418 I'm a teapot

2022-02-25 Thread William Waites
Yesterday, as Russia began its invasion of Ukraine, some people on the Internet
noticed a strange thing. I'm not going to comment on the big picture except to
say that the situation is terrible, the invasion criminal and the failure of
other countries to do anything meaningful to stop it, reprehensible. Nor will I
attempt to expound on how the conditions for this to happen came to exist; there
are plenty of people who know more about that than I do. Instead, I will examine
this strange detail that will surely be just a minor footnote in this terrible
conflict, try to explain what it means, and, at the end, indulge in some hopeful
speculation into how it got there.

The web site of the Russian Ministry of Defence looks like it's "down" from the
perspective of nearly everyone outside of Russia and a small number of other
countries. If you point a web browser at it right now, you'll get a blank page.
But the _way_ that it is down is interesting. If you look closely, you'll see
that it is producing an error code 418. This can be reproduced more clearly
with a tool like [curl(1)]:

```
% curl -I https://mil.ru/
HTTP/1.1 418 
Date: Fri, 25 Feb 2022 19:23:07 GMT
Content-Length: 0
Connection: keep-alive
Server: Ministry of Defence of the Russian Federation
```

All successful conversations between your web browser and a web server include
a [status code]. A status code is a three digit number, and it has meaning. If
it starts with a 2, like 200, that means everything is ok, and you'll get a web
page along with it to look at. If it starts with a 3, that means whatever you're
looking for has moved somewhere else and you'll be redirected there. If it
starts with a 4, it means you've done something wrong. Maybe you've asked for
something that's not there and you'll get 404 which means "Not Found".

So far so good. The Russian MoD is telling us we're not allowed to look
at their web site, right? If that were the case, the natural choice would be 403
which means "Forbidden" or perhaps 410 which means "Gone". But 418 is a strange
one. It means "I'm a teapot". It comes from April Fool's day 1998 when the 
IETF published their traditional joke standard ([RFC2324]), in that case about
connecting coffee pots to the Internet. As the joke goes, if you've connected
a teapot instead, you should get an error: *418 I'm a teapot*.

But there's another layer. In colloquial Russian, to be a teapot (чайник) 
means, approximately, to be computer illiterate. The connotation is slightly
different than the English term though it unambiguously suggests ignorance of
how a computer system works. So is the Russian Ministry of Defense claiming to
the outside world that they are computer illiterate? Do they have a geeky,
impish, self-effacing sense of humour? That seems a little implausible...

## Who is a teapot?

We can find out a little more about what's going on with some simple tools.
This teapot message either originates on the Ministry of Defense's web server
itself, or somewhere fairly close by since, by all accounts, nearly everyone
sees the same thing. To find this out, we can find out what actually answers
a TCP connection on the HTTPS port using [tcptraceroute(1)],

```
# tcptraceroute mil.ru 443
Tracing the path to mil.ru (82.202.190.92) on TCP port 443 (https), 30 hops max
 [...]
 8  uk-lon03a-ri2-ae-2-0.aorta.net (84.116.135.46)  28.784 ms  19.933 ms  24.521 ms
 9  ae16-209.RT.TC2.LON.UK.retn.net (87.245.245.22)  26.014 ms  24.460 ms  47.426 ms
10  ae1-3.RT.OK.MSK.RU.retn.net (87.245.232.7)  66.608 ms  67.573 ms  67.430 ms
11  GW-Indrik.retn.net (87.245.253.219)  69.701 ms  67.521 ms  68.754 ms
12  * * *
13  82.202.190.92 [open]  66.221 ms  -9016.769 ms [closed]  -8215.307 ms
```

Without belabouring the details of how to read a traceroute, and eliding the
parts closest to my computer, the path goes clearly over a major backbone
provider, RETN, from London to Moscow and then to something called the Indrik
gateway. Nice bit of mythology there. [Indrik] is a kind of chimeric
bull-deer-horse-unicorn beast from Russian folklore. There's another hop not
responding after
that, and then an answer. The round trip time to the last hop, which has the
same address as what we asked for, 82.202.190.92, the address of mil.ru, is
plausible. So whatever response we're getting, it's coming from Moscow, and
it's coming from the place that whoever operates mil.ru intends.

That address, 82.202.190.92, however, is not owned by the Russian Ministry
of Defense. It is part of a [network] that belongs to Kaspersky Labs. I did not
realise before looking into it just now, but Kaspersky appears to operate a
substantial amount of network infrastructure. They're not just a software
company. If an intruder had done this to embarrass the Russian Ministry of
Defense, I would have expected it to be noticed and fixed by now.

So we're left with two possibilities that I can think of. Either the MoD
is in on the joke or they are not. It's hard to believe that
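
The two checks in the post above (what the server answers, and whether the answer really comes from the address that was asked for), combined into one script as an added example that is not part of the original message. It parses the `curl -I` and `tcptraceroute` output quoted in the post; the function names, the 10 ms slack and the discarding of negative round-trip times are assumptions of this example.

```python
import re

# Output copied from the post above (wrapped lines rejoined, elided hops left out).
HEAD_RESPONSE = """\
HTTP/1.1 418 
Date: Fri, 25 Feb 2022 19:23:07 GMT
Content-Length: 0
Connection: keep-alive
Server: Ministry of Defence of the Russian Federation
"""

TRACE = """\
Tracing the path to mil.ru (82.202.190.92) on TCP port 443 (https), 30 hops max
 8  uk-lon03a-ri2-ae-2-0.aorta.net (84.116.135.46)  28.784 ms  19.933 ms  24.521 ms
 9  ae16-209.RT.TC2.LON.UK.retn.net (87.245.245.22)  26.014 ms  24.460 ms  47.426 ms
10  ae1-3.RT.OK.MSK.RU.retn.net (87.245.232.7)  66.608 ms  67.573 ms  67.430 ms
11  GW-Indrik.retn.net (87.245.253.219)  69.701 ms  67.521 ms  68.754 ms
12  * * *
13  82.202.190.92 [open]  66.221 ms  -9016.769 ms [closed]  -8215.307 ms
"""

STATUS_CLASSES = {"1": "informational", "2": "success", "3": "redirection",
                  "4": "client error", "5": "server error"}
STATUS_RE = re.compile(r"HTTP/\d(?:\.\d)?\s+(\d{3})\s*(.*)$")
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
RTT_RE = re.compile(r"(-?\d+(?:\.\d+)?) ms")


def parse_head(raw):
    """Parse a status line plus headers as printed by `curl -I`."""
    lines = raw.strip().splitlines()
    m = STATUS_RE.match(lines[0])
    if not m:
        raise ValueError("not an HTTP status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    code = m.group(1)
    return {"status": int(code), "reason": m.group(2).strip(),
            "class": STATUS_CLASSES.get(code[0], "unknown"), "headers": headers}


def parse_trace(raw):
    """Return (target address, hop list) from tcptraceroute output."""
    lines = raw.strip().splitlines()
    target = IP_RE.search(lines[0]).group(1)
    hops = []
    for line in lines[1:]:
        m = HOP_RE.match(line)
        if not m:
            continue
        rest = m.group(2)
        ip = IP_RE.search(rest)
        # Assumption: negative times are measurement artefacts, so drop them.
        rtts = [float(x) for x in RTT_RE.findall(rest) if float(x) >= 0]
        hops.append({"ttl": int(m.group(1)), "ip": ip.group(1) if ip else None,
                     "rtts": rtts, "open": "[open]" in rest})
    return target, hops


def assess(head_raw, trace_raw, slack_ms=10.0):
    """Summarise what answered and whether it plausibly sits at the target.

    A device answering on the target's behalf from somewhere nearer to the
    client would show a final round-trip time well below that of the last
    router that responded before it; slack_ms (assumed) allows for jitter.
    """
    head = parse_head(head_raw)
    target, hops = parse_trace(trace_raw)
    answering = hops[-1]
    earlier = [h for h in hops[:-1] if h["rtts"]]
    prev_rtt = min(earlier[-1]["rtts"]) if earlier else None
    last_rtt = min(answering["rtts"]) if answering["rtts"] else None
    return {
        "status": head["status"],
        "status_class": head["class"],
        "empty_body": head["headers"].get("content-length") == "0",
        "server_banner": head["headers"].get("server"),
        "answer_from_target": answering["ip"] == target and answering["open"],
        "rtt_consistent": (prev_rtt is not None and last_rtt is not None
                           and last_rtt >= prev_rtt - slack_ms),
        "silent_hops": [h["ttl"] for h in hops if h["ip"] is None],
    }


if __name__ == "__main__":
    for key, value in assess(HEAD_RESPONSE, TRACE).items():
        print("%-20s %s" % (key, value))
```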

Re: The Left Needs a New Strategy

2021-01-15 Thread William Waites
Dmytri Kleiner  writes:

> Federated small groups with voluntary structures that analyze and
> iterate. [...] The trouble is the western left has mostly abandoned
> this strategy in favour of third party "advocacy" or "mobilizing" or
> other punditry and doesn't want to be on the same team as the global
> left.

These days I spend most of my time in some sort of no-man's land between
theoretical computer science and applied mathematics. I don't know much
about the philosophers that you quote. I think you are relying too
heavily on names and labels at the expense of simple ideas which might
make what you are saying inaccessible to many people. At least for
people like me with memories like sieves through which famous names
immediately fall, it can be difficult to keep track of what you are
talking about.

Nevertheless, I think I can recognise the pattern that you are
describing.

The kind of iterative process that you describe can be observed
throughout nature. It's a way of doing optimisation. There's something
that we want to optimise, perhaps a personal notion of fitness or
well-being in the game theoretic sense, perhaps out of a sense of
altruism it's the average fitness of the group, or the society or the
world. It would be useful to articulate specifically what you think
we should be optimising for -- I don't think that you have done that.

Your iterative process is a kind of evolutionary algorithm. The system
is far too complicated to immediately know what immediate action is
going to make things better, so we try a strategy, evaluate the fitness,
change the strategy a bit (or completely), and repeat. We can change
strategy smoothly, a little more of this, a little less of that, or we
can mutate the strategy radically. We can copy what appears to us to be
the strategies that are successful. Over time, generations, the
prevailing strategies shift and the global landscape changes. This is
nothing more than the process of evolution. Bacteria do it, virii do it,
animals and plants do it, all organisms including humans do it.

Humans are a bit different because we can consciously change strategies.
This means change can happen on much shorter time-scales than, for
example, genetic evolution.

Can we see why pundits of the western left, as you put it, appear to be stuck
in a local optimum? Well, that's just it. There's not a huge amount of
pressure to do things differently. Small changes in strategy don't
appreciably change where we are, and where we are is pretty comfortable.
Large changes tend to become very uncomfortable very quickly. We are in
a deep potential well with very tall and steep sides. The energy needed
to get out of it is very large indeed.

Discomfort far away is hard to feel here. To the extent that we are
conscious of it, any local change that we make has at most a small
effect on it on the time-scale on which we make decisions and change
strategies. This small effect is not enough to get us up and over the
sides of the well to some place different.

So here we sit at the bottom of the well. The western left as you
describe it cannot be a source of change.

QED
#  distributed via : no commercial use without permission
#is a moderated mailing list for net criticism,
#  collaborative text filtering and cultural politics of the nets
#  more info: http://mx.kein.org/mailman/listinfo/nettime-l
#  archive: http://www.nettime.org contact: nett...@kein.org
#  @nettime_bot tweets mail w/ sender unless #ANON is in Subject:


Marcel Salathé: I fear we will need stronger measures

2020-03-26 Thread William Waites

Marcel Salathé: I fear we will need stronger measures

Interview by Sylvie Logean for Le Temps
Original: 
https://www.letemps.ch/sciences/marcel-salathe-crains-ne-devions-aller-vers-mesures-plus-strictes
Translation by William Waites
2020/03/25

EPFL professor expresses his frustration about the authorities'
management of the COVID-19 crisis. Despite the appeals of experts as
early as January, the Swiss authorities were slow to act, losing
precious time. 

  [photograph of Marcel Salathé]
  Marcel Salathé, professor at EPFL, believes that, when it comes to the
  authorities, "we are dealing with a kind of magical thinking, a kind
  of hope that the situation will spontaneously improve".

The director of the Digital Epidemiology Laboratory at the Biotech
Campus in Geneva and professor at the École Polytechnique Fédérale de
Lausanne closely follows the COVID-19 pandemic across the world with
machine learning tools. For him, it was clear several weeks ago that we
would be facing a dramatic situation. He doesn't hide his frustration
with the authorities who, despite the appeals of experts, have been slow
to act. 

Le Temps: several scientists tried to alert the authorities very
early about the health emergency, in Switzerland and elsewhere, that
the exponential growth of the COVID-19 epidemic would represent. Why
did they take so long to react? 

Marcel Salathé: I think that's an eminently political question. We were
working on these questions already in January and we were able to
predict what was going to happen. Based on what happened in Wuhan, we
could see, in effect, that the number of infected people was following a
nearly perfectly exponential curve. At the same time, given our
vulnerability to this virus and a lack of preventative or therapeutic
treatments for it, we knew that the situation would be very difficult to
manage, even more so when the epidemic spread to Iran and Italy despite
the confinement measures taken in China. 

These were the observations that made us raise the alarm at the end of
January. Unfortunately, we were not taken seriously then and received no
support from the political class. In the eyes of many, we were simply
being alarmist. 

On your Twitter account, you recently expressed your loss of
confidence in the political arena... 

I understand that it's difficult to reconcile all the different existing
interests, to find the right equilibrium. But I was particularly shocked
by the lack of appreciation for the work of Swiss scientific experts
that weren't, at any time, involved in the decision-making process. I
expected the political actors to take the threat seriously, that the
authorities would strongly attack the situation from the beginning, but
this was not the case, which is terribly frustrating. 

Our objective is still not, today, to point the finger, but to face this
crisis together. This is why we have created, with a team of scientists,
a volunteer task force with the goal of producing studies that can be
useful for the authorities. Happily, in the past few days, a
communication channel seems to have been opened. It is a narrow channel,
but at least it exists. 

In your opinion, did the Federal Council try to appear too
reassuring to the population? 

I think rather that part of our leaders did not, at that time, grasp the
true gravity of the situation. This observation, valid for Switzerland,
is also true for nearly all European countries as well as the United
States, which, unlike the Asian countries, haven't lived through the
trauma linked to the preceding SARS-CoV-1 and MERS epidemics. 

We also need to mention that, among the countries which reacted
inadequately, Switzerland nevertheless rapidly decided to impose
courageous measures, forbidding, for example, gatherings of more than
1000 people. Despite this, we lost precious time. 

Seen from outside, the strategy of the Federal Council still doesn't
seem clear. What model are they working from to face this pandemic? 

That's a question for which I don't have a precise answer. For now, the
Federal Council seems to be applying what I call the "salami technique",
which consists of cutting a certain number of measures into fine slices,
stronger and stronger, with the goal of obtaining more acceptance from
the population. Globally these are good measures, but are they really
sufficient? 

My impression is that the authorities seem to believe that it will still
be possible to manage the situation by compromise. We are faced with a
sort of magical thinking, a form of hope in the possibility of a
spontaneous improvement in the situation, like we observe with seasonal
flu. We don't know yet if this is really possible, but the example of
Italy shows us that it certainly won't happen. That's the reason why I
fear that we will need a much stricter lock-down.

To some experts, the

Re: Should use mobile phone data to monitor public health

2020-03-22 Thread William Waites
James Wallbank  writes:

> And, shockingly, the value of a lawyer who is not working is,
> apparently, greater than the value of a waste disposal worker who is
> working!

Necessary to point out that, at least as of now, lawyers, especially
junior ones taking legal aid cases, are being required to keep working:

http://www.younglegalaidlawyers.org/COVID19pressrelease

Also the wage subsidy is capped at just above the median wage, so it's
not quite as wildly unequal as you suggest. Though I agree that it would
be better to just treat everyone who is not working equally.

Best wishes,
-w




Re: Should use mobile phone data to monitor public health efforts?

2020-03-18 Thread William Waites


Felix Stalder  writes:

> So, is there a possibility to use this data without it turning
> it into an authoritarian power grab? I think there is, under the
> following guidelines:
>
> - Data needs to be deleted after immediate purpose of the analysis
> has been achieved.

The thing is these data are as much necessary for trying to do
immediate contact tracing as they are for post-hoc analysis and
development and validation of new analysis techniques. These are
very important. We can't just rely on non-reproducible analyses that
can't be checked because the data has been deleted. Some of this only
requires an anonymised version of the data, but we also know that
doing that right is very hard.

> - The analysis needs to be restricted to questions developed by
> an external team. So, no fishing simply because the data is now
> available. Mission creep is very often a problem.

For sure, but see above.

> - Questions, methods and results of the analysis need to be published
> after the fact. This will allow public appraisal of the legitimacy of
> the program.

Absolutely.

> - Data needs to be made available to at least two teams that are
> completely independent from one another. This will allow for the
> cross-examination of the quality of the different approaches.

Anonymised data, if we can make such a thing, should be made completely
open and then all the usual activity of analysing and modelling it in
different ways can happen.

For the personalised data, I agree with you, but it should be at least
three teams because if you have two analyses that disagree, it's hard to
tell which one is wrong.

Best wishes,
-w



Re: rage against the machine

2019-03-29 Thread William Waites
> To my limited understanding, the black box in the airplane is not a
> device to limit the complexity of the pilots' interaction with, or
> understanding of, the plane by reducing a complex process to a simple
> in/out relationship.
> 
> No, it's a flight recorder. During the flight, it has no output at all,
> and in no way influences the processes of flying. It simply records
> certain signals, including voice signals.
> 
> The plane would fly in exactly the same way if it wasn't there.
> 
> In this sense, it's a forensic, not a cybernetic tool. And as that, its
> function is actually exactly the opposite. It's a tool designed not to
> hide but to reveal complexity, to make transparent what happens inside
> the cockpit.

It seems to me it is a question of where you draw the system boundary. If the
system is an aeroplane that is flying, then the recording device is not part of
the control loop and it is not a cybernetic tool in that context. If the system
is the one that adjusts and optimises designs according to successes and
failures, then the recording device definitely is part of the control loop and
it is a cybernetic tool.

Best wishes,
-w



Re: Why I won't support the March for Science

2017-04-24 Thread William Waites
> What it really needed for me to believe in the efficacy of science as a
> political force ...

When this event was advertised on a departmental mailing list here in
Edinburgh, it was specifically described to be "non-political". That struck
me as at best nonsensical but at the same time oddly revealing about
the current climate in this part of the world. Dangerous times, best keep
your head down, wait and see where the chips will fall etc.



Re: A Veillance Ansatz

2015-12-06 Thread William Waites
Hi John,

Yes, `social power' has a form a lot like `potential energy'. Confusing
choice of words here since `power' in physics means something quite
different. Also perhaps confusing was my choice of the symbol E for the
product which might normally be used for some kind of total energy. Well,
it's a work in progress.

The  immediate  reason  for  writing  this was  an  article  [1]  that
mentioned sousveillance but  used it wrongly. I had  been working with
Steve Mann around the time that he  coined the term, so I pointed this
out. What the article discusses is  more like isoveillance at best and
indirect surveillance at worst.  A minor quibble over choice of words,
not especially interesting.

More generally,  I've been  busy over  the past  years working  in the
background on collaborative Internet  infrastructure in remote places.
These  are  organised  roughly  along  venture  communist  lines,  and
although  they  generally would  not  use  that language  to  describe
themselves  they  owe a  great  debt  to  Dmytri Kleiner  and  others'
thinking. This project has been  quite successful at creating the part
of  the  Internet that  covers  a  large  geographical area  in  rural
Scotland,  complete  with  inter-network  peering   and   transit
relationships  and  a  distributed   exchange  point  presented  as  a
confederation to the outside world.

Sadly the extent to which the  Internet is under siege is increasingly
clear.  In  the UK  it may  soon become untenable  to work  to promote
access and collective ownership  and management of infrastructure. The
reason  is that  the  proposed  new laws  attempt  to conscript  these
operators into assisting with the surveillance project. The flavour of
this  is  yet   more  sinister  than  just  the   background  of  mass
surveillance (the flavour may have something to do with path integrals
of the veillance field equation).

Given these developments, it may be  best to redirect some effort away
from  infrastructure  development  and  towards  awareness   and
self-defence. The main line of work continues of course. In this light
the  previous  post  is  part  of the  process  of  understanding  and
articulating the  situation in which  participants in the  Internet (a
better term than `users') find themselves.

Best,
-w

[1] http://arstechnica.com/business/2015/12/new-open-source-license-plate-reader-software-lets-you-make-your-own-hot-list/




A Veillance Ansatz

2015-12-06 Thread William Waites
This short article is to try to put discussion about surveillance into
a theoretical framework. It is far from rigorous and is more a guide to
a certain way of thinking about the topic.

The word  `sousveillance', coined  in the  late 90s  by Steve  Mann in
analogy with `surveillance'  was meant to invert  the prevailing power
dynamic.  The  canonical  example  being the  hypothesis  that  giving
cameras to homeless  people would make it less likely  that they would
be beaten by police. The `veillance'  or watching was in the direction
from less to greater power.

Locally, at any point in space, we can write the veillance equation:

   E = V·∇P

This is a compact way of saying that supposing we can assign a `social
power'  to every  point  in  space, we  can  then  find, with  certain
technical assumptions, the direction and magnitude of greatest change,
∇P. This is  the power gradient. It  points up the hill  from the less
powerful to the more powerful.

Equally,  following Mann  [1] we  can form  the `sight'  or `veillance
intensity' vector V at that point. This is the direction and intensity
of watching emanating from there. It is  the sum of all the gazes that
pass through that  point. The · symbol means inner  product which is a
way of multiplying vectors such that  the result is a single number, a
scalar, that says how well aligned V and ∇P are.

The result,  E, is the amount  of `veillance' happening at  that point
scaled  according to  the disparity  in power  at that  place. We  can
further take  the integral over a  region in space, ∫Edv,  to find out
the aggregate amount, and nature of veillance in that region.

The sign of  E is instructive. If  it is positive, the  total gaze and
the  power   gradient  are   aligned.  In   this  situation   we  have
`sousveillance', the  weak watching the  powerful. If it  is negative,
the direction is reversed, with  the powerful watching the weak, which
is `surveillance'  as the word is  normally used. If it  is zero, then
the gaze  is among peers  with no disparity  in power. Making  a short
film of a birthday party perhaps. This is `isoveillance'.

The magnitude of E has an  interesting interpretation. It can be small
or zero in three circumstances: when  the power gradient is zero, when
there  is nobody  watching, or  when watching  is only  directed among
equals.  In other  words this  might happen  in either  or both  of an
egalitarian   society   or   a   society  without   either   sur-   or
sous-veillance.

On the other  hand if E is  some non-zero value, the  larger the power
gradient, the  smaller the  amount of watching  necessary to  get that
particular value and  vice-versa. If E is interpreted as  some sort of
measure of  the effect  on society of  veillance, then  taken together
with its sign, if there are great power disparities, a small amount of
surveillance has  a large negative  effect, whereas a small  amount of
sousveillance has a  large positive effect. In  less unequal societies
it takes more veillance activity to achieve the same thing.

This theory  of veillance  does not take  into account  the following,
important, phenomenon. Suppose  Alex takes a video of  Larry at dinner
one night to  remember a pleasant evening by. On  the surface we could
imagine that this is simply isoveillance. A harmless activity. However
Alex is in the habit of using  a server owned by Gerald to store these
video-memories. Gerald is in a position  of privilege and power and if
he looks  at the  video, he  is committing  surveillance on  Larry and
using Alex as an unwitting accomplice.

Similar indirect or hidden surveillance -- implying that E should be a
large  negative  number   --  is  possible  in  a   variety  of  other
circumstances  as well.  For  example  even if  Alex  did not  entrust
video-memories  to Gerald  for  safe-keeping, a  state could  covertly
steal them or force Alex to hand them over.

This indirection, veillance happening through several hops, means that
in calculating V it is necessary to sum up the indirect gazes as
well. Indeed it is necessary to know all possible paths for
information to pass from Larry to Gerald, together with their
bandwidth, in order to find out the amount of veillance being
committed by Gerald on Larry. This isn't so obvious at first glance.

It is also  not obvious that it  is well-defined to speak  of a `power
field' with a value at every point in space. Certainly it is plausible
that we could associate a number representing some notion of power for
every person, and for every pair  of people a difference between these
numbers, but to  arrive at something like a gradient  we need a notion
of distance between  them. Two candidates are  physical distance which
has the  advantage of  being continuous, or  distance across  a social
graph which would take more work.  People, of course are discrete, not
continuous entities, so we might  speak of the

Re: What should GCHQ do?

2015-05-25 Thread William Waites
On Sun, 24 May 2015 22:09:00 -0400, "t byfield"  said:

> I'm skeptical about crypto absolutism because one of its first
> effects would be, in effect, to *privatize* everything. 'Public'
> would be reduced to whatever was cracked or leaked

As was pointed out to me on IRC, and I agree and tried to include this
point, the main problem is that most people cannot accurately
distinguish between public and private when it comes to
communication. The way the network treats their data often does not
match their intentions. 

Most often this happens in the direction of mistakenly making
something public that was intended to be private such as a message
between you and your spouse. It can happen in the other direction
too, but the situation is not symmetric: you can publish things that
were once private but you cannot unpublish things. 

> But I do think that the growing 'moral' push toward secure
> communications is troubling, and that preserving 'insecure'
> communications channels as a legitimate choice is vital.

Publishing something -- making it public -- is one thing. This message
is public. However the act of publishing, and the act of reading can
be private. In sending this message, some details about exactly where
and how and by whom it was sent are obscured. In my case it doesn't
really matter much. I even put my real name on it and anyone who wants
to find me can easily do so. But for some people -- the prototypical
example being journalists in a hostile place -- it matters very
much. By arranging for it to be difficult to see, on the wire, what is
going on we help them because it means they do not stand out. That's
the moral argument.

Insecure channels generally are still opaque to most people. The only
ones who benefit from them are those in a privileged position to watch
what is happening on the wire. There is no practical difference to the
reader or author if a message is transmitted over a secure or an
insecure channel. It only matters to someone else who might be
watching.

Storage is a little different, but only a little. If you store your
information on a computer that you control then there is not much
benefit to encryption. Unless it is possible for someone else to come
to control it without your permission, and there are many ways that
this can happen. If you store your information on somebody else's
computer then you had better trust them and transitively anyone else
who is in a position to see their computer. Or you can ``trust the
math and the engineers''  as you put it.

But the thing is, you don't have to just trust the math. You can check
it for yourself. You can check the implementations by the
engineers. That's difficult and impractical for most people but it is
possible in principle. Maybe you have a friend that you trust who
tries to keep on top of these things. I am not a mathematician or a
cryptographer but I know some of them, and I find that in virtually
all cases I trust their *motivations*. They are human so there is a
gap between the theory and what is the case in the world, but we try
to narrow that gap. To me it seems better on average to place trust in
people who are in the business of clearly explaining things rather
than obfuscating and appealing to emotions in order to profit.

-w




What should GCHQ do?

2015-05-24 Thread William Waites
Edinburgh, May 24 2015

Back in late April, an invitation [1] was circulated around the School
of Informatics which asked academics for ideas about what projects
they should fund in the area of ``Cyber Defense''. Presumably the same
invitation went out to various universities and other organisations. I
was very much conflicted about whether to participate. On the one
hand engaging with GCHQ at all seemed like a bad idea. On the other,
it was an invitation to tell them directly what I think -- at least
then it could be said that they had been told. As it turns out, the
event was cancelled at the last minute with no explanation.

If the event had gone ahead, what would I have said? The topic was
defense, keeping infrastructure and such safe from attack. This part
of their job is different from the offensive surveillance (or
``signals intelligence'' in the jargon) programmes. So it stands to
reason that projects that would make their SIGINT job harder would
improve our defensive capabilities and make ``UK interests''
safer. After all, GCHQ are not the only ones with offensive
capabilities, but they're reputed to be pretty well developed so
trying to defend against them seems like a good tactic for improving
everybody's security. If GCHQ were to fund work in that direction,
they would be making a positive contribution to our collective
security. That's the argument in broad strokes.

What, specifically, could this mean? One thing is to figure out how to
get strong encryption used pervasively. The science is well
established, we have good (technical) quality software that does
encryption, but an alarming amount of communications still
happen in the clear -- both the content and the meta-data. Why is
this? Originally the answer may have been expense, doing encryption is
computationally more expensive than not doing it. But that is no
longer much of a concern. Computers are fast. Modern computers even
have hardware support for encryption (how trustworthy that hardware
support is is another important thing to look at). Another answer is
that using encryption is difficult. But we know how to make simple,
pleasant and natural user interfaces, surely if serious effort were
brought to bear this too could be overcome.

The answers probably lie in psychology, sociology and economics. The
false argument that only criminals need privacy, and they don't
deserve it, still convinces many people. Worse, the intuition of the
average user about the security properties of their actions does not
match the reality. This leads to people typing their lives into
Facebook under the mistaken impression that this is somehow a private
communication with their friends. How can this impedance mismatch of
intuition be improved? If it were improved, we could have an informed
population with an accurate perception of the on-line world, less
susceptible to many of the threats on the Internet. Surely the UK's
population is a ``UK interest''.

Furthermore such research could similarly improve the safety of others
outwith the UK since the Internet does not recognise the borders of
nation-states. The security of the global population is also in the UK
interest since a home computer somewhere in another country with a
virus can be used to attack something that the UK cares about. Better
that the owner of that home computer is educated and aware and follows
good practices by default so it does not become infected in the first
place. Of course this would limit the capabilities of agencies in the
UK to break into that computer (which, shockingly, is now completely
allowed [2]) but that is worth it because it is delusional to think
that any bug or exploit that allows that to happen will not be also
used by criminals or countries that the UK considers to be enemies.

The Internet today is incredibly centralised. In the UK,
infrastructure itself is heavily concentrated in London. A small
number of large companies are responsible for the lion's share of
traffic and activity. This concentration is a risk. It was not how the
Internet was conceived to operate. The risk comes because accidents,
disasters and bad actors have a relatively small number of
targets. The concentration makes mass surveillance easier but it also
makes revenue generation using advertisements (a common business model
among large Internet companies) possible. The value of such a company
is roughly proportional to the number of ``eyeballs'' it can sell to
advertisers, so there is a strong incentive to gather as many as
possible in one place. It's a lot harder to tailor advertisements if
the communication between these eyeballs is encrypted. Automated
analysis of behaviour patterns is more difficult and injecting
``relevant'' ads based on content is impossible.

And so we have arrived at the economic problem. The business model of
advertising has the same basic requirements as mass
surveillance. Thwarting one by decentralisation and ensuring
confidentiality of communications me

Re: Future Scenarios for a Collaborative Economy

2014-12-27 Thread William Waites
Salut Michel! Congratulations on the publication of your book. I would
like to read it but am concerned that I would have to break the law to
do it. Using Free Software on my computer to read it means breaking
the law because all of the distributors employ some sort of Digital
Restrictions Management. Is this the way Peer Production is meant to
Evolve Within Capitalism? Or am I Mistaken?

Greetings from Edinburgh,
-w




Google, PGP & the Metadata

2014-06-04 Thread William Waites
  Edinburgh, June 2014

Google has announced that they are working on a way to do PGP
encryption inside web browsers. When it's finished this means that, if
you use the GMail web site, your messages can be enciphered by your
web browser and deciphered by the person who is receiving the message
in their web browser or email program. This is a good thing, and
something that we have been trying to encourage for a long time
because the more encrypted messages flying around, the better. Right
now using encryption is like raising a flag and shouting "look at me".

But there are a few interesting observations to be made. The first one
is about Google's business model of data mining and advertising. If
they cannot read the messages, they cannot do this. Perhaps this is
changing. Perhaps the other revenue that they have has grown to the
point where they can afford to forego this extra source of
information. Perhaps emails read and written on mobile devices are
numerous enough -- they cannot use this facility yet without third
party programs -- that the traffic from the web site is small enough
to not significantly impact their bottom line. Whatever the case they
have made the judgement that the loss of visibility and ability to
derive revenue from the content of people's email messages is worth
the benefit of better privacy.

How are the keys kept secure? With PGP you have a public key and a
private key. The private key is meant to be kept private and is
normally stored somewhere and itself kept encrypted with some sort of
symmetric cipher using a passphrase. People do not, generally, like
typing in long passphrases so are likely to either use a weak one or
to have it stored in the clear or at best protected by whatever
mechanism they normally use on their computer or phone (when this
stuff is available for phones). The poor state of endpoint security
and prevalence of all sorts of automated exploits and phishing used to
retrieve information from people's computers and telephones means that
we can expect an increase in this kind of activity. The black market
price for exploits of this kind might rise and the botnets used to
deliver them grow in size.

Another weakness arises from considering how Google might handle a
warrant or order requiring them to divulge the content of
messages. When using a web site such as GMail a lot of proprietary
JavaScript software is delivered to the browser to run. It is quite
conceivable that they add a function to encrypt messages to an
additional, hidden, recipient. It is easy enough with the OpenPGP
protocol to make the web browser add a recipient and then to strip it
out within Google before sending the message along without violating
the integrity of the message. That way the recipient would be unaware
that the message had been intercepted. Simple. With some cleverness
and a pocket certificate authority the same thing could be done with a
man in the middle setup by a nefarious third party. The moral here is
trusting secure communications to proprietary software delivered "as a
service" is foolish.

And the elephant in the room is the metadata. It is well known that
PGP does not address keeping the sender and recipient of messages
confidential. They could not be delivered as email otherwise. This
information, coupled with other sources such as location and search
history and so forth, the so called "pattern of life" analysis that we
have been hearing about recently, is very valuable. To Google perhaps
it is sufficiently valuable to overcome the loss of information from
mining the content itself. Certainly it is revealing enough that
though it might hamper those organisations engaged in "full take"
recording of every bit sent along important paths it is likely to do
so only slightly. To fix this we need to also replace our aged email
protocols.




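A sender-side check for the hidden-recipient concern raised in the message above, added here as an example and not part of the original post: it walks the packets of a binary OpenPGP message and reports any key ID in a public-key encrypted session key packet that the sender did not intend. The sample message and key IDs are constructed, and only RFC 4880 version 3 session key packets are handled.

```python
import struct

PKESK = 1  # Public-Key Encrypted Session Key packet tag (RFC 4880, 4.3)

def _take(data, pos, n):
    """Return data[pos:pos+n], refusing to read past the end of the input."""
    if pos + n > len(data):
        raise ValueError("truncated OpenPGP packet")
    return data[pos:pos + n]

def read_packets(data):
    """Yield (tag, body) for each packet in binary (unarmored) OpenPGP data."""
    pos = 0
    while pos < len(data):
        first = data[pos]
        pos += 1
        if not first & 0x80:
            raise ValueError("not an OpenPGP packet header")
        body = b""
        if first & 0x40:  # new-format header: tag in the low six bits
            tag = first & 0x3F
            partial = True
            while partial:  # partial-length chunks end with a definite length
                o1 = _take(data, pos, 1)[0]
                pos += 1
                partial = 224 <= o1 < 255
                if o1 < 192:
                    length = o1
                elif o1 < 224:
                    length = ((o1 - 192) << 8) + _take(data, pos, 1)[0] + 192
                    pos += 1
                elif o1 == 255:
                    length = struct.unpack(">I", _take(data, pos, 4))[0]
                    pos += 4
                else:
                    length = 1 << (o1 & 0x1F)
                body += _take(data, pos, length)
                pos += length
        else:  # old-format header: tag in bits 5-2, length type in bits 1-0
            tag = (first >> 2) & 0x0F
            ltype = first & 0x03
            if ltype == 3:  # indeterminate length: runs to end of input
                length = len(data) - pos
            else:
                width = (1, 2, 4)[ltype]
                length = int.from_bytes(_take(data, pos, width), "big")
                pos += width
            body = _take(data, pos, length)
            pos += length
        yield tag, body

def recipient_key_ids(data):
    """Key IDs named in the message's version 3 PKESK packets, in order."""
    return [body[1:9].hex().upper() for tag, body in read_packets(data)
            if tag == PKESK and len(body) >= 10 and body[0] == 3]

def unexpected_recipients(data, intended):
    """Key IDs the message is encrypted to that the sender did not intend."""
    allowed = {k.upper() for k in intended}
    return [k for k in recipient_key_ids(data) if k not in allowed]

def _pkesk(key_id_hex, old_format=False):
    # Constructed packet: version 3, key ID, algorithm 1 (RSA), dummy 8-bit MPI.
    body = b"\x03" + bytes.fromhex(key_id_hex) + b"\x01" + b"\x00\x08\xaa"
    header = 0x84 if old_format else 0xC1
    return bytes([header, len(body)]) + body

# Constructed sample: two recipients, then a tag 18 encrypted-data packet
# holding placeholder bytes (not real ciphertext).
SAMPLE = (_pkesk("1111111111111111") + _pkesk("2222222222222222", True)
          + bytes([0xD2, 5]) + b"\x01\xde\xad\xbe\xef")
```

The key IDs in these packets are usually those of encryption subkeys, so the intended list should hold subkey IDs. An all-zero key ID marks a recipient whose identity is withheld and is reported as unexpected unless it is listed.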

Surveillance in Scotland -- More of the Same

2014-05-21 Thread William Waites

   Edinburgh, May 2014

There is a petition [1] in front of the Scottish Parliament to
conditionally grant Edward Snowden asylum should Scotland become
independent. This presented an interesting opportunity yesterday for
the parliament -- or individual politicians -- to take a position on
what is probably the most significant issue of this generation: the
transformation of society through ubiquitous surveillance. This topic
has been conspicuous by its absence from the independence debate so
far and the parliament missed its chance.

Several of the MSPs on the committee were sympathetic to the idea, but
the discussion soon degenerated into the technicalities of extradition
and missed the point. They chose to focus on the fact that the Scottish
Government Whitepaper says that it intends to maintain current
extradition arrangements [2] and so the actual taking up of an asylum
offer might be unlikely, and in any case would have to wait until 2016.
The point that the gesture itself would be significant was largely
ignored.

What could be the reason for this? The whitepaper also says that the
organisation of the security and intelligence services will be
primarily done with guidance from the UK. Given the level of overreach
and probable illegality [3] that has been engaged in by the UK, this
is a poor model for an independent Scotland to copy.

If one were feeling cynical and disillusioned with politicians, it
almost seems as though the apparently sympathetic words by some of the
committee members may have been designed to create the impression of
responsiveness to a petitioner who brought a serious public grievance
before them, along with something concrete that they could do about it
whilst doing nothing about it.

There was never any intention of doing anything about it because --
and I hope that I am wrong about this -- one thing that both the
Scottish and the UK governments agree upon is that the citizens of
Scotland will remain under constant surveillance no matter the outcome
of the vote on September 18th.

[1] http://www.scottish.parliament.uk/GettingInvolved/Petitions/asyluminscotlandforedwardsnowden
[2] http://www.scotland.gov.uk/Publications/2013/11/9348/11
[3] http://kingsreview.co.uk/magazine/blog/2014/05/21/2014-the-return-of-big-brother/




BCP 188: Pervasive Monitoring Is an Attack

2014-05-13 Thread William Waites
Just now from our engineers:

http://www.rfc-editor.org/rfc/rfc7258.txt

Internet Engineering Task Force (IETF)                        S. Farrell
Request for Comments: 7258                        Trinity College Dublin
BCP: 188                                                   H. Tschofenig
Category: Best Current Practice                                 ARM Ltd.
ISSN: 2070-1721                                                 May 2014

Abstract

   Pervasive monitoring is a technical attack that should be mitigated
   in the design of IETF protocols, where possible.

...




Re: Harassing People for Watching a Movie in a Cinema

2014-01-22 Thread William Waites
We used to say, back when collaborating with Steve Mann in the late 1990s,
that it isn't a camera, it's a visual memory prosthetic. I think it's an
accurate description. 

It's disappointing that the writer was intimidated into giving up all of
his memories to the police in order to clear his name under a presumption
of guilt.

On Wed, Jan 22, 2014 at 01:07:38PM +0100, Felix Stalder wrote:

> I remember, a couple of years ago, Sebastian Luetgert speaking about the
> real frontier of copyright wars being personal memory. That if you
> really want to enforce copyright, you have to force people to forget, to
> erase from memory, say, films immediately after watching them.
 <...>




Re: Privacy, Moglen, @ioerror, #rp12

2012-05-09 Thread William Waites
 > For what it's worth, the *original* Internet (okay, ARPANET) was
 > quite "centralized" and, in fact, had "surveillance" (albeit of a
 > very small group of researchers who had grown reluctant to travel
 > to "brain-storm") as (one of) its primary goals.

This is a strange thing to say. Centralised in its funding, in the
early days, sure. Centralised architecturally? Not so. Small enough to
easily hold in your head? Sure but that didn't last long.

 > By the time I brought AOL public in 1992, its entire profits were
 > the result of HOT CHAT, which was superseded by AOL becoming the
 > primary site for accessing PORN sites, since they had the largest
 > server-farm and, therefore, the most room to cache "pictures."

So porn figures importantly in the demise of usenet. Here I disagree
with Dmytri's implication that usenet died because of its
decentralised nature. As I remember it, being a sysadmin and network
engineer, it was more a simple question of expense of running a full
feed. alt.binaries was big. The news server took a lot of disk space
and consumed a lot of bandwidth and accounted for a small portion of
revenue. The decisions at ISPs to stop running news servers were taken
pretty much on those terms and had little to do with thinking about
centralisation or lack thereof.

The reasoning that said that running a web site and trying to keep the
eyeballs to sell to investors was a better model than things like
usenet was after the fact. It was a line of thinking that happened at
the financier level, after all it wasn't an either-or question for the
ISPs who were, in general, in the business of infrastructure not
running web sites.

 > So, there's "surveillance" (like the don't pass go, directly to
 > jail type -- for instance) and the "I've got all your clicks but
 > don't know what to do with them" type -- which is exactly where
 > Google and Facebook are today and will likely be 10 years from now.

These two kinds of surveillance fit neatly into the ISP and the web
site categories. The former is getting ridiculous. Here (UK) we seem
to have taken some bizarre and dangerous position that Orwell's novel
is more of an instruction manual than a cautionary tale. For example a
recent report from a parliamentary enquiry [1] is seriously suggesting
an Opt-In content filtering scheme to be implemented by the
providers. Think about it. We already have passive surveillance and
DPI, but now we have to raise our hand and ask permission to look at
anything that some civil servant thinks might be objectionable.

This drives centralisation in the infrastructure. These measures are
expensive computationally and administratively. A network operator
might rightly think it is easier to manage such things centrally.

The latter, "I've got all your clicks but don't know what to do with
them although I'm pretty sure they're useful or valuable in some way"
is what drives the centralisation of the web services.

The previous iteration, where users were expected to consume but not
produce, and we had traffic flows that went from the big web sites to
the eyeballs but not in the opposite direction also drove
centralisation, aggregation of demand in the infrastructure.

Thankfully this is beginning to change as people start posting more
pictures and movies and stuff on web sites (however centralised they
may be). Because it starts to mean that the asymmetry that was built
into the DSL networks when ADSL was chosen over SDSL starts to be less
practical. The structure of the network starts to become more
balanced. It starts to become practical to actually serve stuff from
your home computer and keep backups on your friend's because you trust
them more than some giant overvalued company that has little regard
for your interests. Same with passing messages to friends and
colleagues, where the path that a message takes mirrors more closely
the path that it would likely take with old-fashioned word of
mouth. The "cloud" starts to diffuse. "social networks" like facebook,
linkedin and google+ become redundant and wither away...

One can hope, right?

William Waites
Edinburgh


[1] http://www.claireperry.org.uk/downloads/independent-parliamentary-inquiry-into-online-child-protection.pdf



Re: Privacy, Moglen, @ioerror, #rp12

2012-05-09 Thread William Waites
 > Capitalism was invented for a "purpose" more-or-less by the same
 > people who gave us the 18th century (first) Industrial Revolution.
 > While corporations and usury had been around for a while, that
 > purpose was (roughly speaking) "industrialization."  Today the
 > Chinese call their system "state-capitalism," which given that they
 > are still industrializing makes a lot of sense.
 >
 > Industrialization raises living standards, increases population
 > density, improves health, lengthens life expectancy and generally
 > "helps" EVERYONE -- right?  Just look at Angus Maddison's charts
 > and graphs.

Here in Scotland where the steam engine and automatic loom weaving
things were invented and maybe where these ideas of capitalism and
industrialisation that you're talking about come from, these
developments came at a very great cost.

All of a sudden the mountainous landscape with poor quality soil that
was barely good enough for subsistence farming became useful - we
could graze sheep on it, and now that we had these fancy looms, we
needed more wool. Now just to get rid of those pesky unprofitable
crofters. So the country was purposefully depopulated, people exiled
either to North America or to cities like Glasgow.

This wasn't quite enough because some of this land was held in common,
so we invented property laws that said if your title was in the
registry in Edinburgh uncontested for some years, you owned it. Not
many peasants knew about this until it was too late and even so the
long journey to the capital to look for a piece of paper wasn't easily
made.

And when they concentrated in the cities, their teeth started falling
out. Yes, it's true. See they went from a diet consisting in large
part of oats to one consisting in large part of things like jam that
were now readily available, and I guess our knowledge of nutrition
back then wasn't what it is now.

The slums in Edinburgh, in the Old Town, along the Cowgate were at
that time hideous places to live. Disease-ridden and filthy. No
matter, the lairds had enough cash to drain the Nor' loch and build a
New Toun from scratch in the early 19th century with grand imposing
avenues and solid Georgian buildings.

It took a very long time for any increase in life expectancy to
materialise. There would first have been a significant decrease. And
when the situation improved it was partly due to better knowledge of
medicine and nutrition. The other part is, given the time lag, those
worst off were already dead or elsewhere so it's obvious that average
life expectancy would rise once the people dragging it down are gone.

To the extent that all this was mixed up with the politics of the day,
resentment was directed at the government in London and there were
some unsuccessful armed insurrections which led to brutal repression
and a campaign of cultural genocide from which the country has never
recovered.

To sell this, Sir Walter Scott, one of the greatest propagandists who
ever lived, invented the image of the Highlander as the noble savage
and together with Rabbie Burns founded the Scottish tourist industry
for a visit by King George to inaugurate the New Toun.

 > So, does "capitalism" still have a broad social *purpose* once a
 > significant level of industrialization has already been achieved?

I have a Harris tweed jacket that I like very much and wear almost
every day. I like to take the train. Did the history that brought
those things to me have to be a tale of depopulation, exile, disease,
famine, cultural genocide and concentration of wealth? I can't see any
reason why it had to happen that way.

 > Might the same "anti-privilege" politics that you champion be a
 > result of having already achieved "post-industrial" status --
 > personally and culturally?

200 years on, there is no longer much industry here to speak of. What
happens here is banking and tourism. There's an almost dead
shipbuilding industry and recently some resource extraction with the
North Sea oil. It's not a bad place to live, definitely
"post-industrial". I'm not an economist, but I suspect it is largely
financed by similar stories of industrialisation and wealth extraction
simply being replayed further afield, reaping the benefits of being
"first to market".

Comments on porn and surveillance to follow...

William Waites
Edinburgh

