Foolish and Dangerous: Europe’s Clothing Attacks Against Muslim Women

I am probably among the last guys on this planet who would normally ever become concerned about issues related to clothing fashions of either women or men. But I do care a lot about civil liberties and fighting terrorism, so it’s impossible for me to ignore the stupid, inane, and frankly dangerous actions by officials in France who have been banning the women’s fashion popularly known as the “burkini” from beaches along the Riviera.

The burkini — primarily a choice of some Muslim women but reportedly with around 40% of sales going to non-Muslims — is a beach garment that only exposes the face, hands, and feet. Frankly, given the increase in ultraviolet radiation and risks of sunburn or much worse these days, this indeed sounds like an eminently practical garment for a lot of folks, irrespective of their religion.

Oh, but not in France. Not in the land of “Liberté, Égalité, Fraternité” (Liberty, Equality, Fraternity), from where photos and videos are appearing showing armed police forcing women to remove clothing at the beach, then ticketing them for failure to wear “an outfit respecting good morals and secularism.”

But beaches where women can go topless or nude in France? Hey, no problem there, eh?

Now, I have nothing against “clothing optional” beaches.

But the sheer hypocrisy on display by French officials in the context of the burkini ban is nothing short of breathtaking.

While French officials have attempted to claim otherwise, their actions are a direct attack specifically on women who choose to dress modestly at the beach — and yes, while that doesn’t mean only Muslim women, the French focus against Islam in this instance is obvious to everyone.

This is only one example of Europe’s growing obsession with restricting the clothing choices of Muslim women.

It’s not just burkinis under attack, but also other forms of traditional Muslim dress ranging from burkas to simple head scarves.

Ironically, these European governments are imposing their own “clothing oppression” while claiming that they’re protecting Muslim women from religious oppression! This displays either vast ignorance or massive hypocrisy or both — since many Muslim women prefer these modest forms of dress, and are not forced nor coerced into wearing them.

In any case, for governments to dictate women’s clothing choices in this manner is abominable.

I’m not a religious person, but I consider religious freedoms being trampled this way by ostensibly enlightened countries in Europe to be utterly disgraceful.

Worse, it’s potentially extremely dangerous, since it plays directly into the hands of radicals who can easily leverage these government actions into “War on Islam” propaganda to inspire terrorists and other criminals. It’s almost as if these governments are purposely choosing dictates most likely to provide terrorists with as much ammunition as possible for evil efforts.

France and the rest of Europe need to get their figurative heads out of their figurative behinds. They need to be working on the foundational issues of conflict within and related to the Middle East, not women’s choices in clothing.

And they need to stop behaving as if the West is on the verge of a new Crusade against Islam.

Europe’s current approach is wrong and foolhardy, and can only lead down the path toward further intolerance and hatred — and risks sucking the entire world down into an endless nightmare significantly of these governments’ own making.

–Lauren–
I have consulted to Google, but I am not currently doing so — my opinions expressed here are mine alone.
– – –
The correct term is “Internet” NOT “internet” — please don’t fall into the trap of using the latter. It’s just plain wrong!

When Hiding Passwords Is Stupid — or Worse!

As I’ve noted a number of times previously, the fact that we still have accounts “secured” by passwords this far into the 21st century is pretty much a security abomination. Adding on multiple-factor security tokens and such is a big help, but passwords themselves remain a weak link in the chain of security, and a vast number of sites and apps rely on passwords without any additional authentication measures at all.

Since the dawn of online systems, it has been standard practice to obscure the display of entered passwords by one means or another.

There are basically two reasons for this. One is the obvious issue of someone looking over your shoulder while you’re logging in.

The other is steeped in computing history.

Early online systems were primarily accessed with paper printing terminals (e.g. Teletype Model 33, IBM 2741, etc.), and leaving around or carelessly disposing of a printout with your password visible could be a serious mistake.

The earliest printing terminal systems were often “half-duplex” in design, meaning that typed characters were echoed locally. To obscure passwords in this instance, the common technique was for the system to overprint a bunch of characters a number of times before the user entered their password over the resulting black blob of ink. This wasn’t foolproof, but was remarkably effective at the time.

For printers on full-duplex circuits, it was possible simply to suppress any echoing of the user password at all, or to print a character like asterisk in place of each typed character.

This same basic model continues today on the Web and in app ecosystems.

Entered passwords either aren’t echoed, or commonly are replaced with asterisks. Some app systems will give you a brief glimpse of the input character before replacing it with an asterisk.

Unfortunately, these kinds of techniques have become decreasingly useful as users have been encouraged or required to use ever longer, ever more complex passwords and passphrases, because the probability of mistyping these entries increases with their complexity.

And it isn’t just a matter of having problems logging in.

The same obscuration techniques are often employed when setting or changing passwords, typically combined with the ever-popular “enter it again” prompt or field, based on the flawed theory that you’d never type the same obscured input in error twice and so set your password incorrectly (and locking yourself out) as a result.

For that matter, even typing the same complex password twice in a row in an obscured field to set the password correctly can be an exercise in frustration.

Recently, the trend toward obscuring input fields has been spreading to all manner of other entries as well, including check account data, credit card numbers, even dates of birth — and much more. I’ve seen forms where even the fields for inputting your first and last names were obscured with asterisks!

Such obfuscations wouldn’t be such a significant problem if there existed a routine way for the user to disable them on demand.

It’s stupid — bordering on insane — to force users to jump through the hoops of blindly entering complicated passwords or other data when they’re alone and there’s no risk of anyone surreptitiously peering at their screen.

And for users with poor typing abilities, motor skill or visual limitations, or other related issues, these input methodologies can be downright abusive. This is one of the most common complaints showing up in my inbox about interface issues.

But wait, it gets even worse!

Many user interface designers, laboring under a twisted misconception of security, purposely make it even more difficult for users to enter their passwords, by rigging their pages or apps to prevent copy/pasting of passwords, and/or by blocking the use of password managers, field autofill systems, and so on.

This really isn’t rocket science.

Except in crucial enterprise environments or especially elevated security situations, it should be common practice for user interfaces to provide a method for the user to see their passwords or other data as they enter it if they choose to do so — a simple enabling checkbox with an appropriate warning would suffice. And this would be the display of the entire password or other input, not just a flash of each letter as it’s being typed.

Some systems already provide this to one degree or another, but this is relatively unusual to find.

Android for example has a little “eye” symbol next to where you enter Wi-Fi passwords, that can be clicked to display the password. This is good, though I’ve had many users tell me that they had no idea of what that symbol meant and so didn’t realize that they could view their Wi-Fi passwords in that manner.

But again, this is an exception to the more general situation of user interfaces across the Web and app worlds that don’t provide such options.

We should be striving to completely eliminate passwords from our systems, replacing them with more robust authentication and security models.

For now though, we still must live with passwords in most cases, and the option should be routinely provided for users to display entered passwords or other obscured data when they choose to do so.

And as for those user interface designers who purposely and unnecessarily block tools and techniques that would make it simpler for users to enter complex passwords — well, since this is a family-friendly blog I won’t mention here what I feel should really happen to them!

Be seeing you.

–Lauren–

Google Questions & Unofficial Answers: “Does Google Make Junk Solicitation Phone Calls?”

This is a new entry from my Google+ Community Google Questions & Unofficial Answers.

It seems like almost every day I get junk solicitation phone calls “from Google.” They call about my Google business local listings, about my not being on the first page of Google search results, and so on — and they want me to pay them to “fix” this stuff. When I look up the Caller ID numbers they use, I often find pages of people claiming they’re Google phone numbers. Sometimes the Caller ID display actually says Google! Is Google really doing this?

Negative. NONE of these calls are from Google. Zero. Zilch. Nada.

These callers are inevitably “SEO” (Search Engine Optimization) scammers of one sort or another. They make millions of “cold calls” to businesses using public phone listings (from the Web or other sources) or using phone number lists purchased from brokers.

If you ever actually deal with them, you’ll find that their services typically range from useless to dangerous — “black hat” SEO firms often use illicit techniques to try to boost search rank, which can result in your being demoted or even banned from Google search entirely.

These callers usually either falsely identify themselves as actually calling “from Google” — or they may say they’re “calling about your Google account” — or similar words to that effect.

Now about those “Google, Inc.” Caller ID numbers on these calls. They’re always fakes of one sort or another.

As you may have heard, Caller ID — which is a relatively ancient control and signalling methodology not designed for the 21st century — is easily and widely spoofed with false names and numbers. You cannot put any reliance whatsoever on what Caller ID tells you these days.

For example, one common technique is for a scammer in some distant call center “boiler room” to set the Caller ID to a “local”-appearing number, sometimes combined with the name of a local business, in an attempt to make the call more attractive for you to answer. As you can imagine, the innocent parties whose names or numbers are abused in this manner are also victims of these spammers and scammers.

And that’s how these SEO crooks operate. They spoof the Caller ID system to falsely show numbers (and/or names) that are associated with Google — such as numbers used for 2-factor authentication calls or various Google Voice numbers — to try to fool you into thinking that the calls themselves are coming from Google, Inc.

Various persons unaware of how this spoofing works then list those numbers on “spam alert” site pages claiming that the numbers indicate that Google is actually making the calls. They are incorrect — again, Google never is the source of such calls.

Also — and this is very important and an issue I touched on in some other Q&As on this page — Google NEVER uses the phone numbers you provide them for account recovery and/or 2-factor authentication for any other purpose without your explicit permission, never uses them for solicitation calls, doesn’t sell them to third parties — and … you get the idea. And by the way, you really do want to proactively set up account recovery and 2-factor — as per the Q&A items at:

https://plus.google.com/+LaurenWeinstein/posts/L3DcshM4Nmi

and:

https://plus.google.com/+LaurenWeinstein/posts/avKcX7QmASi

The bottom line is that none of those harassing, scammy SEO phone calls are from Google.

And frankly, you really don’t want to deal with any of the firms who are actually making those calls — unless you’re a masochist with money to burn who wants to ruin your site’s reputation, that is.

— Lauren —

Care About Science and Tech? Our Job One: STOP TRUMP

When we think of politically-oriented publications, it’s unlikely that venerable, more than 170-year-old Scientific American typically comes to mind. 

So I was definitely stopped in my tracks when I saw their new editorial titled “Donald Trump’s Lack of Respect for Science Is Alarming” — that included these very accurate words:

“Scientific American is not in the business of endorsing political candidates. But we do take a stand for science — the most reliable path to objective knowledge the world has seen — and the Enlightenment values that gave rise to it. For more than 170 years we have documented, for better and for worse, the rise of science and technology and their impact on the nation and the world. We have strived to assert in our reporting, writing and editing the principle that decision making in the sphere of public policy should accept the conclusions that evidence, gathered in the spirit and with the methods of science, tells us to be true.”

For those of us who care about science and technology, about demonstrable truths vis-à-vis ignorant, tinfoil-hat ramblings, it’s clear that we’ve now come to a critical, likely historic, moment of reckoning. 

It’s long been de rigueur for scientists and technologists — most of whom have spent entire careers working tirelessly (and often vastly underpaid) to advance the developments in their fields for the sake of the global community at large — to be told that they should avoid directly engaging in political matters, even when their work is directly involved.

There have always been some individuals in these fields who have ignored this dictum and spoken out anyway — sometimes to the serious detriment of their careers and livelihoods.

But when a publication with the stature of Scientific American raises the red flag about a major presidential candidate, it’s time for everyone in the tech and science fields to take notice and do some serious soul searching.

Because the dangerous, ignorant, fascist, racist, misogynist, continually lying monster that is Donald Trump is significantly of our own creation.

We must now come to terms with this truth while we still can, much as ultimately did J. Robert Oppenheimer relating to his key role in the creation of nuclear weapons.

By staying relatively silent regarding specific political matters and in particular regarding specific political candidates, we have permitted anti-science, anti-technology propaganda, misinformation, lies, and fantasies to flourish — all of which can have and have had serious detrimental real-world impacts.

Fear of invoking the Streisand Effect or being accused of “not being balanced” has caused various major tech firms to not speak out directly against obviously false statements by ignorant and opportunistic politicians regarding established scientific principles and technological realities — this holds true for everything from climate change to Internet competition and net neutrality, and far beyond.

We have also more explicitly contributed to the chain of events that has led to a hideous, sociopathic, erratic creation like Trump, who — if given control over our nuclear arsenal as USA president — could literally destroy human civilization on this planet in only slightly more time than it currently takes him to send out a stream of incoherent, babbling Tweets.

The incredible global Internet that we have spent decades building and nurturing is a quintessential tool that can be used for both incredible good and for horrific evil. 

There’s no avoiding the fact that it is very much various aspects of the Internet and Web that have enabled “echo chambers” where like-minded thugs, bullies, white supremacists, and other ignorant and violent haters could congregate and then coalesce around Donald Trump, who feeds on their vileness as a disease-laden mosquito feeds on human blood.

Censorship of such demons is of course not an answer — but political action is indeed the solution.

If you honor humanity and civilization, if you care about science and technology and what’s factually true on our world and in the greater universe, then you must accept that keeping Donald Trump out of the White House is of the very highest priority. For his presence behind the desk of the Oval Office and his possession of nuclear codes could quite literally be the greatest threat to all that we have created and hold dear since the rise of civilization.

All legal means must be employed to STOP TRUMP. It’s not enough just to register to vote and to get your friends, family, and associates to register. Actually following through and voting for Hillary Clinton — even with her various acknowledged faults — is the only effective means to stop the human nightmare of Trump in his tracks.

Complacency in this election — not actually bothering to vote, or throwing away a vote on a third-party candidate (even in states that Trump is overwhelmingly unlikely to win) — would be a disastrous mistake that could net Trump a victory that would cause fascists and racists of the past to smile broadly from their graves. 

Nor is it enough to simply stop Trump on Tuesday, November 8th. 

He needs to be overwhelmingly beaten, massively crushed in a landslide if possible. We must send a message to future right-wing, racist demagogues — who could be even more dangerous than Trump given similar heinous sensibilities but fewer of his obvious, self-defeating character flaws — that they will not be anointed with political power and that American patriots will always reject their vile rants of hate.

Early voting starts in less than six weeks in some locales. I ask that you please take a few minutes away from your current projects to consider carefully what is at risk in this election and what a Donald Trump presidency would mean for us all should he and his ignorant band of anti-science, anti-technology cronies gain such awesome power.

I earnestly hope that the thought sends a chill down your spine. 

Now we must move from that very real fear to very real political action. There is no time to waste. History would never forgive our faltering at this crucial juncture.

STOP DONALD TRUMP.

–Lauren–

“Highly Illogical”: The Hysteria Over Google’s Wi-Fi Scanning

 

(Original posting date: 28 May 2010)

Greetings. I don’t find many opportunities (nor do I have much inclination) to channel characters from Star Trek, but I can only imagine Mr. Spock’s likely bemusement related to the shrill and illogical brouhaha over Google’s Street View Wi-Fi scanning.

To quote the ungrammatical Mr. Bumble, a reprehensible yet occasionally insightful character in Charles Dickens’ Oliver Twist, sometimes “the law is a ass–a idiot.”

Such is the case — as far as I’m concerned — when it comes to laws and controversies regarding the scanning of open Wi-Fi networks.

Let’s start with a basic truth — an open Wi-Fi network is, duh … open!

While the number of open Wi-Fi networks has been falling relative to nets secured at least with weak WEP crypto, or much better with WPA (or better yet, WPA2), there are still vast numbers of open Wi-Fi networks that pop up without prompting all over the world.

Raise your hand if you’ve never seen an open Wi-Fi net when attempting to connect your laptop to the Internet. Very few hands raised out there, I’ll wager.

Now raise your hand if you’ve ever opportunistically connected to an open Wi-Fi net, without permission. Lots of hands raised now.

And have you ever driven around your neighborhood with wardriving software enabled on your laptop or phone, listening to the “pings” as Wi-Fi sites registered at nearly every home or business you passed — and perhaps you saved the data and created Wi-Fi maps to use and share?

This is not just a hobbyist activity. Companies like Skyhook Wireless have built entire businesses around geolocation systems that involve the scanning of Wi-Fi signals.

And why not? Wi-Fi networks are essentially as obvious to outside observers, walking down the sidewalk or driving up the street, as are porch lights, or the flickering TV screens visible through curtains after dark.

Even when Wi-Fi access points are configured with their “SSID” beacons disabled — which tends to cause various user complications — Wi-Fi routers and hotspots are about as secret as a full moon on a cloudless night, and pretty much just as impossible to actually hide.

You can still pass laws to ban Wi-Fi scanning of course — just as the order can be given to ignore the fact that the emperor actually is parading down the central square stark naked. But reality generally triumphs over nonsensical laws in the long run.

Laws related to Wi-Fi scanning don’t exist in a vacuum, and seem to often be related to laws that attempt to ban photography of imagery that can be easily seen by observers from public places. Such illogic has been used to attack Google’s Street View photos, in much the same way that Google is now being chastised for Wi-Fi scanning associated with Street View vehicles.

Amusingly — in a sick kind of way — the fact is that the same government entities who tend to push forth a dramatic show of disdain for Street View — and now Google’s Wi-Fi scanning — are often the same ones rapidly deploying massive real-time CCTV (closed circuit TV) surveillance systems, with vast amounts of real-time imagery data pouring into government servers to be used in often unspecified ways for indefinite periods of time. Some of these entities have also conducted mass and sometimes illegal surveillance of their telephone and Internet networks.

Their complaining about Street View and Wi-Fi therefore seems highly disingenuous — but obviously politically expedient.

Google did make mistakes — they’ve publicly taken responsibility for these — related to the Wi-Fi Street View controversy. It probably would have been wise to publicly announce their Wi-Fi scanning capabilities before beginning the project, so that various governmental entities could register any concerns based on their associated national laws — however ridiculous those laws might be in this sphere, given the ease with which anyone with simple tools can scan Wi-Fi anywhere.

But since Google’s “adversaries” now “pile on” at every opportunity, proactive discussion of the Wi-Fi aspects of Street View might have avoided a fair amount of the current controversy.

The ostensibly more dramatic aspect of Google’s Wi-Fi situation relates to their revelation that their Wi-Fi scanning systems were unintentionally collecting highly fragmentary “payload” data from open Wi-Fi nets, in addition to locationally-related (e.g., SSID) data.

Google critics have been screaming — how could this possibly happen by accident? “What kind of nightmarish, nefarious plot is in play?” — they demand to know.

First, contrary to some of the accusatory claims being made, it’s extremely unlikely that any banking or similarly sensitive data was exposed even in fragmentary form, for the simple reason that virtually all sites dealing with such data use SSL/TLS security systems (https:) that would provide typical encryption protections regardless of the open, unencrypted nature of (extremely unwisely configured) underlying Wi-Fi systems.

And while clearly the collection of Wi-Fi payload data by Google was a significant oversight, it’s the kind of mistake that is actually very easy to make.

It’s completely ordinary for network diagnostic tools and related software to include mechanisms for the viewing and collection not only of “envelope” data but also of test data “payload” traffic flows. Virtually every Linux user has a tool available for this purpose that can provide these functions — the ubiquitous “tcpdump” command.

In Google’s case, it seems highly likely that a procedural breakdown — not criminal intent of any kind — led to the payload data capture portion of the Wi-Fi scanning tools not being appropriately disabled. Such procedural problems are naturally to be avoided, but for critics to try to balloon such an issue into fear mongering and conspiracy theories just doesn’t make sense.
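The “envelope” versus “payload” distinction above, as an added example that is not from the original post and is not Google's tooling: a collector that keeps only the beacon fields useful for location (BSSID and SSID) and counts, but never stores, the bodies of data frames. It assumes bare 802.11 frames with the basic 24-byte MAC header and no radiotap prefix; the two frames and all addresses are constructed sample input.

```python
import struct

# 802.11 frame type values (bits 2-3 of the first Frame Control byte)
TYPE_MGMT, TYPE_DATA = 0, 2
SUBTYPE_BEACON = 8
MAC_HDR_LEN = 24        # frame control, duration, three addresses, sequence control
BEACON_FIXED_LEN = 12   # timestamp (8), beacon interval (2), capabilities (2)


def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_ssid(tagged):
    """Walk the tag/length/value elements; return the SSID (tag 0) or None."""
    i = 0
    while i + 2 <= len(tagged):
        tag, length = tagged[i], tagged[i + 1]
        value = tagged[i + 2:i + 2 + length]
        if len(value) < length:
            return None  # truncated element: stop rather than guess
        if tag == 0:
            return value.decode("utf-8", errors="replace")
        i += 2 + length
    return None


def collect(frames):
    """Keep beacon envelope fields only; count, but never store, data payloads."""
    beacons, dropped_frames, dropped_bytes = [], 0, 0
    for frame in frames:
        if len(frame) < MAC_HDR_LEN:
            continue  # too short to carry a full MAC header
        ftype = (frame[0] >> 2) & 0x3
        subtype = (frame[0] >> 4) & 0xF
        if ftype == TYPE_MGMT and subtype == SUBTYPE_BEACON:
            beacons.append({
                "bssid": fmt_mac(frame[16:22]),  # address 3 of a beacon
                "ssid": parse_ssid(frame[MAC_HDR_LEN + BEACON_FIXED_LEN:]),
            })
        elif ftype == TYPE_DATA:
            # This is the branch that must stay "off": nothing past the
            # header is copied anywhere, only tallied.
            dropped_frames += 1
            dropped_bytes += len(frame) - MAC_HDR_LEN
    return {
        "beacons": beacons,
        "data_frames_dropped": dropped_frames,
        "payload_bytes_dropped": dropped_bytes,
    }


# --- constructed sample frames (locally administered MAC addresses) ---
AP = bytes.fromhex("020000000001")
STA = bytes.fromhex("020000000002")
BEACON = (b"\x80\x00" + b"\x00\x00" + b"\xff" * 6 + AP + AP + b"\x00\x00"
          + b"\x00" * 8 + struct.pack("<HH", 100, 0x0001)
          + b"\x00" + bytes([10]) + b"ExampleNet"      # SSID element
          + b"\x01\x01\x82")                           # supported-rates element
PAYLOAD = b"constructed-cleartext-payload"
DATA = (b"\x08\x01" + b"\x00\x00" + AP + STA + b"\xff" * 6 + b"\x00\x00"
        + PAYLOAD)

if __name__ == "__main__":
    print(collect([BEACON, DATA]))
```
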

And given the very high capacity of inexpensive disk drives today, it’s simple to see how even relatively large amounts of data — like accidentally collected payload data — could collect unnoticed in an obscure directory somewhere deep in a file system over long periods of time.

Like I say, I’m not a lawyer. Other heads will thrash out the legal aspects of this situation.

In my own view, the entire saga has been blown out of proportion, largely by forces primarily interested in unfairly and inappropriately scoring points against Google, rather than treating the situation — both as relates to Google’s Wi-Fi scanning and more broadly to Street View itself — in a logical and evenhanded manner.

But then, that’s pretty much what we’ve come to expect from you humans.

–Lauren–

Right-Wing Internet Sites in Panic over FBI Smartphone App Solicitation

One of my rather right-wing correspondents sent me a note this morning with materials making the rounds of right-wing Internet sites about a new surveillance-oriented FBI smartphone app solicitation.

While most of the stuff on those sites is total hogwash, this particular solicitation actually does exist — dated 29 July 2016 — and is worthy of some analysis.

The solicitation itself:

Smartphone-Based Audio Recorder
Solicitation Number: DJF-16-1200-N-0007
Agency: Department of Justice
Office: Federal Bureau of Investigation
Location: Procurement Section

And the quite interesting draft technical requirements are available for download.

The background description includes capabilities such as:

– Running on Android, iOS, or Windows
– Overt (e.g. interview) and stealth/remote control surveillance modes
– Not requiring jailbreaking [rooting] for installation
– Storing and streaming of audio, plus GPS, and eventually video
– Cryptographic hash for data integrity and chain of custody control
– Encryption of data on phone not required
– And more

So what’s really going on here?

Right-wing sites are spinning this as “the government is going to turn all our smartphones into bugs!” That clearly is not the goal here.

First, we know that there are already a large number of apps available for these phones that provide many of the capabilities asked for in this solicitation. We can be sure that governments are already using these off-the-shelf apps for surveillance purposes.

But the solicitation technical requirements reveal the government’s main “problems” in this regard: authentication and chain of custody.

When the government goes to court currently with such recordings, they often have to provide testimony vouching for the veracity of the recordings, and provide technical details in open court that they’d prefer not to discuss. As the solicitation itself notes: “In fact, the Government works diligently to limit and control who has access to these details as they could be used against us.”

Here’s what I think this all boils down to:

The government wants to replace their current rather ad hoc recording/surveillance apps with a system that would include integral verification that the recorded and/or streamed audio/video/GPS data had not been edited or tampered with in any way.

This would have obvious benefits for the government, as in making presentation of such evidence in court potentially much more streamlined, but could also benefit innocent defendants who would be less likely to face evidence that had been unscrupulously altered in the government’s favor.
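One generic way such “integral verification” can work, as an added example that is not taken from the solicitation or from any FBI design: each recorded segment is hashed into a chained manifest, and the chain head is sealed with an HMAC under a key assumed to be held off the device. The segment contents, GPS values, key and all function names here are constructed for illustration.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # "previous digest" used for the first entry


def entry_digest(entry):
    """SHA-256 over a canonical JSON encoding of one manifest entry."""
    blob = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


def seal_for(count, head, key):
    """HMAC binding the number of entries to the final chain digest."""
    return hmac.new(key, f"{count}:{head}".encode(), hashlib.sha256).hexdigest()


def build_manifest(segments, key):
    """segments: list of (audio_bytes, [lat, lon]). Returns manifest dict."""
    entries, prev = [], GENESIS
    for i, (audio, gps) in enumerate(segments):
        entry = {
            "index": i,
            "sha256": hashlib.sha256(audio).hexdigest(),
            "gps": gps,
            "prev": prev,          # links this entry to the one before it
        }
        prev = entry_digest(entry)
        entries.append(entry)
    return {"entries": entries, "seal": seal_for(len(entries), prev, key)}


def verify(audio_segments, manifest, key):
    """Return 'ok' or a short description of the first inconsistency."""
    entries = manifest["entries"]
    if len(audio_segments) != len(entries):
        return "segment count mismatch"
    prev = GENESIS
    for i, (audio, entry) in enumerate(zip(audio_segments, entries)):
        if entry["index"] != i or entry["prev"] != prev:
            return f"chain broken at {i}"
        if hashlib.sha256(audio).hexdigest() != entry["sha256"]:
            return f"segment {i} altered"
        prev = entry_digest(entry)
    # Without the key, an editor who rebuilds the whole chain (or cuts the
    # tail off the recording) cannot produce a matching seal.
    if not hmac.compare_digest(seal_for(len(entries), prev, key), manifest["seal"]):
        return "seal invalid"
    return "ok"


# --- constructed sample data ---
KEY = b"constructed-demo-key"
SEGMENTS = [
    (b"constructed-audio-segment-0", [34.05, -118.24]),
    (b"constructed-audio-segment-1", [34.06, -118.25]),
    (b"constructed-audio-segment-2", [34.07, -118.26]),
]

if __name__ == "__main__":
    manifest = build_manifest(SEGMENTS, KEY)
    audio = [a for a, _ in SEGMENTS]
    print(verify(audio, manifest, KEY))
    audio[1] = b"edited"
    print(verify(audio, manifest, KEY))
```

A plain hash stored beside the data shows only that the two still match; it is the keyed seal (or an equivalent external anchor) that lets a third party rule out a wholesale re-hash.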

It does seem odd that encryption of data on the phone is not a requirement, since this suggests that the data could be exposed “in the clear” if the phone fell into unauthorized hands — even if we assume that https: crypto is used for actual data streaming out from the phone.

Perhaps the bottom line question here isn’t whether the government is planning mass deployment of smartphone control and surveillance systems as the right-wing Internet sites appear to fear — that’s clearly false.

But a completely valid question for consideration is whether such a “new and improved” recording/surveillance app would encourage its use in targeted situations where surveillance wouldn’t have been considered (or accepted by courts) in the absence of such an app, and to what extent that could encourage actual overreach and potential abuse by the FBI and other government agencies in specific cases.

–Lauren–