
Tuesday Morning: Speed of Love

This video fascinates me. I’ve watched it a number of times since Nerdist shared it last month; it’s the 24-minute long set by Freddie Mercury and Queen at the 1985 Live Aid concert held in Wembley Stadium.

Nerdist noted the audience’s response reflects the speed of sound — the visible ripple of fans’ hands speeds across the crowd in response to the sound as it leaves the stage area and travels across the venue. The gif they shared was taken about 16:37 into this set, just as the band begins We Will Rock You.

I think there was more at work here because earlier snaps of the audience reaction during Radio Gaga (roughly 4:25 onward) don’t show the same marked wave across the crowd. But at several points in the set, Mercury interacts with the audience, coaxing them to sing and shout along with him.

And then at 16:35 when he begins We Will Rock You, the crowd is completely in sync with him. They adore him and are utterly engaged. The wave is not just sound but their feeling for Mercury and his performance.

Can you imagine a politician who could induce such a response?

Cybersecurity
Adobe Flash must die, and Google’s slowly exterminating it in Chrome (Ars Technica) — By year’s end, Flash will be disabled by default in Google’s Chrome browser. It will only play when manually enabled. All part of the slow migration to HTML5 away from risky Flash.

Antivirus app halts heart surgery (Ars Technica-UK) — Holy crap. Why does medical equipment need antivirus software to begin with, let alone how does an A/V app launch and run during surgery?

Artificial Intelligence
Dude, that female TA you hit on? An AI bot (Sydney Melbourne Herald) — Wow. Future’s already here and you can’t tell you’ve been dissed by both your prof and the chick-bot-TA.

A series of tubes
Remote healthcare not ready for prime time (ScienceDaily) — Study using fake patients to test direct-to-consumer teledermatology remote health care systems found security problems with IDs, poor-to-bad assignment of clinicians, many errors made in major diagnoses, insufficient warning to pregnant patients when meds prescribed, just for starters. Think of this as Healthcare Internet of Things Fail.

Super. Fast. Wireless. Internet. Coming. To. YOU! Really? (MIT Technology Review) — Ugh, so breathless with excitement they are about this startup called Starry. I was, too, initially, but we’ve been told this crap for more than a decade. Since this requires the cooperation of Verizon, AT&T, Facebook, and Google to standardize on this platform AND reception relies on line-of-sight, I’m not holding my breath.

The Business
New business for Amazon to tackle: its own private label groceries (Techcrunch) — Amazon doesn’t want to leave a penny on the table. If customers are too price sensitive to click their Dash button for a big name brand consumer good, they’ll offer their own instead. Prime accounts only, though; first goods will be heavy on baby needs, which makes sense given parents are often a captive audience.

Norway’s sovereign (oil) wealth fund to sue Volkswagen (AP) — Fossil fuel-created fund owns 1.64% stake in Volkswagen. It’s suing to protect its assets exposed by VW’s emissions controls cheat. Imagine me laughing at oil suing a car company for the manner in which it promulgated oil consumption.

Norway’s Statoil to launch first floating wind farm (Bloomberg) — This company is well ahead of Shell when it comes to diversifying energy production.

Flint Water Crisis
Michigan’s top law enforcement agent unaware of Michigan State Police “quiet investigation” (WZZM) — Still scratching my head over this one. Why did the governor ask MSP to conduct an administrative — not criminal — investigation, omitting the state attorney general? And who’s conducting a genuine criminal investigation, including the governor’s role?

Gender Equity
Toy maker(s) insisted Iron Man 3 movie must have male, not female villain (The Mary Sue) — In other words, Marvel’s big sweeping superhero movies are really just very long trailers to sell boys’ toys. Girls and women need not apply. I have no idea how they can make a decision based on any realistic data given the dearth of female villains on screen and in toys. Is this just some lame argument for inequity in front and behind the camera?

Running behind, probably read too much today and swamped my processing circuits. Hope mid-week becomes a little more focused — catch you tomorrow!


Thursday Morning: Eye in the Sky

I am the eye in the sky
Looking at you
I can read your mind
I am the maker of rules
Dealing with fools
I can cheat you blind

— excerpt, Eye in the Sky by Alan Parsons Project

It’s not like I wanted to haul out all my high school and college music, but they sure seem to work well this week.

Speaking of the eye in the sky…

FBI and DHS circle overhead a LOT
Buzzfeed published its findings after looking into FBI and DHS surveillance flight records, finding a lot of planes circling over mosques. The results also looked at flights immediately after the San Bernardino shooting. You know what would be interesting? Comparing that information against the handling timeline for the Apple iPhone issued to Syed Farouk by his employer.

U.S. dealerships sue Volkswagen – but expand on Dieselgate
Not only are three family-owned dealerships suing VW for its fraudulent use of an emissions control defeat system in their diesel passenger vehicles — they are suing because of VW’s financing practices, which steered money away from dealership’s preferred financing while leaving the dealerships stuck with rapidly depreciated business value. The potential losses to VW just swelled by another magnitude.

Iceland’s new PM expects elections this fall
Rather than dissolving the government, the former Prime Minister Sigmundur David Gunnlaugsson’s coalition partners negotiated the appointment of Sigurdur Ingi Johannsson as his replacement after Gunnlaugsson’s Panama Papers-driven resignation. Johannsson said the coalition expects elections this autumn while continuing to focus on working on stability. That’s a nice way of saying the Progressive Party and the Independence Party are stalling for time to avoid a likely rout if elections were held today. Polling indicates the Pirate Party would stomp the other three major parties if a vote was held now.

MP and Official spokesperson of the Pirate Party Birgitta Jónsdóttir was interviewed by Democracy Now! about Iceland’s current political climate. Jonsdottir, a possible contender for PM, explained her country’s reaction to the Panama Papers’ revelations:

…What is in particular disturbing about the prime minister’s conduct in this matter is that the day before new laws took effect in Iceland about how you declare and how tax havens are dealt with, because Iceland is a part of a sort of a campaign, international campaign, to stop tax havens being a part of a solution on how to get away from participating in paying tax in your own country. He signed—he sold his wife his share for one dollar the day before the laws took effect. And that, in itself, seems highly dubious. And then, he has actually been using his wife as a shield and saying that people that are criticizing him are attacking his wife. I actually think that this guy is in some sort of meltdown, because his behavior in the last few days has been so outrageous that it seems like we are stuck in a satire by Dario Fo, you know, in a complete theater of the absurd. And I’m just so deeply humiliated on behalf of my nation that this is what the outside world is looking at. …

The feeling of betrayal is palpable. It’s a good read, do check it out in its entirety.

Odd lots

  • Massive breach exposes 55 million Philippine voters’ identities (The Register) — That’s Philippines’ Commission on Elections (COMELEC) *entire* database, which COMELEC claims doesn’t contain anything sensitive. Except for stuff like fingerprints and passport numbers. Oh, and all the information for half the entire country’s population.
  • China’s ‘Great Firewall’ architect reduced to using VPN during a speech (Shanghaist) — Oops.
  • Adobe patching a Flash zero-day (Naked Security) — Again. I know, I know, when will Flash die?
  • Climate change could lengthen Europe’s dengue fever season (Science Daily) — Longer, warmer summers will extend the season for Aedes aegypti and Aedes albopictus mosquito populations, the disease’s key infection vectors. Hey, you know what else might show up for longer periods of time, too? Zika, since it’s carried by Aedes aegypti.

Wow. It’s coffee break time already? Have at it. Catch you tomorrow morning!

Friday Morning: Lovely

We made it to Friday! Yay! And that means another jazz genre. This week it’s shibuya-kei, a sub-genre/fusion born of Japanese jazz. Our sample today is by Kenji Ozawa. Note how damned perky it is, blending jazz elements with pop and synthpop. Its cuteness might also be described as kawaii, but that’s a whole ‘nother topic.

Some other shibuya-kei artists you might want to try are Paris Match (Metro), Aira Mitsuki (Butterly), Maki Nomiya (Shibuya-kei Standards), Takako Minekawa (Plash), and Kensuke Shiina (Luv Bungalow).

Get your mellow on and jazz your Friday up.

Urgent: Update Adobe Flash immediately if you apply patches manually
Go to this Security Bulletin link at Adobe for details. The update fixes 23 vulnerabilities, one or more of which are being used in exploits now though information about attacks are not being disclosed yet. And yes, this past Tuesday was Patch Tuesday, but either this zero-day problem in Flash was not known then, or a solution had not yet been completed, or…whatever. Just make sure you check all your updates, with this Adobe Flash patch at the top of the list.

USDOJ doing its PR thing on #AppleVsFBI
After reports this week that FBI director James Comey was a political liability in the case against Apple, U.S. Attorney General Loretta Lynch appeared on Stephen Colbert’s The Late Show to make the case for Apple writing code as requested by USDOJ. She said,

“First of all, we’re not asking for a backdoor, nor are we asking anyone to turn anything on to spy on anyone. We’re asking them to do what their customer wants. The real owner of the phone is the county, the employer, of one of the terrorists who is dead,”

Right. And my iPhone-owning kid wants a ham sandwich — will Apple write an app on demand for that, just because my kid’s the owner of the iPhone?

Look, nearly all software is licensed — the San Bernardino shooter’s iPhone may be property of the county that employed him, but the iOS software is property of Apple. Maybe Lynch needs a ham sandwich, too, a little boost in blood sugar to grok this point.

Volkswagen’s Terrible, No Good, Very Bad Week continues

  • Looks like VW’s U.S. CEO Michael Horn bailed out because he butted heads with the Holzkopfs in German leadership (Jalopnik)
  • By butting heads, that is to say, Horn dislikes the idea of jail time (Forbes) — though naming executives is pro forma on such lawsuits, if Horn was only in his role for roughly 18 months and this fraud goes back 8-9 years, AND Germany’s executive team disagreed with Horn’s proposal for U.S. dealers and vehicle owners, he’s reasonably twitchy about sticking around.
  • VW updated its emissions standards defeat code after its existence was revealed (Forbes) — wanna’ bet it was a software patch?

Stray cats and dogs

  • White House wants +20M more Americans on broadband (DailyDot) — Under ConnectALL initiative, a new subsidy program will help low income citizens get online with broadband access.
  • Pew Research study shows 15% of Americans still not online (Pew Research Center) — Rural, low income, minority, elderly are most likely not to have internet access; they’re the same target group as proposed federal ConnectALL program.
  • But good luck with broadband speed or cable TV content if HBO-TWC-Charter continue to scuffle over the TWC-Charter merger (AdAge) — Yet another example of the fundamental conflict between content makers and internet providers; internet providers should focus on the quality of their internet service, not on the content in the ‘series of tubes’ they supply.

And just for giggles, note the Irish economy has expanded at fastest rate since 2000. Gee, I wonder what would happen to the Irish economy if major tech companies like Apple moved to Ireland?

I’m out of here — have a great weekend!

Could Corporations Include CISA Non-Participation in Transparency Reports? Would It Even Mean Anything?

I confess I don’t know the answer to this question, but I’m going to pose it anyway. Could companies report non-participation in CISA — or whatever the voluntary cyber information sharing program that will soon roll out is eventually called — in their transparency reports?

I ask in part because there’s great uncertainty about whether tech companies support or oppose the measure. The Business Software Alliance suggested they supported a data sharing bill, until Fight for the Future made a stink, when at least some of them pulled off (while a number of other BSA members, like Adobe, IBM, and Siemens, will surely embrace the bill). A number of companies have opposed CISA, either directly (like Apple) or via the Computer and Communications Industry Association. But even Google, which is a CCIA member, still wants a way to share information even if they express concerns about CISA’s current form. Plus, there is some indication that some of the companies claiming to oppose CISA — most notably, Facebook — are secretly lobbying in favor of it.

In the wake of CISA passing, activists are wondering if companies would agree not to participate (because participation is, as Richard Burr reminded over and over, voluntary, even if the key voluntary participants will also be bidding on a $50 billion contract as CISA rolls out). But I’m not sure what that would even mean.

So, first, would companies legally be permitted to claim in their transparency reports that they did not voluntarily participate in CISA? There are a lot of measures that prohibit the involuntary release of information about companies’ voluntary participation in CISA. But nothing in the bill seems to prohibit the voluntary release of information about companies’ voluntary non-participation.

But even if a company made such a claim — or claimed that they only share cyber indicators with legal process — would it even be meaningful? Consider: Most of the companies that might make such a claim get hacked. Even Apple, the company that has taken the lead on pushing back against the government, has faced a series of attacks and/or vulnerabilities of late, both in its code and its app store. But any disclosures it made to the Federal government and to its app vendors would be covered by CISA unless Apple deliberately disclosed that information outside the terms of CISA — for example, by deliberately leaving personally identifiable information in any code it shared, which it’s not about to do. Apple will enjoy the protections in CISA whether it asked for them or not. I can think of just two ways to avoid triggering the protections of CISA: either to only report such vulnerabilities as a crime report to FBI (which, because it bypassed the DHS, would not get full protection, and which would be inappropriate for most kinds of vulnerability disclosures), or to publicly disclose everything to the public. And that’s assuming there aren’t more specific disclosures — such as attempts to attack specific iCloud accounts — that would legitimately be intelligence reports. Google tells users if it thinks state actors are trying to compromise their accounts; is this appropriate to share with the government without process? Moreover, most of the companies that would voluntarily not participate already have people with clearance who can and do receive classified intelligence from the government. Plus, these companies can’t choose not to let their own traffic that transits the communications backbone be scanned by the backbone owners.

In other words, I’m not sure how a company can claim not to participate in CISA once it goes into effect unless it doesn’t share any information. And most of the big tech companies are already sharing this information among themselves, they want to continue to do that sharing, and that sharing would get CISA protections.

The problem is, there are a number of kinds of information sharing that will get the permission of CISA, all of which would count as “participating in it.” Anything Apple shared with the government or other companies would get CISA protection. But that’s far different than taking a signature the government shares and scanning all backbone traffic for instances of it, which is what Verizon and AT&T will almost certainly be doing under CISA. That is, there are activities that shouldn’t require legal process, and activities that currently do but will not under CISA. And to get a meaningful sense of whether someone is “participating” in CISA by performing activities that otherwise would require legal process, you’d need a whole lot of details about what they were doing, details that not even criminal defendants will ever get. You’d even need to distinguish activities companies would do on their own accord (Apple’s own scans of its systems for known vulnerabilities) from things that came pursuant to information received from the federal government (a scan on a vulnerability Apple learned about from the government).

We’re never going to get that kind of information from a transparency report, except insofar as companies detail the kinds of things they require legal process for in spite of CISA protection for doing them without legal process. That would not be the same thing as non-participation in CISA — because, again, most of the companies that have raised objections already share information at least with industry partners. But that’s about all we’d get short of really detailed descriptions of any scrubbing that goes on during such information sharing.

How Did Two CISA Beneficiaries and Numerous Agnostics Come to Support CISA?

When the Business Software Alliance released this letter a while back, I was perplexed.

In addition to its call for Congress to pass a set of designated bills, including ECPA reform, that would give assurances to international customers that US services weren’t more exposed to US spying, the letter also called for passage of cybersecurity sharing legislation.

Cyber Threat Information Sharing Legislation will promote cybersecurity and protect sensitive information by enabling private actors in possession of information about vulnerability and intrusions to more easily share that information voluntarily with others under threat, thus enabling the development of better solutions faster.

As TechDirt noted, the letter didn’t name any particular cyber sharing bill, but there are three and all expand US government access to data. Even if some or all tech companies that make up BSA wanted such a bill it seemed odd to include in a call for legislation that would reassure international customers. I asked around and the impression was it was just convenience to include a CISA-type legislation (but why include it at all)?

So then Fight for the Future went to work. It got thousands of activists to complain to the companies directly about their stated support for a CISA-type legislation. And also announced their intention to stop using Heroku, which is part of Salesforce, as their host.

That led first Salesforce then BSA more generally to deny they had ever supported CISA. The BSA language pretended their original letter called for balanced legislation. And it also claimed to consistently advocate for strong privacy protections on such legislation — which of course they didn’t do in the letter.

There have been questions about our views of the current CISA legislation. For clarity, BSA does not support any of the three current bills pending before Congress, including the Cybersecurity Information Sharing Act (CISA), the Protecting Cyber Networks Act (PCNA), and the National Cybersecurity and Communications Integration Center (NCCIC) Act.

Consistent with this view, BSA’s September 14 data agenda letter to Congressional leaders identified five key areas where Congress can pass legislation to strengthen the policy environment around digital commerce, including voluntary information sharing, and highlighted the need for balanced legislation in this area.

BSA has consistently advocated for strong privacy protections in all information sharing bills currently pending before the Congress.

We will continue to work with the Congress, others in industry and the privacy community to advance legislation that effectively deals with cyber threats, while protecting individual privacy.

All of this raises more questions about how the endorsement for cyber sharing — at a time when none of the cyber sharing bills before Congress balance privacy interests — got into the letter.

Especially given the signatories. The signatories include companies — like Apple — that have fought hard to protect their customers’ privacy. It included several — notably Adobe and Siemens — that could significantly benefit from any kind of immunity, given that their products are among the most consistent targets of hacks. Most interesting, it includes several companies — including IBM and Symantec — that will benefit when a CISA bill makes it easier for cybersecurity contractors to get more data with which to serve customers.

Indeed, the language from the original bullet supporting cyber sharing — “enabling private actors in possession of information about vulnerability and intrusions to more easily share that information voluntarily with others under threat” — might well describe how cybersecurity contractors will get a boost from CISA.

Some members of BSA probably do, individually, support CISA for the immunity and data it would give them. Others neither need it nor want the stigma.

So how did it get in this letter?