Episode 38: Randomness and Predictability

Posted on by Christie Koehler

Download: Episode 38

This week Audrey and I chat about the KRACK WPA2 vulnerability, the technical skills of the judge in Oracle v Google, how Facebook is ruining our democracy, part 34, and more. Enjoy!

Show Notes

KRACK Wifi vulnerability

Oracle v Google Judge Alsup

Civic data FUBAR at NYPD

Facebook ruining our democracy, part 34

Things we like on the internet this week

Community Announcements

Kickstarter for Year 3

Today we’re launching the Kickstarter campaign for our next year of publishing The Recompiler. We have another four issues planned, more podcast episodes, and even another book. Click through to see more info and to find out about our fabulous rewards (Stickers! Posters! Zines!)

We’re also throwing a kickoff party tomorrow, Wednesday October 25 from 6-8pm, at Books With Pictures. The shop is at 1100 SE Division St, #103 in Portland, OR.

Issue 8 now shipping

The other exciting news this week is that we’re shipping Issue 8! Our wildcard issue has a little of everything, from citizen astronomers to cell networks.

First ever telethon on Nov 11th

On November 11 we’re going to be doing a live broadcast, for our upcoming Kickstarter. Join Christie and Audrey from 10am-4pm Pacific for technology discussion, tech support questions, special guest interviews, and a whole batch of tongue twisters like Christie promised us in May. You can join in by telling us what we should talk about, using this form.

We love hearing from you! Feedback, comments, questions…

We’d love hearing from you, so get in touch!

You can leave a comment on this post, tweet to @recompilermag or our host @christi3k, or send an email to podcast@recompilermag.com. You can also leave us an audio comment by calling (503) 489-9083.

Transcript

Christie: Hello and welcome to The Recompiler, a feminist hacker podcast where we talk about technology in a fun and playful way. I’m your host Christie Koehler.
Episode 38, randomness and predictability. This week, Audrey and I chat about the KRACK WPA2 vulnerability, the skills of the judge in Oracle v. Google and how rare and important they are, how Facebook is ruining our democracy, part 34, and more. Enjoy.
Hey, Christie here with some announcements. First, thank you for your patience through our unintentional summer hiatus. That’s on me, I got busy with day job and day job travel, but we’re getting back on schedule and I’ve got some great interviews in the backlog that we’ll get caught up with and publish soon.
Today, we’re launching the Kickstarter campaign for our next year of publishing The Recompiler, that’s year three. We have another four issues planned, more podcast episodes and even another book. Click through on the show notes and find out more about our fabulous awards, there are stickers, posters, zines, all kinds of cool stuff. We’re also throwing a kickoff party tomorrow, that’s Wednesday, October 25th, from 6:00PM to 8:00PM, at Books With Pictures. This is in Portland, so obviously this is for Portland local people. We’d love to see you there.
Issue eight, our wildcard issue, is now shipping. It has a little bit of everything, from citizen astronomers to cell networks. Check it out, shop.recompilermag.com.
On November 11th, Saturday November 11th, we’re going to be doing our very first live broadcast for the podcast. This is part of our Kickstarter campaign. Please join us from 10:00AM to 4:00PM Pacific for a technology discussion, tech support questions and special guest interviews. Oh yes, and a whole bunch of tongue twisters that I promised you all back in May. You can join in, in telling us what we should talk about using the form linked to in the show notes. Enjoy the show.
Hey Audrey.

Audrey: Hi Christie.

Christie: Podcast.

Audrey: It’s been a little while.

Christie: Do you remember how to do this? I’m not sure I do.

Audrey: We start talking and hope for the best.

Christie: Alright, so it’s been a busy summer.

Audrey: Yeah, I’m still not sure … I mean the weather tells me but I don’t know if believe in my heart that summer is over. It just, I don’t know, went by.

Christie: I feel like I just kept waiting for it to not be hot and smokey, and then it became dreary fall, like all of a sudden. So now I’m like, “Where’s my light therapy lamp and its power supply?” I’ve got to find that now. In a way I’m glad that we didn’t have to talk about the Google memo though. Oops, okay.

Audrey: Yeah, I guess there’s been a few things in the news that we can kindly skip over knowing that people have heard more than enough about them.

Christie: Indeed. So, lucky for us we have not run out of security exploits to talk about.

Audrey: Seriously.

Christie: This one, they always come up with a good name, although this one is like I guess straightforward, KRACK, with a K, and KRACK attacks. I guess that’s sort of an-

Audrey: I guess there’s like a little cartoon to go with this? You know?

Christie: Well, there’s on, KRACKattacks.com, so I guess its kind of a wifi signal that morphs into a padlock and through that is a strange red arrow and then the lock is kind of shattered. But you mean more of a whimsical cartoon?

Audrey: Yeah, you know, I mean, you say KRACK attack and I think its gotta be some action comic, right?

Christie: And so that stands for, what do you call an acronym when they’re using words, letters not just at the beginning. Is it still an acronym?

Audrey: I think so.

Christie: So it’s Key Re installation Attacks, breaking wpa2 by forcing non reuse.

Audrey: I guess other ways they would just have KRA.

Christie: KRA, which is, what is that? This one was a little, I mean I get the sort of top level summary of the exploit. So basically okay … this is a vulnerability in the wifi protocol 80211i, which is wpa2, which was supposed to be sort of the standard for a well encrypted wifi network right?

Audrey: Yeah, it’s a step up from a previous standard that was discovered to have vulnerabilities.

Christie: And, this protocol requires a four-way handshake between the access point and the client, so between the router or the wifi access point and whatever device you’re connecting. That’s where the nonces were exchanged and things like that and its in the third step that the vulnerability comes in and basically a malicious actor could block acknowledgment of receipt. The third step is the access point sending more information about the handshake to the client and the client is supposed to send acknowledgment. It’s in blocking that acknowledgment that causes the access point to resend the message. When that happens the same key is reinstalled into the client and the packet number counters all get reset to zero.
This article says some implementations, like Android 6, the key gets set to zero, which doesn’t sound good. Okay, I’m quoting from this blog post here that we’ll link to in the show notes. It says “The implication is that by forcing the access point to replay this message, an adversary can cause acknowledgment connection to reset nonces and thus cause key streamer use in the stream cipher. With a little cleverness this can lead to full decryption of traffic streams.” And that can lead to DCP hijacking attacks.

Audrey: I feel like we should breakdown the details a little bit more. That’s a lot of security jargon.

Christie: It is. So, and I’m not sure I’m, I think on a lot of these terms I have a general sense, like in this blog post there’s this diagram from Wikipedia that has a lot of jargon in it. Like an a-nonce and an s-nonce, plus some MIC, so where is a good place to start do you think?

Audrey: Well, just step back to the actual interchange right? It’s talking about a client and, what do you call the router in this case, the access point?

Christie: Yeah, access point.

Audrey: So the client and the access point and it says that it only applies on secured access points, like ones with patchwork, which is pretty interesting to begin with, that maybe an open access point isn’t vulnerable just because it doesn’t go through the handshake?

Christie: Well, right, but isn’t an open access point readable anyway?

Audrey: Yeah, I mean I guess, I don’t know, I’m just thinking, they kind of get into two layers of this right? Whether its open web traffic or encrypted traffic you know? Like http versus https? So, it wasn’t clear to me just reading through, does this effect eavesdropping or just a compromised access point?

Christie: So in the process of a client, whether it’s a laptop or a phone or whatever, connecting to the access point, there’s a multi-step process whereby they establish an encrypted connection right?

Audrey: Mm-hmm (affirmative).

Christie: And wpa2 or 80211i that’s a four-way handshake?

Audrey: Mm-hmm (affirmative).

Christie: One, two, three, four and do you know how to explain each of the steps?

Audrey: Well the first one is when the client says “Hey access point, I’ve got your password, right?”

Christie: I think so although in this diagram the first arrow is going from the access point to the client.

Audrey: So maybe that first step doesn’t even count as part of the handshake?

Christie: That’s what I don’t know.

Audrey: Because after that the access point says “Hey client, here I am” right?

Christie: What I’m trying to figure out is this four-way handshake, what part in the whole establishment of connecting is that? Is it already past that point. Let’s see what Wikipedia says. wpa2 –

Audrey: When we talked about cryptographic handshakes before, right, with SSL, the way that it works is that they had to negotiate transmission, not encoding, what’s the word I’m thinking? They had to choose which standard they were going to use right?

Christie: Right, which I don’t think is encapsulated in the four-way handshake.

Audrey: Yeah, I don’t know. I guess a lot of this is being written assuming we understand how clients connect over wifi.

Christie: Right, which is, because there’s another layer on top of TCIP, so it gets really complicated

Audrey: Well I mean I guess we know what step three is because that’s the vulnerability. We know that the client tells the access point it has the password, the password verifies that that password is correct, right? And it sends a message back. The client then starts the handshake, or continues to handshake, that part’s not clear to me. I think this is when the key exchange happens right?

Christie: I lost the tab with the diagram. I wish he had linked to this diagram. God, here’s a paper on it.

Audrey: It’s funny because it just was announced this week right? Like Sunday night, Monday morning, and I think we’ve both been looking at kind of the same links and I haven’t seen the level of description that I think we’re aiming for here. So that’s kind of interesting you know. We’re trying to dig that information out of what’s been posted. This has had such a wide impact, this isn’t just something that’s of interest to crypto nerds right?

Christie: I just found this, I think I just searched for a-nonce wpa2 or something, and here’s an article from the end of 2015 that actually I think does a little better job – I’ll send it to you here – with the overview of the process.

Audrey: Okay.

Christie: During the authentication process the supplicant, which is the client, and the authenticator, the access point, each attempt to prove that they independently know the pre-shared key, PSK pass phrase, without disclosing the key directly. I think the PSK is like “Hey, what’s your wifi password?”. I think. This is done by each encrypting a message using a pairwise master key, PMK, that they have generated transmitting each way and then decrypting the message once they’ve each received.

Audrey: Okay, this is a little bit like the SSL handshake then. Where they basically pass a message and say hey, these match what you’re expecting.

Christie: Yeah, they each try to demonstrate what the secret handshake is.

Audrey: Again, without transmitting that piece of information.

Christie: Right.

Audrey: Okay, so then we get this four-way transient key that’s their established key for communication.

Christie: Right, and it says which is comprised of the fine concatenated data. Pairwise master key, authenticator nonce, so I think that’s the a-nonce, supplicant nonce, I think that’s the S-nonce in that diagram, authenticator MAC address, supplicant MAC address.

Audrey: Is a nonce basically like assault here?

Christie: That’s how I understand nonces, like a non-reusable token? Is it a part mount too? This segment has become our ‘figure out how things work’. It says in cryptography, nonce is an arbitrary number that may only be used once.

Audrey: Okay.

Christie: It is similar in spirit to a nonce word, hence the name. What is a nonce word? It is a lexeme created for a single occasion to solve an immediate problem of communication. I’m not going to click on lexeme because we don’t need to fall down the rabbit hole. Okay so now I’m going to flip back over to this chart. So the access point sends the authenticator nonce …
So this four-way handshake, the authenticator nonce, the supplicant nonce, plus the MIC which I just looked up and now I forget what it stands for, they’re exchanging information to create the key that they’re going to use to encrypt information for that session. Okay I think I understand that part

Audrey: Yeah, I’m starting to see how this fits into systems that we’ve talked about before so that’s really helpful. This older page that you sent me, it talks about how step two actually has a security vulnerability as well. Maybe not a very practical one but it says that by step two an attacker could’ve intercepted that the handshake was from a password cracking attack.

Christie: What’s the GTK? That’s one thing I haven’t …
Okay so if they block the acknowledgment then the access point re-sends a piece of information, that’s bad in and of itself because anytime you have key reuse you can potentially break the cipher right?

Audrey: Right, yeah.

Christie: And I don’t quite understand how that works mathematically, I just know that its a thing.

Audrey: Randomness and predictability are opposite directions. I know that randomness creates security and predictability creates insecurity because you have a way of analyzing how you got that result.

Christie: Right it creates patterns that can then derive with the encrypted information loss. Then to add to this, certain client implementations of wpa also reset the key to zero, which sounds even worse, because then it’s a known thing, if its zero.

Audrey: Yeah, they specifically call out Androids and Linux, they think this can have the biggest impact.

Christie: They say “exceptionally devastating “.

Audrey: Although they followup by saying that there are more ways that MAC [inaudible 00:19:31] and open BSD can be targeted. That they can know originally.

Christie: Okay so there’s a lot more detail that probably doesn’t make sense for us to go over here but one of the things that I thought was interesting about this is what it reflects about the standards process right? The complex nature of testing protocols in a verifying that an implementation of a protocol standard does what we think it does and doesn’t have security vulnerabilities?

Audrey: There’s a thing that they say up at the top about how there’s some parts of this that maybe had been recommended right? Like the most secure way to do it was a recommended thing in this standard but not an enforced part of this standard. It lets the standard loose enough to be insecure in these ways.

Christie: And one thing I didn’t realize, because I am sort of used to web standards, which are much more open process, but apparently IEEE, which is the organization that governs the wifi standards, that’s a closed process. The specification isn’t even made public for six months after it’s adopted.

Audrey: Oh. So who participates in that process? Like Cisco and –

Christie: I did not get that far into it.

Audrey: Even with web standards they’re generally, the main participants are companies that benefit from the companies that will be implementing them.

Christie: Yeah, that was my guess too I just didn’t look it up. This article also says that IEEE standards are poorly specified, there’s no formal description of the 80211i, wpa2 handshake state machine. This means implementers have to implement their code using scraps of pseudo-code scattered around the standards document.

Audrey: So like you said, even proving that the standard was implemented correctly could be very difficult?

Christie: Exactly. So the argument this thing is making is that basically we need to figure out how to formally verify these implementations of these protocols, which is something we’re just beginning to even figure out how to maybe, possibly do.

Audrey: Well, in terms of mitigating this particular attack, it seems like its implied that both access points and clients should be updated? The clients maybe to enforce a stricter version of the standard and the access points to maybe not be hackable in this way?

Christie: Yeah, that was my understanding. Note that if your device supports wifi it is most likely affected.

Audrey: Yeah, when they said this on Sunday night everyone’s like “Give your assistant a hug now” because it’s very stressful to start your work week with this kind of information.

Christie: Especially because we talk about all the time how many internet connected devices there are and the vast majority of them, we have no ability to update ourselves.

Audrey: Yeah and that is something that I saw pointed out early on too that it’s these sort of internet of thing type devices claim to be the ones still sitting there, vulnerable, and not getting updated and continue to provide that vulnerability.

Christie: So then they talk about https provides a layer of protection but that’s not like foolproof or whatever.

Audrey: I’ll have to read up on that later. I’m curious about the specific vulnerabilities.

Christie: This stuff is just so complicated.

Audrey: Well sure, we’ve spent like ten minutes trying to figure out how the attack actually breaks down.

Christie: It is interesting to me that a lot of the articles start with … its like they are all written for other security professionals or other people with significant understanding of how wireless networks work.

Audrey: And the more mainstream coverage will basically be like “There’s a major vulnerability. No you can’t do anything about it. Companies are working to change that.” You won’t really get an explanation of where that vulnerability comes from or like you said this is a part of the standards process, this is a part of the implementation of those things. Those are aspects that we all have a stake in, but we’re not necessarily given access to understand that.

Christie: I think that one of the main things that keeps me paying attention to this is we are doing this podcast so, I’m like “Oh, I’ve gotta bookmark that so we can talk about it” but otherwise, do you think most people are like “Again” and then kind of move on?

Audrey: Mm-hmm (affirmative)-I do, yeah. I just think that we’re learning to live with a lot of insecurity and to not think about it unless it hits us personally. I think, like financial fraud, identity theft, its not even in the news that much anymore.

Christie: Or things like Equifax breach and then “oh” the IRS is gonna use Equifax to provide some part of their identity system. I couldn’t even bring myself to click on that one.

Audrey: Yeah I mean there’s just stuff like that where its funny because there’s so many cracks in the system, in these kind of systems, and yet we haven’t had the major global collapse that would make everybody go “Oh yeah, that’s serious. As long as it doesn’t affect too many people at once and it doesn’t affect us, then we just kind of keep shoving that off to the side. There isn’t an organization we can go to for all of these things together that is going to try to take action to increase regulation or even just cohesively expose more of it. It’s all sort of split up.

Christie: And I think its not something that the … it sort of comes up in terms of regulation which is being dismantled and then consumer protection which is becoming harder and harder for non-governmental organizations to do because they have so much work to do.

Audrey: Some of this stuff is genuinely complex like we’re talking about.

Christie: I think to me that’s why I am as invested as I am in technology education and why I want to talk about this stuff like on the podcast because you need a fair amount of technical knowledge to be able to sort this stuff out. And that’s one of the things that’s so interesting about the judge in the Oracle v. Google. It is Oracle v. Google right? You get the plaintiff first?

Audrey: Yeah and I think so. And then Waymo also.

Christie: Oh that’s gonna be interesting.
So the Honorable Alsup, assuming that’s how you say his name, I guess that’s not very ambiguous. So Sara Jeong wrote a pretty long piece about the judge who presided over the Oracle v. Google, Java API copyright infringement case, twice.

Audrey: I think he’s stuck with it.

Christie: We’ve talked about this before. Audrey, you sent this to me and said we should talk about it. What intrigued you about it?

Audrey: It’s interesting just in a bunch of different ways. It’s an extended profile of a Judge who is involved in a really big influential case that again, outside of people in software development, you might not understand how much this particular case matters. That also means that you may or may not know why it matters that the jury has nobody with a technology background and how it is kind of exceptional that there is a judge who’s seen these kind of cases, who is in the Bay Area, who just happens to be a lifelong nerd. He writes little, well not little some of them are quite extensive, BASIC programs including a bunch of stuff for HAM radio, he’s been into HAM radios since he was a kid or a teenager. It’s just interesting that he could’ve been an engineer and instead he got very interested in the law because he was concerned about justice. He’s strangely very qualified to be seeing these cases and to call out the bullshit that the companies are doing that the lawyers kind of try to do because they know that there’s a lot of ignorance.

Christie: The article talks about how he makes the attorneys, he forces them to understand what they’re talking about by asking for tutorials and reference reading materials and things like that. I thought that was interesting.

Audrey: He tries to go into it being as informed as possible on the specific technologies that are being discussed so that if they’re saying things that can’t possibly be factual or make sense, he can call them out.

Christie: None of this is by his legal training, it’s all just things that he’s been interested in throughout his life.

Audrey: Yeah and just kind of having the funny situation where he’s in the part of the country where he’ll see some of these cases.

Christie: I think its funny how much the article talked about the nine-line range check function and how the judge basically said “You’re fixating on this and its not important”. I’ve written very similar functions in quickBASIC”. “It’s the kind of thing I have done many times myself in quickBASIC”, he said, five years after that hearing.

Audrey: I don’t know. Just looking at the different legal decisions around this particular case and pieces of it, really shows you what a difference it makes to have that basic technical education and to have just done enough work that you know the difference between something that sounds very simple and something that actually is. Or something that sounds complicated and actually is.

Christie: It really shows how being a judge is somewhat of a unique profession or a different kind of profession in that you have to have a keen awareness of what you don’t know and the ability to learn that information in order to really be a good judge. It reminded me of SCOTUS right now or recently was … were they hearing one of the gerrymandering cases or was it a voting rights? I can’t remember but I saw little snippets here and there about where certain justices were really revealing their lack of understanding about sociological research methods?

Audrey: Oh yeah I remember something.

Christie: So I think this is an interesting case because it was really important that Judge Alsup brought his technical knowledge to the case but I think this is really important not just for cases about technical things but also other – I think to me it shows the complexity of our society.

Audrey: Yeah and how maybe we’re treating things as very specialized kinds of education when we shouldn’t be because just the collective impact is so big. Like maybe everyone should understand something about algorithms and something about data analysis and something about the implementation of software. We would just have a more functioning and safer society with those things .

Christie: And I feel like it’s those “integrated” studies, which is something I fell into in college by accident, but I look back now and realize … I took a history of physics course and I think that you can get through a whole science education all the way through PhD without ever really learning about the history of your field and you’re missing so much context without that information.
But I also think that it’s one of those things that really gets derided right? Mixing the hard sciences with liberal education or whatever.

Audrey: Yeah, I mean, it’s just more of that hard versus soft stuff that the more I look at it, the less it makes sense to me in terms of how things are divided up. Software technology is just open to interpretation so much more [inaudible 00:35:19].

Christie: I like that we now know his call sign. I wonder how many people have read this article and then now try to find him on shortwave?

Audrey: Probably, yeah. Getting my HAM license is still on my to-do-list, something I’m hoping to do for the winter maybe.

Christie: Yes, I bought my study book months ago. I gotta go find it, I don’t know where it went.
There’s a bit in here where he talks about having the IBM machine in the mid ’80s and wanting to program it and looking at the DOS reference limitation and then BASIC and he decided to go with BASIC. I think its probably the exact same bright blue, well the binder that it came in was gray but the first sheet is a cyan blue manual. I think its the same thing that I learned BASIC from, not the same years, couple years later. That kind of made me smile. I recently went and bought myself a copy of that on Ebay just for the nostalgia factor.

Audrey: That’s cool.

Christie: Yeah this same judge is hearing Waymo versus Uber, that’ll be really interesting. Again, he issued a court order for them to provide reading material to learn about the issue and he was very clear about “I’m already familiar with BASIC, light and optics involving lens such as focal links, the non-linear nature of focal points below us”.

Alexa: Sorry, I don’t know that one.

Christie: Sorry, that is now muted. I don’t know what I said that triggered that.
His technical knowledge isn’t just about programming, he’s been a lifelong geek.

Audrey: Did Amazon just try to interrupt our conversation?

Christie: Yeah, I triggered the dot on my desk. I tried to remember to mute it before but I didn’t. I’m not sure what I said that, this happens, it’ll butt into my conversations with Cheri too and we’re like “Shut up, we’re not talking to you”.

Audrey: I thought his disclaimer on the Waymo/Uber stuff was really funny because, especially because reading his profile you understand, this is somebody who sat down and did his own radio contellations. The radio transmission calculations to find out when it would be best to contact different places. He’s already got some understanding of physics.

Christie: I thought it was really interesting how he’s written all these, I mean someone might poo-poo BASIC, but he’s written these really complicated programs and he’s done it pretty much isolated from anything that we, and certainly people younger than us, would consider the programming community. Like he didn’t know what GitHub was. He doesn’t google for answers to programming questions. That was interesting to me just in terms of, again that viewpoint, on what it means to be a programmer or to have technical skill. I think all of us has heard “Your resume is your GitHub profile” and you realize just how short sighted that is.

Audrey: Right yeah. Its sort of dated but this is how a lot of hobbyists have performed over the years. The other stuff that we’re talking about and you see is pretty recent

Christie: I like that he emailed Sarah after the interview concluded to say that he found the bug in the program he was demoing. Okay.
Well let’s hope he stays on the bench for a while yet.

Audrey: Yeah, I think these cases need him.

Christie: He’s doing a certain amount of mentoring. It talks about his clerks and looking for clerks with technical skill.

Audrey: And how some of his opinions just by really explaining how he comes to those conclusions and the kind of reading and analysis that’s required to, he’s providing education just even in a broader way. She says a couple of times that are courses that are being taught that rely on this work so that new lawyers know something about what they’re looking at.

Christie: It also kind of flips this age ism issue that we have in tech. It really kind of flips that too? I think he’s in his 70s and it’s his longevity and his life experience that are allowing him to make an impact in these ways. Right?

Audrey: It’s pretty cool. I enjoyed briefing this and just learning a little bit more about what was going on there.

Christie: This shirtless picture of him when he’s really young in front of the HAM radios is kinda funny too.

Audrey: Yeah.

Christie: So I don’t know about you Audrey but if you paid $25 million for a database would you wanna know how to back that database up as part of that $25 million?

Audrey: Yes. [crosstalk 00:41:11] I can’t imagine spending that much money on a database but …

Christie: NYPD, city of New York, apparently has and to make it even more interesting, this is a database that collects their information civil …

Audrey: Civil asset forfeiture.

Christie: Yes, that’s a much better way to say it. So this was just a little thing that came across my Twitter feed and I find it mostly because the interest and momentum around civic tech and civic data and open data kind of ebbs and flows. I feel like we’re in an ebb right now, I don’t know maybe people are just distracted by all the other ridiculous stuff going on.

Audrey: I think that there were a lot of projects that wound up at the same time that have kind of trailed off too. So there’s still things going on but either they’re more embedded and there’s less of that new shiny.

Christie: I feel like, I don’t know if this goes into the nobody wants to do maintenance. Its not just about implementing that thing but continuing to use it and shepherd it. There’s a group Bronx Defenders that basically asked for data about forfeitures or assets that NYPD seized and the City Attorney has been arguing that NYPD lacks the technical capability to extract the information from this $25 million dollar database.

Audrey: Which sort of makes me wonder if its actually a database.

Christie: Right and so there’s also an issue if they can’t access it then they’re probably not backing it up correctly. I mean if you can’t access the original copy of your data you probably can’t access its backup either.

Audrey: Probably not.

Christie: There’s not a lot in this article I just thought it was interesting.

Audrey: They don’t tell us what database software this is built on?

Christie: Other than its DB2. But we can’t make any mongo DB jokes about it.

Audrey: Well no I mean I was going for Oracle because its really expensive and doesn’t do anything? The article that you have does talk to a consultant who works in this area saying that it is probably possible to skip the front end software and just get at the database [inaudible 00:44:13]. Again like if its a database and they didn’t delete it, I would also expect that to be true.

Christie: Right so did they write an incomplete interface so they presumably they’re putting information into this database? Did whatever front end they’re using just not show the records?

Audrey: This is possible. I have used some of those kind of front ends. If they didn’t pay for ongoing development then they probably don’t have anybody with the expertise to change that interface.

Christie: Okay. Good times.
It would be interesting to see if we can keep an eye on this and see what they eventually figure out. I’m hoping it doesn’t involve another $25 million dollar contract. [crosstalk 00:45:17]
You’ve got to think if this is happening in, this is a pretty specific case, NYPD New York is big right? That’s still a very specific application. You’ve got to think that this kind of thing is happening all over.

Audrey: Probably yeah. I think this goes back to something that we’ve talked about before too that we rely on a lot of infrastructure that really doesn’t have any forward development plan. It doesn’t have a maintenance plan. It doesn’t have anybody asking pesky questions. It took a group of lawyers and activists to say “Well, we’d really like to know what’s actually happening with the money, the assets that you’re taking from people”. For somebody to notice that there was a problem here.

Christie: Right and I think we’ve both had the experience of being the person in the room that’s like “Excuse me, how do we get the data back out of this?”. Then you don’t have a job later on or people ignore you.

Audrey: What if this thing breaks? What if it doesn’t work exactly like we thought? Yeah, and an organization might not have anybody who’s asking this question, it’s not the default.

Christie: Right, because its not incentivized. It’s not rewarded. At least in my experience.

Audrey: In my experience its tolerated up to a certain point but if you interfere with the vision that everyone has for what’s going on then probably they’ll tell you to drop it.

Christie: Nobody wants to Debbie Downer on their team.

Audrey: Or just to be told that their idea is inherently bad and wrong and they should start over.

Christie: Right. Speaking of which, I’m not sure it’s exactly Facebook’s vision to ruin our democracy but they seem to be doing a good job of it. Maybe this is why 20-year-olds shouldn’t get to run billion dollar companies. [crosstalk 00:47:29]
This is not the first time we’ve talked about Facebook. I don’t remember what the last thing is that we talked about, if it was hiring, they were sort of creating a volunteer program to identify fake news, something like that.

Audrey: It might have been the end targeting the housing advertising that allowed racial categories.

Christie: Right okay, so I don’t think we recorded at all during the summer but there’s been like incremental things coming out about Facebook’s platform and how various agencies and groups have been able to use the platform to create a significant amount of influence. This is of course after Zuckerberg swore up and down how ridiculous it was, that that was even a possible thing.

Audrey: Because of course Facebook, even though what 70% of the population uses it or something. Facebook clearly has no impact on how we vote.

Christie: So groups like ProPublica and I’m sure others have stayed on top of this. One of the things that they found out is that the way Facebook’s ad targeting works … we talked about the being able to selectively target housing ads, specifically along racial lines which is not okay. Then ProPublica discovered that you can basically target anti-Semitic ad categories to people who are anti-Semitic. Want to market Nazi memorabilia or recruit marchers for a far right rally? Facebook’s self-serving ad buying platform has the right audience for you. It seems like this is one of those things where you could look for like a generic string in a profile or something like that. Do you remember if it was – it wasn’t that Facebook gave you a checkbox saying “Jew Haters” –

Audrey: Oh no, you could look at clusters of interests and put this together.

Christie: Facebook enabled advertisers to direct their pitches to the news feeds of almost 2300 people who expressed interest in the topics of “Jew Hater”, “How to Burn Jews” or “History of why Jews ruin the world”. They tested this, yeah. So Facebook did something to offset this once they were contacted but I think it kind of shows an additional layer of problematic usage that Facebook enables.

Audrey: Yeah and I mean back to that scale issue you know? A newspaper might have taken hundreds of ads or something, so you could have one or two people just check over every single one for this kind of stuff. Newspaper is never as targeted. Facebook wants to, because it’s an advertising driven business like Google is, a lot of things that we rely on, they want to do this at the biggest scale possible and they just aren’t allocating resources appropriate to that scale. It is a self-service platform. They only add restrictions and checks on this stuff when somebody points out a problem. It’s treating all interests equally.

Christie: Oh I’m wrong about the, they actually … Facebook’s algorithm automatically transforms people’s declared interests into advertising categories. So it’s not check boxes but it’s a drop down.

Audrey: Okay.

Christie: Like demographics, education, field of study. Wow.

Audrey: Again its just automatically assembling that from assuming that the data is neutral right? That it’s all the same kind of thing. Puppies and kittens are equivalent to anti-Semitism.

Christie: It’s hard for me to believe that they have no ability to do sentiment analysis or to identify these certain things right? Remember the experiment they did on everyone a couple years ago right?

Audrey: There’s been some more recent stuff too about them experimenting with people’s news feeds and yeah how it impacts their behavior. So yeah, I mean obviously they have the tools for this in general, their ways to handle this. Even if there are hundreds of categories that show up on those drop downs, that’s still something that you can pay people to look at against a checklist of what’s appropriate and inappropriate before they become live for advertisers.

Christie: Then I feel like another big thing that happened was that, I don’t remember who tracked this down but, someone figured out that there was a good bit of advertising, a hundred thousand dollars worth of ads placed during the 2016 Presidential election by inauthentic accounts that appeared to be affiliated with Russia.

Audrey: Looking at the amount of this and the scale and the bias in it, that whole thing about how it’s just really strange to think that Facebook could have an impact here. It doesn’t make sense.

Christie: Each time one of these happens like this post directly from Facebook about is says “We don’t allow inauthentic accounts on Facebook and as a result we have since shut down the accounts and pages that we identified that were still active”. Damage already done right? You did allow, you did allow the accounts.

Audrey: That makes it sound like they’re just bringing it back to the real names policy instead of addressing what’s actually going on there. Inauthentic just means those weren’t separate people.

Christie: It’s weird to me that sort of claim that they didn’t know who they were doing business with. To me that’s a fundamental tenet of good fiduciary practice right? It feels like it’s one more way that Facebook just “Oh, it’s the computer, it’s the algorithm”.

Audrey: Instead of thinking that traceability and accountability might be really important.

Christie: And that they made a decision to not pay attention to that. That’s not okay.
So that’s a downer. What lifts me back up a little bit is that people are paying attention to this and applying pressure and one of them is ProPublica. They are in part to offset a “We don’t know” from Facebook they’re crowdsourcing, collecting information about the ads that are displayed. So they’ve got browser extensions for Chrome and Firefox to collect this information.

Audrey: There’s a really direct way that people can help ProPublica track what’s going on.

Christie: Also says “One benefit for interested users is that the tool will show them Facebook political ads that weren’t aimed at their demographic group and they wouldn’t ordinarily see”.

Audrey: Which seems like it could be pretty interesting and eye opening.

Christie: Every now and then I will sort of follow a hashtag or I’ll be looking at someone’s replies on Twitter and I’ll see sort of MAGA people right? It’s really eye opening, like how? How is that your point of view? It doesn’t give you a sense of how widespread it is.

Audrey: Sometimes the stuff that I see seems sort of knee jerk that I start to wonder if it is just another bot kind of thing or somebody who is paid to spam this stuff.

Christie: Right. So one of the things that Facebook has said that they will start doing is requiring political advertisers to disclose which page paid for an ad. This is something that in 2011 they spent a lot of time arguing with the Federal Election Commission that they couldn’t do because it was inconvenient and impracticable to include disclaimers in political ads because the ads are so small in size. The commission was too divided to make the decision on Facebook’s request for an advisory ruling so they were deadlocked.

Audrey: Because they can’t decide if Facebook’s bullshitting them?

Christie: Because the ads are so small in size. Really? Really Facebook you cannot solve that technical issue?

Audrey: With all their resources. Technical, and it’s a decision issue, they undoubtedly put in that level of tinkering on so many other parts of the site. It seems like they’re trying to do just enough to stay out of real trouble and just enough that people don’t go and try to burn them to the ground. It’s not proportional to the kind of damage that’s being done. Not at all.

Christie: No. This is a company that needs to be regulated and I just … it says that now that they’ve dropped their objections to adding disclosures but just revealing which page opened the ad doesn’t tell you what the source of money is behind the page.

Audrey: In TV advertising they have to say what PAC paid for it right?

Christie: And then you can go look up … now Super PACs are another issue, if that’s C4 or whatever it is.

Audrey: Yeah there’s lots of ways that it can be obscured but at least you can go find out what organization is this?

Christie: Right, and I think it’s still a little harder to funnel foreign money into those Super PACs, I don’t know, maybe people have figured it out. I’m pretty sure it’s against US law that foreign entities can buy political advertising. I’m pretty sure that’s not a thing we allow.

Audrey: It doesn’t seem like a thing we would want, especially with what’s happened this last year. Can you imagine, back to TV advertising again, if a TV ad ran that said “Russians for Candidate”. You would think that it was just a joke named for a PAC, right? Or if it said “Paid for by the Government of Estonia”, you’d be pretty upset about that, that would be pretty inappropriate.

Christie: Facebook is a tech company.

Audrey: And so it’s not a media company, they [inaudible 01:00:56]. Advertising, I don’t know, advertising should be advertising. Why is newspaper and TV media advertising different than web advertising in general? Why should those have two sets of political regulations?

Christie: Right, the arguments from Facebook feel very intellectually dishonest.
Well, there’s gotta be something good on the internet that we like.

Audrey: Maybe.

Christie: I have to look at my favorites again. I know I had something. Or likes, oh wait what did they used to be called, favorites?

Audrey: Yeah.

Christie: Emergency kittens has an amazing photo, this cat must have been standing on glass or something because it’s from underneath, this very foofy cat, here I’ll put it in the ether pad we’ve got going. That’s a good one. I have to grasp at straws here or whatever. I still continue to be amused at the ways that people use social media in novel ways. I don’t know if you saw this tweet going around but it says “KFC follows 11 people. Those 11 people? 5 spice girls and 6 girls named herb. 11 herbs and spices. I need time to process this.”

Audrey: I did see that.

Christie: I try not to do brand’s advertising for them but I couldn’t help but favorite that one because I thought it was just so clever.

Audrey: I just opened the kitten, this is great.

Christie: Isn’t that an amazing photo?

Audrey: Cute little paws. Yes.

Christie: Right, it’s got to be on like a piece of glass. I started thinking about how I could replicate it.

Audrey: I don’t know do you have a –

Christie: I’d have to go get. I’d probably go up to Tap and get a piece of plexiglass or something. I don’t know. With the bulldog is young enough still that we don’t need more highly breakable things around.

Audrey: Keeping it clean seems like the tricky part.

Christie: Yeah, glass is a pain in the butt to clean streak free.

Audrey: And fingerprints would kind of get in the way.

Christie: Anything you like on the internet this week?

Audrey: Yeah, my friend Laura who is also a Recompiler contributor, has a newsletter called ’31 days of Halloween’ and every night she just sends out another set of links and interesting things and there was one earlier this week that was an example of creepy pasta.

Christie: Creepy pasta?

Audrey: It’s a looping creepy story basically.

Christie: Okay.

Audrey: It’s I don’t know, it’s just really good and the stuff that she’s been putting together is a lot of fun and there’s yeah, always silly dancing pumpkin .gifs.

Christie: Nice. Will we have a link for that in the show notes?

Audrey: Yep.

Christie: Alright, well, we figured out how to do the podcast again.

Audrey: Yay!

Christie: We’ve got lots of cool stuff coming up including our first telethon.

Audrey: Should be very exciting.

Christie: Should be very exciting. I’m gonna have to do some vocal warmups so I can do my tongue twisters. That’ll be on the eleventh and we’ll have links in the show notes and on the Recompiler website. Any other teasers you want to give Audrey?

Audrey: Well, we’re about to, the telethon is part of the Kickstarter we’re about to launch in just a few days so it might already be going by the time this podcast is out. We are getting ready for year three of The Recompiler, our next four issues, and we’re kind of throwing a party online with a lot of fun stuff and ways that people can support The Recompiler and get some cool rewards.

Christie: Awesome. I’m looking forward to that. Alright thanks Audrey.

Audrey: Thanks Christie.

Christie: That’s a wrap! You’ve been listening to The Recompiler podcast. You can find this and all previous episodes at recompilermag.com/podcast, there you’ll find links to individual episodes as well as the show notes. You’ll also find links to subscribe to The Recompiler podcast using iTunes or your favorite pod catcher. If you already subscribe via iTunes, please take a moment to leave us a review, it really helps us out.
Speaking of which, we love your feedback. What do you like? What do you not like? What do you want to hear more of? Let us know. You can send email feedback to podcast@recompilermag.com or send feedback via Twitter to @recompilermag or directly to me, Christi3K. You can also leave us an audio comment by calling 503-489-9083 and leaving a message.
The Recompiler podcast is a project of Recompiler Media, founded and led by Audrey Eschright, and is hosted by yours truly Christie Koehler. Thanks for listening.