IANAL — I am not an attorney. I’ve never studied law, or even been inside a law school. I have a cousin who is an attorney, and quite a few close friends. But IANAL.

So why am I on the American Bar Association’s email list? I am not a member of the ABA. Why are they sending me a credit-card offer? It boggles the mind. One would assume that the ABA is not so desperate for funds that it would have to rent mailing lists to spam with credit-card offers.

And it’s not like I could sue them, right? Sigh.

Did you know that last year, 75% of data breaches were perpetrated by outsiders, and fully 25% involved internal actors? Did you know that 18% were conducted by state-affiliated actors, and 51% involved organized criminal groups?

That’s according to the newly released 2017 Data Breach Investigations Report from Verizon. It’s the 10th edition of the DBIR, and as always, it’s fascinating – and frightening at the same time.

The most successful tactic, if you want to call it that, used by hackers: stolen or weak (i.e., easily guessed) passwords. They were used in 81% of breaches. The report says that 62% of breaches featured hacking of some sort, and 51% involved malware.

More disturbing is that fully 66% of malware was installed by malicious email attachments. This means we’re doing a poor job of training our employees not to click links and open documents. We teach, we train, we test, we yell, we scream, and workers open documents anyway. Sigh. According to the report,

People are still falling for phishing—yes still. This year’s DBIR found that around 1 in 14 users were tricked into following a link or opening an attachment — and a quarter of those went on to be duped more than once. Where phishing successfully opened the door, malware was then typically put to work to capture and export data—or take control of systems.

Ransomware is big

We should not be surprised that the DBIR fingers ransomware as a major tool in the hacker’s toolbox:

Ransomware is the latest scourge of the internet, extorting millions of dollars from people and organizations after infecting and encrypting their systems. It has moved from the 22nd most common variety of malware in the 2014 DBIR to the fifth most common in this year’s data.

The Verizon report spends a lot of time on ransomware, saying,

Encouraged by the profitability of ransomware, criminals began offering ransomware-as-a-service, enabling anyone to extort their favorite targets, while taking a cut of the action. This approach was followed by a variety of experiments in ransom demands. Criminals introduced time limits after which files would be deleted, ransoms that increased over time, ransoms calculated based on the estimated sensitivity of filenames, and even options to decrypt files for free if the victims became attackers themselves and infected two or more other people. Multi-level marketing at its finest!

And this, showing another alarming year-on-year increase:

Perhaps the most significant change to ransomware in 2016 was the swing away from infecting individual consumer systems toward targeting vulnerable organizations. Overall, ransomware is still very opportunistic, relying on infected websites and traditional malware delivery for most attacks. Looking again through the lens of DBIR data, web drive-by downloads were the number one malware vector in the 2016 report, but were supplanted by email this year. Social actions, notably phishing, were found in 21% of incidents, up from just 8% in the 2016 DBIR. These emails are often targeted at specific job functions, such as HR and accounting—whose employees are most likely to open attachments or click on links—or even specific individuals.

Read the report

The DBIR covers everything from cyber-espionage to the dangers caused by failing to keep up with patches, fixes, and updates. There are also industry-specific breakouts, covering healthcare, finance, and so on. It’s a big report, but worth reading. And sharing.

Every company should have formal processes for implementing cybersecurity. That includes evaluating systems, describing activities, testing those policies, and authorizing action. After all, in this area, businesses can’t afford to wing it, thinking, “if something happens, we’ll figure out what to do.” In many cases, without the proper technology, a breach may not be discovered for months or years – or ever. At least not until the lawsuits begin.

Indeed, running without cybersecurity accreditations is like riding a bicycle in a rainstorm. Without a helmet. In heavy traffic. At night. A disaster is bound to happen sooner or later: That’s especially true when businesses are facing off against professional hackers. And when they are stumbled across as juicy victims by script-kiddies who can launch a thousand variations of Ransomware-as-a-Service with a single keystroke.

Yet, according to the British Chambers of Commerce (BCC), small and very small businesses are extremely deficient in terms of having cybersecurity plans. According to the BCC, in the U.K. only 10% of one-person businesses and 15% of those with 1-4 employees have any formal cybersecurity accreditations. Contrast that with businesses with more than 100 employees: 47% have formal plans.

The BCC surveyed 1,285 business people in the U.K. in January 2017. Of the businesses surveyed, 96% were small or mid-sized businesses. About 22% operate in the manufacturing sector, and 78% operate in the services sector.

And all are woefully unprepared to defend themselves against direct target attacks – and against those which are totally generic. It’s like a car thief walking through a parking lot looking to see which vehicles are unlocked: There’s nothing personal, but if your door is open, your car belongs to the crook. Similarly, if some small business’s employees click on a phishing email and end up victims of ransomware, well, their Bitcoins are as good as gold.

What can be done? Training, of course, to help ensure that employees (including executives) don’t welcome cybercriminals in by responding to phishing emails, malicious website ads, and social-media scams. Technology, which could be products like anti-malware software installed on endpoints, as well as services offered by internet service providers and security specialty firms. Indeed, the BCC survey indicated that 63% of businesses are reliant on IT providers to resolve issues after an attack.

Needed: A formal process for cybersecurity

Every company should have formal processes for implementing cybersecurity, including evaluating systems, describing activities, testing those policies, and authorizing action. After all, in this area, businesses can’t afford to wing it, thinking, “if something happens, we’ll figure out what to do.” In many cases, without the proper technology, a breach may not be discovered for months or years – or ever. At least not until the lawsuits begin.

As one would expect, small and very small businesses are extremely deficient in terms of having cybersecurity plans. According to the BCC, in the U.K. only 10% of one-person businesses and 15% of those with 1-4 employees have any formal cybersecurity accreditations. Contrast that with businesses with more than 100 employees: 47% have formal plans.

While a CEO may want to focus on his/her primary business, in reality, it’s irresponsible to neglect cybersecurity planning. Indeed, it’s also not good for long-term business success. According to the BCC study, 21% of businesses believe the threat of cyber-crime is preventing their company from growing. And of the businesses that do have cybersecurity accreditations, half (49%) believe it gives their business a competitive advantage over rival companies, and a third (33%) consider it important in creating a more secure environment when trading with other businesses.

Again, one in five businesses in the United Kingdom have fallen victim to cyber-attacks in the past year. That number is probably comparable around the world. There are leading-edge service providers and software companies ready to help reduce that terrible statistic. With more and more hackers, including state-sponsored agents, becoming involved, the stakes are high. Fortunately, the tech industry is up to the challenge.

We have two Red Yucca plants in our garden. Both are magnificent: The leaves, with curlicue strings, are about two feet high. The flower stalks are about five feet high. Currently, each plant has only a single flower stalk; we expect them to have more shortly. We’ve seen these plants with dozens of stalks. The flowers are about 3/4 inch long.

The Red Yucca, or Hesperaloe parviflora, is not a yucca, though it looks like one. As the Texas Native Plants Database says,

Red yucca (which is not a yucca) is a stalwart in the landscapes of Texas and the southwest. Its dark green rosette of long, thin leaves rising fountain-like from the base provides an unusual sculptural accent, its long spikes of pink to red to coral bell-shaped flowers last from May through October, and it is exceedingly tough, tolerating extreme heat and cold and needing no attention or supplemental irrigation once established, although many people remove the dried flower stalks in the fall. Unlike yucca, the leaves are not spine-tipped, and have fibrous threads along the edges. Red yucca is native to Central and Western Texas. A yellow-flowered form has recently become available in nurseries, and a larger, white-flowered species native to Mexico, giant hesperaloe (H. funifera), which has only been found in one location in the Trans-Pecos, is also available. Hummingbirds are attracted to the flowers.

Our Red Yucca trumpet flowers definitely attract hummingbirds, as well as a wealth of insects. The plants are excellent for desert landscaping, since they don’t need to be watered. In fact, we planted the first one three years ago in an area of our garden that was completely barren, and now it fills that space perfectly.

There are public-relations disasters… and there are self-inflicted public-relations disasters. Those are arguably the worst, and it’s been a meaningful couple of weeks for them, both in the general world and in the technology industry. In some cases, the self-inflicted crises exploded because of stupid or ham-handed initial responses.

In PR crisis management, it’s important to get the initial response right. That means:

  1. Acknowledging that something unfortunate happened
  2. Owning responsibility (in a way that doesn’t expose you to lawsuits, of course)
  3. Apologizing humbly, profusely and sincerely
  4. Promising to make amends to everyone affected by what happened
  5. Vowing to fix processes to avoid similar problems in the future

Here are some recent public relations disasters that I’d label as self-inflicted. Ouch!

United Airlines beats passengers

Two recent episodes. First, a young girl flying on an employee-travel pass wasn’t allowed to board wearing leggings. Second, a doctor was dragged out of a plane, and seriously injured, for refusing to give up his seat to make room for a United employee. Those incidents showed that gate agents were unaware of the optics of situations like this, and didn’t have the training and/or flexibility to adapt rules to avoid a public snafu.

However, the real disaster came from the poor handling of both situations by executives and their PR advisors. With the leggings situation, United’s hiding behind obscure rules and the employee-ticket status of the young passenger, didn’t help a situation where all the sympathy was with the girl. With the ejected and beaten passenger, where to begin? The CEO, Oscar Munoz, should have known that his first response was terrible, and his “confidential” email to employees, which blamed the passenger for being unruly, would be immediately leaked to the public. What a freakin’ idiot. It’s going to take some time for United to recover from these disasters.

Pepsi Cola misses the point

A commercial for a soft drink tried to reinterpret a famous Black Lives Matter protest moment in Baton Rouge. That’s where a young African-American woman, Ieshia Evans, faced off against heavily armored police officers. In Pepsi’s version of the event, a white celebrity, Kendall Jenner, faced off against attractive fake police officers, and defused a tense situation by handing a handsome young cop a can of soda. Dancing ensues. World peace is achieved. The Internet explodes with outrage.

Pepsi’s initial response is to defend the video by saying “We think that’s an important message to convey.” Oops. Later on, the company pulled the ad and apologized to everyone (including Ms. Jenner), but the damage was done, so much so that a fun meme was of White House spokesman Sean Spicer dressed up as a United Airlines pilot offering a can of Pepsi.

Tanium’s bad-boy CEO sends the wrong message

Tanium, a maker of endpoint security and management software, has fallen into the trap of owner hubris. As this story in Bloomberg explains, the top executives, including CEO Orion Hindawi, run the company more for their own benefit than for the benefit of their customers or other shareholders. For example, says Bloomberg, “One of the most unnerving aspects of life at Tanium is what’s known internally as Orion’s List. The CEO allegedly kept a close eye on which employees would soon be eligible to take sizable chunks of stock. For those he could stand to do without, Hindawi ordered the workers to be fired before they were able to acquire the shares, according to current and former employees.” As Business Insider reported, nine executives have left recently, including the president and top marketing and finance officers.

And then there’s the power-trip aspect, says Bloomberg. “The company’s successes didn’t do much to lift morale. Orion berated workers in front of colleagues until they broke into tears and used all-hands meetings as a venue to taunt low-level staff, current and former employees said.” Bloomberg reports that a major VC firm, Andreessen Horowitz, made note of Orion’s managerial flaws and presented them to partners at the firm early last year, saying that Orion’s behavior risked interfering with the company’s operations if it hadn’t already. This sort of nonsense is not good for a company with a decent reputation for intellectual property. The company’s response? Crickets.

Uber drives off the clue train

I’m a happy Uber customer. When traveling, I’m quite disappointed when the service is not available, as was the case on a recent trip to Austin, where Uber and Lyft aren’t offered. However, I’m not a fan of the company’s treatment of women and of the misdeeds of its CEO. Those PR disasters have become the public face of the story, not its innovations in urban transportation and self-driving cars. When a female engineer went public with how she was mistreated and how the company’s HR department ignored the issue, the Internet went nuts — and the company responded by doing a mea culpa. Still, the message was clear: Uber is misogynistic.

And then there were several reports of public naughtiness by CEO Travis Kalanick. The best was a video of him berating an Uber driver. Yes, Kalanick apologized and said that he needs help with leadership… but more crickets in terms of real change. As Engadget wrote in mid-April, the time for Uber leadership to step down is long overdue for the good of its employees, drivers, customers and shareholders. It’s unlikely the company can withstand another self-inflicted PR disaster.

It doesn’t have to be this way

When a PR disaster happens — especially a self-inflicted one — it’s vital to get on top of the story. See the five tips at the top of this blog, and check out this story, “When It Hits the Fan,” on tips for crisis management. You can recover, but you have to do it right, and do it quickly.

Some large percentage of IT and security tasks and alerts require simple responses. On a small network, there aren’t many alerts, and so administrators can easily accommodate them: Fixing a connection here, approving external VPN access there, updating router firmware on that side, giving users the latest patches to Microsoft Office on that side, evaluating a security warning, dismissing a security warning, making sure that a newly spun-up virtual machine has the proper agents and firewall settings, reviewing log activity. That sort of thing.

On a large network, those tasks become tedious… and on a very large network, they can escalate unmanageably. As networks scale to hundreds, thousands, and hundreds of thousands of devices, thanks to mobility and the Internet of Things, the load expands exponentially – and so do routine IT tasks and alerts, especially when the network, its devices, users and applications are in constant flux.

Most tasks can be automated, yes, but it’s not easy to spell out in a standard policy-based system exactly what to do. Similarly, the proper way of handling alerts can be automated, but given the tremendous variety of situations, variables, combinations and permutations, that too can be challenging. Merely programming a large number of possible situations, and their responses, would be a tremendous task — and not even worth the effort, since the scripts would be brittle and would themselves require constant review and maintenance.

That’s why in many organizations, only responses to the very simplest of tasks and alerts are programmed in rule-based systems. The rest are shunted over to IT and security professionals, whose highly trained brains can rapidly decide what to do and execute the proper response.

At the same time, those highly trained brains turn into mush because handling routine, easy-to-solve problems is mind-numbing and not intellectually challenging. Solving a problem once is exciting. Solving nearly the same problem a hundred times every day, five days a week, 52 weeks a year (not counting holidays) is inspiration for updating the C.V… and finding a more interesting job.

Enter Artificial Intelligence

AI has already proven itself in computer management and security. Consider the high-profile role that AI pattern recognition plays in Cylance’s endpoint security software. The Cylance solution trains itself to recognize good files (like executables, images and documents) and malicious ones – and can spot the bad ones without using signatures. It can even spot those which have never been seen before, because it’s not training on specific viruses or trojans, but rather, on “good” vs. “bad.”

Torsten George is a believer, as he writes in “The Role of Artificial Intelligence in Cyber Security,”

Last year, the IT security community started to buzz about AI and machine learning as the Holy Grail for improving an organization’s detection and response capabilities. Leveraging algorithms that iteratively learn from data, promises to uncover threats without requiring headcounts or the need to know “what to look for”.

He continues,

Enlisting machine learning to do the heavy lifting in first line security data assessment enables analysts to focus on more advanced investigations of threats rather than performing tactical data crunching. This meeting of the minds, whereby AI is applied using a human-interactive approach holds a lot of promise for fighting, detecting, and responding to cyber risks.

Menlo Security is one of many network-protection companies that uses artificial intelligence. The Menlo Security Isolation Platform uses AI to prevent Internet-based malware from ever reaching an endpoint, such as a desktop or mobile device, because email and websites are accessed inside the cloud – not on the client’s computer. Only safe, malware-free rendering information is sent to the user’s endpoint, eliminating the possibility of malware reaching the user’s device. An artificial intelligence engine constantly scans the Internet session to provide protection against spear-phishing and other email attacks.

What if a machine does become compromised? It’s unlikely, but it can happen – and the price of a single breach can be incredible, especially if a hacker can take full control of the compromised device and use it to attack other assets within the enterprise, such as servers, routers or executives’ computers.

If a breach does occur, that’s when AI technology like that of Javelin Networks leaps into action. The AI detects that the attack is in progress, alerts security teams, and isolates the device from the network. Simultaneously, the AI tricks the attackers into believing they’ve succeeded in their attack, therefore keeping them “on the line” while real-time forensics tools gather information needed to identify the attacker and help shut them down for good.

Manage the Network, Hal

Of course, AI can serve a vital purpose in managing a key element of modern networks beyond security. As Ajay Malik recently wrote in “Artificial intelligence will revolutionize Wi-Fi,”

The problem is that the data source in a wireless network is huge. The data varies at every transmission level. There is a “data rate” of each message transmitted. There are “retries” for each message transmitted.

The reason for not being able to “construct” the received message is specific for each message. The manual classification and analysis of this data is infeasible and uneconomic. Hence, all data available by different vendors is plagued by averages. This is where I believe artificial intelligence has a role to play.

Deep neural nets can automate the analysis and make it possible to analyze every trend of wireless. Machine learning and algorithms can ensure the end user experience. Only the use of AI can change the center of focus from the evolution of wireless or adding value to wireless networks to automatically ensuring the experience.

We will see AI at every level of the network operations center. There are too many devices, too many users, and too many rapid changes, for human and normal rule-based automation systems to keep up. Self-learning systems that adapt and solve real problems quickly and correctly will be essential in every IT organization.

“Alexa! Unlock the front door!” No, that won’t work, even if you have an intelligent lock designed to work with the Amazon Echo. That’s because Amazon is smart enough to know that someone could shout those five words into an open window, and gain entry to your house.

Presumably Amazon doesn’t allow voice control of “Alexa! Turn off the security system!” but that’s purely conjecture. It’s not something I’ve tried. And certainly it’s possible to use programming or a clever work-around to enable voice-activated door unlocking or force-field deactivation. That’s why while our home contains a fair amount of cutting-edge AI-based automation, perimeter security is not hooked up to any of it. We’ll rely upon old-fashioned locks and keys and alarm keypads, thank you very much.

And sorry, no voice-enabled safes for me either. It didn’t work so well to protect the CIA against Jason Bourne, did it?

Unlike the fictional CIA safe and the equally fictional computer on the Starship Enterprise, Echo, Google Home, Siri, Android, and their friends can’t identify specific voices with any degree of accuracy. In most cases, they can’t do so at all. So, don’t look to be able to train Alexa to set up access control lists (ACLs) based on voiceprints. That’ll have to wait for the 23rd century, or at least for another couple of years.

The inability of today’s AI-based assistants to discriminate allows for some foolishness – and some shenanigans. We have an Echo in our family room, and every so often, while watching a movie, Alexa will suddenly proclaim, “Sorry, I didn’t understand that command,” or some such. What set the system off? No idea. But it’s amusing.

Less amusing was Burger King’s advertising prank which intentionally tried to get Google Home to help sell more hamburgers. As Fast Company explains:

A new Whopper ad from Burger King turns Google’s voice-activated speaker into an unwitting shill. In the 15-second spot, a store employee utters the words “OK Google, what is the Whopper burger?” This should wake up any Google Home speakers present, and trigger a partial readout of the Whopper’s Wikipedia page. (Android phones also support “OK Google” commands, but use voice training to block out unauthorized speakers.)

Fortunately, Google was as annoyed as everyone else, and took swift action, said the story:

Update: Google has stopped the commercial from working – presumably by blacklisting the specific audio clip from the ad – though Google Home users can still inquire about the Whopper in their own words.

Burger King wasn’t the first to try this stunt. Other similar tricks have succeeded against Home and Echo, and sometimes, the devices are activated accidentally by TV shows and news reports. Look forward to more of this.

It reminds me of the very first time I saw a prototype Echo. What did I say? “Alexa, Format See Colon.” Darn. It didn’t erase anything. But at least it’s better than a cat running around on your laptop keyboard, erasing your term paper. Or a TV show unlocking your doors. Right?

No, no, no, no, no!

The email client updates in the 10.12.4 update to macOS Sierra are everything that’s wrong with operating systems today. And so is the planned inclusion of an innovative, fun-sounding 3D painter as part of next week’s Windows 10 Creators Update.

Repeat after me: Applications do not belong in operating systems. Diagnostics, yes. Shared libraries, yes. Essential device drivers, yes. Hardware abstraction layers, yes. File systems, yes. Program loads and tools, yes. A network stack, yes. A graphical user interface, yes. A scripting/job control language, yes. A basic web browser, yes.

Applications? No, no, no!

Why not?

Applications bloat up the operating system release. What if you don’t need a 3D paint program? What if you don’t want to use the built-in mail client? The binaries are there anyway taking up storage. Whenever the operating system is updated, the binaries are updated, eating up bandwidth and CPU time.

If you do want those applications, bug fixes are tied to OS updates. The Sierra 10.12.4 update fixes a bug in Mail. Why must that be tied to an OS update? The update supports more digital camera RAW formats. Why are they tied to the operating system, and not released as they become available? The 10.12.4 update also fixes a Siri issue regarding cricket scores in the IPL. Why, for heaven’s sake, is that functionality tied to an operating system update?? That’s simply insane.

An operating system is easier for the developer to test and verify if it’s smaller. The more things in your OS update release train, the more things can go wrong, whether it’s in the installation process or in the code itself. A smaller OS means less regression testing and fewer bugs.

An operating system is easier for the client to test and verify if it’s smaller. Take your corporate clients — if they are evaluating macOS Sierra 10.12.4 or Windows 10 Creators Update prior to roll-out, if there’s less stuff there, the validation process is easier.

Performance and memory utilization are better if it’s smaller. The microkernel concept says that the OS should be as small as possible – if something doesn’t have to be in the OS, leave it out. Well, that’s not the case any more, at least in terms of the software release trains.

This isn’t new

No, Alan isn’t off his rocker, at least not more than usual. Operating system releases, especially those for consumers, have been bloated up with applications and junk for decades. I know that. Nothing will change.

Yes, it would be better if productivity applications and games were distributed and installed separately. Maybe as free downloads, as optional components on the release CD/DVD, or even as a separate SKU. Remember Microsoft Plus and Windows Ultimate Extras? Yeah, those were mainly games and garbage. Never mind.

Still, seeing the macOS Sierra Update release notes today inspired this missive. I hope you enjoyed it. </rant>

Prepare to wait. And wait. Many Windows 10 users are getting ready for the Creators Update, due April 11. We know lots of things about it: There will be new tools for 3D designing, playing 4K-resolution games, improvements to the Edge browser, and claimed improvements to security and privacy protections.

We also know that it will take forever to install. Not literally forever. Still, a long time.

This came to mind when my friend Steven J. Vaughan-Nichols shared this amusing image:

Who could be surprised, when the installation estimation times for software are always ludicrously inaccurate? That’s especially true with Windows, which routinely requires multiple waves of download – update – reboot – download – update – reboot – download – update – reboot – rinse and repeat. That’s especially true if you haven’t updated for a while. It goes on and on and on.

This came to the fore about three weeks ago, when I decided to wipe a Windows 10 laptop in preparation for donating it to a nonprofit. It’s a beautiful machine — a Dell Inspiron 17 — which we purchased for a specific client project. The machine was not needed afterwards, and well, it was time to move it along. (My personal Windows 10 machine is a Microsoft Surface Pro.)

The first task was to restore the laptop to its factory installation. This was accomplished using the disk image stored on a hidden partition, which was pretty easy; Dell has good tools. It didn’t take long for Windows 10 to boot up, nice and pristine.

That’s when the fun began: Installing Windows updates. Download – update – reboot – download – update – rinse – repeat. For two days. TWO DAYS. And that’s for a bare machine without any applications or other software.

Thus, my belief in two things: First, Windows saying 256% done is entirely plausible. Second, it’s going to take forever to install Windows 10 Creators Update on my Surface Pro.

Good luck, and let me know how it goes for you.

It’s a bad idea to intentionally weaken the security that protects hardware, software, and data. Why? Many reasons, including the basic right (in many societies) of individuals to engage in legal activities anonymously. An additional reason: Because knowledge about weakened encryption, back doors and secret keys could be leaked or stolen, leading to unintended consequences and breaches by bad actors.

Sir Tim Berners-Lee, the inventor of the World Wide Web, is worried. Some officials in the United States and the United Kingdom want to force technology companies to weaken encryption and/or provide back doors to government investigators.

In comments to the BBC, Sir Tim said that there could be serious consequences to giving keys to unlock coded messages and forcing carriers to help with espionage. The BBC story said:

“Now I know that if you’re trying to catch terrorists it’s really tempting to demand to be able to break all that encryption but if you break that encryption then guess what – so could other people and guess what – they may end up getting better at it than you are,” he said.

Sir Tim also criticized moves by legislators on both sides of the Atlantic, which he sees as an assault on the privacy of web users. He attacked the UK’s recent Investigatory Powers Act, which he had criticised when it went through Parliament: “The idea that all ISPs should be required to spy on citizens and hold the data for six months is appalling.”

The Investigatory Powers Act 2016, which became U.K. law last November, gives broad powers to the government to intercept communications. It requires telecommunications providers to cooperate with government requests for assistance with such interception.

Started with Government

Sir Tim’s comments appear to be motivated by his government’s comments. U.K. Home Secretary Amber Rudd said it is “unacceptable” that terrorists were using apps like WhatsApp to conceal their communications, and that there “should be no place for terrorists to hide.”

In the United States, there have been many calls for U.S. officials to own back doors into secure hardware, software or data repositories. One that received widespread attention was in 2016, when the FBI tried to compel Apple to unlock the San Bernardino attacker’s iPhone. Apple refused, and this sparked a widespread public debate about the powers of the government to go after terrorists or suspected criminals – and whether companies need to break into their own products, or create intentional weaknesses in encryption.

Ultimately, of course, the FBI received their data through the use of third-party tools to break into the iPhone. That didn’t end the question, and indeed, the debate continues to rage. So why not provide a back door? Why not use crippled encryption algorithms that can be easily broken by those who know the flaw? Why not give law-enforcement officials a “master key” to encryption algorithms?

Aside from legal and moral issues, weakening encryption puts everyone at risk. Someone like Edward Snowden, or a spy, might steal information about the weakness, and offer it to criminals, a state-sponsored organization, or the dark web. And now, everyone – not just the FBI, not only MI5 – can break into systems, potentially without even leaving a fingerprint or a log entry.

Stolen Keys

Consider the widely distributed Content Scramble System used to secure commercial movies on DVD discs. In theory, the DVDs were encoded so that they could only be used on authorized devices (like DVD players) that had paid to license the code. The 40-bit code, introduced around 1996, was compromised in 1999. It’s essentially worthless.

Or consider the “TSA-approved” luggage locks, where the locks are nominally secured by a key or combination. However, there are master keys that allow airport security staff to open the baggage without cutting off the lock. There are seven master keys, which can open any “TSA-approved” lock – and all seven have been compromised. One famous breach of that system: The Washington Post published a photograph of all the master keys, and based on that photo, hackers could easily reproduce the keys. Whoops!

Speaking of WhatsApp, the software had a flaw in its end-to-end encryption, as was revealed this January. The flaw could let others listen in. The story was first revealed by the Guardian, which wrote:

WhatsApp’s end-to-end encryption relies on the generation of unique security keys, using the acclaimed Signal protocol, developed by Open Whisper Systems, that are traded and verified between users to guarantee communications are secure and cannot be intercepted by a middleman.

However, WhatsApp has the ability to force the generation of new encryption keys for offline users, unbeknown to the sender and recipient of the messages, and to make the sender re-encrypt messages with new keys and send them again for any messages that have not been marked as delivered.

The recipient is not made aware of this change in encryption, while the sender is only notified if they have opted-in to encryption warnings in settings, and only after the messages have been re-sent. This re-encryption and rebroadcasting of previously undelivered messages effectively allows WhatsApp to intercept and read some users’ messages.
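The key-change behaviour the Guardian describes can be modelled in a few lines. The following is an added example, not WhatsApp's or Signal's code: the `SenderClient` class, its method names and the sample keys are hypothetical, and "re-encrypting" is reduced to recording which key each undelivered message would be sealed to. It contrasts a client that silently re-sends after a key change with one that holds the messages until the user has compared fingerprints with the contact.

```python
import hashlib
from dataclasses import dataclass, field


def fingerprint(public_key: bytes) -> str:
    """Short digest a user could compare out of band (constructed format)."""
    return hashlib.sha256(public_key).hexdigest()[:16]


@dataclass
class SenderClient:
    """Hypothetical sender that pins each contact's key on first use."""
    blocking: bool                      # True: hold mail until the new key is verified
    pinned: dict = field(default_factory=dict)    # contact -> pinned public key
    outbox: dict = field(default_factory=dict)    # contact -> undelivered plaintexts
    held_key: dict = field(default_factory=dict)  # contact -> unverified new key

    def queue(self, contact, key, text):
        self.pinned.setdefault(contact, key)
        self.outbox.setdefault(contact, []).append(text)

    def _release(self, contact, key):
        # Stand-in for re-encrypting: records which key each message is sealed to.
        self.pinned[contact] = key
        return [(fingerprint(key), text) for text in self.outbox.pop(contact, [])]

    def on_key_change(self, contact, new_key):
        """Server announces a new key for a contact with undelivered messages."""
        if self.blocking:
            self.held_key[contact] = new_key
            return []                   # nothing leaves until verify() succeeds
        return self._release(contact, new_key)  # silent re-encrypt and resend

    def verify(self, contact, fingerprint_read_by_contact):
        """User compares fingerprints with the contact over another channel."""
        new_key = self.held_key.get(contact)
        if new_key is None or fingerprint(new_key) != fingerprint_read_by_contact:
            return []                   # mismatch: keep holding the messages
        del self.held_key[contact]
        return self._release(contact, new_key)


# Constructed sample keys: Bob's first device, his real replacement, an unexpected key.
BOB_OLD, BOB_NEW, UNEXPECTED = b"bob-device-1", b"bob-device-2", b"not-bobs-key"


def undelivered_after_key_change(blocking, announced_key):
    client = SenderClient(blocking=blocking)
    client.queue("bob", BOB_OLD, "meet at noon")
    return client, client.on_key_change("bob", announced_key)
```

With `blocking=False` the queued message is released to whatever key the server announces; with `blocking=True` it stays in the outbox until `verify()` is given a matching fingerprint.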

Just Say No

Most (or all) secure systems have their flaws. Yes, they can be broken, but the goal is that if a defect or vulnerability is found, the system will be patched and upgraded. In other words, we expect those secure systems to be indeed secure. Therefore, let’s say “no” to intentional loopholes, back doors, master keys and encryption compromises. We’ve all seen that government secrets don’t stay secret — and even if we believe that government spy agencies should have the right to unlock devices or decrypt communications, none of us want those abilities to fall into the wrong hands.

This is a great piece of unclaimed-money spam. Normally I redact the email addresses – but these are far too juicy to censor, especially the “from” address. Merely because the spam links to a genuine web page, such as this bio for Secretary Mnuchin or a report about Saddam Hussein from the BBC, doesn’t make the email itself valid. In this case, it’s certainly not valid. (And please hold the snarky comments about government officials using non-government email accounts.)

When you receive messages like this, delete them. Never reply, even to ask to unsubscribe or to berate the scammer, because that indicates to the scammers that they’ve found a valid email address, and demonstrates you actually read spam messages. That makes you much more valuable, so you’ll receive even more scammy spams.

From: Steven Terner Mnuchin [email hidden]

Dear Beneficiary,

I am Steven Terner Mnuchin, Secretary of the Treasury under the U.S. Department of the Treasury. You can get more details about me here on the link below;

https://www.treasury.gov/about/Pages/Secretary.aspx 

At the recently concluded meeting with the World Bank and the United Nations, an agreement was reached between both parties for us to settle all outstanding payments accrued to individuals/corporations with respect to local and overseas contract payment, debt re-scheduling and outstanding compensation payment. Fortunately, you have been selected alongside a few other beneficiaries to receive your own payment of $10.5million (Ten Million five hundred thousand United States Dollars only).

We have been notified that you are yet to receive your fund valued at $10.5million This money will now be transferred to your nominated bank account through our foreign bank unit in South East Asia Phnom Penh Cambodia.

You are advised to kindly reply this email with the below details enclosed to help us process your payment through our foreign payment bank in Cambodia.

(1) Full Names:

(2) Residential Address:

(3) Country of Residence:

(4) Age:

(5) Phone/Cell Number:

(6) Occupation:

Yours faithfully,

Steven Terner Mnuchin

Secretary of the Treasury

(U.S. Department of the Treasury)

Contact email; [email hidden]

When we moved to Arizona, we were surprised and delighted to see funny little parrots flying around our garden. Turns out that the rosy-faced lovebirds (which used to be called peach-faced lovebirds, but we can’t get used to the new name) are now resident in greater Phoenix.

These delightful birds are natives of Africa but were released into the Arizona desert either intentionally or accidentally. In any case, they are thriving. Says the Wikipedia,

It inhabits dry, open country in southwest Africa. Its range extends from southwest Angola across most of Namibia to the lower Orange River valley in northwest South Africa. It lives up to 1,600 metres above sea-level in broad-leaved woodland, semi-desert, and mountainous areas. It is dependent on the presence of water sources and gathers around pools to drink.

Escapes from captivity are frequent in many parts of the world and feral birds dwell in metropolitan Phoenix, Arizona, where they live in a variety of habitats, both urban and rural. Some dwell in cacti and others have been known to frequent feeders in decent sized flocks.

A 2013 story in the Arizona Republic goes farther about the Agapornis roseicollis:

Troy Corman of the Arizona Field Ornithologists, an organization of birders and professionals dedicated to public knowledge of the state’s avian inhabitants, was unsurprised by my fascination.

“These spunky and noisy, bright-green birds seem to attract a lot of attention,” he said.

Their unpredictable visits to city parks and backyard bird baths are said to be huge hits with residents, but the birds are not common sights. Most people I’ve spoken to immediately knew the birds I was talking about but had seen them just once or twice.

Corman co-wrote his organization’s status report on the lovebirds of Phoenix, explaining that they’ve been on the loose as feral flocks since at least the mid-1980s. Their breeding success here — and only here, among places the birds may have escaped within the United States — apparently owes to the comfortably dry and warm climate, ready availability of water and good supply of foods from native and exotic plants, including palm fruit, cactus fruit, apples and various seed pods, including the paloverde’s.

We had lovebirds in our garden in 2014 and 2015, but didn’t see any last year. However, now we are hosting them again on our feeders. This morning, we had six of those beautiful birds. Yay!

Judaism is a communal religion. We celebrate together, we mourn together, we worship together, we learn together, and we play together. The sages taught, for example, that you can’t study Torah on your own. We need 10 Jewish adults, a minyan, in order to have a full prayer service. Likewise, while we may observe Shabbat, Hanukkah, and Passover at home, it’s a lot more fulfilling to come together on Friday nights at the sanctuary, at the annual latke fry, or at the community seder.

When we love something, we want to share it. So why not be inspired to bring our Jewish friends into the kehilla kedosha (holy community), embracing them within a wonderful, sacred congregation? You’re not pushing membership on them, but rather inviting them into a loving community where they will be welcomed. Likewise, if they already are affiliated with a synagogue, that’s fine, too. This isn’t a zero-sum game; it’s an opportunity to build connections between and among communities. Our doors are wide enough for everyone who wishes to enter.

In my latest post on the Reform Judaism blog, I suggest five specific ways you can include your friends – from work, your yoga class, the dog park, or wherever you meet them – in synagogue activities.