Aug 05 2016
Computer security is evolving in a time of social media

One of the sad truths of today’s online world is that dissidents, lawyers and journalists are ripe targets for governments that want to suppress those they perceive to be their enemies.

At the Black Hat security conference in Las Vegas today, the Electronic Frontier Foundation’s Eva Galperin and Cooper Quintin gave a demonstration of just what lengths governments will go to in hacking their opponents.

In When Governments Attack, Galperin and Quintin illustrated how Syria, Ethiopia and Vietnam are all countries whose hacking campaigns they’ve encountered, but the particular focus was on Operation Manul, which revolved around the Kazakhstan regime’s attacks on its opponents.

The government of Nursultan Nazarbayev is well known for its corruption, intolerance and global harassment of its opponents, as Quintin and Galperin showed. What’s of particular interest to them is the use of off-the-shelf malware tools.

Using cheap commodity tools has the advantage of not leaving distinctive patterns that might give investigators hints as to who developed the malware. The downside, of course, is that most antivirus products can detect these tools.

For the regimes this is not such a problem, as most of their targets are relatively unsophisticated: the activists, lawyers and journalists targeted by government agencies or their contractors generally do not have high-level tech skills or use advanced security tools.

Another concern is how private contractors are employed by these governments. An interesting tactic used by the EFF is to commence legal proceedings against US-based corporations for operations they’ve conducted against dissidents visiting or living in the United States.

Galperin and Quintin have three conclusions from examining these attacks.

  • Attacks don’t need to be sophisticated to work
  • None of this research is sexy
  • The tools and actors are not sophisticated

While the tools and actors in these sad tales are not sophisticated, the costs to the targets are usually high as they and their families can be subject to terrible consequences.

As we increasingly see both simple and sophisticated software tools made available for use against citizens, we can expect to see more abuses by governments around the world. The job of organisations like the EFF is not going to get easier any time soon.

We citizens though need to do what we can to demand safeguards and legal protections from our governments. Those of us in democracies should be making that clear at the ballot box.

Mar 29 2016

One of the truisms of modern business is that we live in an API economy, where open Application Programming Interfaces allow software companies to connect their platforms, building an ecosystem of developers and extending the functionality of their products.

But what happens when an API shuts down, or a company starts applying the Web 2.0 principles of draconian legal terms and conditions to its data feeds? Pinboard, “the social bookmarking application for introverts”, is illustrating how serious legalese can be for developers.

Maciej Cegłowski, Pinboard’s founder, decided the terms and conditions imposed by the popular automation site If This Then That (IFTTT) were too demanding and pulled his service from the platform.

In a blog post he lays out exactly why, citing IFTTT’s demands for rights over his service along with the option of the platform being able to assign those rights to third parties.

For developers, IFTTT’s terms are almost impossible, as the platform strips them of their intellectual property rights and restrains their trade. It’s a classic case of legal over-reach, which is all too common in the control-obsessed tech industry.

As software vendors release platforms to manage IoT devices through APIs, and cloud services make their plethora of APIs a selling point, access to these interfaces becomes a serious matter for the software industry.

There is a worrying aspect for users in this as well: those relying on Pinboard services driven through IFTTT are now effectively stranded and have to look for another site that provides similar functions.

While Pinboard is quite small, a larger service shutting down its APIs could have dramatic effects. This is even truer with Internet of Things devices that could use a service like IFTTT to run key functions.

Designing devices and services to cater for the possibility that an API or web service may become unavailable needs to be a priority for IoT vendors. For developers and users, the risk that a service may stop is something that should never be far from their minds, and it should be factored into the business and purchasing decisions they make.

Feb 08 2016

Who is responsible for the effects of renegade computer programs is going to become a serious legal topic as an increasing number of things become ‘intelligent’ and connected to the internet.

Britain’s Financial Conduct Authority (FCA) is one of the first regulators to start looking at companies’ algorithms. In its just-released rules for wholesale traders, the FCA sets out the responsibilities of companies and their managers.

“We are determined to embed a culture of personal responsibility within the banking sector,” says the FCA’s Acting Chief Executive Tracey McDermott. “Clear individual accountability should focus minds, drive up standards, and make firms easier to run and to supervise. And if things go wrong, it will allow senior managers to be held to account for misconduct that falls within their area of responsibility.”

The definition of ‘misconduct’ when an algorithm goes awry will undoubtedly prove contentious, as will the idea of ‘personal responsibility’ in the banking sector.

While it’s tempting to be dismissive of such a move in the financial services industry, the FCA’s regulations are a pointer to what most industries are going to face over the next ten years as more devices make decisions for themselves or communicate with other equipment over the Internet of Things.

In many areas the question of who is responsible for a rogue computer program will be left to the uncertainties of the legal system, with no doubt many surprises, injustices, inconsistencies and unintended consequences. The earlier regulators develop a framework for dealing with mishaps, the better.

Should the IoT start delivering on its promise of a connected world, a poorly designed algorithm in even relatively trivial devices or services may have the potential to cause massive disruption and damage. It’s hard not to imagine that many regulators in other industries are looking at how to attribute responsibility, if not minimise risk, in a smart connected world.

Jan 19 2016
censorship on the internet and social media

The Libertarian dream of a free trade zone on the Dark Web, out of reach of the authorities, has come to an end, reports Wired.

Ironically, it’s not the authorities that have discredited these sites; it’s the untrustworthiness of the various contraband services’ operators that has doomed these illicit marketplaces.

While there’s still potential for these dark web markets to evolve into something more robust, their current failure shows that radically changing existing institutions and systems rarely happens quickly or without cost, as those whose Bitcoins were stolen are learning.

Jun 30 2015

What happens when an internet connected device fails?

In The Australian today I have a piece discussing the legal risk of the IoT.

Lawyers warn that manufacturers, distributors and installers all face the possibility of damages should their devices malfunction or not perform as advertised.

This risk is compounded by data analysis, with Michael Stojanovic of international law firm Bird & Bird citing the example of a gas monitoring device that accurately detected and reported a surge, yet the company was still liable because it didn’t warn its customer that something was amiss.

Equally, there’s a risk with misreported or lost data. This in itself presents a problem, as many of the software vendors currently looking at supplying the IoT have a ‘best effort’ mentality where they don’t accept responsibility for service interruptions.

While that attitude may have stood up in court over the last twenty years, it’s unlikely to get much sympathy from judges and juries when critical systems are affected.

Like everything else in life, the lawyers are coming for the IoT.

Apr 04 2015
The law applies online to social media and other web services

Automakers Say You Don’t Really Own Your Car, states the Electronic Frontier Foundation.

In its campaign to amend the US Digital Millennium Copyright Act to give vehicle owners the right to access and modify their automobiles’ software, the EFF raises an important point.

Should the software licensing model be applied to these devices, then purchasers don’t really own them but rather have a licence to use them until the vendor deems otherwise.

Cars, of course, are not the only devices where this problem arises. The core of the entire Internet of Things lies in the software running intelligent equipment, not the hardware. If that software is proprietary and closed then no purchaser of a smart device truly owns it.

Locking down the smarthome

This raises problems in smarthomes, offices and businesses, where the devices people come to depend upon are ‘black boxes’ that they aren’t allowed to peer into. It’s not hard to see how, in industrial or agricultural applications, that arrangement will often be unworkable at best.

Four years ago tech industry leader Marc Andreessen pointed out how software is eating the world: most of the value in an information-rich economy lies in the computer programs that process the data, not the hardware that collects and distributes it.

That shift was flagged decades ago, when the initial fights over software patents occurred in the 1980s and 90s. Today we’re facing the consequences of poorly thought out laws, court decisions and patent approvals that now challenge the concept of ownership as we know it.

Is ownership outdated?

However, it may well be that ‘ownership’ itself is an outdated concept. We could be entering a period where most of our possessions are leased rather than owned.

If we are in a period where ownership is an antiquated concept, then does it matter that our cars, fitness bands, kettles, smoke alarms and phones are in effect owned by a corporation incorporated in Delaware that pays most of its tax in the Dutch Antilles?

Who owns the smartcar’s data?

The next question, of course, is this: if the software in our smart devices is secret and untouchable, then who owns the data they generate?

Ownership of a smartcar’s data could well be the biggest issue of all in the internet of things and the collection of Big Data. That promises to be a substantial battle.

In the meantime, it may not be a good idea to tinker too much with your car’s software or the data it generates.

Mar 26 2015
Big data takes our online, shopping and social media use; it is the business challenge of our time

This morning I’m speaking on ABC Radio’s Overnights about the risks of the Australian government’s law to force telecommunications companies to retain users’ metadata for two years.

The act, currently before the Senate after passing the House of Representatives last week with the support of the poorly named ‘opposition’ Labor Party, mandates that telcos and ISPs will have to retain the details of users’ connection times, places and type of device for two years, and that government agencies will be able to access this data without a warrant.

The program was broadcast on 26 March 2015 at 4.15am Eastern Time with Trevor Chappell and can be listened to on the ABC radio website.

Some resources on the data retention bill follow: