
Twitter and free speech

There’s been a big debate today on Twitter about whether the company is right to remove images of the death of James Foley, the journalist beheaded by ISIS. On one side of the debate has been Mathew Ingram, who posted his points on GigaOm. I think, though, I agree with Derek Powazek on this:


Nuclear Regulator hacked “by foreign power”

Nice exclusive for Nextgov. Not your common or garden ID theft, but definitely a common or garden spearphishing attack:

Nuclear Regulatory Commission computers within the past three years were successfully hacked by foreigners twice and also by an unidentifiable individual, according to an internal investigation.

One incident involved emails sent to about 215 NRC employees in “a logon-credential harvesting attempt,” according to an inspector general report Nextgov obtained through an open-records request.

There’s plenty of information held by the likes of the NRC which would be very useful to foreign governments, but also to the kinds of hackers who sell data like this on the black market. And the malware they deployed doesn’t sound particularly complicated.


Apple’s released an update for Safari which fixes some security stuff:

Apple has released security fixes for vulnerabilities in its Safari web browser which left users open to attacks from cyber criminals.
The fixes relate to Safari 6.1.6 and Safari 7.0.6 and are available from the Apple support page now for OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5 and OS X Mavericks v10.9.4.
The bugs exist in Safari’s WebKit and, according to Apple, mean that “visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution”.

Unfortunately, they’re not telling us what’s been fixed:

It is currently unclear whether the vulnerability is actively being exploited by hackers, as Apple has a steadfast policy of not commenting on security issues.
“For the protection of our customers, Apple does not disclose, discuss or confirm security issues until a full investigation has occurred and any necessary patches or releases are available,” reads Apple’s security policy.
F-Secure security researcher Sean Sullivan told V3 the firm is yet to see any evidence the vulnerabilities are being actively exploited, but voiced his frustration with Apple’s lack of detailed information on the issues being fixed.
“Wouldn’t it be awesome if Apple did something useful like provide a severity rating for its updates? I’m not seeing any chatter about the reliability of these vulnerabilities. It’s true that ‘arbitrary code execution’ is never a good thing – but it might not work enough of the time to be worth an attacker’s effort – or then, perhaps it is,” he said.



The Mac bundle it’s OK to love

I’m not a huge fan of those vast bundles of software you occasionally get at a discount, but I’ll make an exception for The StackSocial bundle. Moom, Keyboard Maestro and dj alone are worth the money.

Like Gruber, I’m not using the affiliate fee, so all your cash will go to the makers of the apps, which is as it should be.


Android Wear finally gets its fitness SDK

One of the things that I’ve been surprised about with my Android Wear watch is that there’s no way I’ve found to get the steps and heart rate data off it. Now I know why:

At Google I/O we announced Google Fit: an open platform for developers to more easily build fitness apps. Today we’re making a preview SDK available to developers so that you can start to build.

Just stop for a second and imagine Apple releasing new hardware without software support for one of its key features. This is the big difference between Apple and Google: Google is OK with products being unfinished in a way that would drive Apple crazy.

Personally, I generally prefer products to actually work when I buy them.


I’ve said this before…

…but boy, does Yosemite look better on a retina display than a non-retina one. Which leads me to wonder just how long it will be before we have bigger (much bigger) retina displays than those currently available. 


A few days with Android Wear

Android Wear has had plenty of coverage, some of it good, some of it less enthusiastic. The commentary I’ve found most interesting has been around the approach Google has taken of making the wrist a place to get alerts, rather than somewhere which either runs apps or acts as an adjunct to the sensors your phone already contains.
I’m primarily an iPhone user, but this commentary, plus the launch of Android Wear and Android L, made me think it was time to look again at Android Wear. So I bought a Samsung Gear Live watch, and I’ve been playing around with it for about a week.

Alerts which matter

One of the selling points of Wear is the ability of apps – and particularly Google Now – to deliver information when you need it preemptively. You’re not supposed to have to ask Google when the next bus is: it’s supposed to spot the fact you’re by a bus stop and tell you when the next one will arrive.

This is fine in theory, but it depends on Google knowing an awful lot about you and the kind of behaviour you exhibit on a daily basis. It also depends on Google being smart about how your behaviour changes, learning to ignore the odd occasion when you visit a different place so it doesn’t assume you’re interested in travel information to that location all the time.

Unfortunately, Google Now isn’t particularly finely tuned yet. For example, in common with most people I don’t drive everywhere. Neither do I get the bus everywhere. Yet Google forces me to choose between public transport routes or driving routes, and doesn’t learn which I use for what kind of journey. I don’t take the car to work, ever; but this doesn’t mean I get the tube for every journey, so there’s no point pre-emptively suggesting a leaving time for a trip based on that when it’s something I’d always drive to.

This kind of lack of granularity shows up on Android Wear particularly badly, because it puts alerts and what the machine knows about you front and centre. In theory, Google Now ought to get better and better the more you use it. In practice, I’m yet to see a major difference in how good its predictions are.

Keeping the phone in the pocket

However, using Android Wear has had one side-effect which I didn’t expect: it’s helped me to stay “present” in more situations and stop checking my phone for “urgent” stuff. Knowing that if something happens, there will be a little buzz on my wrist helps to avoid the feeling that you’ve got to get your phone out of your pocket “just in case”.

It’s also much, much less intrusive in social situations. Glancing at your wrist for a second to check an alert lets you stay more present in the conversation which is happening around you than ferreting around in your pocket, dragging out your phone, switching it on, checking whatever and putting it back. And of course with the phone, you’ve got the temptation to keep it on the table in front of you, glance at it, maybe see what Twitter is talking about… all of which breaks the social contact you’re having in the real world.

Where does this go next?

Android Wear is interesting, and so far I’ve really enjoyed using it. It, combined with Android L, is pretty much an even match with the iPhone for usability at the moment, although from my experience of iOS 8 so far I’d say the iPhone will take a leap ahead of it again when it’s released.

However, using it has also made me hungry to see what Apple could do with a wrist-based wearable product. Ever since Tim Cook mentioned the wrist was “interesting” to the company, everyone’s assumed Apple will make an iWatch. But what you have on your wrist doesn’t have to be a watch: the fact you have two wrists means there’s space for two devices. Perhaps on the right you could wear something like Android Wear, designed to keep your phone in the pocket, while on the other, a smaller screenless device keeps a constant check on your heart rate, steps, and more. Or maybe it will be combined into a single wearable (which you have to charge every day).


Chrome battery life on Mac

Chrome has turned into a battery life hog on pretty much every platform, it seems. Here's Jared Newman, writing about the bug which makes Chrome eat up your laptop's battery on Windows:

In a statement to PCWorld, the company noted that the bug has been assigned internally, and that the Chrome team is working to fix it—though only after Morris shined a spotlight on the issue. The long-standing bug report has been bumped up to priority one.

Not just Windows: in my experience, Chrome is a major battery hog on OS X, literally halving the life of my MacBook Pro compared to the latest version of Safari. Whether this is Chrome being wildly inefficient or just better code in Safari, I don't know, but it means that at the moment Chrome just isn't a viable option to use on the Mac.


Untangling DRIP

There’s already been a lot of commentary on the government's attempt to railroad through the Data Retention and Investigatory Powers Bill, known to its opponents as DRIP. According to the government, DRIP represents a simple piece of emergency legislation designed to preserve powers which are about to lapse. To its opponents, it represents a genuine threat to privacy. But which is it?

Does DRIP extend the government's powers or not?

The key question with DRIP is whether its clauses represent a simple reaffirmation of existing powers, or an extension of RIPA. As David Allen Green has cogently argued, over half of the text of the bill is devoted to amendments to RIPA rather than reaffirming the data retention regime. The clauses which deal with RIPA – 3, 4 and 5 – all amend it in ways which the government claims are “clarifications” but which Green and I both think go well beyond that, into the area of new or extended powers.

Clause 3 feels like the work of the Liberal Democrats, “clarifying” the ability of the government to intercept communication on the basis of “economic well-being”. Few would object to this, but – as Green points out – this is not something that requires emergency legislation or, I'd argue, should form any part of a bill which isn't going to be scrutinised.

Clause 4, on the other hand, is pretty noxious: it extends the scope of RIPA to any company providing services to UK citizens, even if they (and their data) are based abroad. As Green points out, this is more than a simple clarification or cosmetic change, and therefore shouldn't be in an emergency bill.

What does Clause 5 do?

In the grand tradition of leaving the worst till last – when hopefully scrutineers will have tired eyes and fogged brains – Clause 5 is possibly the one which is the most despicable. It focuses on the meaning, in RIPA, of “Telecommunications Service”, and extends that definition way beyond the original bill.

At present, RIPA defines “telecommunications service” thus:

“telecommunications service” means any service that consists in the provision of access to, and of facilities for making use of, any telecommunication system (whether or not one provided by the person providing the service).

The DRIP Bill will add this:

For the purposes of the definition of telecommunications service in subsection (1), the cases in which a service is to be taken to consist in the provision of access to, and of facilities for making use of, a telecommunication system include any case where a service consists in or includes facilitating the creation, management or storage of communications transmitted, or that may be transmitted, by means of such a system.

Why the change? The government insists this is primarily to clarify that the bill includes services like webmail. However, read more loosely it could include the entire contents of your Dropbox, or Google Drive, or anything else which involves “facilitating the creation, management or storage of communications”. Is sharing a document from Google Drive “communications”? With the boundaries between file storage and email blurring, you can bet it will be interpreted that way.

It also, of course, definitely includes the likes of Facebook and Twitter, cementing the intelligence services' view that such services are fair game without any additional warrant. I'll come back to that in a minute.

Evidently, this goes well beyond simply clarifying what RIPA means: it's a clear extension of the scope of the law, and as such it shouldn't be part of an emergency bill even if you accept the government's argument that such a bill is necessary. The principle that granting intelligence services additional powers should only be done with the full scrutiny of Parliament and its committees except in the direst national emergency is one which is incredibly important, because without it democracy itself effectively ceases to function. This is particularly true when the measures have the backing of all the parties, because it's not like we can simply blame the government and vote in a party with clean hands.

External communications and RIPA

It's also worth remembering the government itself rarely understands the full implications of its own legislation, particularly in the fields of technology and security. There are two reasons for this. First, government ministers only occasionally have more than a layman's interest in technology. Today, you might find MPs who are brilliant users of Twitter, but finding one that understands the nuances of global TCP/IP routing is much harder.

That's not itself a problem, but unfortunately the experts ministers consult on technical matters tend to be fairly useless too. When you have a government which consistently believes the promises of the likes of Capita about what technology can achieve, the independent advice it is seeking clearly doesn't amount to much.

The second issue is the role of the security services. Security services are, by design, both cautious and prone to high levels of suspicion. When dealing with external threats, this is actually a positive factor: protecting a country's citizens is a great responsibility, and you want organisations to do it with extreme caution and rigour.

However, this naturally leads security organisations to request more and more access to data, “just in case” something important might be missed. Again, demanding this is in itself not a negative thing. The job of an intelligence agency is to make sure it doesn't miss vital intelligence, not to make judgement calls over whether a specific tool oversteps the mark and leads to violations of individual privacy.

That is the job of the law, and creating a clear and well-written legal framework is the job of the politicians. And unfortunately, as we've seen, even with vast amounts of scrutiny, politicians are fully capable of making bad law which opens the doors to surveillance which the general public would find unconscionable.

Remember the recent revelation that the spooks regard services like Facebook and Twitter as fair game for interception, without an individual warrant? This happened because the last government allowed the warrantless interception of any “external communications” – a message sent or received outside the UK. Stand.org highlighted this at the time – and even, I am told, warned several newspaper editors about its implications – without much in the way of an outcry. The only MP to pick up on the issue during the bill's passage through Parliament was Richard Allan, who persistently questioned ministers about it.

Charles Clarke's answers to Allan are revealing, not only for their evasiveness masquerading as openness but also for their lack of foresight about technology. Clarke persistently comes back to the point that an individual warrant would be required in any case where either the recipient or sender of a message was in the UK, clearly understanding RIPA as intended to cover messaging services following an email-like, person-to-person model. The notion of a service like Facebook, where “the recipient” is much less clear but where there is an expectation of privacy and where everyone who reads a post may be in the UK, clearly wasn't thought about.

Did Clarke intend this all along? Did Parliament intend to give security services carte blanche to look through every kind of communication that UK citizens send without a warrant? I doubt it. The notion that politicians sit around toasting marshmallows while plotting to get nebulous rules they can exploit through Parliament is wide of the mark. They're not a sinister cabal.

Perhaps, though, this is the intention of the Clause 5 amendment: to clearly enshrine in law the spooks' right to intercept every Facebook post you make without a warrant. Perhaps that's what the government means when it says these clauses “clarify” existing powers. But if it is, then surely that's exactly the kind of thing which deserves full and proper scrutiny and debate in Parliament.

It is clear from Hansard that Parliament was thinking of email-like person-to-person communications when it passed RIPA, despite Allan and Stand.org's warnings. Now, having seen the hole in the phrasing and run through it with the enthusiasm of a Brazilian football fan fleeing a semi-final, the spooks have come to rely on the ability to intercept everything you and I post on Instagram. And rather than say “actually, that's not what we intended with RIPA, you can stop doing it please” the government is simply handing them the full legal power without a proper debate.

Fast law makes bad law

If a law can go through the amount of scrutiny that RIPA originally attracted and still end up badly-framed and grant wider powers than Parliament intended, just how bad can a law which has almost no scrutiny be? I'll leave that for you to consider, but the fact is that fast law makes for bad law.

The exception is fast law which is extremely narrow, but, as we've seen, that isn't the case here. DRIP goes beyond preserving the existing requirement on telecoms companies to retain data and into the realm of “clarifying” – which really means enhancing – RIPA. Not satisfied with doing something which, while objectionable, could at least be justified as preserving the status quo, the government is seeking to sneak in additional clauses which add more powers.

Does the government really intend that Clause 5 can be used to allow the spooks to trawl through any UK citizen's Dropbox? Probably not. But that's kind of the point: laws which are rushed through like DRIP are, inevitably, going to contain roughly-drafted clauses and definitions which are too broad, or too narrow, or just don't make sense. If this were a normal law, affecting, say, motoring, it would be bad enough. When it deals with the rights of citizens to private life AND national security, it's incredibly bad.

If the government were to withdraw clauses four and five of DRIP, I could understand it as an emergency measure needed to retain existing powers. That both the Liberal Democrats – who, remember, argued they could act as a brake on the illiberal tendencies of the Tories – and Labour have been suckered into supporting the bill is a shocking display of their inability to properly scrutinise legislation. If they can fail to see the obvious additional powers in a two page bill, how much are they missing in larger, more complex legislation? Or are they so blinded by the magic words “national security” and stern-faced briefings from MI6 that they find it impossible to say “hang on a minute…”


Just what is the TSA looking for?

NBC News on the decision of the TSA to not allow electronic devices on to planes unless they are charged up:

A U.S. source familiar with the matter said laptop computers are among the devices security screeners may require passengers to turn on. U.S. officials are concerned that a cellphone, tablet, laptop or other electronic device could be used as a bomb.

Some people have questioned why this measure is necessary, given that a potential terrorist could simply pack a device with explosives while retaining the ability to turn it on, but I think they’re missing the point. My guess – and it is a guess – is that someone has worked out how to create an explosive mixture which, when passed through a scanner, looks the same on the screen as a battery. This means you could replace the battery with explosive, but putting it elsewhere would still stand out as abnormal on screen.

Hence the threat: it’s not that someone can pack a device with explosives (something they’ve always been able to do), it’s that they can now do it undetected.
