Recently in Activism Category

To ignore or not?

Updated 11/16/2016, 11:15AM

Merrimack College's Assistant Professor of Communication and Media, Melissa "Mish" Zimdars, created a list of False, Misleading, and Clickbait websites (Google Doc) as a resource for her students, who are learning about the media landscape. This list has been making the rounds on social media, and it intrigued me for its potential operational uses. For me, this meant loading the sites into a "blacklist" I maintain on a proxy server that all of my internet traffic goes through. The proxy prevents any content hosted on those domain names from even being loaded. However, most people don't have access to this type of infrastructure, so I started looking at browser plugins like uBlock Origin, which allows for the total blocking of websites based on domains. Using Melissa's list as a source and uBlock's filter syntax, I can now easily block 80% of the bullshit I see on a daily basis flowing through social media. Success!

I love technology and the quick wins that can impact your life, but too often we don't step back to consider whether the win is real or false. Is blocking these sites the best idea? When many people digest memes as fact or get their "news" from bullshit sites, is ignoring the source altogether the right thing to do? "Oh, I can't read this. I blocked the domain for bullshittery," is not a convincing counter-argument, especially to someone who would believe a meme as fact or who dabbles in light conspiracy theory. If you don't know what is being said, how can you refute it? I was ruminating on this when another article passed in front of my eyes, detailing a solution put together by a Princeton hackathon team. Their solution is to simply overlay a button that says "UNVERIFIED" next to any story shared on the Facebook platform that does not meet a list of criteria they set. Perhaps there could be a natural integration of this list with the Princeton team's solution. This prevents wholesale blocking of sites and allows people to proceed with caution.

Larger questions of information consumption and curation still remain. The Princeton team claims they rely on "AI" to understand if the site engages in bullshittery or not. How much can we trust that process? Mish's list was hand curated, but what qualifications does she have in judging bullshit? I suspect very good ones, but that question needs to be asked of her and every "news" source that crosses your path. What qualifications do I have to write this post? Do I have an authoritative voice for this subject? Not really, but I love asking questions.

The internet has provided the world such an amazing platform. The platform has been monetized by advertising, giving rise to the idea of click-bait. Inflammatory headlines, purposefully skewed facts, memes, and more are all designed to lure people to sites. As people click on those links, money is made by serving ad impressions. Driving traffic to sites is the #1 business case for the internet. So site owners are now incentivized to make headlines wilder and wilder, to play fast and loose with facts, and to call their site satire somewhere buried in legalese while every other outward appearance is that of a legitimate site. Beyond that we also have outfits that are purpose-built for peddling influence around the globe. A 2015 article detailed Russian Web Brigades, whose sole purpose was to flood the internet with pro-Russian propaganda. Their method was to create multiple sources that seemed to confirm information independently, providing journalists with enough source material to feel comfortable publishing on real platforms. This format was then turned toward US communities, detailed in another 2015 article about the Russian Trolls. There is even circumstantial evidence that these same trolls were pimping for the Trump campaign.

This puts everyone at a disadvantage for finding truth. Does increasing the signal to noise ratio make self-censorship acceptable? Is this action "censorship" when it ultimately results in the removal of half-truths, lies, and manipulation from your information sources? Is there an acceptable level of bullshittery that we can deal with? For example, I removed all satire sites from Mish's list because I can cognitively identify satire...others may not be able to. Do we lose humor to deal with edge case idiocy?

The scale of this issue is beyond memory capacity for humans and new sites could be added to Mish's list every day. Bullshit at internet scale is beyond human comprehension. The Princeton team's solution absolutely helps but how else can we increase the signal to noise ratio? Are blocking tools acceptable? I can barely remember where I've left my keys every day much less remember if some random website is real, fake, partially fake, clickbait, satire, or pure evil. Certainly context of the site and tuning our perception can help filter things out naturally but, again, the scale of the issue is already large and will continue to grow.
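The conversion step described above (a hand-curated site list turned into a proxy blacklist and a uBlock Origin filter list, with satire entries dropped) is easy to get wrong: rows arrive as URLs, bare hosts, mixed case, "www." prefixes and duplicates, and a malformed row must not become an over-broad filter. The following is an added example written for this page, not the author's own script or Zimdars' list. The CSV rows are constructed placeholders in the shape of a "site,category" export, the uBlock syntax (`||host^`) is the real static-filter form, and the Squid `dstdomain` output assumes the proxy in question is Squid, which the post does not state.

```python
import csv
import io
from urllib.parse import urlsplit

# Constructed rows in the shape of a "site,category" spreadsheet export.
# These are placeholder names, not entries from Zimdars' list.
SAMPLE_CSV = """site,category
http://www.fake-example.com/,fake
https://clickbait-example.net/some/story?id=1,clickbait
Satire-Example.org,satire
fake-example.com,fake
not a domain,fake
,fake
"""


def normalize_domain(value):
    """Reduce a URL or bare host name to a lowercase host without a leading 'www.'.

    Returns None for blank or unparseable entries so a sloppy row cannot
    turn into an over-broad filter.
    """
    value = value.strip()
    if not value:
        return None
    if "://" not in value:
        value = "//" + value  # lets urlsplit treat a bare host as the netloc
    host = urlsplit(value).hostname  # already lowercased by urlsplit
    if not host or " " in host or "." not in host:
        return None
    if host.startswith("www."):
        host = host[4:]
    return host


def load_domains(csv_text, skip_categories=("satire",)):
    """Return unique, normalized domains, dropping categories the reader wants to keep."""
    seen = set()
    domains = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if (row.get("category") or "").strip().lower() in skip_categories:
            continue
        host = normalize_domain(row.get("site") or "")
        if host and host not in seen:
            seen.add(host)
            domains.append(host)
    return domains


def ublock_filters(domains):
    """uBlock Origin static filters: '||host^' matches the host and every subdomain,
    for any scheme and any path."""
    return [f"||{d}^" for d in domains]


def squid_acl(domains):
    """Squid 'dstdomain' ACL entries (assumed proxy); a leading dot also matches subdomains."""
    return [f".{d}" for d in domains]


if __name__ == "__main__":
    blocked = load_domains(SAMPLE_CSV)
    print("! Title: fake-news blocklist (generated)")
    print("\n".join(ublock_filters(blocked)))
    print("# squid: acl fakenews dstdomain \"/etc/squid/fakenews.txt\"")
    print("\n".join(squid_acl(blocked)))
```

Pass `skip_categories=()` to keep satire sites in the output, which is the trade-off the post raises; the default mirrors the author's choice to drop them.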

Dancing madly on the lip of a volcano

John Oliver spent 18 minutes discussing the latest iteration of the crypto wars sparked by the recent Apple v. FBI case. In his summation, he provided a fantastic metaphor for cybersecurity: "dancing madly on the lip of a volcano". I think this metaphor is especially pointed as we see an increase in regulatory intervention by bodies with very limited views on, or education in, security. There is no global consensus on cyber security, and the house has been on fire as of late.

Security researcher Matt Blaze (@mattblaze), who was featured in Oliver's piece, tweeted the following:

PrivacyWonk moves to TLS (finally...)

After waiting for what seemed like an eternity, the site finally has a Let's Encrypt certificate!

I took some time to set up TLS properly this evening (total project time: 2 hours), following fantastic guides from Mozilla and other sources (Qualys SSL Server Test and Scott Helme's SecurityHeaders) to ensure a secure and modern implementation. See reports below.

Was this necessary for a site that simply serves up my idle thoughts on privacy and security? Absolutely.


Because if I can do it for my little blog serving an annual readership of 20k (most of which are SEO spammers), you can do it for your web app that collects, uses, and disseminates data. 

It's 2015, it's time for this level of encryption and site protection to become the new normal. Invest in AppSec, invest in Security Engineering, and invest in the trust of your customer or reader.


Qualys Report: Yahtzee!

SecurityHeader Report: Content-Security Policy and Public-Key-Pins will be future projects for the site
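The SecurityHeaders report mentioned above grades a site on the response headers it sends. As an added example for this page (not Scott Helme's tool, and not the author's configuration), the script below applies the same kind of checks offline to two constructed header blocks: a weak one and a hardened one. The HSTS floor of six months is the value the preload list required at the time and is stated in the code as an assumption; Public-Key-Pins, which the post lists as a future project, has since been deprecated and removed from browsers, so the audit only reports its presence rather than rewarding it.

```python
import re
from email.parser import Parser

# Constructed response header blocks; not captured from privacywonk.net.
WEAK_HEADERS = """HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=300
"""

HARDENED_HEADERS = """HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
"""

# Assumption: six months was the HSTS max-age floor for preload submission at the time.
HSTS_MIN_AGE = 15768000


def parse_response_headers(raw):
    """Drop the status line and parse the RFC 822-style fields (case-insensitive lookup)."""
    body = raw.split("\n", 1)[1] if "\n" in raw else ""
    return Parser().parsestr(body, headersonly=True)


def check_hsts(value):
    if value is None:
        return "missing"
    m = re.search(r"max-age=(\d+)", value, re.I)
    if not m:
        return "malformed: no max-age"
    age = int(m.group(1))
    problems = []
    if age < HSTS_MIN_AGE:
        problems.append(f"max-age {age} below {HSTS_MIN_AGE}")
    if "includesubdomains" not in value.lower():
        problems.append("no includeSubDomains")
    return "ok" if not problems else "; ".join(problems)


def check_csp(value):
    if value is None:
        return "missing"
    low = value.lower()
    problems = []
    if "default-src" not in low:
        problems.append("no default-src fallback")
    if "'unsafe-inline'" in low or "'unsafe-eval'" in low:
        problems.append("allows unsafe-inline/unsafe-eval")
    if "object-src" not in low:
        problems.append("no object-src restriction (plugins)")
    return "ok" if not problems else "; ".join(problems)


def audit(raw):
    """Return {header: finding} for the headers a SecurityHeaders-style scan looks at."""
    h = parse_response_headers(raw)
    findings = {
        "Strict-Transport-Security": check_hsts(h.get("Strict-Transport-Security")),
        "Content-Security-Policy": check_csp(h.get("Content-Security-Policy")),
        "X-Content-Type-Options": "ok" if (h.get("X-Content-Type-Options") or "").lower() == "nosniff" else "missing",
        "X-Frame-Options": "ok" if h.get("X-Frame-Options") else "missing",
    }
    # HPKP was later deprecated and removed from browsers: note it, do not grade it.
    if h.get("Public-Key-Pins"):
        findings["Public-Key-Pins"] = "present (deprecated; a bad pin set locks users out)"
    return findings


def failures(raw):
    """Sorted names of headers that are missing or weak."""
    return sorted(k for k, v in audit(raw).items() if v != "ok" and not v.startswith("present"))


if __name__ == "__main__":
    for label, block in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit(block))
```

Point it at a real site by replacing the constructed blocks with the output of `curl -sI https://example.org`; the grading logic is unchanged.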

Cybersecurity as Realpolitik by Dan Geer

Dan Geer delivered the following speech at this year's (2014) Black Hat. The video and text are presented below. I have republished the text below but edited it from the original text format to be a bit more readable and printable.

[ nominal delivery draft, 6 August 2014 ]

Cybersecurity as Realpolitik
Dan Geer

Good morning and thank you for the invitation to speak with you today. The plaintext of this talk has been made available to the organizers. While I will not be taking questions today, you are welcome to contact me later and I will do what I can to reply. For simple clarity, let me repeat the abstract for this talk:

Power exists to be used. Some wish for cyber safety, which they will not get. Others wish for cyber order, which they will not get. Some have the eye to discern cyber policies that are "the least worst thing;" may they fill the vacuum of wishful thinking.

Why biometrics are bad authenticators

The Chaos Computer Club, a Germany-based hacker collective with a rich history of publicly demonstrating security risks, published an article describing how it had broken Apple's new Touch ID fingerprint authentication on the iPhone 5s. They used tools and techniques originally developed in 2004 to fool the iPhone's fingerprint sensor.

"The biometrics hacking team of the Chaos Computer Club (CCC) has successfully bypassed the biometric security of Apple's TouchID using easy everyday means. A fingerprint of the phone user, photographed from a glass surface, was enough to create a fake finger that could unlock an iPhone 5s secured with TouchID. This demonstrates - again - that fingerprint biometrics is unsuitable as access control method and should be avoided."

The CCC hacker Starbug, who conducted much of the biometric research, said in 2007, "As we have said now for more than years, fingerprints should not be used to secure anything. You leave them everywhere, and it is far too easy to make fake fingers out of lifted prints."

Prepare for Google's Privacy Policy Shift

On Thursday, March 1st, Google's new unified privacy policy goes into effect. Previously, all Google services maintained separate silos of data operating under separate privacy policies. This is no longer the case. Google is now unifying its data and, ultimately, building rich stores of data about you. Below are a few actions you can take to mitigate the amount and type of data Google will have access to after the policy change goes into effect.

1. Do not perform Google Searches while signed into your account.

This is the simplest way to ensure Google does not capture search history associated with your user ID/profile. As an alternative, keep your Google account signed in on one browser (e.g. Firefox) and use another browser operating under a privacy protection mode (e.g. Chrome's Incognito Mode) to conduct searches. This is not foolproof -- Google can certainly be smart enough to correlate signed-in sessions and non-signed-in sessions originating from the same IP address...but it's a start.

Please note all steps below assume you are signed into your Google account

2. Remove your Google History

If this is already disabled, you will see two buttons that read "No Thanks" and "Enabled Web History". Simply click "No thanks" and pat yourself on the back for being smart about your search privacy.

If web history is enabled:
  • Click the button that says "View History"
  • Click "Remove All Web History"

Doing this automatically stops the future collection of web history. If you ever wish to resume history collection, simply click the "Resume" button.

3. Remove your YouTube History
  • Click on "YouTube" in the toolbar at the top of the page
  • On the right of the page, click your username and select "Video Manager"
  • On the left side of the page, click the "History" button
  • Click the "Clear Viewing History" button, confirm your choice when the pop-up displays
  • Refresh the page/click the "History" button again
  • Finally, click "Pause Viewing History"
4. Disable Google Chat/Talk History
  • In Gmail, click on the cog/wheel in the upper right corner
  • Click Mail Settings
  • Click Chat
  • Ensure "Never save chat" history is enabled

5. Remove old e-mail from Google

Navigate to the oldest e-mails stored in your Google Account and look at their dates. Take a walk down memory lane...Scary, huh?

To remove these e-mails from Google Servers:
  • Click the cog/wheel in the upper right corner of Gmail
  • Select "Mail Settings"
  • Select "Forwarding and POP/IMAP"
  • Click "Enable IMAP"
  • Download a mail client such as Thunderbird, Outlook, Apple Mail, etc
  • Follow directions to setup mail client:
    • Using the mail client, create a local email storage file, such as an Outlook PST or a Thunderbird local folder
    • Download all e-mails from Google to your local storage
    • Delete all e-mails from Google
    • Repeat this every month, ensuring only the last six months of e-mail stay on Google's Servers
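The monthly routine in step 5 (enable IMAP, pull everything older than six months into local storage, then delete it from Google's servers) can be scripted instead of done by hand in a mail client. The following is an added example for this page, not the author's procedure or any Google tool; it uses the standard-library `imaplib` and `mailbox` modules. The sample messages are constructed placeholders so the selection and archiving logic can run offline; the `purge_old_mail` function assumes an already logged-in `imaplib.IMAP4_SSL` connection and, as an assumption about Gmail's IMAP behaviour that you should confirm in the account's settings, copies each message to Trash before flagging it deleted, because flagging alone in "All Mail" can merely remove a label.

```python
import email
import imaplib
import mailbox
import tempfile
from datetime import date, timedelta
from email.utils import parsedate_to_datetime

# Constructed sample messages keyed by IMAP sequence number; placeholders, not real mail.
SAMPLE_MESSAGES = {
    b"101": b"From: a@example.com\nDate: Mon, 02 Jan 2006 10:00:00 +0000\nSubject: old\n\nold body\n",
    b"102": b"From: b@example.com\nDate: Wed, 01 Feb 2012 09:30:00 +0000\nSubject: recent\n\nrecent body\n",
    b"103": b"From: c@example.com\nSubject: undated\n\nno Date header\n",
}
TODAY = date(2012, 3, 1)  # the policy-change date used as the run date in the example


def retention_cutoff(today, months=6):
    """Messages dated before this day leave the server (a month approximated as 30 days)."""
    return today - timedelta(days=30 * months)


CUTOFF = retention_cutoff(TODAY)


def imap_date(d):
    """IMAP SEARCH date syntax is dd-Mon-yyyy, e.g. 01-Sep-2011."""
    return d.strftime("%d-%b-%Y")


def select_for_archive(messages, cutoff):
    """Return ids whose Date header is older than cutoff.

    Undated messages are left alone: the server-side BEFORE search would not
    return them, and re-checking locally means nothing is deleted whose age
    cannot be established from the message itself.
    """
    chosen = []
    for num, raw in messages.items():
        msg = email.message_from_bytes(raw)
        if msg["Date"] is None:
            continue
        if parsedate_to_datetime(msg["Date"]).date() < cutoff:
            chosen.append(num)
    return chosen


def write_archive(raw_messages, path=None):
    """Append raw RFC 822 messages to a local mbox file; returns (path, count)."""
    if path is None:
        path = tempfile.NamedTemporaryFile(suffix=".mbox", delete=False).name
    box = mailbox.mbox(path)
    try:
        for raw in raw_messages:
            box.add(raw)
        box.flush()
    finally:
        box.close()
    return path, len(raw_messages)


def count_archived(path):
    """Re-open the mbox and count stored messages, to verify the archive before deleting."""
    box = mailbox.mbox(path)
    try:
        return len(box)
    finally:
        box.close()


def purge_old_mail(imap, today, mbox_path, dry_run=True):
    """Archive then remove server-side mail older than the retention cutoff.

    `imap` is a logged-in imaplib.IMAP4_SSL, e.g.
        imap = imaplib.IMAP4_SSL("imap.gmail.com"); imap.login(user, app_password)
    Assumption about Gmail: a \\Deleted flag in "All Mail" may only strip the
    label, so each message is copied to Trash first. Verify in the account's
    IMAP settings before running with dry_run=False.
    """
    cutoff = retention_cutoff(today)
    imap.select('"[Gmail]/All Mail"')
    status, data = imap.search(None, "BEFORE", imap_date(cutoff))
    if status != "OK":
        raise RuntimeError("IMAP SEARCH failed")
    fetched = {}
    for num in data[0].split():
        status, parts = imap.fetch(num, "(RFC822)")
        if status == "OK":
            fetched[num] = parts[0][1]
    to_remove = select_for_archive(fetched, cutoff)  # local second check on dates
    path, written = write_archive([fetched[n] for n in to_remove], mbox_path)
    if count_archived(path) < written:
        raise RuntimeError("archive verification failed; nothing deleted")
    if not dry_run:
        for num in to_remove:
            imap.copy(num, '"[Gmail]/Trash"')
            imap.store(num, "+FLAGS", "\\Deleted")
        imap.expunge()
    return len(to_remove)
```

Run it with `dry_run=True` first and inspect the mbox in Thunderbird or another client; the archive must be verified before anything is expunged, which is the order the manual steps above also follow.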

6. Android Phone - Web Browser

  • Open your Web Browser
  • Click the Menu Key on your phone
  • Select "More"
  • Select "Settings"
  • Clear your history, cache, and location access.
  • Suggest disabling "Enable location" to prevent future websites from accessing your location.

Security Best Practices for your Google Account

While not related to the impending privacy changes, the following two steps are important functions to enable on your Google account.

7. Google Mail Connection

  • In the Gmail settings, click on the "General" settings tab
  • Ensure "Browser Connection" has "Always use https" enabled

8. 2-Step verification

2-Step verification is similar to what major banking websites are now using. This service provides stronger security protection for your account. The process is very simple: once activated, you will need to verify the device(s) you frequently sign into your Google account from: your home computer, your work computer, your iPad, etc. To do this, Google will send you an SMS text message with a unique code. You will be required to enter both your password and this code to verify the device you are signing into Google with. This stops someone who has only your password from signing in from a device you have not verified.

To enable:

SOPA Progress Slowed

It appears the anti-SOPA/PROTECTIP grassroots movement and lobbyists have struck a blow to the forward progress of the two bills. Over the weekend many Senators, Congressmen, and the White House publicly announced their opposition to the bills or to the DNS provisions.

Ars has a great write up by Timothy Lee:

MSNBC's "Up with Chris Hayes" hosted a debate about SOPA with NBCUniversal Executive Vice President and General Counsel Richard Cotton and Reddit co-founder Alexis Ohanian, as well as former Rep. Joe Sestak (D-PA) and former lobbyist Jack Abramoff. Rick Cotton and Alexis Ohanian dominated most of the debate.

I found Richard Cotton's tactic in this debate to be hysterical and typical of the debate thus far: state your position loudly, frequently, and do not yield any ground to other arguments. Cotton spent the entire debate vehemently insisting that SOPA will not affect any U.S. websites/companies and frequently trying to talk over Alexis and Chris. He said some variation of "wholesale devoted to theft/illegal activity/thievery" 10 times, "devoted to foreign sites only" 6 times, and told someone their interpretation of the bill was flat-out wrong twice within the roughly 18-minute debate. Alexis and Chris made some good points.

Interesting debate -- especially seeing an NBC show host challenge and spar with an NBC VP over the stance the company has taken. Kudos to NBC for hosting the debate; now just stop supporting this bill.

SOPA Hearing Transcript

The transcript (PDF) from the December 15, 2011 House Judiciary Committee markup of H.R. 3261, Stop Online Piracy Act (SOPA). This was one of the most infuriating sessions to watch live and reviewing the testimony and comments, in writing, a month later still boils my blood. There is a PrivacyWonk hosted copy available (PDF) in case the House moves the copy that is hosted there.

The markup session produced 495 pages of text, including the following gems:

Mr. Watt.  I thank the gentleman for yielding, and I just want to make a couple of points.  First of all, I want to go back to what my friend, Ms. Lofgren's comments she made and discourage any of us from talking about who has been bought off or even experts.  There has been a lot of money floating around in a lot of different places on this issue, and I just don't think it is worthy of us to be talking about who got bought off and who got hired by whom, especially when we start identifying the people.

Mr. Chaffetz.  Thank you, Mr. Chairman.  I have the greatest respect for you and for Ranking Member Conyers.  I do appreciate the manager's amendment.  I do think it is certainly better.   There is clearly a problem.  I understand that there is a problem, but I worry that this is the wrong remedy.  I was trying to think of a way to try to describe my concerns with this bill, but basically we are going to do surgery on the Internet, and we haven't had a doctor in the room tell us how we going to change these organs.  We are basically going to reconfigure the Internet and how it is going to work without bringing in the nerds, without bringing in the doctors.

Ms. Jackson Lee. ... And then, Mr. Chairman, if I might have a moment of personal privilege and just cite for my colleagues, because I do think that we should be respectful of each other, I am reading a tweet that has gone out from "GOP Rep King, Bored by the dialogue of Representative Jackson Lee."  I have no reason to think that anybody cares about my words, but I would offer to say that Mr. King owes the committee an apology, said that we are debating the Stop Online Piracy Act and that he is killing time by surfing the Internet.  I have never known Mr. King to have a multi-task capacity, but if that is his ability, I do think it is inappropriate while we are talking about serious issues, to have a member of the Judiciary Committee be so offensive.  So I am putting on the record, he is not here -- I -- 
Mr. Sensenbrenner.  Chairman, I demand the gentlewoman's words be taken down.  
Ms. Jackson Lee.  Well, I am not taking them down, so you can break this hearing because I am not.  I would ask Mr. --  ...

There is much more contained within the transcript. It is an almost 500-page demonstration of special-interest lobbying and willful ignorance of the outside-the-beltway world and the internet.

For more on SOPA, please see the opposition letter. Please use this letter and send to your representatives to add your voice to the debate.

My SOPA Opposition Letter

I like participating and love what the Center for Democracy and Technology and others are doing at the American Censorship Project. However, this is an issue I feel very strongly about and decided to sit down and compose my own letter & e-mail to my representative. There are two versions of the letter -- one for you to read and interact with on this blog and one for you to copy and paste and send to your representative. The second version removes formatting to ensure sources (URLs) transition through the "Write your Representative" pages.

To the Honorable <<Representative>>,

I am writing to express my staunch disapproval of H.R. 3261: Stop Online Piracy Act (SOPA) and S. 968: Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property Act of 2011 (PROTECTIP). There is no substantial disagreement with the goal of combating the online infringement of copyrights and trademarks; that is a valid and important aim. However, these bills are incredibly dangerous to the country. Some of the specific provisions are far more controversial and would do far more damage than the authors (the MPAA and other lobbying arms of the entertainment industry) of the bill or the "expert" testimony would suggest. A Politico article by Jennifer Martinez titled "Shootout at the digital corral," published on November 16, 2011, provides excellent detail on the bills and the simple fact that the entertainment lobby has outspent the technology lobby for the past two years. The entertainment lobby has bought and paid for these bills, spending over $200M in 2010 and 2011, and they will substantially harm the still-growing and increasingly important digital economy: making it impossible to innovate, killing start-ups, and any jobs associated with them.

The public reaction to these bills in the United States has been visceral. Opponents of the bill include: Google, Yahoo!, Facebook, Twitter, AOL, LinkedIn, eBay, Mozilla Corporation, the Brookings Institution and human rights organizations such as Reporters Without Borders, the Electronic Frontier Foundation, the ACLU, Human Rights Watch, and the Center for Democracy and Technology.

Sandia National Laboratories, a part of the U.S. Department of Energy, concluded that the SOPA legislation would "negatively impact U.S. and global cybersecurity and Internet functionality." Sandia joins Republican Representative Dan Lungren, who also worried that SOPA would undercut efforts to secure the internet with DNSSEC.

Harvard Business Review blogger James Allworth wrote, "Is this really what we want to do to the internet? Shut it down every time it doesn't fit someone's business model?" concluding that the bill would "give America its very own version of the Great Firewall of China." I do not believe this quote is hyperbole. The bill will significantly impair the freedom of the internet that we as a country have advocated very publicly. See Hillary Clinton's speech on Internet Freedom at GW University.

There has also been international outcry to the bills. The European Parliament passed (by a large majority) a resolution criticizing SOPA. The resolution emphasizes "the need to protect the integrity of the global Internet and freedom of communication by refraining from unilateral measures to revoke IP addresses or domain names." The United States has great allies in Europe and we would not be doing ourselves any favors by passing a bill that does *nothing* to protect us and everything to antagonize Europeans.

We cannot legislate an internet that protects everyone, everywhere, at every second. But we also cannot take the interests of a few companies' antiquated business models over the interest and rights of our citizens. SOPA and PROTECTIP are bad pieces of legislation. This fact is highlighted in the poor grasp of internet technology the bills put forward; the entertainment industry spent millions of dollars to produce pieces of legislation that *break* the internet. These bills represent the last throes of an industry failing to adapt to a new marketplace. These companies would have done better to take their $200M+ of lobbying and invest it in innovation, research and development, and job creation around that R&D.

Please help stop this bill.

Thank you,

ECPA Reform -- Keeping the momentum

Reforming government takes a long time; it rarely happens overnight. It can often take years of negotiation, grassroots campaigning, and lobbying to effect change. That's our system, for better or worse. Right now, one such issue working its way through the process is reforming the 25-year-old, and very stale, Electronic Communications Privacy Act (ECPA) of 1986. Over the past year, there has been substantial activity around the issue. Big companies and advocacy groups from both the left and right have come together to demand updates to the electronic surveillance laws. The laws no longer work with our current technological environment and offer very little privacy protection to individuals. It also puts companies who handle information in difficult positions: protecting consumer data or disclosing information to government without clear guidelines. The Center for Democracy and Technology (CDT) has put together a great primer on the history of ECPA, the privacy concerns, the technological changes that have occurred since 1986, and why reform is needed.

Over a year ago, there was a lot of activity around ECPA reform, including a hearing held by the Senate Judiciary Committee and Google helping form the Digital Due Process Coalition. The coalition is comprised of many big tech companies and advocacy groups "[t]o simplify, clarify, and unify the ECPA standards, providing stronger privacy protections for communications and associated data in response to changes in technology and new services and usage patterns, while preserving the legal tools necessary for government agencies to enforce the laws, respond to emergency circumstances and protect the public." Additional background from Alex Howard at O'Reilly Radar.

ECPA reform has made its way into the Congressional records with draft legislation put forward. On May 17, 2011 Senator Patrick Leahy (D-VT) introduced a bill to modernize and update the ECPA titled Electronic Communications Privacy Act Amendments Act of 2011 (PDF) (S. 1011).

CDT has recently formed a group of both left and right organizations to support a petition for privacy law reform, specifically targeting ECPA. The site, "Not Without A Warrant" allows individuals to electronically sign the petition and add their voice to the reform movement.

PrivacyWonk has signed the Not Without A Warrant petition. Will you?