Wednesday, March 16, 2016

Whatever

And so it begins. "Seems like Google's RankBrain AI is a Skynet in making because even the engineers working on it are unable to understand it."

Labor markets are hampered by occupational licensing laws. "Lower rates of worker mobility mean that workers are misallocated across the states in a similar way that price controls or discrimination misallocate resources and reduce total wealth. Lower rates of workforce mobility also increase the persistence of unemployment."

Terrorism becomes an opportunity. "[D]omestic law enforcement officials now have access to huge troves of American communications, obtained without warrants, that they can use to put people in cages. FBI agents don't need to have any 'national security' related reason to plug your name, email address, phone number, or other 'selector' into the NSA’s gargantuan data trove."

Don't piss off chess geeks; they might pull out the DDoS gambit.

Music is always a social experience. "[R]ecent looks at the evolution and neurology of music suggest we are not waltzing by ourselves. Musical experiences are inherently social, scientists tell us, even when they happen in private. When we listen alone, we feel together."

Step 1 - stop sustaining criminal elites. "[A]dopting the rule of law is complex. A country needs to enact an immense number of rules. Crafting and enforcing those rules requires cooperation among legislatures, ministries, departments of ministries, the judiciary, local governments and more. At each stage, defenders of the status quo can sabotage or twist the effort to their advantage."

Path Dependent by William Dupre
Ask me where it is
I will say “The flow seems to take me there.”

I am an accumulation of lost experiences
Bridging a dependent path to others of me
Experiencing what again will be lost.

What parallels of me exist?
When did I become me?

Tuesday, March 15, 2016

Security Roundup

Not only is the U.S. Congress about to vote on anti-encryption legislation, but so is California. The bill going through the CA State Assembly "would ban default encryption on all smartphones" sold in the state.

Those laws could make the push to have Apple build iPhones even it can't unlock moot. Though, some companies - including Facebook and Google - are working to increase privacy protections in the face of the next attack on this front - WhatsApp.

Unfortunately, President Obama is showing that he doesn't understand the importance or technical issues of encryption either. He "keeps mentioning trade-offs, but it appears that he refuses to actually understand the trade-offs at issue here. Giving up on strong encryption is not about finding a happy middle compromise. Giving up on strong encryption is putting everyone at serious risk."

Could the government demand the iOS source code and signing key? A footnote in the DOJ brief says the following:
"For the reasons discussed above, the FBI cannot itself modify the software on Farook's iPhone without access to the source code and Apple's private electronic signature ... The government did not seek to compel Apple to turn those over because it believed such a request would be less palatable to Apple. If Apple would prefer that course, however, that may provide an alternative that requires less labor by Apple programmers."
In other words, "it would be a shame if we had to take that code from you."

Mr. Fart and phone security -- the comparison between cockpit security and phone security is great. 

Saturday, March 12, 2016

Why it matters

I've posted a lot about security and privacy lately and will continue to do so because I believe this could be a defining movement both in law and culture with respect to security, privacy, and surveillance (maybe Crypto Wars 2.0). It's not just the FBI's request to Apple either. Facebook could soon be clashing with the DOJ on the WhatsApp messaging application in a case regarding wiretapping. There is also activity in the U.S. Congress which is preparing to vote on a bill that would punish tech companies that refuse to cooperate with investigators, specifically on encryption. The importance of these events can't be overstated.

The importance of encryption per se can't be overstated either because it is an enabling technology that gives private citizens power against mass surveillance. John Reed at Just Security wrote about this topic recently. He was reacting to the oft-cited yet dangerous argument that "if you don’t have anything to hide, you shouldn’t have anything to worry about." He states,
A government’s abuse of surveillance to intimidate and discredit law-abiding citizens isn’t something that happens only in places like Russia. It’s happened time and again, even in democracies as strong as the United States. Within living memory in the US alone, one can recall Nixon’s enemies, Sen. Joseph McCarthy’s anti-communist witch hunts, J. Edgar Hoover’s FBI files on everyone who may have posed a threat to his power, COINTELPRO, and more specifically, that program’s use of surveillance to assist in attempt to ruin Martin Luther King Jr., the list goes on. There is simply no reason to think that such abuse will not occur again. So why should you care if you’re always being watched? Because your self-perceived innocence may not protect you from the kind of abuses we’ve seen repeatedly over the past century (emphasis added).
Jenna McLaughlin at The Intercept shows how Reed's comment emphasized above is all too true with respect to the Black Lives Matter movement. Quoting a grassroots organizer,
"The mundane surveillance of people of color is what gives rise to bulk surveillance at a federal level … not the other way around," she said. "Whatever has been considered normal at a local level" -- including systems of suspicious activity reports, predictive policing, and other tactics -- "has now been considered normal at the federal level."
Even beyond the realm of social justice movements, the fact of the matter is that everyone has something to hide or something in their life that they want to keep private. Reed quotes Bruce Schneier as saying that "[p]rivacy is a basic human need," and that being watched turns us into children under watchful eyes waiting to be implicated by patterns from our past lives.

This is why the fight for strong encryption and against surveillance matters.

Thursday, March 10, 2016

Is code speech?

In Apple's fight against a court order compelling it to create specific software to enable the government to break into an iPhone, the company is invoking its First Amendment rights as one of its defenses. In particular, they claim that the government is compelling speech by forcing it to digitally sign the special version of iOS. The Electronic Frontier Foundation (EFF), in their amicus brief in support of Apple, explains how digital signatures are a way of communicating endorsement of a signed document. (Also see the EFF's FAQ on the matter.)

In making this defense, Apple and EFF (as well as others) typically use the term "computer code is speech" in reference to previous court decisions which protected companies and individuals developing software, in particular encryption software. However, this idea (code as speech) is controversial. Below, I will address law professor Neil Richards's claim that "Code = Speech" is a mistake. (As a reference, please also refer to Apple's filing.)

Code is a means of expression

Richards states that "Apple has told the court that 'under well-settled law, computer code is treated as speech within the meaning of the First Amendment.' Unfortunately, it's wrong about that. The Supreme Court has never accepted that code is protected like speech." The problem is that Apple never said that the Supreme Court has ruled on the matter - they referred to "well-settled law." From that perspective, Apple is correct. They even list the lower court case-law to illustrate.

For instance, in Bernstein v. Department of State the U.S. Court of Appeals, Ninth Circuit says "we conclude that source code is utilized by those in the cryptography field as a means of expression, and because the regulations apply to encryption source code, it necessarily follows that the regulations burden a particular form of expression directly" (emphasis added). The court here explicitly refers to cryptography, which is exactly what Apple refers to in their filing. They say that
The government asks this Court to command Apple to write software that will neutralize safety features that Apple has built into the iPhone in response to consumer privacy concerns. The code must contain a unique identifier "so that [it] would only load and execute on the SUBJECT DEVICE," and it must be "'signed' cryptographically by Apple using its own proprietary encryption methods" (emphasis added).
More directly, though, Apple also lists the case of United States v. Elcom Ltd. which was ruled by the U.S. District Court in Northern California. In that ruling the court states that
the government contends that computer code is not speech and hence is not subject to First Amendment protections. The court disagrees. Computer software is expression that is protected by the copyright laws and is therefore "speech" at some level, speech that is protected at some level by the First Amendment (emphasis added).
At least two other cases address this claim as well:
  • Universal City Studios, Inc. v. Corley - "Computer programs are not exempted from the category of First Amendment speech simply because their instructions require use of a computer"  
  • Junger v. Daley - in reversing a lower court's decision stating that encryption code is not expressive speech, the U.S. Appeals Court, Sixth District concluded that the First Amendment does in fact protect computer source code 
Richards is correct in saying that the Supreme Court hasn't ruled that "code is speech" but they haven't ruled contrarily either. The current accepted view of the courts is that computer code is a form of speech.

Speechiness is not the issue - regulation is

Having said all of that, I do believe that Richards makes a good point when he says that
What matters, in the end, isn't the metaphysics of "speechiness," [the central question of asking whether code is speech] but whether a government regulation of an activity threatens the traditional values of free expression -- political dissent, art, philosophy, and the practices of self-government...The right question to ask is whether the government's regulation of a particular kind of code (just like regulations of spending, or speaking, or writing) threatens the values of free expression.
Like Richards, I see this as the true issue at hand. The clumsy language used by the various courts above only confuses the matter. Computer code is really more like words, not speech, and like words used in other forms of expression, the content matters. Richards provides an illustrative example when he implies that it would be silly (my word not his) to protect malware writers because the code they used to write the programs was protected speech.

In defense of that last view, Richards writes "Code = Speech is a fallacy because it would needlessly treat writing the code for a malicious virus as equivalent to writing an editorial in the New York Times." I have some trouble with this analogy because I could see a case where these were equivalent. For instance, if the New York Times published an editorial that incited a riot in Times Square, that would be the same as writing a malicious virus (or DDoS attack). Using words to incite violence is not protected by the First Amendment, nor is using code to inflict damage. And this, as I see it, gets to the real heart of the matter. However, I wouldn't go as far as Professor Richards in calling for regulation of code.

Conclusion

While I believe that Apple has a valid First Amendment argument in their fight against the government, I also think the simple slogan of "code is speech" and what it implies is clumsy. Computer code can be used to achieve great things including giving power to the powerless and limiting the power of the powerful. In that way, it is no different from traditional values of political dissent, art, and philosophy.

Wednesday, March 09, 2016

Whatever

Get used to America, we just may not be that unique.

An interesting approach to limit wasteful exchanges of political favors during election cycles. "In ancient Athens, not only juries but many office-holders were selected by lot. But the most intriguing unpredictable election process was probably that of the medieval Venetian Republic. In Venice, many political offices were selected by a repeated cycle of lottery, vote, .... lottery, vote."

The Ukrainian power grid was hit by Russian-sponsored hackers late last year. Kim Zetter has the compelling story. The scary part - "the control systems in Ukraine were surprisingly more secure than some in the US, since they were well-segmented from the control center business networks with robust firewalls."

Oh France! Why? "[T]he French National Assembly has amended a pending counterterrorism bill to impose heavy penalties on technology companies that fail to cooperate in decrypting communications relating to terrorism investigations."

Science is messy. "An influential psychological theory, borne out in hundreds of experiments, may have just been debunked. How can so many scientists have been so wrong?"

Artificial "octopus skin" for robots - what more needs to be said.

While bitcoin is having some success, maybe it's the blockchain that will be the real 'game changer.' "Goldman Sachs says the technology 'has the potential to redefine transactions' and can change 'everything.'"

"Legal marijuana may be doing at least one thing that a decades-long drug war couldn't: taking a bite out of Mexican drug cartels' profits."

Could the insurance industry help reform American policing? Radley Balko found "several examples in which insurers had demanded changes to policies regarding the use of SWAT teams, usually after one or more incidents that resulted in a payout to someone shot or injured during a police raid...[T]he financial incentives insurers can offer to cities and towns for good policing are powerful."

Bonds by William Dupre
All that we look to spend
To suit a legacy
With others there to lend
The bonds that are not free.
The sense we must abuse
And trespass to for-give
On lies we like to use
For lives we long to live.
We must, but no alone,
End the art to deceive,
Lest what we love be gone
And we ourselves take leave
Of senses that are the
Guise of what is to be.

Thursday, March 03, 2016

Security Roundup

I've been blogging a lot about security lately, but there is a lot going on to blog about. Here is a roundup of some hot news items.

ACLU: You can kiss trust in software updates goodbye if Apple's forced to help the FBI: "What the government seeks here is an authority that would undermine American and global trust in software security updates, with catastrophic consequences for digital security and privacy."

We are currently dealing with the consequences of intentionally weak cryptography. The latest is the DROWN attack which exploits bad decisions made by the U.S. government during the 1990s Crypto Wars. "Today, some policy makers are calling for new restrictions on the design of cryptography in order to prevent law enforcement from 'going dark,'...[H]istory's technical lesson is clear: Weakening cryptography carries enormous risk to all of our security."

The U.S. government has funded projects like TOR and Open Whisper with the intention of giving dissidents across the world the ability to communicate freely. So, is the government fighting itself on encryption? "We thought the risks of not allowing the Internet to be secure and a vehicle for free speech was more detrimental than the risks of bad guys using it in ways that made it harder to go after them."

Could the Feds get into iPhones without Apple's help? Maybe they should ask the NSA.

Wednesday, March 02, 2016

Whatever

  • An open-source alternative to Android Wear OS
  • Wonderful piece, great player
  • Pirates of the 21st Century!
  • Help Wanted for hackers - "Some groups also offer incentives for new talent, such as promising fame and notoriety, profit-sharing, and travel expenses."
  • How to make good decisions? Don't ignore the base rate.
  • FBI's Tor hack shows the risk of subpoenas to security researchers - "If you're a researcher, you need to think: Am I going to get subpoenaed here? Should I be gathering this information and risking putting it into the wild?"

Oh, God! a lipogram in O by William Dupre
Oh! To know God’s blood,
Don’t brood on school’s rot
Or cool to Mom’s cocoon -
Stomp on roots of doom!

Look to books for food
To stop torpor’s hoofs.
Don boots to crook cons
Or to loot God’s boon.

Go now! Look how blooms
Took to soot on sod
On footholds of foo
To grow food for fools!


Pirate Ship image courtesy of EricaMaxine Price at Fine Art America

Monday, February 29, 2016

Apple gets some love from the Big Apple

U.S. Magistrate Judge James Orenstein in New York has ruled against the government in a separate All Writs Act request to unlock an iPhone. Alex Bewitt at InfoQ highlights some of the key points in the decision (the full ruling can be found here).

This is a scathing ruling against the government. One key point appears in a footnote:
In considering the burden the requested relief would impose on Apple, it is entirely appropriate to take into account the extent to which the compromise of privacy and data security that Apple promises its customers affects not only its financial bottom line, but also its decisions about the kind of corporation it aspires to be. The fact that the government or a judge might disapprove Apple's preference to safeguard data security and customer privacy over the stated needs of a law enforcement agency is of no moment: in the absence of any other legal constraint, that choice is Apple's to make, and I must take into account the fact that an order compelling Apple to abandon that choice would impose a cognizable burden on the corporation that is wholly distinct from any direct or indirect financial cost of compliance [emphasis added].
In other news from New York, District Attorney Cyrus Vance Jr. will go before Congress to discuss encryption. As Gregg Keizer at ITworld says of Vance, he "wanted Apple to return to the security model it used through 2013's iOS 7. 'We want smartphone makers to offer the same strong encryption that Apple employed before iOS 8,' Vance said."

Apple wants personal device security to be controlled by the person; the government wants it controlled by the government via corporate proxies.

Measures of Inequality

Robert Samuelson has an article on some recent research on inequality by the White House's Council of Economic Advisers (CEA). Samuelson summarizes one point as follows:
[The CEA] attributes much inequality to differences between companies and not to individuals in the same firm. It’s not so much that the gap between the chief executive and the janitor at company A has widened; it’s that company A is falling behind company B, which is more profitable and pays both the CEO and the janitor better. Think General Motors (company A) and Google (B). The economy is splintering into increasingly and decreasingly profitable firms, argues CEA Chairman Jason Furman.
Income inequality is a complex phenomenon which has many causes. Some may be institutional failures (e.g., rent seeking, poor schools), while others could be signs of growth and lifestyle changes (e.g., innovation, demographic changes, immigration). And that is ignoring the measurement issues around compensation (i.e., the growth of fringe benefits and government transfer payments). Samuelson argues against "stock explanations" like greed and corporate compensation packages to CEOs, and I agree.

Saturday, February 27, 2016

Apple Defenses

Kim Zetter at Wired has an article up explaining the First Amendment defenses that Apple could use in its case against the government. As I mentioned in a previous post, the courts have ruled that, in essence, computer code is speech. A defense tactic in this vein could argue that requiring Apple to write a special version of iOS is compelled speech. However, as Zetter illustrates, there is another line of defense Apple could take, and it pertains to the digital signing of that new code.
Instead, it's the digital signature that Apple would use to sign that code that is the key to Apple's First Amendment argument, say legal experts who spoke with WIRED. "The human equivalent of the company signing code is basically saying, 'We believe that this code is safe for you to run,'" says Jennifer Granick, director of civil liberties for the Center for Internet and Society at Stanford Law School. "So I think that when you force Apple to cryptographically sign the software, it has a communicative aspect to it that I think is compelled speech to force them to do it."
"[B]ecause what's so expressive, necessarily, about that? But to me, the signing is expressive—very clearly so," she says. "That's kind of what the code signing is—it's saying 'I'm Apple Computer and we support this software and we think this software is safe for you to run'...So a forced signature to me is compelled speech."
If Apple were to use this defense it could set some interesting precedents for digital signatures.

Other than the First Amendment, Apple could take the 5th in this case. Not refuse to testify, of course, but apply that other pesky part of the 5th Amendment - due process. David Kravets at Ars Technica explains how "conscripting Apple to build something that it doesn't want to do...is a breach of its 'substantive due process.'"

There is also the question of whether Congress has already had its say in this matter. The All Writs Act that the FBI is using to compel Apple only gives courts a tool to enforce existing statutes. As Albert Gidari shows, Congress in 1994 passed the Communications Assistance for Law Enforcement Act (CALEA) which "did not prohibit a [telecommunications] carrier from deploying an encryption service for which it did not retain the ability to decrypt communications for law enforcement access" (emphasis mine). So, CALEA could trump AWA. It is yet to be seen, however, if the courts view Apple as a "telecommunications carrier."

Wednesday, February 24, 2016

Whatever


Little Lies by William Dupre
We can't escape
Having a little of what we hate
Of others within ourselves. 

Yet we let the lie reside
Lest we make light the biases
We desire to hide --

The Hypocrisy doesn't wear well
As we tell stories of the self.

Tuesday, February 23, 2016

Bubble Watch

Evan Soltas has an article looking at how the decline in oil prices could end up hitting the banking sector. He writes,
That link to the financial system has people on edge. Andrew Levin, a former adviser to Ben Bernanke and Janet Yellen, has been ringing the "recession" alarm bell as loud as he can. Larry Summers has warned policymakers to "heed the fears of financial markets."
The banks are tied up in this for a simple reason: America’s fracking boom was brought to you by very aggressive financing. Buying land, drilling a well, renting equipment, hiring a team, and securing pipeline or rail space to ship out the oil — all that takes capital, and the banks provided it at low interest rates with little equity from the borrower.
Banks lent so much to frackers that the cost of debt service consumed 60 percent of cash flow before oil prices fell, according to the Energy Information Administration. The collapse in oil prices makes that kind of debt unpayable. Frackers will default and force banks to eat the loss. (Emphasis in the original)
He also has a graph showing how this exposure is hitting bank stocks.

Tim Harford also writes about how cheap oil might trickle through the economy. He's worried that consumers are using the spare cash from cheap gas to save and not spend more. I'm skeptical of the notion that savings is bad, and think that it could be the cushion to soften the blow of a fall. However, he may be right that innovation in the clean energy sector may slow because of the disincentive to invest in that industry. On the other hand, how much of the clean energy sector is being propped up by government subsidies?

I'm not willing to bet on a big slowdown just yet, but both articles are worth a read to understand the difficult times that may be ahead.

Postscript: Above, Soltas mentions the fracking boom and how it was brought on in part by aggressive financing of, among other things, rail space for shipping oil. Working in the rail industry, I for one know that there has been a slowdown in shipments of energy-based commodities. Coal shipments have been hit the hardest, but other areas are being hit as well.

Saturday, February 20, 2016

The Security Chess Game

The Justice Department is now chiming in to defend the FBI's All Writs Act request to Apple. We've also learned that late last year the White House ordered government agencies to work around encryption. As Bloomberg reports, agencies were requested to "find ways to counter encryption software and gain access to the most heavily protected user data on the most secure consumer devices."


In the DOJ's defense of the FBI's request, they said that Apple's refusal to comply "appears to be based on its concern for its business model and public brand marketing strategy." That may be true, but the government is playing the same game. It looks like they are using the emotions around the San Bernardino incident to garner political support for a more strategic move against companies refusing to break encryption. They know this could set the precedent they need to strong-arm industry players into either installing "backdoors" on encrypted devices or bending over whenever the FBI comes knocking.

So we have competing strategies at play: the enabling of security vs. the subversion of security. Which one were you taught in high school was the government's side?

As I mentioned in a previous post, government agencies have ways to get into devices. Andy Greenberg has an entire article on the ways government officials can get access to data on an iPhone. So this really does seem like the government is playing a chess game here.

***

Regarding the All Writs Act request, check out Orin Kerr's thoughts on the 1789 statute. The ruling precedent right now is the 1977 case United States vs. New York Telephone. According to Kerr,
The tricky part of New York Telephone is that the Court left the actual test for what the AWA allows frustratingly murky. The Court was comparatively clear about one essential limit on a Court’s power under the AWA: "We agree that the power of federal courts to impose duties upon third parties is not without limits; unreasonable burdens may not be imposed." Okay. But the rest of what the Court says is really unclear.
So the chess game could be a long one.


Thursday, February 18, 2016

#FBIvsApple

Elsewhere (on Facebook), I backed away from a claim that the order issued by the California Court requiring Apple to assist the FBI in accessing a locked iPhone was a 4th Amendment issue. In this particular case it clearly isn't. However, if Apple loses its challenge, the precedent set could have longer term 4th and 5th Amendment issues. (This is important because the current makeup of SCOTUS, especially since the passing of Justice Scalia, leans towards deference to the government in such cases.) There is also an interesting First Amendment issue to consider. In Bernstein v. Department of Justice, the U.S. District Court for the Northern District of California ruled that, in essence, computer code is equivalent to speech. So, is it compelled speech if the government requires Apple to create a modified version of iOS?

So, clearly there are some Civil Rights issues on the line with this order.

Another interesting angle in this case is the question of whether the FBI actually needs Apple at all. It is known that the government has tools to hack into software systems already. Specifically, the NSA has a stash of zero-day exploits it has collected over the years. Now, of course, the NSA isn't going to share those with the FBI, but could the FBI have its own stash? Also, are they really just using this order to set a legal precedent? Or are they using it to garner public support to force software companies to include backdoors in encryption tools? There is no evidence that this is what is going on, but these are some of the issues that are now in play.

Apple has a fight on its hands and we will soon see how this particular case plays out. However, there are serious security, technology, privacy, and rights implications that will play out over the longer term.