Tuesday, March 20, 2012

Pwnd1

Jack jumped up the last few rungs, and through the open window, swearing again. He knew how to be careful. And this time he was cutting it a little too close.



Crossing the border was always a nightmare. He expected the lines, the waiting, the mind-numbing slowness, the bland faces of the agents working to sort the safe from the un-. He expected to be pulled out of line—it was inevitable—and subjected to extra scrutiny and harassment. Such was the price for having irritated a few too many folks with ties into National Security. The only really irritating thing about it, other than the delay, was the dirty looks he received from the other passengers, as if it were already a foregone conclusion that the agents must be right: He must be an undesirable. He must be worth taking away. “Now, that is a reflection of what’s wrong with society,” he thought as he shuffled toward a nondescript booth and the two hours of flowchart-directed Q&A. The answers flowed simply, for honesty was easy when there wasn’t anything to divulge, or, at least, anything that would give them the technical underpinnings for accessing his digital life.

Later, sweaty, a bit worn, and more than a little frustrated with the G-men stuck in their roles as perennial persecutors, Jack emerged, papers and baggage cleared, sans phone. It was usually about a fifty-fifty chance he’d get his phone back, and even if he did, it was almost not worth the expense of delinting. Except for the wait, tossing it into the vendo-recycle and getting a new one was nigh equivalent – you still had to do a hardware x-ray, and providing your own firmware was de rigueur even if it weren’t required for safety. As much as the G-men were excited to try to probe his phone for some security hole, there wasn’t anything on it except for a few pointers to honeypots, and those were only to ensure that some long-term key wasn’t rooted from one of his other servers. He imagined the look on their faces if they did happen to hit one of those servers, though; the keys did guard information, but it was usually some carefully prepared wikileaks-style content package, and if he and his server got it right, it was usually dirt on the fellow actually doing the old skool B&E. Scaling the escalators to the transit bay, he traded some of his BC2 to dollars and some of those dollars into transit passes. First destination: the mall.

The mall is a necessary device. As mundane and reductive as it is for most of its custom, Jack is a fine breed of mall dweller. How many other patrons use its X-ray stores, not for self-MRI or for fine-tuned diagnostics of one’s own health, but instead for the devices they have on them? Jack steps out of the mall-bound bus mid-stop and heads across from the Orange Julius to the vending machines, and picks out a Kazer 103a. His BC2 is diminished, but now he has the device that will serve him until the next border, or the next time someone pins him down. Kazer is a good brand, and more importantly, an often-purchased brand, and thus not worth the G-men bugging every version, especially out of Southcenter. His natural device has about twice the horsepower, and four times the memory, but that’s far from being the important limitation… this new device, as much as it has a lovely intro movie to explain each aspect of how one might use it, is, well, unclean. The 90s and early 00s showed most people that giftware was crapware, if not outright spyware, and the denizens of the 10s brought their firmware with them. Unfortunately, Jack was not so blessed. Being stripped of his machinarium by the gestapo-lice meant that he was vanilla boy, home schooled, bootstrappin’ for great justice. He acquired a mundane firmware at another station, and refried the device as he walked to the x-station. Feigning recent cataract surgery, he said, “I want to know if they ‘implanted something’,” and got himself scanned. Looking at his device in the scans, he could see no foul play: The 389 would have been readily visible if it was there, gleaming like a bulbous capacitor above the headphone port. More advanced stuff was necessarily larger, and would have stood out like a sore thumb.

Jack walked into the mall transit station. His device, having locked into local Wifi, 4.5G, and subter, had started to download his packages… the ones that would let him actually talk to any part of the world that wasn’t right in front of him. Boarding a Westlake-bound train, he pressed his left cheekbone against the glass as his device woke up and figured out that there was a whole new world of applications ready to download and run. The physical world blistered by, and by the time he emerged out of First Hill, his phone was finally ready to use.

“Don’t even f’ing go there.” After he entered his shortcode and 2authconf, that admonition displayed on the frontispiece. “Well, that’s just f’ing grand. What the hell else am I supposed to do,” he murmured, purportedly to himself, but anyone within earshot got a load of his invective. “I’ve just been done over by the gendarme and need a freakin’ break.”

Under the covers, his transmission headed out, carried on a stream of data from one accepted host to another. The very protocol he invented, multicast SSL, carries an alternate form across at least two other streams and makes his connection not just “hard,” but “solid”… a term used by his former teammate when he was able to ensure a control signal despite 80% signal cancellation and “no way to get in”. The 2authconf seeded the phone with several one-time-bufs, and was able to live on those for minutes while trying to get in touch with the one person who might have made his trip to the homeland worthwhile: The Prince.

The Prince was busy.

Instead, Jack lurked on channels, opening one to the “389,” cruel homage to those that might track them and hunt them down. The 389 chip was a signal processing unit that would copy signal to another track and transmit it. Straightforward (mostly), and harmless (mostly), modulo those silly folks who still thought their unmodulated signal would not be noticed by the powers that be.

Jack got off the train, and walked nary a half block away, to the T-bar, where he ordered a double espresso and Jameson’s, and tried to make contact. In the meanwhile, he tried normal avenues — Facebook (still an old standby) and Twitter, a simple but misused venue. Both seemed stymied, until… pure signal.

One of the unadulterated joys of the watched, concerned, or paranoiac crowd is an SSL .95 signal. That doesn’t even make sense unless you’re talking about multicast, which probes all available connection points for channels through the murk. It’s easy enough if you have a sufficiently faithful line to source, where you’re faithful all 100%, unless you drop packets. Instead, it’s when you’re watched, marked, nigh surrendered that .95 is the a4some, when despite signals being hacked, subverted, closed, or snooped on, you were entirely sure that what you had to say would not end up on some poor NSA analyst’s desk. Ninety-five-point is what you call it, and it works… until it doesn’t.

On his unadulterated, vanilla unit, it sang “free and clear!” repeatedly until it got shut off. It wasn’t even clear until afterwards that whoever had watched what was transpiring in his social network actions had modulated signal, closing connections on one side, and then the other, hoping to be on the right side of entropy and learn the keys that were controlling the session. Sadly, this kind of attack, which Jack’s own software would have warned against, was muted by vanilla versions of the same software, which had no idea that anyone might want to subvert them.

The tick-tock of repeated channel switching transpired as the vanilla unit tried to ensure the connection. Key exchange after key exchange occurred, with the watchers gathering data on the nonces, looking for patterns in the supposed randomness. The Kazer line was known not to have randomness faults, with plenty of entropy given that it took into account touch lengths, distances, accelerometer readings and, if necessary, GPS slop. Yet still, given enough evidence, and a large enough MapReduce, the watchers could smoke an ordinary machine. It might take minutes or hours, days if you were careful and kept track of your exchanges.

To Jack, it looked like a craptastic connection, a regular occurrence while on the light rail, that finally stopped being so slow about the time that he reached Westlake. He tried one last time to reach The Prince before hitting the dead drop.

“When you need something done right, format it yourself,” is a motto held by many neteratti who have seen bad software ruin good devices. Jack failed again to contact his friend, but it was solace to be able to walk into the Nitelite, find the stored USB fixed drive secreted in one of the booths, and firmware replace the Kazer with Nutella 0.81b. Two slow gin fizzes masked the ghastly slowness of the update and the partial reconfiguration of the OS on the device after it compared package MD5 hashes and elected to sidestep the normal installation channel for some Important Updates.

The crowd was a normal before-10 crowd, waiting for someone to start them up, or some DJ to blaze the latest crazed mix of house dubstep into their willing ears. After dragging a decent BC2 paytip onto a fringe and snapping it off onto the table, Jack was ready to leave.

And yet.

When people are well funded, when they’re out for blood and you’re a means to an end, one doesn’t expect fair play. Four large men in trenchcoats entered the Nitelite and scanned for their target. Sometimes having a regularly vacillating hairstyle pays off, and Jack noticed his “admirers” first. Dropping a “shiiiii…,” Jack silently shouldered through the employee door, ducked between two waiters, and dashed outside to the alley. Tearing north and then eastward, he stepped up onto one of the brick walls and grabbed the fire escape, mounting it with impressive force. Breathing hard, he launched himself through the half-open window into Gemini’s pad, and breathed a sigh of relief as the hard noise of boots on pavement echoed below and the G-men ran by.

Sunday, March 11, 2012

Attribution burden for podcasts

Editor’s note: I am an avid listener and sponsor of On The Media, and acquaintance of the author of the Feminisnt blog, who uses the moniker Furry Girl when posting on that site.

On March 2nd, OTM producer Sarah Abdurrahman was featured in a segment on the On The Media podcast, talking with Bob Garfield about making Freedom of Information Act (FOIA) requests about herself. In that segment, she refers to her source idea, being “this blog post about this woman who” made FOIA requests about herself. She then goes on to quote several details out of this blog post verbatim, specifically, some of the entries in the FOIA results. Bob moves on to discussing Sarah’s own experience doing the same, and neither the blog nor the author of the blog post is ever mentioned.

Sarah also produced her own blog post on the OTM site the same day, covering some of the same details as the segment. It, too, never mentions either the name of the blog, or the author, but does provide a link to the Feminisnt blog post from which she gathered her source idea.

This event, which, on a better day would have served the dual purpose of spreading the word about citizen access to government information, and more readership of a blog which helped initially promulgate that information, ended up turning sour.

The original Feminisnt blog post has, at the bottom, a little Creative Commons License icon, and a comment that the text is licensed under the Creative Commons Attribution-Noncommercial-No Derivative Works 3.0 Unported License. It requires that, presuming you’re a non-commercial entity (OTM is a not-for-profit), you provide attribution if you share the work (i.e., copy, distribute, or transmit it). Whereas the OTM blog post has a link (and thus attribution), it doesn’t strictly, license-wise, need one—it is not copying, distributing or transmitting the original work, but merely providing a reference. On the other hand, the OTM segment copies/transmits select small portions of the work over the public radio airwaves and via the internet in podcast form.

The lack of attribution by the OTM show itself spawned a series of angry tweets and a blog rant and, so far, one response by OTM’s Senior Producer, Katya Rogers, which includes a denial: “neither our blog post nor our broadcast segment constitute copy, distribution or transmission of Furry Girl's original work.”

The OTM segment was clearly not a whole copy, but neither is it free of the work in question. From a legal perspective (and I am not a lawyer), it seems that both of the following are true: (1) OTM only borrowed a small amount, and (2) even if that were to be sufficient to show a prima facie case of copyright infringement, OTM could argue fair use.

That said, I argue that there’s been a bit of a departure from ethics on OTM’s part. In order to bolster their OTM segment, presumably due to the humor value and simultaneous big brother nature of the FBI commentary, they use another person’s produced information. This is information that they could not get for themselves: In the case of Furry Girl’s story, OTM FOIA requests would never return such data, it being a request that only Furry Girl could have fulfilled. In terms of Sarah’s own data, FOIA requests are notorious for how long they take to fulfill, so they could have waited until the FBI finally responded to put up the story, but they did not–they instead used information from the original blog post. I know that we don’t own the news we break, but in this case, there’s no available, more original direct source. The fact that OTM did this and didn’t bother to refer to the original source material in situ is what I take issue with. They could have produced the entire segment without any of the Feminisnt source material, and gotten most of the idea across and not incurred an ethical obligation.

It does not suffice that Bob gave a link to Sarah’s post and that Sarah’s post, in turn, gives attribution to Furry Girl. The OTM segment itself should have given attribution, and not just in the form of a “if you want to know more, here’s a link”.

If it had been a random guest on the show instead of Sarah, it would have been an issue I would have taken with that guest about their own standards of sourcing and attribution. Instead, the segment was produced entirely by the OTM staff, who raise the bar about journalism standards around the globe, and it seems that they, of all people, should know how to do better.

P.S. Whereas I think the OTM staff could have done better, the hyperbolic escalation by Furry Girl and the yield-no-ground nature of Ms. Rogers’ response seem to me to be largely wasted efforts on both sides. All Furry Girl wanted was attribution, and attribution would have been trivial to provide. Instead, we have a threatened legal battle and Google bombing, and who knows what future waste. Aren’t there more things wrong on the Internet to which we can now attend?