Greg Miller, The Washington Post, 11 Feb 2020 <https://www.washingtonpost.com/graphics/2020/world/national-security/cia-crypto-encryption-machines-espionage/>
For more than half a century, governments all over the world trusted a single company to keep the communications of their spies, soldiers and diplomats secret. That company was secretly run by the CIA, which had the ability to read all those communications for decades.
The company, Crypto AG, got its first break with a contract to build code-making machines for U.S. troops during World War II. Flush with cash, it became a dominant maker of encryption devices for decades, navigating waves of technology from mechanical gears to electronic circuits and, finally, silicon chips and software.
The Swiss firm made millions of dollars selling equipment to more than 120 countries well into the 21st century. Its clients included Iran, military juntas in Latin America, nuclear rivals India and Pakistan, and even the Vatican.
But what none of its customers ever knew was that Crypto AG was secretly owned by the CIA in a highly classified partnership with West German intelligence. These spy agencies rigged the company's devices so they could easily break the codes that countries used to send encrypted messages.
The decades-long arrangement, among the most closely guarded secrets of the Cold War, is laid bare in a classified, comprehensive CIA history of the operation obtained by The Washington Post and ZDF, a German public broadcaster, in a joint reporting project.
The account identifies the CIA officers who ran the program and the company executives entrusted to execute it. It traces the origin of the venture as well as the internal conflicts that nearly derailed it. It describes how the U.S. and its allies exploited other nations' gullibility for years, taking their money and stealing their secrets.
The operation, known first as ‘Thesaurus’ and later ‘Rubicon’ , ranks among the most audacious in CIA history.
This is an outstanding paper.
Michael A. Specter, James Koppel, Daniel Weitzner (MIT) The Ballot is Busted Before the Blockchain: A Security Analysis of Voatz, the First Internet Voting Application Used in U.S. Federal Elections https://internetpolicy.mit.edu/wp-content/uploads/2020/02/SecurityAnalysisOfVoatz_Public.pdf
See also some of the subsequent items:
“Their security analysis of the application, called Voatz, pinpoints a number of weaknesses, including the opportunity for hackers to alter, stop, or expose how an individual user has voted.”
Voting on Your Phone: New Elections App Ignites Security Debate, The New York Times, 13 Feb 2020 https://www.nytimes.com/2020/02/13/us/politics/voting-smartphone-app.html
The general consensus seems to be that Voatz's responses neither address their criticisms more give any reasonable assurance.
[That's “lax”, not “LAX”. PGN]
“The Federal Aviation Administration allowed Southwest Airlines to put millions of passengers at risk by letting the airline operate planes that did not meet U.S. aviation standards and by failing to provide its own inspectors with the training needed to ensure the highest degree of safety, according to a report released Tuesday by the Department of Transportation's inspector general.”
The flying public experiences elevated risk when FAA inspectors are not qualified or are under-trained to competently fulfill mandated assignments. Trust but verify rigor is required to ensure life-critical operational readiness. Coffee cup inspections don't cut it.
“The FAA's overreliance on industry-provided risk assessments and failure to dig deeply into many of those assessments is a broader concern raised by several outside experts and reviews following the crashes of two Boeing 737 Max jets that killed 346 people…”
See http://catless.ncl.ac.uk/Risks/31/17#subj2.1 for an exposé on industry self-regulation efforts, and why the US government promotes the practice. Alternatively, the EU's precautionary measures regulatory approach might reduce the frequency of disruptive brand outrage incidents and declining product orders.
A lawsuit brought by Amazon has forced the Pentagon to again pump the brakes on an advanced cloud computing system it sought for years, prompting yet another delay the military says will hurt U.S. troops and hinder its national security mission.
A federal judge Thursday ordered the Pentagon to halt work on the Joint Enterprise Defense Infrastructure cloud computing network, known as JEDI, as the court considers allegations that President Trump improperly interfered in the bidding process.
The order comes just one day before the Defense Department had planned to “go live” with what it has long argued is a crucial national defense priority.
Halt work? …one day before? …a crucial national defense priority? Politicize technology decisions? Sounds about right.
2038 is for Linux what Y2K was for mainframe and PC computing in 2000, but the fixes are underway to make sure all goes well when that fatal time rolls around. …
But look at this way: After we fix this, we won't have to worry about 64-bit Linux running out of seconds until 15:30:08 GMT Sunday, December 4, 29,227,702,659. Personally, I'm not going to worry about that one.
Dynamic map border revisions: a catastrophic recipe for navigation errors and munitions deployment.
Someone rented a Ford from Enterprise and paired it with FordPass to get remote control. Five months later he could still start and stop the engine, lock and unlock the car, and track it—remotely. Same thing happened to him a second time.
Recent piece in ZDNet https://www.zdnet.com/article/he-returned-the-rental-car-long-ago-he-can-still-turn-the-engine-on-via-an-app/
Earlier report in Ars Technica
Text of ZDNet article …
He returned the rental car long ago. He can still turn the engine on via an app
Imagine you've parked your rental car and are walking away. Suddenly, the car starts up, seemingly on its own. Yes, it's another day in technology making everything better. …
You think we're living in the end of times?
No, this is just a transitional period between relative sanity and robot inanity.
The problem, of course, is that our deep, mindless reliance on technology is causing severe disruption.
I'm moved to this fortune cookie thought by the tale of a man who rented a Ford Expedition from Enterprise. He gave it back and, five months later, he discovered that he could still start its engine, switch it off, lock and unlock it and even track it. Remotely, that is.
You see, as Ars Technica described last October <https://arstechnica.com/information-technology/2019/10/five-months-after-returning-rental-car-man-still-has-remote-control/>, Masamba Sinclair had connected his rental car to FordPass, an app that's presumably very useful. Who wouldn't want to remotely unlock the doors of a car someone else is renting? Just to imagine their faces, you understand. It so happened that Sinclair hadn't unpaired his app from the car. Cue the absurdity.
At the time, I thought Sinclair's tale entertaining. But surely the app's vulnerability would be patched, secured or whatever technical verbal emoji you might choose.
Yet Sinclair just rented another Ford—this time, a Mustang. And what do you know, four days after he'd returned it, he could still make the car do things from his phone. Which could have been a touch bemusing to anyone who happened to have subsequently rented it.
It seems that Ford does offer warning notifications inside the car when it's paired with someone's phone.
Yet if subsequent renters or, indeed, the rental company's cleaners don't react to such notifications—or simply don't see them—a random somebody who happens to still have an app paired to the car may incite some remote action, like a ghostly jump start.
You might think Sinclair should have already disconnected his app from any car he'd previously rented. Some might grunt, though, that it shouldn't be his responsibility.
For its part, Enterprise gave Ars a statement that began: “The safety and privacy of our customers is an important priority for us as a company.” An important priority, but not the most important priority?
The company added: “Following the outreach last fall, we updated our car cleaning guidelines related to our master reset procedure. Additionally, we instituted a frequent secondary audit process in coordination with Ford. We also started working with Ford and are very near the completion of testing software with them that will automate the prevention of FordPass pairing by rental customers.”
Here's the part that always make me curl up on my sofa and offer intermittent bleats. Why is it that when technologies such as these are implemented, the creators don't sufficiently consider the potential consequences and prevent them from happening?
If Sinclair could so easily keep his app paired to any Ford he'd rented — and this surely doesn't just apply to Fords—why wasn't it easy for the Ford and/or Enterprise to ensure it couldn't happen?
Why does it take a customer to point out the patent insecurity of the system before companies actually do anything about it?
Perhaps one should be grateful that at least nothing grave occurred. But imagine if someone of brittle brains realized they could be the ghost in a machine and really scare a stranger.
Too often, tech companies place the onus on customers to work things out for themselves and even to save themselves. Or, worse, to only discover a breach when it's too late.
Wouldn't it be bracing if tech companies, I don't know, showed a little responsibility in advance?
Lawmakers in Strasbourg adopted a resolution calling for strong oversight of artificial intelligence technology, approving the text by hand vote while rejecting six potential amendments. <https://www.europarl.europa.eu/doceo/document/B-9-2020-0094_EN.pdf>
The document, which was adopted by the Parliament's Committee on Internal Market and Consumer Protection (IMCO) late last month, marks the first time since new lawmakers were elected last year that the assembly takes a position on what kind of safeguards are needed for automated decision-making processes. It comes as political leaders at the European Commission, the EU's executive body, are set to initiate far-reaching legislation on artificial intelligence next week.
Some of the world's biggest companies are relying on AI to build a better workforce. But be warned: The tech can create new problems even as it solves old ones. …
In his Amsterdam offices, about an hour's drive from his company's largest non-American ketchup factory, Pieter Schalkwijk spends his days crunching data about his colleagues. And trying to recruit more: As head of Kraft Heinz's talent acquisition for Europe, the Middle East, and Africa, Schalkwijk is responsible for finding the right additions to his region's 5,600-person team.
It's a high-volume task. Recently, for an entry-level trainee program, Schalkwijk received 12,000 applications—for 40 to 50 openings. Which is why, starting in the fall of 2018, thousands of recent university graduates each spent half an hour playing video games. “I think the younger generation is a bit more open to this way of recruiting,” Schalkwijk says.
The games were cognitive and behavioral tests developed by startup Pymetrics, which uses artificial intelligence to assess the personality traits of job candidates. One game asked players to inflate balloons by tapping their keyboard space bar, collecting (fake) money for each hit until they chose to cash in”or until the balloon burst, destroying the payoff. (Traits evaluated: appetite for and approach to risk.) Another measured memory and concentration, asking players to remember and repeat increasingly long sequences of numbers. Other games registered how generous and trusting (or skeptical) applicants might be, giving them more fake money and asking whether they wanted to share any with virtual partners. […]
Still, he too is proceeding cautiously. For example, Kraft Heinz will likely never make all potential hires play the Pymetrics games. “For generations that haven't grown up gaming, there's still a risk” of age discrimination, Schalkwijk says.
He's reserving judgment on the effectiveness of Pymetrics until this summer's performance reviews, when he'll get the first full assessment of whether this machine-assisted class of recruits is better or worse than previous, human-hired ones. The performance reviews will be data-driven but conducted by managers with recent training in avoiding unconscious bias. There's a limit to what the company will delegate to the machines.
AI “can help us and it will help us, but we need to keep checking that it's doing the right thing, Humans will still be involved for quite some time to come.”
But … how can it work without quantum computing hosted blockchain?
[We're doomed… Rebecca Mercuri]
Artificial intelligence and machine learning aren't the only changes to expect in QA, but they're a big part of it.
“Although all of the researchers agreed that algorithms should be applied cautiously and not blindly trusted, tools such as COMPAS and LSI-R are already widely used in the criminal justice system. ‘I call it techno utopia, this idea that technology just solves our problems,' Farid says. 'If the past 20 years have taught us anything, [they] should have taught us that that is simply not true.’”
In “Talking to Strangers: What We Should Know about the People We Don't Know,” Malcolm Gladwell discusses judges during an arraignment hearing to determine “own recognizance release,” or to imprison a suspect based on numerous factors. What tips a judge's decision to release or hold?
Judges study prior criminal history, the crime, eyeball the suspect, etc. Do they always make a correct determination? No. News reports tragically document instances when a judge mistakenly interprets a suspect's public safety assessment, should the suspect commit a crime while on bail and caught.
https://www.govtech.com/public-safety/Civil-Rights-Groups-Call-for-Reforms-on-Use-of-Algorithms-to-Determine-Bail-Risk.html discusses algorithmic public safety assessments which can assist judicial bail decisions.
Risk: State or Federal legislation that establishes algorithmic priority over human judicial ruling.
Passwords are a notorious security mess. The FIDO Alliance wants to replace them with better, more secure technology and now Apple is with them in this effort.
…I wonder about non-tech people reacting to and adopting this…
In some cases* the US IRS still accepts only paper tax forms. Compare this to the government's FBAR form, which can be filed only electronically. But in some COVID-19 areas, paper mail is no longer an option…
E.g., Form 5329, when filed separately.
Over the past few years, it has seemed as though the only thing real news outlets can agree on is the danger of fake news.
Foreign powers or domestic traitors are accused of engineering political divisions, creating polarization, and seeding arbitrary disinformation for the sole purpose of making it impossible for people from different subcultures to communicate. This is blamed on the Internet (and, more specifically, social media)—and there is some truth to this accusation. However, as is often the case with new communication technologies, social media has not accelerated this tendency towards disinformation so much as it has made it more visible and legible.
When widespread Internet access broke down our sense of a collective reality, what it was toppling was not the legacy of the Enlightenment, but instead an approximately 100-year bubble in media centralization. Current norms around meaning-making cannot survive the slow collision with widespread private ownership of duplication & broadcast technologies.
These norms are built around an assumption that consensus is normal and desirable among people who communicate with each other—in other words, that whenever people calmly and rationally communicate, they will come to an understanding about base reality. This ignores the role of power relations in communication: in modern, liberal contexts, the party that can perform calm diplomatic rationality the best will win, and the best way to remain calm and diplomatic is to know that if you fail in your attempts at diplomacy, a technically advanced army will continue that diplomacy through more direct means. It also ignores the potential value of ideas (including myths) to people who do not fully understand their mechanism of action — what the rationalist community calls Chesterton's Fence.
Just as we benefit from medical innovations like SSRIs and anesthesia without knowing how or why they work, many cultures benefit from beliefs that aren't grounded in observation, deduction, or strong evidence that they correspond to base reality—but, rather, by the fact that everybody who didn't hold those beliefs eventually died for reasons that remain obscure.
In situations of extreme cosmopolitanism, where people from different cultures and environments communicate on equal terms, there will be disagreements that cannot be dismissed as merely aesthetic preferences or historical relics—but that nevertheless cannot be worked out through debate or discussion, simply because discovering their material bases is a project of immense complexity.
Epistemic fragmentation—the tendency for different people to have different sources of knowledge and different, often conflicting, understandings—is irreducible, and epistemic centralization—the centralized control of shared sources of information—cannot provide a universally-applicable shared understanding of the world.
We should be wary of attempts to solve this problem through ‘trust in institutions’—in other words, through a return to the epistemic centralization that characterized the twentieth century.
This epistemic centralization was produced by tight control over broadcast communication—organizations were ‘trusted' because they had the power (through reserves of capital, ownership of expensive equipment, and/or explicit government support) to reach many people with the same messages, but they were not ‘trustworthy’ in the sense that they did not (and could not) accurately report on reality. While plenty of these organizations worked in good faith to be responsible and accurate, no handful of organizations has the manpower to report upon and fact check everything important.
Organizational or institutional meaning-making is a slightly scaled-up form of individual meaning-making.
An institution provides a structure for organizing individual work, and this structure organizes flows of resources and information.
These flows control what information can be expressed externally by enforcing broadcast norms, house style, determining what sections are allocated to what topics and determining what counts as newsworthy based on whether or not it fits into any of these topics, and so on; they control what information can be expressed internally, based on norms about professional communication, expectations about shared spaces (like DC reporters socializing after-hours in particular bars, or tech and culture beat journalists socializing on twitter where strict character counts force a terse style), and social hierarchy and stigma around covering particular topics; they control what material can even be effectively researched through the control of resources like travel expenses, deadline length, and materials for stunt-reporting.
All of these actions are essentially filters: they prevent journalists from researching and reporting on a wide variety of things they would like to cover, while producing incentives to cover a handful of specific things. Because of this, no institution can produce better-quality meaning (i.e., meaning formed by serious consideration of a wider variety of sources) than the individuals working for it could produce under a looser confederation, assuming the resources necessary for access remained available.
Consensus reality is merely a side effect of ignoring or erasing the pieces that cannot be made legible and cannot be made to fit any narrative or model—and this erasure is political, in the sense that it shapes what can be imagined and what can be spoken about.
We cannot effectively consider topics we are not allowed to discuss; we cannot make good personal decisions about topics we cannot effectively consider; we cannot make good collective decisions on topics about which we cannot make good personal decisions; therefore, the soft-censorship necessitated by the limited resources of the centralized meaning-making that engineers the illusion of consensus reality prevents politics from effectively addressing problems that affect only a few but that require mass action and solidarity to solve
The private supplementation of centralized shared knowledge is insufficient.
The twentieth century model of broadcast media is an extension of earlier models of (print-based) publishing: in the beginning, printing presses and radio stations are expensive and a handful of early experimenters create content for a handful of early adopters; as equipment costs drop, more people get into the market, leading to a push to regulate and re-centralize helmed on one side by the biggest players in the market and on the other by folks who are concerned about signal-to-noise ratio.
This leads to self-enforced standards—rules for journalism, for instance — along with state-enforced measures to create a ‘legitimate’ class and separate it from ‘illegitimate’ amateurs—copyright, spectrum subdivisions, broadcast content rules.
Broadcast mechanisms have typically remained expensive, regardless of how technology has progressed: prior to widespread Internet access, the cheapest broadcast medium (in terms of the ability of an individual of modest means to reach many people) was the production of xerox pamphlets — tens of cents per copy, plus postage.
With the Internet, copying has a much lower cost & can be performed without the direct, intentional involvement of recipients —what costs do exist can be automatically distributed more evenly, rather than being concentrated in the hands of some central node.
(Because of a historical mistake, the web concentrates costs centrally, but peer to peer communications technologies do not.) <https://medium.com/@enkiv2/there-was-never-an-open-web-69194f9b1cf1?source=3Dfriends_link&sk=3D7aed9c67a373e1334f671be2b0b78afc>
This breaks the economic justification for a tendency toward re-centralization in the distribution of information—a justification that had previously made the institutionalization of consensus-making unavoidable.
Prior to widespread literacy and widespread access to oral mass broadcast media, consensus-making and meaning-making was a social process rather than a parasocial one.
Time-binding technologies—mechanisms to permanently record and retrieve information, so that information that originated long ago or far away could be transmitted without distortion—were limited to print.
Writing, in the absence of mass-production technologies, had more of an oral aspect to it: while Babylonian kings would manufacture negative molds for exactly reprinting laws, manuscripts were largely transcribed by students in lecture halls who included the lecturer's asides in their transcriptions alongside their own notes, and these modified manuscripts would be the basis for later lectures or would be copied by hand. In other words, before print, it was rare for even writing to be ‘broadcast’ in the sense of a large number of people receiving exactly the same information, and before radio, this kind of standardization was not available to the illiterate at all.
In the print age, the intelligentsia got their ideas from the canon of great literature and so were capable of groupthink at scale, but their illiterate or semi-literate peers were exploring epistemic space together in a more organic fashion, without powerful time-binding technology tethering them to any baseline.
The sharedness of their realities mirrored their social connectedness — almost always bidirectional, if not even or equitable—and their social graphs mirrored geography (because transport technologies, though they could warp transit-space, did not flatten it—it may be easier to go 100 miles by train than 10 miles by horse, but it has never become equally easy to physically transport oneself to anywhere on earth).
What the Internet did was to make visible the already-existing alien realities of the outgroup and allow faster mutation through the cross-pollination of fringe groups.
Telephony could have done to these oral cultures some of what social media has done to our literate culture, had it become common and affordable a decade earlier and had party lines remained normal, but charging by the minute (with a multiplier for long-distance calls) prevented the telephone network from being the basis for the kind of multi-continent perpetual hangouts that make the Internet so cosmopolitan—with the exception of phone phreaks, who used exploits to create exactly this kind of community behind Bell's back.
Social media is awful and whatever pleasures it confers in the form of mildly amusing memes or a fleeting sense of community/belonging are massively outweighed by its well-documented downsides. Their psychic consequences are of interest to its owners only in the sense that, past a certain threshold, people might turn away from their platforms and cut off the endless stream of monetizable private data that sustain their business models and corrode conventional ideas about privacy, self-determination, etc. […]
I guess this is something I believe, though even typing it out is embarrassing—because at this point it's so obvious/trite, and because its obviousness/triteness hasn't stopped me or anyone I know from using it. Some vague comfort is extractable from the fact that these platforms were designed to foster just this kind of behavior, but it might be nice to know how, exactly, that end was/is achieved. To that end, for this week's Giz Asks <https://gizmodo.com/c/giz-asks> we've reached out to a number of experts to find out why social media is so addictive.
Distinguished Professor, Behavioural Addiction, Nottingham Trent University
Looking up more information about that acorn woodpecker stash, according to a couple of sources (especially the Nat Geo article below), an entire family of woodpeckers generally works as a team to build their stash, and it might have taken them as long as five years to squirrel away that 300-pound load:
Even more interestingly, that video is from 2009, leading to yet another RISK of finding things on the Internet - thinking something you've discovered is new just because it's new to you and the source conveniently didn't mention any dates on it.
The “first woodpecker” quote is attributed to Gerald Weinberg, I remember that because I checked for a canonical version before putting in my post in RISKS-28.21. At the time I thought I was being novel, but I see now that I was merely the 3rd person to have that same great idea.
While the WP article is technically correct when saying that the app had exposed every “registered voter” in Israel, it makes the fault seem a bit less severe that it really is. The fact is, voters in Israel do not have to register; every citizen over 18 can vote, and is listed automatically. This means there is no opting out, everyone is on the exposed list, voting or not.
A colleague points out that a longer video of this was uploaded to YouTube in 2009: https://www.youtube.com/watch?v=cZkAP-CQlhA It identifies the location as being Bear Creek Road microwave site. The video is mis-titled “Squirrel [sic] fills Antenna with Acorns”, but the comments identify a woodpecker as the culprit.
The two options were: Extend the year field from 2 digits to 4 digits (which might have knock-on effects all over the system), or use a “sliding window&8221; which would treat all dates whose 2 digit year could be interpreted as up to, say, 20 years in the future as actually in the future and not the past.
In 2020 the sliding window should treat dates “20” to “40” as 2020 to 2040 while “41” would be interpreted as 1941.
Another option is simply to pick the closest date to the current date: this is approximately equivalent to a 50 year sliding window.
Implementing a Y2K “fix” which is guaranteed to fail in a few years seems insane given that this is exactly the kind of short-sightedness which created the Y2K mess in the first place! (Unless it was a cunning plan for the programmers to give themselves extra business in 20 years time: like the programmer who was implementing a payroll system and programmed the system to crash if his name was not found on the payroll!)
Reading through the latest RISKS, I think your readers might be interested in the article by Professor Roger Kemp, ¶#8220;Autonomous vehicles, who will be liable for accidents?”—not quite a legal analysis, but an excellent overview of some of the practical issues that do not get discussed very often: https://journals.sas.ac.uk/deeslr/issue/view/528
The books listed below are published on paper and available as open source from: https://ials.sas.ac.uk/about/about-us/people/stephen-mason
Stephen Mason and Daniel Seng, editors, Electronic Evidence (4th edition, Institute of Advanced Legal Studies for the SAS Humanities Digital Library, School of Advanced Study, University of London, 2017)
Electronic Signatures in Law (4th edn, Institute of Advanced Legal Studies for the SAS Humanities Digital Library, School of Advanced Study, University of London, 2016)
Open source journal: Digital Evidence and Electronic Signature Law Review http://dev-ials.sas.ac.uk/digital/ials-open-access-journals/digital-evidence-and-electronic-signature-law-review (also available via the HeinOnline subscription service)
Please report problems with the web pages to the maintainer