The Chrome browser now automatically signs itself in to your Google account whenever you use it to log in to any other Google service, such as Gmail. This exposes to Google all of the data that the browser has collected.
“Why I'm Done with Chrome”
Matthew Green, A Few Thoughts on Cryptographic Engineering, September 23, 2018
Google has transformed the question of consenting to data upload from something affirmative that I actually had to put effort into — entering my Google credentials and signing into Chrome — into something I can now do with a single accidental click. This is a dark pattern. Whether intentional or not, it has the effect of making it easy for people to activate sync without knowing it, or to think they're already syncing and thus there's no additional cost to increasing Google's access to their data. …
Trust is not a renewable resource.
An advocate of functional programming walks through several implementations of the Sieve of Eratosthenes. The first is a typical implementation using the imperative model of computation, but the rest use higher-order functions and other apparatus of the functional model with varying degrees of success.
I enjoyed reading through the various approaches and thinking about their strengths and weaknesses, but it was a little surprising to see that, even though all of his implementations were written in Java, he never considered any implementation that used the object-oriented model of computation in any significant way.
“The Functional Style — Part 4: First-Class Functions II: Filter, Reduce and More”
Richard Wild, Codurance: Craft at Heart, September 19, 2018
A great new way to use Facebook!
Benjamin Grosser, September 19, 2018
Safebook is a browser extension, for Chrome or Firefox, that suppresses all text, images, video, and audio content on the Facebook site, leaving intact the borders around and between panels, the (now blank) menus, drop-down submenus, pop-up windows, and other navigation elements.
The destructive effects of high-interest student loans on the lives and families of borrowers are terrible and widespread. Defaulting on the debt is even worse, but increasing numbers of borrowers have no alternative — 38% of borrowers default within the first twenty years of the loan, and that percentage is increasing.
My guess is that soon prospective students will just stop accepting admission offers if the accompanying "aid" packages include large loans. Some will decide not to attend college at all. I suspect that that's what my family and I would have decided if the same situation had existed when I was applying to colleges. We were all strong believers in education and aspirants to the professional classes, but we were also strong believers in staying out of debt.
“Ending the Secrecy of the Student Debt Crisis”
Daniela Senderowicz, YES! Magazine, September 5, 2018
With an average debt of just over $37,000 per borrower for the class of 2016, and given that incomes have been flat since the 1970s, it's not surprising that borrowers are struggling to pay. Student loans have a squeaky-clean reputation, and society tends to view them as a noble symbol of the taxpayers' generosity to the working poor. Fear of facing society's ostracism for failure to pay them back has left borrowers alienated and trapped in a lending system that has engulfed them in debt bondage.
“The Looming Student Loan Default Crisis Is Worse Than We Thought”
Judith Scott-Clayton, The Brookings Institution, January 11, 2018
The national intelligence services of the United States, the United Kingdom, Australia, Canada, and New Zealand have joined forces to support legislation requiring makers of encryption software to incorporate defects into their products so as to allow surveillance agencies (such as law-enforcement and espionage operations) to seize and decrypt communications between users of the software.
“Statement of Principles on Access to Evidence and Encryption”
Department of Home Affairs, Australian Government, August 29, 2018
The Governments of the Five Eyes encourage information and communications technology service providers to voluntarily establish lawful access solutions to their products and services they operate in our countries. …
Should governments continue to encounter impediments to lawful access to information necessary to aid the protection of the citizens of our countries, we may pursue technological, enforcement, legislative or other measures to achieve lawful access solutions.
Of course, in the United States, any government access to private communications is unlawful, indeed unconstitutional, unless it is supported by a warrant, endorsed by a judge of the relevant jurisdiction, “upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.” Unfortunately, in this context, ‘lawful’ is simply a stylistic variant of ‘government’, not referring to any actual law. The threat to resort to system cracking if backdoor entries to encryption systems aren't provided reinforces this obvious indifference to the rights of citizens and subjects.
“Five-Eyes Intelligence Services Choose Surveillance over Security”
Bruce Schneier, Schneier on Security, September 6, 2018
To put it bluntly, this is reckless and shortsighted. I've repeatedly written about why this can't be done technically, and why trying results in insecurity. But there's a greater principle at first: we need to decide, as nations and as society, to put defense first. We need a “defense dominant” strategy for securing the Internet and everything attached to it.
This is important. Our national security depends on the security of our technologies. Demanding that technology companies add backdoors to computers and communication systems puts us all at risk. We need to understand that these systems are too critical to our society and — now that they can affect the world in a direct physical manner — affect our lives and property as well.
Cory Doctorow, Boing Boing, September 5, 2018
It is impossible to overstate how bonkers the idea of sabotaging cryptography is to people who understand information security. If you want to secure your sensitive data either at rest — on your hard drive, in the cloud, on that phone you left on the train last week and never saw again — or on the wire, when you're sending it to your doctor or your bank or to your work colleagues, you have to use good cryptography. Use deliberately compromised cryptography, that has a back door that only the “good guys” are supposed to have the keys to, and you have effectively no security. You might as well skywrite it as encrypt it with pre-broken, sabotaged encryption. …
Cryptography [is] the basis for all trust and security in the 21st century.
“Nation Stunned That There Is Someone in the White House Capable of Writing an Editorial”
Andy Borowitz, The New Yorker, September 5, 2018
Millions of Americans were startled by the revelation on Wednesday afternoon that there was someone working in the White House capable of writing an entire editorial, reports indicate. …
Davis Logsdon, a professor of linguistics at the University of Minnesota, said that a team of language experts under his supervision has studied the Op-Ed word by word and is “in a state of disbelief” that someone currently working for Donald J. Trump could have written it.
“There are complete sentences, there are well-structured paragraphs, there is subject-verb agreement,” he said. “This does not appear to be the work of any White House staffer we're familiar with.”
“Security Risks of Government Hacking”
Riana Pfefferkorn, Center for Internet and Society, Stanford University, September 4, 2018
This paper addresses six main ways that government hacking can raise broader computer security risks. These include:
* Creating a disincentive to disclose vulnerabilities that should be disclosed because other attackers might independently discover them;
* Cultivating a market for surveillance tools and 0-days;
* Risking that vulnerabilities exploited by the malware will be identified and used by other attackers, as a result of either law enforcement's losing control of the hacking tools, or discovery by outsiders of law enforcement's hacking ability;
* Creating an incentive to push for less-secure software and standards; and
* Risking that malware will affect innocent users.
There's also the possibility that government cracking might discourage the use of free software, which would be extremely disadvantageous even if it were not a security risk.
“How the Department of Homeland Security Created a Deceptive Tale of Russia Hacking US Voter Sites”
Gareth Porter, Consortium News, August 28, 2018
DHS compiled an intelligence report suggesting hackers linked to the Russian government could have targeted voter-related websites in many states and then leaked a sensational story of Russian attacks on those sites without the qualifications that would have revealed a different story. When state officials began asking questions, they discovered that the DHS claims were false and, in at least one case, laughable.
The National Security Agency and special counsel Robert Mueller's investigating team have also claimed evidence that Russian military intelligence was behind election infrastructure hacking, but on closer examination, those claims turn out to be speculative and misleading as well. Mueller's indictment of 12 GRU military intelligence officers does not cite any violations of U.S. election laws though it claims Russia interfered with the 2016 election.
Porter's view is that the Department of Homeland Security is trying, by means of a sketchy publicity campaign, to establish its credentials as the primo defenders of America's computers and networks “despite its limited resources for such responsibility.”
I've been assuming that deals of this kind are commonplace, but it's unusual to see one acknowledged publicly.
“Google and Mastercard Cut a Secret Ad Deal to Track Retail Sales”
Mark Bergen and Jennifer Surane, Bloomberg, August 30, 2018
For the past year, select Google advertisers have had access to a potent new tool to track whether the ads they ran online led to a sale at a physical store in the U.S. That insight came thanks in part to a stockpile of Mastercard transactions that Google paid for.
But most of the two billion Mastercard holders aren't aware of this behind-the-scenes tracking. That's because the companies never told the public about the arrangement. …
It works like this: a person searches for “red lipstick” on Google, clicks on an ad, surfs the web but doesn't buy anything. Later, she walks into a store and buys red lipstick with her Mastercard. The advertiser who ran the ad is fed a report from Google, listing the sale along with other transactions in a column that reads “Offline Revenue” — only if the web surfer is logged into a Google account online and made the purchase within 30 days of clicking the ad. The advertisers are given a bulk report with the percentage of shoppers who clicked or viewed an ad [and] then made a relevant purchase.