• CRYPTO-GRAM, July 15, 2023

    From TCOB1@618:500/14 to All on Sun Jul 16 10:42:24 2023
    Crypto-Gram
    July 15, 2023

    by Bruce Schneier
    Fellow and Lecturer, Harvard Kennedy School schneier@schneier.com https://www.schneier.com

    A free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise.

    For back issues, or to subscribe, visit Crypto-Gram's web page.

    Read this issue on the web

    These same essays and news items appear in the Schneier on Security blog, along with a lively and intelligent comment section. An RSS feed is available.

    ** *** ***** ******* *********** *************

    In this issue:

    If these links don't work in your email client, try reading this issue of Crypto-Gram on the web.

    Security and Human Behavior (SHB) 2023 Power LED Side-Channel Attack
    Ethical Problems in Computer Security AI as Sensemaking for Public Comments UPS Data Harvested for SMS Phishing Attacks
    Excel Data Forensics
    Typing Incriminating Evidence in the Memo Field Stalkerware Vendor Hacked Redacting Documents with a Black Sharpie DoesnΓÇÖt Work The US Is Spying on the UN Secretary General Self-Driving Cars Are Surveillance Cameras on Wheels The Password Game
    Class-Action Lawsuit for Scraping Data without Permission Belgian Tax Hack
    The AI Dividend
    Wisconsin Governor Hacks the Veto Process Privacy of Printing Services
    Google Is Using Its Vast Data Stores to Train AI French Police Will Be Able to Spy on People through Their Cell Phones Buying Campaign Contributions as a Hack
    ** *** ***** ******* *********** *************

    Security and Human Behavior (SHB) 2023

    [2023.06.16] IΓÇÖm just back from the sixteenth Workshop on Security and Human Behavior, hosted by Alessandro Acquisti at Carnegie Mellon University in Pittsburgh.

    SHB is a small, annual, invitational workshop of people studying various aspects of the human side of security, organized each year by Alessandro Acquisti, Ross Anderson, and myself. The fifty or so attendees include psychologists, economists, computer security researchers, criminologists, sociologists, political scientists, designers, lawyers, philosophers, anthropologists, geographers, neuroscientists, business school professors, and a smattering of others. ItΓÇÖs not just an interdisciplinary event; most of the people here are individually interdisciplinary.

    Our goal is always to maximize discussion and interaction. We do that by putting everyone on panels, and limiting talks to six to eight minutes, with the rest of the time for open discussion. Short talks limit presentersΓÇÖ ability to get into the boring details of their work, and the interdisciplinary audience discourages jargon.

    For the past decade and a half, this workshop has been the most intellectually stimulating two days of my professional year. It influences my thinking in different and sometimes surprising ways 00 and has resulted in some unexpected collaborations.

    And thatΓÇÖs whatΓÇÖs valuable. One of the most important outcomes of the event is new collaborations. Over the years, we have seen new interdisciplinary research between people who met at the workshop, and ideas and methodologies move from one field into another based on connections made at the workshop. This is why some of us have been coming back every year for over a decade.

    This yearΓÇÖs schedule is here. This page lists the participants and includes links to some of their work. As he does every year, Ross Anderson is live blogging the talks. We are back 100% in person after two years of fully remote and one year of hybrid.

    Here are my posts on the first, second, third, fourth, fifth, sixth, seventh, eighth, ninth, tenth, eleventh, twelfth, thirteenth, fourteenth, and fifteenth SHB workshops. Follow those links to find summaries, papers, and occasionally
    audio/video recordings of the sessions. Ross also maintains a good webpage of psychology and security resources.

    ItΓÇÖs actually hard to believe that the workshop has been going on for this long, and that itΓÇÖs still vibrant. We rotate between organizers, so next year is my turn in Cambridge (the Massachusetts one).

    ** *** ***** ******* *********** *************

    Power LED Side-Channel Attack

    [2023.06.19] This is a clever new side-channel attack:

    The first attack uses an Internet-connected surveillance camera to take a high-speed video of the power LED on a smart card reader -- or of an attached peripheral device -- during cryptographic operations. This technique allowed the researchers to pull a 256-bit ECDSA key off the same government-approved smart card used in Minerva. The other allowed the researchers to recover the private SIKE key of a Samsung Galaxy S8 phone by training the camera of an iPhone 13 on the power LED of a USB speaker connected to the handset, in a similar way to how Hertzbleed pulled SIKE keys off Intel and AMD CPUs.

    There are lots of limitations:

    When the camera is 60 feet away, the room lights must be turned off, but they can be turned on if the surveillance camera is at a distance of about 6 feet. (An attacker can also use an iPhone to record the smart card reader power LED.) The video must be captured for 65 minutes, during which the reader must constantly perform the operation.

    [...]

    The attack assumes there is an existing side channel that leaks power consumption, timing, or other physical manifestations of the device as it performs a cryptographic operation.

    So donΓÇÖt expect this attack to be recovering keys in the real world anytime soon. But, still, really nice work.

    More details from the researchers.

    ** *** ***** ******* *********** *************

    Ethical Problems in Computer Security

    [2023.06.21] Tadayoshi Kohno, Yasemin Acar, and Wulf Loh wrote excellent paper on ethical thinking within the computer security community: ΓÇ£Ethical Frameworks and Computer Security Trolley Problems: Foundations for ConversationΓÇ£:

    Abstract: The computer security research community regularly tackles ethical questions. The field of ethics / moral philosophy has for centuries considered what it means to be ΓÇ£morally goodΓÇ¥ or at least ΓÇ£morally allowed / acceptable.ΓÇ¥ Among philosophyΓÇÖs contributions are (1) frameworks for evaluating the morality of actions -- including the well-established consequentialist and deontological frameworks -- and (2) scenarios (like trolley problems) featuring moral dilemmas that can facilitate discussion about and intellectual inquiry into different perspectives on moral reasoning and decision-making. In a classic trolley problem, consequentialist and deontological analyses may render different opinions. In this research, we explicitly make and explore connections between moral questions in computer security research and ethics / moral philosophy through the creation and analysis of trolley problem-like computer security-themed moral dilemmas and, in doing so, we seek to contribute to conversations am ong security researchers about the morality of security research-related decisions. We explicitly do not seek to define what is morally right or wrong, nor do we argue for one framework over another. Indeed, the consequentialist and deontological frameworks that we center, in addition to coming to different conclusions for our scenarios, have significant limitations. Instead, by offering our scenarios and by comparing two different approaches to ethics, we strive to contribute to how the computer security research field considers and converses about ethical questions, especially when there are different perspectives on what is morally right or acceptable. Our vision is for this work to be broadly useful to the computer security community, including to researchers as they embark on (or choose not to embark on), conduct, and write about their research, to program committees as they evaluate submissions, and to educators as they teach about computer security and ethics.

    The paper will be presented at USENIX Security.

    ** *** ***** ******* *********** *************

    AI as Sensemaking for Public Comments

    [2023.06.22] ItΓÇÖs become fashionable to think of artificial intelligence as an inherently dehumanizing technology, a ruthless force of automation that has unleashed legions of virtual skilled laborers in faceless form. But what if AI turns out to be the one tool able to identify what makes your ideas special, recognizing your unique perspective and potential on the issues where it matters most?

    YouΓÇÖd be forgiven if youΓÇÖre distraught about societyΓÇÖs ability to grapple with this new technology. So far, thereΓÇÖs no lack of prognostications about the democratic doom that AI may wreak on the US system of government. There are legitimate reasons to be concerned that AI could spread misinformation, break public comment processes on regulations, inundate legislators with artificial constituent outreach, help to automate corporate lobbying, or even generate laws in a way tailored to benefit narrow interests.

    But there are reasons to feel more sanguine as well. Many groups have started demonstrating the potential beneficial uses of AI for governance. A key constructive-use case for AI in democratic processes is to serve as discussion moderator and consensus builder.

    To help democracy scale better in the face of growing, increasingly interconnected populations -- as well as the wide availability of AI language tools that can generate reams of text at the click of a button -- the US will need to leverage AIΓÇÖs capability to rapidly digest, interpret and summarize this content.

    There are two different ways to approach the use of generative AI to improve civic participation and governance. Each is likely to lead to drastically different experience for public policy advocates and other people trying to have their voice heard in a future system where AI chatbots are both the dominant readers and writers of public comment.

    For example, consider individual letters to a representative, or comments as part of a regulatory rulemaking process. In both cases, we the people are telling the government what we think and want.

    For more than half a century, agencies have been using human power to read through all the comments received, and to generate summaries and responses of their major themes. To be sure, digital technology has helped.

    In 2021, the Council of Federal Chief Data Officers recommended modernizing the comment review process by implementing natural language processing tools for removing duplicates and clustering similar comments in processes governmentwide. These tools are simplistic by the standards of 2023 AI. They work by assessing the semantic similarity of comments based on metrics like word frequency (How often did you say ΓÇ£personhoodΓÇ¥?) and clustering similar comments and giving reviewers a sense of what topic they relate to.

    Think of this approach as collapsing public opinion. They take a big, hairy mass of comments from thousands of people and condense them into a tidy set of essential reading that generally suffices to represent the broad themes of community feedback. This is far easier for a small agency staff or legislative office to handle than it would be for staffers to actually read through that many individual perspectives.

    But whatΓÇÖs lost in this collapsing is individuality, personality, and relationships. The reviewer of the condensed comments may miss the personal circumstances that led so many commenters to write in with a common point of view, and may overlook the arguments and anecdotes that might be the most persuasive content of the testimony.

    Most importantly, the reviewers may miss out on the opportunity to recognize committed and knowledgeable advocates, whether interest groups or individuals, who could have long-term, productive relationships with the agency.

    These drawbacks have real ramifications for the potential efficacy of those thousands of individual messages, undermining what all those people were doing it for. Still, practicality tips the balance toward of some kind of summarization approach. A passionate letter of advocacy doesnΓÇÖt hold any value if regulators or legislators simply donΓÇÖt have time to read it.

    There is another approach. In addition to collapsing testimony through summarization, government staff can use modern AI techniques to explode it. They can automatically recover and recognize a distinctive argument from one piece of testimony that does not exist in the thousands of other testimonies received. They can discover the kinds of constituent stories and experiences that legislators love to repeat at hearings, town halls and campaign events. This approach can sustain the potential impact of individual public comment to shape legislation even as the volumes of testimony may rise exponentially.

    In computing, there is a rich history of that type of automation task in what is called outlier detection. Traditional methods generally involve finding a simple model that explains most of the data in question, like a set of topics that well describe the vast majority of submitted comments. But then they go a step further by isolating those data points that fall outside the mold -- comments that donΓÇÖt use arguments that fit into the neat little clusters.

    State-of-the-art AI language models arenΓÇÖt necessary for identifying outliers in text document data sets, but using them could bring a greater degree of sophistication and flexibility to this procedure. AI language models can be tasked to identify novel perspectives within a large body of text through prompting alone. You simply need to tell the AI to find them.

    In the absence of that ability to extract distinctive comments, lawmakers and regulators have no choice but to prioritize on other factors. If there is nothing better, ΓÇ£who donated the most to our campaignΓÇ¥ or ΓÇ£which company employs the most of my former staffersΓÇ¥ become reasonable metrics for prioritizing public comments. AI can help elected representatives do much better.

    If Americans want AI to help revitalize the countryΓÇÖs ailing democracy, they need to think about how to align the incentives of elected leaders with those of individuals. Right now, as much as 90% of constituent communications are mass emails organized by advocacy groups, and they go largely ignored by staffers. People are channeling their passions into a vast digital warehouses where algorithms box up their expressions so they donΓÇÖt have to be read. As a result, the incentive for citizens and advocacy groups is to fill that box up to the brim, so someone will notice itΓÇÖs overflowing.

    A talented, knowledgeable, engaged citizen should be able to articulate their ideas and share their personal experiences and distinctive points of view in a way that they can be both included with everyone elseΓÇÖs comments where they contribute to summarization and recognized individually among the other comments. An effective comment summarization process would extricate those unique points of view from the pile and put them into lawmakersΓÇÖ hands.

    This essay was written with Nathan Sanders, and previously appeared in the Conversation.

    ** *** ***** ******* *********** *************

    UPS Data Harvested for SMS Phishing Attacks

    [2023.06.23] I get UPS phishing spam on my phone all the time. I never click on it, because itΓÇÖs so obviously spam. Turns out that hackers have been harvesting actual UPS delivery data from a Canadian tracking tool for its phishing SMSs.

    ** *** ***** ******* *********** *************

    Excel Data Forensics

    [2023.06.26] In this detailed article about academic plagiarism are some interesting details about how to do data forensics on Excel files. It really needs the graphics to understand, so see the description at the link.

    (And, yes, an author of a paper on dishonesty is being accused of dishonesty. ThereΓÇÖs more evidence.)

    EDITED TO ADD (7/13): Guardian article.

    ** *** ***** ******* *********** *************

    Typing Incriminating Evidence in the Memo Field

    [2023.06.27] DonΓÇÖt do it:

    Recently, the manager of the Harvard Med School morgue was accused of stealing and selling human body parts. Cedric Lodge and his wife Denise were among a half-dozen people arrested for some pretty grotesque crimes. This part is also at least a little bit funny though:

    Over a three-year period, Taylor appeared to pay Denise Lodge more than $37,000 for human remains. One payment, for $1,000 included the memo ΓÇ£head number 7.ΓÇ¥ Another, for $200, read ΓÇ£braiiiiiins.ΓÇ¥

    ItΓÇÖs so easy to think that you wonΓÇÖt get caught.

    ** *** ***** ******* *********** *************

    Stalkerware Vendor Hacked

    [2023.06.28] The stalkerware company LetMeSpy has been hacked:

    TechCrunch reviewed the leaked data, which included years of victimsΓÇÖ call logs and text messages dating back to 2013.

    The database we reviewed contained current records on at least 13,000 compromised devices, though some of the devices shared little to no data with LetMeSpy. (LetMeSpy claims to delete data after two months of account inactivity.)

    [...]

    The database also contained over 13,400 location data points for several thousand victims. Most of the location data points are centered over population hotspots, suggesting the majority of victims are located in the United States, India and Western Africa.

    The data also contained the spywareΓÇÖs master database, including information about 26,000 customers who used the spyware for free and the email addresses of customers who bought paying subscriptions.

    The leaked data contains no identifying information, which means people whose data was leaked canΓÇÖt be notified. (This is actually much more complicated than it might seem, because alerting the victims often means alerting the stalker -- which can put the victims into unsafe situations.)

    ** *** ***** ******* *********** *************

    Redacting Documents with a Black Sharpie DoesnΓÇÖt Work

    [2023.06.29] We have learned this lesson again:

    As part of the FTC v. Microsoft hearing, Sony supplied a document from PlayStation chief Jim Ryan that includes redacted details on the margins Sony shares with publishers, its Call of Duty revenues, and even the cost of developing some of its games.

    It looks like someone redacted the documents with a black Sharpie but when you scan them in, itΓÇÖs easy to see some of the redactions. Oops.

    I donΓÇÖt particularly care about the redacted information, but itΓÇÖs there in the article.

    ** *** ***** ******* *********** *************

    The US Is Spying on the UN Secretary General

    [2023.06.30] The Washington Post is reporting that the US is spying on the UN Secretary General.

    The reports on Guterres appear to contain the secretary generalΓÇÖs personal conversations with aides regarding diplomatic encounters. They indicate that the United States relied on spying powers granted under the Foreign Intelligence Surveillance Act (FISA) to gather the intercepts.

    Lots of details about different conversations in the article, which are based on classified documents leaked on Discord by Jack Teixeira.

    There will probably a lot of faux outrage at this, but spying on foreign leaders is a perfectly legitimate use of the NSAΓÇÖs capabilities and authorities. (If the NSA didnΓÇÖt spy on the UN Secretary General, we should fire it and replace it with a more competent NSA.) ItΓÇÖs the bulk surveillance of whole populations that should outrage us.

    ** *** ***** ******* *********** *************

    Self-Driving Cars Are Surveillance Cameras on Wheels

    [2023.07.03] Police are already using self-driving car footage as video evidence:

    While security cameras are commonplace in American cities, self-driving cars represent a new level of access for law enforcement and a new method for encroachment on privacy, advocates say. Crisscrossing the city on their routes, self-driving cars capture a wider swath of footage. And itΓÇÖs easier for law enforcement to turn to one company with a large repository of videos and a dedicated response team than to reach out to all the businesses in a neighborhood with security systems.

    ΓÇ£WeΓÇÖve known for a long time that they are essentially surveillance cameras on wheels,ΓÇ¥ said Chris Gilliard, a fellow at the Social Science Research Council. ΓÇ£WeΓÇÖre supposed to be able to go about our business in our day-to-day lives without being surveilled unless we are suspected of a crime, and each little bit of this technology strips away that ability.ΓÇ¥

    [...]

    While self-driving services like Waymo and Cruise have yet to achieve the same level of market penetration as Ring, the wide range of video they capture while completing their routes presents other opportunities. In addition to the San Francisco homicide, BloombergΓÇÖs review of court documents shows police have sought footage from Waymo and Cruise to help solve hit-and-runs, burglaries, aggravated assaults, a fatal collision and an attempted kidnapping.

    In all cases reviewed by Bloomberg, court records show that police collected footage from Cruise and Waymo shortly after obtaining a warrant. In several cases, Bloomberg could not determine whether the recordings had been used in the resulting prosecutions; in a few of the cases, law enforcement and attorneys said the footage had not played a part, or was only a formality. However, video evidence has become a lynchpin of criminal cases, meaning itΓÇÖs likely only a matter of time.

    ** *** ***** ******* *********** *************

    The Password Game

    [2023.07.04] Amusing parody of password rules.

    BoingBoing:

    For example, at a certain level, your password must include todayΓÇÖs Wordle answer. And then thereΓÇÖs rule #27: ΓÇ£At least 50% of your password must be in the Wingdings font.ΓÇ¥

    EDITED TO ADD (7/13): Here are all the rules.

    ** *** ***** ******* *********** *************

    Class-Action Lawsuit for Scraping Data without Permission

    [2023.07.05] I have mixed feelings about this class-action lawsuit against OpenAI and Microsoft, claiming that it ΓÇ£scraped 300 billion words from the internetΓÇ¥ without either registering as a data broker or obtaining consent. On the one hand, I want this to be a protected fair use of public data. On the other hand, I want us all to be compensated for our uniquely human ability to generate language.

    ThereΓÇÖs an interesting wrinkle on this. A recent paper showed that using AI generated text to train another AI invariably ΓÇ£causes irreversible defects.ΓÇ¥ From a summary:

    The tails of the original content distribution disappear. Within a few generations, text becomes garbage, as Gaussian distributions converge and may even become delta functions. We call this effect model collapse.

    Just as weΓÇÖve strewn the oceans with plastic trash and filled the atmosphere with carbon dioxide, so weΓÇÖre about to fill the Internet with blah. This will make it harder to train newer models by scraping the web, giving an advantage to firms which already did that, or which control access to human interfaces at scale. Indeed, we already see AI startups hammering the Internet Archive for training data.

    This is the same idea that Ted Chiang wrote about: that ChatGPT is a ΓÇ£blurry JPEG of all the text on the Web.ΓÇ¥ But the paper includes the math that proves
    the claim.

    What this means is that text from before last year -- text that is known human-generated -- will become increasingly valuable.

    ** *** ***** ******* *********** *************

    Belgian Tax Hack

    [2023.07.06] HereΓÇÖs a fascinating tax hack from Belgium (listen to the details here, episode #484 of ΓÇ£No Such Thing as a Fish,ΓÇ¥ at 28:00).

    Basically, itΓÇÖs about a music festival on the border between Belgium and Holland. The stage was in Holland, but the crowd was in Belgium. When the copyright collector came around, they argued that they didnΓÇÖt have to pay any tax because the audience was in a different country. Supposedly it worked.

    ** *** ***** ******* *********** *************

    The AI Dividend

    [2023.07.07] For four decades, Alaskans have opened their mailboxes to find checks waiting for them, their cut of the black gold beneath their feet. This is AlaskaΓÇÖs Permanent Fund, funded by the stateΓÇÖs oil revenues and paid to every Alaskan each year. WeΓÇÖre now in a different sort of resource rush, with companies peddling bits instead of oil: generative AI.

    Everyone is talking about these new AI technologies -- like ChatGPT -- and AI companies are touting their awesome power. But they arenΓÇÖt talking about how that power comes from all of us. Without all of our writings and photos that AI companies are using to train their models, they would have nothing to sell. Big Tech companies are currently taking the work of the American people, without our knowledge and consent, without licensing it, and are pocketing the proceeds.

    You are owed profits for your data that powers todayΓÇÖs AI, and we have a way to make that happen. We call it the AI Dividend.

    Our proposal is simple, and harkens back to the Alaskan plan. When Big Tech companies produce output from generative AI that was trained on public data, they would pay a tiny licensing fee, by the word or pixel or relevant unit of data. Those fees would go into the AI Dividend fund. Every few months, the Commerce Department would send out the entirety of the fund, split equally, to every resident nationwide. ThatΓÇÖs it.

    ThereΓÇÖs no reason to complicate it further. Generative AI needs a wide variety of data, which means all of us are valuable -- not just those of us who write professionally, or prolifically, or well. Figuring out who contributed to which words the AIs output would be both challenging and invasive, given that even the companies themselves donΓÇÖt quite know how their models work. Paying the dividend to people in proportion to the words or images they create would just incentivize them to create endless drivel, or worse, use AI to create that drivel. The bottom line for Big Tech is that if their AI model was created using public data, they have to pay into the fund. If youΓÇÖre an American, you get paid from the fund.

    Under this plan, hobbyists and American small businesses would be exempt from fees. Only Big Tech companies -- those with substantial revenue -- would be required to pay into the fund. And they would pay at the point of generative AI output, such as from ChatGPT, Bing, Bard, or their embedded use in third-party services via Application Programming Interfaces.

    Our proposal also includes a compulsory licensing plan. By agreeing to pay into this fund, AI companies will receive a license that allows them to use public data when training their AI. This wonΓÇÖt supersede normal copyright law, of course. If a model starts producing copyright material beyond fair use, thatΓÇÖs a separate issue.

    Using todayΓÇÖs numbers, hereΓÇÖs what it would look like. The licensing fee could be small, starting at $0.001 per word generated by AI. A similar type of fee would be applied to other categories of generative AI outputs, such as images. ThatΓÇÖs not a lot, but it adds up. Since most of Big Tech has started integrating generative AI into products, these fees would mean an annual dividend payment of a couple hundred dollars per person.

    The idea of paying you for your data isnΓÇÖt new, and some companies have tried to do it themselves for users who opted in. And the idea of the public being repaid for use of their resources goes back to well before AlaskaΓÇÖs oil fund. But generative AI is different: It uses data from all of us whether we like it or not, itΓÇÖs ubiquitous, and itΓÇÖs potentially immensely valuable. It would cost Big Tech companies a fortune to create a synthetic equivalent to our data from scratch, and synthetic data would almost certainly result in worse output. They canΓÇÖt create good AI without us.

    Our plan would apply to generative AI used in the US. It also only issues a dividend to Americans. Other countries can create their own versions, applying a similar fee to AI used within their borders. Just like an American company collects VAT for services sold in Europe, but not here, each country can independently manage their AI policy.

    DonΓÇÖt get us wrong; this isnΓÇÖt an attempt to strangle this nascent technology. Generative AI has interesting, valuable, and possibly transformative uses, and this policy is aligned with that future. Even with the fees of the AI Dividend, generative AI will be cheap and will only get cheaper as technology improves. There are also risks -- both every day and esoteric -- posed by AI, and the government may need to develop policies to remedy any harms that arise.

    Our plan canΓÇÖt make sure there are no downsides to the development of AI, but it would ensure that all Americans will share in the upsides -- particularly since this new technology isnΓÇÖt possible without our contribution.

    This essay was written with Barath Raghavan, and previously appeared on Politico.com.

    ** *** ***** ******* *********** *************

    Wisconsin Governor Hacks the Veto Process

    [2023.07.10] In my latest book, A HackerΓÇÖs Mind, I wrote about hacks as loophole exploiting. This is a great example: The Wisconsin governor used his line-item veto powers -- supposedly unique in their specificity -- to change a one-year funding increase into a 400-year funding increase.

    He took this wording:

    Section 402. 121.905 (3) (c) 9. of the statues is created to read: 121.903 (3) (c) 9. For the limit for the 2023-24 school year and the 2024-25 school year, add $325 to the result under par. (b).

    And he deleted these words, numbers, and punctuation marks:

    Section 402. 121.905 (3) (c) 9. of the statues is created to read: 121.903 (3) (c) 9. For the limit for the 2023-24 school year and the 2024 -- 25 school year, add $325 to the result under par. (b).

    Seems to be legal:

    Rick Champagne, director and general counsel of the nonpartisan Legislative Reference Bureau, said EversΓÇÖ 400-year veto is lawful in terms of its form because the governor vetoed words and digits.

    ΓÇ£Both are allowable under the constitution and court decisions on partial veto. The hyphen seems to be new, but the courts have allowed partial veto of punctuation,ΓÇ¥ Champagne said.

    Definitely a hack. This is not what anyone thinks about when they imagine using a line-item veto.

    And itΓÇÖs not the first time. I donΓÇÖt know the details, but this was certainly the same sort of character-by-character editing:

    Mr EversΓÇÖ Republican predecessor once deploying it to extend a state programmeΓÇÖs deadline by one thousand years.

    A couple of other things:

    One, this isnΓÇÖt really a 400-year change. Yes, thatΓÇÖs what the law says. But it can be repealed. And who knows that a dollar will be worth -- or if they will even be used -- that many decades from now.

    And two, from now all Wisconsin lawmakers will have to be on the alert for this sort of thing. All contentious bills will be examined for the possibility of this sort of delete-only rewriting. This sentence could have been reworded, for example:

    For the 2023-2025 school years, add $325 to the result under par. (b).

    The problem is, of course, that legalese developed over the centuries to be extra wordy in order to limit disputes. If lawmakers need to state things in the minimal viable language, that will increase court battles later. And thatΓÇÖs not even enough. Bills can be thousands of words long. If any arbitrary characters can be glued together by deleting enough other characters, bills can say anything the governor wants.

    The real solution is to return the line-item veto to what we all think it is: the ability to remove individual whole provisions from a law before signing it.

    ** *** ***** ******* *********** *************

    Privacy of Printing Services

    [2023.07.11] The Washington Post has an article about popular printing services, and whether or not they read your documents and mine the data when you use them for printing:

    Ideally, printing services should avoid storing the content of your files, or at least delete daily. Print services should also communicate clearly upfront what information theyΓÇÖre collecting and why. Some services, like the New York Public Library and PrintWithMe, do both.

    Others dodged our questions about what data they collect, how long they store it and whom they share it with. Some -- including Canon, FedEx and Staples -- declined to answer basic questions about their privacy practices.

    ** *** ***** ******* *********** *************

    Google Is Using Its Vast Data Stores to Train AI

    [2023.07.12] No surprise, but Google just changed its privacy policy to reflect broader uses of all the surveillance data it has captured over the years:

    Research and development: Google uses information to improve our services and to develop new products, features and technologies that benefit our users and the public. For example, we use publicly available information to help train GoogleΓÇÖs AI models and build products and features like Google Translate, Bard, and Cloud AI capabilities.

    (I quote the privacy policy as of today. The Mastodon link quotes the privacy policy from ten days ago. So things are changing fast.)

    ** *** ***** ******* *********** *************

    French Police Will Be Able to Spy on People through Their Cell Phones

    [2023.07.13] The French police are getting new surveillance powers:

    French police should be able to spy on suspects by remotely activating the camera, microphone and GPS of their phones and other devices, lawmakers agreed late on Wednesday, July 5.

    [...]

    Covering laptops, cars and other connected objects as well as phones, the measure would allow the geolocation of suspects in crimes punishable by at least five yearsΓÇÖ jail. Devices could also be remotely activated to record sound and images of people suspected of terror offenses, as well as delinquency and organized crime.

    [...]

    During a debate on Wednesday, MPs in President Emmanuel MacronΓÇÖs camp inserted an amendment limiting the use of remote spying to ΓÇ£when justified by the nature and seriousness of the crimeΓÇ¥ and ΓÇ£for a strictly proportional duration.ΓÇ¥ Any use of the provision must be approved by a judge, while the total duration of the surveillance cannot exceed six months. And sensitive professions including doctors, journalists, lawyers, judges and MPs would not be legitimate targets.

    ** *** ***** ******* *********** *************

    Buying Campaign Contributions as a Hack

    [2023.07.14] The first Republican primary debate has a popularity threshold to determine who gets to appear: 40,000 individual contributors. Now there are a lot of conventional ways a candidate can get that many contributors. Doug Burgum came up with a novel idea: buy them:

    A long-shot contender at the bottom of recent polls, Mr. Burgum is offering $20 gift cards to the first 50,000 people who donate at least $1 to his campaign. And one lucky donor, as his campaign advertised on Facebook, will have the chance to win a Yeti Tundra 45 cooler that typically costs more than $300 -- just for donating at least $1.

    ItΓÇÖs actually a pretty good idea. He could have spent the money on direct mail, or personalized social media ads, or television ads. Instead, he buys gift cards at maybe two-thirds of face value (sellers calculate the advertising value, the additional revenue that comes from using them to buy something more expensive, and breakage when theyΓÇÖre not redeemed at all), and resells them. Plus, many contributors probably give him more than $1, and he got a lot of publicity over this.

    Clever hack.

    ** *** ***** ******* *********** *************

    Since 1998, CRYPTO-GRAM has been a free monthly newsletter providing summaries, analyses, insights, and commentaries on security technology. To subscribe, or to read back issues, see Crypto-Gram's web page.

    You can also read these articles on my blog, Schneier on Security.

    Please feel free to forward CRYPTO-GRAM, in whole or in part, to colleagues and friends who will find it valuable. Permission is also granted to reprint CRYPTO-GRAM, as long as it is reprinted in its entirety.

    Bruce Schneier is an internationally renowned security technologist, called a security guru by the Economist. He is the author of over one dozen books -- including his latest, A HackerΓÇÖs Mind -- as well as hundreds of articles, essays, and academic papers. His newsletter and blog are read by over 250,000 people. Schneier is a fellow at the Berkman Klein Center for Internet & Society at Harvard University; a Lecturer in Public Policy at the Harvard Kennedy School; a board member of the Electronic Frontier Foundation, AccessNow, and the Tor Project; and an Advisory Board Member of the Electronic Privacy Information Center and VerifiedVoting.org. He is the Chief of Security Architecture at Inrupt, Inc.

    Copyright © 2023 by Bruce Schneier.

    ** *** ***** ******* *********** *************

    --- BBBS/Li6 v4.10 Toy-5
    * Origin: TCOB1 - binkd.thecivv.ie (618:500/14)