Recent Articles

As the weeks roll on it has become clearer that the NSA has cast a very large, very fine, net over all communications in, out, and through the US. If the NSA is to be believed then they do their very best *not* to capture American communications, but they regularly fail at avoiding such capture — instead relying on their vague “minimization” techniques to make up for the capture of American communications.

One of the reasons this is such a hard debate to solve, is that there are a lot of moral decisions that need to be made — questions that need answers.

The first question we need to answer is: Should the NSA and other federal agencies be allowed to use any and all technology available to catch criminals and terrorists? I believe the *only* answer to that question is an emphatic yes. The next questions are trickier:

– Should these agencies be allowed to act without direct oversight?
– Who oversees these agencies and their policies?
– Should the laws governing these agencies be made in secret to protect law enforcement abilities?
– How much should be known publicly?

I could go on. I am, surprisingly, in favor of most of what the NSA is doing, but the current oversight seems to be totally insufficient. The program should be openly debated in Congress, approved through normal courts, and FISC should only be used for specific people that the government believes are far too high risk to hold a debate over in open court. And even in those circumstances the rulings should be made public after twelve months — no redactions.

The one question I keep tripping over: How, and for how long, should the government retain information they gather about individuals? Additionally, when and who authorizes searches within that retained data?

Essentially let’s say (purely theoretically and simplified) that the NSA holds a database on every email sent — ever. With the interests of the nation in mind, I cannot figure out the following:

– How should that database of emails be stored?
– Should the NSA be allowed to store this data indefinitely, indiscriminately, or should it be filtered and deleted, or just deleted based on dates?
– When should this data be allowed to be searched? By court order? By suspicion? By lovers?

There are many problems here, because quite simply the more data the better when it comes to truly preventing bad things. I acknowledge that, but we also cannot be a nation scared to speak for fear it may show up on a boolean query by an underpaid NSA worker.

Had 9/11 been totally planned via email, then clearly there’s a lot of benefits to indefinite storage and easy searching of email data. When the first plane hits, the NSA knows exactly what to look for and maybe, just *maybe*, they know what is going on before the other planes strike. At the very least, they know the scope of the attack. That’s a great argument in favor of keeping everything, allowing easy searching, and so forth. I truly believe that FISAA, FISC, and the NSA created these tools and are using them with this mindset.

But there’s a flip side to all of this. What if two idiots get drunk and hatch a plan that sounds a lot like terrorism. They communicate over channels monitored by the NSA and get flagged. The plans seem detailed and the “voice” of the messages seems intent on execution. Should the NSA swoop in then? Should they wait until it’s too late? If they swoop in right away, then we never know if that plot would have been carried out. Is that the society we want to live in?

Further, if those people are only observed then many hours have been wasted watching people that never do anything while others slip by.

Now think about this: The FBI catches a person, the *suspect* of terrorism, based on a couple of illegal items they find in their house. Normal penalty (making this up) is five years in prison. But the FBI asks the NSA to run a little search, and it turns out the guy was one of two drunk idiots sending the emails described above. Now what? He’s still only guilty of being an idiot in possession of illegal items, but because of the emails should the punishment be harsher? Why? He still only did one thing against the law…

*Ugh.*

I can’t answer a lot of these questions, which is exactly why I think this is a topic for public debate in Congress. I just hope the president gives us that chance. There’s no correct decision to be made, but there is a sound decision with good reasoning. That’s all I want.

[Michael Kassner reporting][1] on the [reverse-engineering of the Dropbox client][2]:

> The paper goes to great lengths explaining how Dhiru and Przemyslaw successfully gained access to a victim’s Dropbox account and files. The two also mentioned in the paper with each new version of Dropbox, developers were able to harden the client’s security, which in turn eliminated one or more attack vectors.

Essentially they figured out how Dropbox auto-authenticates you into Dropbox.com when you click the link to launch the website from the app. What always worries me about these types of hacks, the same as Kassner worries, is how long they have been in the wild without anyone knowing.

I don’t feel nearly as optimistic about Dropbox security as [Gabe does][3]. It feels to me that the better target for hackers now is services like iCloud, Dropbox, and SkyDrive instead of attacking OSes. Why bother attacking a physical machine running Windows or OS X, if you can instead target a service that stores the actual *files* for millions of physical machines?

I feel like this is just a tip of a very large iceberg surrounding cloud file storage.

[1]: http://www.techrepublic.com/blog/it-security/researchers-reverse-engineer-the-dropbox-client-what-it-means/?utm_medium=App.net&utm_source=PourOver
[2]: https://www.usenix.org/system/files/conference/woot13/woot13-kholia.pdf
[3]: http://www.macdrifter.com/2013/08/dropbox-reverse-engineered-link.html

[George Friedman writing about the tough decision President Obama has to make regarding Syria][1]:

> This is no longer simply about Syria. The United States has stated a condition that [commits it to an intervention][2]. If it does not act when there is a clear violation of the condition, Obama increases the chance of war with other countries like North Korea and Iran. One of the tools the United States can use to shape the behavior of countries like these without going to war is stating conditions that will cause intervention, allowing the other side to avoid crossing the line. If these countries come to believe that the United States is actually bluffing, then the possibility of miscalculation soars.

That’s the danger of bluffing in anything — you better be 100% certain you aren’t called, or willing to take the risk you are. I think it is clear this was a bluff on Obama’s part. Right or wrong Obama has now been called. There is very little choice for the United States now — because either hard line statements from our President no longer carry weight, or we go to war (of some scale). Both options, for lack of a better word, suck.

> The attacks could prove deadlier than the chemicals did. And finally, attacking means al Assad loses all incentive to hold back on using chemical weapons. If he is paying the price of using them, he may as well use them. The gloves will come off on both sides as al Assad seeks to use his chemical weapons before they are destroyed.

I don’t see this ending well for anyone at this point.

[1]: http://www.stratfor.com/weekly/obamas-bluff
[2]: http://www.stratfor.com/geopolitical-diary/us-prepares-intervention-syria

[OmniKeyMaster][1] is a great new tool from The Omni Group which allows Mac App Store users of Omni software to quickly and easily move to non-Mac App Store versions. This allows faster updates (because they bypass App Store approval) and upgrade pricing.

I think this is a very smart move and a great tool. Effectively it removes a decision users have to make: now you just buy from the Mac App Store and if you want upgrade pricing later you can convert easily. More-or-less a win-win. The nice part about buying from the Mac App Store is that (hopefully) Apple has your back and won’t allow you to download anything dangerous to your system. With a tool like OmniKeyMaster you can then use the App Store to gain trust in developers *before* you move outside of the Apple-dome-of-protection.

Now this tool is just for Omni applications, but I hope other companies take note and perhaps someone builds a service for *all* developers to use. One tool to convert any Mac App Store app you want to a non-Mac App Store app, that would be great.

[1]: http://www.omnigroup.com/blog/entry/omnikeymaster-upgrade-pricing-for-mac-app-store-customers

[Dan Frommer][1]:

> The main thing you need to know about my iPad mini right now is that it’s here next to me, and I’ve already been using it a bunch today. I also fell asleep reading it last night, and almost every night last week.

After initially scowling at the iPad mini, I bought one from a [buddy][2]. I bought one because the iPad (3) is damned heavy to carry around and even more cumbersome to deal with if you need two hands and don’t have a bag. I use the piss out of both of my iPads, so I have a few thoughts on them that I will share (in no particular order):

– The size and weight of the iPad mini make it better for almost every task.
– The size of the proper iPad is much better for scribbling notes with a Cosmonaut.
– The size of the proper iPad is superior for typing, even with a bluetooth keyboard the display feels better for writing.
– Not having retina blows, but you get over it when you realize your arms aren’t tired after one page of reading.
– I read with my iPad mini *every* night — I did that for only a few months with my proper iPad.
– I abuse the crap out of my iPads, neither have broken.
– When I head to work I always take my retina MacBook Pro, proper iPad, and then debate about taking the mini. It makes it into my bag 40% of the time.
– The mini is *always* the device I grab if I rush out of the house and am not sure if I might need some extra computing prowess.
– The mini is *the* device I take when we go on day-trips, and weekend getaways (where I have been given the “you better not bring stuff to work on” look).

I’d buy a retina iPad mini over another full-size iPad, but only if the weight and size didn’t change the wrong way on the mini. More likely, I am looking to upgrade *both* iPads and my iPhone this fall.

[1]: http://www.splatf.com/2013/08/ipad-mini-still/
[2]: http://512pixels.net

[Khoi Vinh looking at an Instagram shot of his in the square crop, and how he would have cropped it for portrait][1]:

> I’m not arguing that Instagram should allow portrait images. I’m just saying the world is more interesting than just squares.

There’s a lot that is great about the square crop, but it’s also not a very useable image crop. You rarely see frames for square crops, and your displays are rectangular. In my house I can often be heard, rather rudely, barking at people: “why don’t you shoot that picture/video in an *useable* orientation.” Meaning: stop shooting video in portrait and stop taking group photos in portrait. I try to shoot 95% of all my photos in landscape, with only an odd few in portrait.

I simply find that every time I take a good shot in portrait, there isn’t much I can do with that shot that I actually want to do with it. It’s doubly annoying for square images. They can look great, but then what the hell do I do with a square image? It looks great on my iPhone screen, but outside of that it just looks like: where did the rest of the picture go?

[1]: http://www.subtraction.com/2013/08/26/square-v.-portrait

[Bruce Schneier, in **2010**, for CNN][1]:

> In order to comply with government search warrants on user data, Google created a backdoor access system into Gmail accounts. This feature is what the Chinese hackers exploited to gain access.

This was written before we knew about 90% of the NSA dragnet, Yet here is [Google’s statement, from CEO Larry Page, on PRISM (circa 6/2013)][2]:

> First, we have not joined any program that would give the U.S. government—or any other government—direct access to our servers. Indeed, the U.S. government does not have direct access or a “back door” to the information stored in our data centers. We had not heard of a program called PRISM until yesterday.

Perhaps Page needs to clarify that just the Chinese have direct access to that backdoor? ((By the way, why are you still using Gmail?))

[1]: http://edition.cnn.com/2010/OPINION/01/23/schneier.google.hacking/index.html
[2]: http://googleblog.blogspot.com/2013/06/what.html

[Dan Goodin on the coming iOS secure texting app, TextSecure][1]:

> Moxie Marlinspike, the pseudonymous security researcher, cryptographer, and developer of the TextSecure and RedPhone privacy apps for Android, has devised a simple trick that iPhones can use to respond to another phone’s key requests even when the app is inactive. The technique relies on “prekeys” that are generated and sent to a server when TextSecure is first registered. When a separate TextSecure user wants to send a message, he’ll no longer have to wait for the other party to respond with her key. Instead the sender will be able to download her prekey and so the ephemeral key can be generated right away.

I read about this a few days ago, but was holding off posting to see if anyone would shoot holes in this method. I have yet to see anyone complaining about it enough to warrant suspicion, but there are a couple things I really don’t like here:

1. “the pseudonymous security researcher” — that doesn’t make me feel all warm and fuzzy about the developer, let alone trust this person.
2. From what I can tell your pregenerated keys sit on a remote server, are then fetched, and used to pair and encrypt the message. This is a neat trick, but my fear is that your keys could be compromised *before* you even get the message. So yes, it would be hard to *go back* and decrypt your old messages, but if the server that holds the keys is compromised then all of your new messages could be decrypted in real time (I would assume) and thus you need to trust the server your keys are on. Which brings me back to point one.

I regularly use Silent Circle and Wickr. Wickr is an odd beast that I have talked about before and the security of it is questionable due to the same server issue. I’ll take you back to [this post][2] where Matthew Green looks through secure messaging apps.

Green can’t even weigh in on Wickr, which is concerning. He is in awe of the code for TextSecure (I wasn’t using the pre-key method at the time of Green’s writing), and as for Silent Circle they have been independently audited at a code level and nothing sounds any alarms. TextSecure seems to actually be secure.

I personally think the best bet is Silent Circle for these reasons:

1. They shut down their email service preemptively instead of having any of their users privacy violated — they did so on the notion that they may be forced to turn over everything instead of waiting to be forced into it.
2. I know who they are (not personally). Using your real names, establishing a real company, and showing your credentials goes a long way to establish trust with me.
3. They claim the message key are stored on the device, never leave the device and are not on any servers.

For those reasons I am sticking with Silent Circle to talk to, uh, myself with — man I wish more people took this seriously enough to get accounts on these services. Ultimately, I think TextSecure will stand a good chance because it will be free and secure-ish.

[1]: http://arstechnica.com/security/2013/08/in-surveillance-era-clever-trick-enhances-secrecy-of-iphone-text-messages/
[2]: http://blog.cryptographyengineering.com/2013/03/here-come-encryption-apps.html?m=1

Dave Winer (no link because I refuse to link to sexist douchebags):

> Now, I’m sure there is sexism, probably a lot of sexism. But I also think there’s something about programming that makes many women not want to do it. Here’s a theory why that might be.

That last line? He went back and struck it, as in strike-through, but even without the last line that’s a pretty fucking sexist comment. There’s been a lot of responses. So many comments that Winer has been deleting comments on his blog (many with merit) and writing piece after piece trying to win back credibility, or something, trying to convince himself he is a good guy? I don’t know, I don’t care.

I personally like the response from [Faruk Ateş, who says][1]:

> If there *was* any specialization in the genders, programming would still, to this day, be utterly dominated by women, because they were the first software programmers (hell, they *invented* programming). As today’s programming environment is dominated by men, and this is a recent development as well as a complete turnaround from how it used to be, which is, being dominated by women, the entire foundation of your belief is a lie, and your belief rests on you deluding yourself over these facts.

“Why are there so few women programmers?” Perhaps because of thinking like Winer’s.

[1]: http://farukat.es/journal/2013/08/694-dear-dave-winer-you-cant-silence-truth

[Mari Yamaguchi][1]:

> Now, 2 1/2 years later, experts fear it is about to reach the Pacific and greatly worsen what is fast becoming a new crisis at Fukushima: the inability to contain vast quantities of radioactive water.

Let’s see: leaking tanks of radioactive water, contaminated ground water, and radioactive water spilling out of underground reservoirs — all headed towards the Pacific Ocean.

Question: why isn’t this the top priority of, well, *everyone*?

[1]: http://talkingpointsmemo.com/news/fukushima-vast-amounts-of-radioactive-water-creeping-towards-sea.php

[Mr. Supersite on the announcement of Ballmer’s retirement][1]:

> On a personal note, I’ll just add that Ballmer was one of the good guys. Though he was relentlessly mocked for his over-the-top public appearances in years past, Ballmer was also relentlessly pro-Microsoft and it’s very clear that the troubles of the past decade were at least in part not of his making: Ballmer inherited a Microsoft that had been driven into an antitrust quagmire by Mr. Gates, handicapping its ability to compete effectively or respond to new trends quickly. While many called for his ouster for many years, I never saw a single leader emerge at Microsoft who could fill his shoes or the needs of this lofty position. Looking at the available options today, I still don’t.

What a fucking shill. As I have [shown before][2], Ballmer inherited a Microsoft on the rise, not on the fall. The anti-trust stuff did little to stymie the company and had Ballmer been competent it would have had zero effect on Microsoft.

You don’t see viable replacements today at Microsoft because Ballmer [booted anyone][3] he saw as a threat to his job. Ballmer ran the company scared of losing Windows and Office dominance, and ran his firings of executives scared for his own job. That’s not someone who is “relentlessly pro-Microsoft” — that’s someone who is operating in pure self-interest.

[1]: http://windowsitpro.com/paul-thurrotts-wininfo/microsoft-ceo-steve-ballmer-retire-2014
[2]: https://brooksreview.net/2011/05/ballmer/
[3]: http://www.moneycontrol.com/news/world-news/key-microsoft-executive-departuresrecent-years_855477.html

[Microsoft press release][1]:

> Microsoft Corp. today announced that Chief Executive Officer Steve Ballmer has decided to retire as CEO within the next 12 months, upon the completion of a process to choose his successor. In the meantime, Ballmer will continue as CEO and will lead Microsoft through the next steps of its transformation to a devices and services company that empowers people for the activities they value most.

*Finally*. I’ve gone over already a [couple](https://brooksreview.net/2011/05/ballmer/) [of times][2] how bad I think Ballmer has been.

[1]: http://www.microsoft.com/en-us/news/press/2013/aug13/08-23AnnouncementPR.aspx
[2]: https://brooksreview.net/?s=ballmer

[The Economist][1]:

> Creative people’s most important resource is their time—particularly big chunks of uninterrupted time—and their biggest enemies are those who try to nibble away at it with e-mails or meetings. Indeed, creative people may be at their most productive when, to the manager’s untutored eye, they appear to be doing nothing.

This is a great article, but certainly nothing new for anyone at this point. Email and meetings waste far too much time — everyone’s time. I think the title of the article is inaccurate — it’s not so much laziness, but focus that is needed. Those two can be mistaken for each other, but they certainly are not the same.

Staring off into a window thinking is focus, but can be seen as laziness. But if staring is serving a purpose, then it really isn’t laziness. Doing less is not laziness either, so long as by doing less you do better work. But doing less becomes laziness if you are simply doing less for the sake of doing less work.

[1]: http://www.economist.com/news/business/21583592-businesspeople-would-be-better-if-they-did-less-and-thought-more-praise-laziness

[Wolf Richter reporting on a Die Zeit article][1]:

> Now there is a new set of specifications out, creatively dubbed TPM 2.0. While TPM allowed users to opt in and out, TPM 2.0 is activated by default when the computer boots up. The user cannot turn it off. Microsoft decides what software can run on the computer, and the user cannot influence it in any way. Windows governs TPM 2.0. And what Microsoft does remotely is not visible to the user. In short, users of Windows 8 with TPM 2.0 surrender control over their machines the moment they turn it on for the first time.

> It would be easy for Microsoft or chip manufacturers to pass the backdoor keys to the NSA and allow it to control those computers.

This is going to be an interesting one to watch. The report mentions that Linux cannot use this system and that Apple phased out the chips in 2009 — a good reason not to own an old Mac if you ask me.

The links to the NSA seem to be speculation and hearsay, but I don’t think it is a big leap to make. It’ll be interesting to see the Microsoft response to this… If they even do respond, but Microsoft seems to be taking the negative NSA feelings seriously enough to be fighting to reveal what they were perhaps “forced” into doing.

Either way this stands to be the biggest hit to a U.S. business yet. If it can be proven that the NSA can access those chips directly, then I don’t know why a single person would want to buy such a computer — let alone a corporation or government.

[1]: http://investmentwatchblog.com/leaked-german-government-warns-key-entities-not-to-use-windows-8-links-the-nsa/

Last week App.net celebrated its one year anniversary. App.net, of course, started as a response to Twitter’s stupidity and hostility towards developers. Since App.net launched it has become so much more than just a Twitter clone — App.net is a platform.

But the real problem with App.net is that it’s too difficult to explain to non-geeks. Mat Honan illustrates this in his so-so [Wired article on the anniversary of App.net where it takes him more than 700 words to get to this][1]:

> In simple terms, App.net is a tool that affords you control of your data and network. It lets developers write apps and tap into users’ existing social graphs and stored files. Its first app was a Twitter-esque status updating service.

Once you use the term “social graphs” you have failed to explain something. Honan seems like a sharp guy, but 700+ words to explain App.net? Yikes — that doesn’t bode well for the service. I know I couldn’t do better.

Explaining the product is only part one of the issue, part two is that App.net failed to capture the “top” nerds. Yes John Gruber, and Marco Arment are on App.net, but they don’t actually use it. I suspect they pop in from time to time and they stay on Twitter. ((I suspect this, but can’t confirm, because fuck Twitter.))

As of this writing Gruber is the second most followed account on App.net (trailing only the official App.net account) and the last time he posted was two weeks ago and then a little over two weeks before that. It’s safe to say, Gruber is not an active user. Why should any of his followers on Twitter follow him over to App.net, when it’s clear they aren’t missing much? Marco Arment is in the top five followed users too, and he’s not using App.net much more than Gruber.

This is the problem. ((Don’t make the stupid argument that the ‘App.net’ name is the issue here. I’ve seen much stupider names be successful. For example, ‘Sennheiser’ is a successful brand name that most people can’t even spell properly on the first try.))

App.net is hard to explain to geeks that tolerate Twitter and even those geeks don’t use the service in full-force. Personally, I love App.net and use it daily, but I am clearly an outlier. There’s some very cool stuff happening with the App.net service and I look forward to seeing it, but I can’t quite shake the feeling that Honan may be right and in a couple of years we will be thinking, “App.net? What was that again?”

[1]: http://www.wired.com/gadgetlab/2013/08/the-great-app-net-mistake/

[Ryan Tate on the Internet.org project][1]:

> The problem is that this isn’t enough for the company. It {Facebook} has to be solving “one of the greatest challenges of our generation,” with nary a mention of the big financial upside — and there is one, believe me, for Facebook. This is part of a broader pattern in which the company habitually acts like it’s more akin to a charity than a business.

It was hard to stop my eyes from rolling around in their sockets when I heard about the project. I still haven’t taken the time to read the webpage, it doesn’t render without — well — without whatever I have turned off in Safari.

[1]: http://www.wired.com/business/2013/08/facebooks-selfish-gift/