Tag: Computer

Good

Finally, a court has ruled that in order for a DNA test to be admitted as evidence, the source code must be made available to the defense.

To my mind, any software used for prosecutions should be publicly available for review:

A New Jersey appeals court has ruled that a man accused of murder is entitled to review proprietary genetic testing software to challenge evidence presented against him.

Attorneys defending Corey Pickett, on trial for a fatal Jersey City shooting that occurred in 2017, have been trying to examine the source code of a software program called TrueAllele to assess its reliability. The software helped analyze a genetic sample from a weapon that was used to tie the defendant to the crime.

The maker of the software, Cybergenetics, has insisted in lower court proceedings that the program’s source code is a trade secret. The co-founder of the company, Mark Perlin, is said to have argued against source code analysis by claiming that the program, consisting of 170,000 lines of MATLAB code, is so dense it would take eight and a half years to review at a rate of ten lines an hour.

MATLAB is a pretty high-level language, so if you have 170,000 lines of code in it, you are writing bloated code.

Also, if you have 170,000 lines of code in it, I guarantee that there are bugs, and likely substantial ones, because most of those lines of code are there to handle edge (unlikely) cases, where the programmer has to make broad assumptions about the data.

………

On Wednesday, the appellate court sided with the defense [PDF] and sent the case back to a lower court directing the judge to compel Cybergenetics to make the TrueAllele code available to the defense team.

“Without scrutinizing its software’s source code – a human-made set of instructions that may contain bugs, glitches, and defects – in the context of an adversarial system, no finding that it properly implements the underlying science could realistically be made,” the ruling says.

Kit Walsh, senior staff attorney for the Electronic Frontier Foundation, hailed the appellate ruling. “No one should be imprisoned or executed based on secret evidence that cannot be fairly evaluated for its reliability, and the ruling in this case will help prevent that injustice,” she said in a blog post. If TrueAllele is found wanting, presumably that will not affect the dozen individuals said to have been exonerated by the software.

It should be noted that the studies “validating” TrueAllele have been conducted by Mark Perlin, and as such are suspect.

Also, though these are slightly different applications, we already know that algorithms used for health care software, Zoom face detection, educational evaluations, and criminal sentencing are all explicitly racist.

It is no stretch to assume that an algorithm explicitly developed for police and prosecutors would be biased in their favor.

That is how you make sales.

It Really Sucks to be You

It appears that in addition to being contemptible people, the purveyors of Parler, the now-shuttered right-wing Twitter, were technically incompetent.

Their tech was incompetently managed, and a security researcher managed to download almost every post on Parler, including deleted posts and extensive metadata.

I’m sure that the FBI will be most interested in this information:

In the wake of the violent insurrection at the U.S. Capitol by scores of President Trump’s supporters, a lone researcher began an effort to catalogue the posts of social media users across Parler, a platform founded to provide conservative users a safe haven for uninhibited “free speech” — but which ultimately devolved into a hotbed of far-right conspiracy theories, unchecked racism, and death threats aimed at prominent politicians.

The researcher, who asked to be referred to by her Twitter handle, @donk_enby, began with the goal of archiving every post from January 6, the day of the Capitol riot; what she called a bevy of “very incriminating” evidence. According to the Atlantic Council’s Digital Forensic Research Lab, among other sources, Parler is one of several apps used by the insurrectionists to coordinate their breach of the Capitol, in a plan to overturn the 2020 election results and keep Donald Trump in power.

………

Operating on little sleep, @donk_enby began the work of archiving all of Parler’s posts, ultimately capturing around 99.9 percent of its content. In a tweet early Sunday, @donk_enby said she was crawling some 1.1 million Parler video URLs. “These are the original, unprocessed, raw files as uploaded to Parler with all associated metadata,” she said. Included in this data tranche, now more than 56 terabytes in size, @donk_enby confirmed that the raw video files include GPS metadata pointing to exact locations of where the videos were taken.

………

Hoping to create a lasting public record for future researchers to sift through, @donk_enby began by archiving the posts from that day. The scope of the project quickly broadened, however, as it became increasingly clear that Parler was on borrowed time. Apple and Google announced that Parler would be removed from their app stores because it had failed to properly moderate posts that encouraged violence and crime. The final nail in the coffin came Saturday when Amazon announced it was pulling Parler’s plug.

………

The privacy implications are obvious, but the copious data may also serve as a fertile hunting ground for law enforcement. Federal and local authorities have arrested dozens of suspects in recent days accused of taking part in the Capitol riot, where a Capitol police officer, Brian Sicknick, was fatally wounded after being struck in the head with a fire extinguisher. 

My suggestion to @donk_enby is that if someone comes sniffing around for the archive that she made, don’t hand it over without a subpoena. Providing the information under compulsion indemnifies you, so if someone wants to sue you for something like “Invasion of Privacy”, you are covered. (Note that I am an engineer, not a lawyer, dammit.*)

My second piece of advice is that turning your personal information over to an online site is a stupid thing, and doing so to a business that caters to reactionaries is even dumber.

Businesses that cater to conservatives on the basis of politics tend to be scams.  All you have to do is listen to Rush Limbaugh or Sean Hannity, and see how many of the ads are transparent bullshit like fat burning plant extracts, overpriced gold, phony ED cures, Corona Virus Cures, etc.

For them, it’s all about the Benjamins.

*I love it when I get to go all Dr. McCoy!

Amazon Ring Hacked to Abuse Homeowners

Amazon’s model for its Ring security cameras is built on its ability to collect extensive data on its users, and on their neighbors.

Their plan is to monetize your data, and to share your data with law enforcement to drive additional sales.

With this model, where there are hundreds, if not thousands, of individuals and organizations with access to the cameras, it should come as no surprise that their system was hacked, and that the hackers used their control of the network to harass people:

Dozens of people who say they were subjected to death threats, racial slurs, and blackmail after their in-home Ring smart cameras were hacked are suing the company over “horrific” invasions of privacy.

A new class action lawsuit, which combines a number of cases filed in recent years, alleges that lax security measures at Ring, which is owned by Amazon, allowed hackers to take over their devices. Ring provides home security in the form of smart cameras that are often installed on doorbells or inside people’s homes.

The suit against Ring builds on previous cases, joining together complaints filed by more than 30 people in 15 families who say their devices were hacked and used to harass them. In response to these attacks, Ring “blamed the victims, and offered inadequate responses and spurious explanations”, the suit alleges. The plaintiffs also claim the company has failed to adequately update its security measures in the aftermath of such hacks.

………

Ring has not said who is behind the hacks, and victims say they still do not know who accessed their homes through the devices.

Repeatedly, Ring blamed victims for not using sufficiently strong passwords, the suit claims. It says Ring should have required users to establish complicated passwords when setting up the devices and implement two-factor authentication, which adds a second layer of security using a second form of identification, such as a phone number.

However, as the lawsuit alleges, Ring was hacked in 2019 – meaning the stolen credentials from that breach may have been used to get into users’ cameras. That means the hacks that Ring has allegedly blamed on customers may have been caused by Ring itself. A spokesperson said the company did not comment on ongoing litigation.

The lawsuit also cites research from the Electronic Frontier Foundation and others that Ring violates user privacy by using a number of third-party trackers on its app.

My old axiom applies, “If they treat their employees like sh%$, how do you think that they will treat you as a customer?”  

Amazon is a pernicious and corrupt organization, and cannot be trusted with your privacy.

We Live in Hell

According to Microsoft®, Microsoft Excel® is the most used programming language in the world.

This almost makes me feel grateful that I had to write bbCodeWebEx in JavaScript. (Almost)

Microsoft will let users create custom functions in Excel using the number wrangler’s own formula language.

“Excel formulas are the world’s most widely used programming language, yet one of the more basic principles in programming has been missing, and that is the ability to use the formula language to define your own re-usable functions,” said Microsoft.

Please, for the love of the Flying Spaghetti Monster, make it stop.

Today in a Foreign Language, the Queen’s English

It appears that in the late 1980s, in an attempt to expand its flagging market for dedicated word processing workstations, Wang launched a maintenance program called WangCare.

This was well received in the United States, but despite warnings from the UK office, the British release was greeted with protests and mockery, and the name was changed in less than 48 hours. 

Trying to sell a homophone for “Wanker”, a term which was then not well known in the US, did not go over well in Blighty.

That being said, I cannot imagine that there are not at least a few snarky comments about Microsoft’s OneCare internet security product in the early 2000s.

Some people never learn.

Well, This Sucks

Today, literally a day after a security audit stated that the security for the Baltimore County Public Schools computer network was so much Swiss cheese, they were hit with a massive ransomware attack.

My wife works as a special education consultant, primarily in Baltimore County, and her meeting today was cancelled; it looks like BCPS may not sort out this cluster-f%$# until the new year.

I’m not entirely sure how to fix this, but I think that relying more on internal expertise, as opposed to over-paid consultants, would be a good start:

Baltimore County’s school system was shut down by a ransomware attack that hit all its network systems and closed school for 115,000 students Wednesday.

While little has been made public about the extent of the attack, school officials said at an afternoon news conference outside the county school headquarters in Towson that they are working closely with state and federal law enforcement and the Maryland Emergency Management Agency to investigate.

………

Superintendent Darryl Williams said he has no timeline for when school will resume. School officials said the network issue has affected the district’s website, email system and grading system. Until the problem is resolved, students will have no school.

The attack comes as the school system continues to operate online only, with all in-person classes delayed, as a result of the coronavirus pandemic.

………

The school system stopped communicating to staff and parents by email and began using Twitter and robocalls to inform its community about the attack. The district is advising all students, parents and teachers not to turn on their school laptops, and some students have taken any county applications off their phones as a precaution.

………

Baltimore County’s network is the conduit for grades, lesson plans, and communication between teachers and students and parents. Unlike some other school systems in the region, Baltimore County began giving students devices more than a decade ago.

………

It’s unclear when the attack started, but the school board meeting video stream abruptly cut out late Tuesday evening. And according to social media accounts, school system teachers began noticing problems about 11:30 p.m. as they were entering grades.

It actually knocked out the virtual BCPS school board meeting that was held last night.

What a mess.

The Root of Currency is “Current”, and Cryptocurrency Isn’t

That’s why a court has ruled that a $100 million initial crypto coin offering (ICO) by Kin was an illegal unregistered securities sale.

When all is said and done, currency is supposed to allow one to spend a store of value on goods and services essentially instantly.

Even the most established crypto-currency, Bitcoin, takes hours, if not days, to process a transaction.
It is not a meaningful medium of exchange for even the most basic commercial activities:

The 2017 launch of the Kin cryptocurrency broke federal securities laws, a federal judge has ruled. Federal law requires anyone who offers a new security to the general public to register with the Securities and Exchange Commission. The messaging app maker Kik didn’t do that when it sold $100 million worth of Kin in 2017.

The company argued that Kin was legally a new virtual currency, not a security. In a Wednesday ruling, Judge Alvin Hellerstein rejected that claim. The ruling could have big consequences for the cryptocurrency world.

Since 2016, hundreds of cryptocurrency projects have held Kin-like “initial coin offerings” that raised millions—in a few cases, hundreds of millions—of dollars. Few of these offerings went through the traditional steps required to register a securities offering with the SEC. So Wednesday’s ruling could create legal headaches for existing blockchain projects launched via an ICO. It also limits the options for launching cryptocurrencies in the future.

Judge Hellerstein gave Kik and the SEC three weeks to come up with a joint recommendation on appropriate remedies. Kik says it is considering appealing the ruling.

How a cryptocurrency offering is like an orange grove

A security is an asset that investors purchase in hopes of making a profit. It includes traditional investment vehicles like stocks and bonds, but it also includes a catch-all category called an investment contract. The Supreme Court laid out the legal criteria for investment contracts in a landmark 1946 ruling.

………

In his Wednesday ruling, Hellerstein concluded that similar logic applies to the Kin tokens Kik sold in 2017. Officially, Kin owners are not entitled to any profits generated by the Kin ecosystem. But practically speaking, people bought Kin because they hoped a thriving Kin ecosystem would push up Kin’s value the same way that bitcoins and ether had become more valuable over time.

Hellerstein notes that Kik CEO Ted Livingston repeatedly touted Kin’s potential as an investment opportunity. “If you could grow the demand for it, then the price—the value of that cryptocurrency would go up, such that if you set some aside for yourself at the beginning, you could make a lot of money,” Livingston said.

………

This was a common way to bootstrap a new cryptocurrency during the 2017 ICO boom, and the Kik ruling could slam the door shut on this method for getting a new blockchain project off the ground. Registering as a security comes with a lot of regulations. Complying with those regulations will, at a minimum, require a lot of legal work. And some cryptocurrency projects might not fit into existing SEC rules at all.

This is a good thing.

ICOs are a recipe for fraud.

The New Blogger Sucks

The authoring, both in rich text and in HTML, is indescribably awful.

The tag applications still do not work reliably, and both interfaces are clearly slower.

Either this is an attempt by Google to drive people away from Blogspot to justify their shutting down the service, or their programming team for Blogger needs to be fired.

I have no clue as to who evaluates user interfaces at Google, or how, but these folks need to be fired too.

Acknowledging Reality

The CEO of Ford, Jim Hackett, is walking back expectations on self-driving cars, suggesting that they be limited to dedicated roadways.

That has been the opinion of pretty much every expert whose paycheck is not dependent on selling the still distant technology:

Ford CEO Jim Hackett scaled back hopes about the company’s plans for self-driving cars this week, admitting that the first vehicles will have limits. “We overestimated the arrival of autonomous vehicles,” said Hackett, who once headed the company’s autonomous vehicle division, at a Detroit Economic Club event on Tuesday. While Ford still plans on launching its self-driving car fleet in 2021, Hackett added that “its applications will be narrow, what we call geo-fenced, because the problem is so complex.”

Hackett’s announcement comes nearly six months after its CEO of autonomous vehicles, Sherif Markaby, detailed plans for the company’s self-driving car service in a Medium post. The company has invested over $4 billion in the technology’s development through 2023, including over $1 billion in Argo AI, an artificial intelligence company that is creating a virtual driver system. Ford is currently testing its self-driving vehicles in Miami, Washington, D.C. and Detroit.

Driving cars is literally the most difficult thing that people do on a routine basis, and it is made all the more complex because it involves incredibly complex interactions with other human beings who do not truly understand the limits of their 1½+ ton death machines.

People who suggest that this is just around the corner are deluded or liars, or both.

As Zathras Would Say, “At Least There is Symmetry.”

There was a court hearing today for the Florida teen who allegedly hacked dozens of celebrity Twitter accounts, and someone posted porn clips to the Zoom meeting.

Needless to say, this is now on my list as a perfect moment in the history of hacking:

Clearly, Mr. Clark has no F%$#s left to give

Perhaps fittingly, a Web-streamed court hearing for the 17-year-old alleged mastermind of the July 15 mass hack against Twitter was cut short this morning after mischief makers injected a pornographic video clip into the proceeding.

The incident occurred at a bond hearing held via the videoconferencing service Zoom by the Hillsborough County, Fla. criminal court in the case of Graham Clark. The 17-year-old from Tampa was arrested earlier this month on suspicion of social engineering his way into Twitter’s internal computer systems and tweeting out a bitcoin scam through the accounts of high-profile Twitter users.

………

Notice of the hearing was available via public records filed with the Florida state attorney’s office. The notice specified the Zoom meeting time and ID number, essentially allowing anyone to participate in the proceeding.

All worth it for Florida DA Andrew Warren’s reaction

Even before the hearing officially began it was clear that the event would likely be “zoom bombed.” That’s because while participants were muted by default, they were free to unmute their microphones and transmit their own video streams to the channel.

………

What transpired a minute later was almost inevitable given the permissive settings of this particular Zoom conference call: Someone streamed a graphic video clip from Pornhub for approximately 15 seconds before Judge Nash abruptly terminated the broadcast.

I am very amused by this.

So say we all.

Why Governments Should Insource their IT

It turns out that, after millions of dollars poured down the drain, the unemployment websites created by companies like Deloitte and IBM do not work.

It’s a hell of a racket. You get paid to create the website, and then you get paid to fix your own piss-poor work:

In 2010, California hired the consulting firm Deloitte to overhaul the state website people use to apply for unemployment benefits. Things didn’t go well: Later that year, technical errors led to the halting of payments for some 300,000 people, according to the Los Angeles Times. And, the paper reported that, at $110 million, the final cost of the system was almost double the initial estimate.

A decade later, the taxed, aging system built by Deloitte in California is struggling again, this time under the strain of new applicants put out of work by the pandemic.

But Deloitte still won a fresh contract last month to again help out with California’s unemployment system. The Sacramento Bee reported that the company has received another $16 million to provide unemployment call center services and help deliver benefits. Deloitte still receives nearly $6 million per year under the contract to maintain the system, the Bee reported.

The move is part of a pattern: States continue to spend millions of dollars hiring Deloitte, IBM, and other contractors to build and fix unemployment websites, even amid growing concerns about the quality of their work. And the crush of unemployment applications flooding in around the country since the pandemic hit have only made the situation worse.

The problem is as follows:

  • Basic capabilities are outsourced to consultants.
  • The knowledge needed to supervise these projects beyond the most superficial level walks out the door as the personnel are hired away by these consultants.
  • The consultants do their jobs poorly, but the government cannot spot this until it is too late.
  • The consultants are then paid to fix the problem, because the government lacks the ability to fix the system.
  • The consultants are paid to maintain the system, because the government lacks the ability to do that either.
  • Rinse, lather, repeat.

Somewhere along the line, there are likely some campaign donations, or similar skulduggery, but that’s a feature, not a bug.

Wage Theft is the Goal

Shipt, the delivery service owned by Target, is facing a strike over its shift to an algorithm-based pay structure, which workers say will cheat them out of pay.

This is no surprise. Opaque pay structures like this are intended to cheat workers out of their pay:

Workers for the Target-owned grocery delivery service Shipt are striking Wednesday in protest of the company rolling out a less transparent payment structure nationwide.

The walk-off will coincide with the day that the new pay model will take effect in 12 metro areas, including Chicago, Tampa, Richmond, Va., and Portland, Ore.

Shipt shoppers are raising alarm over the change, which they say would likely reduce shopper pay by at least 30 percent based on a similar pay shift that occurred at the end of 2019.

While Shipt previously had a simple model for calculating payouts — a 7.5 percent commission on all orders plus $5 — the model, dubbed V2, rolled out in some markets last year doles out pay based on a black box algorithm.

“We do not like the transparency because we’re not able to calculate or figure out exactly how it is that we’re being compensated,” Willy Solis, one of the strike’s organizers and a shopper in Texas, told The Hill on Monday.

………

Shipt gig workers’ experiences in areas where the V2 model has been tested do not line up with that claim.

Jeanine Meisner, a veteran shopper in the Kalamazoo, Mich., area told The Hill that she saw an immediate drop in the dollar amount of offers when V2 came to her area.

………

“For six months now we have tirelessly, endlessly provided screenshots, we’ve called, we’ve texted, we’ve emailed about these lowball offers that we’ve gotten and we’ve got nowhere, we get a cut and pasted response,” she said.

Shoppers across V2 markets felt similar impacts, according to Solis.

“Collectively we joined forces and started keeping tabs and calculating … and shoppers were losing significant money,” he said.

So not a surprise.

This is a feature, not a bug.

Algorithmic pay schemes always end up cheating workers, because they make doing so effortless.

This is No Surprise

The European Court of Justice has ruled that servers in the US are insufficiently secure to comply with EU privacy regulations.

This is no surprise. The deal with the US has largely been a fig-leaf created as a result of brow-beating of European regulators by the US State Security Apparatus:

The European Union’s top court on Thursday threw a large portion of transatlantic digital commerce into disarray, ruling that data of E.U. residents is not sufficiently protected from government surveillance when it is transferred to the United States.

The ruling was likely to increase transatlantic tensions at a moment when President Trump has already been threatening tariffs and retaliation against the E.U. for what he says are unfair business practices. It was a victory for privacy advocates, who said that E.U. citizens are not as protected when their information is transferred to U.S. servers as when that information stays inside Europe.

The European Court of Justice ruled that a commonly used data protection agreement known as Privacy Shield did not adequately uphold E.U. privacy law.

………

The court said that it was unacceptable for E.U. citizens not to have “actionable rights” to question U.S. surveillance practices.

European data privacy advocates celebrated the decision.

It’s a good thing that the US State Security apparatus is finally getting some push-back internationally.

When You Know That Twice as Much Time Was Spent on the Subhed as Was Spent on the Story

OK, you are covering a story about Amazon banning TikTok from work devices.

The headline reads, “An Email Banning Our Staff from Using Tiktok? Haha, Funny Story about That, We Didn’t Mean It – Amazon”, and it sounds like a classic story from The Register. Then you see the sub-headline, and it reads, “Shock TikTok block clocked, unblocked as poppycock amid media aftershock.”

You immediately know that whatever the rest of the story is about, most of the effort went into that sub-hed.

I’m actually fine with that, because this is beautiful.

We Now Know Where Microsoft® Bob® Works

Microsoft’s MSN network is attempting to replace human editors with artificial “Intelligence”.

Much fail ensues:

Microsoft’s decision to replace human journalists with robots has backfired, after the tech company’s artificial intelligence software illustrated a news story about racism with a photo of the wrong mixed-race member of the band Little Mix.

A week after the Guardian revealed plans to fire the human editors who run MSN.com and replace them with Microsoft’s artificial intelligence code, an early rollout of the software resulted in a story about the singer Jade Thirlwall’s personal reflections on racism being illustrated with a picture of her fellow band member Leigh-Anne Pinnock.

………

Microsoft does not carry out original reporting but employs human editors to select, edit and repurpose articles from news outlets, including the Guardian. Articles are then hosted on Microsoft’s website and the tech company shares advertising revenue with the original publishers. At the end of last month, Microsoft decided to fire hundreds of journalists in the middle of a pandemic and fully replace them with the artificial intelligence software.

………

In advance of the publication of this article, staff at MSN were told to expect a negative article in the Guardian about alleged racist bias in the artificial intelligence software that will soon take their jobs.

Because they are unable to stop the new robot editor selecting stories from external news sites such as the Guardian, the remaining human staff have been told to stay alert and delete a version of this article if the robot decides it is of interest and automatically publishes it on MSN.com. They have also been warned that even if they delete it, the robot editor may overrule them and attempt to publish it again.

Staff have already had to delete coverage criticising MSN for running the story about Little Mix with the wrong image after the AI software decided stories about the incident would interest MSN readers.

Epic fail.

Tweets of the Day

HTML was originally developed as a markup language for non-programmers. It was highly successful at democratizing web development. And then it was replaced with more powerful tools that exclude non-programmers.

This change was as predictable as it was bad.

— Nikkita Bourbaki (@futurebird) April 30, 2020

The real reason we have brogrammers creating more obscure and syntactically incomprehensible languages is that they want to preserve their priesthood. The results are as negative as they are inevitable:

C was created by legendary male hackers and 40+ years later it is still impossible to write safe C code. COBOL was created by women who were pioneers in computer science, runs the world financial system, and you only hear about it when the world breaks.

— woolie (@woolie) April 10, 2020

No, Just No

This is a bad idea. A really bad one, on multiple levels – for starters, it threatens the integrity of Dem voter data & puts Nov prospects in hands of a shady firm w/ a failed track record.

Plenty of orgs bid for contracts. I hope there is enough good sense to reject this one. https://t.co/8kRIog03YM

— Alexandria Ocasio-Cortez (@AOC) April 10, 2020

As a part of Michael Bloomberg’s efforts to purchase the Democratic Party establishment (There is no Democratic Party establishment), his campaign organization is making a below cost bid to take over the campaign infrastructure of the Biden campaign, as well as various leadership PACs, and Eric (Place) Holder’s political organization.

If you don’t find this chilling, you are not paying attention.

Also, it should be noted that this is a classic part of the Bloomberg handbook:  Using his money to forestall any meaningful criticism of his actions so that he can secure power.

As an aside, the Sanders campaign should NEVER turn over its data to the DNC for just this reason:

The Bloomberg-owned firm Hawkfish, which ran the presidential campaign of Mike Bloomberg, is in serious talks to serve the presidential campaign of Joe Biden, according to sources with knowledge of the ongoing negotiations. Along with Biden’s campaign, the firm is courting a wide swath of other progressive and Democratic organizations, opening up the possibility of Bloomberg gaining significant control over the party’s technology and data infrastructure.

………

But instead it comes with other enticements to clients. Democratic operatives who’ve been pitched by Hawkfish say that the firm is able to offer extraordinarily low prices by operating at a loss subsidized by Bloomberg, whose wealth dangles as an added benefit that could come with signing the firm. A Hawkfish insider, who spoke on the condition of anonymity so as not to jeopardize employment, confirmed that the company is willing to operate at a loss in order to grab control of the party infrastructure, explaining that the firm hopes to offer a fee that would be small enough to entice the Biden campaign while passing muster with federal regulators. (If a firm offers services for less than fair market value, the discount is considered under campaign finance laws to be an in-kind contribution, and thus subject to legal limits depending on the entity collecting the contribution. A presidential campaign can’t accept more than $2,800 from a single individual per election, or any contributions at all from a company.)

The FEC won’t rule on the in-kind contribution until after the election, if it even could take action, since it still lacks a quorum to operate.

“When the objective isn’t money but control, $18 million is incredibly cheap to become the center of gravity for all Democratic political information, which we would be if both Biden and [House Democrats] have to come through us,” the source said, referring to the amount of money the Bloomberg campaign transferred to the Democratic Party last month, in a reversal of his earlier pledge to create a Super PAC in support of the party’s nominee. “And in the current environment, the public sees this as generosity.”

………

Waleed Shahid, spokesperson for Justice Democrats, which recruits progressive challengers to incumbents, said that Bloomberg’s firm running the party’s data operation would send the wrong signal and could have long-term, damaging repercussions. “The idea of the Democratic nominee potentially rewarding Bloomberg’s firm with this contract is disturbing,” he said. “We shouldn’t be the party of helping billionaires amass huge amounts of mega-data on voters that allow them to keep accruing obscene amounts of power in our democracy.”

In the annals of bad ideas for the Democratic Party, this one is definitely in the top three.

Well, This is a Relief

The US District Court for the District of Columbia has ruled that violating a site’s terms of service is not criminal hacking.

This was a pre-enforcement challenge to the CFAA by researchers who were looking into racial discrimination by websites, but were concerned that these sites would manage to convince a prosecutor to charge them with a felony in response to their discovering embarrassing information.

Given that the general vagueness of the CFAA is a petri dish for prosecutorial abuse, this is a good thing:

A federal court in Washington, DC, has ruled that violating a website’s terms of service isn’t a crime under the Computer Fraud and Abuse Act, America’s primary anti-hacking law. The lawsuit was initiated by a group of academics and journalists with the support of the American Civil Liberties Union.

The plaintiffs wanted to investigate possible racial discrimination in online job markets by creating accounts for fake employers and job seekers. Leading job sites have terms of service prohibiting users from supplying fake information, and the researchers worried that their research could expose them to criminal liability under the CFAA, which makes it a crime to “access a computer without authorization or exceed authorized access.”

So in 2016 they sued the federal government, seeking a declaration that this part of the CFAA violated the First Amendment.

But rather than addressing that constitutional issue, Judge John Bates ruled on Friday that the plaintiffs’ proposed research wouldn’t violate the CFAA’s criminal provisions at all. Someone violates the CFAA when they bypass an access restriction like a password. But someone who logs into a website with a valid password doesn’t become a hacker simply by doing something prohibited by a website’s terms of service, the judge concluded.

“Criminalizing terms-of-service violations risks turning each website into its own criminal jurisdiction and each webmaster into his own legislature,” Bates wrote.

Don’t Use Zoom

Ever wondered how the @zoom_us macOS installer does its job without you ever clicking install? Turns out they (ab)use preinstallation scripts, manually unpack the app using a bundled 7zip and install it to /Applications if the current user is in the admin group (no root needed). pic.twitter.com/qgQ1XdU11M

— Felix (@c1truz_) March 30, 2020

We now have news of a litany of privacy breaches and misrepresentations of its capabilities.

Given their history, the logical conclusion is that they have made violating their users’ privacy a central part of their business model:

Zoom, the video conferencing service whose use has spiked amid the Covid-19 pandemic, claims to implement end-to-end encryption, widely understood as the most private form of internet communication, protecting conversations from all outside parties. In fact, Zoom is using its own definition of the term, one that lets Zoom itself access unencrypted video and audio from meetings.

With millions of people around the world working from home in order to slow the spread of the coronavirus, business is booming for Zoom, bringing more attention on the company and its privacy practices, including a policy, later updated, that seemed to give the company permission to mine messages and files shared during meetings for the purpose of ad targeting.

Still, Zoom offers reliability, ease of use, and at least one very important security assurance: As long as you make sure everyone in a Zoom meeting connects using “computer audio” instead of calling in on a phone, the meeting is secured with end-to-end encryption, at least according to Zoom’s website, its security white paper, and the user interface within the app. But despite this misleading marketing, the service actually does not support end-to-end encryption for video and audio content, at least as the term is commonly understood. Instead it offers what is usually called transport encryption, explained further below.

………

But when reached for comment about whether video meetings are actually end-to-end encrypted, a Zoom spokesperson wrote, “Currently, it is not possible to enable E2E encryption for Zoom video meetings. Zoom video meetings use a combination of TCP and UDP. TCP connections are made using TLS and UDP connections are encrypted with AES using a key negotiated over a TLS connection.”

The encryption that Zoom uses to protect meetings is TLS, the same technology that web servers use to secure HTTPS websites. This means that the connection between the Zoom app running on a user’s computer or phone and Zoom’s server is encrypted in the same way the connection between your web browser and this article (on https://theintercept.com) is encrypted. This is known as transport encryption, which is different from end-to-end encryption because the Zoom service itself can access the unencrypted video and audio content of Zoom meetings. So when you have a Zoom meeting, the video and audio content will stay private from anyone spying on your Wi-Fi, but it won’t stay private from the company. (In a statement, Zoom said it does not directly access, mine, or sell user data; more below.)

………

“They’re a little bit fuzzy about what’s end-to-end encrypted,” Green said of Zoom. “I think they’re doing this in a slightly dishonest way. It would be nice if they just came clean.”

………

Without end-to-end encryption, Zoom has the technical ability to spy on private video meetings and could be compelled to hand over recordings of meetings to governments or law enforcement in response to legal requests. While other companies like Google, Facebook, and Microsoft publish transparency reports that describe exactly how many government requests for user data they receive from which countries and how many of those they comply with, Zoom does not publish a transparency report. On March 18, human rights group Access Now published an open letter calling on Zoom to release a transparency report to help users understand what the company is doing to protect their data.

Not just a subpoena. If you bribe a Zoom employee, you could get access to the chat.

Also, Zoom has been found to be sharing user data with Facebook, even if you are not a member, refused to fix a remote access vulnerability until it was reported to the FTC, allowed meeting hosts to spy on users’ window status on their PCs, and collects personally identifiable data and links it to your IP address.

This is not a company that you want to deal with.
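To make the transport-versus-end-to-end distinction in the quoted article concrete, here is an added Python model (not Zoom’s code, and not from The Intercept) of a message relayed through a server under both designs. The cipher is a constructed toy (an HMAC-SHA256 keystream) standing in for TLS/AES, and the key names and messages are assumptions made for the example; the point is which party can read the content, not the cipher itself.

```python
import hashlib
import hmac
import os

NONCE_LEN = 12


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy PRF keystream: HMAC-SHA256 over a counter. Constructed for illustration;
    it stands in for the AES/TLS record layer, it is not a production cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    return nonce + bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))


def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    nonce, body = ciphertext[:NONCE_LEN], ciphertext[NONCE_LEN:]
    return bytes(c ^ k for c, k in zip(body, keystream(key, nonce, len(body))))


def relay_transport_only(msg: bytes, key_alice_server: bytes, key_server_bob: bytes):
    """Hop-by-hop (TLS-style) encryption: each leg has its own key, so the relay
    decrypts one leg and re-encrypts for the next, holding plaintext in between.
    Returns (what the server sees, what Bob receives)."""
    wire_in = encrypt(key_alice_server, msg)
    seen_by_server = decrypt(key_alice_server, wire_in)   # server holds this key
    wire_out = encrypt(key_server_bob, seen_by_server)
    return seen_by_server, decrypt(key_server_bob, wire_out)


def relay_end_to_end(msg: bytes, e2e_key: bytes, key_alice_server: bytes, key_server_bob: bytes):
    """End-to-end: Alice first encrypts under a key only she and Bob hold, then the
    transport layer wraps that ciphertext. The relay unwraps its hop as before,
    but what it holds is still ciphertext. Returns (server view, Bob's plaintext)."""
    inner = encrypt(e2e_key, msg)
    wire_in = encrypt(key_alice_server, inner)
    seen_by_server = decrypt(key_alice_server, wire_in)   # equals inner, not msg
    wire_out = encrypt(key_server_bob, seen_by_server)
    return seen_by_server, decrypt(e2e_key, decrypt(key_server_bob, wire_out))


if __name__ == "__main__":
    ka, kb, ke = os.urandom(32), os.urandom(32), os.urandom(32)   # constructed keys
    sample = b"constructed sample: board meeting minutes"
    print("transport only, server sees:", relay_transport_only(sample, ka, kb)[0])
    print("end-to-end, server sees:    ", relay_end_to_end(sample, ke, ka, kb)[0])
```

In the transport-only case the value the server holds is the readable message, which is exactly what a subpoena or a dishonest employee would obtain; in the end-to-end case the server holds only ciphertext it has no key for.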

How This Works


Someone is Gaming the System

The Markup, a news org created to do deep dives on technical news stories, has found that there are significant differences in the ways that Gmail handles emails from different presidential campaigns.

The Buttigieg and Yang campaigns are achieving disproportionate success in getting into the Gmail primary inbox.

The implication of this story is that Google could alter its algorithms to favor one candidate over another.

I do not think that this is a credible concern, at least not yet.

However, it is entirely possible that there are people inside Google who favor one candidate over another who would provide detailed information to the campaigns about how to game the filters.

IMHO, the two campaigns most likely to have a Google insider feeding them information would be those of Buttigieg and Yang, and it is their emails that have achieved the most success in reaching the primary email tab.

It’s called a man on the inside attack:

Pete Buttigieg is leading at 63 percent. Andrew Yang came in second at 46 percent. And Elizabeth Warren looks like she’s in trouble with 0 percent.

These aren’t poll numbers for the U.S. 2020 Democratic presidential contest. Instead, they reflect which candidates were able to consistently land in Gmail’s primary inbox in a simple test.

The Markup set up a new Gmail account to find out how the company filters political email from candidates, think tanks, advocacy groups, and nonprofits.

We found that few of the emails we’d signed up to receive —11 percent—made it to the primary inbox, the first one a user sees when opening Gmail and the one the company says is “for the mail you really, really want.”

Half of all emails landed in a tab called “promotions,” which Gmail says is for “deals, offers, and other marketing emails.” Gmail sent another 40 percent to spam.

For political causes and candidates, who get a significant amount of their donations through email, having their messages diverted into less-visible tabs or spam can have profound effects.

“The fact that Gmail has so much control over our democracy and what happens and who raises money is frightening,” said Kenneth Pennington, a consultant who worked on Beto O’Rourke’s digital campaign.

………

It’s well known that Facebook and Twitter curate which posts people see through the news feed, highlighting some while others are scarcely shown. What’s received less attention is how email has also become an algorithmically curated and monetized platform—essentially another feed—and the effect that can have. Some nonprofits and political causes said inbox curation is reducing donations and petition signatures.

Google communications manager Katie Wattie said in an email that the categories “help users organize their email.”

………

The tabs also serve another purpose: ad inventory. While Gmail does not sell ads in the primary inbox, advertisers can pay for top placement in the social and promotions tabs in free accounts.