Future Tense
The Citizen's Guide to the Future

Oct. 5 2015 5:37 PM

Study: 20 Percent of 911 Calls in San Francisco Are Butt Dials

From 2011 to 2014, San Francisco’s 911 dispatchers experienced a 28 percent surge in emergency calls. It wasn’t because of an increase in crime. Pranksters weren’t inundating the system. The real source? Butt dials.

According to a new report by Google, about 20 percent of all 911 calls made in San Francisco last year were pocket dials. As more people ditch landlines for smartphones—which are required to let users make emergency calls without having to unlock them—accidental emergency dials are on the rise. This is a big problem for 911 dispatchers who have to make sure the silence on the other end isn’t someone in danger. The extra investigation is straining an already overworked system.

Not only is it time-consuming for the dispatcher to take a long, silent butt dial, but it also exacerbates the follow-up process. The report found that it took an average of one minute and 14 seconds to determine if the call was accidental. Nearly 40 percent of the workers at a San Francisco call center said chasing down silent calls was the biggest “pain point” of their job.

Last year, FCC Commissioner Michael O’Rielly wrote a blog post suggesting that 50 percent of 911 calls were the result of butt dials. “Dedicated and hard-working public safety officials who answer and respond to Americans in times of need are being inundated by accidental wireless calls to 911,” O’Rielly wrote. “This is a huge waste of resources, raises the cost of providing 911 services … and increases the risk that legitimate 911 calls—and first responders—will be delayed.”

He suggested that wireless providers automatically send a text to 911 callers. “If consumers are alerted to the simple fact that they have dialed 911 accidentally, they may take precautions to prevent it from happening again,” he wrote. He also proposed a penalty fee for repeat butt-dial offenders.

In the United Kingdom, emergency call centers adopted a system to quickly identify butt dials by prompting the caller to press “55” if they were there, according to the BBC. The technology helped reduce the volume of calls.

Google recommends automating the callback process for dispatchers and improving the way call centers keep track of accidental dials. Until 911 handlers find a solution, consider locking your phone or setting a passcode before jamming it back into your pocket. It might make an overworked dispatcher’s day a little better.

Oct. 5 2015 5:19 PM

California Governor Bravely Vetoes Bill to Ban Drones From Interfering With Firefighters

If you’re like me, you’ve been reading the news out of California this summer and fall, as the state has been ablaze with wildfires, and asking yourself: “When will someone stand up for obnoxious hobbyists who interfere with emergency rescue operations by flying their drones over active wildfires?” Well, friends, our hero has finally come along, and he’s California Gov. Jerry Brown. This weekend, Brown took me by surprise by vetoing a bill that would have made it unlawful to operate a drone “in a manner that prevents or delays the extinguishment of a fire, or in any way interferes with the efforts of firefighters to control, contain, or extinguish a fire.” Obviously someone has never heard the old political adage “Voters hate unextinguished fires.”

The vetoed measure, SB 168, came into being this summer, after several drone hobbyists made news by getting in the way of rescue operations. SB 168 seemed about as uncontroversial as a bill can get, catering as it did to the public’s reflexive dislike for both wildfires and drone hobbyists. But Brown, who has consistently opposed intrusive drone regulations, vetoed it anyway. Over the weekend, he also vetoed two other drone-control bills, which would have made it a misdemeanor to operate drones in or over state jails and prisons and to operate drones without permission at low altitudes on public-school grounds, respectively. In September, he vetoed a bill that would have required drone pilots to obtain permission before flying their devices over private property at low altitudes. It’s probably not coincidental that California is the capital of the drone industry in the United States and that drones stand to add a lot of money to the state economy if the sector is allowed to flourish.

But there’s more going on here than just good old laissez-faire capitalism. In his veto message to the California state Senate, Brown said that each of the three vetoed drone bills, along with six other bills that he declined to sign, “creates a new crime—usually by finding a novel way to characterize and criminalize conduct that is already proscribed. This multiplication and particularization of criminal behavior creates increasing complexity without commensurate benefit.” Though improper drone usage presents a public menace, a greater menace, Brown apparently believes, is a cumbersome code of laws that makes it far too easy for the state to turn citizens into prisoners. I’m sympathetic to Brown’s logic.

If I’m reading them correctly, each of the three vetoed drone-control bills sought to criminalize behavior that was already broadly prohibited. In the state of California, it is already a misdemeanor to “engage in disorderly conduct that delays or prevents a fire from being timely extinguished” or to prevent emergency responders from discharging their duties. The state already prohibits people from sneaking contraband into prisons or attempting unauthorized communication with prisoners; the state already prohibits uninvited visitors from disrupting school activities.

Legislators’ attempts to get specific are a function of frustration, both with drone operators whose actions too often defy common sense and with a federal government that is taking its sweet time to come up with comprehensive regulations for an industry that desperately needs them. The point of explicitly stating “No drones allowed” is to remove any doubt that drone-related misconduct is prohibited; to make things clearer for cops and prosecutors who might not immediately know what to charge when some jerk accidentally crashes his drone into a busy schoolyard or into a rescue helicopter. These won’t be the last drone-control bills that Jerry Brown will have to consider, and while I appreciate his big-picture approach to drone regulations, it’ll only take one big drone-related tragedy for the governor to get burned.

This article is part of a Future Tense series on the future of drones and is part of a larger project, supported by a grant from Omidyar Network and Humanity United, that includes a drone primer from New America.

Oct. 5 2015 4:18 PM

Wily Attack on Microsoft Outlook Is Especially Worrying Because Everyone Uses Outlook

Microsoft's Outlook email service isn't exactly, how do I put this, a favorite. Most people end up using it for work email at some point, but no one seems to really like it. As Gizmodo editor-in-chief Annalee Newitz put it in May, "Microsoft Outlook has the distinction of being one of the world’s most widely-used email and calendaring systems—and the one that arouses the most profound indifference in its users." So when a security issue crops up in Outlook, you might be tempted to just ignore it. But the whole ubiquity thing makes that really hard to do.

Take, for example, a new attack on the Outlook Web Application (Outlook's browser access) spotted by Ars Technica. A report released Monday from security firm Cybereason outlines a malware attack that sits on the Web app server and collects login credentials from a particular company or organization. Cybereason discovered the exploit after one of its clients noticed unusual activity on its network and had Cybereason scan its 19,000 endpoints (devices like laptops, smartphones, or any Internet-connected equipment).

The firm concluded that malware affecting the client had been strategically placed on a particular component of Microsoft's Exchange Server, which deals with Outlook email and calendar data. The malware offered a backdoor to decrypted HTTPS requests, exposing passwords and other data. Cybereason notes that its client was using the Outlook Web Application to allow for remote access (a common capability that allows employees to keep up with work email).

Cybereason explains:

Contrary to other web servers that typically have only a web interface, OWA is unique: it is a critical internal infrastructure that also faces the Internet. ... This configuration of OWA created an ideal attack platform because the server was exposed both internally and externally. Moreover, because OWA authentication is based on domain credentials, whoever gains access to the OWA server becomes the owner of the entire organization’s domain credentials. [Emphasis theirs.]

Outlook may be boring and corporate, but that's exactly what makes it a perfect target for a persistent attack over a long period of time: Tons of high-profile companies use it. Cybereason is just presenting one case study, but it's not unreasonable to think that such an effective attack is already in use against other organizations as well, or will be. Companies that use a third-party credential manager (for example, Slate uses Okta) are probably not vulnerable to this attack. I reached out to Microsoft for comment and will update with any response.

Update, October 6, 2015, 11 a.m.: A Microsoft spokesperson says, “The report conveniently skips over the important details of how an attacker might 'gain a foothold into a highly strategic asset' if a system is properly managed, secured, and up to date. For all types of critical servers and applications, we recommend IT administrators use the latest products and services, in combination with industry best practices for IT management.” Of course it probably wouldn't be in Microsoft's interest for Cybereason to publicly disclose that, but the company seems to be hoping that the attack exploits a vulnerability that was previously patched.

Oct. 5 2015 4:18 PM

A Drone, a Phone, an Attack Zone: Printer Hack

You might think that working on a secured floor in a 30-story office tower puts you out of reach of Wi-Fi hackers out to steal your confidential documents.

But researchers in Singapore have demonstrated how attackers using a drone plus a mobile phone could easily intercept documents sent to a seemingly inaccessible Wi-Fi printer. The method they devised is actually intended to help organizations determine cheaply and easily if they have vulnerable open Wi-Fi devices that can be accessed from the sky. But the same technique could also be used by corporate spies intent on economic espionage.

The drone is simply the transport used to ferry a mobile phone that contains two different apps the researchers designed. One, which they call Cybersecurity Patrol, detects open Wi-Fi printers and can be used for defensive purposes to uncover vulnerable devices and notify organizations that they’re open to attack. The second app performs the same detection activity, but for purposes of attack. Once it detects an open wireless printer, the app uses the phone to establish a fake access point that mimics the printer and intercept documents intended for the real device.

“In Singapore … there are many skyscrapers, and it would be very difficult to get to the 30th floor with your notebook [if there is no] physical access,” says Yuval Elovici, head of iTrust, a cybersecurity research center at the Singapore University of Technology and Design. “A drone can do it easily. This is the main point of the research, closing the physical gap with [a] drone in order to launch the attack or scan easily all the organization [for vulnerable devices].”

Student researchers Jinghui Toh and Hatib Muhammad developed the method under the guidance of Elovici as part of a government-sponsored cybersecurity defense project. They focused on wireless printers as their target because they say these are often an overlooked weak spot in offices. Many Wi-Fi printers come with the Wi-Fi connection open by default, and companies forget that this can be a method for outsiders to steal data.

For their demo they use a standard drone from the Chinese firm DJI and a Samsung phone. Their smartphone app searches for open printer SSIDs and company SSIDs. From the SSIDs, the app can identify the name of the company they’re scanning as well as the printer model. It then poses as the printer and forces any nearby computers to connect to it instead of the real printer. Once a document is intercepted, which takes just seconds, the app can send it to an attacker’s Dropbox account using the phone’s 3G or 4G connection and also send it on to the real printer so a victim wouldn’t know the document had been intercepted.

The attack zone is limited to 26 meters in radius. But with dedicated hardware, an attacker could generate a signal that is significantly stronger and extend that range further, Elovici notes. Any computer inside the attack zone will opt to connect to the fake printer over the real one, even if the real printer is closer in proximity than the rogue one.

A drone hovering outside an office building isn’t likely to be missed, so using this method for an attack has obvious downsides. But the aim of their research was to show primarily that adversaries themselves don’t need to be positioned close to a Wi-Fi device to steal data. A hacker could be controlling a drone from half a mile away or, in the case of autonomous drones, be nowhere near the building at all.

As for how close the drone would need to be to do the initial scan to detect vulnerable devices in a building, that depends on the specific printer’s, or other device’s, Wi-Fi signal. Typically the range of a printer is about 30 meters, Elovici notes.

Turning their mobile phone into a fake printer was not trivial, however.

After purchasing an HP6830 printer, they reverse engineered the protocol the printer used to communicate with computers sending it documents. Then they rooted a Samsung phone to install the Debian operating system on it. For the app, they wrote some Python code that simulates the HP printer.

Any organizations that are more interested in uncovering vulnerable devices than attacking them can simply install the Cybersecurity Patrol app on a phone and attach it to a drone to scan their buildings for unsecured printers and other wireless devices. A drone isn’t essential for this, however. As the researchers show in their demo video, a phone containing their app can also be attached to a robot vacuum cleaner and set loose inside an office to scan for vulnerable devices as it cleans a company’s floors.

“The main point [of the research] was to develop a mechanism to try to patrol the perimeter of the organization and find open printers from outside the organization,” Elovici says. “It’s dramatically cheaper than a conventional pen test.”

Oct. 5 2015 12:58 PM

Internet.org Will Use a Satellite to Beam Its Version of the Web to Sub-Saharan Africa

Facebook's Internet.org data access program finished its first year in July. And though the project has faced criticism over its implications for net neutrality, it seems to be attempting to navigate the situation and move forward. So there's probably no better way to show progress than to straight up wrangle a satellite.

On Monday Facebook and French Internet service provider Eutelsat Communications announced a collaboration to bring free Web connectivity to a large portion of sub-Saharan Africa. Internet.org and Eutelsat will use Spacecom's AMOS-6 satellite, which is scheduled to launch into orbit in late 2015. The goal is to begin offering free Internet.org coverage to the region in the second half of 2016.

The announcement explains:

The two companies will utilise the entire broadband payload on the future AMOS-6 satellite and will build a dedicated system comprising satellite capacity, gateways and terminals. In providing reach to large parts of Sub-Saharan Africa, Eutelsat and Facebook will each be equipped to pursue their ambition to accelerate data connectivity for the many users deprived of the economic and social benefits of the Internet.

The partnership makes sense because Eutelsat has experience implementing satellite broadband in many regions like Europe and the Middle East, but the language of the press release makes it pretty clear that everyone is out for themselves and ready to "pursue their ambition[s]" in this collaboration. Eutelsat gets to expand its offerings and lure what it calls "professional users" while attempting to generate goodwill by partnering with Internet.org. And for Internet.org it's an opportunity to piggyback on another company's expertise, while expanding and growing its user base.

The satellite hasn't even launched yet, and the goal to begin offering service is about a year away, so there's room for plenty of problems and delays, but it seems like a reasonably solid plan. Meanwhile Google continues to chase balloons around the sky in an alternative attempt to cover the Earth in broadband.

Oct. 2 2015 4:14 PM

Sheesh, Even Streetlights Are Getting Cameras and Internet Connections

We've been hearing about the amorphous idea of "smart cities" for a while, but trash cans, sidewalks, and stop signs still seem the same, right? As in the broader Internet of Things movement, though, some subtle creep is beginning, and street lights are the most recent target. 

In New York City, GE is working to get a pilot of its intelligent lamppost project approved. So far the company has tested the lights, which have LED bulbs on dimmers and include sensors and cameras, in San Diego, California, and Jacksonville, Florida. But putting them in New York would be a whole other experiment in terms of what they can do for ultra-high density urban issues like traffic and crowd movement.

DNA Info reports that GE is touting the potential energy savings of the dimmer bulbs as a major reason that the New York Department of Transportation should consider a pilot. "If you’re having a festival or an emergency you can make them really bright, or dim them down," Jason Whittet, a director at GE's Intelligent Cities program, said at a local Community Board meeting in Manhattan on Thursday.

The GE street lights could even be outfitted with custom sensors to monitor things like air quality and noise, similar to a smart streetlight project Chicago started in 2014. A big difference, though, is that the GE lampposts have cameras and motion sensors, too. GE is currently talking about these instruments in terms of congestion management (a big problem in New York) and pedestrian flow, but you can see how they could easily transition to functioning as surveillance tools even if GE never intends that as a use.

In the video below, GE explains, "Connecting a city to the industrial internet drives the change that can help turn ... challenges into opportunities." Kind of sounds like opportunities for a cybersecurity nightmare, but, hey, less traffic is always a good thing.

Oct. 2 2015 3:41 PM

Apple’s 3D Touch Is the Tapping, Pressing, Popping Future of the Interface

If you want to understand the potential of 3D Touch, the new method of tapping and pressing on the screens of the latest iPhones, forget about the marketing lingo. Don’t think about Peeks or Pops or Quick Actions. Instead, think about reading—the kind you do with a textbook, highlighting text and scribbling in the margins. The kind of reading that you basically can’t do on your phone.

“Compare [reading a book] to reading in the New York Times app. Are you scrolling?” asks Georg Petschnigg, CEO of FiftyThree, the company behind the excellent Paper app. “Are you flipping articles? Are you selecting text? It’s actually really painful.” We don’t think about how dumb these processes are, but when you hear someone describe it out loud, it feels ridiculous. “If you want to select something ‘pause’,” he says. “Selection handles pop up, you have to drag them out, and then you have to wait, then you have to do an action, you have to wait for that stuff to appear. Then you move down.”

All those steps will soon turn into this: Press extra-hard on the screen and swipe across the letters. Presto; highlighted. “Instead of being an entrenched action that’s really full of friction,” Petschnigg says, “it becomes something that’s really intuitive.” Apple has already shown a couple of 3D Touch–based improvements here—you can now press extra-hard on your iPhone screen to define a word, for instance. But that, as with all of the tech inside 3D Touch, is just the very beginning. What’s lost inside the flash and branding of Apple’s new features is that your iPhone now has a pressure-sensitive display—and Apple’s providing data about it to developers in real time. The iPhone screens are incredibly sensitive and incredibly responsive. (“It’s very clean, very linear, very high-resolution,” Petschnigg says. “That’s technical speak for, it’s rock solid, it’s totally accurate. You probably could build a sail using that stuff.”) Developers are still trying to wrap their heads around what all that means, but when they do, it could turn 3D Touch from glorified right-click into really, truly, the biggest interface innovation since multitouch.

The key change, Petschnigg says, is that pressure can help you distinguish between selecting something and doing something to it. Until now, those have been the same—as soon as you tap the screen, the thing under your thumb snaps to your control. But if you separate selection from manipulation, you get much more powerful, much more natural control. Things move more naturally, with weight and inertia. You can move the same things different ways, and different things can happen. “Say, a building block,” Petschnigg says. “Kids know that there’s a difference between lifting up the silicon block and pushing it.” We lost that nuance with multitouch, and pressure touch can give it back.

It’s all very heady and philosophical—Petschnigg apologized a few times during our conversation for having his head so far in the clouds. Developers are still figuring out what this all means. Petschnigg imagines you could use Peek and Pop to look through your notes faster, for one thing. And who knows what else? “We know basic selection, text selection is going to change,” he says. “Object selection is going to change. We know on the tools side we gained an entirely new dimension of expressiveness.” They’re prototyping a lot of new ideas. “Diagram tool!” he proclaims at one point, like he just remembered it. “In our diagram tool, if you want to pick up a shape, duplicate a shape, stamp a shape, these all start to feel totally natural.”

There’s one more example he’s excited about: window management. As the world moves from mouse and keyboards to touchscreens, even for productive uses, how do we deal with having a dozen apps running at once? Right now, Petschnigg points out, the metaphor fails. “You know, you click on the window, it comes to the front. The same with ordering of shapes on the screen.” When you want something else, you Alt-Tab, which no one does, or rely on some hacky workaround. “Now,” he says, “you can push things back. You can’t push a window back today. Now, all of a sudden, the street that used to be one-way is now two-way. Things will change.”

Again, theoretical. Who knows how all this will shake out? Right now there’s really one big upside for FiftyThree: the $49 Pencil stylus lots of people already own just became way better. The Paper app knows the shape of the Pencil’s tip and can read its changing geometry as you move it around; now, thanks to pressure touch, the app also knows how hard you’re pressing on the screen. “With our sketch tool,” Petschnigg says, “you’ll be able to not just vary the width of a stroke, but the opacity, the lightness of it. Now it really feels like you’re carving on the screen as if you’re carving with a pencil.”

Here’s an easier example to understand. Magic Piano, Smule’s popular ivory-tickling app, uses 3D Touch in the most obvious of ways: to figure out how hard you hit the keys. Smule CEO Jeff Smith says this changes everything. “What’s happened with this new technology is we’ve moved from the harpsichord to the Steinway.” Before, the only way to change the tone and feel of a piece of music was to play a note longer—now you can play it louder. Or softer.

Apple’s data is rich enough that Magic Piano can measure the force from multiple fingers in real time, so you can pick out a single note in a chord to play a little more strongly (that’s called “voicing”). Pressure touch has single-handedly turned the iPhone and iPad into “an instrument that can now be expressive in terms of dynamic—loud, soft, but also articulation,” Smith says. “How notes are connected. For the first time, now, you can actually be quite expressive on the iPad and the iPhone, as you might be on a Steinway.”

Most people, though, won’t know this tech exists. And many more won’t know what to do with it. So Magic Piano now comes with a new slider in the app—slide it to the left, and the app does all the crescendo and dynamism for you. But slide to the right, and you’re entirely in control of whether “Somewhere Over the Rainbow” sounds stiff, lively, happy, sad, whatever you want. The slider solved a key problem, Smith says: “How do we find the balance of opening this up to people but over time giving people the tools to literally perfect piano playing?” He suspects that most people who use Magic Piano will start with the slider to the left but soon start moving it right and taking more control over the sound of their music.

After a week of using the new iPhones, I’m not blown away by what 3D Touch looks like now. Quick Actions are great, Peek and Pop are handy in spots, but none deserves the praise lavished upon them so far. So far. It’s been a while since I’ve talked to developers so excited about the possibilities of a new feature, simultaneously trying to integrate it and wrap their head around how big the possibilities actually are.

3D Touch is going to make using your phone—with your finger, with a stylus, with the tip of your nose—more natural, more obvious. It will let you do things you’ve never been able to do before, and it’ll let you do things in a way that actually makes sense. You’ll swipe to move something, press hard to select it. You’ll stop pinching—which, if you think about it, is a non-intuitive gesture—and start moving things with a single push. But it’s going to take a while.

Think back to the first introduction of the iPhone, in 2007. “To unlock the phone,” Jobs said, “I just take my finger and slide it across.” The audience gasped. “Want to see it again?”

Petschnigg remembers that moment well. “There was a physical thing on the screen,” he says. “You had to select the button and move it over.” It was better than the existing ideas, sure, but what was that button? It moved too freely, you didn’t know how it would move or how to make it stop. “By iOS 9,” Petschnigg says, “you can actually use the entire screen to unlock. And that’s right — you don’t need to move a button around. The button was a holdover from old times. The entire screen can take the gesture.”

His point: That took years to figure out. And it was just a lockscreen! But we’re learning, slowly but surely, how the digital world should (and shouldn’t) reflect the natural one. And with pressure touch, we have more tools than ever to help us do it. Eventually, they won’t just come from Apple and that Huawei phone you can use to weigh an orange. Just as multitouch did, this kind of technology will be everywhere, fast. Everyone will have their own branding just as ridiculous as 3D Touch. But together, they’ll reinvent the way we use our phones.

In the meantime, it’s going to be a hell of a lot of fun. “We now have an opportunity for people to be even more expressive on these devices than ever before,” the piano-app-maker Smith says, “and in fact to begin to perfect technique that’s like in the real world.” Then he corrects himself, sort of. “I’m not saying this is as good as a piano. If you really want a piano, go buy one. But this is pretty good. And it’s getting way better!”

Oct. 2 2015 11:25 AM

In Iran, Even Bloggers Who Stay Away From Politics Can Be Arrested

In early September 2015, members of the Iranian technology community noticed that prominent Iranian tech blogger Arash Zad seemed to be missing from cyberspace. They soon learned from his family and friends that Zad had been under arrest since the end of July, when he was detained by the Revolutionary Guard's intelligence units. Zad is an Iranian who lives in Turkey but had been visiting his home country for a holiday. His arrest has shaken the Iranian technology community because Zad, while an advocate for women and digital security, has always steered clear of politics—and if he can be detained in Iran, there’s little hope for others who are fighting for digital freedom.

Zad's arrest comes at a time of great tension around Internet policy and regulation in Iran. President Hassan Rouhani’s administration has advocated for more Internet freedom and development in the field of IT—but there seems to be a counterbalancing effect by the Supreme Leader Ayatollah Khamenei as well as hardline factions such as the judiciary and the Revolutionary Guards. According to recent reports, the Supreme Council of Cyberspace’s authority is increasing, alongside the launch of the guard’s new surveillance program known as Spider.

Amin Sabeti, an Iranian Internet researcher who follows cases of arrests of netizens inside Iran closely, told me that he saw Zad's arrest “as a strong signal from the Revolutionary Guards.” In the new climate of open foreign investment following the nuclear agreement, the guards are issuing a warning, he says, to entrepreneurs, technologists, and bloggers. The news of Zad's incarceration explained phishing emails that had been sent from his email account to many of his contacts at the beginning of August. For instance, Internet researcher Nariman Gharib received one such email on Aug. 2. Although not certain, it’s possible these attacks originated from the Revolutionary Guards intelligence units.

Zad, who was visiting Tehran on a trip from Turkey, is widely considered a tech pioneer in Iran. He first rose to prominence between 2008 and 2012 within the Iranian blogosphere with Weblogina, where he wrote about technology, Iran's IT culture, and startups. His work is largely focused on improving people’s digital lives. He founded Zig Zag Labs, a tech start-up that developed Ladybug, a project intended to encourage and empower Iranian women in the field of technology and entrepreneurship. Zig Zag Labs won the United Nations Youth Award for advancing the Millennium Development Goal of “Power to Women.” Zad is also one of the core members of the volunteer moderator team for Farsi translations on Twitter. In September 2012, the state-run IRIB Education channel Shabakaye Amoozesh Sima even featured Zad in an interview on its technology show Barkhat (“Online”). Prior to his arrest, he was slated to launch a new project aimed to educate elderly Iranians on new and secure communications tools.

The details of Zad's arrest remain unclear, though human rights organizations like Reporters Without Borders and Article 19 have called it out as arbitrary. Those close to Zad and his family have been reluctant to speak or publicize the case for fear of compromising his release.

Zad was a prolific presence on Twitter, and tweeted about his trouble-free trip to Iran up until a few hours before his arrest on July 31. His tweets give no indication that Zad considered his work in opposition to the Iranian authorities—indeed, he had seemed welcomed by the government. This arrest highlights the often unexpected turn of events that those with a public online presence within Iran can face. This is not the first time a technologist and blogger, with no particular political agenda, has been persecuted in Iran. In 2013, the eight technology bloggers known as Narenji were similarly arrested for arbitrary reasons that many associated with their connections to Western organizations.

It is clear, however, that Iranian authorities such as the Revolutionary Guards perceive threats to the state based on red lines that are often invisible to the “offenders” and tied to the current political climate. It seems as if Iran’s hardliners are increasingly concerned about the country’s startup community. In an article of caution against startup projects, the newspaper Kayhan, which is affiliated with the office of the Supreme Leader, warned that Western-funded startup projects could steal the ideas and labor of Iran’s educated and entrepreneurial youth. Given the importance of this publication, this is a clear sign that greater controls in this sphere are coming.

The nuclear agreement raised hopes among Iranians that improvement in economic development and online freedoms could be on the horizon. Cases like Zad's give pause to that optimism. Like many other policies in Iran, the arrest of a figure like Zad further reinforces fear and self-censorship online.

Oct. 2 2015 9:30 AM

Why Don’t Companies Want to Hear About Their Security Problems?

You probably already realize that perfect security is an illusion. If someone really wants to get into a house, the deadbolts and window locks most of us have aren't going to be enough protection. And the same holds true in cybersecurity. There’s a growing consensus that strong security actually comes from assuming the worst and viewing vulnerabilities as inevitable, instead of relying on traditional anti-virus software and patches alone. But in practice most institutions, like companies and governments, still use the outdated “patch and pray” approach. In a Washington Post story from June, Craig Timberg called this disconnect "a tragedy of missed opportunity."

As large-scale corporate and government hacks grow increasingly common, though, it's clear that this inertia will have to change one way or another. And instead of coming from within, change may actually come from outsiders.

Some companies have accepted scrutiny in the form of bug bounty programs. Security professionals or hobbyist hackers can submit vulnerabilities and potentially receive rewards for their discoveries. But until recently these dedicated communication channels were rare.

The shortage speaks to longstanding tension between institutions and hackers. A prominent example came in April when security researcher Chris Roberts tweeted from a United Airlines flight about his ability to access the vital controls of a plane through its in-flight Wi-Fi. He was met at the gate by FBI agents and banned from United.

Meanwhile, in August, the chief security officer of software company Oracle published a blog post/rant (which was removed a day later) about why she is frustrated by customer feedback about potential security bugs. She noted that she tells individuals who submit concerns, “Please comply with your license agreement and stop reverse engineering our code, already.”

In an attempt to address this gap, a new generation of services is trying to act as a middleman, creating platforms that organizations can use to easily get bug bounty programs up and running.  

One of these is HackerOne, a startup founded in 2012 to connect companies with the white hat (ethical) hackers who want to break sites and services in a good way. HackerOne does all the work of maintaining a bug submission platform, building a community of trusted hackers, and managing reward money. Companies just have to fund awards and be open to receiving feedback. (Disclosure: HackerOne's chief policy officer, Katie Moussouris, is a cybersecurity fellow at New America; New America is a partner with Slate and Arizona State University in Future Tense.)

But why has it been so hard for companies to admit that vulnerabilities are inevitable in the first place? “It’s such a break from the norm in any other enterprise," said Alex Rice, a HackerOne co-founder and the former head of product security at Facebook. "That’s just how most companies operate. It’s like ‘Yeah, we’ve got this one, we’re good.’ ”

And Rice says that even the security professionals within a company may not understand just how much risk there is unless they've dealt with a massive corporate breach firsthand. “They want to convey accountability and ownership over [security],” he said. “In most cases there’ll be some one-off thing, they’ll say that they’ve got it, and then the next breach won’t come up for another three years and for those three years it will look like they’re doing a great job.”

HackerOne doesn't give its network of volunteer hackers any special insight or advantages. They have the same access a malicious hacker would. (Most volunteers work on bug bounty projects because they want to sharpen their skills or simply because they find it enjoyable. Reward money doesn't hurt either.) And by using one of these bug bounty coordinator platforms, companies are preparing themselves to welcome inspection and critiques, rather than receiving them grudgingly, ignoring them, or deploying law enforcement.

The situation is far from resolved, though. As Kathleen Richards wrote on SearchSecurity in March, “The reality is most organizations still do not have mechanisms that enable ‘outsiders’ to safely report security flaws.”

It's a bad climate for individuals, but a big opportunity for companies like HackerOne. When there's a major breach, “It feels like it’s this failure by the company to have not prevented it,” Rice said. “But it’s really quickly shifting to the point where everybody’s had a breach at some point, and the real differentiator for companies is how they respond and how much confidence they build.”

Oct. 2 2015 8:50 AM

A Short History of the Gitmo Undersea Cable No One Is Talking About

Generally, when we hear about undersea fiber-optic cables, it's because some sharks are trying to shut down the Internet with their teeth. But there’s more to them than that. Right now, there is a kind of magic at work beneath the Atlantic Ocean. Xtera Communications Inc. is in the midst of building an undersea fiber-optic cable from Dania Beach, Florida, to Guantánamo Bay. The $35 million project, which the Defense Department awarded to the Texas-based firm in May 2014, hasn’t been much publicized, for obvious strategic reasons. Not many people are talking about the cable—certainly not President Obama or Cuban President Raúl Castro.

But the cable is critically important—not least because of the effects it could have on the ever-evolving diplomatic talks between Cuba and the United States. As more and more people urge the U.S. government to shut down the Naval Station at Guantánamo, it's important to remember that Gitmo is no longer just a surface structure. This subterranean submarine cable, predicted to be 950 miles in length, represents a substantial investment in the future of the base. And the real question: Who will benefit from it?

The world first got wind of it in July 2012, when Navy Capt. Kirk R. Hibbert revealed in an interview with Carol Rosenberg of the Miami Herald that U.S. officials had sent a diplomatic note to Havana explaining the fiber-optic project and that he'd received no opposition from his Cuban military counterparts.

A year later, Ronald Bechtold, then the chief information officer at the office of Secretary of Defense Chuck Hagel, unexpectedly announced, "It’s going to be for the entire island in anticipation that one day that they’ll be able to extend it into mainland Cuba." The Miami Herald sought to confirm these reports with Army Col. Greg Julian, who refuted them in the strongest of terms and stated, “[Bechtold] was out of his mind. He is no longer working for the Department of Defense.” He emphasized, “There is no intent to extend the cable to the mainland. It's a closed node for Department of Defense personnel.” In March 2015, the Department of Defense confirmed that the undersea cable would let the base end its reliance on slow commercial satellite services. The latest update regarding the cable came on Sept. 6, 2015, when the Miami Herald's Rosenberg shared that Xtera Communications' contractors hoped to wrap up the project by January 2016. She noted, "It should also end complaints by some of the 2,000-member prison staff that Internet access was better during deployments to Iraq and Afghanistan."

That brings us up to the present. Contractors are finishing their work on the cable. A few weeks ago, the New York Times' Editorial Board published "How to Close Guantánamo," highlighting what it would take for President Obama to fulfill a key promise made early in his first term. Gitmo was in the news again this past Monday, when Cuban President Raúl Castro, in his speech during the 70th Session of the U.N. General Assembly, called for "the return to our country of the territory illegally occupied by the Guantanamo Bay Naval Base."

There are several possible results for the cable should Gitmo close. Fred Soons, a professor emeritus of public international law at Utrecht University in the Netherlands, weighed in by email and speculated, "If Cuba is interested, it could buy the cable."

Medea Benjamin, the co-founder of the activist group CODEPINK, had a different vision: "We'd love to see [the Naval Base] converted into an international center for sustainable energy and non-violent conflict resolution. The submarine cable would come in very handy to ensure that this international center is connected to the rest of the world." She added, "If the U.S. company Xtera had any sense, it would be negotiating with the Cuban government right now about how the cable could help connect Cuban people to the Web."

But the Cuban government isn't exactly rushing to provide Internet access to its citizens. Freedom House estimates that a mere 5 percent of the country has unrestricted Internet access that's compatible with what's available in the United States.

What other fate could the Gitmo cable face if the U.S. Naval Station shut down? In an email, retired Capt. Ashley Roach suggested that the controversial cable, if ever declassified by the U.S. government, could end up much like the U.S. Navy's former sound surveillance system off the West Coast. Ultimately, civilian researchers were allowed to use part of it to monitor marine mammals like whales. Lionel Carter, a professor of Marine Geology at Victoria University of Wellington, told me, "If, for any reason the proposed cable was retired before the end of its design life (circa 20–25 years), it could be utilized to monitor the ocean currents passing through the Florida Straits to feed into the Gulf Stream. Such monitoring has been underway for several decades."

But for now, even if the Department of Defense were to close the military prison camp, it's likely the Naval Base would stay operational. And, so long as the sharks don't get the Gitmo cable, it's apt to support the American military for a long time to come.