Tag: security

Posted on
by

With no card number, CVV security code, expiration date or signature on the card, Apple Card is more secure than any other physical credit card.

Source: Apple Card launches today for all US customers – Apple

While @jackieLbrewer was working at the bakery there was a cash register glitch. For several days they took credit card payments on paper, writing the number down by hand, and then entering them manually at the end of the day.

Those customers would have been totally secure from being able to buy bread.

Marketing image courtesy of Apple

Posted on
by

To be completely honest I mainly want this because without it the watch pocket in 5-pocket jeans is worthless. But it also occurs to me it might be appropriate as an alternative to a burner phone.

I don’t have the device fully characterized yet, and in fact there are multiple versions that might be differently useful in different circumstances, but here’s a sketch of what I’m thinking about.

First of all, the device has to fit comfortably in the watch pocket of a pair of 5-pocket jeans. That’s its whole raison d’être.

Almost certainly it needs to have:

  • Camera
  • GPS
  • Good-but-small screen
  • Bluetooth
  • WiFi

This is enough to enable all sorts of use cases: Geo-tagged images, navigation, listening to podcasts, tracking workouts, etc.

If I could get just that—and if it were reasonably cheap, and designed with good security—I’d buy one in a heartbeat, simply to have a workout tracking device that fit in the media pocket of my workout shorts. (My phones get bigger faster than I need to buy new running shorts.)

At this point, we need to make a big binary decision: Does the device have a phone?

Without a phone, it’s just a teeny-tiny tablet. As I say, I’d buy one, but without a phone it’s pretty limited—no connectivity unless you’re on somebody’s WiFi.

For most of the use cases I have in mind, this would work great. I could connect my headset & heart-rate monitor, kick off a podcast, start up my work-out tracking app, and go for a run. Along the way I could pause to take photos to document my workout. And the end I could share photos and workout details to social media. (Everybody I know cares deeply about my workouts.)

Some very minor software tweaks would let you use it your pocket watch phone as if you were connected. For example, you could still write texts and social media posts, they’d just be queued up until you went on WiFi someplace at which point they’d all be delivered.

The biggest issue with a pocket-watch non-phone phone would be the inability to make emergency calls. Less of a big deal but important to a lot of people is just generally being connected—making and taking calls, sending and receiving texts, keeping up on and posting to social media, etc.

The downside of adding a phone is that it loses the potential to be a purely off-the-grid device.

It might be possible to compromise: You could have a phone that’s turned off (with a burner SIM). Then you’re covered: In case of an emergency turn the phone on.

Proper burner phone security would require that you dispose of the phone as well as the SIM once you’ve powered it up. That need could probably be avoided if the phone generated a new IMEI on each power-up the way some devices are now generating new MAC addresses on power-up for the same reason. (There might be other numbers that would need to be regenerated. There’d also probably be other software changes necessary, such as obfuscating the list of installed apps, to keep the phones from being self-fingerprinting in all sorts of ways.)

If you can make the phone cheap enough, which having a very small screen would help a lot with, maybe none of that matters. Buy the phones in three-packs for a few dollars, and then give them to homeless shelters as soon as you’re done with one.

Posted on
by

I’ve read several novels lately with characters engaging in the sort of OPSEC that you need to do nowadays if you’re undertaking activities the federal government would consider nefarious—beginning with not carrying your smartphone around everywhere you go.

Of course you wouldn’t want to leave your phone behind only when you were doing something nefarious. To do that would be like announcing “Nefarious activity beginning now!” Instead, you need to start playing at going off the grid now for no particular reason, so that when you go off the grid for reals it won’t be so obvious what’s going on.

The necessary OPSEC is hard to get right. One of the novels I mentioned, (The God’s Eye View by Barry Eisler) has as a significant plot element how easy it is to screw up. In the novel a character’s actions are discovered due to her turning on her burner phone at a point close in time and place to where she turned off her regular phone.

As a slightly more sophisticated example, the NSA is known to have a system for “fingerprinting” burner phones, which works by spotting when one cluster of related burner phones all go dark at the same time, and then a similar-sized cluster, with a similar pattern of connectedness, starts up right after.

Just spending some time out and about without a cell phone is probably a good start. Establish a pattern of turning your phone off (or leaving it at home) for a couple of hours every day. It might make sense to establish a regular pattern of doing so, but one can easily go awry trying to set up false patterns. Perhaps it would make more sense to have no particular pattern of when the phone might be on or off.

Purely whimsically, I’m inclined to do this.

In fact, I’m going to have to: Next month I’m on jury duty for a week and cell phones aren’t allowed in the courthouse. I’m sure most people leave their phones in the car, so they can return to them over their lunch break, or at least get back to it as soon as they’re released at the end of the day. But the courthouse is in downtown Urbana, a place that’s easy to get to by bus, so I’m disinclined to drive there. But without a car in which to leave my phone, I’ll probably have to leave it at home.

That might mean 8 hours or more being out and about without my phone, which seems like a great opportunity to establish a pattern of my phone being left home while I do something else—serve on jury duty next month, but who knows what the month after? Nothing nefarious, of course. I’d never do anything nefarious.

Even places where cell service is spotty, such as this spot on the trail in Kennekuk Cove County Park, having a smartphone is completely normalized for me. I expect to be able to just take a picture like this. (And the idea that I might instead bring a camera almost doesn’t fit in my brain any more.)

As an aside: I wrote a couple of articles about going off the grid back when I was writing for Wise Bread. One was a book review of a rather interesting book titled Off the Grid. The other was an article about the trade-offs in choosing to live “off the grid” in the broader sense—not just off the surveillance grid, or even the power, gas and water grids, but more broadly the globalized economy, industrial agriculture, consumerism, etc. I can’t remember what I called the post, but Wise Bread published it as Going Off the Grid Is a Lot Harder Than You Think.

Posted on
by

I marvel that the 1% is being so indifferent to the large and widening leftward political shift in the U.S. and elsewhere. It seems to me they should have already started telling their politicians, “Give the poor folks 20% of what they want, quick! We need to nip this in the bud!”

Of course, maybe they’re right and I’m wrong.

They got away with globalization, after all. And then they got away with the financial crisis. And so far they’ve gotten away with Trump’s tax cut.

Now, I can understand the first two. Globalization, despite how it crushed many individuals, families, and communities, did make people better off on average. Having the average person end up better off makes a policy supportable at some level. I can see it providing enough political cover for them to get away with it. Who doesn’t like buying cheap crap at WalMart? Nobody but freaks and weirdos like me.

The financial crisis is harder to understand, which I think is due mainly to it being harder to understand. There was a real sense that our whole economy could implode—and it was a real sense because it was actually true. The technocrats managed to save the economy, so they get some credit for that. They did it in a way that crushed homeowners, which is bad. They did it in a way that subverted the rule of law, which is bad. And they did it in a way that crushed a whole generation, which is also bad. But they did save the economy.

But now we’ve got multiple cohorts of people who have already turned against the system. It’s no longer just the freaks and weirdos who care about their local community and the natural systems that support life. It’s no longer just former homeowners whose homes were seized to save the banks. It’s no longer just millennials who graduated into a job market so bad that they’re a decade behind their parents’ generation in things like family formation (and further than that in preparing to retire).

Now it’s basically everybody except the 1% who is being harmed, and they’re being harmed right now, every day.

The Trump tax cut is just a naked grab at wealth by the wealthy. It didn’t help anybody else. Trump’s tariffs aren’t even that—they don’t help anything but Trump’s ego.

I cannot imagine that any amount of voter suppression and gerrymandering—even with the structural anti-democratic features of our constitution—will keep the supermajority of people being harmed by our current system from making some major changes.

If the 1% had any sense they’d have thrown some bones to the people already. I can’t imagine that the smart ones haven’t figured this out already.

Sure, there are plenty of dumb ones who figure that they can build a survival bunker in Alaska or New Zealand and survive the ensuing revolution and climate catastrophe. But are they really all that dumb?

Evidence so far suggests they are.

Or maybe they’re right and I’m wrong.

Posted on
by

I used to play on the monkey bars all the time when I was a kid. My mom encouraged it. She knew it built upper-body strength, and that the ability to traverse monkey bars was an important capability for any human. (She could traverse monkey bars herself, when I was a boy.)

I quit doing the monkey bars, probably when I was college age, and quickly lost the capability. Then for three decades would have been afraid to even try, because I’d definitely have hurt myself. A few years ago I wanted to regain that capability, so I started looking for monkey bars to practice on, and found that they’ve gotten quite scarce. Many playgrounds don’t have them at all.

Winfield Village has a playground in every quad, but the only playground with any sort of monkey bars is the big one close to the office, and it has a rather strange curving monkey bar that over the course of 5 rungs makes a 90° turn—a particularly challenging version. (Like most these days, this one has weird triangular bars hanging from a single support, rather than a series of rungs supported on both sides.)

Bars for brachiating at Winfield Village playground

The reason for both the near disappearance and the switch to triangular bars seems to be that monkey bars are “dangerous.” Many playground safety experts recommend that monkey bars be excluded from playgrounds altogether, and I think the weird shape is designed to make them harder to climb on top of, in the hopes that kids would then not do so.

I spent a chunk of yesterday afternoon at an “alignment play day” with folks from CU Movement (and  kids), getting some hanging and balancing and barefoot walking on various textures. One thing I did was traverse the monkey bars at Clark Park in Champaign—an old-style set of monkey bars, rather like the ones I remember as a kid.

One of the kids in our group—small enough that it was a challenge to reach the next bar, and at a height that the experts would no doubt claim was “too high” for a kid of that size—did the monkey bars, and then immediately wanted to climb on top of them. He asked for help getting on top, which his mom declined to provide—except that she pointed out that one of the supporting poles could probably provide the necessary foot purchase for him to get on top on his own. And he did manage to find two ways to get up there. Having gotten up there, he decided against traversing the top of the monkey bars, and simply swung back down under them.

A new school of thought is emerging (finally!) that “dangerous” playground equipment offers valuable opportunities for kids to do exactly what this boy did: evaluate a hazard and decide how much risk was appropriate. The only way to learn to make that sort of evaluation is to actually practice it. Making playgrounds so safe that children cannot hurt themselves reduces their opportunity to develop a good sense for what is safe and what is dangerous, and what is and is not within their capability.

It has also made it a lot harder for me to find a set of monkey bars to practice on.

I crossed the monkey bars three times in the afternoon, but I forgot to attempt my next big trick: Cross from one end to the other, turn around (without putting my feet down) and cross back again.

I’ll do that next time.

Posted on
by

The reason that a well-regulated militia appealed to the founding fathers was that they hoped it would eliminate the need for a standing army.

If you had the whole body of young adult men armed and trained, it was hoped you could raise an army very quickly in case of need. If that were true, Congress could insist that the standing army be run down to just a cadre of specialists and officers. Then, in the event that you needed an army—because you were invaded, or needed to invade someone else—you could mobilize (i.e. draft) the militia to fill the ranks with soldiers.

The founders knew perfectly well that a government with a standing army could not be resisted by the people, even if the people were armed. A standing army was always going to be more disciplined, more highly trained, and better equipped than a militia could possibly be.

So, the purpose of the militia was to eliminate the need for a standing army. If you could make a militia work that way—quickly go from a bare cadre to a fully mobilized army simply by calling up the militia—then you’d be in a position where Congress could insist that the the army in fact be a bare cadre, meaning that neither presidents nor generals could use the army until Congress actually raised one.

It’s an appealing idea, particularly to someone like me who is very doubtful about trusting presidents or generals. Sadly, the evidence is pretty good that it doesn’t work.

This was clear even before the sorts of modern, high-tech weapons and other equipment that take extensive training to learn how to use, and then nearly constant on-going training to preserve the capability.  It took five years to go from a 16,000-man army to a 1,000,000-man army during the civil war. The ramp up for WW I was quicker but also smaller—manpower grew by 16 times in two years rather than 62 times in five years, but that was from a much larger base—basically, a smallish standing army, not merely a cadre waiting to be filled out.

The experience of the U.S., at least as far back as the civil war, is that fielding an army by mobilizing a militia simply can’t happen fast enough to respond to an enemy with a standing army. (The experiences of Switzerland mobilizing to resist a possible Nazi invasion and Finland mobilizing against the Soviet Union at around the same time are interesting, but do not I think make the contrary case.)

Given all that, I’d have to say that a militia is pretty much obsolete, and has been for a couple of centuries at least.

Posted on
by

My friend Mart lost her job this week.

I know all about losing a job. Over the years I was fired or laid off four times.

Getting laid off is humiliating and insulting. The process is stressful and and unpleasant. The aftermath, where you have to deal with your feelings about the fact that other people kept their jobs while you lost yours, at the same time that you deal with having a sharply lower income, layers more stress and unpleasantness on top of that.

Losing a job is also frightening. It fills your future with unknowns.

The middle time I was laid off, my former employer hired an expensive outplacement firm to help us make the transition. We had a series of meetings at an off-site location where a counselor gave us advice on dealing with the emotional and practical issues. Although the somewhat simplistic advice was another layer of insult piled on top of the insult of being let go, it was actually pretty well done. I used what I learned there for pep talks that I’d give former coworkers when they were let go. I used it as the basis for part 1 (losing a job) of the Wise Bread series I wrote on getting by without a job.

These last few decades—as the whole economy has adjusted to eliminate the working-class jobs that used to provide a middle-class standard of living—losing a job has become even worse than it was back when I lost mine.  And yet, while losing a job is a pretty bad thing, but it’s not always purely bad. Even people who love their job don’t love everything about it. (Mart in particular, I think, loved books a lot more than she loved her job at a bookstore.)

Still, losing a job sucks, even if things go as well as possible after that.

Visit Mart’s website! Consider buying her book!

Posted on
by

A year and a half ago, my brother gave me a Raspberry Pi 3 as a birthday present, suggesting that I should use it to run my own server.

I used to run my own server. A friend who liked to build such things had built it. It had two ethernet ports, one connected to my cable modem and the other connected to my WiFi router, and it was running OpenBSD (then the most secure OS easily available) and was configured to serve as a firewall.

I used it as a server in other ways. I put an extra disk drive (40 GB!) in it where I could store files that I might want to access from elsewhere. (In particular, when I went to Clarion I copied my latest draft of my current story there each evening, in case of catastrophic computer failure.)

It didn’t require much upkeep, but it required more than none—which turned out to be more than I wanted to devote to it. At some point a serious security flaw was discovered in the OpenBSD release I was running. By then most desktop machines had built-in firewalls as did most routers, and I had Time Machine as a backup solution. It seemed safe to give up my server, and easier than updating it.

In the years since then, the use of cloud services has become ubiquitous, to the point that practically everything I do ends up in the cloud—my photos go to both Flickr and Google. I also use Dropbox (where I have Scrivener stash a backup copy of everything I’m writing) and I stash some amount of my music at both Google and at Amazon.

That’s all great—those services are well backed-up, and the servers are very likely running the latest security patches—but I really like the idea of having my own data on my own machines. But I want that without giving up the advantages of having my data in the cloud. Hence wanting to have my own server.

All that as prequel to my brother coming to visit this past week, and helping me get my Raspberry Pi server up and running.

Once the basic install of Raspbian was up and running, I went ahead and ordered a bit of hardware for it. I got a short ethernet cable to connect it to my router, so that it doesn’t have to do WiFi for basic connectivity (although WiFi and Bluetooth are built in). I also got a slightly more powerful USB power supply for it, mainly because I also got a portable USB hard drive that takes its power from the USB port, meaning that the power needs to be available to the Raspberry Pi. Finally, I got a case for it, so that I don’t just have a naked circuit board sitting on my dresser.

This time the hard drive is 1 TB rather than 40 GB.

For cloud functionality I’m following my brother’s example and running syncthing, which has the advantage of being able to handle being behind a NAT and not having a port exposed to the outside world. I’m running it on my Android phone as well and sharing my photos with a third place: my server. The server then shares them with my desktop machine, so they’re available to use. (That’s how I got the photo above: Taken with the phone and then transferred to the desktop within about a minute.)

I’m still sorting out my sharing strategy. I don’t want to share my whole Music folder with my phone, because it would use all the space there. (I’ll probably end up making a folder with an “essential subset” of my music to share with the phone.) I don’t think I want to share my whole Documents folder on my desktop machine, but I’m not sure yet. For the time being I’m sharing a folder I call “Active writing” with the files I’m currently working on, on the desktop, the server, and my laptop. That way they’ll be available wherever I want to work on them.

Other things are tougher. I’d like to have my own calendar server, but that doesn’t seem easy. I should go back to my post on the google-free option and see what else I was thinking about that I might now be able to implement.

For now, though, I’m pretty happy.

My previous server was rack mount width and maybe four or five inches tall, about the size of a stereo component. This one is maybe 3 inches by 5 inches, rather smaller than the hard drive it’s sitting on.

Posted on
by

The right to vote is a constitutional right. It should not be abridged. In this way it is like all constitutional rights.

There is one important difference between the right to vote and most other constitutional rights. Most constitutional rights apply to “the people,” while the right to vote is a right of citizens. Because of that difference, it makes sense to verify that people registering to vote are citizens. But waiting until someone is at the poll and then demanding that they prove they’re a citizen is backwards.

It is, to use another constitutional right as an example, backwards exactly the same way it would be backwards to take your property for public use, and then make you run all over town for documentation to prove that you own it before you can get it back. Instead, we have a property registry to keep track of who has ownership rights, and then a process called eminent domain whereby the government has the opportunity to present to a court evidence that there is a public need for your property according to well-established rules, and to establish fair compensation. You have the opportunity to dispute that evidence, and to argue for a different interpretation of the rules or for higher compensation.

I would suggest that as being the right model for voting rights as well: We should have a voter registry to keep track of who has the right to vote, and then a court process whereby the government has the opportunity to prove that someone on that list does not have the right to vote according to well-established rules (not a citizen, not over 18, not residing in the precinct, dead). You should have the right to appear at the hearing and dispute both the evidence and the interpretation of the rules.

Nobody should ever be struck off the voter rolls without such a hearing—to my mind it would be just as unconstitutional as taking your property without a hearing.

If that is the standard—as it should be—then there is no need to present an identity document at the polling place. All you need to do is prove that you are the person who registered, which is easily done by comparing your signature when you request a ballot to your signature when you registered to vote.

In any case: The right to vote is a fundamental right of the citizen. Denying it without due process is wrong, and there should be substantial sanctions on anyone who does so (or attempts to do so).