Category Archives: History

History, Poetry, Security

Apple Concedes in Right-to-Repair Fight

1 Comment

There are a lot of ways to tell this story about Apple allowing people to repair devices at a shop not owned and operated by Apple. It’s a wise move and here’s a personal anecdote why I would say so.

Nearly 25 years ago I worked as an authorized Apple repair engineer. I’d pore over videos sent to the independent repair shop I worked in. High-quality productions on CD from the manufacturer gave me x-ray vision, to see every step of decomposing and assembling Apple hardware.

In one hilarious day at work I was tossed a broken Apple product at noon by my manager and told to have it sorted out over lunch. Soon I had every screw and nut carefully removed down to the last one, parts laid out across the giant work space.

That means I did not just pull a part and replace using the “consumer-friendly” method of preset tabs and levers, common in today’s world. Instead I took apart, tested and rebuilt that device to be like new, given a carefully orchestrated training model from Apple themselves.

I said hilarious because when my manager returned from lunch he said “Damnit Davi, just pull a bad part and swap it. Do you have to understand everything? You could have joined us for lunch.”

Feed belly or mind? The choice for me was clear. He didn’t much care for the fact that I had just finished academic studies under Virgil’s Georgics (29 BCE) phrase “Rerum cognoscere causas” (verse 490 of Book 2 “to Know the Causes of Things”)

Sometimes I even put a personal touch on these repairs. One Apple laptop sent by the DoD was used in GPS development for strike fighters, so I made its icon for the system drive look like a tiny F-16 Falcon.

The generic Apple MacOS environment as it shipped

An appreciation for that extra effort meant a nice note from the US gov on formal stationary. Apple wanted computing to be “personal” and that is exactly what repair shops like ours were doing for customers.

Three years later I was managing a team of engineers who would desolder boards and update individual chips. As good and efficient as we were, however, everyone knew there was an impending slide into planned obsolescence economic models. Accountants might have asked us how many Zenith TV repair technicians exist, given Zenith itself disappeared. Remember these?

Zenith TV were meant to be kept for generations and repaired by local electronics experts, if not yourself

Profit models on the wall seemed to rotate towards shipping any malfunctioning products back to manufacturers, who would forward them to Chinese landfills for indefinite futures, instead of to engineers like me or my team who would gladly turn them around in a week.

Anyway it was 2010 when I owned an Apple iPhone. It died abruptly. Locked out of repairing it myself by the company policy, I took it to a desk in their billboard-like sensory-overload retail/fashion store.

An Apple employee looked at the phone and told me a secret sensor showed red, so no warranty would be honored. There had been no moisture I was aware of, yet Apple was telling me I couldn’t return my dead device because they believed that faulty device more than me?

Disgusted with this seemingly illegal approach to warranty issues, I quickly and easily disassembled that iPhone, replaced their faulty red sensor with a new one, and returned again. Apple confirmed (as a stupid formality) the new sensor wasn’t showing red, and gladly swapped the phone with a brand new one instead of repairing mine.

I wasn’t wrong, their inability to engineer honestly was…as they were forced to admit three years later:

…owners that were denied warranty repairs over internal moisture sensors that falsely registered water damage are a step closer to collecting their share…

Immediately after they swapped my defective phone I sold the new one and stopped using any Apple products, as I announced in my HOPE talk that year.

Good news, therefore, that today Apple finally has gone back to a mode of operating that honors the important consumer right-to-repair, as Vice reports:

After years of fighting independent repair, Apple is rolling out a program that will allow some independent companies to buy official parts, repair tools, and diagnostic services outside of the company’s limited “authorized” program. It’s a big win for the right to repair movement…

I’ve written about this on my blog for nearly 15 years already, so it’s encouraging to see progress even if it does come late.

RIP Senator Wellstone.

History, Security

Database Authentication Setting Leads to Arrest

Leave a comment

Cloud-hosted data sadly has been turning out to be more prone to breach than those run in a traditional private architecture, and now people are facing arrest for using database products without authentication enabled.

It’s a bitter pill for some vendors to swallow as they push for cloud adoption and subscriptions to replace licensing. Yet we published a book in 2012 about why and how this could end up being the case and what needed to be done to avoid it.

Despite our best warnings we have watched ransomware emerge as a lucrative crime model. Software vendors have been leaving authentication disabled by default, hedging on even the most basic security tenets as “questioned” or delayed. Unfortunately this meant since at least 2015 private data ended up being widely exposed all over the Internet with little to no accountability.

Cloud made this problem even worse, as we wrote in the book, because by definition it puts a database of private information onto a public and shared network, introducing the additional danger of “back doors” for remote centralized management over everything.

Take for example today on the Elasticsearch website you see an obvious lack of security awareness in their service offering self-description:

Known for its simple REST APIs, distributed nature, speed, and scalability, Elasticsearch is the central component of the Elastic Stack, a set of open source tools for data ingestion, enrichment, storage, analysis, and visualization.

They want you to focus on: Simple. Distributed. Fast. Scalable.

Safe? The most important word of all is missing entirely.

Normal operations must include safety, otherwise the products should fail any “simple” test. Is a steam engine still allowed to be defined as “simple” if use means a good chance of burning the entire neighborhood down?

Hint: The answer is no. If you have high risk by default, you don’t have simple. And “distributed, fast, scalable” become liabilities like how a dangerous fire spreads, not benefits.

Should vendors be allowed to sell anything called “simple” or easy to use unless it specifically means it is safe from being misconfigured in a harmful manner? For databases that deploy to cloud that means authentication must be on by default, no?

Ecuador quickly has leaped into global leadership on this issue by raiding the offices of an Elasticsearch customer and arresting an executive who used a big data product simply configured to be unsafe.

Ecuadorian authorities have arrested the executive of a data analytics firm after his company left the personal records of most of Ecuador’s population exposed online on an internet server.

[…]

According to our reporting, a local data analytics company named Novaestrat left an Elasticsearch server exposed online without a password, allowing anyone to access its data.

The data stored on the server included personal information for 20.8 million Ecuadorians (including the details of 6.7 million children), 7.5 million financial and banking records, and 2.5 million car ownership records.

The primary question raised in the article is how such a firm ended up with the data, as it wasn’t even authorized.

Yet that question may have a deeper one lurking behind it, because database vendors failed to enforce authentication it undermines any discussion of authorization. Could Ecuador move to ban database vendors that make authentication hard or disabled by default?

A hot topic to explore here is what vendors did over the past seven years to prevent firms like the one in this story from ending up with data in the first place, as well as preventing further unauthorized access to the data they accumulated (whether with or without authorization).

A broad investigation of database defaults could net real answers for how Ecuador, and even the whole world, can clarify when to hold vendors accountable for ongoing security baseline errors that are now impacting national security, highlighting the true economics of database privacy/profit.

Update October 2019: An unprotected Elasticsearch cluster contained personally identifiable information on 20 million Russian citizens from 2009 to 2016.

History, Security

Margaret Mead and Me

Leave a comment

When I was a child, visiting an anthropology conference, Margaret Mead had me sit on her lap. My recollection is vague yet always is flavored by my mother telling me Mead asked me questions and wanted to know how I would evolve with two anthropologists as parents.

If Mead were alive today I’d maybe disappoint her to admit I strayed from anthropology into being a student of history instead. And I might defend my choice by telling her it helped me better understand stories she told such as this one:

Anthropological Intelligence, David Price, page 287

It surely sounds good for anthropologists to say they were engaged in a form of historic exceptionalism by serving to defeat fascism in the 1940s. However, historians probably could disagree with that framing and say an eternally valid moral choice was being made more than an historic one.

To be fair, she earlier had famously said:

Children must be taught how to think, not what to think. They must be taught that many ways are open to them.

The question then seems to be whether we can or would want to restrict “ways” for people (even anthropologists, or sons of anthropologists) by teaching how to think.

Who reasonably would predict (based on history) where a child will lead in the future? And I guess that was the point of Mead having me sit on her lap for questioning.

Energy, History, Security

Take Your Bike Helmet Off and Hold Cars Accountable

Leave a comment

There’s a new first-person account in the New Yorker of some cultural differences between cycling in Holland and America:

Angela van der Kloof, a cycling expert and project leader with the Delft mobility consultancy Mobycon, told me, “From a young age in the Netherlands, we’re trained to take note of others. Not by a teacher but by the way we do things. I think we are very much used to physical negotiation.” Dutch people live in small houses, ride on crowded trains, and generally jostle against one another—the Netherlands has the sixteenth-highest population density in the world. Navigating complicated traffic situations, calmly and systematically, came naturally to our neighbors.

The key to this story is actually how Dutch women had the power to organize and campaign for protecting children from being murdered by people operating cars:

With cars came carnage. In 1971 alone, thirty-three hundred people—including more than four hundred children—were killed on Dutch roads. A number of organizations, including a group named Stop de Kindermoord, or Stop the Child Murder, began agitating to take the streets back from automobiles.

Contrast this story with America, where cars are treated like guns and operators are allowed to commit indiscriminate murder as an expression of an individual’s power over society, which Next City has explained in qualitative examples:

Morgan stayed in the intensive care unit for another month. For the first two weeks, the doctors weren’t positive she would survive. By the end of it all, medical expenses totaled more than $500,000.

“I was scared to death,” says her husband, David Morgan.

His fear would soon turn to anger when he realized that local police had no interest in pursuing charges against the woman who nearly killed his wife. After the State Highway Patrol’s investigation concluded that there were no grounds for felony charges, the district attorney also demurred from pressing charges.

“As far as the state of Mississippi goes, you could be an armadillo hit on the road, and the state treats you just the same as a… cyclist,” Morgan says.

What the New Yorker article about cycling in Holland misses entirely, ironically, is that the density of crowds cited by those living in Holland is not a sufficient ingredient on its own. Next City explains this using NYC quantitative data. Clearly NYC is an American city where people also are used to physical negotiation:

Consider crash data from New York City, which has installed more than 350 miles of bike lanes. There were 14,327 pedestrian and cyclist injuries in 2012 as a result of vehicle crashes, but police cited only 101 motorists with careless driving, a rate of less than 1 percent.

The actual difference is thus not growing up in density, but rather the levels of political engagement by women.

Cycling historically has been described as an independence movement for women, which should put male-dominated legislative action impeding people cycling in its proper perspective. Also women cyclists in America tend to be more at risk from cars and thus more likely to design safety infrastructure, as drivers put them more at risk:

“What we found was that female cyclists had a significantly different experience riding than the male riders did. … Female riders tend to have more aggressive interactions with drivers than male riders did.” …researchers found — no surprise — that protected bike lanes offered the best protection. Cars stayed an average 7.5 feet from cyclists cruising along a bike lane separated from traffic by bollards. No bike lanes, more close calls.

A campaign like “Stop de Kindermoord, or Stop the Child Murder” emphasizes the rights of children to live free from harm by adults in cars. America is about as likely to see a campaign like that succeed as elect a woman President instead of a man repeatedly accused of harming children for his self-benefit.

Don’t forget, America remains the only country in the world that has failed to sign the Convention on the Rights of the Child.

Holding cars accountable for killing cyclists and pedestrians would be like Epstein going to jail decades ago for harming children, yet instead he was seen free and partying freely with the White House Occupant.

The bottom line is that the safety of roads is about political power. That is why putting on helmets is the wrong answer. When cycling below 12 mph, which is the vast majority of commuter cyclists, the right answer is to place responsibility of safety upon those operating heavily armored machinery.

In a world where others may be harmed by their actions, machine operators must be accountable. If you think this is foreshadowing the problem of holding drone owners responsible for killing people, you are right.

Bay Area Bicycle Law points out that from 2013 to 2017 3,958 Cyclists have died across the U.S. for an average of 792 each year. 98% (777 of the 792) were in accidents with motor vehicles and 83% of cyclists had helmets on when they were murdered.

Let me say that again, 98% were in accidents with motor vehicles and a whopping 83% died with helmets on. Do you see the problem?

California, with far less density than NYC or Holland, repeatedly has opposed helmet laws and for the right reasons (same as in Holland).

Peter Jacobsen, a Sacramento-based public health consultant, believes helmet laws may make streets less safe for cyclists. Australia and New Zealand recently introduced compulsory helmet laws, and bike use fell by 33 percent, he said. Numerous reports have found that cycling conditions improve with more riders on streets. By reducing the number of cyclists through helmet laws, conditions actually get more dangerous.

He also said studies have shown that motorists drive closer to cyclists with helmets on, and that helmets only reduce minor injuries, not fatalities. “Bike helmets are padding; they’re not armor,” he said.

Cars are armor. If cyclists put on armor, they’d be a car.

Not only do helmet laws decrease cycling by a significant amount, they do not show any real decrease in the death rate. In other words, data repeatedly shows how helmets impede cycling and thus make it less safe for the vast majority of cyclists.

Exceptions do exist and are important: habitually unsteady high-risk riders such as children and racers. These exceptions are easily handled, however, such as requiring helmets to compete in a race where contestants will gladly abide for the chance of winning.

The right formula is encourage more cyclists operating at speeds averaging below 12 mph in physically separated lanes, with NO adult requirement for helmets, and strict accountability for those who operate heavy (i.e. dangerous) machinery in the midst. Protecting the vulnerable shouldn’t be that difficult to figure out for our streets.

The fact that Holland has effectively already done it (as well as Denmark, Sweden, etc.) means America is running out of excuses to justify murderous drivers, as “A view from the cycle path” has illustrated quite simply:

“The absolute number of child fatalities dropped by 98% over a period of time when the population size and the proportion of trips made by bicycle both rose significantly.”

The answer to the problem of cars killing cyclists is directly related to how the American political system allows care and consideration for vulnerable populations at risk of being harmed due to a weapon authorization for individuals.

We need to be intelligent enough to start the move away from these American headlines:

Which means sites like Twitter need to recognize the harm from its role in peddling active calls to use cars to murder non-whites, and how this propaganda relates to “Republicans want to legalize running over pedestrians“:

…state Rep. Keith Kempenich, perversely suggested that shielding drivers who kill protesters was a necessary anti-terrorism measure.

All that being said, there recently have been at least two notable exceptions to the sad state of weaponized roadways in America:

  1. White supremacist use of car as weapon. Found guilty of first-degree murder
  2. Driver charged with intent to kill. 5 cyclists dead