they serve to blunt attacks and stabilize a cyber incident to provide both time and evidence for law enforcement to become involved."
Booooing! Say what? Is this the parody section of the report? Something from "The Onion" or perhaps a "Saturday Night Live" skit?
I'm afraid they're serious. And what they're proposing is no less than the legitimizing of a form of malware that has attacked vast numbers of Internet users, costing them immense lost time, money, and grief.
You may have been unlucky enough to see this for yourself. It comes in various forms, but generally it claims to be a law enforcement warning (often saying it's from the FBI). It accuses you of having some kind of "illicit" material (usually a copyright violation and/or porn) on your system, and demands that you contact an address for "more information" -- or even that you make immediate payment of a "fine" to release your computer. Your webcam may even be surreptitiously used to include your photo to further confuse and upset you.
Of course, this is all a scam. If you go to that address, you'll likely download more malware, or be directed to provide credit card or bank account info to pay for your "violation" of law. Even if you pay, you have no assurance that this malware will go away. Even if it does seem to release you, it may hang around in the background sucking up your private information, bank account access data, and who knows what else.
Consumers attacked by this class of malware have spent enormous sums to get it actually cleaned out, and very many have been directly defrauded by it as well. And of course, these systems can't be used for anything else while the malware is actively threatening you.
So now we have the IP Commission suggesting that firms be allowed to use basically this same technique -- pop up on someone's computer because you *believe* they've stolen something from you, terrify them with law enforcement threats, and lock them out of their (possibly crucial) data and applications as well.
What the hell are these guys thinking? Outside of the enormous collateral damage this sort of "permitted malware" regime could do to innocents -- how would the average user be able to tell the difference between this class of malware and the fraudulent variety that is currently a scourge across the Net?
What's more, how can it possibly be justified to lock users out of their systems on this sort of unilateral basis? How much "theft" -- even when it actually occurred -- is enough to justify locking someone out of their private applications and data, some of which may be absolutely necessary to their daily lives?
I could get into a lot of technical details about this, but we can just cut to the chase for now: the whole concept is utterly insane, and frankly calls into question the competency of the commission in general.
With our own commissions coming up with idiotic, dangerous nonsense like this, we may have more to worry about from their kind of thinking than from the "cyber-crooks" themselves.
And that's really, seriously, scary.
May 23, 2013
For Shame: The Internet Cruelty Machine Torments GIF Inventor
I've never been quite sure what it is about the Net that tends to bring out, amplify, and exacerbate the cruel, infantile, and snarky side of so many people, including persons who really, seriously should know better.
Perhaps they get caught up in the moment like a rioting crowd, and the degrees of separation from "real life" -- allowing the easy spouting of bile that most of them would never do in person -- is also in play.
But none of this is any excuse for acting like a jerk.
Case in point, the rampant, mean-spirited attacks now being widely deployed against Steve Wilhite, who created the omnipresent "GIF" graphics format in 1987 while at CompuServe. Still widely used for conventional photos even in the face of more recent formats, it is the backbone of repeating animated image displays, from funny cats to serious diagrams.
A couple of days ago Steve -- who suffered a stroke in 2000 and now primarily communicates using email over the Net itself -- accepted a well-deserved lifetime achievement "Webby" award.
In the course of subsequent discussion, he noted his long-standing belief that GIF -- a term we must remember he invented -- should be pronounced with a soft G rather than a hard G -- not the first time this issue has arisen by any means.
Immediately, the Web pounced in ridicule, with satirical articles, obscene comments, and even a video that its producer claims is in fun but just comes off crude and cruel -- like pulling wings off insects.
As it happens, I've always pronounced GIF with a hard G -- not Steve's pronunciation. I always figured that since the G stood for Graphics, the hard G made the most sense. And I'm not going to change that now.
But for the love of the Net and basic human decency, can't we give the man an award -- someone who provided us with a tool that has become part and parcel of the Web -- without tormenting him afterwards like children during recess torturing another kid about the pronunciation of his name?
As the creator of GIF, Steve Wilhite outranks us all when it comes to what he feels is the "official" pronunciation. But you and I can still pronounce GIF any way we choose, and we can do so without behaving like asses.
Consider growing up just a little bit, people, please.
May 20, 2013
Yahoo's Big Tumble Into Big Porn, Big Sleaze, and Perhaps, Big Trouble
By now you've likely heard that Tumblr is selling itself to Yahoo for just over a billion bucks in cash. Oh wait, excuse me, that's Tumblr. -- officially, there's a period after Tumblr, a flourish added to the current vogue of purpsly drpping leters frm yor nme.
Yahoo wants to be "cool" again -- young, hip, bad, fresh, sick, tight -- or whatever your favorite current euphemism for youth monetization might be.
In furtherance of this worthy end, Yahoo will be providing Tumblr's (insert the periods yourself if you must) 26-year-old, high school dropout founder with a payday of something on the order of a quarter of a billion dollars -- and each Tumblr employee something like a paltry six meg each.
To which I say -- more power to them! Man, if you can get it, take it! While it appears that P.T. Barnum never actually uttered the phrase usually attributed to him -- concerning the birth rate of suckers -- it's true nonetheless.
In the last couple of days, I've realized that a surprising number of folks have either never heard of Tumblr, or purport to know virtually nothing about its content and user policies. The old echo chamber strikes again -- it's easy for us to forget that not everyone spends their days thinking about the Net.
The fact is that Tumblr brings to Yahoo a rather fascinating dilemma. It would be unfair to call Tumblr a sleaze site per se -- because they do host a wide variety of utterly un-sleazy materials posted by their freewheeling users on a virtually endless series of "microblogs."
But, truth be told, Tumblr is also an almost bottomless pit of seamy, gross, and in some cases borderline illicit postings of all sorts.
The topic range in these particular categories is both broad and deep, and of the sort to make your creepy Uncle Ernie both pant and vomit with joy.
We're not talking here simply about happy adult pornography, but bestiality, self-mutilation, racism, anorexia fan sites, near c-porn, and so, so much more.
Which brings us back to Yahoo.
I'm a first amendment, free speech guy, and so my concern in this context is not with that Tumblr content itself -- however disgusting I personally find much of it to be. Like I say all the time, censorship on the Internet doesn't work and just makes things worse -- don't even try it.
But seeming corporate hypocrisy related to a billion dollar acquisition really bugs me.
Yahoo is claiming that it's going to be "hands off" Tumblr -- that (at least for now) Tumblr will operate separately with no changes to their usage terms.
"Tumblr and Yahoo will be independent," said Yahoo today -- on the same day they moved (with considerable fanfare) the Yahoo official blog to a tumblr.com address. Hmm.
But sooner or later, Yahoo is going to want to monetize the Tumblr throngs, and therein awaits the advertising trap.
Pretty much the worst thing that could happen to most major advertisers is to have their products pitched in conjunction with serious sleaze, especially in this age of flash boycotts.
What to do? Well, obviously Yahoo will be pushing for Tumblr users to be rigorous about accurately labeling their sites -- e.g. as "Not Safe For Pretty Much Anyone" -- but just like right now, many users will ignore this, and likely others will begin purposely mislabeling as a form of protest against Yahoo's takeover.
Algorithms can try to ferret out some of this automatically -- "Running Procedure sicko_seek-pns49300A.3" -- but a lot will still slip through, so to speak.
All told, it's almost impossible to visualize anything beyond a relatively near-term future where the existing full content range on Tumblr will be tolerable to Yahoo.
My guess is that Yahoo will be subtly working to drive out those "troublesome" aspects of the Tumblr user base over time -- one way or another -- ideally before the first big public blowup in the "Yahoo era" over Tumblr content.
This won't happen overnight. It's in Yahoo's interests right now to try to make Tumblr users of all stripes feel that they're wanted, valued, and cherished. Welcome to the joyful embrace of Yahoo!
But if I were a Tumblr user with content that was, shall we say, considerably divergent from the mainstream, I'd be starting to look around right now for a different place to host my stuff, and some new URLs to forward over to good ol' Uncle Ernie.
May 19, 2013
Attack of the Google Snarkers
I hadn't planned on writing anything about this, but watching the continuing stream of obnoxious snarking -- both in blogs and some mainstream media -- following Larry Page's appearance at the end of Wednesday's "Google I/O" keynote, my irritation level has risen to the point where some comment seems apropos.
Let's get the disclaimer out of the way. I've never met Larry. I am currently consulting to Google. Everything I say here represents my thoughts only, and any blame for them should be attributed to me alone. OK, let's move on.
Regular readers know that I am not a fan of snark in general. In fact, snarky comments are one of the easiest ways to get bounced from my Google+ threads. As far as I'm concerned, they're almost always cheap shots aimed at minimizing real issues, to try get a quick "gee, ain't I clever" laugh. Some folks love that stuff. That's their choice, of course. Personally, I feel they usually detract from serious and useful discussion.
I dare say I wasn't the only one surprised when Larry walked on stage Wednesday. There was no obvious reason why he had to do that, not to mention his extended Q&A with the audience.
In the wake of this, we've seen pundits and writers attempting to characterize his remarks in a variety of snarky ways. I'm not going to provide those venues with link juice here.
And in fact, that kind of snarking is painfully representative of the kinds of attitudes that have driven our political system into toxic paralysis, making it so difficult for so many creative people to ponder the big questions, to consider the tough "what ifs?," without being mercilessly attacked by the champions of the status quo.
My interpretation of Larry's remarks is that he wasn't revealing a specific business plan, he was exploring a *philosophy* bigger than the limitations and constraints that encumber us today -- not just at the nexus of government vs. technology but in many other ways as well.
It is *incredibly* important that such thinking be encouraged, not attacked or ridiculed.
To ponder what could be achieved with different legal constraints than exist today is both valid and valuable, because we don't live in a static world at all -- much as some people would prefer as little change as possible.
Well within the lifetimes of many of you reading this, it was *illicit* to plug your own equipment -- even the simplest of phones -- into a telephone line. This seems inconceivable today, but imagine if nobody back then had pondered the question of what might be accomplished if we could legally hook our own data and other devices to the telephone network. Very likely, the Internet as we know it today might not exist at all.
Google is large and influential, and there are many venues for reasoned discussion about Google-related issues.
But snarking -- especially aimed at an individual like Larry who voluntarily chose to share some personal and philosophical thoughts very much worth pondering -- yes, especially the snarking we've heard over the last few days, is counterproductive, disgraceful, and -- to the detriment of us all -- very much calculated to discourage honest consideration of our complex and mutable futures.
The purveyors of such poison should not only be shunned, but should be utterly ashamed of themselves.
May 11, 2013
Newt Gingrich Meets the Smartphone (Annotated Edition) [Video]
(YouTube / 3 minutes)
May 09, 2013
A 3D-Printed Gun Meets the Streisand Effect
Regular readers here and in other venues will know by now that I am a very strong supporter of gun control legislation (now more popularly called "gun safety" regulation for political correctness). Not only that, I consider the NRA and its minions inside and outside of government to be directly responsible for millions of innocent deaths at the bidding of their gun merchant supporters. And that's just for starters.
But even I can recognize bogosity when I see it.
By now you've probably heard about the downloadable plans for printing a plastic gun on a (currently fairly expensive, but cheaper they will continue to become) 3D printer.
After the simple gun was determined to essentially function as designed, the plans were posted to the Web a couple of days ago.
Today comes word that, reportedly, the U.S. State Department has asked the plans' distributor to remove them from the Net, while legal issues are being explored.
The parties involved have apparently complied.
But over 100K copies of those plans had already been downloaded.
You know where this is going.
The very act of attempting to bottle up this data has drawn far more attention to the plans themselves than would otherwise likely have been the case -- a textbook definition of the so-called "Streisand Effect" in action, a phenomenon we've discussed here many times in the past.
And of course, the plans themselves are still trivially available.
I found them -- intact and complete -- on a mirror site within 30 seconds, using an obvious three word search query, just a few minutes ago.
Outside of the just plain uselessness of trying to block such information after it has already been published -- how many times must this truism be repeated? -- there are a couple of other obvious ironies in play.
One is that just as attempts to censor the Net will almost always be ultimately futile (but still potentially very damaging to individuals or organizations caught up in those attempts), trying to control 3D printing is almost certainly going to be equally (if not even more) futile in the long run.
And the other irony? Who the hell needs to print a gun when the NRA and its ilk have made it trivial for pretty much anyone, including the mentally ill, people on the no-fly terrorism watch list, and basically anyone else not carting around pressure-cooker bombs (and maybe them too), to easily and legally purchase cheap, powerful, much more effective weapons with a nod and a wink at any gun show -- no background checks usually required!
So all around, from every angle, this whole story only serves to demonstrate the depth of society's confusion regarding the Internet, 3D printing, and guns.
To paraphrase the inestimable "Firesign Theatre" -- I'm afraid we may all be bozos on this bus.
Obama and Others: When "Transparency" Becomes a Wolf in Sheep's Clothing
When you're basically a techie who thinks a lot about policy -- as I am -- there's a natural tendency to approach issues specifically and individually, like bugs to be stamped out of complex program code.
Frankly, it's also easier to write that way, to focus on individual issues rather than broader, often conflicting concepts -- that can be far more difficult to paint into an intelligible portrait of words.
But the old platitudes and idioms like "not seeing the forest for the trees" or "connecting the dots" exist for a reason. Sometimes you do need to take the "long view" -- both in space and time -- to really understand what's going on, and how we're likely to be impacted.
I was reminded of this today, as I noted all the excitement around the Net over the Obama administration's announcement of a "government open data" initiative, to help make previously unavailable or hard to access data broadly available to the public to "Enhance Government Efficiency and Fuel Economic Growth" -- as the White House press release puts it.
This is certainly a welcome development in government transparency, well deserving of praise. The excitement is understandable.
And yet ...
Over the last few days there have been other reminders relating to this administration -- paralleling distressing events in Europe and elsewhere -- that remind us how "transparency" can be a nightmarish technological trap as well, depending upon how "transparency" is defined, and who is defining it.
For it's the same Obama administration pushing for "open government data" that is also pushing for a vast expansion of FBI access to our telecommunications and other personal data.
The reported scope of this thrust is both deep and wide. It includes demands that Internet services provide "real-time" wiretapping facilities -- ironic for an administration pushing cybersecurity, given that such mechanisms actually weaken security by providing new avenues for black hat hacking.
And this is the same administration that is actively fighting to maintain the intolerable legal structure under which warrantless access to our centrally stored email and other data has become such a travesty, threatening consumer confidence in the very cloud-based services that are a crucial aspect of our modern Internet environment.
It appears that President Obama doesn't only ostensibly want government to be transparent to us, but also that everything we write or say on the phone or Internet should be "transparent" to government as well.
That's a rather Faustian sort of bargain that I suspect most of us didn't know we were signing up for, so to speak.
To be sure, this isn't a mindset restricted to Obama, or one political party, or even the USA.
Over in Europe (and elsewhere) a similar "wolf in sheep's clothing" hypocrisy has also taken hold in governments, in dimensions ranging from censorship to surveillance.
In the EU, demands for massive law enforcement inspired, government-mandated consumer data retention regimes have become common, at the same time that dangerous, Orwellian concepts like "the right to be forgotten" and micromanaged censorship of search results are frequently promoted by regulators and other officials.
Meanwhile, we see a fetishistic focus on harmless Web cookies and anonymous ad personalization systems that have hurt nobody, while government demands for politically expedient censorship (doomed to ultimate failure, but still intensely harassing and treacherous) continue to intensify.
Some of these specific hypocrisies are also beginning to show up here in the U.S. as well.
It is almost a given that governments -- going back to the dawn of human civilization -- will rarely be able to resist the urge to try entice us with shiny baubles with one hand, while eviscerating our liberties with the other.
You don't even need to invoke concepts like "evil" to understand this. More often than not, these leaders genuinely feel that they're doing this for our own good, to protect all the "little people" who just don't understand what we really need.
Given that this is pretty much the historical status quo, you may feel comfortable with this state of affairs, or at least resigned to it.
That would be an unfortunate attitude in the extreme, for all of us.
Because the Internet, with its inherent ability to allow us to communicate directly and instantly between individuals, countries, and cultures in a manner never before imagined, does provide us with enormously powerful tools and capabilities unavailable to citizenries of the past.
This is why, not at all coincidentally, so many governments around the globe are trying so very hard to control the Net, to shape it to their own image -- a task fortunately made very difficult by the Internet's fundamental design philosophy.
But that technological genius will be of comparatively little use to us if we don't avail ourselves of it, and especially if we don't "connect the dots" and "see the forest for the trees" in terms of the issues where the Internet's communications power can be brought productively to bear, especially when governmental hypocrisies are involved.
Governments will keep trying to entice us with their baubles, but the Internet is the very foundation of our rights and freedoms for the future -- most especially for the "little people" like us.
May 08, 2013
Search Like a Spook! - NSA's Guide to Web Research!
Search Like a Spook! - NSA's Guide to Web Research! Just declassified! Not a joke! How to "hack" search engines like a government agent!
Seriously, this 600+ page PDF, which NSA just released under a FOIA request, is 100% legit. I downloaded it myself from NSA, and am providing this local copy as a public service. It's over 40MB, so please be patient.
May 06, 2013
Adobe Gives the Little Guys the Finger
You may have heard by now that Adobe, long-time manufacturer of Photoshop and related software products, has finally brought out the big hammer, and smashed it down firmly on the heads of individuals and small businesses.
What? You haven't heard this?
Perhaps you heard that Adobe is switching to an "Internet always required, subscription only" model for their "Creative Suite" products. If you've seen those articles today, you probably saw business writers waxing poetic over what a wonderful move this is by (and for) Adobe. These same authors are generally implying that it's a great deal for users, too.
And it is -- if you're willing to let Adobe weld a ring and chain to your nose (and wallet).
The clue to this seeming paradox is revealed if you look at the reader comments on most of these articles, which (at least so far) seem to be overwhelmingly negative.
How could this be? After all, these have always been premium software products, why should anyone get bent out of shape by their move to a subscription model and requiring the Net for use?
The devil, as always, is in the details.
There are some applications that naturally benefit greatly from a move to "the cloud" in various contexts, especially when staying up to the minute with security fixes is involved.
Email and document collaboration are two obvious examples, with Microsoft trying to play catch-up with Google in this context.
And even then, pricing matters -- a lot.
Basic Google services are free. The business version of Google Apps is $5/user/month (a bit less on an annual basis).
But Adobe is aiming for much bigger bucks -- their pricing schedule shows monthly fees up to an order of magnitude higher than that $5, or even much more.
Now, obviously Photoshop has a very different feature set than Google Docs.
And Adobe's prices have always been of the premium variety, even as increasingly powerful Open Source tools (like GIMP, for example) have become very widely available.
For larger businesses for whom cost isn't much of an object, it's (as the old saying goes) six of one or half a dozen of the other whether they're on a subscription model with Adobe or not. They're likely pretty much locked-in anyway for logistical and workflow reasons if nothing else.
But if you're like an awful lot of people and smaller businesses I know, you've justified the premium price of Adobe Creative software products on the basis that you simply didn't need to upgrade them all that often for the features you need.
Perhaps you skipped every other upgrade cycle, or upgraded even less frequently, and have been quite happy anyway.
Well, Adobe isn't happy with you. They want you to be upgraded at all times at those premium prices, no ifs, ands, or buts. And not only are you forced to pay premium prices, if you ever stop paying, you're left with ... nothing. You don't even have an older version that suited you just fine to run any more. Poof!
Adobe claims their pricing offers an "inexpensive" way into their Creative world (hey, even pay without an annual commitment if you're willing to hand over a lot more cash -- not a small increment, mind you).
But this is the oldest game in the book, evolved to a fine art by generations of used car salesmen. Hook in the suckers by concentrating only on the monthly fee, and by all means don't let them think about how those will be adding up over the months and years.
Again, we're not talking $5 a month here. We're talking much higher amounts.
It seems obvious that part of Adobe's plan (in addition to the added anti-piracy, forced connectivity aspects) is to cull the herd of those "unproductive ingrates" -- the customers who simply refused to upgrade every cycle to get the latest fancy doodads that they didn't require or use. And in the process, Adobe wants to sucker in folks who don't bother calculating the cumulative costs on those monthly charges, even though most of these users would likely do just fine with some of the great Open Source alternatives (if they even know about them, which they probably don't).
I've actually been a long-time supporter of Adobe products like Photoshop and Premiere. But yes -- I'll admit it -- I'm one of those "bottom-feeders" by Adobe's definition, who somehow has managed to be satisfied with older versions of their products without frequently funneling more cash in Adobe's direction.
I'm also a big supporter of cloud-based services -- they can bring great benefits in an array of contexts -- where they're appropriate, make sense, and above all are appropriately priced.
But as we see with Adobe, it's also possible to use this model and an aggressive pricing structure to fleece the sheep, and frankly, I believe that is what Adobe is doing here as far as individuals and many small businesses are concerned.
Of course, this is only my opinion. Perhaps you disagree with me totally regarding Adobe's new philosophy.
In that case, you might wish to wander over to the many articles about Adobe's changes that are filling up with negative comments from upset Adobe users.
I'm sure that Adobe would appreciate your posted thoughts in support of their brave new world.
May 04, 2013
Dealing with Claims That the Government is Recording All Phone Calls
You may have heard buzzing by now that the talking heads of cable news are all aflutter over comments (on CNN) by a "former FBI counterterrorism agent" implying that the federal government is recording all domestic telephone calls, and needs merely to go digging into that archive to find "conversations of interest" related to the Boston bombings.
OK, let's talk about this for a moment (no pun intended). Many years ago, I publicly discussed the data requirements for "recording all telephone calls" and postulated that it was becoming technically feasible. This is not, however, the same as saying it is actually being done. There are several considerations.
First, I take anything said by "former FBI counterterrorism" operatives with more than a grain of salt. This whole sector -- like the intelligence community in general -- is rife with layers of purposeful misdirection and obfuscation. Never take anything you hear from these spooks at face value. Never.
It is now fairly well known that NSA, et al. have for decades taken the view that "merely" recording traffic is different from actually examining it -- but this has been almost entirely in the scope of international communications, and I know of no legal predicate under which NSA (or FBI, or another government entity) could collect *domestic* communications legally *en masse* as described. Of course, laws can be broken.
But the biggest reason I am doubtful of these claims is that I find it difficult to believe that surreptitious data collection of phone calls on that scale is possible without a very noticeable dribble of very explicit leaks. Somehow the same people who feel that the government is incompetent at most things believe that the government could keep all that data bottled up, with all those enticing phone calls (whether related to national security or just phone sex), without leaks.
I'm not talking here about one guy with claims about a secret telco cabinet.
There'd be so many people at various levels who would have to be involved in such a massive operation as a vacuum cleaner recording of domestic calls, that it's almost inconceivable there wouldn't be leaks not only about specifics of the program but of actual calls. The amount of money that would be offered by the gossip sites alone would be astronomical.
There's another problem too. You can't explicitly *use* any of the data from such a program without risking its exposure and an enormous blowback against everyone involved. Even if you only use the data to try track other leads, you risk massive unraveling if anybody slips up on something of this scope.
Now, obviously, I could be wrong in my speculation. I have no inside knowledge to impart. Perhaps somewhere inside the Beltway there are guys sitting at giant screens in hidden basements reading this right now and chuckling at my naivete.
Or perhaps, we're indeed being suckered by claims of capabilities that do not actually exist.
We shall see in the fullness of time.
May 02, 2013
Expel and Arrest the Best Students: The USA's Road to Ruin
By now you've probably heard the story of 16-year-old Kiera Wilmot in (you almost could guess this) the once great but now poster child for government mediocrity state of Florida.
When she mixed a couple of chemicals together as an experiment on school grounds, she created a micro-explosion -- really just a loud poof -- that didn't hurt anybody or damage anything. The same sort of experiment that thousands of creative youngsters have performed for generations, back in the days when chemistry sets still had actual chemicals in them, and creativity itself wasn't considered to be a crime.
Should she have been doing this without explicit permission and supervision? Probably not. A reasonable punishment might have been a safety lecture, or at the far end a couple of days of after school detention.
But this is Florida. Her high school called out the goon squad, had her arrested, hauled away in handcuffs, and charged with a felony (to be tried as an adult) -- possession/discharge of a weapon on school grounds and discharging a destructive device. In other words, the lunatic State of Florida is hell bent on destroying her life.
Did I mention that Kiera is also black? Good ol' Florida. If there's one thing you can depend on from the "Sunshine State," it's that when it comes to health care, the justice system, education, and pretty much everything else, they'll do everything in the most punitive, unthinking, unethical, and morally corrupt manner possible.
Just to be clear, I'm not saying that everyone in Florida fits these deplorable categories. But the people of Florida get the kind of government they vote for, and can't complain if they're judged by the results, just like everywhere else.
And I'll even cut Florida a break. They're not alone in their idiotic, asinine behavior when it comes to education and dealing with kids.
Across the country, we've been treated to a late night horror movie sequence of young children -- some barely able to walk by themselves -- being tasered, handcuffed, arrested, interrogated, expelled, and worse for all manner of harmless behaviors -- with school district officials usually hiding like cowards behind so-called "zero tolerance" rules that help to make the USA educational system a laughingstock of the world.
When we have little children being accosted by authorities for biting their cookies into the shape of a gun, you know the lunatics are running the asylum.
I haven't heard reports of American children being waterboarded by school officials yet, but given the actions of officials to date -- most of whom probably shouldn't be let anywhere near children at all -- we'd be unwise to totally discount the possibility of such behavior. (You think I'm exaggerating? You've heard the one about the strip searches of kids to try find a few missing dollars? When you have that kind of perverted antisocial mentality running schools, I'd submit that pretty much anything could happen.)
Now admittedly, there are some things that the American educational system is good at. For example, there's increasing evidence that we're just stellar at driving children to the edge of mental and physical illness (and increasingly, beyond the edge) with standardized tests that often cover material that was never taught, and that put such pressures on the system that kids are vomiting and teachers are rigging results to try get by. Great work, if your goal is making sure that our country's competitive decline in the global community becomes the most permanent and prominent aspect of our history going forward.
But everything is relative, and we can pull the camera back even farther, and see how the failings of our schools represent the broader failings of a corrupt and toxic political process, with many prominent politicians sounding like they themselves never made it past third grade. But ask them to quote the bible, and they'll bend your ear with their explanations of what God wants for us all.
Small wonder then that we see increasing political attacks on science research and funding, and attempts to replace peer review with bible thumping.
Sometimes it's not easy to see the forest for the trees.
But when it comes to the utter insanity that has increasingly become part and parcel of our educational and political systems, the "connect the dots" cause and effect is staring us in the face, directly from the mirror.
This is our fault. It is perhaps the ultimate realization of Pogo's "We have met the enemy and he is us."
We have permitted this nonsense, this anti-intellectual horror to metastasize throughout our society, even as we push into the Internet age where science, reason, and education will be critical, crucial, indispensable to our personal and collective futures.
It is unacceptable for the small and perverse minds who would declare an inquisitive teenager a felon, or a cookie-wielding child a menace, to be anointed with such power to literally destroy our civilization -- piece by piece, child by child.
For it is in education and our children that the entirety of our legacy ultimately rests. It is not at all an exaggeration to suggest that if we don't change course from toxic stupidity, we are ultimately and deservedly doomed.
Changing the course of a gigantic ship headed toward a waterfall of destruction cannot be accomplished instantly.
But we can at the very least begin by introducing a modicum of common sense back into school policies that currently seem to have been based on prison procedures, and to stop using handcuffs, jail cells, and electric prods as our most visible and powerful educational tools.
The choices, as always, remain very much our own.
April 28, 2013
"Sixteen Gigs" (With Apologies to Merle Travis and Tennessee Ernie Ford)
When you really think about the stranglehold that the dominant ISPs have on Internet access services here in the USA, it's easy to be concerned, upset, or even angry. In the past when folks felt this way, protest songs were a common form of both relief and exposition.
If it worked for them, perhaps it can work for us. This made me feel a little bit better, anyway. Enjoy.
To the tune of "Sixteen Tons"
With apologies to Merle Travis, who created the classic.
And to Tennessee Ernie Ford, who made it into a standard.
MP3 Audio Performance (2:23 minutes / ~2MB)
Lyrics Copyright © 2013 Lauren Weinstein. All rights reserved.
My job is pushing files,
Through the whole darned day.
It's as boring as hell,
And it sure doesn't pay.
All bits and bytes,
And error screens,
A few hours of that,
And you want to just scream.
You push 16 gigs,
What do you get?
Connections so sluggish,
And a bandwidth cap yet.
Almost every day,
There's a new damned fee.
I owe my soul to my I-S-P.
My service provider,
Says I shouldn't complain.
He says we dumb subscribers,
Just deserve our pain.
Since we're so darn stupid,
That we pay him at all,
We should be satisfied,
With connections that crawl.
You push 16 gigs,
What do you get?
Connections so sluggish,
And a bandwidth cap yet.
Almost every day,
There's a new damned fee.
I owe my soul to my I-S-P.
I tried to switch providers,
But it got me nil.
From frying pan to fire,
For the same high bill.
My new data speed,
Is running just as slow.
And when I try to complain,
They tell me just to blow.
You push 16 gigs,
What do you get?
Connections so sluggish,
And a bandwidth cap yet.
Almost every day,
There's a new damned fee.
I owe my soul to my I-S-P.
Our Internet speeds,
Are just a joke,
It's so true.
We screwed this all up,
And it makes me so blue.
I have only one wish left,
Before my eyes,
I pray to see Google Fiber,
Before I die.
What do you get?
Connections so sluggish,
And a bandwidth cap yet.
Almost every day,
There's a new damned fee.
I owe my soul to my I-S-P.
- - -
April 27, 2013
The Coming War Against Personal Photography and Video
Are you ready for the imagery war -- the war against personal photography and capturing of video? You'd better be.
The title of this piece actually isn't entirely accurate. In some ways, this war isn't just coming, it's already begun. Forces are lining up on both sides, under the radar for most of us so far, but preparing for action. And right now, if I had to place a bet (cash, not bitcoins, please), I'd reluctantly have to predict the anti-imagery folks have the better chance of winning.
There are many facets to this struggle, and they interact in complicated and sometimes even seemingly contradictory ways. It's largely a battle pitting technology against a range of personal sensibilities -- and politics will be playing an enormous role.
And please note the following well -- if we techies attempt to argue that no significant relevant issues actually exist, if we are perceived to be arrogant in our reactions to the various concerns being expressed, we are likely to be steamrolled by the opposition.
I said there were contradictory forces in play, and man, do I mean it.
In the aftermath of the Boston bombings -- cameras were everywhere there -- which, while horrendous and tragic, killed and injured fewer people than just a few days of "routine" gun violence here in the USA, we're hearing the predictable calls for vastly expanded government-operated video surveillance networks, even though virtually every study shows that while these systems may be useful in solving crimes after the fact, they are of little to no use in preventing crime or terrorism in the first place. This has proven true even in cities like London, where there's a camera focused on pretty much every individual pimple on each Londoner's face.
In some cities, like New York, the surveillance-industrial complex has its fangs deeply into government for the big bucks. It's there we heard the Police Commissioner -- just hours ago, really -- claim that "privacy is off the table."
And of course, there's the rise of wearable cameras and microphones by law enforcement, generally bringing praise from people who assume they will reduce police misconduct, but also dangerously ignoring a host of critical questions.
Will officers be able to choose when the video is running? How will the video be protected from tampering? How long will it be archived? Can it be demanded by courts? Divorce lawyers? Insurance companies? Can it be enhanced and used to trigger prosecutions of new crimes, perhaps based on items in private homes captured on video when officers enter? What will be the penalties when clips of these videos, often involving people in personal situations of high drama and embarrassment, often through no fault of their own, leak onto video sharing sites?
All of this and more is the gung-ho, government surveillance side of the equation.
But what about the personal photography and video side? What of individual or corporate use of these technologies in public and private spaces?
Will the same politicians promoting government surveillance in all its glory take a similar stance toward nongovernmental applications?
Writing already on the wall suggests not.
Inklings of the battles to come are already visible, if you know where to look.
The push-backs against Google Street View -- more pronounced outside the USA to date but always simmering in the background -- are one obvious example. Even though this imagery is captured either from public thoroughfares or with explicit permission, this extremely useful service has generated considerable angst, and even though the concerns are way overblown, we can't deny the angst itself is real and of political note.
An ironic side note. People not infrequently send me emails asking if I can tell them how to have their homes removed from Street View. I point them at the established procedure, but I always mention that having a gap in the imagery where your home should be is more likely to attract attention to it than anything else. That never seems to dissuade them, however. We're dealing with emotion, not logic.
Governments -- while ever expanding their own surveillance regimes -- can be extremely antagonistic to personal photography.
Only recently has a broad right for individuals to record police activities in public places been established by courts, and trying to exercise that right can still net you a club across the face and a trip to a cell. Individuals are routinely harassed when taking hobby photos of railroads, or bridges, or storefronts -- or pretty much anything these days, based on asserted (but generally unsupportable) security or privacy grounds.
Anti-paparazzi laws restricting personal photography have begun appearing, as have a variety of laws aimed at the perverted practice of "upskirting" -- both classes of laws often subject to much broader interpretation by overzealous authorities.
Laws have been proposed restricting aerial photography in general, and drone-based video capture in particular (the latter already seeing considerable political traction).
And as an outgrowth of parental concerns (particularly regarding third-party Internet postings of associated still and video photography) there are efforts underway to restrict public photography of children by other than their parents -- in a wide variety of public locales -- a topic with a particularly powerful influence on politicians, we should remember.
Laymen often assume that if you're in a public place, you can legally do pretty much whatever you want in these sorts of contexts.
But that's not always true, and is subject to the whims of our increasingly toxic political environment.
For example, many people believe that you can legally, secretly record conversations in public. But this varies state by state. In California, for example, under most circumstances you cannot legally record a conversation, even in public settings, unless all parties to the conversation agree. This holds true regardless of the recording medium -- anything from an old tape machine to the latest wearable video device.
This holds true in mobile environments like personal cars as well, though governmental regulatory focus in that respect is more likely to be aimed initially at perceived cognitive distraction issues.
At the federal level, there is already a concerted push to tightly regulate both handheld and hands-free devices, with a special emphasis on any devices in the visual field that can be used for texting, display of movies, or pretty much anything else. The irony here is that while one could argue that, for example, a wearable GPS mapping display would be less distracting than glancing over at a dash-mounted screen, the capabilities of these devices to engage in a broad range of other potentially more distracting activities will likely attract the attention of insurance companies and regulators (this is actually already a topic of discussion among both groups).
There is in fact something of a possible worst case scenario that we would be foolish to ignore. While techies and many others will be enamored with and responsible in their use of wearable video/audio gear like Google Glass, the potential exists for this class of technology in mass deployment to trigger significant political and regulatory backlash that could negatively affect other types of photography as well -- everything from expensive cameras to the image capturing capabilities of cellphones.
To understand this risk we must remember that politicians generally take the path of least resistance with the highest "CYA" potential.
While spy-cams and other similar tech have long existed, the widespread availability of wearable gear outside that context (note we're not talking only about Google Glass, but the inevitable cheap knock-offs that will not meet Google standards) could, for example, trigger nervous parents' worst fears.
A significant percentage of the population -- in stores, restaurants, other businesses, or wherever -- will be concerned, whether in the restroom, or the gym, or the strategy meeting, that they just can't be sure the guy with the glasses isn't actually recording or streaming at that moment. People who have heard stories of malware accessing webcams without lighting the activity lights may never quite trust such signals again.
One would hope that politeness, common sense, and evolving voluntary social conventions would deal with these issues appropriately, reducing the pressure for governmental involvement.
But again, we're dealing here with emotion more than logic, and emotion makes laws. Bad laws usually, but laws nonetheless. And laws are often written with the minority of people who are bad actors in mind, not the bulk of reasonable folks.
We all still end up having to live with these laws, in any case.
I don't have a "magic wand" solution for this situation.
My gut feeling though is that we'd be making an enormous mistake by appearing arrogant about these matters.
Already, in various venues where enthusiastic supporters of such technology gather, the primary attitude most visibly espoused has been to dismiss those persons expressing concerns about these technologies as being "out of touch" or easily ignored or beneath contempt.
If you really want to have politicians and regulators come down like a ton of bricks not only on this technology, but on other aspects of personal photography as well, then by all means continue with that demeanor.
On the other hand, if you'd prefer a more beneficial outcome all around, I'd strongly urge putting aside any arrogance, and instead working with others to engage politicians and regulators in reasoned, logical discussions that actually address their concerns (whether we personally feel that those concerns are valid or not) in a cooperative way. Otherwise, we're likely setting ourselves up for a big fall.
It would be ironic indeed if in the war against personal photography and video, those of us wanting the maximal possible photographic freedom allowed our own swagger to effectively point our own "weapons" at our own heads.
April 23, 2013
In the Wake of Boston Bombings, Misguided Demands for YouTube Censorship
Frankly, I was expecting such a call, and sure enough it arrived yesterday. A reporter for a significant media outlet wanted my opinion on the thesis that YouTube and other video sites should be self-censored and/or censored by governments to remove "all materials" that could "be of help" to would-be terrorists.
This meme is not new, but was inevitably resurrected with word that the Boston bombing brothers supposedly were inspired and trained largely from Internet videos posted by various radical groups.
Now, before we proceed, a few words about the media. It's popular these days to paint mainstream media in particular with a very broad, largely negative brush. In my personal experience, this is mostly unwarranted.
Most reporters I come into contact with -- and this holds true for print, web, radio, and television venues -- are trying to do a good job, often under significant editorial time pressures and associated constraints.
The majority are interested in getting straight information to help them make an accurate presentation. I call these reporters the "seekers of knowledge."
There is however also a minority that are essentially only interested in getting quotes to try to add "gravitas" to an already largely pre-written story, article, or other presentation that is predestined to take a particular point of view regardless of what facts come to the reporter's attention. We can call these reporters the "seekers of confirmation."
If your statements to the latter type do not well synchronize with their preconceived ideas and points of view, you can depend on your input being discarded and, most likely, you will never hear from them again.
The reporter who contacted me yesterday was indeed in this second category.
So after I explained to him that the concept of video (or for that matter, other information) censorship that he was proposing was a completely abhorrent and utterly impractical attack on civil liberties, I was not surprised when he suddenly "got another call" and quickly terminated the conversation without so much as a thank you.
I believe what really upset him was my explanation that such Internet censorship attempts could actually be extremely counterproductive. They would mainly serve to make it more difficult for authorities to easily observe what sorts of materials were circulating, since censoring of public sites would by no means eliminate "items of concern" from availability, but would instead drive them underground into the so-called "darknets" where, for example, photos and videos related to child abuse remain widely accessible, despite attempts by service providers and authorities to stamp them out.
Especially when dealing with videos or other information that are espousing radical concepts, even violence, censorship is not the answer. Censorship attempts will not be effective, and can very easily make the problems that censorship was aimed to address much worse, not better.
The appropriate response to information of concern is not to try to eliminate or block access to those ideas and concepts, but rather to provide more information, better ideas and concepts, and powerful counterpoints.
Trying to censor even outright lies will almost always fail. The antidote to lies is not censorship, but truth.
And truth be told, often the forces of evil are much faster to adopt new technologies to their advantage, while their adversaries stay stuck in old, ineffective methods of battle -- like censorship -- that are as obsolete as lobotomies in the Internet world of the 21st century.
There's a maxim that "for every complex problem there's a simple, wrong answer."
In the wake of the tragedies in Boston, it is to be expected that even many well-meaning individuals and authorities would be desperately searching for a "simple" answer to the complicated, multifaceted specter of terrorism.
But that old saying still holds true. There are no simple solutions for terrorism. Attempts to counter associated videos and related materials with censorship are doomed to failure.
Rather, the answer again is more information, not less.
The answer is straight talk about why terrorism is a path not to justice, but to evil.
We must learn to use the tools of the Internet at least as well as our adversaries, not by playing desperate, hopeless games of censorship Whac-A-Mole, but by uploading light to push out the darkness.
Get to work on those videos.
April 21, 2013
The Boston Bombings, Knee-Jerks, Arthur C. Clarke, and CISPA
A couple of days ago on my Google+ feed, I mentioned that this has been one of those weeks where I've really felt that I've been channeling Mr. Spock.
This generated an immediate comment from one of my regular followers, who noted that it seems to him that I'm actually doing that 52 weeks a year.
But as we consider the events in Boston of the last week, it's worth keeping in mind the incredibly bad decisions flowing mainly from emotional responses to 9/11, that appear poised for a repeat performance now.
I don't really need to remind you of the list, but here's just a quick refresher of a few examples. Emotion over logic yielded us DHS and TSA with their heavy-handed abuses, wars in Iraq and Afghanistan that have been unimaginably expensive in terms of lives and treasure with no real positive results to be seen, the rise of targeted "video game" killings via drones with significant deaths of innocents including children, and generally an increase in anti-U.S. hatred that has radicalized even some American citizens whose backgrounds were originally devoid of any terrorist leanings.
Now, in the wake of the Boston bombings, we're hearing familiar themes once again.
More cameras. Drones galore. Fewer civil liberties.
You know the drill.
Politicians are incredibly sensitive creatures in their ability to sense the public attitude of the moment, especially if it can help them come the next election. Whether or not they act on these signals depends on their perceived risks/benefits analysis.
Thus we see politicos ignoring the will of 90% of the U.S. population in favor of expanded gun background checks, but we also already see these same elected officials now scrambling to jump on the knee-jerk technological surveillance bandwagon, even if a week ago they were taking an essentially contrary stand.
Technological realities are generally not germane to their analytical viewpoints.
We know a lot about domestic video surveillance now, and the overwhelming bulk of evidence suggests that it is relatively useless in stopping terrorist attacks (or even much ordinary crime) and is mainly of use to track down culprits after the damage is already done -- if then.
This proved true even in the case of the Boston bombings, the locale of which must have represented one of the densest concentrations of video and still photography in a single location in history. And even there, despite what you might have heard, highly touted tech such as facial recognition systems apparently played virtually no role at all. The reality is that these systems are only useful under very narrowly defined conditions, the breathless pronouncements of their vested supporters notwithstanding.
And in addition to knee-jerk reactions, we have actual political jerks as well.
Since the capture of the teenage bombing suspect now in hospital -- a naturalized U.S. citizen, by the way -- we've already seen the specter of GOP senators expressing their disdain for the U.S. justice system, demanding that he be declared an "enemy combatant." This despite the fact that based on what we know right now, there is no legal justification for such a determination, and in fact the enemy combatant system -- which could have been better run by "The Three Stooges" -- is tied up in knots of incompetency which make the worst problems in the conventional justice system look trivial by comparison.
And what was unspoken by these U.S. senators was explicitly tweeted by a New York state senator, who apparently graduated from the Air Force Academy without understanding what the Bill of Rights is all about, who blatantly called for "torturing the punk."
To my mind, the sensibilities expressed by these officials are far more dangerous to our civil liberties and way of life than any terrorists.
There are those two words again that so many politicians attempt to ignore: civil liberties.
Understandably pushed into the background during the week was the U.S. House of Representatives passing CISPA legislation that would enable information sharing between government and private industry, that many observers view as rife with the potential for civil liberties abuses.
CISPA is a complex topic. There is no denying that there are actual "cyber" threats. Some of the major Internet firms that had been more openly opposed to previous legislative attempts along these lines have not been presenting formal stances one way or another on CISPA, likely assuming (with some genuine justification from their standpoints) that the current bill is probably the best they could hope to see in the ongoing toxic political atmosphere, and that anything else likely to appear would probably be even worse all around.
In my view, and the view of many others, cyber threats -- while they obviously do exist -- have been vastly overstated by homeland security and military entities, and of course by their affiliated contractor minions in what we might call the "cyberwar-industrial complex" (or my preferred term, the "cyberscare-industrial complex").
Their purpose is clear enough. Sow FUD -- Fear, Uncertainty, and Doubt -- in a blatant attempt to accumulate vast resources (both in terms of power and funding) for their own ostensibly offensive and defensive "cyber" regimes, that will enhance their own organizations, not to mention their post-military employment and financial opportunities.
Cyberfear is perfect for these goals. It's almost impossible to prove that a "cyber attack" (whatever that actually means) came from any particular source, or to defend against such accusations. This makes blaming your current "designated enemy" politically expedient indeed.
There are real world consequences to this approach. Already, we've seen high ranking defense officials claiming that "cyberwar" is more dangerous than conventional terrorism. They impress politicians with carefully rigged demos of imaginary cyber-based infrastructure attacks, and demand ever more money for their "cyber armies."
Until bad publicity got in their way, they were even disgracefully planning to give medals to "cyber troops" (and also to remote drone operators, by the way), who faced absolutely no personal risks compared to our brave troops actually fighting in the trenches.
This is all basically part of a concerted effort to elevate military cyberops to the same level as conventional war -- made all the more explicit by arguments about when a conventional retaliation is justified in response to a cyber attack. And remember, as we just discussed, proving where a cyber attack actually comes from is highly problematic. How handy.
Yet if we pull back a bit and look at the broader picture, we find that the disingenuous nature of these official pronouncements is even more extreme.
The disgraceful fact is that we see officials attempting to equate people being unable to access online banking for a few hours to the situation engendered by a terrorist carrying a suitcase nuke into the heart of a major city.
We see enormously overblown concerns about Internet-based infrastructure attacks, when the reality is that one guy in the desert with conventional explosives could take down a high tension power line and be enormously disruptive, or cut off water to millions by simply blowing away a chunk of a major aqueduct. And so on.
But there's no political "sexiness" -- no major funding or power grab opportunities -- in trying to defend against low tech attacks that can be extremely effective, but nearly impossible to prevent.
Remember, officials shut down the entire Boston area, invoking what could arguably be called a de facto martial law condition, to search for a single teenaged suspect armed only with conventional guns (thanks NRA!) and homemade explosives of a sort that anyone could produce in a few hours after gathering components at the local Walmart.
Which brings us back to CISPA.
At least prior to last week, word from the White House was that President Obama's advisers would urge that he veto CISPA if it reached his desk (after consolidation with any parallel Senate legislation) without significant pro-privacy changes.
That is, this was the word we had prior to the incredibly low tech but still quite effective attacks in Boston, conducted by a pair of youthful brothers who apparently didn't even have an effective escape plan in mind, and despite thousands of video cameras in the immediate vicinity.
Given all that we've reviewed above, I would not be at all surprised to see the president backtrack and now be viewed as being much more accepting of CISPA, bowing to the political pressure that will be actively attempting to conflate even the amateurish attack in Boston -- based on hardware from a hardware store, not from a computer store -- with the exaggerated and self-serving FUD of the cyberscare community. I personally still hope that President Obama holds firm to his originally reported stance in this regard.
More than sixty years ago, Arthur C. Clarke published a short science fiction story called "Superiority" -- that we should very much keep in mind today.
It tells the saga of an interstellar war, where the technologically far superior side, by virtue of diverting so much of its attention and resources to high-tech systems that never really performed as promised by their proponents, was ultimately overwhelmed by its technologically inferior adversaries using comparatively low-tech weapons.
As we consider the aftermath of Boston, and the potential effects of CISPA, it would be unfortunate indeed -- and yes, "highly illogical" -- if we fell into the same trap as the losing side in Clarke's story, all the more so if our civil liberties become collateral damage in the process.