net.wars: December 2013 Archives


December 27, 2013


"Annus horribilis" might be going a bit far for the Internet in 2013. Long-term one hopes it instead proves to be a watershed: the end of complacence.

The most recent scandal unlocked from Edward Snowden's cache of NSA documents raised the question of whether leading cryptography company RSA took a $10 million payoff to weaken the random number generator library on which such products (and therefore we) depend. University of Pennsylvania professor Matt Blaze explains in detail what this means. In short: the weakness is there, it's hard to exploit, and we can't guess how many systems and products it's embedded in. Blaze calls it "the doomsday nuclear option of cryptographic back doors".

My version: terrorists could not have done a more efficient job of creating uncertainty and undermining trust in everyday (online) life.

The good side of 2013's six months of revelations of systemic surveillance and spying is that everywhere there are green shoots of activism as everyone from academics to corporate interests begins the long process of devising alternatives and upgrading infrastructure. Legislators, too: the EU's data protection reform seemed in danger of being derailed by complacency and US lobbying; the directive passed now is likely to be much stronger than it might have been without Snowden's input.

The bad side is obvious: we are, for now, screwed. At least we know; I prefer truth, however unpleasant.

The disturbing thing is that while everyone is thinking how to reclaim the Internet, a different set of folks continue to produce the next tech generation, seemingly without changing their thinking.

Snapchat strikes me as emblematic. Founded on the notion of ephemeral messages, last week, the company announced a replay feature. That's some holiday gift: showing that your business model is based on a claim that can be up-ended at will. Granted, the claim was never completely reliable.

It's a great example of our problems. A company sells technology to solve a social problem - trust. The promise encourages risky behavior, while the company may retrofit its technology to serve changing business needs. By then, the data is out there. Snapchat's motives may be perfectly pure, but there are plenty of precedents for abrupt changes of tack, of which Facebook is just one.

More insidious, though, is the way that electronic analogues of familiar physical objects add sneaky data collection facilities in ways we do not expect.

For example: a few Christmases ago, a male 50-something startled his family and friends by citing the exact number of the page that he, as a teenaged boy reading it for the first time, had found most "interesting" in a 1960s science fiction novel. He got this dreamy, faraway look in his eyes... Today, reading the same book as an ebook, the publisher would be noting his interest in the absurdly vague sex scene that appeared on that page and calculating how to copy it to sell more books. Would that make better books, as the data-selling subscription services - Oyster, Scribd - claim? Do we want customized novels, so that the version a teenaged boy reads is different from the one perused by a woman in her 50s? I doubt it. The main point: the technology they're talking about using for business purposes is the same stuff that would handily enable the thought police.

As against that are the ideas around getting the Internet to forget us. In a small, less familiar, example from 2008, Cornell graduate Kevin Vanginderen sued the university for libel when the official campus newspaper put its archives online, including a 1983 article reporting on a previously sealed incident in which he was charged with petit larceny and burglary. The case was tossed, to become one of many examples of the way electronic records are reviving forgotten pasts. Conversely, in a discussion earlier this week, Slashdot asked what, eventually, will fade out on the Internet over time. The Facebook page belonging to a friend who died in 2010 still pops up occasionally; but Facebook is still an active business. How many of the old Geocities pages still survive? (Granted, the Internet Archive is trying.)

William Gibson has famously said, "The future has already arrived. It's just not evenly distributed." The same can be said about remembering and forgetting: neither is evenly or predictably distributed. Things that were thought to be off-the-record to future investigators have been opened to everyone (especially if you call attention to yourself by suing), while things that people thought were permanent proved to be at best shaky and at worst ephemeral. These trends, together, are giving this a scary, new twist.

Every year for the last few years has been supposed to be the year of the Internet of things. One year soon, perhaps 2014, will be. Yes, some call it marketing hype, but reality is upon us. Assume that everything that is electronic collects data about how you use it. Assume that no matter what the company says, that data will be available in future for use by people whose identity and trustworthiness are currently unknown for purposes that are as yet unstated. Soon, you will have to assume that everything is electronic. Happy new year.

P.S. On a personal note, thanks to all net.wars readers.

Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.

December 20, 2013

Here there be midget porn

It's hard not to listen to outlines of the smart connected future we're facing and go "EEK! Dragons!" This is particularly true in the context in which these predictions are being made: caught between the Snowden revelations of endemic electronic spying and the UK government's censorship plans.

For the last several months David Cameron & Co. have been threatening ISPs with regulation if they don't do something about protecting children; on Friday, as The Register reports, BT turned on a system supplied by Nominum. Now, Nominum is an interesting company: its founder is Paul Mockapetris, who created the domain name system. Go and look at their Web page, and yes, one of the services they sell companies is parental controls. The American origins may explain some of the odder categories parents can select in the filter, including this gem, which is provoking widespread objection:

"Sex Education will block sites where the main purpose is to provide information on subjects such as respect for a partner, abortion, gay and lesbian lifestyle, contraceptives, sexually transmitted diseases and pregnancy."

If that's Scylla, Charybdis is the reinvention of the Internet into a giant surveillance machine (as Bruce Schneier has put it).

The one good thing to come out of *that* is the US's self-examination in public - this week the government published the review of the NSA's activities (PDF), which contains 46 recommendations for reining the agency back in. We can - and probably should - be skeptical about how much the agency will really change, but it's a start. Compare and contrast to the UK, where, Guardian editor Alan Rusbridger writes, the authorities are still behaving as though stifling any such discussion is an essential part of national security.

Off to the future. Last week, the latest in the lengthy series of Westminster eForums tackled smart living. Much of the discussion revolved around smart meters and various types of energy saving. Some of it was plain how-to-sell-this-to-consumers talk (for example, Susan Furnell, from British Gas). Some was thoughtful about the changes redesigns would bring (such as BMW's Dominik Fromm, who imagined a world full of electric vehicles topping up wherever and whenever). The most exceptional was Glasgow land and environmental services director Brian Devlin, who is masterminding a remarkable project to reinvent Glasgow.

The most thoughtful, however, was Gus Hosein, the director of Privacy International, who noted that he wanted a smart meter long before anyone saw such things as a market opportunity.

"I worry that I don't want the technologies on show," he said. "I want a better form of smart. I want technology that deals with the full spectrum of risks - that's secure, deals with surveillance ambitions, that's private, and allows individuals to have control. It's not easy."

Cut to one of science fiction writer Charlie Stross's latest rants, on the risks inherent in giving rather ordinary things communications connections.

Hosein was concerned about a related set of imminent dark-side Internet of things risks. In just the last few weeks we've seen a new malware attack on Androids that leverages the ad network to charge calls and SMSs to the owner's account. The FBI can secretly turn on Mac webcams. And LG's smart TVs are collecting behavioral data on the TVs' owners and sending it on, unencrypted.

This is where midget porn came in. (Note: if you want to see a crowd of business people listening to a string of technical presentations perk right up, throw in a term like "midget porn".) The guy who got curious about what his LG TV was doing noticed that it seemed to be investigating the contents of a USB stick plugged into the TV. So he checked by creating a file with a name he thought was unlikely to be duplicated by any other source: "midget porn". Gotcha!

"Smart devices are not good at letting you know what's happening under the hood," Hosein commented. These tiny devices people are talking about won't have user interfaces. So: how will you do updates or security patches? How will you figure out what your devices are doing behind your back when the information streams are tiny and pervasive? Keith Osman from Birmingham City University raised another good question: when you combine data from different applications and market sectors with streaming data (as you might for a routing application), where does the liability lie? Who's responsible for data accuracy, or if the routing application lands me in a dangerous place?

Let's return to the twin monsters we began with. In a network with pervasive censorship would "midget porn" have been filtered out, helping hide this bad behavior? Granted, you could come up with some other term, but the uncertainty matters. As the network increases logarithmically in complexity, what will it hide from us? And as cyberspace invades real life and makes physical objects into simultaneous virtual ones, how do we stop them all from joining the giant surveillance platform? If that street light doesn't like my profile, will it stay off when I pass by?


December 13, 2013

Copyright plays

Evil - or benign - file-sharers checking in on The Pirate Bay this week discovered the site had vanished. Hours later, it was back via a domain registration in the Ascension Islands; today it's woken up in Peru, apparently at rest for now. TorrentFreak reports, however, that the next phase will be different: The Pirate Bay will circumvent the domain name system entirely. The plan is for a standalone browser and plugins for Chrome and Firefox that will turn the entire system into P2P, taking the process of decentralization that began with the takedown of Napster to the next level.

Meanwhile, rightsholders themselves are gaming the system. Also this week, it was announced that The Beatles are releasing a batch of unreleased recordings in order to prevent them from falling into the public domain. Under the most recent European law regarding sound recordings, record companies are required to "use or lose" such material. At least Apple-the-record-company is planning to keep the new releases available; that report notes that Bob Dylan - or rather, Sony - finessed a similar situation by releasing the material on a set of six vinyl LPs. That may have slowed the material's arrival on torrent sites by a few minutes.

It's interesting to speculate how rightsholders will respond to this next phase of the copyright arms race. Probably somewhere in a Big Media boardroom there's someone going, "Couldn't we just run a browser check when someone tries to stream our content and block delivery to anyone who has The Pirate Bay installed?" Sort of the same logic that has CBS refusing to load content on one of my computers because it blocks ad networks in hosts.txt. The answer, of course, is that the sort of person who installs The Pirate Bay is the sort of person who runs multiple browsers on different machines, always retaining one digital personality that can successfully pretend to be acceptable.

Eliminating the DNS as a central point of failure is an idea that's been creeping closer for years; the DNS was essential for the growth of the Web and email, but is much less so for newer services - and apps ignore it entirely. While Nominet fiddles with the structure of .uk and frets about its role in Internet governance, the reality is that both are part of an older paradigm competing with a newer one. Their experience is not unlike that of rightsholders themselves or, before all of them, the British Empire. They won't die off, but their business models and the way they think about their place in the world must change. Meantime, app store (and Web store) owners are moving into place as new central points of failure; Google is removing torrent apps from its Web store.

Ever since the Snowden revelations started there's been talk of Balkanizing the Internet. In a grander version of "no one can call my sister an ape but me", countries who spy on their own citizens are nonetheless resentful when other countries do it. You can hardly blame them for wanting to close down their network perimeters or for seeing protecting their citizens from foreign spying as more important than protecting "the essential freedoms of the Internet". It probably won't work anyway, or at least not the way they think. The Pirate Bay's move reminds, however, that the Net is already Balkanized, even if it's porous to the technically adept. The "dark nets" beloved of mainstream fear-mongers do exist, but from an individual perspective they're much more diverse than usually depicted; I'd include all those language areas we can't interpret, and the millions of services each of us has never tried.

As the novelty of the Net wears off, even though our connection speeds continue to increase, our inclination to explore beyond the things we use and need most often seems to be decreasing. The app paradigm fits this reality perfectly. For most people, the Net itself is not an object of interest. Friends' kids want to play games on their tablet; they don't get frustrated because they can't program it. Which is why "digital natives" is so much nonsense. The real natives are us 50-somethings who adopted the Internet in the early 1990s when it was young and its bones were not only visible but as malleable as a newborn's skull. We know how to do things that today's 20-somethings, who have grown up with it as a black box, in general do not. They just look fast when they're typing into Google.

And that, in turn, is why, while I don't care much what happens to The Pirate Bay itself - to gain a good appreciation of the site's founders and motives, watch the movie TPB-AFK - I do think we are at real risk here. Except the risk is letting copyright law become the Net's single point of failure by dictating how everything else may function.


December 6, 2013

Running with scissors

What with one thing and another, net.wars failed to mark November 2, 2013 as the 25th anniversary of the Internet worm. Probably its author, Robert Tappan Morris, Jr, would have liked for the whole world to fail similarly. Instead, he got to be one of the first to discover what life is like in the Age of the Internet, when it's increasingly hard to lose your past mistakes in the mists of time. Especially when those mistakes represent a watershed moment in the development of a globally adopted technology.

I have no way of proving this, but it's long been my belief that the Morris worm was the first time many of us - at least, those who were sentient at the time - heard of the Internet. It was certainly the first time I did, though I already knew of electronic bulletin boards reached via phone and modem. My hazy recollection is of reading in the newspaper that there was this network that connected universities and research divisions of large companies and it, and consequently them, had been paralyzed when someone released this bit of software.

In retrospect, at the time I may have paid attention to exactly the wrong facets of the articles I read: communications network, computers, facilitating research and information sharing. Wow. Amazing. The bit I overlooked: not working, paralyzing those who depend on it. The people whose payment plans were disrupted this week because of RBS's IT systems failure could probably identify. As could myriad others. The Hotfile users whose service has vanished overnight after the site lost to the MPAA in court. The Bitcoin users, both witting and unwitting, who have been under attack. And so on.

The problem isn't that we use these various technologies, or even that we rely on them. It's that technology deployment has three phases. In the first, people experiment. In the second, they use it for real. In the third, they tear down whatever the old system was that it has replaced. The current economic climate is arguably speeding up moving from stage two to stage three: for many businesses, continued growth depends on cost-cutting and improved efficiency. What could be more efficient than getting rid of duplicate systems? The rather optimistic talks last week at the Westminster eForum on digital payments (PDF) are a case in point. The first person I thought of when the RBS outage occurred was Dave Birch, who is intent on exterminating cash. Sure, you could say that those whose cards ceased to function in the RBS outage were no worse off than a person carrying cash who gets relieved of it in a mugging - either way, you can't get home - but the key to recovery in those situations is redundancy, the folded-up fiver in a back pocket, or the hidden emergency credit card. I keep cash around, not because I'm a criminal as Dave Birch likes to suggest cash hoarders all are, but for the same reason that I don't keep all my credit cards in the same wallet or all my money in just the one bank. I think of it as planning for failure.

The RISKS Forum, run by the veteran computer scientist Peter G. Neumann and which I've read for many years, tends to foster this kind of thinking. Over and over again you find RISKS posting stories of failure to think ahead, to plan for the need to recover, to imagine what might happen if a system failed due to malice, poor or unacceptable design, or user incompetence; often, sadly, these failures were explained and solved in papers written 40 years ago. An Android flashlight app that ignores user-set preferences and sends location and other data back to the mother ship does not have to be a permanent fixture in your life provided that you haven't thrown away all your flashlights and you can still buy or make more.

What I worry about is that we're throwing away the flashlights. One of the points about the continuing Snowden revelations is how few alternatives we've been left for avoiding NSA (and others') surveillance. Landlines, cell phone location data, Internet traffic, even - the thing that privacy advocates used to use as a way of describing how unacceptable these practices would be if translated into older ways of life - postal mail. Like the data collection in the flashlight app, all this surveillance is an unwanted bug in the systems we thought we were buying.

What's especially disturbing about these stories is the extent to which so many of the people in control of the technology we use seem able to think in only one way: we must have data. We need to rediscover other modes of thought: perhaps using older tools, like handwriting and doing mental arithmetic.

In Pudd'nhead Wilson's Calendar, Mark Twain wrote: "...the wise man saith, 'Put all your eggs in the one basket - and then *watch that basket*!'" That was before computers. We need to learn the real lesson from the Morris worm: how to cope when they don't work.
