The Biggest Threat to Cyber-Security is Surveillance

The biggest threat to cyber-security is surveillance. Or rather, the will, ability and legal standing of organisations that prioritise surveillance and active attack capabilities above defence and security.

The point is that surveillance does not mean passive wire-tapping. It means attacking infrastructure where the data you want is available unencrypted, or infrastructure through which the message or data travels, infrastructure which may well not be under the control of the entity trying to gain these surveillance capabilities. For instance, it might target the sender or the recipient of an encrypted e-mail or instant message, or an intermediary, in order to learn who communicates with whom in the first place. None of these actions is comparable to passive wire-tapping; in fact, these attacks are indistinguishable from hacker attacks aimed at any other goal, such as building botnets, and they also enable the attacker not just to eavesdrop but to do whatever else he pleases, from launching man-in-the-middle attacks to denial of service, ransomware, attacking somebody else, and so on. So surveillance is an attack like any other.

The problem stems from the fact that in order to attack somebody, you need knowledge of insecure systems, i.e. vulnerabilities, on their part. Typically, what you use are exploits, and if the vulnerability they target has not been published yet, they are called zero-day exploits. As long as you don’t tell anyone, these vulnerabilities don’t get fixed. They might be found by somebody else, who may or may not publish them. As soon as they are published and patched, they lose their value for attack. During the period when you have a zero-day exploit on your hands, you might mitigate that vulnerability on your own systems. But you can’t mitigate it on all the systems of your allies, because then the secret would get out. So you don’t. Which means that one outfit’s knowledge of a vulnerability leaves every other outfit at risk.

A practical example: in 2013 a server that the NSA used as a staging system for attacks was hacked. The Shadow Brokers hack was made public only in 2016, and it turned out the NSA had stashed a load of zero-day exploits there, some of which were still zero-days in 2016, though the majority had already been made public. Not only does this illustrate that independent researchers will find these “secret” vulnerabilities eventually, it also shows something much more sinister: the NSA had actually put every other US agency, including the FBI and the DOD, the government, critical infrastructure (including power plants, water supply and hospitals) and finally all of its own citizens at risk.

With secret services world-wide, and often also police units (for instance, the Zürich police bought surveillance software from Hacking Team containing three zero-day exploits), ramping up their cyber-attack capabilities, most often with the goal of surveillance, we can see an extreme effect: the creation of a market for zero-day exploits. Where fifteen years ago no noticeable market existed at all, we now have one whose prices start at USD 40’000 and go up to USD 500’000 per exploit, as evidenced by the price list published by Zerodium. In other words, secret services and police are actively undermining the security of everyone on this planet, friend and foe alike.

The trouble is that highly technological societies are much more vulnerable to this. For guerillas, insurgents and terrorists, the benefit of being able to exploit vulnerabilities is much greater, and they don’t really have to defend any friends from such attacks. So the ones who suffer the most are the people and governments of exactly those nations and states whose secret services and police are actively undermining their security. This is a grave situation, as most governments have not even realised what it is they have their secret services and police doing, and are actively trying to destroy their own security with initiatives that call for the weakening of crypto or for government back doors. Or at least, they are trying to explicitly legalise these practices, as seen with Switzerland’s NDG, which of course will have a very adverse effect on security.

The solution is surprisingly simple; the only impediment is, as usual, the widespread incomprehension of the problem itself. Since every vulnerability that is made public and fixed eliminates its exploitation for everyone, the only solution is to make every vulnerability public as soon as possible. The usual, and in fact “best practice”, approach of the computer industry is called “responsible disclosure”, where the manufacturer of the software or product is informed a few days or at most a few weeks in advance, so that it can fix the vulnerability before the issue is made public. Note that publication removes the attack value only once the fix is actually available and deployed; until then, publication also hands the vulnerability to attackers who did not have it before, which is exactly why the advance notice to the manufacturer matters. And in the end, it’s the only solution that will really make us more secure.

On Ebooks and pricing

I’m an avid reader. And I’ve got quite a collection of books. But apart from some pdfs I bought at rpgnow and some I’ve got from humblebundle, I bought exactly one ebook on the internet.

One reason for this is DRM. I can’t stand it, and I vote with my boots. I will never support such a completely consumer-hostile scheme, not with my money, and I even try to boycott the most egregious abusers of it by not buying their other products as well. Amazon, for instance. There are of course some other abuses producers can indulge in which might make me want to boycott them, like lobbying for extensions of copyright or ripping off the academic communities with journals and other such rent-seeking activities. But I won’t go into detail here; if buying a book is not as easy as can be or the book has antifeatures like DRM, you can stop right now, you’ve already lost.

Another reason is price. I’m very well aware that producing an ebook has a lot of the same fixed costs as one on paper has, but still, ebooks are much, much too expensive. The one thing that most people seem to forget is that while ebooks have the same fixed costs (basically the writer and the editor; see Charlie Stross’ blog for details), there are practically no costs associated with the individual file you sell. So the base price of the individual unit, which previously came from printing, stock and distribution, falls away; what remains is the amount for writer, editor, marketing, etc., which can be spread out over as many units as you like.

The question is, where actually is the “right” price for ebooks (and movies, by the way, which also seem to be much too expensive)?

The facts to keep in mind are: budget and time are constrained on the buyer’s side. For most books, the things that tell stories are the immediate competition: movies and computer games. But basically everything else that entertains people is competing with books, like forums and blogs and other places of discourse on the internet. And the public domain will also compete with newer books. Also, while people can (and will, regardless of copyright) share books with their friends, they can’t actually resell them and recoup some of the money they spent. So the price needs to be rather low, to compete with all the other offerings, with public domain books, and with used books on paper.

Now, I’ve noticed from my behaviour regarding computer games that I actually bought a lot of games I already had again, at gog.com or Steam. Why? Mostly because they were cheap. With some autumn, summer and Christmas sales, I’ve just about re-bought all the computer games I’ve already had.

This leads me to the conclusion of what the “sweet price” for ebooks is: the price where I can re-buy all the books I’ve ever had on paper or ever read within the space of maybe a year or two. In my case, that’s probably around 2000 books, some of which I’ve gotten for SFR 1 at garage sales, some I borrowed from libraries, some I bought at retail price. The price for all of them should probably be below SFR 10’000; and with the SFR 1 paper ones as measuring stick, probably not a lot more than that. Say between SFR 1 and 4 (one Swiss franc, by the way, is slightly more than a dollar nowadays).

Of course, you won’t want to make every book this price; you might want to put prices of popular ones more towards SFR 4 and unpopular ones more towards SFR 1, and of course, for new releases you want to have prices rather towards the prices of the paper version, SFR 15 maybe. Still, even new releases should have prices markedly lower than the paper version, since you really don’t have to take any logistics into account. Plus, you might want to have sales with huge discounts, and bundles, like “all the works of Isaac Asimov for SFR 30”. Take a look at steampowered.com around Christmas, and you’ll see what I mean.

Exactly the same thinking can of course be applied to other digital goods, like movies and television series. I suspect the prices there could be a bit higher, maybe something around SFR 3-10 for movies, and maybe SFR 1-4 for single episodes, or SFR 10-20 for whole series. And again, newer ones priced above that. And bundles (“all the James Bond movies for SFR 50”).

The main point here is: there is a price that is so low, people will buy these things just to have them (or even for fear that “it will cost more after this sale”), regardless of whether they even get around to reading or watching them. Just for the sake of collecting. Because they remember them, or because they’ve heard about that author and plan on reading something of his some time in the future. It doesn’t even matter if they have already gotten that book from a friend, for free. And, most importantly, it doesn’t matter if they will even find the time to read it, or even expect to find the time.

Swisscom Peering Policy Perversions

What is peering?

If you want to send data from one internet provider to another, it first goes via an upstream, a larger internet provider to which other internet providers are attached. You pay for this upstream.

A peering is when you set up a direct link to the other ISP and route all traffic from and to that ISP (but only that traffic) directly over it. This is relatively inexpensive if you already have infrastructure in the same datacenter, and there are associations, here SwissIX, which operate the shared infrastructure (the switches) in these datacenters.

With a peering, both sides save upstream costs, and the customers benefit from shorter paths, i.e. faster access. So in most cases it is a win-win situation.

There are isolated cases where one partner profits more than the other; typically the one profiting more is the one that sucks in more data than it delivers.

Swisscom sucks

Swisscom is one of the largest end-customer providers in Switzerland, and thus also one of the largest recipients of data. One would therefore expect Swisscom to have a very great interest in peering, especially with providers whose customers offer sites that are popular with Swisscom customers.

Instead, Swisscom demands a monthly fee. In other words, Swisscom saves upstream costs, Swisscom’s customers get better access to websites, and Swisscom gets paid for it on top.

The other ISP saves some upstream costs and then immediately hands money back to Swisscom instead. Financially this can only work at very large volumes of saved traffic: when the savings exceed the monthly rent paid to Swisscom.

The only reason this can work at all is that the customers of other ISPs who offer websites have an interest in their sites reaching Swisscom customers quickly. And they have this interest because Swisscom has the majority of all end customers attached to its network. A very clear abuse of a dominant market position.

Indeed, providers in Switzerland have already fought back against this; for example, Init7 won a partial victory against Swisscom. But the fact that Swisscom can still charge money for peering clearly shows that there is no trace of competition here, and that Swisscom is still willing to play its customers, and the quality of their internet connection, off against smaller internet providers.

The losers of this monopoly-rent policy of Swisscom’s are the other internet providers, their customers who offer services, and Swisscom’s own customers.

Patents on Bronze Age Technology

This here is from Apple’s Slide-to-Unlock patent, which is currently being invalidated.

[Figure: Slide to Unlock patent]

However, the question remains why this could be granted in the first place. Laziness? A case of “it said computer, so I turned off my brain”? Or job-blindness: “I couldn’t find any prior art in the patent database”?

Because the amount of prior art is actually staggering. This here is one of the earliest I could casually find:

[Figure: Abydos King List. Temple of Seti I, Abydos]

Yes, it’s hieroglyphs, and they’re from roughly 1290 B.C. The topmost hieroglyph is a “z” (or hard “s”), and the symbol is that of a door bolt. And since hieroglyphs are rather old, and Seti I by no means one of the early pharaohs, this means there’s most probably much older evidence out there for “slide-to-unlock”.

And I’d wager there’s so much more of this crap out there. Chances are very slim that this is an isolated case; this is most probably endemic, inherent in the system.

The New Robot Patent

Just like the old Robot Patent (by Emperor Joseph II) this is of course all about rent-seeking.

As we’ve noted in The Moby Dick Support Device, some egregiously stupid patent officers started accepting patents based on the un-reasoning that a computer running a program makes it a different computer, just as a bookshelf which is used to store copies of Moby Dick would be an entirely different thing from an ordinary bookshelf.

Now comes the second chapter: enter the robot. Yes, they’re not doing much right now, but watch the flurry of all-new bogus patents rolling in as soon as they get more useful. Everyone and their lawyers will start patenting everyday actions, coupled with the phrase “with a robot”.

saulgoode writes at Techdirt:

If the bobble heads at the Patent Office continue on the path they are currently following then we can certainly expect a rush of patents on all kinds of human activity with the caveat of it being done “with a robot” — e.g., dig a hole with a robot, change a tire with a robot, build a swing set with a robot — just as “with a computer” seems to justify patents being issued on things such as getting feedback from a buyer or scrolling through a document.

Ah, Arkham Asylum Patent Offices, home of the criminally insane. How could one ever, with this concise list of non-patentable matters: EPC, Art. 52, come to such a ridiculous interpretation? (Same in the USA, see The Moby Dick Support Device).

A (Patent-)Law to promote the welfare of Lawyers

I already wrote about how Patents kill Innovation. If you’re looking for more background on some of the assertions in this text, they’re explained there.

The German Bundesgerichtshof (BGH) has just decided that it would be a good idea to allow software patents, even though the European Patent Convention (EPC) says in Article 52: “The following in particular shall not be regarded as inventions … mathematical methods … programs for computers”. How did the BGH get the idea to rule on such a case in the first place, rather than dismissing the whole affair as illegal and contempt of justice?

Either this is, according to Hanlon’s Razor, an act of incredible stupidity, or there were some serious interests lobbying in the background. And in fact, those interests very much exist, and they’re very much part of the judicial system itself.

As it happens, apart from pharmaceuticals, nobody makes money from the patents he applies for. Yes, this sounds like a very bold statement, but keep in mind that this applies to all the patents of a field taken together; there might be financially successful patents among them, but the gains are eaten up by all the other patents which just cost money. Now where does this money go? To legal costs, of course. So in all fields of enterprise except pharmaceuticals, patents only fill the coffers of lawyers, attorneys, judges and the patent office. It has been estimated that those costs make up to 20% of the final product price, making the patent system in the end just a tax system which funnels a tax of 20% to the legal system.

Obviously, those on the receiving end have a strong incentive to keep it this way, and won’t allow anyone to interfere with their rent. And most probably this is what happened with the BGH. As people in the legal system they are bound to know a lot of people also in the legal system, and those lawyers and attorneys will have biased views which they have probably communicated to the BGH. By now, the BGH is probably firmly convinced that patents are necessary for innovation to happen (or some suchlike hogwash).

Are you curious about that “pharma exemption”? Well, there the patent system works (in its main effect) as intended, with some severe side effects. Patents are granted, the patents licensed to third parties, and the license fees not only cover the legal costs but are high enough to make a decent profit. Not anticipated was that the big players in that field successively lobbied “patents on products” and “patents on genome sequences” into the law, and that they wreak havoc on smaller players and on the general public, most notably on the public in third world countries.

So even if patents on pharmaceuticals work as expected when viewed from within the system, the idea of patents as such is inherently flawed in regard to innovation, development, economy and ecology. And if you’re a proponent of free markets, patents as “government-granted monopolies” are an abomination anyway. Patents are an inherently mercantilist idea (especially since a patent does not allow you to produce any product, but allows you to forbid your competition to produce it), along the lines of such luminaries as tariffs, subsidies and protective duties.