How the media really created Trump
This NYTimes op-ed claims to diagnose the press's failings with regard to Trump, but in its first sentence demonstrates how little press understands the problem. The problem isn't with Trump, but with the press.The reason for Trump is that the press has discarded its principle of "objectivity". Reasonable people disagree. The failing of the press is that they misrepresent one side, the Republicans, as being unreasonable. You see that in the op-ed above, where the very first sentence decries the "Republican Party’s toxic manipulation of racial resentments". In fact, both parties are equally reasonable, or unreasonable as the case may be, with regards to race.
The article suggests the press should have done more to debunk Trump in the"form of fact checks and robust examination of policy proposals". But the press doesn't do that for Democrats, so why should a Republican candidate they don't like get singled out? No amount of attacking Trump sticks because the press is blatantly unfair.
Hillary clearly is complicit in the "Benghazi" affair, because she led the charge to inject weapons into Libya to take down Ghadaffi, then ignored Chris Steven's efforts to clean up the mess. Hillary's use of her own Continue reading
I’m skeptical of NAND mirroring
Many have proposed "NAND mirroring" as the solution to the FBI's troubles in recovering data from the San Bernadino shooter's iPhone. Experts don't see any problem with this approach, but that doesn't mean experts know it will work, either. There are problems.
The problem is that iPhone's erase the flash after 10 guesses. The solution is to therefore create a backup, or "mirror", of the flash chips. When they get erased, just restore from backup, and try again.
The flaw with this approach is that it's time consuming. After every 10 failed attempts, the chips need to be removed the phone, reflashed, and reinserted back into the phone. Then the phone needs to be rebooted.
For a 4-digit passcode, this process will need to be repeated a thousand times.This is doable in a couples of days. For a 6-digit passcode that is standard on iOS 9, this needs to be repeated 100,000 times, which will take many months of nonstop effort 24-hours a day. Presumably, you can make this more efficient by pipelining the process, using multiple sets of flash chips, so that a new fresh set can be swapped in within a few seconds, but it still takes Continue reading
There’s no conspiracy behind the FBI-v-Apple postponement
The FBI says it may have found another way to get data off an iPhone, and thus asked to postpone a hearing about whether Apple can be forced to do it. I thought I'd write a couple of comments. Specifically, people are looking for reasons to believe that the FBI, or Apple, or both are acting in bad faith, and that everything that happens is some sort of conspiracy. As far as I can tell, all evidence is that they are acting in good faith.Orin Kerr writes:
If that happens, neither side will look good in the short term. The FBI won’t look good because it went to court and claimed it had no alternatives when an alternative existed. The whole case was for nothing, which will raise suspicions about why the government filed the case and the timing of this new discovery. But Apple won’t look good either. Apple claimed that the sky would fall if it had to create the code in light of the risk outsiders might steal it and threaten the privacy of everyone. If outsiders already have a way in without Apple’s help, then the sky has already fallen. Apple just didn’t know Continue reading
Why we are upset with the NYTimes Paris terrorist article
On the Twitters, we've been mocking that NYTimes article on the Paris terrorists and how they used "encryption". I thought I'd write up a brief note as to why.It's a typical example of yellow journalism. The public isn't familiar with "encryption", so it's easy to sensationalize it, to make it seem like something sinister is going on.
At one point, the article says:
According to the police report and interviews with officials, none of the attackers’ emails or other electronic communications have been found, prompting the authorities to conclude that the group used encryption. What kind of encryption remains unknown, and is among the details that Mr. Abdeslam’s capture could help reveal.
That's not how encryption works. Instead, if "encryption" were the one thing the terrorists were using to hide, then you'd certainly find encrypted emails and encrypted messages -- ones you couldn't read without knowing the key.
The lack of emails/messages instead hints that the terrorists were meeting in person, passing paper notes to each other, or using telepathy. All of these, even telepathy, are more likely explanation for the lack of evidence than "encryption".
This article cites anonymous "authorities" here as concluding encryption was used. The New Continue reading
No, you backoff on backdoors or else
Speaking at #SXSW, President Obama threatened the tech community, telling us to backdoor our encryption ourselves or else congress will mandate a worse solution later.No, Mr. President, it works the other way around. You'd better backoff on your encryption demands, or else the tech community will revolt, That's what's already happen with Apple's encryption efforts, as well as app developers like Signal and Wickr. Every time you turn the screws, we techies increase the encryption.
It's not a battle you can win without going full police-state. Sure, you can force Apple to backdoor its stuff, but then what about the encrypted apps? You'd have to lock them down as well. But what about encrypted apps developed in foreign countries? What about software I write myself? You aren't going to solve the "going dark" problem until you control all crypto.
If you succeed in achieving your nightmare Orwellian scenario, I promise you this: I'll emigrate to an extradition-free country, to continue the fight against the American government.
Your crypto backdoors creates a police-state beyond what even police-state advocates like Michael Hayden and Linsdey Graham can tolerate. Your point on "balance" is a lie. We've become radically unbalanced toward mass Continue reading
Can the Apple code be misused?
This post will respond to the tweet by Orin Kerr:The government is right that the software must be signed by Apple and made to only work on Farook's phone, but the situation is more complicated than that.Tech help: What are the best responses to DOJ claims in new Apple/FBI brief re whether code could be misused? Thks. pic.twitter.com/V08EcV9Rev— Orin Kerr (@OrinKerr) March 11, 2016
The basic flaw in this picture is jailbreaks. This is a process of finding some hack that gets around Apple's "signing" security layer. Jailbreaks are popular in the user community, especially China, when people want to run software not approved by Apple. When the government says "intact security", it means "non-jailbroken".
Each new version of iOS requires the discovery of some new hack to enable jailbreaking. Hacking teams compete to see who can ship a new jailbreak to users, and other companies sell jailbreaks to intelligence agencies. Once jailbroken, the signing is bypassed, as is the second technique of locking the software specifically to Farook's phone.
Details are more complicated than this. Each jailbreak is different, and many won't allow this secret Apple software to be run. Some will. The point Continue reading
Code is expressive. Full Stop. (FBIvApple)
I write code. More than a $billion of products have been sold where my code is the key component. I've written more than a million lines of it. I point this out because I want to address this FBIvApple fight from the perspective of a coder -- from the perspective of somebody who the FBI proposes to conscript into building morally offensive code. Specifically, I want to address the First Amendment issue, whether code is expressive speech.Consider Chris Valasek (@NudeHabasher), most recently famous for his car-hacking stunt of hacking into a Jeep from the Internet (along with Charlie Miller @CharlieMiller).
As Chris tells the story, he was on an airplane without WiFi writing code for his "CANbus-hack" tool that would hack the car. Without the Internet, he didn't have access to reference information, such as for strtok(). But he did remember from years earlier working on my (closed-source) code, and used the ideas he remembered to solve his immediate problem. No, he didn't remember the specifics of the code itself, and in any case, his CANbus-hack was unrelated to that code. Instead, it was the ideas expressed my code that he remembered.
What he came up with was this:
Continue reading
Captain America Civil War — it’s us
The next Marvel movie is Captain America: Winter Soldier. The plot is this: after the Avengers keep blowing things up, there is pushback demanding accountability. Government should be in control when to call in the Avengers, and superhumans should be forced to register with the government. Ironman is pro-accountability, as you've seen his story arc evolve toward this point in the movies. Captain America is anti-accountability.This story arc is us, in cybersecurity. Last year, Charlie Miller and Chris Valasek proved they could, through the "Internet", remotely control a car driving down the freeway. In the video, we see a frightened reporter as the engine stalls in freeway traffic. Should researchers be able to probe cars, medical equipment, and IoT devices accountable to nobody but themselves? Or should they be accountable to the public, and rules setup by government?
This story is about us personally, too. In cyberspace, many of us have superhuman powers. Should we be free to do whatever we want, without accountability, or should be be forced to register with teh government, so they can watch us? For example, I scan the Internet (the entire Internet) with relative impunity. This is what I tweeted when creating my Continue reading
An open letter to Sec. Ashton Carter
Hi.For security research, I regularly "mass scan" the entire Internet. For example, my latest scan shows between 250,000 and 300,000 devices still vulnerable to Heartbleed. This is legal. This is necessary security research. Yet, I still happily remove those who complain and want me to stop scanning them.
The Department of Defense didn't merely complain, but made threats, forcing me to stop scanning them. You guys were quite nasty about it, forcing me to figure out for myself which address ranges belong to the DoD.
These threats are likely standard procedure at the DoD, investigating every major source of scans and shutting down those you might have power over. But the effect of this is typical government corruption, preventing me from reporting the embarrassing detail of how many DoD systems are still vulnerable to Heartbleed (but without stopping the Chinese or Russians from knowing this detail).
Please remove your threats, so that I can scan the DoD in the same way I scan the rest of the Internet. This weekend I'll be scanning the Internet for system susceptible to the DROWN attack. I would like to include DoD in those scans.
I write to you now because you are Continue reading
Early Internet services considered harmful
This journalist, while writing a story on the #FBIvApple debate, got his email account hacked while on the airplane. Of course he did. His email account is with Earthlink, an early Internet services provider from the 1990s. Such early providers (AOL, Network Solutions, etc.) haven't kept up with the times. If that's still your email, there's pretty much no way to secure it.Early Internet stuff wasn't encrypted, because encryption was hard, and it was hard for bad guys to tap into wires to eavesdrop. Now, with open WiFi hotspots at Starbucks or on the airplane, it's easy for hackers to eavesdrop on your network traffic. Simultaneously, encryption has become a lot easier. All new companies, those still fighting to acquire new customers, have thus upgraded their infrastructure to support encryption. Stagnant old companies, who are just milking their customers for profits, haven't upgraded their infrastructure.
You see this in the picture below. Earthlink supports older un-encrypted "POP3" (for fetching email from the server), but not the new encrypted POP3 over SSL. Conversely, GMail doesn't support the older un-encrypted stuff (even if you wanted it to), but only the newer encrypted version.
Thus, if you are a reporter using Continue reading
Band-Aids over Basics: Anti-Drone Bill Revisions Compound Earlier Missteps
Glossing over fundamental legislation flaws in favor of quick fixes only serves lawyers and lobbyists. In this guest post, friend of Errata Elizabeth Wharton (@lawyerliz) highlights the importance of fixing the underlying technology concepts as Georgia’s anti-drone legislation continues to miss the mark and kill innovation.
Georgia's proposed anti-drone legislation, HB 779, remains on a collision course to crush key economic drivers and technology innovations within the state. Draft revisions ignore all of the legislation's flawed technical building blocks in favor of a series of peripheral provision modifications (in some cases removing entire safe harbor carve-outs), making a bad piece of legislation worse for Georgia's film, research, and aviation technology industries. Only the lawyers and lobbyists hired to challenge and defend the resulting lawsuits benefit from this legislative approach. Georgia should scrap this piece-meal, awkward legislation in favor of a commission of industry experts to craft a policy foundation for unmanned aircraft systems within Georgia.
Band-aid technology policy approaches skip over the technical issues and instead focus on superficial revisions. Whether a company is prohibited from flying over a railroad track in addition to a road becomes a moot point when the definition of Continue reading
The disingenuous question (FBIvApple)
I need more than 140 characters to respond to this tweet:If you were a crime victim and key evidence was on suspect's phone, would you want govt to search phone w/ warrant?— Orin Kerr (@OrinKerr) February 22, 2016
It's an invalid question to ask. Firstly, it's asking for the emotional answer, not the logical answer. Secondly, it's only about half the debate, when the FBI is on your side, and not against you.
The emotional question is like ISIS kidnappings. Logically, we know that the ransom money will fund ISIS's murderous campaign, killing others. Logically, we know that paying this ransom just encourages more kidnappings of other people -- that if we stuck to a policy of never paying ransoms, then ISIS would stop kidnapping people.
If it were my loved ones at stake, of course I'd do anything to get them back alive and healthy, including pay a ransom. But at the same time, logically, I'd vote for laws to stop people paying ransoms. In other words, I'd vote for laws that I would then happily break should the situation ever apply to me.
Thus, the following question has no meaning in a policy debate over paying Continue reading
About McAfee’s claim he could unlock iPhone
So John McAfee has claimed he could unlock the terrorist's iPhone. Is there any truth to this?http://www.businessinsider.com/john-mcafee-ill-decrypt-san-bernardino-phone-for-free-2016-2
No, of course this is bogus. If McAfee could do it, then he's already have done it.
In other words, if it were possible, he'd just say "we've unlocked an iPhone 5c running iOS 9 by exploiting {LTE baseband, USB stack, WiFi stack, etc.}, and we can therefore do the same thing for the terrorist's phone". Otherwise, it's just bluster, because everyone knows the FBI won't let McAfee near the phone in question without proof he could actually accomplish the task.
There's a lot of bluster in the hacking community like this. There is a big difference between those who have done, and those who claim they could do.
I suggest LTE baseband, USB stack, and WiFi stack because that's how I'd attack the phone. WiFi these days is pretty well tested, so that's the least likely, but LTE and USB should be wide open. I wouldn't do anything to help the FBI, though. The corrupt FBI goes around threatening security-researchers like me, trampling on our rights, so they've burned a lot of bridges with precisely the people Continue reading
Some notes on Apple decryption San Bernadino phone
Today, a judge ordered Apple to help the FBI decrypt the San Bernadino shooter's iPhone 5C. Specifically:- disable the auto-erase that happens after 10 bad guesses
- enable submitting passcodes at a high speed electronically rather than forcing a human to type them one-by-one
- likely accomplish this through a fimware update
The text of the court order almost exactly matches that of the "IOS Security Guide". In other words, while it may look fairly technical, actually the entirety of the technical stuff they are asking is described in one short document.
The problem the FBI is trying to solve is that when guessing passcodes is slow. The user has two options. One option is that every bad guess causes the wait between guesses to get longer and longer, slowing down guessing, forcing an hour between guesses. The other option is to have the phone erase itself after 10 bad guesses. Ether way, it makes guessing the passcode impractical. The FBI is demanding the Apple update the software of the phone to prevent either of these things from happening.
The phone is an iPhone 5C, first released in September 2013, so is quite old. This increases the chance that Continue reading
We’ve always been at war with Eastasia
Consider the example in the book 1984 regarding the ongoing war between the three superstates of Oceania, Eurasia, and Eastasia (representing English, Russian, and Chinese empires respectively).
At the start of the book, Oceania is at war with Eurasia. They have always been at war with Eurasia. That's the political consensus, and all historic documents agree. However, Winston Smith (the protagonist) remembers a time five years ago when Oceania was instead at war with Eastasia. Winston Smith struggles with philosophical idea of "truth". Which is more true, what everyone knows and what's in the newspapers, or the memories within his head?
Then Ocean's allegiance switched back again. On the sixth day of Hate Week, as crowds gathered to denounce Eurasia, the Party switched enemies to Eastasia. In a particularly rousing speech against their enemy, the speaker was handed a slip of paper, Continue reading
Fscking Visual Studio Code JS Hello World
The reason Linux never succeeded on the desktop is the lack of usability testing. Open-source programmers hate users, and created such an ugly baby that only a fanboy could love it. It's funny watching the same thing happen to "Visual Studio Code", Microsoft's answer to the Atom editor. You'd think with Microsoft behind it, that it'd be guided by usability testing. The opposite is true. It spends a lot of time hyping it, but every time I try to use it, I encounter unreasonable hurdles for the simplest of things. It's the standard open-source paradigm -- they only spend effort to make something work in theory without the extra effort to make it usable in practice.The most common thing you'll want to do is first create a "hello world" program, then debug it. As far as I can tell, there are no resources that'll explain how to do this. So, for JavaScript on Windows, I thought I'd explain how this works.
Firstly, you'll need to install NodeJS and VS Code. Just choose the defaults, it's uneventful.
Secondly, you need to understand how projects work. This is the first hurdle everyone has with an IDE. You don't simply run the Continue reading
Hackers aren’t smart — people are stupid
The top three hacking problems for the last 10 years are "phishing", "password reuse", and "SQL injection". These problems are extremely simple, as measured by the fact that teenagers are able to exploit them. Yet they persist because, unless someone is interested in hacking, they are unable to learn them. They ignore important details. They fail at grasping the core concept.
Phishing
Phishing happens because the hacker forges email from someone you know and trust, such as your bank. It appears nearly indistinguishable from real email that your bank might send. To be fair, good phishing attacks can fool even the experts.
But when read advice from "experts", it's often phrased as "Don't open emails from people you don't know". No, no, no. The problem is that emails appear to come from people you do trust. This advice demonstrates a lack of understanding of the core concept.
What's going on here is human instinct. We naturally distrust strangers, and we teach our children to distrust strangers.Therefore, this advice is wired into our brains. Whatever advice we hear from experts, we are likely to translate it Continue reading
Nothing says “establishment” as Vox’s attack on Trump
I keep seeing this Ezra Klein Vox article attacking Donald Trump. It's wrong in every way something can be wrong. Trump is an easy target, but the Vox piece has almost no substance.Yes, it's true that Trump proposes several unreasonable policies, such as banning Muslims from coming into this country. I'll be the first to chime in and call Trump a racist, Nazi bastard for these things.
But I'm not sure the other candidates are any better. Sure, they aren't Nazis, but their politics are just as full of hate and impracticality. For example, Hillary wants to force Silicon Valley into censoring content, brushing aside complaints from those people overly concerned with "freedom of speech". No candidate, not even Trump, is as radical as Bernie Sanders, who would dramatically reshape the economy. Trump hates Mexican works inside our country, Bernie hates Mexican workers in their own countries, championing punishing trade restrictions.
Most of substantive criticisms Vox gives Trump also applies to Bernie. For example, Vox says:
His view of the economy is entirely zero-sum — for Americans to win, others must lose. ... His message isn't so much that he'll help you as he'll hurt them...That's Bernie's Continue reading
Twitter has to change
Today, Twitter announced that instead of the normal timeline of newest messages on top, they will prioritize messages they think you'll be interested in. This angers a lot of people, but my guess it's it's something Twitter has to do.Let me give you an example. Edward @Snowden has 1.4 million followers on Twitter. Yesterday, he retweeted a link to one of my blogposts. You'd think this would've caused a flood of traffic to my blog, but it hasn't. That post still has fewer than 5000 pageviews, and is only the third most popular post on my blog this week. More people come from Reddit and news.ycombinator.com than from Twitter.
I suspect the reason is that the older twitter gets, the more people people follow. (...the more persons each individual Twitter customer will follow). I'm in that boat. If you tweeted something more than 10 minutes since the last time I checked Twitter, I will not have seen it. I read fewer than 5% of what's possible in my timeline. That's something Twitter can actually measure, so they already know it's a problem.
Note that the Internet is littered with websites that were once dominant in Continue reading
Lawfare thinks it can redefine π, and backdoors
There is gulf between how people believe law to work (from watching TV shows like Law and Order) and how law actually works. You lawyer people know what I'm talking about. It's laughable.The same is true of cyber: there's a gulf between how people think it works and how it actually works.
This Lawfare blogpost thinks it's come up with a clever method to get their way in the crypto-backdoor debate, by making carriers like AT&T responsible only for the what ("deliver interpretable signal in response to lawful wiretap order") without defining the how (crypto backdoors, etc.). This pressure would come in the form of removing current liability protections they now enjoy for not being responsible for what customers transmit across their network. Or as the post paraphrases the proposal:
Don’t expect us to protect you from liability for third-party conduct if you actively design your systems to frustrate government efforts to monitor that third-party conduct.The post is proud of its own smarts, as if they've figured out how to outwit mathematicians and redefine pi (π). But their solution is nonsense, based on a hopelessly naive understanding of how the Internet works. It appears all Continue reading