m Quec.li
m's republished posts.
http://quec.li/~m/

matt [wronka.org] People Centric Phone UI
http://quec.es/org.wronka/matt/2015/08/27/
Thu, 27 Aug 2015 09:02:00 -0400
An article from 2013, suggesting people-centric phone UI: <br /> <a href="http://tantek.com/2013/338/b1/people-focused-mobile-communication-experience">http://tantek.com/2013/338/b1/people-focused-mobile-communication-experience</a><br /> <br /> This seems so incredibly obvious, that only after seeing the iOS screenshots did I realize that <a href="http://quec.es/t/apple/">Apple</a> doesn't (hasn't?) had this feature. I've had groups or individuals on my <a href="http://quec.es/t/s60/">S60</a> phone for years, and <a href="http://quec.es/t/maemo/">Maemo</a> (~2011) had you select a person, and then a protocol for communication (<a href="http://quec.es/t/pots/">POTS</a>, <a href="http://quec.es/t/sms/">SMS</a>, <a href="http://quec.es/t/xmpp/">XMPP</a>, <a href="http://quec.es/t/aim/">AIM</a>, <a href="http://quec.es/t/irc/">IRC</a>, <a href="http://quec.es/t/skype/">Skype</a>, etc.). The <a href="http://quec.es/t/maemo/">Maemo</a> implementation sounds exactly like what's suggested, where you can select the person, and for protocols with status (<a href="http://quec.es/t/sip/">SIP</a>, <a href="http://quec.es/t/xmpp/">XMPP</a>, etc.) see if the person is online, and send a message. Or send an eMail instead.

matt [wronka.org]
http://quec.es/org.wronka/matt/2015/08/23/
Sun, 23 Aug 2015 12:37:00 -0400
SNESes in Mr. 
<a href="http://quec.es/t/robot/">Robot</a>'s <a href="http://quec.es/t/mirrors/">Mirrors</a> seem awfully yellowed for a &lt; 4 year old system.

Board Game
http://xkcd.com/1566/
Wed, 19 Aug 2015 00:00:00 -0400
<img src="http://imgs.xkcd.com/comics/board_game.png" title="Yes, it took a lot of work to make the cards and pieces, but it's worth it--the players are way more thorough than the tax prep people ever were." alt="Yes, it took a lot of work to make the cards and pieces, but it's worth it--the players are way more thorough than the tax prep people ever were." />

Security for the Rest of Us
https://www.schneier.com/blog/archives/2015/08/security_for_th.html
Thu, 06 Aug 2015 15:26:00 -0400
<p>Good <a href="http://web.archive.org/web/20150114220658/https%3A//medium.com/@SwiftOnSecurity/a-story-about-jessica-and-her-computer-e400fa9fd4e">fictional account</a> of an average computer user and how people understand and view security.</p>
<p>Related: "<a href="http://dymaxion.org/essays/usecases.html">Real World Use Cases for High-Risk Users</a>."</p>

Nicholas Weaver on iPhone Security
https://www.schneier.com/blog/archives/2015/08/nicholas_weaver_1.html
Thu, 06 Aug 2015 07:09:00 -0400
<p>Excellent <a href="http://www.lawfareblog.com/iphones-fbi-and-going-dark">essay</a>:</p>
<blockquote><p>Yes, an iPhone configured with a proper password has enough protection that, turned off, I'd be willing to hand mine over to the DGSE, NSA, or Chinese. 
But many (perhaps most) users don't configure their phones right. Beyond just waiting for the suspect to unlock his phone, most people either use a weak 4-digit passcode (that can be brute-forced) or use the fingerprint reader (which the officer has a day to force the subject to use).
<p>Furthermore, most iPhones have a lurking security landmine enabled by default: <a href="https://medium.com/@nweaver/the-in-security-of-icloud-backup-41b980977653">iCloud backup</a>. A simple warrant to Apple can obtain this backup, which includes all photographs (so there is the selfie) and all undeleted iMessages! About the only information of value not included in this backup are the known WiFi networks and the suspect's email, but a suspect's email is a different warrant away anyway.</p>
<p>Finally, there is iMessage, whose "end-to-end" nature, despite FBI complaints, contains some significant weaknesses and deserves scare-quotes. To start with, iMessage's encryption does not obscure any metadata, and as the saying goes, <a href="https://www.youtube.com/watch?v=BwGsr3SzCZc">"the Metadata is the Message"</a>. So with a warrant to Apple, the FBI can obtain all the information about every message sent and received except the message contents, including time, IP addresses, recipients, and the presence and size of attachments. Apple can't hide this metadata, because Apple needs to use this metadata to deliver messages.</p></blockquote>
<p>He explains how Apple could enable surveillance on iMessage and FaceTime:</p>
<blockquote><p>So to tap Alice, it is straightforward to modify the keyserver to present an additional FBI key for Alice to everyone but Alice. Now the FBI (but not Apple) can decrypt all iMessages sent to Alice in the future. A similar modification, adding an FBI key to every request Alice makes for any keys other than her own, enables tapping all messages sent by Alice. 
There are similar architectural vulnerabilities which enable tapping of "end-to-end secure" FaceTime calls.</p></blockquote>
<p>There's a persistent rumor going around that Apple is in the secret FISA Court, fighting a government order to make its platform more surveillance-friendly -- and they're losing. This might explain Apple CEO Tim Cook's somewhat sudden <a href="http://techcrunch.com/2015/06/02/apples-tim-cook-delivers-blistering-speech-on-encryption-privacy/">vehemence</a> about privacy. I have not found any confirmation of the rumor.</p>

Shooting Down Drones
https://www.schneier.com/blog/archives/2015/08/shooting_down_d.html
Tue, 04 Aug 2015 09:24:00 -0400
<p>A Kentucky man <a href="http://arstechnica.com/tech-policy/2015/07/kentucky-man-shoots-down-drone-hovering-over-his-backyard/">shot down</a> a drone that was hovering in his backyard:</p>
<blockquote><p>"It was just right there," he told Ars. "It was hovering, I would never have shot it if it was flying. When he came down with a video camera right over my back deck, that's not going to work. I know they're neat little vehicles, but one of those uses shouldn't be flying into people's yards and videotaping."
<p>Minutes later, a car full of four men that he didn't recognize rolled up, "looking for a fight."</p>
<p>"Are you the son of a bitch that shot my drone?" 
one said, according to Merideth.</p>
<p>His terse reply to the men, while wearing a 10mm Glock holstered on his hip: "If you cross that sidewalk onto my property, there's going to be another shooting."</p></blockquote>
<p>He was arrested, but <a href="http://fortune.com/2015/07/29/shoot-drone-privacy/">what's the law</a>?</p>
<blockquote><p>In the view of drone lawyer <a href="https://twitter.com/dronelaws">Brendan Schulman</a> and robotics law professor <a href="https://twitter.com/rcalo?lang=en">Ryan Calo</a>, home owners can't just start shooting when they see a drone over their house. The reason is because the law frowns on self-help when a person can just call the police instead. This means that Meredith may not have been defending his house, but instead engaging in criminal acts and property damage for which he could have to pay.
<p>But a different and bolder argument, put forward by law professor Michael Froomkin, could provide Meredith some cover. In <a href="http://robots.law.miami.edu/2014/wp-content/uploads/2013/06/Froomkin-Colangelo-Self-Defence-Against-Robots-March-2014.pdf">a paper</a>, Froomkin argues that it's reasonable to assume robotic intrusions are not harmless, and that people may have a right to "employ violent self-help."</p></blockquote>
<p>Froomkin's paper is <a href="http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2504325">well worth reading</a>:</p>
<blockquote><p><b>Abstract</b>: Robots can pose -- or can appear to pose -- a threat to life, property, and privacy. May a landowner legally shoot down a trespassing drone? Can she hold a trespassing autonomous car as security against damage done or further torts? Is the fear that a drone may be operated by a paparazzo or a peeping Tom sufficient grounds to disable or interfere with it? How hard may you shove if the office robot rolls over your foot? 
This paper addresses all those issues and one more: what rules and standards we could put into place to make the resolution of those questions easier and fairer to all concerned.
<p>The default common-law legal rules governing each of these perceived threats are somewhat different, although reasonableness always plays an important role in defining legal rights and options. In certain cases -- drone overflights, autonomous cars, national, state, and even local regulation -- may trump the common law. Because it is in most cases obvious that humans can use force to protect themselves against actual physical attack, the paper concentrates on the more interesting cases of (1) robot (and especially drone) trespass and (2) responses to perceived threats other than physical attack by robots notably the risk that the robot (or drone) may be spying - perceptions which may not always be justified, but which sometimes may nonetheless be considered reasonable in law.</p>
<p>We argue that the scope of permissible self-help in defending one's privacy should be quite broad. There is exigency in that resort to legally administered remedies would be impracticable; and worse, the harm caused by a drone that escapes with intrusive recordings can be substantial and hard to remedy after the fact. Further, it is common for new technology to be seen as risky and dangerous, and until proven otherwise drones are no exception. At least initially, violent self-help will seem, and often may be, reasonable even when the privacy threat is not great -- or even extant. 
We therefore suggest measures to reduce uncertainties about robots, ranging from forbidding weaponized robots to requiring lights, and other markings that would announce a robot's capabilities, and RFID chips and serial numbers that would uniquely identify the robot's owner.</p>
<p>The paper concludes with a brief examination of what if anything our survey of a person's right to defend against robots might tell us about the current state of robot rights against people.</p></blockquote>
<p>Note that there are drones that <a href="https://www.youtube.com/watch?v=xqHrTtvFFIs">shoot back</a>.</p>
<p>Here are <a href="https://mitpress.mit.edu/books/robot-futures">two</a> <a href="http://thenewpress.com/books/theory-of-drone">books</a> that talk about these topics. And an <a href="http://www.theatlantic.com/technology/archive/2012/10/if-i-fly-a-uav-over-my-neighbors-house-is-it-trespassing/263431/">article</a> from 2012.</p>

Men in Massachusetts should simply not show up to defend restraining orders, divorces, and other family law matters?
http://blogs.law.harvard.edu/philg/2015/07/30/men-in-massachusetts-should-simply-not-show-up-to-defend-restraining-orders-divorces-and-other-family-law-matters/
Thu, 30 Jul 2015 13:15:00 -0400

Bizarre High-Tech Kidnapping
https://www.schneier.com/blog/archives/2015/07/bizarre_high-te.html
Wed, 29 Jul 2015 07:34:00 -0400
<strong>m</strong>: <em>"It borders on surreal. Were it an episode of CSI:Cyber, you would never believe it."<br /> <br /> Indeed. Lessons to be learned, beyond all the steps reported: Don't buy your burner from Target or any other big chain store. 
Ideally buy it from a small mom-and-pop far away from where you live or plan to use it. Ideally, don't be the person that buys it yourself. Bypass all those concerns by going to a neutral area that collects working phones for recycling/use by older/minimal-mobility people and take a phone from the box.<br /> </em>
<p>This is a <a href="http://www.wired.com/2015/07/mare-island/">story</a> of a very high-tech kidnapping:</p>
<blockquote><p>FBI court filings unsealed last week showed how Denise Huskins' kidnappers used anonymous remailers, image sharing sites, Tor, and other people's Wi-Fi to communicate with the police and the media, scrupulously scrubbing meta data from photos before sending. They tried to use computer spyware and a DropCam to monitor the aftermath of the abduction and had a Parrot radio-controlled drone standing by to pick up the ransom by remote control.</p></blockquote>
<p>The story also demonstrates just how effective the FBI is at tracing cell phone usage these days. They had a blocked call from the kidnappers to the victim's cell phone. First they used a search warrant to AT&T to get the actual calling number. After learning that it was an AT&T prepaid Tracfone, they called AT&T to find out where the burner was bought, what the serial numbers were, and the location where the calls were made from.</p>
<blockquote><p>The FBI reached out to Tracfone, which was able to tell the agents that the phone was purchased from a Target store in Pleasant Hill on March 2 at 5:39 pm. Target provided the bureau with a surveillance-cam photo of the buyer: a white male with dark hair and medium build. AT&T turned over records showing the phone had been used within 650 feet of a cell site in South Lake Tahoe.</p></blockquote>
<p>Here's the <a href="http://www1.icsi.berkeley.edu/~nweaver/vallejo.pdf">criminal complaint</a>. It borders on surreal. 
Were it an episode of <i>CSI:Cyber</i>, you would never believe it.</p>

Stagefright Vulnerability in Android Phones
https://www.schneier.com/blog/archives/2015/07/stagefright_vul.html
Tue, 28 Jul 2015 07:37:00 -0400
<p><a href="http://arstechnica.com/security/2015/07/950-million-android-phones-can-be-hijacked-by-malicious-text-messages/">The</a> <a href="http://www.forbes.com/sites/thomasbrewster/2015/07/27/android-text-attacks/">Stagefright</a> <a href="http://blog.zimperium.com/experts-found-a-unicorn-in-the-heart-of-android/">vulnerability</a> for Android phones is a bad one. It's exploitable via a text message (details depend on auto downloading of the particular phone), it runs at an elevated privilege (again, the severity depends on the particular phone -- on some phones it's full privilege), and it's trivial to weaponize. Imagine a worm that infects a phone and then immediately sends a copy of itself to everyone on that phone's contact list.</p>
<p>The worst part of this is that it's an Android exploit, so most phones <a href="http://www.androidcentral.com/solving-impossible-problem-android-updates">won't be patched anytime soon</a> -- if ever. (The people who discovered the bug alerted Google in April. 
Google has sent patches to its phone manufacturer partners, but most of them have not sent the patch to Android phone users.)</p>

http://instagram.com/p/5gRqzEhapS/?taken-by=koulersful
Thu, 23 Jul 2015 23:46:00 -0400
<p><a href="http://instagram.com/p/5gRqzEhapS/?taken-by=koulersful"><img src="https://igcdn-photos-e-a.akamaihd.net/hphotos-ak-xaf1/t51.2885-15/11324890_851643381589316_1413443838_n.jpg" height="" width="" alt="" /></a><br /></p>

Italian tourism in the smartphone age
http://blogs.law.harvard.edu/philg/2015/07/23/italian-tourism-in-the-smartphone-age/
Thu, 23 Jul 2015 12:24:00 -0400

Remotely Hacking a Car While It's Driving
https://www.schneier.com/blog/archives/2015/07/remotely_hackin.html
Thu, 23 Jul 2015 07:17:00 -0400
<p><a href="http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/">This</a> is a big deal. Hackers can remotely hack the Uconnect system in cars just by knowing the car's IP address. They can disable the brakes, turn on the AC, blast music, and disable the transmission:</p>
<blockquote><p>The attack tools Miller and Valasek developed can remotely trigger more than the dashboard and transmission tricks they used against me on the highway. 
They demonstrated as much on the same day as my traumatic experience on I-64; After narrowly averting death by semi-trailer, I managed to roll the lame Jeep down an exit ramp, re-engaged the transmission by turning the ignition off and on, and found an empty lot where I could safely continue the experiment.
<p>Miller and Valasek's full arsenal includes functions that at lower speeds fully kill the engine, abruptly engage the brakes, or disable them altogether. The most disturbing maneuver came when they cut the Jeep's brakes, leaving me frantically pumping the pedal as the 2-ton SUV slid uncontrollably into a ditch. The researchers say they're working on perfecting their steering control -- for now they can only hijack the wheel when the Jeep is in reverse. Their hack enables surveillance too: They can track a targeted Jeep's GPS coordinates, measure its speed, and even drop pins on a map to trace its route.</p></blockquote>
<p>In related news, there's a <a href="http://www.wired.com/2015/07/senate-bill-seeks-standards-cars-defenses-hackers/">Senate bill</a> to improve car security standards. 
Honestly, I'm not sure our security technology is enough to prevent this sort of thing if the car's controls are attached to the Internet.</p>

Equal Pay for Female Soccer Players?
http://blogs.law.harvard.edu/philg/2015/07/21/equal-pay-for-female-soccer-players/
Tue, 21 Jul 2015 12:15:00 -0400

Using Secure Chat
https://www.schneier.com/blog/archives/2015/07/using_secure_ch.html
Fri, 17 Jul 2015 07:35:00 -0400
<p>Micah Lee has a <a href="https://firstlook.org/theintercept/2015/07/14/communicating-secret-watched/">good tutorial</a> on installing and using secure chat.</p>
<blockquote><p>To recap: We have installed Orbot and connected to the Tor network on Android, and we have installed ChatSecure and created an anonymous secret identity Jabber account. We have added a contact to this account, started an encrypted session, and verified that their OTR fingerprint is correct. And now we can start chatting with them with an extraordinarily high degree of privacy.</p></blockquote>
<p>FBI Director James Comey, UK Prime Minister David Cameron, and totalitarian governments around the world all don't want you to be able to do this.</p>