Change You Won’t See

It’s that time of year when bloggers’ thoughts turn to change. Seems like everyone is talking about it. Change for the better, change for the worse. Far be it from me to neglect a tidal wave of interest. But naturally, I have to put my own cynical spin on it.

Herewith, my top five list of things that need to change in 2015, but won’t.

5. BART’s mañana attitude. Not just waiting until the last minute and beyond to negotiate with the unions–really, guys, it’s not too early to start working on the 2017 contract, honest–but in general. Cars are increasingly overcrowded; by the time the new cars with more space are delivered in 2016 and 2017, they’ll be packed just as tight as the old cars are now. And yet, we keep hearing that BART can’t start thinking about increasing capacity until after the cars are delivered.

4. Caltrans’ “It doesn’t need to be tested” attitude. Do I even need to elaborate on this? It’s not just the Bay Bridge: everything we’re hearing suggests that Caltrans needs to make a significant change in its corporate culture. Consider future needs. Don’t take it for granted that construction has been done to standard. Recognize that budgets are not infinitely flexible.

3. Government’s belief that citizens have no right to privacy. Did you notice that the NSA chose Christmas Eve to release a pile of audit reports, hoping that nobody would pay attention? Bloomberg’s report makes it obvious that nobody is exercising any control over the NSA. If there are no processes–or software controls–in place to prevent analysts from conducting surveillance without authorization, it means the organization is relying on self-policing. And if an analyst can accidentally submit a request for surveillance on himself, it’s a pretty good sign that self-policing isn’t working. And yet, the NSA wants more access to record and monitor everything that everyone does. Oh, and let’s not forget the FBI, which continues to claim that North Korea is responsible for the Sony hack, despite significant evidence that the crackers were Russians, possibly assisted by an employee or ex-employee.

2.5 The increasing militarization of local police. As long as police departments are free to buy new and increasingly lethal toys, no one will be able to make any progress in decreasing the fear and distrust between police and the general public. Drone flights won’t make the public feel safer, and the increased resentment will easily flash over into more threats against the police. And body cameras are not and will never be the answer. They’re too easily forgotten, damaged, misinterpreted, or outright ignored.

2. The endless waffling and squabbling by MLB and the As. Just make a decision, people. Yes, O.co is a literal cesspool, but the As aren’t going to make any effort to improve the situation while the possibility exists that they could skip town. The costs of San Jose’s lawsuit are increasing, and MLB’s anti-trust exemption–already cracked by recent court decisions on the NFL’s blackout rules–is at risk. Regardless of your opinion of the exemption as a whole, having it revoked or struck down would open the door to levels of team movements that haven’t been seen since the 1890s. MLB needs to–ahem–shit or get off the pot before someone yanks the pot out from under them.

1. Phones getting bigger. Remember how bad the RSI epidemic was before we started to figure out how hard on the wrists sitting and typing all day was? I’m increasingly of the opinion that we’re treading the same path here. People are holding larger, heavier phones all the time. Bluetooth headsets aren’t a cure: you still need to hold your phone to play games, watch videos, and read and write all but the simplest e-mails. I fully expect 2015 to be the year of the sprained wrist, as Android phone-makers rush out models to increase their size lead over Apple. 2016 will be even worse when Apple catches up with an iPhone 7 that–projecting the trend–will require a personal crane to lift. Not that all of the blame can be assigned to device manufacturers. Several studies that I just made up indicate that all of the screen protectors, fancy cases, and assorted bling that consumers slather on their phones increase the weight by at least twenty-five percent.

0. Happy New Year!

They See You When…

In today’s multi-topic column in the SF Chronicle, Jon Carroll takes on the difference between “uninterested” and “disinterested”, the decline in the latter, and the misuse of the former. I can’t add anything to what he says, beyond cheering him on. You may find my support for his position surprising, given my lack of concern over the use of “literally” to mean “figuratively”. The difference is that in the case of uninterested/disinterested, the correct interpretation is usually not obvious from context. Anyway, go read the column.

But that’s actually a side-issue, and isn’t actually why I wanted to call the column to your attention. The most important part of the column is the one in which Mr. Carroll discusses a workaround for the NSA’s snooping that I think merits some additional conversation. Says he, “It may be that, if you’re an enemy of the state or just a private citizen yearning for a life without surveillance, you’d be safest if you just wrote a letter.” In short, he suggests that the Postal Service doesn’t open your mail, and, should you burn your letters after reading them, the NSA can’t reconstruct the contents. Thus, it’s a much safer alternative to email.

Break out the tin-foil hats, folks (I’ll take a foil fedora, please. Better coverage than the traditional beanie, and much more stylish.) Could it be that Edward Snowden was actually a mole planted by the Postal Service to boost postal revenues and save Saturday mail delivery? Let’s look at the evidence.

One meme I hear over and over again is that the Post Office makes most of its money from delivering junk mail. If true, that would cast doubt on the conspiracy theory, as a spike in personal mail usage wouldn’t affect the major revenue source. It turns out, however, that it’s not true. As the New York Times pointed out in August, first-class mail is “the largest revenue source” for the Postal Service. Revenue from junk mail is about two-thirds what first-class mail brings in, and is only slightly ahead of package delivery revenue. Combine that information with the knowledge that first-class revenue actually declined by more than 3% in the third quarter, and the idea starts to look reasonable. If the Postal Service can reverse the decline in their big moneymaker, they might not just survive, but show a profit.

But wait, there’s a piece of information that Jon Carroll missed. The New York Times also reported that the Postal Service “…takes a photograph of every letter and package mailed in the United States…and…provides the photos to law enforcement agencies that request them…” That gives a record of every letter you send, who you send it to, and when. In short, exactly the same metadata that the NSA is collecting from cellular carriers.

Mr. Carroll suggests that using the mail system will allow you to run your illicit ferret smuggling operation without detection because law enforcement can’t read your letter setting up the meet. However, they can observe via the metadata that you have a pattern of sending letters to known ferret fanciers. Clearly this would be grounds for enhanced surveillance; a GPS tracker planted on your car would quickly reveal your covert trips to the secluded rest stop near the border where you exchange ferrets for cash.

I think this makes it clear that Edward Snowden is not working for the Postal Service, but is actually an NSA plant working a double-blind operation. The NSA, aware that the public would eventually find out about the cellular snooping program, is using Snowden to redirect communications into a different channel which is less efficient for terrorists (slower and more prone to data loss), but just as easily monitored.

You doubt me? Just ask yourself one simple question: “Who was paying Edward Snowden during the entire time he was gathering information on NSA practices?” That’s right, follow the money and consider: it was the NSA itself! Not exactly a disinterested third party. QED.

Theft Detection

Sort of a painful post today. I hate to publish a downer about Google right after the neutral-to-good things I said yesterday, but putting it off doesn’t make it any better.

There’s an interesting story on The Verge about Google uncovering a ring of Chinese car thieves.

The gist of it is that the thieves would take pictures of cars parked on the street and use the photos in ads offering the cars for sale. When they found a buyer, they would go steal the car, take the buyer’s money, and leave him to deal with the repercussions of having purchased stolen merchandise. It’s a clever scam: the JIT procurement process means that the car probably doesn’t get reported as stolen until after the deal is done, and the delays built into the Chinese banking system apparently make it almost impossible for the buyer to stop payment–and give the thieves several days to make their getaway.

So what’s the Google connection? It seems that when they were updating their tools for detecting fraudulent ads in their AdWords network, a bunch of used car ads were getting flagged alongside the expected ads for counterfeit designer goods and phishing schemes. Nobody was sure why, as the ads didn’t appear significantly different than other ads for used merchandise that didn’t get flagged. In fact, as far as I can tell from the article, nobody is still quite sure exactly what caused the fraud flag to be set. There are some obvious clues, most notably a pattern of quick buys from new accounts. But because the main algorithm incorporates its own feedback loop, using the results of past runs as input for new runs, the specific combination of pieces of information is obscure, to say the least.

Of course, there really isn’t much Google can do when they spot a fraudster in China. They can delete the ad from AdWords, but that’s about it. Their relationship with China is rather rocky, making the sort of fast, targeted communication necessary to catch the scammers somewhere between “difficult” and “impossible”.

But they’re spotting crime, and there are other countries where Google has better access. This is a good thing, right?

Well, no. Even without considering the question of false positives–not everything that gets flagged as fraudulent will actually turn out to be an actual crime–consider this quote from AdWords director David Baker: “There’s no one thing or even a handful of things. It’s thousands of pieces of information in aggregate.” In other words, it’s Google’s massive database of information about who is doing what using their system.

This is, of course, exactly the same database that the NSA and other law enforcement and intelligence agencies are accessing in secret. Do you really want Google being forced to produce a list of suspected terrorists based on advertising history? Keep in mind that the database doesn’t just include the ad buyers, it also includes who sees which ads, what pages the ads were shown on, and whether the viewer clicked on them. Are you confident that your name won’t show up on the list?

Sure you’re OK with that risk–terrorism is pretty bad stuff, after all? Consider the FBI’s definition of terrorism: “…the unlawful use of force and violence against persons or property to intimidate or coerce a government, the civilian population, or any segment thereof, in furtherance of political or social objectives”. “Any segment” could be as small as one or two people, which means it could apply to breaking windows during a protest (see, for example, the recent protests in Oakland over the Zimmerman trial verdict). I’m not the only one who thinks this is a legitimate risk. As far back as 2002, the ACLU pointed out that Greenpeace, Operation Rescue, and WTO protesters were at risk for being treated as terrorists. Open Salon pointed out that the Department of Defense explicitly defines protests as “low-level terrorism” and that definition was used in responding to the 2008 “RNC Welcoming Committee” protests.

Still totally confident that your name isn’t going to show up on the suspect list? Let’s face it: if you came to this post via a Google or Bing search, you’re going to be on that list. Chances are good that even if you just have this blog bookmarked, a simple demand that WordPress turn over their activity logs would include enough information for you to be tied to your other web actions and identified.

And none of this discussion even considers the possibility of scope creep. If the NSA can use this approach to fight terrorism, who’s to say that the local police can’t use it to fight serious crimes like rape and murder? And once that door is open, history shows that other crimes won’t be far behind. Fraud (remember where this discussion started?), theft, and even driving violations could be next.

I implied back at the beginning of this post that it’s Google’s problem. It is and it isn’t. As with the NSA’s reported surveillance activities to date, Google wouldn’t have a whole lot of choice about cooperating with a demand for such materials. It’s their problem, but it’s ours too. And there isn’t any more of a good solution for this part of the problem than the rest of it.

Trending

This has been bugging me for a while, and since I’m feeling curmudgeonly today, I’m going to rant for a bit. I’ve already posted a cute cat picture, so I figure I’m entitled.

Google has a variety of pages that show trends in what people are currently searching for. The most visually spectacular is the “Hot Searches Visualization”, which shows “the latest hot searches”, updating live as new requests come in.

Then there’s the main “Hot Trends” page, which gives a static view of the most frequent searches along with an approximate count of the number of requests for each. (As I write this, four of the top five searches are “Lil Snupe”, “Miley Cyrus”, “Shailene Woodley”, and “John McAfee”*; clearly America has a deep interest in popular culture – but its attention span is getting shorter: James Gandolfini was the runaway top search Wednesday (5,000,000+ searches with numbers 2-4 at only 200,000+), yet he didn’t even crack the 50,000 search mark Thursday.)

* What, you don’t consider a YouTube video featuring cocaine, lap dances, and the handgun execution of a recalcitrant computer to be pop culture at its finest? OK, let’s discuss that at some point.

And then there’s my pet peeve. The “Top Charts” page. Go take a look, I’ll wait. Back? My problems with this page have to do with how things are categorized and how useful they are. For instance:

  • Can we drop Shakespeare from the “Authors” category? Let’s face it, he’s been number one on that list by a wide margin every time I’ve looked at it. Let’s just declare him the winner, filter him out of the results, and make room for the real competition – the current four-way battle between Dan Brown, Ernest Hemingway, Dr. Seuss, and Anne Frank is neck-and-neck, and could only be improved by the addition of a steel cage match. Ditto for the Bible in “Books”. Let’s make more room for the slugfest between “Romeo and Juliet” and “Fifty Shades of Grey”.
  • What are the New York Yankees doing in the “Baseball Teams” category? Shouldn’t they be in the “Bottom-feeding Scum” table?
  • Readers in Texas, are you happy to know that UT Austin is holding a narrow lead over Harvard? Does it enrich your life in any way? Seriously, what benefit does tracking searches for “Colleges & Universities” bring to anyone? Oh, wait, I get it. Clicking through to the top 100, I see that Brown University has dropped 33 places since last month and now sits at number 100. Clearly they need to step up their recruiting. Bet they never would have figured that out without this handy chart.
  • Google generously provides separate charts for “Drinks” and “Foods”. “Coffee”, to nobody’s great surprise, is Number 1 on the Drinks chart, narrowly edging out “Wine”. More surprisingly, “Coffee” is also Number 4 on the Foods chart. Why exactly does Coffee show up on both? (So do Wine, Beer, Tea, and Milk.) How about leaving them on the Drink chart and making room for five actual foods? It’s not like they’re contaminating the Drink chart with crossover foods such as chocolate.
  • Given that we’ve got “Car companies” and “Cars”, do we really also need “Sports cars”? We do? OK, if you insist. But then shouldn’t we also have “SUVs”, “Hybrid cars”, and “Luxury cars”? I guess it’s similar to having “Sports teams”, “Basketball teams”, “Soccer teams”, and “Baseball teams”, but skipping “Football teams” and “Hockey teams”. I get it that the categories are arbitrary, but I’m not seeing any obvious logic behind the selections.
  • Hey, can we go back to the food and drink question? There’s also a category for “Whiskeys” (Jack Daniel’s is leading by a wide margin.) “Whisky” is also Number 10 in “Drinks” (yes, it’s spelled with the ‘e’ in its own category but without in the parent category.)
  • Can anybody explain why “Arnold Schwarzenegger” is being tracked in “US governors” instead of “Actors”? Oh, wait, he’s in both: Number 1 as a governor, Number 50 as an actor. Does that give him an unfair advantage over poor “Chris Christie”, running a distant second in “US governors”? Or should I rather be giving my sympathies to “Clint Eastwood”, Actor Number 92, who can’t take consolation in the fact that he’s leading the list for “US mayors”, since that category doesn’t exist?
  • Then there’s “Medications”, which is a huge mess. It cheerfully mixes brand names, specific drugs, and classes of medications in a single list (the top four are currently “Antibacterial”, “Amphetamine mixed salts”*, “Alprazolam”, and “Ibuprofen”; “Tylenol” comes in at Number 6).

* Any bets on what proportion of the hits are NOT from people interested in ADHD or narcolepsy?

OK, that’s pretty much got the rant out of my system. Does this stuff matter? Maybe it’s just my training as a librarian speaking, but I believe that a consistent classification scheme is the key to storing information. Arbitrary classification leads directly to the inability to find what you need when you need it and misinterpretation of the data you do find. Consider: if Google uses similarly arbitrary methods throughout their operations, are you confident that they won’t be combining your garden center search for deals on lawn fertilizer with your neighbor’s search for the gas station with the cheapest diesel and telling the NSA that people in your neighborhood seem to be very interested in making fertilizer bombs?

Knock-Knock

No, that title isn’t the start of a joke.

Now I feel like an idiot for April’s post on the CISPA bill and its potential to strip privacy protections online.

After all, we now know that we already have no protection.

With this week’s revelations about phone companies being required to turn over metadata for all calls and the existence of the PRISM program that gives the NSA full access to everything that Microsoft, Google, Apple, and a host of other large Internet companies know, it’s clear that if you use a phone or computer, you have no privacy whatsoever.

Consider: According to the Guardian and Washington Post reports, to conduct a PRISM search, the NSA has to be 51% sure that the subject is foreign. That’s the only limitation. A barrier that low will allow a massive number of false positives, but that’s almost irrelevant, because once the search begins, it can (again according to the reports) be extended to all of the contacts of the subject and all of the contacts of the contacts. By design, anyone who is “probably” not a US citizen is – and has been since at least 2007 – a terrorism suspect.

Hell, more than half of the regular readers of this blog are “foreign”; they have no protection against being the subject of a PRISM search: PRISM was designed to allow the NSA to monitor everything they do online to “protect against terrorism”.

Last week’s picture of Kokoro lurking in the headboard of my bed drew likes from people in England, Wales, and Moscow. The NSA knows that (and knew it before this post told the world). Since I’m now associated with those foreign “suspects”, all of my online activities are now available to the NSA, and because I’m associated with you, so are yours. And by “you”, I’m not just talking about those of you reading this post. Everyone I’ve communicated with falls into that category – as described, PRISM would make it trivially easy for the NSA to link the email address I use for this blog to all of my other email addresses, at which point they’ll find out that I’ve exchanged emails with citizens of India, Japan, and China. Better check all of their contacts; since they’re foreign, the rule of “two levels of contacts” resets and the NSA can chain their searches outward from there. Nice work, Kokoro. You’re single-pawedly responsible for the investigation of thousands of people around the world for their possible roles in plotting terroristic acts against the US.

Yes, I do have a sudden urge to make myself an aluminum foil hat. Why do you ask? Right now it’s seeming like the most sensible thing to do.

Seriously though folks, if even half of the capabilities being touted for PRISM are accurate, by combining its output with the results of the phone company data, the NSA can figure out not only damn near everything you’ve done online, but also what you’re doing out in the real world. Legally. And that’s why I feel like an idiot about getting bent out of shape over CISPA – all that adds to the government’s capabilities is to let the FBI and Homeland Security track US citizens without first linking them somehow to someone “foreign”.

Please, no comments along the lines of “If you’re not doing anything wrong, you shouldn’t care.” If nothing else, when the government can secretly monitor everything you do, “wrong” is what they define it to be. I don’t think I’m being overly pessimistic in saying that “Niemöller” and Orwell were conservative.

Frankly, I think there’s very little we can do. The capability won’t go away: even if a public outcry forced the repeal of the PATRIOT Act and the other legislation that enables this warrantless surveillance, you can be sure that the tools will stay in the hands of the government agencies that have them now. They’re just too useful for them to give up. And removing the laws that limit their use will just encourage the agencies to use them more: why shouldn’t they if any use is illegal?

Heck, given the administration’s position that these data collection programs are “a critical tool in protecting the nation from terrorist threats”, even trying to take those toys away can be classed as a terroristic act (giving aid to terrorists).

If y’all will excuse me, I’m going to go downstairs and arrest myself. Maybe if I save the government the effort of doing it, they’ll let me share my cell with Kokoro.