Apple Special Event and Security


Apple’s facial recognition has spurred a number of discussions about the privacy trade-offs in the iPhone X.

Experts Weigh Pros, Cons of FaceID Authentication in iPhone X | Dark Reading – One concern about FaceID is that, in its current implementation, only one face can be used per device, says Pepijn Bruienne, senior R&D engineer at Duo Security. TouchID lets users register up to five fingerprints. If a third party obtains a user’s fingerprint and reproduces it, and the user is aware, they could register a different unique fingerprint.

Can Cops Force You to Unlock Your Phone With Your Face? | The Atlantic – Even if Face ID is advanced enough to keep pranksters out, many wondered Tuesday if it would actually make it easier for police to get in. Could officers force someone they’ve arrested to look into their phone to unlock it?

How Secure Is The iPhone X’s FaceID? Here’s What We Know | Wired – Marc Rogers, a security researcher at Cloudflare, was one of the first to demonstrate spoofing a fake fingerprint to defeat TouchID. Rogers says he has no doubt that he—or at least someone—will crack FaceID. In an interview ahead of Apple’s FaceID announcement, Rogers suggested that 3-D printing a target victim’s head and showing it to their phone might be all it takes. “The moment someone can reproduce your face in a way that can be played back to the computer, you’ve got a problem,” Rogers says. “I’d love to start by 3-D-printing my own head and seeing if I can use that to unlock it.”

Now let’s talk about the Apple Watch, which I consider to present more serious issues.
 
The Apple Watch Series 3 is interesting from a legislative point of view. Its built-in eSIM shares your iPhone’s number: the carrier provisions a second subscriber identity for the watch and routes calls and texts for the same number to both devices, so the number is effectively duplicated onto a second LTE radio. The security services of the major powers generally don’t broadcast their capabilities, and politicians are generally untroubled by knowledge of what is possible. Giving politicians an inkling is likely to result in broad, sweeping authoritarian powers.
Imagine what will happen when Amber Rudd goes into parliament looking for real-time access to everyone’s phones. She can now point to the Apple Watch Series 3 as evidence that a phone number can live on two LTE or 3G devices at once. What kind of legislation will her special advisers start cooking up then?

Secondly, it will only be a matter of time before criminals either work out how to do it themselves or co-opt mobile carrier staff. Two-factor authentication that depends on SMS is already compromised; a second device that quietly receives the same number would let an attacker collect one-time codes without the victim’s phone ever losing service, so the compromise would be undetectable.

The Apple Watch 3 may have royally screwed us all.

The internet of hacking or WTF is happening with my smart home?

Mirai – is a botnet made up of a range of devices including infected home routers and remote camera systems. It took over these systems by logging in with their default passwords. The network of compromised machines is then directed to overload a target network or service. Last week the Dyn DNS service was targeted, which restricted access to lots of other services for users on the east coast of the US.

DNS is like a telephone directory of internet destinations, if no one knows where to go it becomes a lot harder to get in touch.

DDoSing
Mirai didn’t spring miraculously out of thin air. Its history lies with passionate gamers who used distributed denial of service (DDoS) attacks to slow down or even kick opponents off online gaming platforms. Eventually the gaming companies got hip to it and went after the cheaters; not to be outdone, the cheaters went after the gaming companies.

Taking a service offline using DDoS became a source of extortion against online banking and e-commerce services. Attacks can be used as a form of ‘digital hit’ to take out opponents or critics like online security commentator Brian Krebs.

Computing
Moore’s Law meant that computing power has become so small and plentiful that it is surprising what we often have in the palms of our hands. The first Cisco router was built on the circuit board of a Sun Microsystems workstation. Home routers now are basically small computers running Linux. A CCTV camera box or a DVR are both basic PCs complete with hard drives.

Back in 2007, BlackBerry co-founder Mike Lazaridis described the iPhone as

“They’ve put a Mac in this thing…”

The implication being that the power of a sophisticated PC was essentially in the palm of one’s hand. The downside of this is that your thermostat is dependent on a good broadband connection and Google based cloud services and your television can get malware in a similar manner to your PC.

Security
For a range of Chinese products identified as part of the botnet, the manufacturer acknowledged that they shipped with a default admin password. It fixed the problem in a later version of the device firmware: changing the default password is now a mandatory part of set-up the first time the device is used. That only helps devices that actually receive the update; units already in the field that are never updated stay exactly as exposed as before.
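As an added example (not code from the post or from any manufacturer mentioned in it), the two halves of the default-password problem in one script: detection logic that runs over constructed honeypot log lines and flags a Mirai-style dictionary run, and a first-boot password check of the kind the firmware fix describes. The log format, the honeypot, the addresses and the credential subset are assumptions; the credential pairs are a small slice of the list in the publicly released Mirai source.

```python
# Added example: spot Mirai-style default-credential scanning in (constructed)
# honeypot logs, and enforce a first-boot password policy. Not the post's code.
import re
from collections import defaultdict

# A subset of the factory (user, password) pairs the released Mirai source
# tries; illustrative, not the full list.
MIRAI_DEFAULTS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"), ("admin", "admin"),
    ("root", "888888"), ("root", "xmhdipc"), ("root", "default"), ("root", "juantech"),
    ("root", "123456"), ("root", "54321"), ("support", "support"), ("root", ""),
    ("admin", "password"), ("root", "root"), ("root", "12345"), ("user", "user"),
    ("admin", ""), ("root", "pass"), ("admin", "admin1234"), ("root", "1111"),
    ("admin", "smcadmin"), ("root", "password"), ("root", "1234"), ("ubnt", "ubnt"),
    ("root", "7ujMko0vizxv"), ("root", "7ujMko0admin"), ("admin", "1234"),
    ("guest", "guest"), ("supervisor", "supervisor"), ("service", "service"),
}

# Hypothetical honeypot line format: "... login <succeeded|failed> [user/pass] from <ip>"
LOG_RE = re.compile(
    r"login (?P<result>succeeded|failed) \[(?P<user>[^/\]]*)/(?P<pw>[^\]]*)\] from (?P<src>[\d.]+)"
)

# Constructed sample log; the 203.0.113.5 sequence mirrors a Mirai dictionary run.
SAMPLE_LOG = """\
2016-10-21T03:14:07Z honeypot telnet: login failed [root/xc3511] from 203.0.113.5
2016-10-21T03:14:08Z honeypot telnet: login failed [root/vizxv] from 203.0.113.5
2016-10-21T03:14:09Z honeypot telnet: login failed [admin/admin] from 203.0.113.5
2016-10-21T03:14:10Z honeypot telnet: login succeeded [root/888888] from 203.0.113.5
2016-10-21T03:20:44Z honeypot telnet: login failed [root/xc3511] from 198.51.100.9
2016-10-21T09:01:02Z honeypot telnet: login succeeded [owner/correct-horse-battery] from 192.168.1.20
"""


def parse_log(text):
    """Yield one dict per login line; lines that don't match the format are skipped."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m.groupdict()


def classify_sources(text, min_default_hits=3):
    """Group attempts by source address and label each source:
    'scanner' if it tried at least min_default_hits known default credentials,
    'probe' if it tried any, 'benign' otherwise. 'succeeded' records whether
    any login from that source got in, i.e. the device was actually taken."""
    per_src = defaultdict(lambda: {"attempts": 0, "default_hits": 0, "succeeded": False})
    for rec in parse_log(text):
        e = per_src[rec["src"]]
        e["attempts"] += 1
        if (rec["user"], rec["pw"]) in MIRAI_DEFAULTS:
            e["default_hits"] += 1
        if rec["result"] == "succeeded":
            e["succeeded"] = True
    for e in per_src.values():
        if e["default_hits"] >= min_default_hits:
            e["verdict"] = "scanner"
        elif e["default_hits"]:
            e["verdict"] = "probe"
        else:
            e["verdict"] = "benign"
    return dict(per_src)


def first_boot_password_ok(user, password, factory_default):
    """Policy a device can apply when forcing a password change at first set-up:
    reject the factory default, anything on the Mirai list, the username itself,
    and anything under 12 characters. Returns (accepted, reason)."""
    if password == factory_default:
        return False, "factory default"
    if (user, password) in MIRAI_DEFAULTS:
        return False, "known default credential"
    if password.lower() == user.lower():
        return False, "same as username"
    if len(password) < 12:
        return False, "too short"
    return True, "ok"


if __name__ == "__main__":
    for src, e in classify_sources(SAMPLE_LOG).items():
        print(f"{src:15} {e['verdict']:8} attempts={e['attempts']} "
              f"defaults={e['default_hits']} compromised={e['succeeded']}")
    print(first_boot_password_ok("root", "xc3511", "xc3511"))
```

The scanner verdict keys on the credential list rather than on failure count alone because a Mirai run often succeeds on the third or fourth try, so a threshold on failed logins would miss exactly the devices that were taken.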

The current best advice for internet of things security is to protect the network with a firewall at the edge. The reality is that most home networks have, if you were lucky, a firewall on the connected PCs; the average consumer doesn’t have a dedicated security appliance at the edge of the home network. A consumer edge firewall is also typically configured only to block unsolicited inbound connections: an already-infected camera still reaches its controller and still floods a victim from behind it.

Modern enterprises no longer rely only on security at the edge; they take a layered ‘defence in depth’ approach.

That would be a range of technology including:

  • At least one firewall at the edge
  • Intrusion detection software as part of a network management suite
  • A firewall on each device
  • Profile-based permissions across the system (if you work in HR, you have access to the HR systems, but not customer records)
  • Decoy honeypot systems
  • All file systems encrypted by default so if data is stolen it still can’t be read

Processes:

  • Updating software as soon as it becomes available
  • Hard passwords
  • Two-factor authentication

Defence in depth is complex in nature, which makes it hard to pull off for the average family. IoT products are usually made to a price point. These are products sold as appliances, so it is hard for manufacturers to have a security eco-system. The likelihood of anti-virus and firewall software for light bulbs or thermostats is small to non-existent.

The Shenzhen eco-system
Shenzhen, just across the border from Hong Kong, has been the centre of assembly for consumer electronics over the past 20 years, although this is changing: Apple devices, for instance, are now assembled across China. Shenzhen has expanded into design, development and engineering. A key part of this process has been a unique open-source-style development process: specifications and designs are shared informally under legally ambiguous conditions, which spreads development costs across manufacturers and allows for iterative improvements.

There is a thriving maker community that blurs the line between hobbyists and engineers. A hobbyist’s passion can quickly become a prototype and then go into production. Shenzhen manufacturers can go to market so fast that they harvest ideas from Kickstarter and have them on sale before the idea has been funded on the crowdfunding platform.

All of these factors would seem to favour the ability to get good security technologies engineered directly into the products by sharing the load.

China
The European Union was reported to be looking at regulating security into the IoT eco-system, but in the past regulation hasn’t improved the security of related products such as DSL routers. Regulation is only likely to be effective if it is driven out of China, and China does have a strong incentive to do this.

The government has a strong desire to increase the value of Chinese manufacturing beyond low-value assembly and to have local products seen as high quality. President Xi has expressed frustration that Chinese manufacturing appears sophisticated, yet cannot make a good ballpoint pen.

Insecurity in IoT products is rather like that pain point of poor-quality pens. Fixing it is a win for customers, for the Chinese manufacturing sector and, by extension, for the Party.

More Information
WSJ City – Massive Internet Attack Stemmed From Game Tactics
Your brilliant Kickstarter idea could be on sale in China before you’ve even finished funding it | Quartz
Asus lawsuit puts entire industry on notice over shoddy router security | Ars Technica
Europe to Push New Security Rules Amid IoT Mess — Krebs on Security
Why can’t China make a good ballpoint pen? | Marketplace.org

The Yahoo! Data Breach Post

Yahoo! had a data breach in 2014; it declared the breach to consumers on September 22. This isn’t the first large data breach that Yahoo! has had over the past few years, just the largest.

In 2012 there was a breach of 450,000+ identities. Millions of identity records were apparently being sold by hackers in August 2016, which the media initially linked to the 2012 breach. It would be speculative to assume that the records for sale in August were part of the 2014 raid.

The facts so far:

  • 500 million records were stolen by the hackers. Based on the latest active email account numbers disclosed for Yahoo!, many of these accounts must be inactive or forgotten
  • Some of the data, including security questions and answers, was stored unencrypted
  • Yahoo! believes that it was a state-sponsored actor, but it has offered no evidence to support this hypothesis. It would be a bigger reputational issue if it was ‘normal’ hackers or an organised crime group
  • There are wider security implications because the data included personal security questions, which people reuse across services and whose true answers cannot be changed

The questions

A Vermont senator asked the following questions in a letter to Yahoo!:

  • When and how did Yahoo first learn that its users’ information may have been compromised?
  • Please provide a timeline detailing the nature of the breach, when and how it was discovered, when Yahoo notified law enforcement or other government authorities about the breach, and when Yahoo notified its customers. Press reports indicate the breach first occurred in 2014, but was not discovered until August of this year. If this is accurate, how could such a large intrusion of Yahoo’s systems have gone undetected?
  • What Yahoo accounts, services, or sister sites have been affected?
  • How many total users are affected? How were these users notified? What protection is Yahoo providing the 500 million Yahoo customers whose identities and personal information are now compromised?
  • What steps can consumers take to best protect the information that may have been compromised in the Yahoo breach?
  • What is Yahoo doing to prevent another breach in the future?
  • Has Yahoo changed its security protocols, and in what manner?
  • Did anyone in the U.S. government warn Yahoo of a possible hacking attempt by state-sponsored hackers or other bad actors? When was this warning issued?

Added to this, shareholders and Verizon are likely to want to know:

  • Chain of events / timing of the discovery of the hack?
  • Has Yahoo! declared what it knew at the appropriate time?
  • Could Yahoo! be found negligent in their security precautions?
  • How will this impact the ongoing attrition in Yahoo! user numbers?

Additional questions:

  • How does Yahoo! know that it was a state sponsored actor?
  • Was there really Yahoo! data being sold on the dark web in August?
  • Was that data from the 2014 cache?
  • How did they get in?

More information
An Important Message About Yahoo User Security | Yahoo – Yahoo!’s official announcement
UK Man Involved in 2012 Yahoo Hack Sentenced to Prison | Security Week
Congressional Leaders Demand Answers on Yahoo Breach | Threat Post

The September 11 post

15 years ago I worked agency side in Haymarket in London’s west end for Edelman. It was a normal day, well, as normal as it gets when you are in the middle of the dot com bust fallout.

My job meant working on communications programmes for the European subsidiaries of technology companies. This was to reflect a ‘business as usual’ face to their customers. This allowed the subsidiaries to keep their businesses largely intact so that they could be sold off to help bail out the financial hole that the parent company had made.

The businesses had grown on generous venture capital payments, share placements and bank loans. The dot com bust suddenly meant that there was a surplus of servers, network switches, bandwidth, commercial space and Herman Miller Aeron chairs.

Due to the nature of the business I worked closely with colleagues on the finance team because I spoke ‘geek’ and understood how screwed these clients happened to be.

The financial and corporate teams worked for a number of clients, notably Cantor Fitzgerald. They were to lose two thirds of their personnel by the end of the day.

It was early afternoon, when I realised that something was up. We had TVs around the agency that often weren’t on. This time they were all turned to Sky News, which was running the footage. After the troubles and bombings in Beirut, it wasn’t a complete surprise to see another landmark attack – at least at first.

Once the scale sunk in, then the realisation of how different the world was going to be started to dawn on me.

Throwback gadget: SnapperMail

At the end of 2001, I started to prepare for leaving my job at Edelman. This meant upgrading my home IT set up. I picked up an iBook. The iBook was Apple’s consumer-orientated laptop made from 1999 to 2006. Mine was a second generation ‘Snow’ laptop with a G3 processor, dual USB sockets and a combo drive which allowed me to watch DVDs and burn CDs.

I used the move to go on to the first version of OS X. The move also meant that I got a new email account, my default account to date. It had two key attributes:

  • No adverts, so it looked professional in comparison to having a Yahoo! or Hotmail email address, and it wasn’t tied to an ISP.

  • IMAP support, which allowed me to use my email account across different devices that all stay in sync, because the messages live on the server. POP3 instead downloads the emails from the server to the device.

My iBook was my only source of email access while I left Edelman and then eventually joined Pirate Communications. My first smartphone was a Nokia 6600, which I used alongside a Palm PDA; I got this sometime around the end of 2003. The 6600 supported IMAP out of the gate; it was slow, but I was connected.

The 6600 was eclipsed by Palm’s Treo devices, which were better. I moved from the 6600 and Palm Tungsten T3 combo to a Treo 600 smartphone in January 2005.

The process wasn’t smooth. The Treo was sufficiently fragile that I got a translucent silicone jacket that worked surprisingly well with the keyboard, and a screen protector to look after the touchscreen. Software wise the Treo 600 was a step back from the Tungsten T3 PDA. The screen was smaller and the software felt sluggish in comparison. I had deliberately chosen the 600 over the 650 because I had previously worked agency side on the Palm account and been a long-suffering device owner, so knew how crap they were at bug fixes.
Unfortunately Palm had not been as progressive as Nokia with its default email client: the software didn’t support IMAP. Fortunately I used to follow Mitch Kapor’s blog, and he had recommended an app from a small New Zealand company, SnapperFish.

SnapperMail was a compact, modern email client. It had a number of features that we would expect now:

  • It supported IMAP
  • It supported SSL client to mail box encryption*
  • it was really easy to use
  • You could work with attachments including zipped files**
  • There was no restriction on the file size of attachments, the only restriction was your email account rather than your email client

This looks like the kind of technology you would have thought Palm should have done itself. At the time Palm was competing against Microsoft Windows Mobile 2003 and the BlackBerry 6200 series, 7100 series and early 8700 series. Yet the default email client was stuck in the 1990s.

*The full-fat application cost US$39.99

**SnapperMail came bundled with HandZipper Lite which handled the compressed files and JPEGWatch Lite image viewer

I used this alongside MetrO – a public transit directions app and QuickOffice Pro – to read Office documents as part of my modern smartphone experience. It wasn’t just me that loved SnapperMail, it was praised by Walt Mossberg back when he wrote at the Wall Street Journal.

SnapperMail won two PalmSource (Palm’s software licensing business) Powered Up awards in 2003. It was recognised as Best Productivity and Best of the Best Solution.

More information
SnapperMail Has Solid Software For Savvy Mobile E-Mail Users | WSJ
QuickOffice
MetrO – open source mass transit application
PalmSource Welcomes Developers with Awards, New Tools; Announces New Licensees | PalmSource press room

#VS250 – Inside Virgin Atlantic’s online racism crisis

Virgin Atlantic had a tough finish to the week as Chinese social media users and their overseas counterparts united to hit the airline hard. The problem had percolated for the previous two weeks on Chinese social media as netizens fumed at the way cabin staff had allegedly treated a Chinese woman traveller.

Chinese social media users are known for direct co-ordinated action, such as the ‘human flesh search engine’, in a way that is similar to Anonymous or Reddit readers, but at a greater scale.

Looking at the social data we can see that there were two concerted pushes on social media. The first one happened on Twitter at 4am – 5am and then, hours later, it landed on Facebook. The surge in post volume would be enough to stress even the largest and most sophisticated customer services team.

Key lessons for brands:

  1. A Chinese market problem has the potential to be an international one. The Virgin Atlantic team had a good two weeks to either shut down the protest through a quick resolution or prepare for the Chinese netizen onslaught
  2. The Great Firewall will not keep the protest isolated
  3. Expect a more co-ordinated approach if the protest jumps the firewall. It can be diagnosed by looking at realtime data
  4. Chinese netizens can effectively drive international media coverage, despite western scepticism or possible concerns of state collusion. (They often give the Chinese Communist Party too much credit, and not enough credit to effective adhocracy Chinese netizens create)
  5. Sentiment analysis doesn’t seem to be a good trigger / escalation vector in this incident, as the tweets mostly registered as neutral in the analysis tools that I used. On their own they wouldn’t indicate anything untoward, which negates some of the pretty command dashboards you see
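As an added illustration of lessons 3 and 5, and not code from the original post: a simple volume-burst trigger over constructed hourly Twitter counts, run beside a naive sentiment trigger. The counts, the sentiment scores, the baseline window and the thresholds are all assumptions chosen to mirror the 4am – 5am surge described above.

```python
# Added example: volume-burst detection versus a sentiment trigger on
# constructed hourly post counts. Not the post's own analysis code.
from statistics import median

# Constructed hourly Twitter buckets: 24 quiet hours, 4 more quiet hours, then
# a 04:00-05:00 burst. SENTIMENT is a mean score per hour in [-1, 1].
POSTS = [12, 9, 7, 5, 4, 6, 10, 15, 20, 22, 18, 17, 16, 19, 21, 20, 18, 15, 14, 13, 12, 11, 10, 9,
         10, 8, 6, 5, 380, 420, 150, 90]
SENTIMENT = [0.15] * 24 + [0.12, 0.10, 0.14, 0.11, 0.02, -0.04, -0.06, -0.01]


def volume_bursts(posts, sentiment, window=24, factor=5.0, min_posts=50):
    """Flag hour i when its count is at least `factor` times the median of the
    previous `window` hours (and at least min_posts, to ignore tiny baselines).
    Sentiment is reported alongside but plays no part in the decision."""
    hits = []
    for i in range(window, len(posts)):
        base = median(posts[i - window:i])
        if posts[i] >= min_posts and posts[i] >= factor * base:
            hits.append({"hour": i, "posts": posts[i], "baseline": base,
                         "ratio": round(posts[i] / base, 1), "sentiment": sentiment[i]})
    return hits


def sentiment_alerts(sentiment, threshold=-0.3):
    """A naive sentiment trigger: hours whose mean score is clearly negative."""
    return [i for i, s in enumerate(sentiment) if s <= threshold]


if __name__ == "__main__":
    for h in volume_bursts(POSTS, SENTIMENT):
        print(h)
    print("sentiment alerts:", sentiment_alerts(SENTIMENT))
```

On this data the volume trigger fires at the first burst hour with a ratio near 30 while the sentiment trigger never fires, because the surge is thousands of near-neutral posts. A rolling median rather than a mean is used for the baseline so that the burst hours themselves do not drag the baseline up once they enter the window.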

More information
Trail of conversations on Sina Weibo – you need an account to log-in and see the content
Virgin Atlantic targeted after racism accusations | Global Times
Woman Was Called “Chinese Pig” on Flight by Passenger, Only to be Threatened by Crew to Leave the Plane in Mid-air | People’s Daily – probably the best write up of the incident by Chinese government’s paper of record
Virgin Atlantic investigates abuse case as story goes viral | China Daily – London bureau breaks the western social media debacle for English language readers
Chinese woman claims flight attendants ignored her after man called her ‘Chinese pig’ | asiaone – asiaone is a Singaporean news aggregator owned by SPH who own The Straits Times
Richard Branson sends apologetic tweet after woman claims she was called a ‘f****** Chinese pig’ on Virgin flight by fellow white passenger… but cabin crew threatened to kick HER off the plane | Mail Online – the Mail Online piece is particularly important as it validates the story for western audiences and other media such as The Metro
Richard Branson apologises to woman called ‘Chinese pig’ on Virgin flight | Metro.co.uk

20th anniversary: A Declaration of the Independence of Cyberspace

Back on February 9, 1996, John Perry Barlow wrote his declaration of the independence of cyberspace. The declaration pointed out the folly of trying to govern something thought to be virtually ungovernable at the time.
Barlow first came to prominence writing lyrics for the Grateful Dead. His ethos came from the libertarian do-your-own-thing ethic that underpinned much of the hippy movement. This probably came more naturally to Barlow than to other people, having grown up on a cattle ranch as the son of a Republican politician.

By the time he wrote the declaration, he had already published extensively about the internet. He was on the board of directors of The WELL, an online community that sprang out of Stewart Brand’s back-to-the-land-influenced catalogue of useful things, The Whole Earth Catalog (The WELL stands for Whole Earth ’Lectronic Link). He contributed to Wired magazine (whose founding executive editor was fellow WELL veteran Kevin Kelly); Barlow’s essay The Economy of Ideas, published in the March 1994 issue, provides a clear view of the thinking that prompted him to write the declaration. He had already founded the Electronic Frontier Foundation with John Gilmore and Mitch Kapor in response to a series of actions by law enforcement agencies that led them to conclude that the authorities were gravely uninformed about emerging forms of online communication.

The declaration was a reaction to the 1996 Telecommunications Act in the US, which eventually resulted in consolidation of US media ownership.

I suspect the similarities in style between the declaration and Doc Searls et al.’s later Cluetrain Manifesto are an intentional nod to Barlow.

A Declaration of the Independence of Cyberspace

by John Perry Barlow <barlow@eff.org>

Governments of the Industrial World, you weary giants of flesh and steel, I come from Cyberspace, the new home of Mind. On behalf of the future, I ask you of the past to leave us alone. You are not welcome among us. You have no sovereignty where we gather.

We have no elected government, nor are we likely to have one, so I address you with no greater authority than that with which liberty itself always speaks. I declare the global social space we are building to be naturally independent of the tyrannies you seek to impose on us. You have no moral right to rule us nor do you possess any methods of enforcement we have true reason to fear.

Governments derive their just powers from the consent of the governed. You have neither solicited nor received ours. We did not invite you. You do not know us, nor do you know our world. Cyberspace does not lie within your borders. Do not think that you can build it, as though it were a public construction project. You cannot. It is an act of nature and it grows itself through our collective actions.

You have not engaged in our great and gathering conversation, nor did you create the wealth of our marketplaces. You do not know our culture, our ethics, or the unwritten codes that already provide our society more order than could be obtained by any of your impositions.

You claim there are problems among us that you need to solve. You use this claim as an excuse to invade our precincts. Many of these problems don’t exist. Where there are real conflicts, where there are wrongs, we will identify them and address them by our means. We are forming our own Social Contract. This governance will arise according to the conditions of our world, not yours. Our world is different.

Cyberspace consists of transactions, relationships, and thought itself, arrayed like a standing wave in the web of our communications. Ours is a world that is both everywhere and nowhere, but it is not where bodies live.

We are creating a world that all may enter without privilege or prejudice accorded by race, economic power, military force, or station of birth.

We are creating a world where anyone, anywhere may express his or her beliefs, no matter how singular, without fear of being coerced into silence or conformity.

Your legal concepts of property, expression, identity, movement, and context do not apply to us. They are all based on matter, and there is no matter here.

Our identities have no bodies, so, unlike you, we cannot obtain order by physical coercion. We believe that from ethics, enlightened self-interest, and the commonweal, our governance will emerge. Our identities may be distributed across many of your jurisdictions. The only law that all our constituent cultures would generally recognize is the Golden Rule. We hope we will be able to build our particular solutions on that basis. But we cannot accept the solutions you are attempting to impose.

In the United States, you have today created a law, the Telecommunications Reform Act, which repudiates your own Constitution and insults the dreams of Jefferson, Washington, Mill, Madison, DeToqueville, and Brandeis. These dreams must now be born anew in us.

You are terrified of your own children, since they are natives in a world where you will always be immigrants. Because you fear them, you entrust your bureaucracies with the parental responsibilities you are too cowardly to confront yourselves. In our world, all the sentiments and expressions of humanity, from the debasing to the angelic, are parts of a seamless whole, the global conversation of bits. We cannot separate the air that chokes from the air upon which wings beat.

In China, Germany, France, Russia, Singapore, Italy and the United States, you are trying to ward off the virus of liberty by erecting guard posts at the frontiers of Cyberspace. These may keep out the contagion for a small time, but they will not work in a world that will soon be blanketed in bit-bearing media.

Your increasingly obsolete information industries would perpetuate themselves by proposing laws, in America and elsewhere, that claim to own speech itself throughout the world. These laws would declare ideas to be another industrial product, no more noble than pig iron. In our world, whatever the human mind may create can be reproduced and distributed infinitely at no cost. The global conveyance of thought no longer requires your factories to accomplish.

These increasingly hostile and colonial measures place us in the same position as those previous lovers of freedom and self-determination who had to reject the authorities of distant, uninformed powers. We must declare our virtual selves immune to your sovereignty, even as we continue to consent to your rule over our bodies. We will spread ourselves across the Planet so that no one can arrest our thoughts.

We will create a civilization of the Mind in Cyberspace. May it be more humane and fair than the world your governments have made before.

Davos, Switzerland

February 8, 1996

So two decades later, how does Barlow’s declaration stand up against what has actually happened? At first blush, not very well. The digital economy outside China is dominated by an oligarchy of four main players: Amazon, Apple, Facebook and Google.

Scott Galloway’s presentation at DLD conference this year, highlights the winner take all nature of the online world. This is partially down to the nature of the online platform. Amazon grew to critical mass in the US as for a critical amount of time buyers didn’t need to pay state sales tax until state legislation started to catch up.

Zuckerberg and his peers marked a changing of the guard in Silicon Valley as yuppies took over from the hippies.

Inside China there is a similar state-directed oligarchy of Alibaba, Tencent, Netease and Sina.

The oligarchy impact has been most pronounced in Europe, where consumer demand and a lack of effective competition saw Google go to 90+ percent in market share across the EU, when the US market share was less than 70 percent at the time.

Futurist and science fiction author Bruce Sterling summed it up rather well:

“Globalization” is over for 2016. We have entered an era of Internet Counter-Revolution. The events of 1989 feel almost as distant as those of 1789. The globalizing, flat-world, small-pieces-loosely-joined Internet is behind us, it’s history. The elite geek Internet could not resist those repeated tsunamis of incoming users.

It turned out that normal people like the “social” in social media a lot better than they ever liked the raw potential of media technology. In Russia and China in 2016, digital media is an arm of the state. Internet has zero revolutionary potential within those societies, but all kinds of potential for exported cyberwar. The Chinese police spy and firewall model, much scoffed at in the 1990s, is now the dominant paradigm. The Chinese have prospered with their authoritarian approach, while those who bought into borderless friction-free data have been immiserated by the ultra-rich.

In the USA it’s an older American story: the apparent freedom of Henry Ford’s personal flivver has briskly yielded to the new Detroit Big Five of Google, Apple, Facebook, Amazon, and, in last place, Microsoft.

In 2016, everything that looks like digital innovation, “big data,” “the cloud,” the “Internet of Things,” are actually promotional slogans that play into the hands of the GAFAM “Big Five.” Anybody who lacks broadband and a mobile OS is in deadly peril, especially the digital old-school likes of IBM, Cisco, Hewlett-Packard, Oracle… and the hapless TV networks, whose median viewer age is now in the 60s.

The GAFAM Big Five, the “Stacks,” will turn their wrath on the victims closest to them, well before they complete their lunge for control of cars and thermostats. However, their destiny is obvious. The rebels of the 1990s are America’s new mega-conglomerates. Google is “Alphabet,” Apple pruned the “computer” from its name, Amazon is the Washington Post. In 2016, that’s how it is, and in 2017, 18, 19, much more so.

So the not-evil guys are the new evil guys, but don’t be scared by this. It’s quite like watching the 1960s Space Age crumble from giant-leaps-for-mankind to launching low-orbit gizmos for profit. It’s comprehensible, it can be dealt with. Sure, it’s tragic if your head was in the noosphere, but if you have any historical awareness of previous industrial revolutions, this is really easy to understand. It’s already in your pocket and purse, it’s written on every screen you look at. It could scarcely be more obvious.

Yes, Internet Counterrevolution is coming, much of it is here already, and it’s properly considered a big deal, but it’s not permanent. This too shall pass.

And this post hasn’t even touched on how government has looked to plug itself into all facets of online life in the interest of discovering terrorist plots, organised crime or paedophile rings. Assaults on cyberspace sovereignty are numerous, from Pakistan’s special editable version of YouTube to several governments looking for cryptographic backdoors.

At DLD 2016, you have a German politician talking about the mechanism of how the government needed to rollback citizen rights to privacy to give German start-ups a chance. In this winner takes all world, the beneficiaries are likely to be Google, Facebook Amazon and Microsoft rather than a local champion.

I started on this post in mid-January and scheduled it to go out on February 8, 2016. danah boyd also published on the declaration of cyberspace and I recommend you go and check it out.

More information
Economy of Ideas | Wired 
The Cluetrain Manifesto
A Declaration of the Independence of Cyberspace | EFF
Bruce Sterling & Jon Lebkowsky: State of the World 2016 | The WELL
Pakistan lifts ban on YouTube after launch of own version | The Daily Star
John Perry Barlow 2.0 | Reason

PrivaTegrity: the flawed model of distributed keys

David Chaum’s idea, an attempt to strike a balance between citizen privacy on one side and, on the other, state actors’ demands for internet sovereignty justified by emotive causes such as terrorism, paedophile rings and organised crime, got a lot of attention from Wired.
Yesterday evening on a bus stop in Bow
The principle behind PrivaTegrity is that there would be a backdoor, but the back door could only be opened with a nine-part key. The parts would be distributed internationally to try and reduce the ability of a single state actor to force access.

However it has a number of flaws to it:

  • It assumes that bad people will use a cryptographic system with a known backdoor. They won’t; they will look elsewhere for the technology
  • It has a known backdoor, and there is no guarantee that it can’t be opened in a way that the developers hadn’t thought of
  • Nine people will decide what’s evil
  • If you’re a state actor or a coalition of state actors, you know that you have nine targets to go after in order to obtain access by hook or by crook. It was only Edward Snowden who showed us how extraordinarily powerful companies were bent to the will of the US government. The UK government is about to grant itself extra-territorial legal powers to compel access. There is no reason why a form of extraordinary rendition couldn’t be used to compel access, rather like Sauron in The Lord of the Rings bending the ring bearers to his will. Think of it as Operation Neptune Spear meets a Dungeons & Dragons quest held at a black site
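To make the fourth point concrete, here is an added example (not PrivaTegrity’s code; the page only says the key has nine parts, so Shamir’s threshold secret sharing over a prime field is an assumption about the construction) that splits a master key into nine shares and shows what an adversary learns from eight of them versus all nine. The `split_key`, `recover_key` and `P` names, and the sample key, are this example’s own:

```python
"""Nine-part key escrow with Shamir's secret sharing (added example).

Assumption: the escrow key is split with a (t, n) Shamir scheme over
GF(P); the page does not say which scheme PrivaTegrity actually uses.
"""
import secrets

# 127-bit Mersenne prime; the key is an integer in [0, P).
P = (1 << 127) - 1


def _eval_poly(coeffs, x):
    """Evaluate the polynomial with the given coefficients at x over GF(P)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_key(key, n=9, t=9):
    """Split `key` into n shares (x, y); any t of them recover the key.

    The constant term is the key; the other t-1 coefficients are random,
    so fewer than t shares are consistent with every possible key.
    """
    if not 1 <= t <= n:
        raise ValueError("need 1 <= t <= n")
    coeffs = [key % P] + [secrets.randbelow(P) for _ in range(t - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_key(shares):
    """Lagrange interpolation at x = 0 over GF(P).

    With t or more correct shares this returns the key; with fewer it
    returns a field element that is uniformly random relative to the key.
    """
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, P - 2, P)) % P
    return secret


def coalition_attempt(shares, holders_compromised, t):
    """Model a coalition that has coerced `holders_compromised` share holders.

    Returns (recovered_value, succeeded). With t = n = 9 the coalition
    must compromise all nine holders; the ninth refusal blocks access.
    """
    guess = recover_key(shares[:holders_compromised])
    return guess, holders_compromised >= t


if __name__ == "__main__":
    # Constructed sample key for the demo (not a real escrow key).
    key = 0x2B7E151628AED2A6ABF7158809CF4F3C
    nine_of_nine = split_key(key, n=9, t=9)
    for k in (8, 9):
        _, ok = coalition_attempt(nine_of_nine, k, t=9)
        print(f"{k} holders coerced -> key recovered: {ok}")
```

Two practical caveats follow directly from the code. First, t = n = 9 means every holder is both a veto (one refusal blocks lawful access) and a single point of failure (one lost share destroys the key for everyone), which is why real deployments lower t below n, and every step down reduces the number of targets the coalition described above needs to coerce. Second, the secrecy argument only covers the shares themselves; it says nothing about the system that reassembles them, which is the “opened in a way the developers hadn’t thought of” concern in the second bullet.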

More information
The Father of Online Anonymity Has a Plan to End the Crypto War | WIRED
Privategrity

David Farber on the state of technology during a lecture at Stanford

David Farber runs the Interesting People email list on all things technology related and is a professor of computer science at Carnegie Mellon University. This lecture at Stanford deals with technology problems in a layman-friendly way.

Treat it like a podcast and have it on in the background.

Jargon watch: seabasing

In a tale of fact imitating fiction, the US Navy is looking at ways to support the military in future conflicts by creating bases which allow ships to act as a combined space, which they call sea basing (or seabasing). The reason for this is that in battles with the likes of China they may not have the luxury of a nearby land base like they have had in the Middle East, so they need to provide a flexible platform that will perform a similar function, including floating docks and logistics.

Being out at sea and operating in this way also helps put the force out of range of enemy weapons, or what the US Marines describe as exploiting the sea’s maneuver space.

This includes ramps and sensors that would allow service men and equipment to be exchanged from ship-to-ship with as much ease as moving around a base on land. Presumably this would have some sort of effect in terms of increasing the data network connections between ships to help them function better and more cohesively.

The idea of seabasing echoes the carrier and lashed-together boats of Neal Stephenson’s Snow Crash – a classic work of cyberpunk fiction published in 1992. In the story, refugees have attached themselves to a privatised aircraft carrier owned by a media company that is heading to the US.

More information
The future of sea basing | Armed Forces Journal
Sea Basing: concepts, issues and recommendations by Sam J. Tangredi (PDF)
Pacific seabasing exercise will highlight new ships | Marine Corps Times
Globalsecurity.org – Seabasing
Figuring Out the Future of War in the Pacific — Or, What the Hell is Seabasing? | Vice News
What is Seabasing | United States Marine Corps
Seabasing Annual Report | United States Marine Corps

Jason Matthews on trade craft and social engineering

Jason Matthews is a former CIA spy who used to run agents. He retired and became a novelist. In his Talk at Google he talks about the spy game, but it’s also interesting in terms of thinking about social engineering in a wider sense.

The July 7th bombing post

The tenth anniversary commemoration of the London bombings caused me to reflect on my memories of the day.

Unlike a lot of London, I was nonplussed about the winning Olympic bid as I had a keen idea of the kind of disruption it would bring to my part of London. The events that happened on July 7 rolled out in a more gradual way for me, so there wasn’t a moment etched in my memory in the same way as I had watching the TV footage of the airplanes hitting the World Trade Center towers. My memory is less distinct. July 7, 2005 started just like most other summer weekdays for me at the time.

I was working as part of the European marketing team at Yahoo! based out of 125 Shaftesbury Avenue; I had been working there for a few months. My journey to work on the Central line was the usual experience of arriving at the office as a hot and sweaty mess due to the overcrowded trains. I wasn’t aware of the tube bombing that happened roughly about the time that I had travelled in.

It was before 10am when I wandered into the legal department, who were in the north east corner of our building on Shaftesbury Avenue. I was trying to get a rush on a press release approval. We were high enough up that it offered a good view over central London north of Oxford Street. Whilst chatting to Liyen McCoy, we heard a crack that sounded to me like an exhaust backfiring on a car. Liyen mentioned that she hoped it wasn’t a bomb; I didn’t think it was at the time. In retrospect, it could have been just a coincidence, or it was the sound of the bomb going off on the bus as it passed through Tavistock Square in Bloomsbury.

I went back to my desk and word started to come through via the internal grapevine that something was up as the first pictures started to hit flickr and attract a surge in viewer numbers. It was pretty soon after this that I noticed that the cell phone network had gone down; I was on Orange (now EE) at the time, and soon other colleagues on Vodafone and O2 noticed a similar drop in network access. Soon after that email stopped working properly.

A little later, word came back into our corner of the office that the editorial team were taking the Yahoo! UK home page offline. They were going to strip the adverts off the page (partly because it wouldn’t be great to have brand adverts positioned against news of this nature, and partly to reduce the strain we were seeing on our servers due to the web traffic coming in). The home page would be hard-coded in HTML and updated manually.

This gave the UK readers a fighting chance of getting up-to-date news; meanwhile I struggled to get any web page at all over the office network as web access degenerated into a series of blank browser screens. My desk phone couldn’t dial out; in fact the only thing that did seem to work was Yahoo! Messenger. Rumours started to swirl around that the government had somehow locked down all the networks near the bomb sites, but the fact that Messenger worked indicated to me that it was just too much traffic. Eventually I managed to contact Jonathan Hopkins, who was the account manager on the Yahoo! account at Bite back then. I found out from him that all his colleagues were accounted for and safe.

There were concerns that there may be other blasts and I can’t remember going out for lunch as we were all advised to stay in the building. Eventually we were allowed home and I walked the six miles back to Bow. I didn’t know my way; my smartphone at the time was a Palm Treo 650 which worked off GPRS, or if you were really lucky EDGE, not that it would have made a difference as I didn’t have cell reception to look up maps online. Even if I had got access to online maps, the Treo 650 didn’t have a built-in GPS unit; that didn’t come along until Nokia launched the N95 18 months later.

I remember I followed the crowds heading east and kept on going as their numbers started to thin. Occasionally I rooted around in my bag for my dog-eared A-to-Z of London to make sure I was going the right way by checking road names against the map. Eventually I managed to find my way to Stepney Green tube station and from there it was plain sailing. As I got near home I managed to text my parents to let them know I was alright.

Tim Cook at The White House Cybersecurity Summit

Whilst on the surface this is a puff piece for Apple, Cook uses the Obama administration’s call to cooperate in making life easier for the intelligence industrial complex to get access to consumer data, and lays out an opposing vision.

He basically kicked Washington DC in the teeth, other significant companies just decided to turn up with a significantly less senior representative to send the same message.

2014: crystal ball gazing, how did I do?

For the past few years I have been thinking about where digital is going and what it all means. At the end of last year, these were my projections:

Amazon won’t do drone delivery in 2014 – Whilst trials of drone deliveries have been ongoing and drones seem to be getting more mainstream thanks to companies like DJI, Amazon hasn’t done deliveries yet. In addition, the FAA in the US started to regulate commercial drone usage, which is likely to slow down adoption in the short term, while providing a stable legal framework of operation in the longer term.

Small data – Not so much an explicit interest in smaller data sets for meaningful things, but the Hortonworks IPO had an almost Netscapean quality to it, with shaky revenue streams and a healthy share price bounce when it came to market. It also made Silicon Valley nervous as companies were concerned about negative perceptions toward the ‘big data’ sector.

Offline to online integration – O2O seems to be a bigger thing in China and other east Asian markets, with ‘mobile search keywords’ put into adverts and TV programmes for years. The QR code seems to be a uniquely Asian form of integration largely abandoned by western developers – mainly because they didn’t seem to use them in as imaginative a manner compared to Tencent et al. Low-power Bluetooth beacons are still experimental. Weve, the joint company set up by the UK wireless carriers to provide contextual data about consumers to integrate online and offline marketing, is running at a loss and has abandoned peripheral business opportunities in mobile wallets/m-payments.

Algorithmic display advertising – there are a number of ways in which greater data is being brought to bear on programmatic ad spend, but algorithms weren’t the biggest thing shaping the market this year. Major brands seem to have developed a distrust of the agency trading desks and the lack of transparency into market data. Instead of giving agencies an unfair advantage and allowing them to play both sides of the trade, they are bringing the trading desk in-house.

Mobile display advertising gets a radical reduction in formats – at the time I wrote this prediction, I had been concerned about clickthrough rates and mistaken clickthroughs, so I considered a reduction in mobile formats to just the ones that worked best, like the page takeover. I didn’t foresee a bubble economy driving mobile display revenues around games apps. This may come to a head soon as western consumers seem to be less open to downloading new apps according to research by Deloitte.

Content marketing on OTT platforms – WeChat has evolved in leaps and bounds with some amazing campaigns coming out in China; Burberry has worked with Tencent to push the envelope on their campaigns and has included live webcasts. We haven’t seen so much of this happening with campaigns aimed at western consumers, but one brand springs to mind: Vivienne Tam, who ran a supermodel contest on the platform including a voting function and a special blog covering activity around New York Fashion Week as a separate tab on the account – all in English.

Chinese technology brands will finally be successful outside China – It’s still early days, but we’ve seen Lenovo and other Chinese brands demolish Samsung’s share of the smartphone market in the developing world. WeChat has expanded into India, Spain and South East Asia. OnePlus and Xiaomi have started selling direct in Europe, Singapore, Indonesia, Malaysia and Hong Kong. Alibaba had a monster IPO and Baidu bought into fast-growing start-ups like Uber.

Privacy issues won’t change much with consumers – Back at the end of last year I didn’t expect the Snowden story to continue to echo onwards. On the surface things didn’t seem to change with consumers, but there has been sufficient consumer interest that technology vendors are addressing (some) consumer privacy needs much to the chagrin of the law enforcement/military industrial complex. This privacy experience hasn’t been universally enjoyed (depending on country regulations) but things are changing.

Technology company workers are the new bankers – the tech worker bus protests that started at the end of December 2013 mushroomed, so by August 2014 Westboro Baptist Church got involved. Uber’s surge pricing and Snapchat’s frat boy CEO were just some of the lightning rods that made the tech sector look like vintage Wall Street.

The rise of immersion – When I wrote my predictions I felt that I had been cheated out of the cyberpunk future that I had been promised and saw it as a major opportunity. Virtual reality had lost out in the 1990s when cumbersome helmet displays would disorientate you and cause you to throw up as the visuals and movement created dissonance, partly due to a lack of computing power. Now we’ve seen cyberpunk author Neal Stephenson become the chief futurist at one VR company, Facebook own another, and companies like Zeiss and Samsung enter the fray. Together with advances in AR post-Google Glass we are likely to see major innovations beyond gaming in the web-of-no-web.

Machine learning will threaten to disrupt programming – while machine learning is making an increased amount of noise in the tech media, it is being seen as a leap forward in artificial intelligence rather than as an alternative strategy to traditional application programming. Skype adopted it for their latest language translation feature.

A race to the bottom will bring out hyper-competition in mobile semiconductor suppliers – the mobile market did race to the bottom, which has made a major dent in Samsung and Huawei’s market share. MediaTek and HiSilicon are producing innovative silicon that has pushed phone performance forward. However, rather than being a race to the bottom on pricing, Qualcomm has been taken to task by the Chinese government, and Qualcomm admitted in its own financial documents that there were at least some partners who weren’t paying them licence fees.

More information
2014: just where is it all going? | renaissance chambara