Commit Graph

304 Commits (e77ebfc973e527c69498e37df4b133c06b9f4d73)

Author SHA1 Message Date
Mike Gerwitz e7356fd8ef
:Add txt extension to githubbub files
Will ensure that proper MIME type is served to the client.
2017-04-14 00:50:03 -04:00
Mike Gerwitz f6c2a1e255
:s/&/+ in subtitle
My hacking and activism are inseparable.
2017-04-09 00:51:17 -04:00
Mike Gerwitz 91d6d46702
:Resume update
There are a number of changes here.  It doesn't mean that I'm looking for a
new job.  With that said, my employer surprised everyone with an acquisition
the day it was actually agreed upon, so we'll see how things go.
2017-04-09 00:49:14 -04:00
Mike Gerwitz 4191b282be
:Projects page is now a placeholder
Server now routes to cgit
2017-04-03 23:55:44 -04:00
Mike Gerwitz 58069270b1
:cgit styling (CSS) 2017-04-03 23:52:53 -04:00
Mike Gerwitz 91d135737c
:Remove mention of DMCA from sapsf description
It was not discussed (no time to fit it in).
2017-03-28 22:28:42 -04:00
Mike Gerwitz e699e1b3c6
:sapsf video posted 2017-03-28 22:26:06 -04:00
Mike Gerwitz ffeca52b2b
:Add link to sapsf slides 2017-03-28 00:05:46 -04:00
Mike Gerwitz b7a128f20b
:git-horror-story.txt: s/carrot/caret/g
Five years this typo has existed!

Thanks to Maxim Cournoyer <maxim.cournoyer@gmail.com> for pointing this out
to me.
2017-02-28 22:42:44 -05:00
Mike Gerwitz 034e4e2f5f
:Host LP banner to respect user privacy
Don't make 3rd party request.
2017-01-20 00:16:17 -05:00
Mike Gerwitz 0f7de72da9
:Add LP2017 talk!
Just accepted!
2017-01-20 00:14:07 -05:00
Mike Gerwitz 0507dc76f3
: License Git Horror Story script under CC0
Someone contacted me about the license of this script.  The code itself is
doubtfully enforceable with US copyright anyway, so let's just put this into
the public domain.

It does have comments, but they're minor.
2016-12-19 22:04:19 -05:00
Mike Gerwitz 7956cf0b88
:Re-make pages on tpl/.config modification
This determines headers and other formatting.
2016-12-14 00:58:59 -05:00
Mike Gerwitz 951f7c0555
:Remove Rule 41 headline
The time has passed.  I'll have words on this in the future.  As long as I
have the time to write them.
2016-12-14 00:55:32 -05:00
Mike Gerwitz f4c545893b
:Add mention of GNU ethical repo criteria to githubbub
* docs/about/githubbub.md: Add reference to GNU ethical repo criteria.
2016-11-10 23:43:26 -05:00
Mike Gerwitz d934d0740c
:Add literate-xsl to project list
* docs/20-projects.md (literate-xsl): Added project.
2016-11-10 23:35:24 -05:00
Mike Gerwitz 30dc33c97b
:Depoliticize blog
The election is over, so there's no point in keeping the "Election." post.

I...am at a loss for words.  I'll surely be posting about this in some
regard at some point, so I'm not going to bother here.
2016-11-08 23:35:37 -05:00
Mike Gerwitz f6fecfa676
:Update FSF member footer graphic
This image displays the date I joined: exactly nine years ago to the
day.  That's just a coincidence, tbh; I happened upon it.

Oh how time flies...

Happy Halloween.
2016-10-31 00:07:37 -04:00
Mike Gerwitz 68ffd6fb4e
:Remove endsoftpatents link in footer
This site is no longer active; the last post was in 2014.
2016-10-31 00:00:44 -04:00
Mike Gerwitz da2b079f9a
: GPG key change and transition statement 2016-10-13 23:10:14 -04:00
Mike Gerwitz 34078c338b
: Add Restore Online Freedom! talk to resume 2016-10-13 23:10:08 -04:00
Mike Gerwitz d7ab852f43
:Prevent heading from overlapping page fold on articles
* style.css (h1.subject): Right margin to prevent overlap of page fold on
  smaller resolutions
2016-08-27 15:06:46 -04:00
Mike Gerwitz ce61b5c057
:Better fit headline images at lower resolutions
* style.css: Float headline images to right on lower resolution, reduce size
  of index headline.
2016-08-27 00:29:51 -04:00
Mike Gerwitz 81b2824128
:Correct self-links overlap of header on small displays
style.css: #self-links will no longer overlap header at any point.
2016-08-27 00:08:45 -04:00
Mike Gerwitz 55cb97ff35
:Wrap menu if needed to accommodate screen resolution
* style.css: Upper menu will now text wrap if needed.
2016-08-27 00:08:25 -04:00
Mike Gerwitz 57121a9c23
NSO Group, Pegasus, Trident---iOS Exploits Targeting Human Rights Activist
[Citizen Lab released a report][cl] describing the attempted use of iOS
  0-days on human rights activist [Ahmed Mansoor][] by the United Arab
  Emirates.
They named this chain of exploits _Trident_,
  and with the help of [Lookout Security][paper],
  were able to analyze them.

It begins with [arbitrary code execution (CVE-2016-4655)][4655] by
  exploiting a memory corruption vulnerability in WebKit,
  which downloads a payload unknown to the user.
That payload is able to bypass KASLR and [determine the kernel memory
  location (CVE-2016-4656)][4656],
  then allowing it to exploit a [memory corruption vulnerability in the
  kernel itself (CVE-2016-4657)][4657];
    this "jailbreaks" the device and is a complete compromise of the system.

This payload is [Pegasus][paper],
  a complex surveillance tool sold to governments,
  often used for espionage.
In this case,
  Mansoor received a suspicious text message and wisely [tipped off Citizen
  Lab][cl] rather than opening the presented link.
Had he done so,
  he would have unknowingly downloaded this spyware that could very well
  have put his life in extreme danger:
    it has the capability to track his location;
    record his calls and texts;
    record communications through software like WhatsApp and Skype;
    download his contact information;
    grab passwords and encryption keys from his keyring;
    and much more.

This malware was written by [NSO Group][],
  which is so poorly known that their [Wikipedia page didn't even exist
  until today][nso-wikipedia].
The software company is based in Israel,
  founded in 2010 by Niv Carmi, Omri Lavie, and Shalev Hulio.
They were purchased in 2014 by [Francisco Partners][],
  a private equity firm in the United States,
  for $110 million.
They exist to sell exploits to governments.

Anyone familiar with security research is aware of [responsible
  disclosure][]:
  it is a model whereby researchers who discover a vulnerability
    release their research publicly only _after_ they notify the authors
    of the software,
      and a patch mitigating the vulnerability has been released.
This is what Citizen Lab did---Apple [fixed the vulnerability][apple] in
  iOS 9.3.5.[^rms-apple]
This is not what NSO Group does:
  Instead, they hoard their exploits[^0day] and sell them to governments as
    weapons for surveillance or espionage.
In this case,
  the United Arab Emirates (or so it seems).
This is not only unethical,
  but to sell to a government that is known for this type of abuse is
  inexcusable and negligent---the people behind NSO Group are absolute
  scum.[^scum]
They are empowering a foreign government known for their civil and human
  rights abuses.
I have trouble finding words.

There is much more that can be said on this topic with respect to security,
  civil and human rights,
  and various other topics.
But I don't want to distract from the topic at hand.
Let this sink in.
Read the [Citizen Lab][cl] report and the [paper by Lookout Security][paper].
Today I leave my soapbox be.

[cl]: https://citizenlab.org/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/
[Ahmed Mansoor]: https://en.wikipedia.org/wiki/Ahmed_Mansoor
[paper]: https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf
[4655]: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-4655
[4656]: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-4656
[4657]: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-4657
[NSO Group]: https://en.wikipedia.org/wiki/NSO_Group
[nso-wikipedia]: https://en.wikipedia.org/w/index.php?title=NSO_Group&action=history
[Francisco Partners]: https://en.wikipedia.org/wiki/Francisco_Partners
[responsible disclosure]: https://en.wikipedia.org/wiki/Responsible_disclosure
[apple]: https://support.apple.com/en-us/HT207107

[^rms-apple]: I [can't recommend that you use Apple
              devices](https://stallman.org/apple.html), but if you do, you
              should upgrade immediately;
                you are vulnerable to exploitation by simply visiting a
                malicious webpage.

[^0day]: Called 0-days,
           because they haven't been disclosed and there has been no time to
           prepare or release a fix.

[^scum]: For other scum, see the organization behind [FinFisher][]; and the
           group [Hacking Team][].

[FinFisher]: https://en.wikipedia.org/wiki/FinFisher
[Hacking Team]: https://en.wikipedia.org/wiki/Hacking_Team
2016-08-26 00:05:24 -04:00
Mike Gerwitz ce0f049a9f
:Add TAME reference to Projects page
Today liberated the entire project as used in production.
2016-08-24 22:53:23 -04:00
Mike Gerwitz 61b8ae9e91
"Election"
The past few days of the DNC have demanded pause.  I am an Independent.  I
do not like Hillary Clinton. I am a Bernie supporter, and I was upset by his
endorsement of Hillary.  I had vowed not to vote for Hillary; I would
instead vote for Jill Stein.  The DNC, while very well done with a deeply
compelling facade, has not changed my perspective on Clinton.

It is perhaps said best by Bernie himself: "It's easy to boo, but it's
harder to look your kids in the face who would be living under a Donald
Trump presidency".  The conflict here is between my deep ideologies and
reality.  It's often said that a vote for Hillary is a vote against Trump;
such a perspective would be shallow and purposeless.  But this isn't an
election for president---this is the most threatening assault on everything
I stand for that I hope I will ever witness in my lifetime.  To stand for
ideological purity would be to stand atop a mountain while the world around
me burns.  This is why Bernie chose to unite.

Should Trump win, my ideals that seem within reach could be blown back
decades.  As a matter of strategy, I cannot justify _not_ swallowing every
ounce of my pride.  Hillary's presidency is an unfortunate but necessary
consequence of the only permissible outcome.  I am not electing a president
of the United States.  I am electing _a United States_.

So I am doing what I never thought I would do: proposing that others too
factor this obscene equation and recognize how the very few remaining
variables affect the result.  My ideals continue to exist in part and in
spirit with Hillary as president.  With Trump, they are all but
vanquished.  Donald Trump must not be elected president of the United
States.  When (and if) you vote, think of it as a shot fired, not as a vote
cast.

"Election".

More information about my opinions on this topic can be found
[here][social-1] and [here][social-2].

[social-1]: https://social.mikegerwitz.com/conversation/21864
[social-2]: https://social.mikegerwitz.com/conversation/22026
2016-08-03 23:03:47 -04:00
Mike Gerwitz aa42e553ce
:Update hoxsl Savannah link to use plain HTTP
No TLS D:

* docs/hoxsl/index.md: http{s=>} src link
2016-07-21 23:26:11 -04:00
Mike Gerwitz 254a71d6ac
:Update hoxsl src link to Savannah
* docs/hoxsl/index.md: Update src link
2016-07-21 22:47:53 -04:00
Mike Gerwitz 9df57f8130
:GNU role update in About 2016-07-19 23:26:21 -04:00
Mike Gerwitz bf3c68728d
:Add hoxsl to project page 2016-07-19 23:20:37 -04:00
Mike Gerwitz 22a9489628
:Project page reorganization 2016-07-19 23:20:20 -04:00
Mike Gerwitz a482d2bfca
:Add hoxsl project page 2016-07-19 23:19:29 -04:00
Mike Gerwitz f141de9cce
:Update GNU Screen involvement on Projects page
* docs/20-projects.md: GNU Screen involvement update
2016-07-19 22:57:40 -04:00
Mike Gerwitz 0b6fa52735
CFAA, "Authorized" Access, and Common Sense
There is little common sense to be had with the [Computer Fraud and Abuse
  Act][cfaa] (CFAA) to begin with.
To add to the confusion,
  the Ninth Circuit Court of Appeals last week held 2-1 in [United States
  v. Nosal][uvn] that accessing a service using someone else's
  password---even if that person gave you permission to do so---[violates
  the CFAA][cfaa-passwd],
    stating that only the _owner_ of a computer can give such authorization.
This is absurd even with complete lack of understanding of what the law is:
  should your spouse be held criminally liable for paying your bills online
  using your account?

Common sense says no.
In another case this week---[Facebook v. Power Ventures][fvp]---the same
  court (though a different panel of judges) stepped back from the original
  decision and stated that computer _users_ can indeed provide
  authorization.
This authorization holds even if the service's Terms of Service say
  otherwise.
Yet: the computer owner (in this case, Facebook) can revoke authorization,
  which takes precedence over any authorization provided by a user of that
  system.
So with a seemingly magical incantation,
  a benign situation can be made into a federal crime,
  just like that.

These situations highlight dangerous confusion over the interpretation of an
  already dangerously vague law.
The CFAA is the law that was used to prosecute Aaron Swartz for federal
  "crimes"---with a punishment of up to thirty-five years in prison---for
  liberating documents hosted on JSTOR.
Because of this [draconian threat][eff-punish],
  [Aaron committed suicide][aaron] on January 11th, 2013.

The CFAA already has blood on its hands;
  it needs to be reined _in_,
    not be given further broad powers.
So don't take news of the decisions in US v. Nosal and Facebook v. Power
  Ventures as canceling one another out;
    things may appear the same for now,
      but serious problems still need to be resolved.

[cfaa]: https://www.eff.org/issues/cfaa
[cfaa-passwd]: https://www.eff.org/deeplinks/2016/07/ever-use-someone-elses-password-go-jail-says-ninth-circuit
[cfaa-back]: https://www.eff.org/deeplinks/2016/07/ninth-circuit-panel-backs-away-dangerous-password-sharing-decision-creates-even
[uvn]: https://www.eff.org/cases/u-s-v-nosal
[fvp]: https://www.eff.org/cases/facebook-v-power-ventures
[eff-punish]: https://www.eff.org/deeplinks/2013/02/rebooting-computer-crime-part-3-punishment-should-fit-crime
[aaron]: https://www.eff.org/deeplinks/2013/01/farewell-aaron-swartz
2016-07-16 22:40:09 -04:00
Mike Gerwitz c6ca369ab8
:About page update to more accurately reflect activities 2016-07-07 23:41:14 -04:00
Mike Gerwitz 1f91f838c7
:Various About page changes
More concise, and some information changes.

Yes, those hacker and cracker links are supposed to be identical.
2016-06-18 13:39:52 -04:00
Mike Gerwitz 3f286d46ef
:Fiance=>wife
...this happened a while back.  I clearly don't read my About page.
2016-06-18 13:27:18 -04:00
Mike Gerwitz ad270eaf3c
:Round Rule 41 banner borders slightly 2016-06-18 13:21:15 -04:00
Mike Gerwitz 1468b968ee
:Add EFF Rule 41 campaign banner
Resized and hosted locally to protect visitors' privacy from 3rd-party
requests.
2016-06-18 13:19:24 -04:00
Mike Gerwitz 22f4af6586
:Add 'activist' to header description
This appears under my name at the top of the page.

* Makefile: Free Software Hacker{=> &amp; Activist}
2016-06-18 12:57:31 -04:00
Mike Gerwitz 2f9701b681
:{Notices=>Social} heading
* tpl/.config: {Notices=>Social} link
2016-05-30 09:04:50 -04:00
Mike Gerwitz 793a8c6333
:Add LibrePlanet collection link
Useful for sharing with others without linking to mikegerwitz.com.

* docs/40-talks.md: Added LP collection for ROF talk.
2016-05-30 09:00:04 -04:00
Mike Gerwitz 4b75b82b4e
:Git Horror Story s/fourth/forth/
Thanks to Thien-Thi Nguyen <ttn@gnu.org> for pointing this out.
2016-05-28 20:36:31 -04:00
Mike Gerwitz 9858f6112c
:Add avatar and attribution to About
Received permission from Kori Feener to use the LibrePlanet 2016 photo of me
as an avatar.
2016-05-27 23:38:38 -04:00
Mike Gerwitz 23940080b9
International Day Against DRM 2016
Today is the [10th annual International Day Against DRM][day-drm]---a day
  where activists from around the world organize events in protest against
  [Digital Restrictions Management][drm].

DRM is a scheme by which tyrants use [antifeatures][] to lock down what
  users are able to do with their systems, often cryptographically.
For example,
  your media player might tell you how many times you can listen to a song,
    or watch a video, or read a book;
  it might [delete books][1984] that you thought you owned;
  it might require that you are [always online][always-on] when playing a
    game, and then stop working when you disconnect, or when they decide to
    stop supporting the game.
If you try to circumvent these locks,
  then you might be [called a pirate][pirate] and be thrown in prison under
  the ["anti-circumvention" provisions of the Digital Millennium Copyright Act
  (DMCA)][dmca].
These are all things [that have been long predicted][right-to-read], and
  are only expected to get worse with time.

That is, unless we take a stand and fight back.

I had the pleasure of participating in
  the [largest ever protest against the W3C][w3c-protest] and their attempts
  to introduce DRM as a _web standard_ via the [Encrypted Media Extensions
  (EME)][eme] proposal.[^photos]
This event was organized beautifully by Zak Rogoff of the [Free Software
  Foundation][fsf] and began just outside the Strata Center doors where the
  W3C was _actively meeting_,
    and then continued to stop outside the Google and Microsoft offices,
    both just blocks away.
We were [joined outside Microsoft][eff-protest] by Danny O'Brien,
  the EFF's International Director,
  who stepped out of the W3C meeting to address the protesters.

Afterward, most of us [traveled to the MIT Media Lab][media-lab] where
  Richard Stallman---who joined us in the protest---sat on a panel along
  with Danny O'Brien, Joi Ito of the MIT Media Lab, and Harry Halpin of the
  W3C.
The W3C was invited to participate in a discussion on EME, but they never
  showed.
As a demonstration of the severity of these issues,
  [Harry Halpin vowed to resign from the W3C][hh-resign] if the EME proposal
  ever became a W3C Recommendation.

I can say without hesitation that the protest and following discussion were
  some of the most powerful and memorable events of my life---there is no
  feeling like being a part of a group that shares such a fundamental
  passion (and distaste!) for something important.

And it _is_ very important.

[DRM is pervasive][dbd]---the Web is just one corner where it rears its ugly
  head.
The [International Day Against DRM][day-drm] gives you and others an
  excellent opportunity to hold your own protests, demonstrations, and events
  to raise these issues to others---and to do so as part of an
  _international group_;
  to send a strong, world-wide message:
  a message that it is _not_ acceptable to act as tyrants and treat users as
    slaves and puppets through use of digital handcuffs and [draconian
    punishments for circumventing them][dmca].

[^photos]: The EFF has some [great photos][eff-protest]; I'm the one in the
           hoodie between the giant GNU head and Zak Rogoff.

[day-drm]: https://www.defectivebydesign.org/dayagainstdrm
[drm]: https://www.defectivebydesign.org/what_is_drm_digital_restrictions_management
[antifeatures]: https://www.fsf.org/bulletin/2007/fall/antifeatures/
[lp2016]: https://libreplanet.org/2016/
[w3c-protest]: https://www.defectivebydesign.org/from-the-web-to-the-streets-protesting-drm
[eme]: https://w3c.github.io/encrypted-media/
[eff-protest]: https://w3c.github.io/encrypted-media/
[w3c]: https://www.w3.org/
[fsf]: https://fsf.org/
[media-lab]: https://motherboard.vice.com/read/we-marched-with-richard-stallman-at-a-drm-protest-last-night-w3-consortium-MIT-joi-ito
[hh-resign]: https://www.defectivebydesign.org/blog/w3c_staff_member_pledges_resignation_if_drm_added_web_standards
[dmca]: https://www.eff.org/issues/dmca
[dbd]: https://www.defectivebydesign.org/
[1984]: https://www.defectivebydesign.org/amazon-kindle-swindle
[always-on]: https://en.wikipedia.org/wiki/Always-on_DRM
[right-to-read]: https://www.gnu.org/philosophy/right-to-read.en.html
[pirate]: https://www.eff.org/deeplinks/2015/02/go-prison-sharing-files-thats-what-hollywood-wants-secret-tpp-deal
2016-05-03 00:04:09 -04:00
Mike Gerwitz 4e30c20830
:Remove LibrePlanet header on each page
It is now available on the Talk page.

* tpl/.config: Remove LP header
2016-04-19 23:18:05 -04:00
Mike Gerwitz 846bc0cfd6
:Add talks page
* docs/40-talks.md: Added
2016-04-19 23:17:55 -04:00
Mike Gerwitz b7b5212496
:Add GNU/kWindows article to papers list 2016-04-09 14:00:57 -04:00