When law-enforcement depends on cyber-insecurity, we're all at risk


It's not enough to pass rules limiting use of "stingray" mobile-phone surveillance devices by civilians: for so long as cops depend on these devices, the vulnerabilities they exploit will not be fixed, leaving us all at risk.

Read the rest

Adversarial Compatibility: hidden escape hatch rescues us from imprisonment through our stuff


My latest Guardian column, Adapting gadgets to our needs is the secret pivot on which technology turns, explains the hidden economics of stuff, and how different rules can trap you in your own past, or give you a better future.

Read the rest

Tesla's "car-as-service" versus your right to see your data

Espen got a parking ticket for his Tesla, and he's pretty sure he can exonerate himself, if only the company would give him access to his car's data, but they won't.

Read the rest

The coming Compuserve of Things

What happens when individual companies are allowed to own and control the way your "smart" stuff talks to you and other smart stuff? It's walled garden time, all over again.

Read the rest

US inches towards decriminalizing phone unlocking


America's legal prohibition on phone unlocking has inched almost imperceptibly closer to reform, as a watered-down House bill approaches some kind of Senate compromise, that might, in a couple years, decriminalize changing the configuration of a pocket-computer that you own.

Read the rest

Researchers publish secret details of cops' phone-surveillance malware


Kaspersky Labs (Russia) and Citizen Lab (University of Toronto) have independently published details of phone-hacking tools sold to police departments worldwide by the Italian firm Hacking Team (here's Kaspersky's report and Citizen Lab's). The tools can be used to attack Android, Ios, Windows Mobile and Blackberry devices, with the most sophisticated attacks reserved for Android and Ios.

The spyware can covertly record sound, images and keystrokes, capture screenshots, and access the phones' storage and GPS. The tools are designed to detect attempts to search for them and to delete themselves without a trace if they sense that they are under attack.

Hacking Team insists that its tools are only sold to "democratic" police forces, but Citizen Lab's report suggests that the tool was used by the Saudi government to target dissidents.

The means of infection is device-specific. If police have physical access, it's simple. Android devices can be attacked by infecting a PC with a virus that installs the police malware when the device is connected to it. This attack also works on jailbroken Iphones.

Read the rest

California's cell-phone kill switch is a solution that's worse than the problem


As the California legislature moves to mandate "kill switches" that will allow owners of stolen phones to shut them down, the Electronic Frontier Foundation sounds an important alarm: if it's possible for someone to remotely switch off your phone such that you can't switch it back on again, even if you're physically in possession of it, that facility could be abused in lots of ways. This is a classic War on General Purpose Computation moment: the only way to make a kill-switch work is to design phones that treat their possessors as less trustworthy than a remote party sending instructions over the Internet, and as soon as the device that knows all your secrets and watches and listens to your most private moments is designed to do things that the person holding it can't override, the results won't be pretty.

There are other models for mitigating the harm from stolen phones. For example, the Cyanogen remote wipe asks the first user of the phone to initialize a password. When it is online, the device checks in with a service to see whether anyone using that password has signed a "erase yourself" command. When that happens, the phone deletes all the user-data. A thief can still wipe and sell the phone, but the user's data is safe.

Obviously, this isn't the same thing as stolen phones going dead and never working again, and won't have the same impact on theft. But the alternative is a system that allows any bad guy who can impersonate, bribe or order a cop to activate the kill-switch to do all kinds of terrible things to you, from deactivating the phones of people recording police misconduct to stalking or stealing the identities of mobile phone owners, with near-undetectable and unstoppable stealth.

Read the rest

Schneier: NSA's offense leaves Americans undefended

Writing in the Atlantic, Bruce Schneier explains the NSA's insane program of creating, discovering and hoarding vulnerabilities in computer systems in order to weaponize them. These vulnerabilities allow the NSA to attack its enemies (everyone), but let other states, hackers, and crooks attack Americans. The NSA claims it is "securing" cyberspace, but its dominant tactic requires that everyone be made less secure so that the NSA can attack them if they feel the need.

Read the rest

100 creeps busted in massive voyeurware sweep


More than 100 people around the world have been arrested in a coordinated sweep of RATers (people who deploy "remote access trojans" that let them spy on people through their computers cameras and mics, as well as capturing their keystrokes and files). The accused are said to have used the Blackshades trojan, which sold for $40 from bshades.eu, mostly for sexual exploitation of victims (though some were also accused of committing financial fraud).

A US District Court in Manhattan handed down indictments for Alex Yücel and Brendan Johnston, who are said to have operated bshades.eu. Yücel, a Swedish national, was arrested in Moldova and is awaiting extradition to the USA. Johnstone is alleged to have been employed by Yücel to market and support Blackshades.

Read the rest

Mozilla CAN change the industry: by adding DRM, they change it for the worse

Following on from yesterday's brutal, awful news that Mozilla is going to add DRM to its Firefox browser, the Electronic Frontier Foundation's Danny O'Brien has published an important editorial explaining how Mozilla's decision sets back the whole cause of fighting for a free and open Internet.

Read the rest

Podcast: Why it is not possible to regulate robots

Here's a reading (MP3) of a my recent Guardian column, Why it is not possible to regulate robots, which discusses where and how robots can be regulated, and whether there is any sensible ground for "robot law" as distinct from "computer law."

One thing that is glaringly absent from both the Heinleinian and Asimovian brain is the idea of software as an immaterial, infinitely reproducible nugget at the core of the system. Here, in the second decade of the 21st century, it seems to me that the most important fact about a robot – whether it is self-aware or merely autonomous – is the operating system, configuration, and code running on it.

If you accept that robots are just machines – no different in principle from sewing machines, cars, or shotguns – and that the thing that makes them "robot" is the software that runs on a general-purpose computer that controls them, then all the legislative and regulatory and normative problems of robots start to become a subset of the problems of networks and computers.

If you're a regular reader, you'll know that I believe two things about computers: first, that they are the most significant functional element of most modern artifacts, from cars to houses to hearing aids; and second, that we have dramatically failed to come to grips with this fact. We keep talking about whether 3D printers should be "allowed" to print guns, or whether computers should be "allowed" to make infringing copies, or whether your iPhone should be "allowed" to run software that Apple hasn't approved and put in its App Store.

Practically speaking, though, these all amount to the same question: how do we keep computers from executing certain instructions, even if the people who own those computers want to execute them? And the practical answer is, we can't.

Mastering by John Taylor Williams: wryneckstudio@gmail.com

John Taylor Williams is a audiovisual and multimedia producer based in Washington, DC and the co-host of the Living Proof Brew Cast. Hear him wax poetic over a pint or two of beer by visiting livingproofbrewcast.com. In his free time he makes "Beer Jewelry" and "Odd Musical Furniture." He often "meditates while reading cookbooks."

MP3

Japanese man arrested for 3D printing and firing guns


Japanese police arrested a 27 year old man called Yoshitomo Imura, alleging that he 3D printed several guns and posted videos to Youtube of himself firing it. They say they seized five guns from Imura's home in Kawasaki City. The videos showed that two of these guns were capable of firing rounds -- what sort isn't specified -- through a stack of ten sheets of plywood, and this caused Japanese police to class them as lethal weapons. A Japanese press account has Imura admitting to printing the guns, but insisting that he "didn't know they were illegal."

As I wrote a year ago when 3D printed guns first appeared on the scene, the regulatory questions raised by them are much more significant than the narrow issue of gun control. But there's a real danger that judges, lawmakers and regulators will be distracted by the inflammatory issue of firearms when considering the wider question of trying to regulate computers.

Read the rest

Online test-proctoring: educational spyware that lets third parties secretly watch and listen to you through your computer

Rebecca from EFF writes, "How would you feel about having your computer taken over by online test-taking software - complete with proctors peering through your laptop camera? Reporters at the Spartan Daily (the student paper for San Jose State University) have an interesting story about new software in use there, and the legitimate concerns that some students have. The data-broker connection is especially chilling to those worried about their personal information." The company's response? "We're a customer service business, so it’s really not advantageous for us to violate that trust." Oh, well, so long as that's sorted out then.

Why I don't believe in robots

My new Guardian column is "Why it is not possible to regulate robots," which discusses where and how robots can be regulated, and whether there is any sensible ground for "robot law" as distinct from "computer law."

Read the rest

Australian attorney general wants the power to launch man-in-the-middle attacks on secure Internet connections


The Australian attorney general has mooted a proposal to require service providers to compromise their cryptographic security in order to assist in wiretaps. The proposal is given passing mention in a senate submission from the AG's office, where it is referenced as "intelligibility orders" that would allow "law enforcement, anti-corruption and national security agencies" to secure orders under which providers like Google, Facebook and Yahoo would have to escrow their cryptographic keys with the state in order to facilitate mass surveillance.

Edward Snowden referenced this possibility in his SXSW remarks, pointing out that any communications that are decrypted by service providers are vulnerable to government surveillance, because governments can order providers to reveal their keys. This is why Snowden recommended the use of "end-to-end" security, where only the parties in the discussion -- and not the software vendor -- have the ability to spy on users.

The "intelligibility order" is the same kind of order that led to the shutdown of Lavabit, the secure email provider used by Snowden, whose creator shut the service down rather than compromising his users' security.

Read the rest