The End of Everything Good and Holy

It seems like every generation is destined to disparage the next generation. This is nothing new. Even the elderly Romans complained about how an easy life had made their successors soft. In the most recent entry in the genre of the new generation sucking, we have an article wondering if smartphones have destroyed a generation:

Around 2012, I noticed abrupt shifts in teen behaviors and emotional states. The gentle slopes of the line graphs became steep mountains and sheer cliffs, and many of the distinctive characteristics of the Millennial generation began to disappear. In all my analyses of generational data—some reaching back to the 1930s—I had never seen anything like it.
The allure of independence, so powerful to previous generations, holds less sway over today’s teens.

[…]

What happened in 2012 to cause such dramatic shifts in behavior? It was after the Great Recession, which officially lasted from 2007 to 2009 and had a starker effect on Millennials trying to find a place in a sputtering economy. But it was exactly the moment when the proportion of Americans who owned a smartphone surpassed 50 percent.

The more I pored over yearly surveys of teen attitudes and behaviors, and the more I talked with young people like Athena, the clearer it became that theirs is a generation shaped by the smartphone and by the concomitant rise of social media. I call them iGen. Born between 1995 and 2012, members of this generation are growing up with smartphones, have an Instagram account before they start high school, and do not remember a time before the internet. The Millennials grew up with the web as well, but it wasn’t ever-present in their lives, at hand at all times, day and night. iGen’s oldest members were early adolescents when the iPhone was introduced, in 2007, and high-school students when the iPad entered the scene, in 2010. A 2017 survey of more than 5,000 American teens found that three out of four owned an iPhone.

Do you know what destroyed a generation? The printing press! When books stopped being written by hand by monks in monasteries, they became cheaper and more readily available. This led to more people reading more frequently, which caused them to pay less attention to their social obligations.

That’s the same argument, except it would have taken, and probably did take, place in the 1440s.

Just as every generation is destined to disparage the next generation, every technological advancement that makes its way into the hands of consumers is destined to be accused of destroying the next generation. Television, video games, and computers were all accused of destroying a generation in recent times. The first generations that grew up with those technologies turned out fine, just as the new generation will end up turning out fine. Adoption of a new technology is always disruptive to a point, but humanity seems to have a knack for discovering, rather rapidly, its positive and negative aspects and adopting the former while discarding or working around the latter. As today’s teenagers develop they too will discover the positives and negatives of smartphones and adjust themselves accordingly. Then they’ll be at an age where they can disparage their successors and whatever new technology is being adopted by them at the time.

Put It in the Cloud, They Said. It’ll Be Fun, They Said.

Not only do you not own devices that are dependent on online services, but those devices are also more vulnerable to unauthorized remote access. If your Internet-connected devices aren’t secure, they can be accessed by unauthorized third parties, which can make for an awkward time when said device is capable of playing audio:

That suave chat is a translation of what webcam owner and shocked F-bomb flinger Rilana Hamer, of the Netherlands, related in a 1 October Facebook post.

Hamer says that a month or two ago, she picked up a Wi-Fi enabled camera to keep an eye on the house. Most particularly, to keep an eye on her puppy, who has a penchant for turning everything upside down. She bought the device at Action—a local discount-chain store that mostly sells low-budget convenience utilities.

Hamer’s experience isn’t unusual. In fact, there’s a website dedicated to providing remote feeds from insecure video cameras. Internet of Things (IoT) manufacturers have a pretty dismal record when it comes to security, and few have shown any notable effort to improve that record. While the ramifications of this lack of security awareness aren’t immediately obvious for many IoT devices, they are obvious when it comes to devices that allow unauthorized third parties to interact with you.

What Happens When You Don’t Own Something

The cloud is good. The cloud is holy. The cloud is our savior. If you listen to the marketing departments of online service providers and Internet of Things manufacturers, you’d be led to believe that the cloud will soon cure cancer. While there can be advantages to moving services online, there are also major disadvantages. The biggest disadvantage, in my opinion, is the fact that you don’t own anything that is dependent on an online service. People who bought the Canary security camera are learning this lesson the hard way:

Canary, a connected home security camera company, announced changes to its free service last week that went into effect on Tuesday. Under the new terms, non-paying users will no longer be able to freely access night mode on their cameras nor will they be able to record video for later viewing. Night mode is a feature that lets you set a schedule for your Canary camera to monitor your home while you sleep without sending notifications.

On top of that, all the videos the company previously recorded for free will be converted into 10-second clips called “video previews.” Essentially, important features are being taken away from users unless they’re willing to pay $9.99 a month.

People will likely blame this on greed, but the real culprit is the lack of ownership. The Canary camera isn’t free, but paying money to acquire one doesn’t mean you’re paying money to own it. In reality, you’re paying money for the privilege of paying a monthly fee to tie a camera to an online service. The terms of accessing that online service can change on a whim and, in this case, the change left people who decided not to pay the $9.99 per month fee with a paperweight that used to be a security camera (albeit a limited one).

The Internet of Things means never owning the devices you pay money for, and if you don’t own it, you don’t control it.

NIST Publishes New Password Best Practices

g’70A32KsZQ8H2n0JkJ__rfy[JsFzJ(wN(y1,F’Ou1kH(TQcSyNYs”3CSXYPbXQm

That looks like a secure password, right? It is. However, there’s no way I could possibly type that in accurately or remember it. Passwords that cannot be typed or remembered aren’t a big deal for online services if you use a password manager. They are a big deal for passwords you have to type in, like the one to log into your computer. Unfortunately, conventional password wisdom has it that users should be required to have complex passwords instead of memorable passwords. The National Institute of Standards and Technology (NIST) recently published changes to its password best practices. Its changes break with that conventional wisdom:

Among other things, they make three important suggestions when it comes to passwords:

  1. Stop it with the annoying password complexity rules. They make passwords harder to remember. They increase errors because artificially complex passwords are harder to type in. And they don’t help that much. It’s better to allow people to use pass phrases.
  2. Stop it with password expiration. That was an old idea for an old way we used computers. Today, don’t make people change their passwords unless there’s indication of compromise.
  3. Let people use password managers. This is how we deal with all the passwords we need.

The good news here isn’t so much that NIST published these recommendations but that system administrators are willing to follow NIST’s guidelines. None of the changes published by NIST are new; these practices have been advocated by security professionals for some time now. Unfortunately, many, if not most, system administrators have kept the old guidelines in place, which has led to users having to come up with passwords that are complex enough to satisfy password policy requirements but simple enough to remember for the several months that the password is valid. Hopefully NIST publishing these changes will convince those administrators of the errors of their ways.
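To make the contrast concrete, here is an added example (my own code, not from the post or from NIST) that checks a candidate password against a classic composition-rule policy and against a NIST-style policy. The length floor and ceiling, the compromised-password blocklist check and the username check follow NIST SP 800-63B as I know it; the post itself only summarizes the guidance, and the blocklist contents are a constructed sample.

```python
"""Legacy composition-rule policy versus a NIST-style policy.

Constructed illustration. The NIST-style checker applies only a length
floor, a generous length ceiling, a compromised-password blocklist and a
username check; it has no character-class rules and no expiry logic,
because the guidance says to rotate only on evidence of compromise.
"""
import string
import unicodedata

# Constructed sample of commonly used / breached passwords. A real
# deployment would load a large breached-password corpus instead.
BLOCKLIST = {"password", "password1", "p@ssw0rd", "p@ssw0rd1!", "qwerty123", "letmein!"}


def legacy_complexity_check(pw: str) -> list[str]:
    """Classic policy: 8-16 characters and one of each character class."""
    problems = []
    if not 8 <= len(pw) <= 16:
        problems.append("length must be 8-16")
    if not any(c.islower() for c in pw):
        problems.append("needs a lowercase letter")
    if not any(c.isupper() for c in pw):
        problems.append("needs an uppercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("needs a digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("needs a symbol")
    return problems


def nist_style_check(pw: str, username: str = "") -> list[str]:
    """Length, blocklist and context checks only; passphrases are welcome."""
    pw = unicodedata.normalize("NFKC", pw)  # normalize before any comparison
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if len(pw) > 64:
        problems.append("longer than 64 characters")  # ceiling exists, but is generous
    lowered = pw.lower()
    if lowered in BLOCKLIST:
        problems.append("appears in the compromised-password list")
    if username and username.lower() in lowered:
        problems.append("contains the username")
    return problems


def evaluate(pw: str, username: str = "") -> dict[str, bool]:
    """True means the password is accepted under that policy."""
    return {
        "legacy": not legacy_complexity_check(pw),
        "nist": not nist_style_check(pw, username),
    }


if __name__ == "__main__":
    for candidate in ("correct horse battery staple", "P@ssw0rd1!"):
        print(candidate, evaluate(candidate))
```

A long passphrase fails the legacy policy on four counts yet passes the NIST-style one, while a short "compliant" password that appears in a breach corpus does the reverse.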

Assume All Source Code is Open Source

Let’s pretend that you’re a fool and believe that security through obscurity works. Because of your foolish belief, you seek out closed source security software. Since potential adversaries can’t see the source code, they can’t find vulnerabilities in it to attack you with, right? Not so much. Just because software is closed source doesn’t mean nobody is allowed to see the source code. HP recently granted Russia permission to review the source code of one of its security software packages:

Last year, Hewlett Packard Enterprise (HPE) allowed a Russian defense agency to analyze the source code of a cybersecurity software used by the Pentagon, Reuters reports. The software, a product called ArcSight, is an important piece of cyber defense for the Army, Air Force and Navy and works by alerting users to suspicious activity — such as a high number of failed login attempts — that might be a sign of an ongoing cyber attack. The review of the software was done by a company called Echelon for Russia’s Federal Service for Technical and Export Control as HPE was seeking to sell the software in the country. While such reviews are common for outside companies looking to market these types of products in Russia, this one could have helped Russian officials find weaknesses in the software that could aid in attacks on US military cyber networks.

I don’t subscribe to the belief that open source software is inherently more secure (however, I do believe open source software offers several advantages over closed source software that are unrelated to security). I think the numerous critical vulnerabilities discovered in OpenSSL put that belief to bed. However, I also don’t believe that closed source software is inherently more secure. Just because a developer doesn’t share its source code with everybody doesn’t mean it doesn’t share its source code with third parties. In the case of HP, one of the third parties granted access to its source code was an adversary of one of its customers.

If you’re purchasing software from a third party, you have no control over who it shares its source code with. So if you believe in security through obscurity, closed source software won’t offer you any advantage, perceived or otherwise.

You Have Access to the Collective Knowledge of Humanity, Use It

If I had a dollar for every time somebody gave incorrect firearm legal advice, I’d be sitting on a mega yacht in the middle of the Atlantic Ocean drinking scotch that is older than I am.

People with no knowledge about something talking about it authoritatively is not a new phenomenon, nor is it restricted solely to gun laws. However, it was far more excusable in the past because the people who did it didn’t have access to the collective knowledge of humanity at their fingertips. If you’re posting something to Facebook, then you’re using the Internet. Since you’re using the Internet, you can quickly look things up. For example, if I search for “machine gun law” in Google, the very first link that appears is the Wikipedia article on the National Firearms Act. A brief reading of that article will debunk the claim that anybody can easily buy a machine gun, which is a claim that I’ve seen posted a lot since the attack in Las Vegas.

There is no excuse not to perform at least a basic amount of due diligence in this day and age. If you can post to Facebook, you can perform a search on Google to verify whether or not the claim you’re about to make is true, or at least plausible. “But Chris,” I can hear somebody say, “why would I suspect that the thing I believe is false and needs to be verified?” Simple: if you didn’t come by that belief by doing your own search, you should suspect it of being false.

There’s already enough bad information being circulated. Rise above the masses: use your access to the collective knowledge of humanity and verify claims before you post them.

Rejoice for Mozilla is Trying Again

Some time ago I switched from Firefox to Chrome. While I far prefer Firefox in many regards, its performance had become so bad that I couldn’t realistically use the browser anymore (the entire browser would grind to a halt if, for example, I had Amazon open in a tab). At the time it seemed like Mozilla’s only mission was to copy as much of Chrome’s user interface as possible but not bother with the important parts that make Chrome desirable.

It seems like the people at Mozilla finally realized that their strategy wasn’t a winning one, because they finally put Mozilla Quantum in beta. I’m happy to say that the beta version of Firefox is fast. Damned fast. While shifting to a multiprocess architecture in the current release of Firefox did help with performance, the changes made in Quantum have significantly boosted performance. On top of that, Mozilla has finally enabled U2F in Firefox’s nightly builds, which means we should see U2F support in the near future.

I’m glad to see that Mozilla is back in the game. While Chrome is a very good browser, I want to keep my Google footprint as small as possible because I don’t like its business model of surveilling users. I also don’t want to see a return to the dark days where one browser, at the time Internet Explorer, held an almost unshakeable monopoly.

APFS and FileVault

Apple released macOS High Sierra yesterday. Amongst other changes, High Sierra includes the new Apple File System (APFS), which replaces the decades-old Hierarchical File System (HFS). When you install High Sierra, at least if your boot drive is a Solid State Drive (SSD), the file system is supposed to be automatically converted to APFS. Although Apple’s website says that FileVault encrypted drives will be automatically converted, it didn’t give any details.

I installed High Sierra on two of my systems last night. One was a 2012 MacBook Pro and the other was a 2010 Mac Mini. Both contain Crucial SSDs. Since they’re third-party SSDs I wasn’t sure if High Sierra would automatically convert them. I’m happy to report that both were converted automatically. I’m also happy to report that FileVault didn’t throw a wrench into the conversion. I was worried that converting a FileVault encrypted drive would require copying files from one encrypted container to a new encrypted container but that wasn’t necessary.

If you’re installing High Sierra on a FileVault encrypted drive, the conversion from HFS to APFS won’t take a noticeably greater amount of time.

The EFF Resigns from the W3C

The World Wide Web Consortium (W3C) officially published its recommendation for a digital rights management (DRM) scheme. By doing so it put an end to its era of promoting an open web. After fighting the W3C on this matter and even proposing a very good compromise, which was rebuffed, the Electronic Frontier Foundation (EFF) has resigned from the W3C:

We believe they will regret that choice. Today, the W3C bequeaths a legally unauditable attack-surface to browsers used by billions of people. They give media companies the power to sue or intimidate away those who might re-purpose video for people with disabilities. They side against the archivists who are scrambling to preserve the public record of our era. The W3C process has been abused by companies that made their fortunes by upsetting the established order, and now, thanks to EME, they’ll be able to ensure no one ever subjects them to the same innovative pressures.

[…]

Effective today, EFF is resigning from the W3C.

Since the W3C no longer serves its intended purpose, I hope to see many other principled members resign from the organization as well.

While content creators are interested in restricting the distribution of their products, the proposal put forth by the W3C will return us to the dark days of ActiveX. Since the proposal is really an application programming interface (API), not a complete solution, content creators can require users to install any DRM scheme. These DRM schemes will be native code. If you remember the security horrors of arbitrary native code being required by websites using ActiveX, you have an idea of what users are in for with this new DRM scheme. At this point I hope that the W3C burns to the ground and a better organization rises from its ashes.

iOS 11 Makes It More Difficult for Police to Access Your Device

One reason I prefer iOS over Android is that Apple has invested more heavily in security than Google has. Part of this comes from the fact that Apple controls both the hardware and software, so it can implement hardware security features such as its Secure Enclave chip, whereas the hardware security features available on an Android device are largely dependent on the manufacturer. However, even the best security models have holes in them.

Some of those holes are due to improperly implemented features while others are due to legalities. For example, here in the United States law enforcers have a lot of leeway in what they can do. One thing that has become more popular, especially at the border, is devices that copy data from smartphones. This has been relatively easy to do on Apple devices if the user unlocks the screen, because trusting a new connection has only required the tapping of a button. That will change in iOS 11:

For the mobile forensic specialist, one of the most compelling changes in iOS 11 is the new way to establish a trust relationship between the iOS device and the computer. In previous versions of the system (which includes iOS 8.x through iOS 10.x), establishing a trusted relationship only required confirming the “Trust this computer?” prompt on the device screen. Notably, one still had to unlock the device in order to access the prompt; however, fingerprint unlock would work perfectly for this purpose. iOS 11 modifies this behaviour by requiring an additional second step after the initial “Trust this computer?” prompt has been confirmed. During the second step, the device will ask to enter the passcode in order to complete pairing. This in turn requires forensic experts to know the passcode; Touch ID alone can no longer be used to unlock the device and perform logical acquisition.

Moreover, Apple has also included a way for users to quickly disable the fingerprint sensor:

In iOS 11, Apple has added a new emergency feature designed to give users an intuitive way to call emergency by simply pressing the Power button five times in rapid succession. As it turns out, this SOS mode not only allows quickly calling an emergency number, but also disables Touch ID.

These two features appear to be aimed at keeping law enforcers accountable. Under the legal framework of the United States, a police officer can compel you to provide your fingerprint to unlock your device, but compelling you to provide a password is still murky territory. Some courts have ruled that law enforcers can compel you to provide your password while others have not. This murky legal territory offers far better protection than the universal ruling that you can be compelled to provide your fingerprint.

Even if you are unable to disable the fingerprint sensor on your phone, law enforcers will still be unable to copy the data on your phone without your password.