No, Mr. Cook, A Flawed IOS Is Not Like A Sort Of Cancer

Apple’s CEO Tim Cook, talking about the law enforcement community’s request to weaken iOS, stated that complying with what the FBI is asking would mean writing software that is sort of the equivalent of cancer.

The statement is technically wrong, a slap in the face of the people who are plagued by this deadly disease, and evidence that talk is cheap.

First: cancer is a highly evolved entity (around for some 4 billion years or so) made of mutated cells that have lost their “self-killing” mechanism, keep mutating and growing, and create new forms of cancer elsewhere in the body once removed by surgery or other therapies. This has nothing to do with a piece of software kept under strict control by a private company.

Second: Mr. Cook is absolutely within his rights when he tries to defend his company’s intellectual property, but this time Apple’s spin doctors pushed the limits much too far when, for the sake of the controversy, they involved people who are meeting their fate in dire straits.

Third: of all the arguments that could have been exploited by Mr. Cook’s spin doctors, referring to such a dramatic disease shows a true lack of compassion toward our fellow human beings. Maybe this is not what Mr. Cook had in mind, but this is how his statement looks.

An Answer to Apple’s Answer about the FBI’s iPhone Hack Request

In a letter to its customers, Apple addressed the issues related to the FBI’s request to be provided with iPhone cracking tools.

Here is a detailed analysis of Apple’s statement.

Why is Apple objecting to the government’s order?
First, the government would have us write an entirely new operating system for their use … It would be wrong to intentionally weaken our products with a government-ordered backdoor. If we lose control of our data, we put both our privacy and our safety at risk. …

True, but the fact is that by providing unbreakable security measures Apple doesn’t need to care about data protection and privacy laws. As long as Apple is not able to access users’ data, it is not subject to the costly burden of complying with an (admittedly) bureaucratic and demanding (European) regulation, and it reduces its chances of being challenged in court for privacy infringements.

Second, the order would set a legal precedent that would expand the powers of the government and we simply don’t know where that would lead us. Should the government be allowed to order us to create other capabilities for surveillance purposes, such as recording conversations or location tracking? This would set a very dangerous precedent.

ISPs and carriers are already forced to use equipment that eases (court-authorized) wiretapping. Why should Apple be granted an exemption?

Is it technically possible to do what the government has ordered?
Yes, it is certainly possible to create an entirely new operating system to undermine our security features as the government wants. But it’s something we believe is too dangerous to do. The only way to guarantee that such a powerful tool isn’t abused and doesn’t fall into the wrong hands is to never create it.

The easiest pun would be: how about nukes? But (dark) humour apart, a private company has no “jurisdiction” over policy issues and cannot supersede the will of the People. In other words: it is not Apple’s job to decide what is “safe” and what is not.

Could Apple build this operating system just once, for this iPhone, and never use it again?
The digital world is very different from the physical world. In the physical world you can destroy something and it’s gone. But in the digital world, the technique, once created, could be used over and over again, on any number of devices. … Law enforcement agents around the country have already said they have hundreds of iPhones they want Apple to unlock if the FBI wins this case.

So what? A criminal investigation has its needs and can’t be stopped by the business interests of a private company.

Has Apple unlocked iPhones for law enforcement in the past?
No. … We’ve built progressively stronger protections into our products with each new software release, including passcode-based data encryption, because cyberattacks have only become more frequent and more sophisticated. As a result of these stronger protections that require data encryption, we are no longer able to use the data extraction process on an iPhone running iOS 8 or later.

Well, this raises an interesting point. If my memory still works, when, back in the day, Napster got indicted by a New York Court, it was because the client had been designed without taking the copyright issues involved into account. In other words, the judge punished the fact that Napster was “per se” able to ease the infringement of the law: a sort of “liability by design”. So, applying the very same principle to Apple’s statement, the point is that iOS is, as a matter of fact, deliberately designed to prevent a forensic investigation. Is this a source of liability?

The government says your objection appears to be based on concern for your business model and marketing strategy. Is that true?
Absolutely not. Nothing could be further from the truth. This is and always has been about our customers. …

I wonder what Apple’s CEO would say to its stakeholders should the stock value fall because of this refusal to comply with the FBI request. A company, and its CEO, have a duty of protection toward the people who invested their money. Sure, Apple has terrific customer support and is – IP protection apart – a fairly open company. But this doesn’t change the fact that the business impact of a strategy is the main driver of a decision.

Is there any other way you can help the FBI?
We have done everything that’s both within our power and within the law to help in this case. As we’ve said, we have no sympathy for terrorists. …

I’m sure Apple did. But the point is that, as I said before, by building an unbreakable iOS version there is little that Apple could do…

What should happen from here?
Our country has always been strongest when we come together. We feel the best way forward would be for the government to withdraw its demands under the All Writs Act and, as some in Congress have proposed, form a commission or other panel of experts on intelligence, technology, and civil liberties to discuss the implications for law enforcement, national security, privacy, and personal freedoms. Apple would gladly participate in such an effort.

If the FBI’s request is based upon a valid law, then it must be acknowledged. Full stop. If the law is wrong it will be amended or withdrawn, but as long as it is valid, dura lex, sed lex.

A final note.

There is an unspoken assumption in all these issues: that a public prosecutor is not free to investigate a crime, and this is clearly not possible.

In Italy, if a prosecutor needs something like what the FBI does, he has the power to order it, and the corporate criminal liability regulations punish obstruction of the investigation as a criminal offence.

There is a clear difference between Apple’s refusal to comply (grounded on business concerns and not on protecting people’s rights) and the privacy talibans (who just unreasonably put privacy above everything else).

The actual question is: why do people not trust the State and its law enforcement agencies?

If we could trust the powers-that-be, then we might accept striking a deal with the devil for the sake of a “greater good”, but the truth is that we can’t trust the Leviathan.

So, to put it short, I find both positions in bad faith :)

iPhone-as-a-weapon: back to 1991 (or: why you can’t trust commercial grade security)

The iPhone vs FBI quarrel about the “need” for Apple’s support to hack into an iPhone turns the clock back to 1991, when Phil Zimmermann gave PGP to the rest of the world, infringing the US veto on encryption export. So this Apple vs FBI thing is actually nothing new, since the positions of the supporters of the two arguments are still the same.

There is a new perspective, though, that is worth considering and that wasn’t that widespread in Zimmermann’s time: the role of not-for-profit, personal encryption.

A company like Apple will sooner or later comply with a court order to disclose or to support a hack. It is just a matter of finding a way to minimize the sales impact of such compliance.

Open-source, NGO or not-for-profit encryption, on the contrary, has neither an “owner” nor a “CEO” who can be ordered to do something “nasty”. Furthermore, open-source encryption already gives “the good guys” all the information they need to break the ciphers that endanger their investigations.

The point, though, is a different one: the FBI didn’t ask for the blueprints of iPhone security. They just wanted a “tool” to exploit the gimmick, with no actual need to understand how it works. And to me this is a nightmare scenario. I might trust a forensic expert who does his job in a lab, but I have some “problem” accepting that every single law enforcement agent, with no actual competence, might have such a powerful tool to use without actual supervision.

Again, we go back in time: who will watch the watchers?

Sir Clive Sinclair’s ZX Spectrum Vega Plus: Are You Ready To Go Back to Skool?

Like many (now old) kids of the eighties I was part of the ZX Spectrum tribe (are you still there, Commodore folks???) and if I now do what I do for a living, I have to thank Sir Clive Sinclair’s genius, which through his glorious microcomputer showed me literally a brave new world.

Now he’s back with the ZX Spectrum Vega project: a crowdfunded project to manufacture a console with a thousand original “old time” games.

I hope that the project will raise enough money to actually release the Vega Plus, but even if it doesn’t, offering support (as I just did) is a way to say “thank you Sir Clive!”

Is the iPhone Criminals’ Weapon of Choice?

According to NBC, Apple has been ordered by a federal judge to support the FBI in decrypting the iPhone used by the people accused of having slaughtered 14 people in San Bernardino, California, last December 2, 2015. The court order was necessary since Apple refused to voluntarily provide such support.

These are the bare facts, which have been turned into a horse of a different colour by bad-faith anti- and pro-encryption activists. The former sang the usual song “Strong Encryption Smooths Criminals” (FBI Records), while the latter waved the old flag “Weak Encryption Affects Civil Rights”.

The federal court asked neither for a backdoor nor for the enforcement of weaker iPhone security, but just told Apple to support the post-crime investigation. This court order doesn’t hamper people’s legal right to strong encryption, because the judge said something like “you have the right to own a strong safe, but the State has the right to try to open it by whatever means in case of a criminal investigation”. In this context, then, the fact that Apple has been ordered to provide support to the FBI is not unconstitutional.

I still support strong encryption for the masses (and for companies too), but I don’t think that making a case out of this court order might help the civil rights cause. It only works as a (maybe unintended) advertising stunt for Apple, which can portray itself as a “privacy shield”.

Staying Under the (Mainstream) Radar

Staying under the mainstream radar while releasing meaningful and original content is a good way to attract people actually interested in your activity, thus making it easier – as Seth Godin said – to turn strangers into friends and friends into customers.

An empirical look at the way people and companies use profiling and stats suggests that, to get more traffic (i.e. pay-per-click ads), content is shaped just to attract people rather than to provide actual information.

Think of the usual effects of looking at your analytics: you take note of the queries made by users and you shape your content accordingly, to be sure to attract people who use those words. The price you pay for being that “smart” is that you’re not the one who controls the content of your website, because you let the users (or, better, Google) do it on your behalf. The result is that all websites are made equal and turned into some sort of digital brochure. In other words, it is the tail that is wagging the dog.

Personally, I’m more at ease with Henry Ford’s quote:

If I had asked people what they wanted, they would have said ‘faster horses.’

Upcoming Data Protection Regulation to Hamper Genetic and Pharmaceutical Research

The privacy hysteria that has affected policy makers and data protection authorities for twenty or so years reached a new peak with the upcoming data protection regulation, whose text was published last December 18, 2015.

While, thank God, the text clearly states that “biosamples” as such aren’t “personal data”:

genetic data should be defined as personal data relating to the genetic characteristics of an individual which have been inherited or acquired as they result from an analysis of a biological sample from the individual in question, in particular by chromosomal, deoxyribonucleic acid (DNA) or ribonucleic acid (RNA) analysis or analysis of any other element enabling equivalent information to be obtained

Nevertheless, there is no clear reference to the fact that genetic (and, in general, health-related) research can’t be pre-emptively limited to specific processing operations, since scientists work with microscopes and not with crystal balls.

The result is that every research project that deals with patients’ (and patients’ relatives’) records might face enormous bureaucratic burdens every time a new path of study emerges from the current one.

Furthermore, the regulation says that:

Member States may maintain or introduce further conditions, including limitations, with regard to the processing of genetic data, biometric data or health data

In other words, then, we will likely face a flood of local regulation that will make it harder to perform research that saves human lives.

Sure, there will always be the possibility of challenging the letter of the law in court, claiming that no provision can be interpreted in such a way as to endanger human life and that data protection, in constitutional terms, is a “lesser right” when compared to the right to health. But this takes time, money and an open-minded court.

In the meantime, scientists will either slow down their activities or risk being taken to court.

Does it make sense?

Italian Digital Signature Software Exposed to Man-in-the-middle Attack?

An independent researcher compiled a list of known Apple OS X-related vulnerabilities, including one that affects the Sparkle Updater Framework.

I’ve just checked my Mac with this command:

find /Applications -name Sparkle.framework

and found that DikeX, the old version of the digital-signature tool released by Infocert S.p.A., uses Sparkle. I don’t know whether the software is plagued by the bug, but this is exactly the point: nobody from Infocert warned users about it with a single word.
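As an added example (not part of the original post, and not code from Infocert, Apple or the Sparkle project), the following POSIX shell script extends the `find` check above into a small inventory: for every Sparkle.framework bundle under an applications directory it reports the enclosing app, the bundled Sparkle version and whether the app’s update feed (the `SUFeedURL` key in its Info.plist) is fetched over plain http, which is the condition under which an update channel can be tampered with in transit. The two fake apps, their versions and the `example.invalid` feed URLs are constructed sample data so the script runs offline; the script also assumes the Info.plist files are XML, whereas on a real Mac many are binary and would first need `plutil -convert xml1`.

```shell
#!/bin/sh
# Added example (not from the original post): inventory Sparkle.framework bundles
# under an applications directory and report, per app, the bundled Sparkle version
# and the scheme of its update feed (SUFeedURL). A feed fetched over plain http is
# the precondition for in-transit tampering with updates; https closes that gap.
# Assumption: Info.plist files are XML, so grep/sed can read them. On a real Mac
# many are binary plists and need `plutil -convert xml1 <file>` first.

# Print the <string> value that follows <key>$2</key> in the XML plist $1.
plist_string() {
  grep -A1 "<key>$2</key>" "$1" 2>/dev/null \
    | sed -n 's/.*<string>\(.*\)<\/string>.*/\1/p' \
    | head -n 1
}

# Scan $1 for Sparkle.framework bundles; one line per hit:
#   <app bundle name> TAB <Sparkle version or unknown> TAB <https|http|unknown>
sparkle_inventory() {
  find "$1" -type d -name Sparkle.framework 2>/dev/null | while read -r fw; do
    app=$(printf '%s\n' "$fw" | sed -n 's#^\(.*\.app\)/.*#\1#p')
    [ -n "$app" ] || app="$fw"      # framework not inside an .app bundle
    ver=$(plist_string "$fw/Resources/Info.plist" CFBundleShortVersionString)
    feed=$(plist_string "$app/Contents/Info.plist" SUFeedURL)
    case "$feed" in
      https://*) scheme=https ;;
      http://*)  scheme=http ;;
      *)         scheme=unknown ;;
    esac
    printf '%s\t%s\t%s\n' "$(basename "$app")" "${ver:-unknown}" "$scheme"
  done
}

# Number of Sparkle-using apps under $1 whose feed is plain http (the exposed case).
count_http_feeds() {
  sparkle_inventory "$1" | awk -F'\t' '$3 == "http"' | wc -l | tr -d ' '
}

# Build a constructed stand-in for /Applications with two fake apps (sample data,
# not real products) so the script can be exercised offline. Prints the directory.
make_sample_tree() {
  sample_root=$(mktemp -d)
  while read -r name ver feed; do
    fw="$sample_root/$name/Contents/Frameworks/Sparkle.framework/Resources"
    mkdir -p "$fw"
    printf '<plist><dict>\n<key>CFBundleShortVersionString</key>\n<string>%s</string>\n</dict></plist>\n' \
      "$ver" > "$fw/Info.plist"
    printf '<plist><dict>\n<key>SUFeedURL</key>\n<string>%s</string>\n</dict></plist>\n' \
      "$feed" > "$sample_root/$name/Contents/Info.plist"
  done <<EOF
SecureNotes.app 1.14.0 https://example.invalid/appcast.xml
LegacySigner.app 1.5 http://example.invalid/appcast.xml
EOF
  printf '%s\n' "$sample_root"
}

# On a real Mac: sparkle_inventory /Applications
# Demo on the constructed tree (one app shows https, the other plain http):
demo_root=$(make_sample_tree)
sparkle_inventory "$demo_root"
rm -rf "$demo_root"
```

The report deliberately separates "uses Sparkle" from "is exposed": a bundled Sparkle is only a lead, while a plain-http feed plus an old Sparkle version is what a vendor notice such as the one the post asks for should address.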

Alitalia’s Marketing Strategy and Cipolla’s Third Law on Stupidity

If you book Alitalia’s cheapest fare on a flight it might happen (twice in two weeks, to me) that you aren’t entitled to a decent quantity of miles for the Mille Miglia frequent flyer programme and are compulsorily given an (often) uncomfortable seat.

This Ryanair-like attitude (everything is an optional extra) might make sense for long-haul or mid-distance travel, where passengers are willing to pay a surcharge to board first or get some other goodie. But it is completely useless for one-hour, taxi-like flights, where people go for the cheapest fare and don’t actually care about being comfortably seated or earning a few miles.

Of course, Alitalia must justify the different fares for exactly the same thing (moving people from A to B), but this should be done by adding something more to the standard, and not by first lowering the quality of the service and then asking for more money to get something that had always been taken for granted until yesterday.

To put it short, leaving a few “privileges” to short-distance travellers wouldn’t have harmed Alitalia’s pocket, while it would have made people’s day better. Instead, the company chose to worsen its customers’ travel experience without getting an actual benefit. This affects the passengers’ loyalty to such a company, and as soon as people are offered alternatives, they will surely take them.

A classical application of Carlo Cipolla’s Third Law of Human Stupidity.

Why Him? (Marco Carrai, Matteo Renzi and Cybersecurity in Italy)

The appointment by Italian PM Matteo Renzi of Marco Carrai as head of Italian cybersecurity raised a storm of criticism and concern among the IT security “professionals”, who started complaining about his lack of competence, conflicts of interest and so on.

Many of the complaints (a few of which I’ve heard privately, from people who called me for that purpose), though, look more like “why him and not me?” or “what does he have that I don’t?” than a serious analysis of Carrai’s suitability for the job.

He might not be the right person for such a role, but he is trusted by the prime minister and that is all that matters.

Not the first time, not the last time but – above all – not the first critical sector where such things happen.