
Leaving Elmo’s Marriage

[NB: check the byline, thanks. /~Rayne]

My moderation team counterpart bmaz is a bit put out at people who are flouncing Twitter dramatically. We don’t see eye to eye about the topic of departing Twitter now. I’m among those who are unwinding their accounts now that Elmo has been forced into marrying Twitter, Inc.

Elmo’s turbulent management style is one reason I’d like to leave. Who knows what any given day will yield – will a new policy pop up out of the blue insisting users must pay for services to which they’ve become accustomed for years?

Security is another matter of concern, and in saying security I mean I have my doubts about personal data security now that Elmo has capriciously announced he’s going to fire 75% of Twitter’s personnel…and now 50% this Friday…and maybe with or without compliance with state or federal WARN Act.

Does anyone really think Twitter personnel are at top form right now when they’re looking over their shoulder for their pink slip? Could you blame them if they aren’t?

But my biggest single reason for wanting to leave Twitter is this: I do not want to be Elmo’s product.

~ ~ ~

Artist Richard Serra said of his experience viewing the painting Las Meninas (c. 1656) by Diego Velázquez:

“I was still very young and trying to be a painter, and it knocked me sideways. I looked at it for a long time before it hit me that I was an extension of the painting. This was incredible to me. A real revelation. I had not seen anything like it before and it made me think about art and about what I was doing, in a radically different way. But first, it just threw me into a state of total confusion.”

When one first sets eyes upon the painting, it appears to be one of the young Infanta Margaret Theresa of Spain and her ladies in waiting, standing next to a portraitist at work. It takes a moment to realize that the portraitist isn’t painting the Infanta but whomever the Infanta is observing, and yet another moment to realize the subject of the portrait and the Infanta’s gaze can be seen in the mirror behind them.

The painting’s observer will then realize they are standing in for the Infanta’s parents who are being painted by the portraitist — and the painting is a self portrait of Velázquez at work. The painting’s observer is a proxy who has not fully consented to their role but nonetheless becomes the subject of the painter at work.

It is this same inversion which must be grasped to understand why I refuse to be Elmo’s product.

I know that I am not Twitter’s customer. I’m not the consumer.

If I remain I am the consumed in Elmo’s forced marriage scenario.

~ ~ ~

Serra and director Carlota Fay Schoolman produced a short film in 1973 entitled, “Television Delivers People.” It was considered video art, using a single channel with a text scroll to critique television.

This excerpt explains the relationship between the audience and television:

Commercial television delivers 20 million people a minute.
In commercial broadcasting the viewer pays for the privilege of having himself sold.
It is the consumer who is consumed.
You are the product of t.v.
You are delivered to the advertiser who is the customer.
He consumes you.
The viewer is not responsible for programming —
You are the end product.

What television did in the 1970s, social media does today. It consolidates access to disparate individuals over distances into audiences of varying sizes and offers them to advertisers.

Social media is mass media.

Social media, however, doesn’t serve audiences to advertisers alone. Given the right kind of incentives and development, audiences can be bought for other purposes.

There are almost no regulatory restrictions on audiences being identified, aggregated, bought, and resold, and very little comprehensive regulation regarding data privacy.

Elmo so far doesn’t appear to understand any of this between his uneducated blather about free speech and his ham-handedness about Twitter’s business model.

I do not want to be sold carelessly and indifferently by Elmo.

~ ~ ~

If you are a social media user, even if validated or a celebrity with millions of followers, you are the product. You are being sold by the platform to advertisers.*

There may even be occasions when you’re not sold but used – recall the access Facebook granted to researcher Aleksandr Kogan in 2013 as part of experimentation, which then underpinned the work of Cambridge Analytica ahead of the 2016 election.

Facebook was punished by the Federal Trade Commission for violating users’ privacy, but there’s still little regulatory framework to assure social media users they will not be similarly abused as digital chattel.

What disincentives are there to rein in a billionaire with an incredibly short attention span and little self control now that he’s disbanded Twitter’s board of directors? What will prevent Elmo from doing what Facebook did to its users?

I’ve raised a couple kids with ADD. I don’t want to be on the other end of the equation, handled as digital fungible by an adult with what appears to be ADD weaponized with narcissism.

I deserve better.

I’m only going to get it if I act with this understanding, attributed again to Serra:

If something is free, you’re the product.

~ ~ ~

By now you should be used to hearing this, but I’m leaving this marriage, Elmo.

Treat this as an open thread.

__________

* We do not sell data about our community members.

Security Saturday

[NB: check the byline as usual, thanks. /~Rayne]

I have Disney’s ‘Cinderelly’ song from the animated movie Cinderella stuck in my head now as I do my weekend cleaning.

We observed “Cinderella Saturdays” when my kids were younger. At 10:00 a.m. the morning cartoons were turned off (or the teenagers awakened) and appropriate Get Moving music put on the stereo.

For the next two to four hours we’d tear through the house with vacuums and mops and dust rags, throwing bedding in the laundry and hanging wash on the line.

It felt so good to be done with the chores by mid-afternoon. Or done with the irritating question, “When are we going to be able to play?”

~ ~ ~

It’s Saturday once again, but our cleaning chores have changed. Now it’s time to address digital chores like information security, ensuring the week will be safer than the last.

— If you haven’t reset your passwords recently, it’s past time.

— If you haven’t set up Multi-Factor Authentication, it’s also past time.

— If you haven’t recently used some apps on your mobile devices, it’s time to remove those you don’t need. Please consider using a good browser to access services instead of apps because each app is a new security risk, a chance to be hacked.

— If you feel like you need more information about personal information security, visit Electronic Frontier Foundation’s Surveillance Self-Defense page.

https://ssd.eff.org

— This site by Tactical Tech is no longer being updated but it’s still a decent guide to privacy and security considerations you might want to browse as a guideline:

https://myshadow.org/increase-your-privacy

Tactical Tech also offers their own resource kit called Security in a Box:

https://securityinabox.org/en/

— If you don’t have this automated already and haven’t cleaned your browser’s cache, search and download history, cookies, site settings, now’s the time to go through them.

— If you don’t have antivirus and antimalware applications set up on an automatic schedule, it’s also time to get this done.

— If you don’t have instructions “in case of an emergency” about your online accounts for your family, now’s the time to draft them and put them wherever you also keep your legal documents like a springing power of attorney, patient advocate authorization, and so on.

~ ~ ~

Now a few words about housekeeping for this site.

First, you may have noticed occasional lags or quirks in service of late. You may assume we’ve made somebody unhappy and they’re having a “tantrum,” in which case you may need to wait until the “tantrum” is done.

You can check for us online at Twitter — our accounts are:

@emptywheel
@bmaz
@raynetoday
@MasaccioEW
@JimWhiteGNV

(I don’t think Peterr has a Twitter account, sorry.)

Second, how our security works won’t be elaborated upon here, but you can guess there are triggers which may cause your comments not to make it directly onto the page. Things you can do to reduce the possibility of tripping a trigger:

— Make sure you use the same username each time, spelled the same way. (You have NO idea how much time is spent checking users’ account information and correcting some minor typo or spelling error because it’s tripped up a comment.) Save the information in a plain text notepad file to cut-and-paste if you’re forgetful or prone to fat fingering keys.

And no, we’re not going to look for a new comment system. We do not need to maintain a separate database which may also collect and sell your data.

— If your post has links, you may wish to “break” the link by inserting blank spaces so that it’s not active when posted; an active link may cause auto-moderation. The more links you share in your comment, the more likely your comment will go into auto-moderation.

— There are times when security is tighter, especially if you’re using a VPN. I’m sorry but this is simply a necessity for the security of the site and community members.

— Comments allow only a narrow range of HTML tags here; this is another security measure.

— If you’re being an ass and/or SHOUTING or swearing at community members or contributors/moderators, you can expect auto-moderation to kick in; see our Community Guidelines for more elaboration.

— For the safety of this site and others, please consider removing tracking from URLs you share in your comments. Links to sites of a questionable nature will never make it onto the site, including links to Google Docs.

Twitter links in particular are very easy to edit to remove tracking — just delete the question mark and everything after it so Twitter doesn’t have a full path from you, your machine, the person you’re retweeting/sharing, back to this site.
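The link-scrubbing rule above, as an added example that is not part of the original post: a small Python helper that drops everything from the “?” onward for twitter.com links, as described, and, going a step further, strips well-known campaign and click-ID parameters (utm_*, fbclid, gclid) from links to other sites. The tracking-parameter list and the sample URLs are constructed for this example.

```python
"""Scrub tracking parameters from URLs before pasting them into a comment."""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Hosts whose query string carries only tracking (e.g. "?s=20&t=..."), so
# everything from the "?" onward is dropped, as the post recommends for Twitter.
DROP_ALL_QUERY_HOSTS = {"twitter.com", "mobile.twitter.com"}

# Well-known campaign/click-ID parameters to remove from other sites. This list
# is an assumption made for the example; the post only spells out the Twitter rule.
TRACKING_PARAM_PREFIXES = ("utm_",)
TRACKING_PARAMS = {"fbclid", "gclid", "mc_cid", "mc_eid"}


def _host(netloc: str) -> str:
    """Lower-cased hostname without userinfo, port or a leading 'www.'."""
    host = netloc.rsplit("@", 1)[-1].split(":", 1)[0].lower()
    return host[4:] if host.startswith("www.") else host


def is_tracking_param(name: str) -> bool:
    """True for parameter names that exist only to track the reader."""
    name = name.lower()
    return name in TRACKING_PARAMS or name.startswith(TRACKING_PARAM_PREFIXES)


def strip_tracking(url: str) -> str:
    """Return `url` with tracking removed; non-URLs are returned unchanged."""
    parts = urlsplit(url.strip())
    if not parts.scheme or not parts.netloc:
        return url  # not an absolute URL; nothing safe to do with it
    if _host(parts.netloc) in DROP_ALL_QUERY_HOSTS:
        # "delete the question mark and everything after it"
        return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if not is_tracking_param(k)]
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(kept), parts.fragment))


if __name__ == "__main__":
    # Constructed sample links (status IDs and hosts are made up).
    for link in (
        "https://twitter.com/emptywheel/status/1234567890?s=20&t=AbCdEf",
        "https://www.example.com/story?utm_source=tw&utm_medium=social&id=42#top",
        "https://www.example.com/story?id=42",
    ):
        print(link, "->", strip_tracking(link))
```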

~ ~ ~

And now set up reminders in your calendar: clean your browser weekly, change your password monthly to quarterly, check all your other security bells and whistles at least 2-4 times a year.

You can go play when you’ve finished your housekeeping chores.

Software is a Long Con

I had a conversation with a bridge engineer one evening not long ago. I said, “Bridges, they are nice, and vital, but they fall down a lot.”

He looked at me with a well-worn frustration and replied, “Falling down is what bridges do. It’s the fate of all bridges to fall down, if you don’t understand that, you don’t understand bridges.”

“Ok, I do understand that,” I replied. “But they fall down a lot. Maybe if we stepped back and looked at how we’re building bridges –”

“You can’t build a bridge that doesn’t fall down. That’s just not how bridges work.”

I took a deep breath. “What if you could build a bridge that didn’t fall down as often?”

“Not practical — it’s too hard, and besides, people want bridges.” By now, he was starting to look bored with the conversation.

“I bet if you slowed down how you build bridges, you could make ones that lasted decades, even in some cases, centuries. You might have to be thoughtful, set more realistic expectations, do a lot more of the design of a bridge before you start building it, but…”

He interrupted me again. “Look, you’re not a bridge engineer, so you don’t really understand how bridges work, but people want bridges now. So no one is going to build a bridge like that, even if it were possible, and I’m not saying it is.”

“But people get hurt, sometimes die, on these bridges.”

“Bridges fall down. Sometimes people are on them when they do. That’s not my fault as a bridge engineer, that’s literally how gravity works,” he said.

“I know there will always be accidents and problems with bridges, but I really do think that you could build them with careful planning, and maybe shared standards and even regulations in such a way that bridge collapses could be rare. Some of the problems with bridges are faults we’ve known about for decades, but they still get built into bridges all the time.”

He took a deep breath, and pinned me with a stare. “Even if we could, and it’s still entirely possible that no one can build these mythical bridges you’re talking about, that would slow down the building of bridges. People need bridges to get places. No one could afford to build bridges that slowly, and people would complain.” He stretched out the –plaaaain in complain, in a way that made clear this was the end of the argument and he’d won.

“They might not complain if they didn’t fall off bridges so often,” I mumbled.

He heard me. “Unlike you, people know that bridges fall down.”

Just then, a friend of mine, also a writer, also interested in bridges, stopped by.

“Hey guys!” he said. “So it looks like there’s a crew of Russian bridge destroyers with hammers and lighters who are running around in the middle of the night setting fires to bridges and knocking off braces with hammers. They started in Ukraine but they’re spreading around the world now, and we don’t know if our bridges are safe. They’ve studied bridges carefully and they seem to be good at finding where they’re most flammable and which braces to knock off with their hammer.”

We both regarded my friend a long moment, letting it sink in. I turned back to the bridge engineer and said, “Maybe we need to make them out of non-flammable material and rivet them instead of using exposed braces and clamps.”

But he was already red in the face, eyes wide with anger and fear. “GET THE RUSSIANS!” he screamed.

OK, obviously it’s not bridges I’m talking about, it’s software. And that other writer is Wired’s Andy Greenberg, who wrote a piece not that long ago on Russian hacking.

Greenberg’s detailed and riveting story focuses largely on the politics of hacking, and the conflict between an increasingly imperialist Russia and Ukraine, with an eye towards what it means for America. For people who respond to such attacks, like FireEye and CrowdStrike, these kinds of events are bread and butter. They have every reason to emphasize the danger Russia (or a few years ago, China) pose to the USA. It’s intense, cinematic stuff.

It’s also one of a long sequence of stories in this vein. These stories, some of which I’ve written over the years, show that our computers and our networks are the battlegrounds for the next great set of political maneuvers between nation-states. We the people, Americans, Russians, whomever, are just helpless victims for the coming hacker wars. We have Cyber Commands and Cyber attack and Cyber defense units, all mysterious, all made romantic and arcane by their fictional counterparts in popular media.

But there’s another way to look at it. Computer systems are poorly built, badly maintained, and often locked in a maze of vendor contracts and outdated spaghetti code that amounts to a death spiral. This is true of nothing else we buy.

Our food cannot routinely poison us. Our electronics cannot blow up, and burn down our houses. If they did, we could sue the pants off whoever sold us the flawed product. But not in the case of our software.

The Software Is Provided “As Is”, Without Warranty of Any Kind

This line is one of the most common in software licenses. In developed nations, it is a uniquely low standard. I cannot think of anything infrastructural that is held to such a low standard. Your restaurants are inspected. Your consumer purchases enveloped in regulations and liability law. Your doctors and lawyers must be accredited. Your car cannot stop working while it is going down the freeway and kill you without consequences, except maybe if it’s caused by a software bug.

It is to the benefit of software companies and programmers to claim that software as we know it is the state of nature. They can do stupid things, things we know will result in software vulnerabilities, and they suffer no consequences because people don’t know that software could be well-written. Often this ignorance includes developers themselves. We’ve also been conditioned to believe that software rots as fast as fruit. That if we waited for something, and paid more, it would still stop working in six months and we’d have to buy something new. The cruel irony of this is that despite being pushed to run out and buy the latest piece of software and the latest hardware to run it, our infrastructure is often running on horribly configured systems with crap code that can’t or won’t ever be updated or made secure.

People don’t understand their computers. And this lets people who do understand computers mislead the public about how they work, often without even realizing they are doing it.

Almost every initial attack comes through a phishing email. Not just initial attacks on infrastructure — initial attacks on everything — begin with someone clicking on an attachment or a link they shouldn’t. This means most attacks rely on a shocking level of digital illiteracy and bad IT policy, allowing malware to get to end-user computers, and failing to train people to recognize when they are executing a program.

From there, attackers move laterally through systems that aren’t maintained, or written in code so poor it should be a crime, or more often, both. The code itself isn’t covered by criminal law, or consumer law, but contract law. The EULAs, or End User Licensing Agreements (aka the contracts you agree to in order to use software), which are clicked through by infrastructure employees are as bad as, or worse than, the ones we robotically click through every day.

There are two reasons why I gave up reporting on hacking attacks and data breaches. One is that Obama’s Department of Justice had moved their policies towards making that kind of coverage illegal, as I’ve written about here. But the other, more compelling reason, was that they have gotten very, very boring. It’s always the same story, no one is using sophistication, why would you bother? It’s dumb to burn a zero day when you can send a phishing mail. It’s dumb to look for an advanced zero day when you can just look for memory addressing problems in C, improperly sanitized database inputs, and the other programmatic problems we solved 20 years ago or more.

Programmers make the same mistakes over and over again for decades, because software companies suffer no consequences when they do. Like pollution and habitat destruction, security is an externality. And really, it’s not just security, it’s whether the damn things work at all. Most bugs don’t drain our bank accounts, or ransom our electrical grids. They just make our lives suck a little bit more, and our infrastructure fail a little more often, even without any hackers in sight.

When that happens with a dam, or a streetlight, or a new oven, we demand that the people who provided those things fix the flaws. If one of those things blows up and hurts someone, the makers of those things are liable for the harm they have caused. Not so if any of these things happen because of software. You click through our EULA, and we are held harmless no matter how much harm we cause.

When I became a reporter, I decided I never wanted my career to become telling the same story over and over again. And this is, once again, always the same story. It’s a story of software behaving badly, some people exploiting that software to harm other people, and most people not knowing they could have it better. I’m glad people like Andy Greenberg and others at my old Wired home, the good folks at Motherboard and Ars Technica, and others, are telling these stories. It’s important that we know how often the bridges burned down.

But make no mistake, as long as we blame the people burning the bridges and not the people building them, they will keep burning down.

And shit software will still remain more profitable than software that would make our lives easier, better, faster, and safer. And yeah, we would probably have to wait a few more months to get it. It might even need a better business model than collecting and selling your personal information to advertisers and whomever else comes calling.

I could keep writing about this, there’s a career’s worth of pieces to write about how bad software is, and how insecure it makes us, and I have written many of those pieces. But like writing about hackers compromising terrible systems, I don’t want to write the same thing telling you that software is the problem, not the Chinese or the Russians or the boogeyman du jour.

You, the person reading this, whether you work in the media or tech or unloading container ships or selling falafels, need to learn how computers work, and start demanding they work better for you. Not everything, not how to write code, but the basics of digital and internet literacy.

Stop asking what the Russians could do to our voting machines, and start asking why our voting machines are so terrible, and often no one can legally review their code.

Stop asking who is behind viruses and ransomware, and ask why corporations and large organizations don’t patch their software.

Don’t ask who took the site down, ask why the site was ever up with a laundry list of known vulnerabilities.

Start asking lawmakers why you have to give up otherwise inalienable consumer rights the second you touch a Turing machine.

Don’t ask who stole troves of personal data or what they can do with it, ask why it was kept in the first place. This all goes double for the journalists who write about these things — you’re not helping people with your digital credulity, you’re just helping intel services and consultants and global defense budgets and Hollywood producers make the world worse.

And for the love of the gods, stop it with emailing attachments and links. Just stop. Do not send them, do not click on them. Use WhatsApp, use Dropbox, use a cloud account or hand someone a USB if you must, but stop using email to execute programs on your computer.

Thanks to my Patrons on Patreon, who make this and my general living possible. You can support more of this work at Patreon.

Image CC Skez

Friday Morning: It’s Five Somewhere

This week has been really long. Painfully dragged out. Mid-week snowstorm probably didn’t help. But here we are, survivors with another week and yet another Presidential campaign debate under our belts.

I’ll keep it short and snappy given how much ugly we’ve been through.

Your information security is only as good as the stupidest person on staff
“Hello, FBI? I’m new here and I don’t have my code. Can you help a girl out?” No joke, that’s about all it took for one unnamed hacktivist to get inside the FBI. And yet the FBI demands backdoors into all mobile devices. I can’t even…

Meet your new immortal overlord: Your self-driving car
This first graf scares the crap out of me:

The computer algorithms that pilot self-driving cars may soon be considered the functional equivalents of human drivers. That’s the early opinion of the National Highway Traffic Safety Administration—and so begins our slow-burn acquiescence in the battle of man versus machine.

And not even for the reasons that PC World’s editor-in-chief Jon Phillips outlines in his editorial. If a governmental agency recognizes an algorithm as equal to a human, how long before humans are actually subordinate to artificial intelligence? It’s bad enough corporations — legal constructs — have nearly the same rights as humans and can live forever. This needs to die on the vine right now — especially since Google is ramping up hiring for its line of self-driving cars.

Speaking of Google…

Busy week on Zika front

Media commentator Douglas Rushkoff interviewed on digital society

You left Facebook in 2013. How is that working out for you?

Professionally, I’m thinking it may be good for one’s career and business to be off social media altogether. Chris Anderson was wrong. “Free” doesn’t lead to anything but more free. Working for free isn’t leverage to do a talk for loads of money; now they even want you to talk for free. What am I supposed to do? Join YouTube and get three cents for every 100,000 views of my video? That is crap; that is insane! …

A worthwhile read, give it a whirl when the dust begins to settle.

Here’s hoping the weekend moves as slowly as this week did. Huli pau!

Sony, the White House, and 10 Downing Street: What’s the Quid Pro Quo?

Lots of ugly things crawled out of Sony Pictures Entertainment’s emails leaked by hackers this past autumn.

The leak of emails and intellectual property, including then-unreleased film The Interview, was labeled “a serious national security matter” by the White House. In January this year, President Obama issued an executive order increasing sanctions against North Korea, the purported origin of the hack on SPE’s network and computers.

Sony Pictures Entertainment (SPE) is a wholly-owned subsidiary of Sony Corporation, a Japanese multinational conglomerate. In offering retaliation on behalf of SPE, the White House placed SPE on par with critical U.S. infrastructure, though no one will be physically injured or die should SPE be hacked again, and the market won’t collapse if SPE loses money on all its movies this year.

If SPE, a foreign-owned, information security-challenged entertainment firm, is now entitled to military protection against cyberattack, what is it the White House and the U.S. will receive or has received in exchange?

What’s the exchange in this quid pro quo?

Which brings us to the matter of STARZ’ cable series, Outlander, and UK Prime Minister David Cameron’s government.

In 2013, STARZ network ordered the 16-episode adaptation of bestselling historical fiction novel, Outlander by author Diana Gabaldon, from production companies Tall Ship Productions, Story Mining & Supply Co., and Left Bank Productions, in association with Sony Pictures Television.

While STARZ was the U.S. distributor, offering the series on its own cable network, SPE’s TV arm appears to have handled overseas distribution to broadcast, cable, and video streaming services.

Outlander’s cross-genre narrative is set mainly in 1740s Scotland; the story is sympathetic to a Scottish protagonist and his time-traveling English wife who are caught between the British and Jacobites in the ramp-up to the 1746 Battle at Culloden. The Scottish people and countryside are treated favorably in the series’ production.

The program debuted on STARZ in the U.S. on August 9 last year — a little less than six weeks before Scotland’s independence referendum (“IndyRef”). Outlander began airing in Canada and Australia in August also, and in October in Ireland after the IndyRef vote.

Distribution deals in other countries including Germany, Hungary, Japan, and the Netherlands led to wider release overseas last year.

But Outlander never received a distribution deal in 2014 in the UK, in spite of its many Scottish and British fans’ clamor and the source book’s status as a renewed bestseller in advance of the show’s U.S. debut. To date the series has only released on Amazon Prime Instant Video in the UK, for paid video-on-demand streaming — not on broadcast or cable.

At least one email leaked by hackers revealed that SPE personnel had a meeting or meetings with Cameron’s government. In an internal email from Keith E. Weaver, executive vice president, SPE executives were told,

“Your meeting with Prime Minister Cameron on Monday will likely focus on our overall investment in the U.K. – with special emphasis on the jobs created by Tommy Cooper [the ITV show], the importance of Outlander (i.e., particularly vis-a-vis the political issues in the U.K. as Scotland contemplates detachment this Fall), and the growth of our channels business…”

The implication is that SPE would suppress any effort to distribute Outlander to the benefit of Cameron’s anti-independence position, in exchange for “growth of our channels business…”

What exactly does this mean?

And is the pursuit of growth confined to SPE, or did “channels business” mean something else? Were Sony executives also looking for opportunities for Sony Corporation, which includes Sony Computer Entertainment, Sony Music Entertainment, Sony Mobile Communications (once known as Sony Ericsson), and Sony Financial?

Did SPE executives and the Prime Minister agree not to seek broadcast or cable distribution of Outlander in the UK before this month’s election?