Monday, March 08, 2021

My Blogs Have Moved, March 2021

This post will be the last one on Randomness, but my blog is not going away. It has simply moved from Blogger to WordPress. To keep up with my posts, please bookmark Cragin's Random Thoughts over on WordPress. All content from Randomness has been migrated to Cragin's Random Thoughts, so you can still wander my past musings.

I moved the blog for several reasons. WordPress gives me greater control over both the content and coding than Blogger. Regarding content, Blogger is owned by Google, and I am concerned about the cancel culture and wokeness censorship of Google affecting Blogger sites. Regarding coding, Blogger has been moving to a new code format that forces all embedded links to be coded as if they were Google Search referral links, instead of straightforward URLs. That change makes Google tracking of my readers more pronounced, something I do not wish to force on my readers. As I make this announcement in March 2021, all my Blogger links are still simple URLs, but I cannot guarantee that the site will not be automatically converted to the newer tracking-link format in the future. WordPress also gives me much greater latitude in site design than Blogger allows, so I will enjoy playing with new looks and tools in WordPress.

In parallel with my blog move, I am shifting my primary video host from Google-owned YouTube to Rumble. My reasons are basically the same as for the WordPress move. My YouTube videos will not disappear, because Rumble will be managing them for me.

Along with this blog move, I have migrated my hang gliding Flight (b)Log to Craig Flew Hang Gliders in WordPress. While I retired from flying gliders in December 2018, I want to keep my flying reports and linked videos available online, and as above without the new Blogger Google-tracking links in them.

I have been using Blogger and YouTube since 2003, so this is a big move for me, but I think it is overdue.

(c) 2021 D. Cragin Shelton

Wednesday, March 03, 2021

Invite Your Adversary to the Meeting

Well here is a bit of national security intersecting with popular technology:

From the Washington Post on March 3, 2021

Opinion: The White House’s use of Zoom for meetings raises China-related security concerns

Opening paragraph:

"The Biden White House is using the teleconference platform Zoom for most of its unclassified government-related virtual interactions, even as the Justice Department is prosecuting one of the company’s China-based executives for working with Beijing’s intelligence services to interfere in Zoom calls. Some lawmakers, former officials and experts are warning that the Biden administration may be ignoring the risks."


There have been extensive concerns over how much of Zoom is engineered in China, and over its extensive server capacity in China, raising legitimate questions about what data on those servers is available to the Chinese government. Zoom was caught lying about the level and type of encryption used in Zoom calls: their "end to end encryption" turned out to mean https (TLS) between clients and servers, which protects the call only in transit and leaves it readable on Zoom's servers. Sheesh! Trustworthy much?

I have heard reports that selected US government agencies have blocked Zoom from their desktop computers. They get it.

How can senior executives ignore the situation so blatantly?

One contribution to the mess is the combination of ease of use and wide promotion. Chinese designers have proven themselves, in both Zoom and TikTok, as expert in human factors usability design and features inclusion.

Be wary, be very very wary.

(c) 2021 D. Cragin Shelton

Saturday, January 23, 2021

GeoLoc Privacy: Government Workarounds

Your phone knows where it is, and thus most of the time, where you are. And your phone tells your phone company all of the time. Mobile phone companies know where your cell phone is all the time it is turned on. They have to, because they monitor which cell towers it uses. And they keep records of your phone's geographic location (geoloc). Who else knows? The history of your phone locations is considered sensitive privacy data, and in many jurisdictions a law enforcement or intelligence activity must have a warrant or court order to obtain those records from the phone company. That sounds nice, but do not for a moment think your location privacy is protected from government surveillance by these legal requirements. Your geoloc history is on the market for purchase, and governments are buying.

Every smart phone is delivered with a batch of apps already installed, and almost every new owner adds more games and productivity apps in short order. They also very rarely read and understand the permissions they grant to those apps when they click the ACCEPT button to install each app. And a surprising number of apps ask for permission to know your location. Why in the world would a flashlight app or a picture-mapping app need to know where it is being used? Because those app companies build their own geoloc files for your phone, independent of the phone company's records. Then they sell that data to data brokers. And the data brokers aggregate that data from multiple app vendors to sell to other customers. Who buys from these data brokers? We can assume companies that want to do marketing analysis are primary buyers. However, another buyer category has come to light: government agencies.

See the Jan 22, 2021, Verge article US Defense Intelligence Agency admits to buying citizens’ location data. The title tells the core story: while the US Supreme Court Carpenter ruling said the government must have a warrant to obtain geoloc data from phone companies, both the DIA and law enforcement agencies assert that ruling does not restrict them from buying geoloc data from commercial data brokers, without any judicial approval in advance. You can read for yourself what the DIA said in their memo to Senator Wyden explaining their testimony in a recent Senate committee hearing. Basically, DIA says it is OK for them to have this data, and as long as they are not looking at it, they have not "collected" location data on US persons. Hmmm, that sounds a lot like the testimony years ago by an NSA Director that they had not "collected" the cell phone data being stored in their massive Utah data center, because they had not looked at that data.


“When I use a word,” Humpty Dumpty said in rather a scornful tone, “it means just what I choose it to mean — neither more nor less.”
“The question is,” said Alice, “whether you can make words mean so many different things.”
“The question is,” said Humpty Dumpty, “which is to be master — that’s all.”

Lewis Carroll, Through the Looking Glass


(c) 2021 D. Cragin Shelton

Sunday, January 17, 2021

WhatsUpp at WhatsApp

WhatsApp (WA) recently announced new privacy policies on data sharing that emphasized that, as a Facebook (FB) company, they will share data collected on users with the other FB companies. Lots going on here.

1. Apparently this new sharing policy has caused a massive backlash, especially in India.
WhatsApp Scrambles As Users In Big Indian Market Fret Over Privacy (1/15/21)

2. FB and WA have reacted to the clamor by delaying the new policy implementation three months.
WhatsApp is delaying a new policy change after critics claimed the update would have turned over user data to Facebook (1/15/21)

Note they apparently are trying to deal with their PR mess, not improve the policy. FB is claiming that they have not really changed how they handle data within the FB family of companies, and have only improved how they support businesses that use WA.

3. People abandoning WA have created a good news/bad news situation for competitor encrypted chat service Signal, as new Signal subscribers swamp their servers.
Messaging App Signal Facing Technical Difficulties  (1/15/21)

Presumably many of the messaging migrants were influenced by Tesla CEO Elon Musk's statements.
Signal sees surge in new signups after boost from Elon Musk and WhatsApp controversy  (1/7/21)

4. Isn't user privacy preserved as long as WA keeps the promise to use true end-to-end encryption, never decrypting chat content?

Not really. By merging all data from all FB companies about who you chat with, when, how often, and for how long, what FB pages you visit and which you like, what online ads you click in FB, then cross-linking that with what FB knows about all of your chat contacts, and who they contact, they can build a whopper of a detailed dossier on you. The detail will include all unencrypted messages FB can read through Facebook Messenger, along with comments on your FB page and the FB pages of those contacts. Consider particularly an open conversation in FB Messenger with a comment as a new topic opens up, "Let's move this to WhatsApp."

This process is based on the network analysis processes used for many decades by signals intelligence agencies like NSA and GCHQ. Think of it like super-powered contact tracing. In fact, consider NSA's methods today for social network analysis, as described in Wired's
Inside the NSA’s Secret Tool for Mapping Your Social Network (5/24/2020)

We can reasonably assume that FB is doing exactly the same thing as the NSA as they build your personal dossier with all of their tools.
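To make the point concrete, here is an added illustration (not from the original post, and not any FB or NSA tooling) of how much a handful of metadata records reveals even when every message body is end-to-end encrypted. The records, names and services are constructed for the example; the functions build the contact graph, list a person's closest contacts, find their contacts' contacts, and flag pairs who talk on more than one service, which is exactly the cross-linking the post describes.

```python
from collections import Counter, defaultdict

# Constructed metadata records: (sender, recipient, service, hour-of-day).
# No message content is present; everything below uses metadata only.
RECORDS = [
    ("alice", "bob", "whatsapp", 9), ("alice", "bob", "whatsapp", 21),
    ("bob", "alice", "whatsapp", 22), ("alice", "carol", "messenger", 12),
    ("carol", "dave", "messenger", 13), ("dave", "carol", "whatsapp", 13),
    ("alice", "bob", "messenger", 8), ("erin", "bob", "whatsapp", 19),
]

def contact_graph(records):
    """Undirected weighted graph: how often each pair exchanged messages."""
    edges = Counter()
    for sender, recipient, _service, _hour in records:
        edges[frozenset((sender, recipient))] += 1
    return edges

def contacts_of(edges, person):
    """Direct contacts of a person, sorted by message count (descending)."""
    out = {}
    for pair, n in edges.items():
        if person in pair:
            (other,) = pair - {person}
            out[other] = n
    return sorted(out.items(), key=lambda kv: (-kv[1], kv[0]))

def two_hop(edges, person):
    """Contacts of contacts, excluding the person and their direct contacts."""
    direct = {name for name, _ in contacts_of(edges, person)}
    reach = set()
    for contact in direct:
        reach |= {name for name, _ in contacts_of(edges, contact)}
    return reach - direct - {person}

def cross_service_pairs(records):
    """Pairs seen on more than one service. Where one service is readable
    (e.g. unencrypted Messenger), the same pair's encrypted channel is linked."""
    services = defaultdict(set)
    for sender, recipient, service, _hour in records:
        services[frozenset((sender, recipient))].add(service)
    return {tuple(sorted(pair)) for pair, seen in services.items() if len(seen) > 1}

if __name__ == "__main__":
    graph = contact_graph(RECORDS)
    print("alice's contacts:", contacts_of(graph, "alice"))
    print("two hops from alice:", two_hop(graph, "alice"))
    print("pairs on multiple services:", cross_service_pairs(RECORDS))
```

Nothing here needs message content: the who, when and how often alone place alice in a small cluster, reach erin and dave through bob and carol, and tie the alice-bob Messenger thread to their WhatsApp traffic.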

(c) 2021 D. Cragin Shelton

Wednesday, November 25, 2020

Availability, Resiliency, and Over-reliance on a (THE) Cloud

I have a nifty, rather expensive Roomba robot vacuum cleaner from iRobot, named Darth III. If I want it to do anything other than leap out to clean the entire house, I can only control it with a smartphone app connected through my iRobot account. Early this morning I sent it to clean a group of four rooms while no one was in them. Done. An hour later I tried to send it on another assignment. FAIL! The app said Darth III was not connected to the net. Hmmm. I tried to send a tech support note to iRobot using that feature in the app. FAIL! No connection to the servers.
After several attempts at local fixes, such as rebooting the robot and rebooting my router, I gave up and called iRobot tech support. The recorded message answering the number was informative: due to a problem at AWS (Amazon Web Services, Amazon's HUGE cloud service provider operation), the iRobot app was not available. Well dang, that means that all of the high-end Roombas and Bravas (robot mops) are dead until further notice. It is now 8 hours later, and my fancy-dancy vacuum cleaner is still a doorstop (that's an old PC reference for the younguns).

Sure enough, a web search for "AWS outage" tells the basic story:

Amazon Web Services outage takes a portion of the internet down with it
Zack Whittaker (@zackwhittaker), 11:32 AM CST, November 25, 2020

Prolonged AWS outage has taken down a big chunk of the internet, recovery may take ‘a few hours’
Jay Peters (@jaypeters), Nov 25, 2020, 12:14pm EST

where I learned,
"Many apps, services, and websites have posted on Twitter about how the AWS outage is affecting them, including 1Password, Acorns, Adobe Spark, Anchor, Autodesk, Capital Gazette, Coinbase, DataCamp, Getaround, Glassdoor, Flickr, iRobot, The Philadelphia Inquirer, Pocket, RadioLab, Roku, RSS Podcasting, Tampa Bay Times, Vonage, The Washington Post, and WNYC."

Amazon Web Services » Service Health Dashboard

So, lesson time. Do you have local operations or services that cannot work if a remote server outside your control, or a cloud service, goes T!t$ Up? Think about it. I do have my Shark in the closet upstairs, ready to go. But, being old and lazy, I think I will try to wait out Amazon.

Gee, I wonder if the Amazon delivery management system is in that part of AWS that has crashed? If so, gonna be a LOT of Amazon orders late today.

(c) 2020 D. Cragin Shelton