Archive for July 2018

Microsoft Presents the Antipersonal Computer


According to the insider press, Microsoft is close to releasing the “Microsoft Managed Desktop,” which is a version of Windows that will be distributed and exclusively administered by Microsoft, for a monthly rental fee. Perhaps it will run only on some specialized hardware platforms, as MacOS runs only on Macintosh hardware.

“Microsoft's Got a New Plan for Managing Windows 10 Devices for a Monthly Fee”
Mary Jo Foley, All About Microsoft, July 27, 2018

As anyone who's been watching Windows 10 feature updates knows, many IT pros are unhappy about Microsoft's twice-yearly feature updates to the OS. They have seen updates break compatibility with things they didn't anticipate. They've seen Microsoft post and pull patches and updates to these releases, making deployment a nightmare. Windows as a service has been a rocky (or substitute your expletive of choice) road for many.

Microsoft looks to be counting on companies being ready for greater predictability — in terms of spending, updating and support — in exchange for letting someone else do the driving.

In other words, they are about to abandon the last remnants of the pretense that Windows machines are “personal computers” in any meaningful sense. A machine running a Microsoft Managed Desktop is an appliance, plain and simple — not even an appliance that you own, but one that you rent and operate on terms convenient to the lessor. The Terms of Service are going to be wondrous to behold.

“With DaaS Windows Coming, Say Goodbye to Your PC As You Know It”
Steven J. Vaughan-Nichols, Computerworld, July 30, 2018

Microsoft has been getting away from the old-style desktop model for years now. Just look at Office. Microsoft would much rather have you rent Office via Office 365 than buy Microsoft Office and use it for years. Microsoft Managed Desktop is the first move to replacing “your” desktop with a rented desktop. By 2021, I expect the Managed Desktop to be to traditional Windows what Office 365 is to Office today.

“With the Next Version of Microsoft Windows, Say Goodbye to Your Windows PC As You Know It”
Dick Eastman, Privacy Blog, July 30, 2018

I'm not sure I would trust Microsoft to keep my PC clean and tidy and free of viruses. Then there is the privacy issue: will Microsoft add spyware the way that Facebook does?

Eastman seems to be a little behind the curve here. Windows 10 is already full of spyware, although Microsoft prefers to call it “telemetry.” The difference is that under the Microsoft Managed Desktop you won't have the right to turn any of it off.

#Microsoft #Windows #Microsoft-Managed-Desktop #appliances

Air Marshals Now Track Innocent Travellers


So few terrorists now travel by air in the United States that the Transportation Security Administration has taken to placing teams of air marshals on flights to monitor the behavior of entirely innocuous persons. Judging from the name of the program (“Quiet Skies”), I imagine it's make-work or perhaps practice.

“TSA Is Tracking Regular Travelers Like Terrorists in Secret Surveillance Program”
Jana Winter, The Boston Globe, July 28, 2018

Federal air marshals have begun following ordinary US citizens not suspected of a crime or on any terrorist watch list and collecting extensive information about their movements and behavior under a new domestic surveillance program that is drawing criticism from within the agency.

The previously undisclosed program, called “Quiet Skies,” specifically targets travelers who “are not under investigation by any agency and are not in the Terrorist Screening Data Base,” according to a Transportation Security Administration bulletin in March. …

TSA officials, in a written statement to the Globe, broadly defended the agency's efforts to deter potential acts of terror. But the agency declined to discuss whether Quiet Skies has intercepted any threats, or even to confirm that the program exists.

Release of such information “would make passengers less safe,” spokesman James Gregory said in the statement.

Already under Quiet Skies, thousands of unsuspecting Americans have been subjected to targeted airport and inflight surveillance, carried out by small teams of armed, undercover air marshals, government documents show. The teams document whether passengers fidget, use a computer, have a “jump” in their Adam's apple or a “cold penetrating stare,” among other behaviors, according to the record.

Having long established the privilege of forcing air travellers to submit to unconstitutional searches and seizures, the TSA has apparently decided to extend its exemption from the rule of law to spy on people who use their phones in airports, study their reflections in store windows, wait to the end of the boarding process to get on the plane, or previously travelled on an international flight. Better watch your step.

#Transportation-Security-Administration #surveillance #law-enforcement

Bluetooth Is Broken


When Bluetooth devices are paired, each side generates an encryption keypair in which the public key is a more-or-less randomly selected point on an agreed-upon elliptic curve in the Euclidean plane. They exchange public keys, and then each side computes a session key by performing an arithmetic operation on its own private key and the other side's public key. The mathematical basis for the encryption system guarantees that the two computations have the same result even though they reach it in different ways. Eavesdroppers cannot infer the session key because they don't have either of the private keys.

However, the Bluetooth protocol doesn't authenticate both coordinates of the selected points, only the x-coordinates. This enables a “man in the middle” to insert a zero y-coordinate in place of the y-coordinate in a Bluetooth device's public key. The resulting point doesn't even lie on the agreed-upon elliptic curve, but it does lie on a curve that differs from the one actually used only by a vertical translation, and in fact lies at a point of order two on that curve, where two solutions to the curve's equation coincide.

It turns out that Bluetooth can be induced to accept the attacker's bogus public key as valid half the time. When the attack works, it enables the attacker to derive a session key and then passively decrypt subsequent exchanges or forge messages from the device. When it doesn't work, the pairing attempt simply fails. The legitimate Bluetooth device doesn't get a secure connection in either case. Anyone within wireless range (which varies from ten to a hundred meters, depending on the capabilities of the Bluetooth devices) who happens to know when pairing is being attempted can mount such an attack.
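To make the mechanism concrete, here is an added example of my own (not code from the paper or from any Bluetooth implementation) on a constructed textbook curve over a small prime field, which is the setting real ECDH curves use. It shows that a received point whose y-coordinate has been zeroed has order two, so that whatever private key the victim holds, its computation yields one of only two results, and that checking the received point against the curve equation, the check the pairing protocol omitted, rejects it outright.

```python
# Toy ECDH over a small prime field (constructed textbook parameters, not a
# real Bluetooth curve): y^2 = x^3 + 2x + 2 over GF(17), generator G of order 19.
P, A, B = 17, 2, 2
G = (5, 1)
INF = None  # point at infinity, the group identity

def on_curve(pt):
    """The missing check: does the received point satisfy the agreed curve's equation?"""
    if pt is INF:
        return False
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P == 0

def add(p1, p2):
    """Group law; it uses A but never B, so any point of any curve y^2 = x^3 + Ax + b'
    goes through the same arithmetic. That is what an invalid-curve attack exploits."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF  # P + (-P); includes doubling a point with y == 0, i.e. of order two
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):  # scalar multiplication by double-and-add
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def shared_secret(priv, peer_pub, validate):
    """One side's ECDH step; validate=True is the fix that rejects off-curve peer keys."""
    if validate and not on_curve(peer_pub):
        raise ValueError("peer public key is not on the agreed curve")
    return mul(priv, peer_pub)

def demo():
    alice_priv, bob_priv = 3, 7  # constructed private scalars
    alice_pub, bob_pub = mul(alice_priv, G), mul(bob_priv, G)
    honest = shared_secret(alice_priv, bob_pub, validate=False)
    assert honest == shared_secret(bob_priv, alice_pub, validate=False)
    forged = (bob_pub[0], 0)  # Bob's x-coordinate kept, y-coordinate replaced by zero
    # Unchecked, every possible private key yields one of just two results, so the
    # secret no longer depends on the key; validation would have rejected the point.
    outcomes = {shared_secret(k, forged, validate=False) for k in range(1, 19)}
    return honest, forged, outcomes, on_curve(forged)
```

The same two-outcome behaviour holds on a real curve for any received point with y = 0, which is why validating both coordinates of the peer's public key, not just x, closes the hole.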

“Breaking the Bluetooth Pairing — Fixed Coordinate Invalid Curve Attack”
Eli Biham and Lior Neumann, Technion, July 25, 2018

“Bluetooth Security: Flaw Could Allow Nearby Attacker to Grab Your Private Data”
Liam Tung, ZDNet, July 24, 2018

#Bluetooth #security #key-exchange

Components of Natural Language Processing Applications


Applications of natural-language processing commonly rely on libraries that implement common tasks such as tokenization and part-of-speech tagging. This article describes the functions of such components, focussing on the ones that aren't completely terrible at doing the jobs that they claim to do.

“Natural Language Processing Is Fun!”
Adam Geitgey, Medium, July 18, 2018

#natural-language-processing #computational-linguistics

Remote Access to Election-Management Systems


But of course. It's not a bug — it's a feature.

“Top Voting Machine Vendor Admits It Installed Remote-Access Software on Systems Sold to States”
Kim Zetter, Motherboard, July 17, 2018

The nation's top voting machine maker has admitted in a letter to a federal lawmaker that the company installed remote-access software on election-management systems it sold over a period of six years, raising questions about the security of those systems and the integrity of elections that were conducted with them.

In a letter sent to Sen. Ron Wyden (D-OR) in April and obtained recently by Motherboard, Election Systems and Software acknowledged that it had “provided pcAnywhere remote connection software … to a small number of customers between 2000 and 2006,” which was installed on the election-management system ES&S sold them.

The statement contradicts what the company told me and fact checkers for a story I wrote for the New York Times in February. At that time, a spokesperson said ES&S had never installed pcAnywhere on any election system it sold. …

ES&S customers who had pcAnywhere installed also had modems on their election-management systems so ES&S technicians could dial into the systems and use the software to troubleshoot, thereby creating a potential point of entry for hackers as well.

In May 2006 in Allegheny County, Pennsylvania, ES&S technicians used the pcAnywhere software installed on that county's election-management system for hours trying to reconcile vote discrepancies in a local election, according to a report filed at the time. And in a contract with Michigan, which covered 2006 to 2009, ES&S discussed its use of pcAnywhere and modems for this purpose. …

In 2006, the same period when ES&S says it was still installing pcAnywhere on election systems, hackers stole the source code for the pcAnywhere software …

Security researchers discovered a critical vulnerability in pcAnywhere that would allow an attacker to seize control of a system that had the software installed on it, without needing to authenticate themselves to the system with a password. And other researchers with the security firm Rapid7 scanned the internet for any computers that were online and had pcAnywhere installed on them and found nearly 150,000 were configured in a way that would allow direct access to them. …

In its letter to Wyden, ES&S defended its installation of pcAnywhere, saying that during the time it installed the software on customer machines prior to 2006, this was “considered an accepted practice by numerous technology companies, including other voting system manufacturers.”

That's the problem, all right. My guess is that installing remote-access backdoors is still a universal practice among makers of proprietary election-management devices, though perhaps “accepted” is no longer the right word for it. There's an obvious need for remote access in this day and age: Without it, how would the managers of elections be able to determine their outcomes?

#voting-machines #backdoors #proprietary-code

Venmo Publishes Transaction Data


By default, users of the Venmo payment service allow Venmo to mine their transaction data and share everything except the payment amounts. Venmo has chosen to exercise this liberty by providing a Web interface through which anyone with Internet access can download the transaction data — no authentication necessary!

It turns out that some people use the text fields in which one can document the reason for the payment and send a comment to the recipient as opportunities for other modes of discourse.

“A Privacy Researcher Uncovered a Year's Worth of Breakups and Drug Deals Using Venmo's Public Data”
Samantha Cole, Motherboard, July 17, 2018

Payment exchanges accumulate in a public feed, where people thought it was hysterical to write things like “money for drugs” or “sexual favors” for otherwise-innocuous payments. …

It's not so much the exposure of the intimate details of your life, … but that each transaction is just one data point in a massive web of knowledge companies like Venmo are building about us. And once they know who we're closely connected to, what we buy, and when, that's an immensely valuable dataset for companies to use in targeting your future decisions.

#privacy #Venmo #data-mining

IEEE Recommends Strong Encryption without Backdoors


The Institute of Electrical and Electronics Engineers has issued a straightforward statement endorsing the use of strong encryption both by governments and by individuals and opposing requirements to insert backdoors into software packages that implement strong encryption.

“In Support of Strong Encryption”
IEEE Board of Directors, IEEE, June 24, 2018

Exceptional access mechanisms would create risks by allowing malicious actors to exploit weakened systems or embedded vulnerabilities for nefarious purposes. Knowing that exceptional access mechanisms exist would allow malicious actors to focus on finding and exploiting them. Centralized key escrow schemes would create the risk that an adversary would have an opportunity to compromise security of all participants, including those who were not specifically targeted. …

Efforts to constrain strong encryption or introduce key escrow schemes into consumer products can have long-term negative effects on the privacy, security, and civil liberties of the citizens so regulated. Encryption is used worldwide, and not all countries or institutions would honour the policy-based protections that exceptional access mechanisms would require. A purpose that one country might consider lawful and in its national interest could be considered by other countries to be illegal or in conflict with their standards and interests.

#encryption #backdoors #Institute-of-Electrical-and-Electronic-Engineers

Adversarial Reprogramming of Deep Neural Networks


Some researchers at Google Brain have discovered a technique by which a black-box decider that has been successfully trained for one task can be used to perform an unrelated computation by embedding the inputs for that computation in the input to the black-box decider and extracting the result of the unrelated computation from the output of the black-box decider.

One of the proof-of-concept experiments that the paper describes uses ImageNet for recognition of handwritten numerals. The inputs for the numeral-recognition problem are small images (twenty-eight pixels high and twenty-eight pixels wide), and the task is to determine which of the ten decimal numerals each input represents. Normally ImageNet takes much larger, full-color images as inputs and outputs a tag identifying what's in the picture, chosen from a list of a thousand fixed tags. Numerals aren't included in that list, so ImageNet never outputs a numeral. It's not designed to be a recognizer for handwritten numerals.

But ImageNet can be coopted. The researchers took the first ten tags from the ImageNet tag list and associated them with numerals (tench ↦ 0, goldfish ↦ 1, etc.). Then they set up an optimization problem: Find the pattern of pixels making up a large image so as to maximize ImageNet's success in “interpreting” the images that result when each small image from the training set for the numeral-recognition task is embedded at the center of the large image. An interpretation counts as correct, for this purpose, if ImageNet returns the tag that is mapped to the correct numeral.

The pixel pattern that emerges from this optimization problem looks like video snow; it doesn't have any human-recognizable elements. When one of the small handwritten numerals is embedded at the center, the image looks to a human being like a white handwritten numeral in a small black square surrounded by this random-looking video snow. But if the numeral is a 9, ImageNet thinks that it looks very like an ostrich, whereas if it's a 3, then ImageNet thinks that it depicts a tiger shark.

Note that ImageNet is not being retrained here and isn't doing anything that it wouldn't do right out of the box. The “training” step here is just finding the solution to the optimization problem: What pattern of pixels will most effectively trick ImageNet into doing the computation we want it to do when the input data for our problem is embedded into that pattern of pixels?

The researchers call the optimized pixel patterns “adversarial programs.”

Besides the numeral-recognition task, the researchers were also able to trick ImageNet — six different variants of ImageNet, in fact — into doing two other standard classification tasks, just by finding optimal pixel patterns — adversarial programs — in which to embed the input data.

“Adversarial Reprogramming of Neural Networks”
Gamaleldin F. Elsayed, Ian Goodfellow, and Jascha Sohl-Dickstein, arXiv, June 28, 2018

#adversarial-reprogramming #adversarial-examples #ImageNet #sabotage

Google Gives Developers the Full Text of Gmail Messages


In case you had forgotten that Google does not treat as private any e-mail messages that you send to or receive from Gmail addresses, here's another reminder:

“Tech's ‘Dirty Secret’: App Developers Sift Through Your Gmail”
Douglas MacMillan, Stocks Newsfeed, July 2, 2018

But the Internet giant continues to let hundreds of outside software developers scan the inboxes of millions of Gmail users who signed up for email-based services offering shopping price comparisons, automated travel-itinerary planners or other tools. Google does little to police those developers, who train the computers — and, in some cases, employees — to read their users' emails …

Letting employees read user emails has become “common practice” for companies that collect this type of data, says Thede Loder, the former chief technology officer at eDataSource Inc. … He says engineers at eDataSource occasionally reviewed emails when building and improving software algorithms.

“Some people might consider that to be a dirty secret,” says Mr. Loder. “It's kind of reality.”

#surveillance #e-mail #Google #privacy

This work is licensed under a Creative Commons Attribution-ShareAlike License.

John David Stone (

created June 1, 2014 · last revised December 10, 2018