The Daily Parker

I'm chilling in my hotel room on the second day of my trip, not sure how much longer I'll remain awake. (Waking up at 5am sucks, even more so when it's 4am back home.) This is a problem in that I need to write some code before tomorrow.

So I've spent a few minutes perusing the blog feeds and news reports that came in today, and I have a favorite. The favorite is not:

• Philip Bump explaining how President Trump made a bad night for his party even worse by being himself;
• Cook County (which contains Chicago) may de-criminalize marijuana very soon;
• Foreign policy guru Andrew Bacevich cutting Trump's Afghanistan policy into little ribbons;
• Paul Krugman taking apart the GOP's latest tax plan;
• Bruce Schneier testifying before Congress about the Equifax breach; nor
• Josh Marshal pointing out that Trump's numbers predicted last night's voter numbers.

No, though all of those brought little flutters of joy to my heart, the story that London is going to make Oxford Street a pedestrian utopia by 2020 really got my interest. Since I have never driven a car anywhere in Zone 1 and have no intention of ever doing so, I think blocking 800 meters of Oxford Street to cars is fookin' brilliant.

I'm about to fly to San Antonio for another round of researching how the military tracks recruits from the time they get to the processing center to the time they leave for boot camp (officially "Military Basic Training" or MBT).

I have some stuff to read on the plane:

• WPA, which is probably securing your WiFi, has been hacked after 14 years. Great. At least SSL is still secure.
• The New Republic claims that Republicans are ignoring the will of the people by tossing out ballot initiatives. (This is not new.)
• Chicago saw record rainfall Saturday. I know; I was in it.
• The Navy Pier bicycle flyover will take another two years and more money, because Chicago.
• President Trump made some remarks about Obamacare with the sensitivity and coherence we've come to expect from the man.
• Speaking of, the Washington Post has a view into the Adult Day Care facility at 1600 Pennsylvania Ave NW.
• Deeply Trivial name-checked The Daily Parker in a post about Sears.

OK, off to K20. Or K18. Or wherever my plane has got to.

Imagine the largest office building (in land area) you've ever been in, add a small shopping mall, four food courts, and the security that demonstrates exactly how silly and ineffectual airport security is, and that's the Pentagon.

I'm in a little island that's like an anti-SCIF (Secure Compartmented Information Facility). We're in the one unclassified office in the ring, complete with unclassified Internet service, and because of that, behind two steel doors and in a Faraday cage. And it's literally the only place we're allowed to take pictures, which is sad because every hallway in the building is a museum exhibit. It's weird.

That, and we can't go to the bathroom without an escort, makes this a very strange day indeed.

Also, it's like an ongoing pop quiz in uniform insignia recognition. And I'm still having problems with upper enlisted ranks.

Home tomorrow, after a visit to a military facility outside Baltimore.

I've got a lot going on today, with a final rehearsal tonight before Saturday's dress for Carmina Burana (get tickets here) and two business trips in the next 10 days. But there are a few articles to note in today's media:

• Dove ran a commercial this weekend that suggests an African woman can use their soap and become Irish. There has been some response.
• Politico reported that White House Chief of Staff John Kelly's cell phone got tapped. Schneier points out that all politicians should assume this about off-the-shelf phones.
• James Fallows weighs in on what retiring US Senator Bob Corker (R-TN) said about President Trump over the weekend, and what that means. Or doesn't.
• Meanwhile, outside politics, Hoa Loranger at NNG lays out what she wishes she'd learned about UX when she began her profession.
• The Atlantic looks at the similarities between Blade Runner 2049 and Ishiguro's Never Let Me Go.

Back to work now.

Via Bruce Schneier, a British reporter requested her data dossier from Tinder. As with so many other things in life, she was shocked, but not surprised:

The dating app has 800 pages of information on me, and probably on you too if you are also one of its 50 million users. In March I asked Tinder to grant me access to my personal data. Every European citizen is allowed to do so under EU data protection law, yet very few actually do, according to Tinder.

With the help of privacy activist Paul-Olivier Dehaye from personaldata.io and human rights lawyer Ravi Naik, I emailed Tinder requesting my personal data and got back way more than I bargained for.

Some 800 pages came back containing information such as my Facebook “likes”, my photos from Instagram (even after I deleted the associated account), my education, the age-rank of men I was interested in, how many times I connected, when and where every online conversation with every single one of my matches happened … the list goes on.

What will happen if this treasure trove of data gets hacked, is made public or simply bought by another company? I can almost feel the shame I would experience. The thought that, before sending me these 800 pages, someone at Tinder might have read them already makes me cringe.

Tinder’s privacy policy clearly states: “you should not expect that your personal information, chats, or other communications will always remain secure”. As a few minutes with a perfectly clear tutorial on GitHub called Tinder Scraper that can “collect information on users in order to draw insights that may serve the public” shows, Tinder is only being honest.

But as Schneier points out, "It's not [just] Tinder. Surveillance is the business model of the Internet. Everyone does this."

Republican Illinois governor Bruce Rauner, the best governor we have right now, vetoed a bill that would have required companies to get affirmative consent from consumers before selling their geolocation data:

“The bill is not overreaching,” said Chris McCloud, a spokesman for the Digital Privacy Alliance, a Chicago-based nonprofit advocating for state-level privacy legislation. “It is merely saying, ‘If you’re going to sell my personal geolocation data, then just tell me upfront that’s what you are going to do so I can make a decision as to whether I want to download this app or not.’ ”

The Federal Trade Commission has issued general guidance, and there are a variety of industry self-regulatory codes of conduct, from automakers to online advertisers, but federal law does not provide clear geolocation privacy protection.

The online advertising industry increasingly depends on tracking consumers to serve up lucrative and effective targeted ads. Data collection enables advertisers to learn everything from your search habits and recent purchases to where you travel, often in real time.

Remember: you're the product, not the customer. And that's how Republicans like it.

The January release of Google Chrome will prevent videos from auto-playing:

Starting in Chrome 64, which is currently earmarked for a January 2018 release, auto-play will only be allowed when the video in question is muted or when a "user has indicated an interest in the media."

The latter applies if the site has been added to the home screen on mobile or if the user has frequently played media on the site on desktop. Google also says auto-play will be allowed if the user has "tapped or clicked somewhere on the site during the browsing session."

"Chrome will be making auto-play more consistent with user expectations and will give users more control over audio," writes Google in a blog post. "These changes will also unify desktop and mobile web behavior, making web media development more predictable across platforms and browsers."

I mean, really. The more advertisers annoy the shit out of us, the less effective it will be effective.

While not quite as viscerally grotesque as a 140-tonne fatberg, new details about the failures at Equifax that led to its massive data breach are still pretty disgusting:

Equifax has confirmed that attackers entered its system in mid-May through a web-application vulnerability that had a patch available in March. In other words, the credit-reporting giant had more than two months to take precautions that would have defended the personal data of 143 million people from being exposed. It didn't.

As the security community processes the news and scrutinizes Equifax's cybersecurity posture, numerous doubts have surfaced about the organization's competence as a data steward. The company took six weeks to notify the public after finding out about the breach. Even then, the site that Equifax set up in response to address questions and offer free credit monitoring was itself riddled with vulnerabilities. And as security journalist Brian Krebs first reported, a web portal for handling credit-report disputes from customers in Argentina used the embarrassingly inadequate credentials of "admin/admin." Equifax took the platform down on Tuesday. But observers say the ongoing discoveries increasingly paint a picture of negligence—especially in Equifax's failure to protect itself against a known flaw with a ready fix.

(Emphasis mine.)

Whenever people conservatives say that private industry is better at solving problems than government, I just think about some of the companies I've worked for, stir in crap like this, and laugh out loud.

Credit reporting agency Equifax reported last week that thieves had made off with 143 million customer records:

According to a person familiar with the breach investigation, Equifax appears to have been targeted initially because the company keeps on file millions of active cards, belonging to people who pay $19.95 or more per month to have Equifax monitor their credit reports and alert them to potential fraud. The hack, which the company says took place in late July, put as many as 143 million consumers -- or half the U.S. population -- at risk.

The person, who requested anonymity to discuss the ongoing investigation, said the web application the attackers used to breach Equifax’s corporate network granted access to both the credit card files and back-end systems storing the exhaustive data profiles on consumers. Those profiles include Social Security numbers, driver’s license numbers and other sensitive information, Equifax said Thursday in a statement.

Criminals took advantage of a “U.S. website application vulnerability to gain access to certain files” from mid-May through July of this year, Atlanta-based Equifax said. The intruders also accessed dispute documents with personal identifying information for about 182,000 consumers. Credit card numbers for about 209,000 consumers were also accessed, the company said.

“You would expect these guys to have compartmentalized this data far enough away from a web server -- that there would not be any way to directly access it,” said Tim Crosby, senior consultant with security-assessment firm Spohn.

Knowing how large companies work, and knowing about the diffusion of responsibility principle, and having a healthy belief in the power of governments to correct for bad incentives, I can't say I'm surprised. Neither is the Atlantic's Ian Bogost:

There are reasons for the increased prevalence and severity of these breaches. More data is being collected and stored, for one, as more people use more connected services. Corporate cybersecurity policy is lax, for another, and sensitive data isn’t sufficiently protected. Websites and apps, which are demanded by consumers as much as they serve the interests of corporations, expose paths to data that should be better firewalled. Software development has become easy and popular, making security an afterthought, and software engineering has failed to adopt the attitude of civil service that might treat security as a first-order design problem. And hacking and data theft have risen in popularity and benefit, both as an illicit business affair and as a new kind of cold warfare.

Of course Equifax, as would be expected of a normally-functioning American corporation, bungled the response:

On Thursday night, I entered my last name and the last six digits of my Social Security number on the appropriate Equifax web page. (They had the gall to ask for this? Really? But I digress.) I received no “message indicating whether your personal information may have been impacted by this incident,” as the site promised. Instead, I was bounced to an offer for free credit monitoring, without a “yes,” “no” or “maybe” on the central question at hand.

By Friday morning, this had changed, and I got a “your personal information may have been impacted by this incident” notification. Progress. Except as my friend Justin Soffer pointed out on Twitter, you can enter a random name and number into the site and it will tell you the same thing. Indeed, I typed “Trump” and arbitrary numbers and got the same message.

So, yes, your worst suspicions are now confirmed. Equifax may actually make money on this breach. We would expect nothing less from the credit reporting industry, with which few of us would choose to do business but nearly everyone has to sooner or later.

The solution many people recommend is to freeze your credit reports—for a fee, multiplied by 4 to make sure you get all of the credit-reporting agencies. (Everyone has heard of Equifax, TransUnion, Experian...and Innovis. You've heard of Innovis, right? The one that doesn't offer a free annual report?)

Almost immediately, a team of lawyers including a former Georgia governor filed a class-action lawsuit. So have a group of plaintiffs in Oregon. We can also expect an action from the SEC relating to at least three Equifax managers selling their stock right before the announcement.

This situation is why we have government. The incentives for credit-reporting agencies run directly counter to the incentives of the hundreds of millions of people whose data they store. (You're not Equifax's customer; commercial enterprises are.) Without government regulation and higher liabilities for data breaches, this will just keep happening. But that's not "business-friendly," so the right-leaning American and British governments will dither for another few years until someone publishes the leaders' own data. Because their incentives are bad, too.

Via Bruce Schneier, an essay on how the fact that something appears in nature means it can exist, and what this means for military robots:

In each of the [Planet Earth II] documentary’s profiles of monkeys, birds, and lizards, I saw what technologists refer to as an “existence proof.” Existence proofs are the simplest way to resolve an argument about what is technologically possible. Before 1900, people argued whether building a human-carrying powered airplane was possible. In 1903, the Wright Brothers ended the debate with an existence proof. As I watched Planet Earth II, I saw existence proof after existence proof of technological capabilities that, applied to warfare and espionage, would make global militaries and intelligence agencies significantly more powerful – but also significantly more vulnerable.

I realized Hollywood has it all wrong. The future of military robotics doesn’t look like The Terminator. It looks like Planet Earth II.

Imagine a low-cost drone with the range of a Canada goose, a bird that can cover 1,500 miles in a single day at an average speed of 60 miles per hour. Planet Earth profiled a single flock of snow geese, birds that make similar marathon journeys, albeit slower. The flock of six-pound snow geese was so large it formed a sky-darkening cloud 12 miles long. How would an aircraft carrier battlegroup respond to an attack from millions of aerial kamikaze explosive drones that, like geese, can fly hundreds of miles? A single aircraft carrier costs billions of dollars, and the United States relies heavily on its ten aircraft carrier strike groups to project power around the globe. But as military robots match more capabilities found in nature, some of the major systems and strategies upon which U.S. national security currently relies – perhaps even the fearsome aircraft carrier strike group – might experience the same sort of technological disruption that the smartphone revolution brought about in the consumer world.

The next war won't look anything like the last one. (Then again, it never does.)