Bitcoin (the blockchain, really) is one of the most significant advances in computer science in the last decade. This piece on Freedom to Tinker is a in-depth looking at how the 2013 blockchain fork was resolved. It's notable that a fundamentally decentralized system benefited significantly by both centralized decision-making and hashpower. The lesson may be that we should develop and use systems that afford federation, but allow for centralization.
This new chosen-ciphertext attack on common encryption software is really impressive:
We successfully extracted keys from laptops of various models running GnuPG (popular open source encryption software, implementing the OpenPGP standard), within a few seconds. The attack sends a few carefully-crafted ciphertexts, and when these are decrypted by the target computer, they trigger the occurrence of specially-structured values inside the decryption software. These special values cause observable fluctuations in the electromagnetic field surrounding the laptop, in a way that depends on the pattern of key bits (specifically, the key-bits window in the exponentiation routine). The secret key can be deduced from these fluctuations, through signal processing and cryptanalysis.
At the beginning of June, the Associated Press broke a story about a fleet of small aircraft registered to fake companies that are being flown over U.S. cities on a regular basis. The planes were traced back to the FBI, which has been identified as running operations in at least 11 states using at least 50 aircraft, logging around 11 flights a month.The planes carry high resolution cameras that photograph continuously, and in some (rare) circumstances, an IMSI-catcher, which tracks all cell phones (in use or not) in the area visible to the aircraft as it flies (cell phones use line-of-sight frequencies, by and large).
When the story first broke, I wasn't sure what to think. Having just read Nothing To Hide and Data and Goliath, privacy issues were fresh in my mind. Today, I got the chance to listen to a RadioLab episode called Eye in the Sky, about a company called Persistent Surveillance Systems which flies small aircraft over urban areas. The episode gives rare insight into not only how the technology works, but also how citizens (and reporters) respond to it when they grow to understand it.
The technology was tested in in Dayton, OH, and the test went well, demonstrating that the planes could be useful in fighting crime. The subsequent town hall meeting that was held to discuss the adoption of the technology did not go very well, however. Some citizens of Dayton were concerned about being watched all the time, everywhere they went. As a result of that meeting the police in Dayton did not adopt the technology, but may in the future. But the citizens got a voice, and there was a discussion.
It would be surprising if the FBI were not using technology that is largely identical to what Persistent Surveillance Systems uses, though probably more invasive, given their use of IMSI-catchers. The fact that there has been no public discussion of the use of the technology, and that the FBI has taken extensive measures to hide their use of the planes as tools of mass surveillance over United States cities is concerning. It seems reasonable to expect that the citizens of a democracy should have a say in how law enforcement operates, and should not be intentionally deceived by law enforcement agencies.
If you're interested in this kind of stuff, be sure to give the RadioLab episode a listen.
I wanted to pen a long post discussing Cory Doctorow's Information Doesn't Want to Be Free: Laws for the Internet Age and how it relates to Taylor Swifts two-day-old yet now-famous letter to Apple. As is often the case, Mike Masnick wrote up my thoughts better than I ever could. Although I only just started Cory Doctorow's book over the weekend, I am amazed by how well he articulates subtle issues surrounding copyright and the internet. I highly recommend giving it a read if you're interested in the subject matter.
One argument against having the government develop dossiers on every citizen en masse is that it introduces a single point of failure: if that repository is breached, all data is compromised in one swift stroke. This phenomenon is nothing new. Insurance companies have detailed information about the insured, and those repositories have been targeted, as we saw earlier this year in the Anthem attack that compromised the information of 8.8 million people. The government also collects lots of information on workers that it gives security clearances to, naturally. The information is quite detailed for a Single Scope Background Investigation, and that information is compiled into an 127-page SF-86 form (pdf, if you're curious). It turns out those forms were compromised in the latest attack made by China on U.S. government databases. Decentralized systems are more robust because they avoid a single point of failure, and can still authorize parties to retrieve information as needed. One project that trends in this direction is Unhosted, which separates the concern of hosting the application from the concern of storing the data. ReadWrite has an explanation of the architecture.
Looks like Amazon is going to be a CA, and not just for users of AWS or other Amazon services. Companies like Google and Yahoo have been taking bold steps to provide encrypted email, and Let's Encrypt looks like very promising project to provide free SSL certs to everyone. Apple's Tim Cook has publicly stated that encryption is vital, and was joined shortly thereafter by the UN. I'm excited to see Amazon joining in.
Project Vault (being discussed at Google I/O right now -- no links online yet) analyzes device usage in real time to produce a live-updated trust score that can be adaptively applied to various actions the user of the device attempts to make. Use case: trust score drops below 50, may allow user to play a game, but not launch a banking app. Very smart idea.
EDIT: It turns out that I'd conflated Project Vault with Project Abacus. Project Vault is a microSD ARM computer that handles trusted operations on Android phones via a faux FAT-filesystem interface. Also cool, but not what I originally posted about.
How can we possibly be arguing this much about something so blindingly obvious? If APIs are copyrightable, then there's no point in creating them. The whole point of an API is to create compatibility and interoperability.
I still haven't found a great browser on Android. I used Firefox for some time, but it had rendering issues. Chrome is closed source, which I try to avoid. Oddly, a Chromium build was never available, so I stuck with WebView wrappers like Lightning, which I can also load on my non-Play devices (Kindle Fire). Turns out, there were no Chromium builds because the code wasn't open source...but that's changing according to aurimas_chromium on Reddit. I'm looking forward to having Chromium show up in F-Droid!
One of the best side-effects of full-disk encryption is that "factory reset" functionality is a no-op, since it doesn't rely on complex and potentially error-prone disk wiping routines. It turns out that Android suffers from exactly those sort of faults.