
Reading List, April 2017

  1. Adam Carroll, When money isn’t real: The $10,000 experiment, in TEDxLondonBusinessSchool, 9 July 2015. [Online]: https://youtu.be/_VB39Jo8mAQ

    Adam Carroll presents an interesting point: we have abstracted money away through instruments such as credit and debit cards, NFC payment systems on our phones, and in-app purchases, to the point where we don’t realise how much we are actually spending. Carroll spends some time showing how his kids, aged 7–11, played Monopoly differently when they were playing with real money. He goes on to lay out his premise: that financial literacy must be taught to children at a young age, when they can be allowed to fail and learn from their failures at a small scale, rather than at the scale of hundreds of thousands of dollars of student loan debt just out of college.

    Carroll’s talk hit a lot of notes with my own experiences with money, and I’m sure that it would resonate with your experiences as well.

  2. Brett Scott, If plastic replaces cash, much that is good will be lost, in Aeon Essays, 01 March 2017. [Online]: https://aeon.co/essays/if-plastic-replaces-cash-much-that-is-good-will-be-lost

    Found this gem through Nishant’s monthly log. I think it ties in nicely with the video above. In this article, the author argues that cash is good because it is free of the banks’ control, and that the people who use cash most are the poor, who don’t necessarily have access to bank accounts. The author also names the conglomerates that push for a cashless society, and rightly points out that these are the banks and payment-processing firms such as Visa and Mastercard. The author therefore notes that cash transactions should, by the same logic, be called bankless transactions.

    In light of the recent demonetisation fiasco in India, I think this article deserves a place on my list of share-worthy articles.

  3. Chantal Panozzo, 7 ways living in Switzerland ruined America for me, in Vox.com, 21 July 2015. [Online]: http://www.vox.com/2015/7/21/8974435/switzerland-work-life-balance

    Now that I’m nearly done with student life (I hope), I am also starting to care about real life. This article makes an excellent case for working in Europe, where people are more productive, work fewer hours, and have a life outside work.

  4. David Kravets, Uber said to use “sophisticated” software to defraud drivers, passengers, in Ars Technica, 6 April 2017. [Online]: https://arstechnica.com/tech-policy/2017/04/uber-said-to-use-sophisticated-software-to-defraud-drivers-passengers/

    The skeletons keep coming out of the closet for Uber, and it feels as though this is one hell of an unethical company. According to the claims in this suit, Uber presents the passenger with a higher upfront fare and the driver with a lower fare, and Uber keeps the difference. After software to prevent regulators from hailing Ubers, after gazillions of sexual harassment allegations, and a video in which the CEO, when confronted, refuses to acknowledge that he screwed his drivers over, now this.

  5. JP Mangalindan, Facebook Messenger now analyzes your chats to give you recommendations, in Yahoo Finance, 6 April 2017. [Online]: https://finance.yahoo.com/news/facebook-messenger-now-analyzes-chats-give-recommendations-165930240.html

    Seriously, STOP USING FACEBOOK SERVICES! Switch to something that offers real encryption with a zero-knowledge algorithm. Use Signal, an application developed by Moxie Marlinspike’s Open Whisper Systems. Signal uses OTR encryption, which offers forward secrecy and deniable authentication. Open Whisper Systems does not keep any logs, except your phone number, which is also your user identification on the system. Signal supports text, voice, and video calling, so it should be the only app that you use.

    WhatsApp uses encryption code from Signal, which is why WhatsApp also supports encrypted text, voice, and video conversations. However, one must remember that WhatsApp is owned by Facebook, so I hesitate to recommend it on a matter of principle.

  6. Jack Laidlaw, IOT startup bricks customer’s garage door intentionally, in HackADay, 6 April 2017. [Online]: http://hackaday.com/2017/04/05/iot-startup-bricks-customers-garage-door-intentionally/

    IoT is a mess, even when companies play nice. IoT devices are security black holes, often sharing the same insecure password across all devices. The scariest part about these devices is that they interact with the real world, where they can cause real harm. Morphine pumps used in hospitals can be hacked over WiFi to deliver lethal doses of morphine, IoT thermostats can be hacked to freeze the occupants of a house to death, smart meters can be hacked to short circuit and blow up.

    Of course, there’s the other part of the story, where companies play dirty. If the company that sold you your dumb mercury-switch thermostat shut down, you could continue using your thermostat until it physically failed, which, knowing how simple mercury-switch thermostats are, will probably be never. On the other hand, the company behind your fancy IoT thermostat could shut down tomorrow, taking down all its servers and leaving you with a non-functioning thermostat that would probably freeze you to death. Or a company could play really dirty, and lock you out of your device simply for being critical in an Amazon review.

    While you’re here, enjoy this little joke that I read on the internet.

    Good morning sir, do you own a refrigerator? Yes? Well, you’re under arrest, your refrigerator is attacking Germany.

  7. D. Victoria Baranetsky, Encryption and the Press Clause, in NYU Journal of Intellectual Property and Entertainment Law (JIPEL), Vol. 6, No. 2, 3 April 2017. [Online]: http://jipel.law.nyu.edu/vol-6-no-2-1-baranetsky/

    In this article, the author argues that while the Crypto Wars of the ’90s focussed on the free speech aspect of the First Amendment, there is now a case to be made for encryption as essential to the freedom of the press, i.e. the Press Clause of the First Amendment. Under ubiquitous surveillance, the author argues, encryption is essential for people to be able to communicate their ideas freely, and she ties this in with Justice Scalia’s interpretation of the clause in Citizens United, wherein the Justice interpreted freedom of the press as a right of all citizens to communicate with one another.

    The encryption wars will take place with the usual amount of FUD on the part of the government. I just want to point out: encryption is maths, and banning encryption won’t do any good, because anyone is free to do maths on their own. Nor is this a genie-out-of-the-bottle situation: it’s not as if we would be better off had the government won the first crypto wars. Without encryption, we would not have been able to conduct online transactions, we would not be able to trust that our emails are not read, and we would not be able to communicate in any way over the internet without fear of our information being compromised, not by the government, but by malicious entities.

  8. Lena Groeger, When the designer shows up in the design, in ProPublica, 4 April 2017. [Online]: https://www.propublica.org/article/when-the-designer-shows-up-in-the-design

    This is an interesting article on the visualisation of data and how it affects our perceptions. It shows interesting examples of how the right data visualisation may have far-reaching effects in the real world, by displaying an actual problem or, just as importantly, by not showing a problem where one does not exist.

  9. Holly B. Shakya and Nicholas A. Christakis, Association of Facebook Use With Compromised Well-Being: A Longitudinal Study, in American Journal of Epidemiology, 01 February 2017. [Online]: https://doi.org/10.1093/aje/kww189

    In this paper, the authors point out a correlation between mental health and Facebook use. I must point out that I do not really understand all the statistics presented in the paper. However, what is interesting is that a 1 standard deviation increase in Facebook activity was linked to a decrease of 5–8% of a standard deviation in mental health. Now, it is important to note that this study uses self-reported statistics, so it could mean many things. It could mean that depressed people seek company on Facebook, just as they would seek their friends in real life, or it could mean that using Facebook causes depression. It could also mean that using Facebook makes people lower their own estimation of their mental health, or it could mean that people who perceive their mental health to be lower spend more time on Facebook.

    Some of the statistics are interesting. For instance, the mean interaction with Facebook is much lower than the standard deviation, which indicates a highly skewed distribution, i.e. a small number of people probably overuse Facebook. At the same time, a 1 SD increase in Facebook activity corresponds to updating your status 12 more times a month, or clicking on 50 more links in a month. The study correlates that with rating your own mental health 0.05 lower on a scale of 1–4, so I really wonder whether the results are significant.

    Anyway, this article corroborates my own views on Facebook, so I shall treat this article as Gospel truth, the best kind of truth.

  10. Jeffrey P. Bezos, 2016 letter to shareholders, 12 April 2016. [Online]: https://www.amazon.com/p/feature/z6o9g6sysxur57t

    I think Amazon is one of the most innovative tech companies right now, more than Google, Facebook, Tesla, or SpaceX. There’s a reason for this. Amazon works like a very large number of startups – each team is a startup working within the organisation. This letter simply lays this out in much nicer language. Bezos says that there is no ‘Day 2’ in Amazon, only ‘Day 1’, that no one should get comfortable with what they are doing.

    There are other interesting parts in the letter as well, such as an obsessive customer focus that goes beyond statistics and surveys, beyond processes and protocols. A number of people are pointing to this part especially after the United Airlines fiasco. But that’s a short-term thingy. I’m sure that a year from now, the takeaway from this letter will be the ‘there is no Day 2’ philosophy. Something I try to remind myself of every day: stay uncomfortable, stay innovative, keep learning.

  11. Joost Mollen, Pirate Bay founder: ‘I have given up’, in Motherboard, Vice, 11 December 2015. [Online]: https://motherboard.vice.com/en_us/article/pirate-bay-founder-peter-sunde-i-have-given-up

    This is an interesting interview with Peter Sunde, the founder of The Pirate Bay, talking about the sorry state of the internet. It is relevant now that we have simply shrugged off the recent incorporation of DRM into W3C standards.

    Take the net neutrality law in Europe. It’s terrible, but people are happy and go like “it could be worse.” That is absolutely not the right attitude. Facebook brings the internet to Africa and poor countries, but they’re only giving limited access to their own services and make money off of poor people. And getting government grants to do that, because they do PR well.

    Finland actually made internet access a human right a while back. That was a clever thing of Finland. But that’s like the only positive thing I have seen in any country anywhere in the world regarding the internet.

    We have become somehow the Black Knight from Monty Python’s Holy Grail. We have maybe half of our head left and we are still fighting, we still think we have a chance of winning this battle.

  12. Aditi Roy, Nasir Memon, and Arun Ross, MasterPrint: Exploiting the vulnerability of partial fingerprint-based authentication systems, in IEEE Transactions on Information Forensics and Security, Issue 99, 6 April 2017. [Online]: https://dx.doi.org/10.1109/TIFS.2017.2691658

    Fingerprint recognition systems on our devices are incredibly insecure, and all biometrics should be seen as a convenience that reduces security. Biometrics are publicly known and non-revocable, so they make terrible passwords. In this paper, the authors exploit yet another vulnerability in how fingerprint recognition systems are implemented: most systems are perfectly happy with partial matches. The authors therefore propose a set of partial fingerprints that are generic enough to unlock a large number of devices that use partial fingerprints for matching. Of course, this work has not yet been tested on real devices; rather, it has been done by matching already captured fingerprint images using software on a standalone computer. It is conceivable that such an attack may not yet be feasible on real devices due to some additional properties of their sensors or software. It is only a matter of time, however, before further vulnerabilities are exploited to break fingerprint locks.

  13. Dan Goodin, Smart TV hack embeds attack code into broadcast signal–no access needed, in Ars Technica, 31 March 2017. [Online]: https://arstechnica.com/security/2017/03/smart-tv-hack-embeds-attack-code-into-broadcast-signal-no-access-required/

    This is an impressive hack. It embeds command signals that exploit vulnerabilities in a web browser running on fully patched Samsung Smart TVs to launch an escalation-of-privilege attack on the TV and get root. What’s scary about this attack is that it can be done without any access to the TV; all it takes is a rogue TV transmitter, which could probably be built for less than a thousand dollars in parts (a computer plus a software-defined radio). By including rogue commands that target a number of vulnerabilities, not just one, the attacker could conceivably take control of all IoT TVs.

    Yet another example of why I’m terrified of the IoT revolution.

  14. NASA Jet Propulsion Laboratory, NASA image shows Earth between the rings of Saturn, 20 April 2017. [Online]: https://www.jpl.nasa.gov/news/news.php?feature=6822

    This is an impressive image taken as Cassini starts its decaying orbits towards its grave on Saturn. This photograph of our world as a tiny dot within the rings of Saturn reminds me of the “pale blue dot” and Carl Sagan’s commentary.

    Look again at that dot. That’s here. That’s home. That’s us. On it everyone you love, everyone you know, everyone you ever heard of, every human being who ever was, lived out their lives. The aggregate of our joy and suffering, thousands of confident religions, ideologies, and economic doctrines, every hunter and forager, every hero and coward, every creator and destroyer of civilization, every king and peasant, every young couple in love, every mother and father, hopeful child, inventor and explorer, every teacher of morals, every corrupt politician, every “superstar,” every “supreme leader,” every saint and sinner in the history of our species lived there…

  15. Finn Cohen, The day Prince’s guitar wept the loudest, in The New York Times, 28 April 2016. [Online]: https://www.nytimes.com/2016/04/28/arts/music/prince-guitar-rock-hall-of-fame.html

    You must listen to this performance of Prince, Tom Petty, Steve Winwood, Jeff Lynne and others playing ‘While My Guitar Gently Weeps’ to celebrate George Harrison’s posthumous induction into the Rock & Roll Hall of Fame. Then read the article about how the performance came together, and learn about the history of Prince’s epic guitar solo.

    What strikes me most in these interviews is how much Prince was a ‘nice guy’, just enjoying the moment and the music.

    And then that whole thing with the guitar going up in the air. I didn’t even see who caught it. I just saw it go up, and I was astonished that it didn’t come back down again. Everybody wonders where that guitar went, and I gotta tell you, I was on the stage, and I wonder where it went, too.

    And when he tossed his instrument into the air at the very end of the song, it never appeared to land; it was almost as if Mr. Harrison had grabbed it himself in midair to signal, “That’s enough of that.”

  16. Cathleen O’Grady, “Mindless eating”, or how to send an entire life of research into question, in Ars Technica, 24 April 2017. [Online]: https://arstechnica.com/science/2017/04/the-peer-reviewed-saga-of-mindless-eating-mindless-research-is-bad-too/

    The saga of Dr. Brian Wansink continues. I’m interested in this saga and have been following it because it relates to Cornell University. Dr. Wansink has been a pop nutrition researcher, with many quotable ‘results’ that have been adapted into policy. The fact that over twenty years of research has been brought into question is disturbing.

  17. Mike Isaac, Uber’s C.E.O. plays with fire, in The New York Times, 23 April 2017. [Online]: https://www.nytimes.com/2017/04/23/technology/travis-kalanick-pushes-uber-and-himself-to-the-precipice.html

    Yet another Uber-related post. And to think that earlier in the month, I wrote, ‘The skeletons keep coming out of the closet for Uber’, when talking about how the company Greyballed law enforcement. This article covers a number of unethical practices at Uber, including tracking people even after they had deleted the app from their phones, and using data from Unroll.me to collect people’s anonymised Lyft receipts in order to figure out Lyft’s financial status. There’s a lot to unpack in this article; I’ll only attempt to summarise those two points.

    Uber used a technique for fingerprinting iPhones. This can be done using data unique to the phone. Simple identifiers include details such as the IMEI number and serial number, although one could go further and use subtler characteristics that result from process variations within devices at the time of manufacture. I do not know the exact details of Uber’s operation, but it is conceivable that the system used a combination of such details. Uber used these fingerprints to identify used or stolen phones that were being used to inflate rides in countries like China. The only thing that would have prevented them from doing something like this was Apple’s policy towards apps on the App Store. In order to prevent Apple’s engineers from discovering this code, Uber installed a geofence around Apple headquarters, just as Volkswagen had installed cheat software to reduce emissions during an EPA test.

    The second bit of news is even more disturbing. Unroll.me is a service that is supposed to enhance one’s privacy by unsubscribing from emails. The fact that its privacy policy allows it to sell data from our inboxes simply indicates that we must read the fine print. What’s equally disturbing is that in these contracts we don’t have any room to negotiate; it’s a take-it-or-leave-it contract. This is true of all the software we use, and may soon start affecting the physical devices we buy as well, depending on how Impression Products v. Lexmark International is decided. Anyway, the bottom line is that we really should not trust online services to protect our data.

  18. Xudong Zheng, Phishing with unicode domains, 14 April 2017. [Online]: https://www.xudongz.com/blog/2017/idn-phishing/

    This is a scary-as-hell attack. It abuses Punycode, the encoding that lets Unicode domain names be represented in ASCII. The attack directs you to a Unicode domain name that looks a lot like a regular domain, for example, аррӏе.com vs apple.com. The first one is made up of Cyrillic letters (its ‘а’ is the Cyrillic letter) while the second uses the ASCII ‘a’. The good thing is, most Firefox users can defend against this by setting network.IDN_show_punycode to true in about:config, which makes the address bar display the raw Punycode form of the name. This has also been patched in Google Chrome 58.
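    One way a defender can check a candidate domain for this kind of homograph, as an added example that is not from Zheng’s post or from any browser’s code: it computes the xn-- (Punycode) form that the Firefox setting above reveals, and it flags labels whose letters are Cyrillic look-alikes of ASCII letters, including the whole-script case (every letter Cyrillic, so no script mixing) that the author describes. The confusables table is a small hand-built subset of Unicode’s UTS #39 data, and the sample domains used in it are constructed for illustration.

```python
"""Homograph-domain check: Punycode form plus confusable-letter detection.

Added example, not from the original post. CYRILLIC_TO_LATIN is a
hand-built subset of the UTS #39 confusables data (assumption: these
pairs are visually identical in common fonts); sample domains are
constructed for illustration.
"""
import unicodedata

# Cyrillic letters whose glyphs look like ASCII letters (constructed subset).
CYRILLIC_TO_LATIN = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0458": "j",  # CYRILLIC SMALL LETTER JE
    "\u04bb": "h",  # CYRILLIC SMALL LETTER SHHA
    "\u04cf": "l",  # CYRILLIC SMALL LETTER PALOCHKA
}


def to_ascii(domain: str) -> str:
    """Return the A-label form of a domain (what Firefox shows with IDN_show_punycode).

    Uses Python's RFC 3492 punycode codec label by label; the IDNA mapping
    step is skipped because the goal is only to show the wire-level form.
    """
    labels = []
    for label in domain.lower().split("."):
        if label.isascii():
            labels.append(label)
        else:
            labels.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(labels)


def scripts_of(label: str) -> set:
    """Script names used by the letters of a label, taken from the first word
    of each character's Unicode name (e.g. 'LATIN', 'CYRILLIC')."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def skeleton(label: str) -> str:
    """Replace each confusable Cyrillic letter with its Latin look-alike."""
    return "".join(CYRILLIC_TO_LATIN.get(ch, ch) for ch in label)


def analyze(domain: str) -> dict:
    """Flag a domain whose non-ASCII labels mix scripts or impersonate ASCII."""
    domain = domain.lower()
    reasons = []
    for label in domain.split("."):
        if label.isascii():
            continue
        used = scripts_of(label)
        if len(used) > 1:
            # Mixed-script label: browsers generally already show these as Punycode.
            reasons.append(f"{label}: mixed scripts {sorted(used)}")
        skel = skeleton(label)
        if skel != label and skel.isascii():
            # Whole-script confusable: single-script label whose every letter
            # looks like an ASCII letter; this is the case Zheng demonstrated.
            reasons.append(f"{label}: looks like ASCII '{skel}'")
    return {
        "domain": domain,
        "punycode": to_ascii(domain),
        "skeleton": ".".join(skeleton(l) for l in domain.split(".")),
        "flagged": bool(reasons),
        "reasons": reasons,
    }


if __name__ == "__main__":
    for d in ("\u0430\u0440\u0440\u04cf\u0435.com", "apple.com", "p\u0430ypal.com"):
        print(analyze(d))
```

    The skeleton comparison is the useful part: a label that is entirely Cyrillic passes a naive "is this label mixed-script?" test, but its skeleton collapses to a plain ASCII name, which is exactly the signal a mail gateway or link-scanning proxy can match against a list of brands it cares about.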

  19. Lukasz Olejnik, Stealing sensitive browser data with W3C ambient light sensor API, 19 April 2017. [Online]: https://blog.lukaszolejnik.com/stealing-sensitive-browser-data-with-the-w3c-ambient-light-sensor-api/

    A proof-of-concept attack that changes screen brightness and reads the resulting light levels from the ambient light sensor on a mobile phone, in order to figure out things like whether a particular link has been visited by the user, or how another website appears to that user. Not overly scary at the moment, as extracting a string of a handful of characters takes 20+ seconds, so any user who isn’t a total doofus should figure out that something is wrong and close the malicious website. On the other hand, this does show how exposing some API will almost certainly lead to that API being misused in a way that harms our privacy or security.
