Not a “Hack”

Last week, Apple publicly announced it would oppose a US court’s order to help the FBI hack into an encrypted iPhone. The details are complicated, and are covered elsewhere. In short, good on Apple.

But there is this great, bizarre statement in a subsequent motion where the government urges the court to force Apple to comply (p. 20):

Not a "hack"

Basically, they take exception when Apple claims: “The government is asking Apple to hack our own users.” Really, says the government, this is no different than a software update. It’s no big deal. What the FBI requests is not a “hack.”

So now, the technical details of the court’s order: The FBI wants Apple to create a fake version of iOS. That fake operating system should disable the auto-erase security feature the user had enabled, and it should circumvent the phone’s hardware which enforces that security. The fake iOS should also disable the login attempt rate-limiting (another security feature). And the fake iOS should drop the requirement that passwords be entered manually, so the FBI can do some high-speed, automated password cracking. The software should then be cryptographically signed by Apple so the fake iOS won’t get blocked by a security chip designed to block fake upgrades. The fake iOS should then be loaded into RAM, and the phone should be tricked into running that instead of the legitimate iOS on disk (I’m not actually sure how to do that, but it probably involves tampering with a tamper-resistant bootloader).

This, says the government, is not “hacking” an iPhone.

For comparison, here are some things the government has claimed to be “hacking”:

  • Downloading too many files. link
  • Visiting publicly accessible web pages by guessing the URL. link
  • Downloading files by typing commands instead of using a mouse. link
  • Pressing the touch screen buttons on a buggy video poker machine. link
  • Sharing a username and password. link

I don’t even

I encrypt everything with PGPgpPpgpGnuPG, I think.

Poking around my computer this morning, trying to set up gpg in some software. Or is it pgp? Wait, it’s GnuPG, which must be the same as gpg, which implements pgp, but no, cause I’ve got this other software that lets me pick if I want to use GnuPG or gpg, so they must be different, right? Or no…, that’s just confusing UI…, or… something….

And then I found that I can also install this Debian package called pgpgpg, which is a “Wrapper for using GnuPG in programs designed for PGP.” Don’t say it like “pgp – gpg.” It’s more fun to say like “pgPgpg,” or “pg-pg-pg.”

And it occurs to me how much I hate using pgp, or gpg, or pgpgpg, or whatever I’m using, and I don’t know what I’m using, and maybe I’m just not going to sign my bug reports to Debian.

But there’s a fix! I’m going to start using PGPgpPpgpGnuPG, which is really more straightforward. The “pgp” stands for “PGP,” while the “P” stands for “Pretty-good-privacy.” The “g” (no, not that “g”, the other “g”) stands for “GNU,” which is a recursive acronym. The “Gnu” (the one in “PGPgpPpgpGnuPG”, that is), that “Gnu” also stands for “GNU,” but that “GNU” doesn’t stand for “GNU’s not Unix.” It’s just “GNU,” kinda like “KFC.” The “G,” the “P,” and the “g” near-ish the front are there for backwards compatibility. The “O” stands for “Open” which, of course, stands for nothing.

And most important is the final “PG,” which stands for “secure.”

I encourage all my friends to use it.

Rawscripts – The Good

Rawscripts.com was my first software project. It’s a screenwriting webapp. It’s how I learned to code. It shows.

Now I continue to run and maintain the site, but I haven’t actively worked on Rawscripts for a couple of years — at least until this Spring. For technical reasons (some technology I used was being deprecated; users would be locked out of the site; I would be effectively deleting other people’s hard work on account of my own negligence/incompetence), I’ve spent a lot of time these past few months fixing up the site. The long hours are still in very recent memory, so most of my thoughts about this fit in the categories “Bad” and “Ugly,” but why not start with “Good?” Here are some things I’ve done or learned this year that make me very, very happy.

Flask-Postgresql-Dokku-VPS!

In the timeline of Rawscripts, I spent one year building it to run on Google AppEngine, and then four years trying to get it off. As of last week, that is complete. The easiest part was rewriting the backend because Flask is awesome. My new database uses SQL (whaaat!?) so there are countless tools, libraries, and resources that make database work easy instead of a burdensome nightmare. Plus I get to ride this awesome wave of new DevOps tools like Dokku that make hosting and maintenance feasible. I actually have some basic control of the site now, instead of managing it in very narrowly prescribed ways. With this new stack, I feel lighter. Like, literally, at my keyboard, I feel lighter.

Students!

Over the years I’ve heard from teachers who have their middle-school creative writing class using Rawscripts. Typically, the teacher can’t install new software on school computers, or can’t afford professional screenwriting software for each student, so Rawscripts fits their needs. Getting those emails makes my day.

With my new setup, I can effortlessly run SQL commands that count the number of registered email addresses that contain “.edu” or “student” or “k12”. From a super rough search, there were over 2000 students using Rawscripts this school year — many thousands more in the whole history. That makes me really happy. Earlier this year, when I knew the site was going to need an overhaul, I was considering just shutting the whole thing down. When I realized that, through minimal effort, I’ve been effectively donating to dozens of schools, it was a huge incentive to keep Rawscripts running.

HTTPS!

Such a satisfying green. Honestly, I just like looking at this:

rawscripts-https

All traffic to and from Rawscripts is now encrypted. I couldn’t do this when the site ran on AppEngine, and that was frustrating. For the past few years, the feeling has shifted to embarrassment. I’ve taught people how to use encryption. I’ve harangued people for not using encryption. And yet, for years, I’ve been running this site that sends people’s writing in plaintext across the Internet. That’s embarrassing.

But this is the “Good” post! Everything is encrypted now. There is no plaintext version. Dokku sets up a bunch of sane defaults like good cipher suites, forward secrecy, and disabling SSL3. Out of the box, it gets an “A” from Qualys’ SSL Labs. I’ll be adding a few more things like HSTS soon.

Plus, Dalton Trumbo…. Been thinking about him lately. Years ago, I started learning about the Crypto Wars, and Internet surveillance, and Free(-as-in-Speech) Software. There were a couple of specific times it all clicked so I could see my part in it. One was the afternoon I read about Dalton Trumbo, the Hollywood screenwriter blacklisted after refusing to testify before the House Un-American Activities Committee. He kept writing under pseudonyms, and needed to keep his identity a secret. When “Robert Rich” won an Oscar for the screenplay of “The Brave One,” no one was there to claim it. And more than just hiding, Trumbo needed a whole network of people who could help get his work produced while letting him write in private. And there I was, managing a screenwriting tool that didn’t encrypt data in transit. It felt like snitching.

This is all way too grandiose. Simple fact is, everyone wants some privacy. It’s a basic human need. No one who uses Rawscripts wants someone looking over their shoulder as they write, or the digital equivalent thereof. But still, I turned on encryption and Dalton Trumbo came to mind.

Life! Generally!

For years, I’ve spent time and some money running this website for free. At its best, it’s a dumb hobby. More typically it’s a burden… and somehow… this paid off. I started this project five years ago with zero computer knowledge. Last year I was working as a software developer at Amazon. Next week I get my Northeastern University diploma for a BS in Computer Science. I just accepted an offer to go to the University of Michigan Law School where they’ve got close ties to the tech law I want to do. Yeah, somehow this paid off. The path was far from obvious, but things are really, really good.

OMG THIS PERSON KEEPS EMAILING ME ANGRY SHIT JUST SAYING “its broken”     THATS NOT HELPFUL.!.!! — WHAT THE FUCK IS BROKEN? THE SITES NOT BROKEN CAUSE THERES LIKE A THOUSAND FUCKING PEOPLE USING IT JUST FINE right fucking now!!!1!   PLEASE FOR THE LOVE OF GOD GIVE ME ANY DETAILS AND i WILL DROP EVERYTHING TO FIX THIS FOR YOU OR DO YOU JUST WANT TO COMPLAIN ffs iM TRYING TO HELP AND YOU KEEP KICKING ME FUCK YOU AND FUCK THIS

(More next time in “Rawscripts – The Bad”)

Dumb Joke, Half-assed Execution

What time is it in UNIX?

UNIX-time

Well, makes me chuckle.

But my main thinking is about the execution of the joke. Black and white circles and text get the point across, but that’s it. Maybe it’d be better to go all skeuomorphic; add glow to the UNIX numbers like they were LEDs, put glare on the clocks, make the labels look like they are inlaid on fake wood plaques, give everything some depth.

Actually, forget the vector images because photorealism would be better. Get a photo of those kinds of clocks, then photoshop1 one out and insert a digital display. Make it look seamless. Or better still, don’t just use a picture of clocks — insert it into a scene. Grab a still of Mary Tyler Moore and Ted Knight in the news room and insert it in the background.

But if photorealism is the goal then I should take a photo, which means I need the clocks. So, step one, research the materials and designs of the clocks, plaques, metal cages, wall paint, and the cinderblock walls to which they were always attached. What I have in mind is very mid-70’s, which fits with the UNIX time, so find popular manufacturers from that era. Figure out what can be bought online and what should be built. Make a small wall and age the paint. Find a place to order REAL fake wood plaques for the city names (with era-accurate fonts, of course). Assemble and mount the clocks. I’m sure I could find those metal grates to go over the clocks, but it’d probably be cheaper to make them myself, so that’s an excuse to learn to weld. For the UNIX time, I’d probably have to build it. LEDs are too modern, so maybe the old-time, dynamic signs where panels flip around to change letters and numbers. More research! What are they called? I think they still have one of those displaying train information at 30th Street Station in Philly. Old Hitchcock films? Maybe they have those in “North By Northwest” in one scene at the airport. Don’t know, but I’ll need to 3D-print the frame, laser etch the numbers, rig it all together with some motors and a microcontroller. OK, put ALL of this together, make all the clocks consistent with some time in 1974, light it with some cheap fluorescent bulbs, and take a picture.

But as long as I’ve built it, the joke would be best if I just hung up the clocks and used them. Set all the clocks to the correct time, then have a damn good laugh when UNIX time overflows.

Or, perhaps, I’ve already spent more than enough time on this.

  1. You know, obviously I’d use GIMP, but it’s hard not to use “photoshop” as a verb.

Finished Taking the LSATs

It went well. The relief was so great that I left the test with a bounce in my step and saw everything with fresh eyes.

I got back to my apartment and saw my kitchen table with those fresh eyes. For the past three months, and up until this morning, this scene seemed reasonable. Tonight I got home and immediately suspected that I have been living like a maniac.

lsat-kitchen-table

The past 40 LSATs to practice on; another book specific to the logic section; three brands of pencils because I needed to try them out and only take the best; timer; two printed copies of the LSAT rules and checklists; extra photo IDs; and, obviously, my Adderall.

I used to be such a shitty student. I’m much better now. It occurred to me tonight that I may not have found a sensible balance.


Software, videos, ramblings, and confusion from Ritchie Wilson.