The NSA & CIA Fail the American People

Remember the Apple iPhone / San Bernardino case from early 2016? Here’s a recap:

The F.B.I. has been unable to get into the phone used by Syed Rizwan Farook, who was killed by the police along with his wife after they attacked Mr. Farook’s co-workers at a holiday gathering. Reynaldo Tariche, an F.B.I. agent on Long Island, said, “The worst-case scenario has come true.”

But in order to unlock the iPhone, which Apple couldn’t simply “do” because of the passcode implementation used by Farook, a legal dispute ensued whereby the FBI demanded Apple build a backdoor to the “single” device.

Behind the scenes, relations were tense, as lawyers for the Obama administration and Apple held closely guarded discussions for over two months about one particularly urgent case: The F.B.I. wanted Apple to help “unlock” an iPhone used by one of the two attackers who killed 14 people in San Bernardino, Calif., in December, but Apple was resisting.

When the talks collapsed, a federal magistrate judge, at the Justice Department’s request, ordered Apple to bypass security functions on the phone. The order set off a furious public battle on Wednesday between the Obama administration and one of the world’s most valuable companies in a dispute with far-reaching legal implications.

There were two binary sides to this case.

  1. Apple’s case: To some, this was the pro-privacy side of the case. Why not create a quick backdoor to the phone for the US government, and then close it up? In Apple own words: “Some would argue that building a backdoor for just one iPhone is a simple, clean-cut solution. But it ignores both the basics of digital security and the significance of what the government is demanding in this case.” You create one backdoor for the US Government, then what? You’ve created a backdoor for all iPhone iOS users of the same version, and it could be used over and over again. It also sets what should be obvious: a dangerous precedent for the security of iPhone users and the power of the US Government. As the Washington Post makes explicitly clear,1 “This is an existing vulnerability in iPhone security that could be exploited by anyone.”
  2. The US Government’s case:2 Create a “key”, essentially a backdoor into the terrorist’s iPhone, to unlock whatever data is in there (if there’s anything to find at all), and as with #1’s concerns, endanger one of the most used mobile devices on the planet. If the data helps the case, great. If, that is.

Okay, so what happened again? The FBI lost the chance to decrypt the phone via Apple, but apparently “may have found way to unlock San Bernardino shooter's iPhone” anyway. Specifically, this single iPhone and not the other ones. Whatever technical means was found, it isn’t clear, but this maneuver spared a massive security risk across all iPhones.

If the FBI would have gotten its way, though, the most recent news about both the NSA and CIA would have hit even harder. And that’s saying something, because there are a few massive pieces of news that crept out recently that are entirely related to the FBI’s request from last year.

As we’ve been finding out, when US Government agencies aim to have tools to monitor terrorists or its own citizens, they rely heavily on finding (or buying) vulnerabilities in software and devices, or creating exploits (essentially malware) for physical exploitation of such devices. This unraveling began in March of this year, when WikiLeaks began positing redacted documents freshly acquired. Without getting into the weeds (you can read up on it if you so desire), the NSA leaks have been confirmed as legitimate, and they keep unspooling concern to security experts and software developers the world over.

The latest concerns coming out of this are a series of newly found exploits deployed by the NSA to attack computers using pre-Windows 10 operating systems (roughly 65%+ of all desktops on the planet). There is one in particular, called FUZZBUNCH, that can automate the deployment of NSA malware and would allow a member of the agency to easily (from their desk) infect a target computer. As reported by the Intercept:

According to security researcher and hacker Matthew Hickey, co-founder of Hacker House, the significance of what’s now publicly available, including “zero day” attacks on previously undisclosed vulnerabilities, cannot be overstated: “I don’t think I have ever seen so much exploits and 0day exploits released at one time in my entire life,” he told The Intercept via Twitter DM, “and I have been involved in computer hacking and security for 20 years.” Affected computers will remain vulnerable until Microsoft releases patches for the zero-day vulnerabilities and, more crucially, until their owners then apply those patches.

“This is as big as it gets,” Hickey said. “Nation-state attack tools are now in the hands of anyone who cares to download them…it’s literally a cyberweapon for hacking into computers…people will be using these attacks for years to come.”

Yes, the cybertools used by our government’s agencies have been compromised, and are now available to anyone. While we’re sure Microsoft is working on patches, this is what happens when governments have access to exploits and backdoors into software that can, sequentially, endanger people’s most valuable information. While this is still about digital privacy, it’s also about security. What will it take for citizens to take notice of monumental weight of these leaks, these compromises? An attack on their credit cards? Their mortgage? Their identities?

This Doesn’t Seem Fine

A great piece by Vice’s Motherboard further extrapolates on this topic, essentially warning that it’s foolish and naive to assume any government official or contractor can keep cybertools safe. Here’s another way of thinking about this: let’s turn to the master key TSA agents have, granting them the ability to unlock any piece of luggage (with a TSA-approved lock). Well, as you may know, that key was compromised, and you can now download CAD files to get your own version 3D-printed. Imagine that. Anyone can get into anyone else’s luggage. But who would take the time to print one of these keys? Probably someone with malicious intent. And if you apply this same concept to master keys for software, apps, banking systems, etc., would you still trust the US Government (or any other government) to keep that key safe? To not misuse it?

Security and privacy in a digital context are becoming more intrinsically attached, as nearly every compromise to the former affects the latter. As my friend Eric mentioned in a recent email exchange, we may be seeing privacy become a third-rail issue in Washington. As unfathomable as it may seem, privacy doesn’t appear to be a non-partisan issue. We’ve already seen recently the reversal of ISP data privacy restrictions, even though Comcast tries to reassure us that they won’t sell our “individual” data (they will likely sell pools of data so advertisers can create look-a-like models and advertise to individuals anyway, or target individuals with their own ad network based on browsing history), Republicans seem to be more prone to manipulation by telecommunications lobbyists. Or maybe they just don’t give a shit about the digital privacy and security of the American people.

Let’s hope the recent leaks of cyber tool information makes enough headlines to reach the (mostly) non-news reading American populace, and that they take the time to understand the consequences of what can happen when we put too much trust and power in the hands of our governments.

Update

Microsoft has reported that "most of the exploits that were disclosed fall into vulnerabilities that are already patched in our supported products", and "of the three remaining exploits [...] none reproduces on supported platforms, which means that customers running Windows 7 and more recent versions of Windows or Exchange 2010 and newer versions of Exchange are not at risk".

As always, keep your software and operating system updated to the latest version.

  1. This article is a good read, as it complements Apple’s letter and explains the intricacies of what is really being requested ↩︎
  2. No, I didn’t complete the reading of this article, but we’ll assume it covers “both sides of the story”, amiright. ↩︎

The End of The Deck Ad Network

The Last Bastion of Privacy-Conscious Advertising is Dead

Back when the Internet was breaking out and expanding rapidly, with a chorus of new voices stretched across the globe, excitement around how to both monetize blogging and curate wonderful work was at a pitch high. I’m talking about the early-to-mid 2000s, arguably the beginning of solo writing as a serious format, the proliferation of sharing (dare I say “social sharing” before the social network explosion), and the collaboration of minds beyond physical barriers. Very cool projects, voices, and technologies came out of this period, and continue to thrive today. One such solution to monetization of all this activity was a small little advertising network called The Deck, run by Chicago design company Coudal Partners. It operated as an income haven for smart, tech-angled writers and curators, and continued operating until just this past week, when founder Jim Coudal pulled the plug. What kind of impact might this small, hardly known network have on the rest of the advertising and privacy-conscious world?

Let’s first step back a sec and orient ourselves. Started in 2006, The Deck was, and always remained, a small-format display advertising network (you know, the kind with small, static images placed somewhere somewhat prominent on a web page that featured a creative message to incentivize a click-through or just to make you aware of some kind of product or event). It was built with Coudal-selected or self-recommended sites within its walled ecosystem, which is to say that it was kind of an exclusive members-only club for a while. Early on, these members included The Morning News (an online magazine of essays, art, humor, and culture), John Gruber’s Daring Fireball (one of the first Apple-centric blogs), A List Apart (a long-standing institute for web developers and designers), Basecamp’s Signal V. Noise (formerly operated under 37signals, a design studio that built Basecamp and actually shared office space with Coudal Partners back in the day), and, of course, the great Kottke.org, one of the oldest blogs on the Internet, which covers essential people and ideas, and still serves to this day as one of the best resources for daily linkage. It went on to include more than 50 sites.

Sorrow ensues

Sorrow ensues

Eclectic beginnings? Perhaps. But I remember visiting the Deck’s website a decade ago and mining its growing members for writers and bloggers and companies to follow via RSS and eventually Twitter. In a way, through The Deck’s members’ sites, I grew up on the Internet, pouring over all the amazing projects, ideas, and products being written about. To this day, I still follow several of these writers, have consistently linked to a number of their posts, and have bought my fair share of Field Notes Brand notebooks from Coudal’s other side project.

A few fairly critical things set The Deck apart from other growing (and less specialized) ad networks.

  1. The Deck was fairly exclusive, and aimed at a certain kind of audience. Yes, other networks did tend to do this sort of thing, but many have been gobbled up and rolled into larger ones, with segmentation based on attributed demographic/interest models. Essentially, things got algorithmic, less special, and more data-driven.
  2. The Deck never tracked users or personally-identifiable information (PII), something that every other ad network does without shame. They served ads in what they claimed as “useful and unobtrusive” ways. On a technical level, the Deck never issued cookies, which in most circumstances would have tracked readers in a specific way to allow for other actions/recognition elsewhere on the internet. The only data they collected and reported to site owners hosting their ad network was gross impressions, which are the number of times an ad has been served (essentially seen) during a period of time.
  3. The only thing they ever collected about their “users” (what they mean by this is a visitor or reader of a site in their network) was an occasional, completely anonymous survey. Referral traffic tracking is a pretty simple thing to analyze for any of the site owners that were part of the Deck network, so beyond impressions tracking, there probably wasn’t much else to build around this. Kept things clean and simple, I’m sure.
  4. Display ads were low fidelity. This may sound boring, but it was a godsend, particularly when the Internet went mobile. Each Deck ad was a small little square, static image, with a short text message and link beneath it. Page load speed was not compromised because it was such a small little thing, and they were oftentimes placed in unobtrusive places (sure, you can probably owe this to the fact that most sites in its network were run by authors with some design-savvy, but still). Compare this with the godawful display/programmatic networks today, with auto-playing videos, banners covering every corner of the screen (look, I update this exhibit of sites that should be slapped in the face for their atrocities in ad placements), and tracking you in every conceivable way possible — yeah, we’re going to miss the ambitious, reasonable vision Coudal Partners had.

So what happened? According to Jim’s farewell note, a few trends around the major mobile/social shifts in the way people engaged on the Internet are mostly to blame. We can probably assume the more invasive ad networks, breadth of connected sites, and their clarity of data probably became too tempting for most advertisers to ignore, even though I always thought the Deck attracted really great companies peddling their wares. When investing in media, it tends to come down to measurable return on investment, and this might have been something the Deck struggled to compete with “on paper.”

Example of a Deck ad network ad placement.

Example of a Deck ad network ad placement.

Jim states that “in 2014, display advertisers started concentrating on large, walled, social networks,” which is primarily true — in-app display ad networks are also extremely rampant now. Let’s not forget, this is where mass attention is. Additionally, the “indie ‘blogosphere’ was disappearing”. In part, this too, is true. I have to constantly remind myself I’m probably in the minority of folks who still follow writers and bloggers via RSS, and the rest of the world is getting their kick inside Facebook, Instagram, and Twitter. The breadth of ad networks shows no sign of ceasing its advancement across and inside every platform imaginable, and the complexity of data tracking is not going to relent any time soon. Solutions like Google’s Display Network and Facebook’s Advertising apparatus are significantly more nuanced, with ever-smarter audience and demographic targeting, and available in various formats (including video and, more recently, interactive, like Facebook’s Canvas). Their data-sharing abilities also span audience and data management platforms, something advertisers, agencies, and brands are clinging to as part of major organizational maturity models moving into this year and the next ten years. These “innovations” and platform-specific advantages make competitors like The Deck extremely fragile, and less appealing, to both small and large advertisers.

But with the recent mounting concerns around privacy and data-sharing, it’s surprising to see this ad network cease to operate. If anything, it seems like the time is ripe to build a privacy-conscious ad network, get a great many influential writers and influencers onboard, and proliferate the good word. Maybe that’s something we can all work together toward?

So why, exactly, did The Deck just go quietly into the night, and not sell its platform to another owner?

John Gruber’s recent lament on the end of the Deck had probably the best anecdote as to why:

I was chatting with Jim earlier this evening. Someone wrote to him to ask, “Why didn’t you sell the network instead of shutting it down?” Jim’s answer: “The Deck was built exclusively on close, personal relationships. I don’t think those are mine to sell.”

With that remark, we can safely say The Deck went out with dignity, upholding its highest principles. Can’t blame them for that. I just hope the example they set will inspire a new torch-bearer in the darkening days of the Internet ecosystem. Somebody has to be listening…

Our Privacy, Our Data: A Call to Be Defiant

There was once a time when human societies were truly free from mass surveillance — at liberty to say, do, and think as they pleased within mutually-agreed upon, reasonable constraints. And yes, could feel safe doing so in their own homes. Few, if any, of our ancestors could have anticipated how quickly our societies pushed forward in technological and political complexity. Our progressive willpower in these areas has overwhelmed global culture and political infrastructures with exponential innovation in data-driven decisions, Internet plus hardware application, and laws (or lack thereof). Now we enter an era with the ubiquity of connected technologies — in our cars, in our homes, in our pockets, on our bodies. And due to our inexhaustible tenacity to produce data and content, our inherent right to liberty and privacy is under constant siege. At the rate these technologies evolve, paired with the menace of terrorism, international hacking, and the nearly incomprehensible extensiveness of government surveillance, our liberties and privacy have been inextricably compromised.

As citizens, we have the ability and right to understand the repercussions of technology we use or other agents surround us with, and most importantly, the spirit to challenge these conveniences, compromises, and innovations. We should not sit idly while legalese in terms of services obfuscate or bewilder us, surrendering our privacy and data to those who would use it against us or for their own ends. We should not, for want of convenience, ignore modern practices of safe password management, profile protection, and behavioral tracking. We should be concerned with the reckless abandon organizations have built, maintained, and even stagnated on core communications technologies that affect our everyday lives, imperiling privacy in email, messaging, social networks, voice-over-internet, web browsing, and file-syncing services. We should care about the way our data, communications, and media are stored, maintained, and protected. And we also should know where our data is stored -- not all countries share the same privacy and security standards. This isn’t asking much, but it does beckon you and our fellow citizens to pay attention. To be willing to learn. And to be willing to share and educate.

This isn't to say that we can't still enjoy the delights, conveniences, and usefulness of technology. At this point, we're in too deep for any government or corporation to start reversing the saturation of all this technology. So while we should continue to invest in this future, we need to let our concerns be known to leaders, corporations, and peers around the world -- the union of hardware and software can make our lives better, but shouldn't at the expense of inherent human dignities. We have to tread cautiously. And smartly. After all, this progression has made life better for many people and businesses around the world. I am not suggesting we retreat to Internet-free zones, removing ourselves from connectivity, smartphones, and Internet of Things devices. But I am suggesting that we take the considered time and effort to become more informed about the current privacy climate, that we acknowledge that our privacy has been irreversibly compromised, that companies and governments should be held accountable to the tremendous changes in communications in our modern civilization, and that we as a people can do something about it. Democracy and fairness cannot reign unless we are able to speak, act, create, and litigate freely. If everything we say, write, or do is tracked and archived, how else can we possibly feel other than creeping ever closer to a police state, worried about potentially irresponsible or libelous use of that data? As many have said before, would you feel comfortable with an advertising agency or government reading and storing your personal letters, your physical journals, your bank statements, your doctor visits, your bodily functions, your every movement on this planet? The likelihood they have access to most of this is already great. And for those who say they have "nothing to hide" are woefully ignorant of the larger consequences of this movement. As Edward Snowden so astutely declared, "arguing that you don't care about the right to privacy because you have nothing to hide is no different than saying you don't care about free speech because you have nothing to say."

Defending our privacy and data will continue to be an important movement as we make progress as a society. The perseverance of surveillance back doors in software and hardware can compromise our financial and personal security, domestically and abroad, if exploited by ill-doers. And the big business of technology, security, and surveillance will continue to slither forward as an ouroboros of corporations and government. And there is no end in sight of the application of algorithms for everything in our lives -- you don't need to turn to an episode of Black Mirror to see this in action because it's already happening all around us (search engines, social media, advertising, economics, wellness, prisons, education, you name it). But if creators and users of these algorithms are not transparent, are not willing to cede to constructive collaboration with others to iteratively improve these action-driving usages of data in meaningful ways for society and civil liberties, we could be in for a very challenging time ahead. And let’s not forget that algorithms are only the first step. The machine-learning era of artificial intelligence will further compound the use of algorithms and could end up instructing us (or bypassing us entirely) on how to apply the insights for efficiencies and actions across the board, all based on the blueprints of an algorithm programmed by a misinformed coder years ago.

As such, the purpose of this site is to inform readers of the large-scale movements in data use, algorithms, advertising technologies, privacy risk, and state surveillance. I hope to make it a trustworthy, if at times facetious (because how can it not be?) resource for methods to safeguard your personal information, secure communications, and productively collaborate without unwarranted intrusions. Together, we can keep a discerning eye on the ever-watchful governments, health organizations, insurance companies, advertising agencies, and technology corporations who continue to benefit society with their inventiveness but simultaneously solicit us to normalize always-on, active Internet products and services that can and are used for self-interest and disingenuous means. Don't get me wrong -- I love technology. My smartphone is a miraculous device that saves me time, provides me nearly unlimited access to information, and allows me to accomplish things I could only dream about in my childhood. I’ve read, watched, written, and captured the most important events in my life through its omnipresent screen, camera lens, and microphone. But I also expect that these moments, this data, this usage is inherently mine. As soon as it does not become mine, I’m likely the product, or the subject, or the variable in some larger scheme. If you're comfortable with that, fine. But I'm not. And I’m not alone.

Instead of leaving you with a reminder of the lofty aims of the Fourth Amendment (of which whose authors at the time couldn’t even have fathomed the technological progress of the modern era), I will leave you with this quote from long-time cryptographer and computer security specialist, Bruce Schneier, who warns on the misappropriation of the debate for privacy:

Too many wrongly characterize the debate as "security versus privacy." The real choice is liberty versus control. Tyranny, whether it arises under threat of foreign physical attack or under constant domestic authoritative scrutiny, is still tyranny. Liberty requires security without intrusion, security plus privacy. Widespread police surveillance is the very definition of a police state. And that's why we should champion privacy even when we have nothing to hide.

Thanks for your time. I hope this is a compelling enough beginning for you to continue reading in the weeks to come, and at the very least, a resource to check in on every once and a while for your own sake.

The Privacy Quandary

Revisiting the advertising industry of yesteryear in shows like Mad Men feels quaint when you realize how far we’ve come from the days of single-platform advertising dominance. Print, radio, and television were the harbingers of new ways for advertisers and companies to connect with potential audiences with the hopes of converting them into paying customers. In 2016, this is no longer the case. Those channels exists in some form, but they hold neither same attention nor weight as they once did; instead, a myriad of platforms have manifested and taken hold across audiences and users that have avoided consolidation and technological limitations like their predecessors once did. But with this proliferation of platforms and marketplaces came supportive, connective technologies that reach beyond anything the 1960s masterminds in the pitch room could ever have dreamed up. And with those connective technologies comes one critical decision that must be made by each and every participant on these platforms: how much do I value my privacy?

Read More