Printer inks and tractors, and the right to repair

You might recall several years ago when it came time to replace an “empty” Lexmark printer cartridge, you had to purchase a new “authentic” one as a replacement. HP had a similar program. Lexmark was sued (and lost in the Supreme Court) by a third-party ink maker who was blocked by the locking software. (The reason for the quotes is because these cartridges are seldom anywhere near empty, wasting a lot of ink. But let’s stay focused.)

John Deere 8 Series Tractor MY22 updates give farmers more optionsWhat does this have in common with tractors? John Deere has special locking software that prevents farmers from doing their own repairs. This came to light recently when Russian troops stole about US$5M worth of them from Ukraine and brought them to Chechnya. The Ukrainians were able to “brick” the tractors by engaging the software. This is not a coincidence: their software engineers have been hacking Deere tractors for years.

Now, while you may cheer on the Ukrainians, this exposes the dark side of tech called the right to repair. For the past decade, tech companies have come under fire for preventing “unauthorized” repair work on their equipment. Apple is one of the most egregious, you can’t just have anyone fix your gear. But as supply chains stretch and break during the pandemic, we need more flexibility, not less. And typically using the authorized repair folks is nothing more than having an added surcharge to your repair bill. (And if you are a farmer, waiting for the Deere repair dude to drive out to your farm.)

One small victory in this arena has been the unlocking of cellphones. Remember when you had to get permission from your phone vendor if you wanted to port your phone and your number to another carrier? You still need to go through a somewhat dense process, but at least the carriers have to sell you a new unlocked phone. Various states now have laws on their books to mandate rights to repair, but it still is far from universal.

Avast blog: How license plate scanners challenge our data privacy

A security camera at one of ...As more communities install automated license plate readers (APLRs) to monitor vehicle traffic, there are growing concerns about the privacy and efficacy of these tools. Stories have appeared in local newspapers, such as those in St. LouisLouisville and Akron that document the rapid rise of Flock license plate camera data and how it can be a central source of vehicle movements.

These stories highlight some of the privacy implications of APLRs and also recall some of the same issues with the growth of other massive private data collections. In my latest blog for Avast, I describe what’s going with these APLR systems, some of the issues raised by privacy advocates, and how they compare with the DNA/genetic testing data collections.



Avast blog: How to defeat social engineering attacks

ImageIf you have heard of the process of social engineering, the ability of a hacker to trick you into divulging your private details, then you might have come across ethical hacker Rachel Tobac. She’s the CEO of SocialProof Security and board member of Women in Security and Privacy. I virtually attended one of her more recent talks, during which she explained her craft and gave some suggestions on how we all can improve our personal security and make her job more difficult.

Tobac has carried out some notable security stunts in the past, such as live hacking a CNN report’s accounts and stealing his airline points. “I hack so people can understand how hackers think and hopefully you will avoid these mistakes,” she told her audience.

You can read more about her talk — and how to harden your own defenses against social engineering attacks — in my latest blog for Avast here. And if you want to watch a great documentary about the teens behind the 2020 Twitter hack, you can find it streaming on Hulu here,

What is the online “town square” and how should it work?

renee direstaThe news about Elon Musk’s intended purchase of Twitter has brought about a lot of hooey and hand-wringing. Here are my thoughts. I first listened to a very interesting interview by ex-White House speechwriter Jon Favereau of Renee DiResta, an expert on tech policy at the Stanford Internet Observatory, whom I have quoted numerous times in the past. She makes the case that Elon has a fundamental misunderstanding of what online free speech means, even ignoring the fact that free speech only applies to governments, not companies. Renee amplifies her piece for The Atlantic that she wrote a few weeks ago, saying that Elon is more about attention than freedom (and who knows if his bid will even go through). “Free expression should be a foundational value,” she wrote. She also makes the case that all online social media products moderate their content – and most do so reactively, inconsistently or clumsily or all three. This includes Truth Social, Gettr and Parler, just to name some of the more notable “free speech” ones. (The hyperlinks will take you to their community guidelines for your future reference.)

Suzanne Nossel, the CEO of the writers’ group PEN America, writes that “Musk will learn the hard way that there is no return to a mythic online Eden where all forms of speech flourish in miraculous harmony.” However, she agrees with him (and others) that our current content moderation methods are deeply flawed. If you haven’t learned the words “shadow banned” (where followers are deleted without telling them from your social accounts) or retconned (officially sanctioned revisionist history), you will hear them more often during these discussions.

So what is the solution? DiResta and others penned this piece in SciAm, suggesting that social media companies need to become more transparent. “The only way to understand what is happening on the platforms is for lawmakers and regulators to require social media companies to ​provide researchers and others access to data on the structures of social media, like platform features and algorithms​.”​ PEN’s Nossel is also for more transparency. She suggests that more moderation is essential to prevent spammers, trolls, and other quackery from taking over social media and that “robust content moderation is here to stay,” especially to try to stem the tide of false positive takedowns of content and users. For example: TikTok restores more than 1M videos each month after initially removing them for violations. Of course, they allow millions more to be posted to their site. But still, that is an awful lot of content to judge.

I think there is a bigger question that many of the commentators aren’t really addressing: do we really want an online town square? The comparison doesn’t really work when millions of people are shouting to be heard, or in places in the world that are under the grip of authoritarians. It very quickly devolves from the marketplace of ideas to mob rule. DiResta spoke about the “high harm areas of online that are worth moderating,” which is a good way to look at this, especially given the absence of facts being spewed there and how they are amplified and become part of the conversation offline.

Avast blog: The U.S. government wants to expand the use of social media for visa vetting

For the past several years, millions of foreign visitors and potential immigrants entering the US have divulged the contents of their social media accounts to the US Department of Homeland Security (DHS). This requirement is part of the Visa Lifecycle Vetting Initiative (VLVI) that began in 2014 and has been expanded in 2019.

You can read more about the evolution and dangers of this program in my post for Avast’s blog here.

Avast blog: Obama on strengthening our democracy and reforming social media

Last week, Barack Obama delivered a keynote address at an event, “Challenges to Democracy in the Digital Information Realm”, co-hosted by The Stanford Cyber Policy Center and the Obama Foundation. He discussed the role of government in online technologies, the relationship between democracy and tech companies, and the role of digital media to elevate authoritarian rulers. He touched on the point that we all now occupy entirely different media realities that are fed directly into our “personal information bubbles” of our smartphones.

You can read my post for Avast’s blog here to see what else he had to say to this audience and what he recommends we do to fix social media to make it better for democracy.

More on the Pegasus Project

Since I last wrote about the NSO Group’s Pegasus mobile spyware last summer, there have been several new developments that show just how insidious the software is and how pervasive its use around the world.

Pegasus can be placed directly onto a target’s smartphone without any user interaction and can then start tracking a phone’s location and operations. Last year a consortium of journalists revealed who was using the spyware after doing extensive forensic research on dozens of phones. This resulted in the US Commerce Department putting NSO on a block list, the DoJ beginning investigations and Apple suing the company. Then we saw two developments from last December: first, Apple notified a bunch of US State Department employees in Uganda that their phones have been hacked. And Pegasus was found to be used to track Jamal Khashoggi and residue was found on one of his wives’ phones.

There were other reports that the FBI had tried out Pegasus but didn’t actively use it, or at least not that anyone could prove. And that a security researcher had decompiled several code samples and documentation.

Just recently, the Citizen Lab — one of the research groups involved in last summer’s project — found more cases of Pegasus used on dozens of Catalan phones, probably at the direction of various government entities in Spain. One of the researchers found a previously-unknown iOS zero-click exploit. The more we find out about Pegasus, the more I am convinced this tool spells trouble.

Again, I want to emphasize that your chances of getting infected with Pegasus are very, very low. But it does seem to crop up frequently enough, and now in places that you would think would be curious as they are free, democratic countries. NSO representatives continue to maintain that they carefully vet their potential customers and say its software is intended to investigate terrorists and potential criminals. But given that its residue has been found on phones of political figures, journalists and human rights workers, I wonder how careful this vetting process really is.

Aiding Ukraine in the modern web era

I want to tell you two stories to counter-balance the seemingly endless ones about the horrors of war we have seen coming from Ukraine. I am doing this not to blunt the tragedies that millions have and are continuing to experience, but to show you that there are many people who have taken action and done something to help others. I am sure there are many other stories of hope and would urge you to share them here if you feel so inclined.

The first story is a group of hundreds of librarians and others who have banded together with the sole purpose of Saving Ukrainian Cultural Heritage Online, which coincidentally is their actual name. They have saved more than 25TB of scanned documents, artworks and many other digital materials from thousands of websites of Ukrainian museums, libraries and other archives. The group was founded by a few dedicated individuals such as Anna Kijas, a music librarian at Tufts University, who saw a looming disaster in February as the country’s buildings were being systematically bombed out of existence, and began making digital copies of various archives. She was joined by Quinn Dombrowski, an academic technology specialist at Stanford University, and Sebastian Majstorovic, a digital historian based in Vienna.

You might think that the Internet Archive Wayback Machine already does this, but it doesn’t crawl very deeply. For my own website, many of the saved copies just include the home page or one or two other pages. The team harnessed a couple of other web scraping tools and began search Google Maps to go literally block-by-block to find physical museum collections. They developed workflows and scripts and distributed them via a Slack channel and shared documents to keep things organized.

My second story concerns the video channel Yes Theory. This is a group of three guys that have traveled together for several years doing very entertaining and sometimes meaningful videos. The trio combined forces with Adventurers for Change and have raised more than half a million euros from 8000 contributors to support Ukrainian refugees. Their video describes how they set up offices at a co-working space in Warsaw to coordinate their volunteers, who came from all over the world to help them purchase basic staples and get them to the Ukrainian border. The group began operations at the end of February.

What these two stories have in common was a ground-up organization that wouldn’t have been possible in the pre-web era. Using email lists, messaging groups, social networks, crowdfunding and other tools, they not only got their message out and recruited volunteers but were able to keep overhead costs low and be on the ground helping people almost immediately. Both relied on existing channels and groups that were together for other purposes, rather than tapping into existing relief efforts such as Doctors Without Borders or various UN-backed programs. Both did more than just ask for money, and had to develop their infrastructure quickly and figure out the daunting logistics to put everything in place. When you think about all the ways that technology is being used for evil purposes, it is great to read about these two efforts.

Ranking the world’s democracies

This morning I was watching the live coverage of the meeting of six foreign ministers in the Israel Negev. It was a remarkable experience because of the venue, the nature of the broadcast itself and the way it was being reported, and the global context of the meeting.

Before I can explain the situation, let’s take a short quiz. Here are six countries (not the same list as the ministers). Put them in order from most to least democratic. Use any metric you’d like. USA, Rwanda, Laos, Moldova, Norway and Qatar. Don’t peek at the end of the essay for the results quite yet. I will give you one hint: we are not the top country, by a long shot.

So why am I writing about this today? The Negev Summit, as it was billed, covered the ministers from USA, Morocco, UAE, Bahrain, Egypt and Israel. Some of the men were in Israel for the first time in their lives, which was interesting in and of itself. It was notable who was not there:  the leaders of Jordan and Palestine were meeting in the West Bank as a bit of counter-programming. What was different (apart from the actual meeting itself) was the location: the last home of David Ben-Gurion, who was the founder of the modern Israeli state.

That is how I have thought of him ever since I was a pre-teen attending Hebrew school. He is well-regarded by many Israelis and there are several things that carry his name today, including the Tel Aviv airport where every tourist to Israel and the West Bank arrives and a university in Beersheva that I have been to numerous times and where my son-in-law got both of his college degrees. If you drive another 45 minutes south of the university, you will get to the Negev town of Sde Boker, which is where the summit took place. There is a kibbutz and it is also near a Bedouin camp, and also not too far from Israel’s only nuclear “research” reactor.

Anybody who thought at the end of 2020 that things could not get worse for the world’s democracies has been proven wrong, says the Economist’s Intelligence Unit in their latest “Democracy Index” report. The overall index hit a new low since it first began its tabulations in 2006, largely thanks to a variety of government-imposed tracking and monitoring tools of their citizens caused by the pandemic. The report goes into lots of detail about how they scored each of 167 countries on 60 different metrics such as electoral processes, civil liberties, and government functions. These are rolled up to classify each county into one of four categories:

  • Full democracies,
  • Flawed democracies
  • Hybrid democratic and autocratic regimes
  • Authoritarian regimes

My six-country quiz contains countries in each category. And here is another hint: we are not a “full” democracy by the Economist’s definition. Sad to say. They figure out the segments based on examining the various components of freedom, such as: freedom from want and the satisfaction of material needs; political and religious freedom; democratic rights and equal treatment for all citizens; equality of opportunity and the avoidance of stark economic and social inequalities. One of the things that interests me is that there are various shades of authoritarianism. The World Population Review counts 52 countries and describes them as one of five different types, based on how a dictator grabs and maintains their power. This could be through the use of the military, a monarchy, a force of personality, a single political party, or some combination. The various dictators are listed and linked to by name.

Another group that tracks these issues is Freedom House’s annual “Freedom in the World” report. It scores countries by overall freedom, internet freedom, and democracy scores. They use a definition for electoral democracy which includes:

  1. A competitive, multiple party political system,
  2. Universal adult suffrage,
  3.  Regularly contested elections conducted on the basis of secret ballots, reasonable ballot security and the absence of massive voter fraud, and
  4. Significant public access of major political parties to the electorate through the media and through generally open political campaigning.

Going back to the Negev Summit, I should mention that I was watching it on Al Jazeera’s English channel, which as I said was doing a live broadcast wrapping up the summit. This is the channel which is owned by the Qatar government, which is considered an authoritarian regime because of its leader. But Qatar is on the upswing: the report shows a steady increase in their index since it began. I have been watching more of their coverage because they do a really good job of reporting from all sorts of places around the world (they had two reporters at the summit, for example).  At one point, the analyst from the channel being interviewed mentioned how Ben-Gurion was also the leader of many attacks on the Arab residents in the early years of Israel’s independence, a point of view that I hadn’t previously considered.

Ok, now time for the list, from most to least (with their rankings from the Economist report, where the lower number means more democratic):

  1. Norway (1)
  2. USA (26)
  3. Moldova (69)
  4. Qatar (114)
  5. Rwanda (127)
  6. Laos (159)

Avast blog: Watch out for browser-in-the-browser attacks

A man-in-the-middle (MITM) attack consists of a victim, a website the victim would like contact with (such as a bank), and the attacker. The attacker inserts themselves between the victim and the targeted website with the intention to steal personal information such as login credentials, or bank account and credit card numbers. MITMs have consistently been an active development strategy for hackers.

There are several different types of these attacks, including ones that involve running software on a webpage that can infect your computer through your browser. One of them is gaining traction (from the attackers) and is what one security researcher calls browser-in-the-browser. The idea here is that a hacker can write some JavaScript code to present a pop-up window that is another phishing phony to lure you into typing your account information. Look at the two screens reproduced above: it is hard to figure out which is real and which is a threat.

I wrote about this for Avast’s blog here. One way to prevent this exploit is to use a secure browser (such as one from Avast or Brave).