Download: Episode 56
This week Audrey and I chat about recent autonomous vehicle fatalities, consequences of arbitrary file storage in Bitcoin’s blockchain, the OIG’s report on the FBI’s statements about their iPhone hacking capabilities, and more. Enjoy!
Show Notes
- [00:51] Heartifacts – Use the code media-RECOMPILE for 20% off registration
- [02:03] The Responsible Communication Style Guide is headed back to the printers!
- [03:00] Uber settles with family of woman killed by self-driving car | Technology | The Guardian
- [06:26] Exclusive: Arizona governor and Uber kept self-driving program secret, emails reveal | Technology | The Guardian
- [23:13] Child abuse imagery found within bitcoin’s blockchain | Technology | The Guardian
- [23:40] A Quantitative Analysis of the Impact of Arbitrary Blockchain Content on Bitcoin (pdf)
- [33:19] Who and What Is Coinhive?
- [40:14] Android Monero-Mining Malware Can Cause Device Failure
- [42:11] Microsoft to ban ‘offensive language’ from Skype, Xbox, Office and other services
- [44:32] Sex Workers Say Porn on Google Drive Is Suddenly Disappearing – Motherboard
- [48:43] A Special Inquiry Regarding the Accuracy of FBI Statements Concerning its Capabilities to Exploit an iPhone Seized During the San Bernardino Terror Attack Investigation (pdf)
- [58:44] ASL Cooking Show – YouTube
- [1:01:01] How to use Sieve | FastMail
Community Announcements
The Responsible Communication Style Guide is headed back to the printers!
When we sold out of print copies of The Responsible Communication Style Guide last fall, we promised to do another print run in early 2018. We’re happy to announce that we’re ready.
If you’ve been waiting to pick up a printed book (or enough for the rest of the office so they stop filching your copy), this is your chance. Order now!
Now Broadcasting LIVE most Fridays
We broadcast our episode recordings LIVE on most Fridays at 10am PST. Mark your calendars and visit recompilermag.live to tune in.
We love hearing from you! Feedback, comments, questions…
We’d love to hear from you, so get in touch!
You can leave a comment on this post, tweet to @recompilermag or our host @christi3k, or send an email to podcast@recompilermag.com.
Transcript
CHRISTIE: Hello and welcome to The Recompiler, a feminist hacker podcast where we talk about technology in a fun and playful way. I’m your host, Christie Koehler.
Episode 56. This week Audrey and I chat about recent autonomous vehicle fatalities, consequences of arbitrary file storage in Bitcoin’s blockchain, the OIG’s report on the FBI’s statements about their iPhone hacking capabilities, and more. Enjoy!
I guess we should just get to it.
AUDREY: Yeah.
CHRISTIE: You got some announcements for us, Audrey?
AUDREY: I do, yeah. We are a media sponsor for an upcoming conference called Heartifacts. It’s about intimate and important conversations that we as software professionals need to have about mental health, communication, and our community involvement. And so, in addition to just telling you about it, they actually are offering a discount code. But the conference is happening October 20th and 21st in Pittsburgh this year. And you can use…
CHRISTIE: October or April?
AUDREY: April. What did I just say?
CHRISTIE: October.
AUDREY: Alright, let me start over. Okay. So yeah, Heartifacts is happening in Pittsburgh April 20th and 21st. And you can get 20% off registration for the conference using our code, which is media-RECOMPILE. It’ll probably be easier if you read it. But we’ll have it in the show notes.
CHRISTIE: Awesome. media-RECOMPILE. 20% off, that’s a good deal.
AUDREY: It is, yeah. Yeah, and I heard about this conference a few months ago and it just seemed like a really great theme and I hope to hear more about the talks.
CHRISTIE: Cool. And we want to mention the Responsible Communication Style Guide.
AUDREY: Yes. We are still taking orders, pre-orders, for the second printing of our book, ‘The Responsible Communication Style Guide’. We have a couple more weeks hopefully to hit our minimum. We need about 50 books to be able to do the full batch. And so, we’re just part of the way there. But if you’ve been thinking about picking up more copies for your workplace or for a school program, something like that, bigger orders definitely help get us there. And you can always email us at info@recompilermag.com if you want to talk about invoicing or bulk shipping or things like that.
CHRISTIE: Cool. So, RCStyleGuide.com for more info. And of course, we’ll have the link in the show notes. Alright, let’s get to it.
So, this happened a little bit ago, but there was so much news and then we both got sick. We kind of, it got a little lost in the shuffle. But Uber had an incident with a very not good outcome with one of its autonomous vehicles in Arizona. And they killed someone walking their bicycle. And did you watch the video of the crash?
AUDREY: I did watch the video, yeah. The one I watched, and hopefully this is the version everyone has, doesn’t show the full impact. But just to the point of the crash. Yeah, and we have both outside and inside the car.
CHRISTIE: And it kind of switches back and forth between the view on the driver and the view outside of the car.
AUDREY: I think maybe what I saw had the one after the other.
CHRISTIE: Okay, yeah. That might be true. At first I wasn’t going to watch it. And then I did for some reason, and it was okay.
AUDREY: Yeah. I feel similarly. And I think I just really, I try not to watch violent videos in general. And I really wanted to understand the circumstances a little bit better than I felt like any of the written descriptions I had were telling me. And so yeah, for that reason, I’m glad that I did.
CHRISTIE: Did anything in particular stand out to you?
AUDREY: Yeah, a couple of things. One of them I think has been commented on a lot, which is that the driver definitely was not looking at the road at the time that the accident happened, and does not appear to have been paying close attention to the road in the seconds leading up to it. And the other thing is that the woman who was killed is walking her bike. And as a non-driver, I feel like this comes up on the podcast a lot, I don’t drive. I do walk a lot. I’ve recently started riding my bike again. And when I’m out on foot at night, often if I see a car coming, I run. And so, if I think that there’s any chance that they might get close to me or they might not stop, I will run through intersections. And so, it really struck me as just interesting that she’s walking. She seems to be walking calmly across the road. Which I don’t know her and I don’t know a lot about her pedestrian practices, but it just made me think that whatever she thought was going on, she didn’t see a risk. She didn’t feel unsafe.
CHRISTIE: Or didn’t have enough time to respond to it. It wasn’t totally clear to me if the road was completely straight. We don’t know what her visibility, what she could see.
AUDREY: That’s true.
CHRISTIE: And I know that I have a much harder time judging the speed of moving vehicles at night when it’s just two headlights, than I do during the day. And so, yeah.
AUDREY: What I was trying to say is that I overcompensate. And I know I overcompensate. And so, like I said, I don’t know how her comfort level was there. But it does make it seem like she didn’t feel like she was in an unsafe situation. And another piece of information that I read that kind of fit into that was that people, random people in Arizona, didn’t know this was being tested around them.
CHRISTIE: Right. And that, I added to the show notes after we talked this piece in The Guardian about how the governor’s office really made space for Uber to be there. And they kind of pushed back on it, “Well, it wasn’t secret,” but it also, it wasn’t really well-publicized.
AUDREY: Well, and her risk assessment, it couldn’t have included a really important piece of information – that there…
CHRISTIE: That there’s autonomous vehicles riding around? Yeah.
AUDREY: Yeah.
CHRISTIE: Yeah, and we already know that one of the things Uber does, and I don’t necessarily think this is unique to Uber, but that they – when they’re not outright flouting regulations, they cozy up to government and try to make inroads there in whatever way they can. They hired Obama’s former campaign manager, David Plouffe, something like that. And yeah, so part of what they do is they court local officials.
AUDREY: It reminds me a little bit of the discussion we had the other week about Palantir and New Orleans, that companies can have these ways of circumventing all kinds of oversight. And Arizona’s laws don’t really cover this situation anyhow. But there’s lots of ways to step around whatever kind of oversight might have made things visible, made concerns visible, and given people a chance to talk about it.
CHRISTIE: Right, yeah. So, Uber has settled with the woman’s family. That was very quick. I think that happened within days. And there was still, I don’t remember exactly where it was, but there was phrasing that still kind of gives me the chills a little bit when it says like – and it’s the same thing we see in other circumstances – but the car struck the pedestrian or the cyclist or whatever. As if there was no agency.
AUDREY: Yeah, local news will say this all the time. Like, an SUV killed a child on a bicycle. And you’re like, “It wasn’t the SUV.”
CHRISTIE: Right.
AUDREY: And our understanding of liability is that the driver is responsible. And I was trying to understand that a little bit more about this, too. Whether or not it’s still in the testing period, the driver must have some amount of – obviously I feel like they have a lot of moral responsibility. But they must have some legal liability here, if their role is to provide safety oversight.
CHRISTIE: Yeah. And I don’t know that that’s been worked out. One of the things that has been covered in this reporting is that both Uber and Waymo have at some point in the last couple of years, or more recently than that, gone from having two safety drivers to one. And one of the things that – I was watching that video and I was just thinking about, driving is already boring enough. Let alone when you’re relegated to an even more passive position. The more passive you are in an activity, the harder it is to maintain focus.
AUDREY: Yeah, absolutely.
CHRISTIE: And you can really see that with the driver. He’s kind of looking – he looks more like he’s going for a ride than actually operating the vehicle. So, I just thought that was interesting that it’s part of the standard to only have one driver.
AUDREY: Right. And I read a little bit more about the different practices that companies are testing with this, in terms of the safety drivers. Are they looking at the tablet? Are they looking at the dashboard? Are they able, I forget which one it was now, but one of them, they have an audio system built into the steering wheel. So that it doesn’t require looking away from the road to file a report, to say, “Hey, it ran into a bug,” as opposed to looking down away from the road to do it.
CHRISTIE: And it’s not just bugs. The way – I read that too and it was, basically if you have to intervene, you can then hit a button on the dashboard or on the steering wheel.
AUDREY: And say, “Hey, I had to brake. I had to steer.”
CHRISTIE: Right.
AUDREY: Yeah. Yeah, and that seems like a reasonable interface. And just in general, there must be a huge body of work on safety design, right? Like how to keep people’s attention doing this stuff. And it feels like another – the way that these really out there startups want to reinvent everything, it’s to avoid looking at that.
CHRISTIE: Another thing that stood out for me was, and I didn’t go so far as to verify this with multiple sources so I’m not 100% convinced of the veracity – but that Waymo is much further along in terms of the vehicles operating without needed intervention. They’re using some rating that’s like miles in between intervention needed. And Uber is struggling to reach the 1.3 miles or something. And the thing that made me question if I was really understanding the two statistics is that Waymo was reporting 1500 miles between or something, which just strikes me as…
AUDREY: A lot.
CHRISTIE: A really big difference, yeah.
AUDREY: Yeah. Maybe they’re doing longer highway tests. And so, they’re able to kind of – I mean, highway driving and in-town driving. Kind of different in terms of how regular or predictable they are.
CHRISTIE: Right, and how quickly you’re going to rack up miles versus having to – yeah.
AUDREY: But yeah, it did sound like this is one of the links that we have that Uber really is not doing very well in this competition between car companies to be the first one to get the technology out there.
CHRISTIE: I thought it was interesting. One of the articles had this bit about, I guess a lot of the companies are using NVIDIA graphics processors for their technology, which makes sense because those are used in all kinds of machine learning. But that NVIDIA’s also working on a self-driving technology. And one of the articles was like, “NVIDIA was very clear to distance,” like, “Uber is using their chips, not their autonomous driving system.”
AUDREY: Oh geez, yeah. Yeah, I missed that part. But that definitely makes sense. Like you said, GPUs are used for a lot of different purposes.
CHRISTIE: Including Bitcoin mining, which is why they’re so expensive. And I get annoyed about this every time I think I’m, “Oh, maybe I can build a cheap gaming computer.” No.
AUDREY: Probably not.
CHRISTIE: I think my thought was that it’s been so long since I did it, computers must be cheaper. And it’s no, computers really haven’t gotten cheaper. They’ve just gotten faster, like the baseline.
AUDREY: You get more for the same price.
CHRISTIE: Right. Yeah, so Tesla had a crash this week.
AUDREY: Yeah.
CHRISTIE: Or within the last week.
AUDREY: Yeah, we also wanted to talk about that, because it does seem to have involved the autopilot system.
CHRISTIE: Yeah. And I think that was where I read that they could tell the driver who died, their hands were not on the wheel in the six seconds before the crash or something. And they had several alarms. And I think that might have been where I read that drivers are supposed to have their hands hovering above the steering wheel, which I don’t understand how that’s possible to do for long periods of time.
AUDREY: Probably isn’t.
CHRISTIE: I never drive like that.
AUDREY: [Inaudible] like resting in your lap, yeah.
CHRISTIE: Yeah, which is not hovering above the steering wheel. Like, when I drive for long periods of time, I’ve got a hold of the steering wheel with one hand or both. But they’re still at rest. They’re like, holding onto the steering wheel in some way and some of the weight of them is – because if you’re just hovering above, you’re having to support the entire weight of your arms.
AUDREY: Well, somebody must have tested the relative reaction time on that. Like, how quickly are you able to grab the steering wheel to intervene?
CHRISTIE: Right. And I thought about that. That if they were just in my hands, six seconds is actually a pretty long time. Because if your laps are – if your laps are in your hands – if your hands are in your laps. Whatever, you know what I’m trying to say. You need, I know how long, but it’s not six seconds to reach. So, I just feel like there’s such a huge body of study of human attention and cognition and response to stimuli. I want to know where all that is in this research.
AUDREY: Yeah. Yeah, for sure. It isn’t just about getting the car to steer correctly. It’s about creating a car-human interaction that’s safe enough, right?
CHRISTIE: Right. Because there’s such a huge difference, categorical difference, between being a driver and being a passenger. Every now and then you get a passenger who’s like hyper alert and is basically backseat driving for you the entire time. But for the most part, that’s not how passengers behave. And I just, I don’t know how you maintain the categorical assignment of driver so that you can maintain the alertness, if you’re so passive. Anyway, I’m harping on that, but…
AUDREY: Yeah. No, there are some circumstances where I think passengers are more alert. I know that I was in a car once with some family members and everyone but the driver saw a deer. You know, because the person driving was just fixated on the wrong part of the road.
CHRISTIE: Right.
AUDREY: And so yeah, there are definitely circumstances where as a full-time passenger I pay more attention. But yeah, it’s nice to be able to talk and look out the window and not be…
CHRISTIE: Or sleep or yeah.
AUDREY: Sure.
CHRISTIE: I hear some people can actually read while they’re in a car. I cannot.
AUDREY: Yes. I can. Yeah. Well, and a friend of mine does, what do they call it, time-speed-distance rallies. And so, to be a navigator for that, you really need to be able to read in the car at different speeds while turning.
CHRISTIE: Yeah. I couldn’t do it. I can maybe get a few seconds to look at a phone and read texts, and that’s it, before I start to get carsick. It sucks.
AUDREY: Yeah. It doesn’t sound pleasant or very advantageous.
CHRISTIE: Okay. Anything more on the autonomous vehicles stuff?
AUDREY: Just, I’m still thinking about the liability issue and how if we’re expecting cars to be regulated effectively and every car company wants to go for this, they feel like this is a good future direction, then what we really should be expecting is something safer than current cars, current driving, right? For both the passengers and the bystanders. And I just – it really bugs me that there doesn’t seem to be a lot nationally that covers this, that Arizona is apparently so lax with the regulation. And that it just, I don’t know, it doesn’t seem like we have a system designed for this yet.
CHRISTIE: No, and I think it was the article on the Tesla crash that mentioned giving current statistics, autonomous vehicles are much safer. Like, how they have [many] fewer incidents. But I don’t think you can compare that to a time when there’s a lot more of them on the road.
AUDREY: And I mean, there are parts of Portland near me that have a very high rate of pedestrian fatalities. So, having vehicles that made things safer in that way would be a really big deal. But the kinds of changes that we’re looking for to get there aren’t about the cars. They’re about the roads. They’re about the safety of crossings. They’re about narrowing things so that people go slower. And you know, with the Tesla crash too, I don’t think we mentioned that the car went straight into a safety barrier that should have actually been quite visible for everything. So yeah, it’s a lot of different components.
CHRISTIE: Yeah, it was not clear to me how that happened, exactly. It looked like the sort of concrete barriers you see dividing highways. It did mention that the barrier was already damaged and its damaged state made the damage to the car even more. But yeah, so I don’t know if its damaged state means that there’s something else problematic about that section in the road. But the Guardian article didn’t go into it.
AUDREY: And you can’t have car systems that only work under perfect circumstances. Road maintenance is not a completely even and perfect system.
CHRISTIE: No, that’s one big thing I have noticed moving from one state to another and just traveling, is that municipalities have vastly different road upkeep.
AUDREY: Yeah, people talk about crossing the county line even, and seeing the difference. Or again, out in my part of town, we have side streets that aren’t paved. And so, there’s quite a bit of variety in terms of what you might encounter.
CHRISTIE: Oh, and weather and climate plays a huge role. Like, I was shocked at the seasonal degradation of the roads here when I moved here from California. We don’t get – at least when I lived in California in the bigger cities – we didn’t get the kind of giant potholes we get here towards the end of the winter. [Inaudible] due to rain and stuff.
AUDREY: Right, yeah. Because we get cold, wet weather. Yeah.
CHRISTIE: Yeah. So, okay. One other thing I’ll mention is that one of the articles mentioned that there’s sort of this – as far as having the safety driver intervene – there’s a threshold for safety and there’s also a threshold for passenger comfort. And I thought that was kind of interesting. Like, where that line is, especially as someone who gets motion sick very easy. How a person drives absolutely affects that for me. And so, being motion sick isn’t necessarily a life-threatening situation if it’s temporary. But it’s very unpleasant.
AUDREY: Well, and I mean yeah, how much do you want a car that makes you sick?
CHRISTIE: Right. Yeah, this happens to me just riding in taxis. It’s actually one of the reasons why I don’t like Uber. Because an Uber is much more likely to show up with a freaking SUV, which is higher up and is much more likely to give me motion sickness. Anyway, it also reminded me of a recent X-Files episode. I haven’t really been into the reboot, but do you know which episode I’m talking about? It’s the only one I’ve actually watched.
AUDREY: I haven’t watched any of the recent ones.
CHRISTIE: Well, I started seeing tweets about Scully’s vibrator and I was like, “I have to investigate this.” And I would actually encourage people, and I don’t know the name of the episode because it has some long – it looks like a hash of something – but it’s basically just, it’s just Mulder and Scully and autonomous devices. Basically going after them, because Mulder basically didn’t tip enough. But there’s a scene where Scully’s in an autonomous vehicle and it’s not a very pleasant ride.
AUDREY: Nice.
CHRISTIE: So, okay. Bitcoin? Blockchain. So, there’s this article in The Guardian: ‘Child abuse imagery found within Bitcoin’s blockchain’. It’s very short and it’s basically covering a paper that was presented at this conference which we have quoted from last year’s proceedings of this conference. And it reminded me. I was like, “Oh yeah, this is a good source of information. I should book this for later.” But I read through the paper. And basically, did you know that blockchain can accept not just information about financial transactions but arbitrary…
AUDREY: Arbitrary data? I did not know that until I read the Guardian article. Yeah.
CHRISTIE: And it can be like text or even files. And so, these researchers basically looked at the different ways it was possible to record arbitrary blockchain content that wasn’t about financial transactions and then went out and looked at the blockchain to kind of analyze how much of this arbitrary content was in the blockchain. And they tried to classify it.
One of the things I thought was interesting – the exact methods, I’ll leave people who really like technical stuff to go through that paper, because that was getting into the nitty-gritty. But the – I’m sorry, I’m scrolling down because I didn’t copy it into the notes. They actually gave numbers. So for one thing, this arbitrary data has substantially increased since about 2015. And it’s not a whole lot. It’s – okay, so ‘Table 2: Distribution of blockchain file types according to our content-insertion service and suspicious-transactions detectors’. So they were about, at 87% were text files, and that’s about 1400 files. And then about 150 images, 45 HTML pages, about 10 source code, and then a few archives, a few audio files, a few PDFs. And so, among – and then they looked at what the content was. They found copyright violations. So, there were some things that were intellectual property.
Sorry, software update message. Remind me later. I forgot how to turn those off.
Malware. So, they didn’t find actual malware. They said, “However, an individual non-standard transaction contains a non-malicious cross-site scripting detector. A security researcher inserted this small piece of code which, if interpreted by an online blockchain parser, notifies the author about the vulnerability.” I thought that was interesting. Privacy violations. So, they found someone’s wedding photos, public chat logs, emails, forum posts. The forum posts included discussion of topics of money laundering. They found at least two incidents of doxxing with complete disclosure of an individual’s personal information. Potentially sensitive content, which they’re basically using to describe whistleblower content. They said they found complete backups of the Wikileaks Cablegate data. And then illegal and condemned content, which is porn including child porn. And there weren’t a lot, let’s see – mostly that was in the form of links to websites. 274 links to websites, 142 of which refer to Tor hidden services. There was a single image – and they said they didn’t investigate further because of the – what did they say? They’re not including the reference.
Anyway, so part of why they’re bringing this up is because in order to make use of blockchain, you have to have a whole copy of it. And so, people potentially have copies of data that is not legal for them to have, or causes other privacy concerns or security concerns. So, I thought it was pretty interesting.
AUDREY: Yeah. I really had no idea that that was possible. I just sort of assumed that nothing other than what was needed to record a transaction would be in there. And I can see under a controlled system, the merits of it could be really interesting, all the things that can be communicated. But in actual real-world conditions where cryptocurrency is used for some really awful things, it’s not surprising that there would be this overlap of what data is being shared.
CHRISTIE: Yeah.
AUDREY: Have you read any more to find out what the impact of this discovery is?
CHRISTIE: No. It was just presented at the – It’s the Financial Cryptography and Data Security 2018. So, February 26th to March 2nd. So, it was like a month ago. The paper itself was funded by the German Federal Ministry of Education and Research. Yeah, and they basically say, their conclusion, it says, “The possibility to store non-financial data on cryptocurrency blockchains is both beneficial and threatening for its users. Although court rulings do not yet exist, legislative texts from countries such as Germany, the UK, or the USA suggest that illegal content such as child pornography can make the blockchain illegal to possess for all users.” So, yeah. I haven’t heard of particular – more fallout. I think like with everything – it’s only in the last five years I’ve really been hearing about Bitcoin. I know it’s been around a little longer than that. But I think the law, all the regulatory systems, are still figuring out how to respond.
AUDREY: Sure. I just mean that if it’s data that’s illegal for you to have, it doesn’t really matter whether it’s encoded in a blockchain or not.
CHRISTIE: That’s what I think they mean by – that we don’t really have court precedent on this yet. But what exists suggests that yeah, you would be in trouble for having that content. But again, how many people have a copy of blockchain? You have to look at what is reasonable too, and how can that possibly be enforced?
AUDREY: Right. I mean, it would affect at least, what do they call it? Not brokers, but like major exchanges, right?
CHRISTIE: Potentially, yeah.
AUDREY: If what the blockchain for Bitcoin has is illegal where you are, then it could cause more of them to get shut down.
CHRISTIE: Yes. And then we talked about SESTA last week, too, which sort of applies, I think.
AUDREY: Right. What kinds of things can be seen as participating in commerce around prostitution? I guess.
CHRISTIE: What this also told me is that this felt like proving the concept. It says, “Our quantitative analysis shows that 1.4% of the roughly 251 million transactions in Bitcoin’s blockchain carry arbitrary data.” So, that’s not nothing.
AUDREY: Right. Yeah, and now that they’ve looked at it, I’m sure that more people will dig into it, too, and verify the information. Look at what different organizations would want to respond, too.
CHRISTIE: That’s also only one blockchain. There’s other cryptocurrencies that have their own blockchains, right?
AUDREY: Yeah.
CHRISTIE: So, yeah. Basically – and I know people are making money in Bitcoin trading, but every time – it just sets off my like, “I’m just going to stay away from that.” I don’t know [inaudible], yeah.
AUDREY: It does seem like for a long time, it was just sort of this weirdo thing, sort of a fringe thing. Although somebody did put up fliers in my neighborhood offering a class to learn about it a couple of years ago, which was sort of interesting. But it went from being this fringe thing to being much more widespread quite quickly. And I think that we’re seeing a lot of stuff come out of that because of mainstreaming, because it’s putting – more people are becoming aware of it and so they’re poking at it from more angles. And more people are doing things with it, which means that they’re maybe not abusing it but using it in contexts that aren’t very generally accepted.
CHRISTIE: So, kind of on the Bitcoin continuum, cryptocurrency continuum, there’s this Coinhive thing. You found this, Audrey. Tell us about this.
AUDREY: Oh. So, we talked the other week about – at least I think this made in on the podcast – about Salon and how they were offering people a choice between having ads and having cryptocurrency mining. And so, I’ve kind of been just keeping an eye out for other cases of in-browser mining. Because I think it’s much like Spectre and Meltdown, how we talked about how deeply exploits can happen, I just thought it was an interesting example of the interface between the web browser, the way that we use it, and what it actually can do on the system. So, I saw this article about Coinhive. And I hadn’t heard of it before. But, just of what I’d seen originally, it was just that this was a way that not only were websites doing a cryptocurrency mining but they are sometimes doing it through malware. So, sites can be mining where the site owner doesn’t actually know what’s going on. And I could see how that would be quite profitable. There’s lots of other kinds of malware out there in advertising, for example, that profit somebody.
And so, Coinhive specifically, I think as we got into this article, it turns out to be even weirder than that would just suggest. Because let’s see. The program itself, it’s sort of a service. Not just that it mines a particular cryptocurrency but it provides a service for doing so. So, the Coinhive hooks get a certain percentage of every transaction, regardless of whether those are malicious, malware installations, or not. And so, Brian Krebs dug into this more to find out who is benefitting from it. And it turns out to be this really convoluted thing involving a German image board and a bunch of different spammer type people that have been involved. And yeah, I don’t know. Christie, you put a quote in here that I think kind of – like it’s at the bottom of the rabbit hole about some of the people that are involved.
CHRISTIE: Right. It’s the pattern we’re seeing with this stuff is that it can be hard to track down ultimate ownership and therefore accountability. So, that was basically what Krebs is doing. Well, he introduced this Coinhive and then he said, “Okay. Who are the people behind this?” And…
AUDREY: Because it’s interesting. When we’re talking about exploits, it’s useful to know who benefits, right? Who profits. It can tell us a lot about what they’re going to try to do with it.
CHRISTIE: And it sounded like ownership of the idea for Coinhive might have been a little contentious. And it’s also another one of those things where ownership may have transferred. Like someone came up with the original code and proof of concept and then found another person to steward it or whatever.
AUDREY: Right. And the image board that this stuff had maybe originally come off of had changed hands, in addition to maybe Coinhive also getting sold off to someone else.
CHRISTIE: And this doctor – I have trouble with this German phrasing.
AUDREY: Probably Moench.
CHRISTIE: Moench. Yeah, even though I should know how to say it because it’s basically in my name. Really, and the quote I put in here was somewhere. So, this guy went to prison as a juvenile for having his parents murdered. And then when he got out, it said he had found religion in juvenile detention and wanted to become a priest. But then it says, “Somewhere along the way, however, Moench ditched the priest idea and decided to become a spammer instead.”
AUDREY: Which is where he comes into the Coinhive story. Because apparently not only was he a prolific spammer, but he also encouraged other people to use his domains and some of the stuff that he’d set up for spamming purposes. And so, there’s a little bit of Spartacus thing going on here in terms of, which one’s the original guy and which of these things are just other people under that umbrella?
CHRISTIE: Right, and not just his domains, but he encouraged people to use his personal information to set up their own stuff. So, that’s why ownership of this is a little hard to track.
AUDREY: Yeah.
CHRISTIE: Because his name kept coming up, but he probably didn’t really have much to do with it. The other thing that stuck out for me with Coinhive is that if they get an abuse complaint, Coinhive, what they do is revoke the key of the customer. And then in that case, they get 100% of the mining.
AUDREY: Right. So yeah, since Coinhive is a service built around a split where Coinhive provides the software for 10% of the transaction, I think?
CHRISTIE: It’s 30.
AUDREY: 30%?
CHRISTIE: Yeah.
AUDREY: So yeah, instead of cutting off all transactions, they just cut off the rest that goes to whoever installed it.
CHRISTIE: So, they basically have no incentive to weed out code, their code, that’s been maliciously installed.
AUDREY: Well, and they control everything except to the extent that they’ve put it out here for everyone to use. I mean, they control the entire financial side of it. And anybody could take it and hack it and do more.
CHRISTIE: Okay, fun times.
AUDREY: I really appreciate that Brian Krebs digs so deeply into this stuff, you know?
CHRISTIE: Oh, yeah.
AUDREY: Because like we were saying, it can be very deeply obscured. Cryptocurrencies sort of encourage this. And if you want to understand what’s happening and why it’s happening, you do need to understand who.
CHRISTIE: Yeah. There’s this pretty amazing mind map in here that just, even if you don’t read through it all, just looking at it at a glance you can tell the layers of obfuscation. So, and I think Coinhive is Monero, right?
AUDREY: Yeah. That’s why I’d kind of thrown both of these links in here. Coinhive uses a cryptocurrency called Monero that I don’t know a lot about other than it seems to be even more deeply obscured in terms of tracing transactions to original owners. And so, again just talking about malicious mining and how the profit motive does all sorts of things. I saw this thing about malware on Android that will basically just mine Monero until the whole thing melts.
CHRISTIE: Yeah, literally. It sounded like you had to have admin access, which I think means you have to have a rooted Android device, I think. And then it just basically grinds all the phone resources until the phone shuts off or the battery overheats.
AUDREY: Yeah. And fortunately, this hasn’t been spotted through any what, official app channels, or maybe even particularly mainstream ones, for our listeners. But third-party app stores can have all sorts of things in them, including infected software. And Android apparently does not have controls on this.
CHRISTIE: Yeah. That doesn’t [inaudible]. And it might be Android 6. I don’t know what version of Android we’re up to. But there’s a lot of Android devices out there on supported versions.
AUDREY: Sure. Right. It’s been around a while and it’s always been so fragmented with every carrier having their own Android to some extent. And that definitely makes security issues a lot harder to resolve.
CHRISTIE: Oh yeah. Okay. So, I guess don’t use a third-party app store unless you really need to.
AUDREY: Unless you have some other way of knowing whether you can trust the software.
CHRISTIE: So, we talked about SESTA/FOSTA on the last podcast, which I still need to edit. But if you listened live last week, you heard it. We talked a little bit – there was already fallout happening. But now Skype or Microsoft released an update for a bunch of their services talking about offensive language. This seemed really preemptory to me.
AUDREY: And I think it must have been in the works for other reasons, you know? It happened so soon after that I doubt it was just about this. But what they did announce was that there’s a pretty wide range of stuff that they could cut off from Skype, from online chat, other things that come through their services.
CHRISTIE: Right.
AUDREY: Including basically anything that counts as adult content, right? It seems like there was a pretty big umbrella.
CHRISTIE: Right. So, if you’re having – I’m like, it’s not sexting over Skype. If you’re having sexy talk over Skype, that could potentially count.
AUDREY: Which, I’m sure lots of people are, you know?
CHRISTIE: Sure.
AUDREY: People use it as a phone service.
CHRISTIE: Right. And there were lines about that if basically if they received complaints, they could look at your communications to sort of investigate.
AUDREY: Which I thought was definitely something to be aware of, that Microsoft has the ability to look at that stuff.
CHRISTIE: Right. And this shouldn’t be entirely new information about Skype. Was that a couple of years ago when all the warnings came out about: Don’t use Skype for really sensitive conversations? The thing that’s tricky is if this is supposed to apply to Xbox Live. There’s lots of swearing and violent content on the video games. And gamers are not known to have the cleanest language, either.
AUDREY: Yeah. I am really curious about – unfortunately what we know about overly broad rules is that they tend to be selectively applied. So, I am curious what the actual impact will be.
CHRISTIE: And then I saw a bunch of tweets saying that pornographic videos and other content is being taken off Google Drive.
AUDREY: Or being sort of locked out for access.
CHRISTIE: Okay. I guess it’s the same difference, right?
AUDREY: Yeah. What I mean is like you can see the files there but nobody can use it.
CHRISTIE: Right. Which leads me to believe they must be doing some kind of fingerprinting, right?
AUDREY: Yeah. It would make sense. And I don’t know. This wave of complaints makes it seem like they must have rolled out some kind of an update that detects things in a different way than it had before.
CHRISTIE: Yeah, I wasn’t able to find a lot of information about this. Just [inaudible] some stuff.
AUDREY: No, just really the tweets that I think we’d both seen originally.
CHRISTIE: Yeah. And someone was talking about alternatives. And I guess there’s not a lot, given how much free space Google Drive provides. Again, we get back to this becoming reliant on free services. And I’m not criticizing that. People are going to use what’s available to them. But that there’s an effect. And I wish that there were more things. I wish we could build more services that were affordable. Although…
AUDREY: Well, and with better Terms of Service, too. I wouldn’t be surprised if the Terms of Service on Google Drive are just completely similar to anything else you could pay for that would give you a similar service.
CHRISTIE: And to me, it also reinforces the importance of zero-knowledge services, like SpiderOak is one of those, where they – I don’t think they could do this because from their point of view, your content’s entirely encrypted. And it doesn’t make it as user-friendly as something like Dropbox. And if you lose those keys, you lose access to your data. Again, it’s always that trade-off, right?
AUDREY: Between the access, the security, usability, and to come back to our bitcoin discussion, the safety, right? Anything that you make that’s handling all of those things well enough for people that are marginalized also does it for activities that should be marginalized.
CHRISTIE: Yeah. I was looking to see if SpiderOak still did a free – they do not still have a free plan. But you get 150 gigabytes for $5 a month. Anyway, it’s clunky compared to Dropbox, which is why I am using both simultaneously because I am never able to totally switch. It’s very embarrassing.
AUDREY: You know, after last year, remember when we talked about Dropbox and their software? The permissions over each that they had? I took it off of all my computers and unfortunately I installed something recently where the only way to synchronize is through Dropbox. And so, I’m back to having to look at it again and go, “Okay, well did they deal with those concerns? Do I have other concerns? How much do I care if I can synchronize?” But it just – these single points suck so much when there just aren’t alternatives. There aren’t other ways of doing things.
CHRISTIE: Yeah. That was the blocker for me and also getting whole – because the whole household would have needed to move. And I just, we couldn’t figure that out.
So, okay. I’m very excited to talk about our next topic because I read this entire report from the Office of the Inspector General.
AUDREY: Nice. I see that you excerpted quite a bit of it.
CHRISTIE: I did – not only – well, yeah. Not only that, but you notice this has acronym soup? I made a chart. We don’t do video, but I may take a picture of this hand-drawn chart that I did to figure out these two – what this acronym soup was.
AUDREY: Okay. So, what we’re talking about is how the FBI maneuvered to force Apple to help them get into an iPhone. And whether or not they actually needed the technical assistance or just wanted – why am I not thinking of the word – legal outcome that would allow them to do it again.
CHRISTIE: Basically, yeah. And we’re getting close to the top of the hour. So, I’ll make the retelling kind of short. But basically in the OTD which is the – I can’t remember. Okay, actually let me take a step back. So, the San Bernardino shooter, they both died? Or were they arrested? I can’t remember. I think they both died. Why do I not remember? Anyway, there was an iPhone that was locked. The FBI wanted to get into it. James Comey who was still Director at the FBI at that time gave testimony in front of Congress saying, “We don’t have the technical capability to break the encryption on this iPhone and we really need Apple’s help.” And they started a court case against Apple to compel them to help break this encryption. A little bit after that, like very shortly within a week or two, they withdrew the case and said, “Oh, just kidding. We have a solution.” The Executive Assistant Director somewhere in the FBI was a little uneasy about how this all went down. So, the Office of the Inspector General got involved, which is like, the oversight.
So, they did this investigation. And basically what happened is that there’s a department at FBI called OTD. And I’m forgetting – I didn’t actually write down what that stands for. That’s some – it does tech stuff. And then within that, well I’m sure there’s multiple sub-departments. But the two in question are basically the Digital Forensics, which tends to work with criminal proceedings, criminal legal proceedings, and then the Technical Surveillance, which tends to work with national security. And there’s a key difference there. And the key difference is that the TSS, the Technical Surveillance, tends to work with classified technologies and processes and tends to work on national security stuff. And that the Digital Forensics team works with unclassified, like more legal methods of doing things. And that…
AUDREY: Okay, which is more relevant to the San Bernardino iPhone.
CHRISTIE: Right. And that the things they do, they need to produce evidence that can actually be used in court.
AUDREY: That makes sense.
CHRISTIE: Versus what the national security people are doing, which is…
AUDREY: Whatever.
CHRISTIE: Fuck, whatever they want, I guess. So basically, and there’s this Cryptography and Electronic Analysis Unit that’s under the Digital Forensics. That’s the legal, criminal side. And then the Remote Operations Unit. And so, it was the CEAU side that was like, “We’ve exhausted all of our technical things. We need to compel Apple.” But they never really checked with ROU, the Remote Operations Unit. And the Remote Operations Unit had more access to – they basically had access to a vendor that like, had a 90% there solution. And that was a solution that they ended up using, after Comey gave testimony to Congress.
AUDREY: Saying that they had absolutely no way of doing this.
CHRISTIE: Right. And so, basically the gist of the OIG report was that basically that the FBI didn’t really do anything wrong. But that they need to have better communication between the two units. And that some of the communication breakdown was existing policy that there was a line between the TSS/ROU side and the DF/CEAU side that really ought not be crossed. And also, that the Chief of the Cryptography and Electronic Analysis part, where’s his quote? Because this was really good. She said, “She became concerned that the CEAU Chief did not seem to want to find a technical solution, and that perhaps he knew of a solution but remained silent in order to pursue his own agenda of obtaining a favorable court ruling against Apple. According to EAD Hess, the problem with the Farook iPhone encryption was the “poster child” case for the Going Dark challenge.” And then a footnote off the report explains that “Going Dark” is basically this frustration that law enforcement has when evidence goes dark because it’s behind encryption or otherwise not – can’t be subject to surveillance. So, it’s basically saying that the CEAU Chief had sort of like a political motivation for the court ruling, or for seeking a court ruling.
AUDREY: Right. And it’s interesting because they spent a couple of weeks trying to make Apple look really bad, trying to really push on this, “Well, if there was ever a time that Apple should let us into their hardware, it should be now.” And making it seem like Apple was against national security and law enforcement and all these kinds of things. And I remember a lot of discussion that if the FBI got to do this once, they would do it over and over and over.
CHRISTIE: Right. And so, the Inspector General concluded that Comey gave testimony that was accurate as he knew it at the time, that basically there was not good communication between the units at the FBI, and that it took a while to sort that out. So, part of its recommendations with the FBI, like figure out how to improve that communication. But also at the end it says, “During the course of our inquiry, we were informed that the FBI intends to add a new section in OTD to consolidate resources to address the “Going Dark” problem and improve coordination between the units that work on computer and mobile devices.” So, there’s going to be a new team that’s specifically going to work more against “Going Dark”.
AUDREY: Against encryption.
CHRISTIE: Basically, yeah.
AUDREY: Against all of our uses of encryption.
CHRISTIE: So, I thought this whole thing was fascinating. I woke up this morning not realizing I would spend that much time reading 17 pages of strangely all very bold font. It seemed to alternate. There was one page that wasn’t bold, but the rest of it was. The amount of bureaucracy at the FBI which I guess I kind of knew that, but just having it – having such a specific example. Because the OTD is like, “OTD is responsible for providing technical assistance and support to the FBI’s intelligence, national security, and law enforcement operations.” So like, I don’t even know what level in the FBI that is. Anyway. And then just the fact that they have these two separate teams, which it makes sense why they would be separate, but it’s sort of interesting that – just the ramifications of that. And then, yeah. Now they’re having to re-org.
AUDREY: Yeah. You know, it makes me think a little bit about the issue of parallel construction in law enforcement. You know, where sometimes they get a piece of information through illegal means or at least not allowed in court kind of means. And so, then they sit there and they find another way to get the same info.
CHRISTIE: Right.
AUDREY: But, law enforcement never would have gone down that path of inquiry without the thing that they weren’t supposed to use. And we just, we really don’t know. We don’t have visibility into how often that happens. But I imagine that there are a lot of cases like this where that’s a component.
CHRISTIE: Right. And I think in that case where the perpetrators are dead, I think because of the – if there’s any kind of perceived link to ISIS or Islamic terrorism, then I think they justify using the extralegal national security route, right?
AUDREY: Well, because in this case, they’re not taking anything to court.
CHRISTIE: Right.
AUDREY: They’re not going to have to make a case.
CHRISTIE: Right. Or if they are, they’re going to use laws that allow that to happen, not in the normal way.
AUDREY: It’s worthwhile being skeptical.
CHRISTIE: Yeah. Are we two things we liked on the internet this week?
AUDREY: I believe we are.
CHRISTIE: What you got, Audrey? There’s a YouTube link in here.
AUDREY: Yeah, I have a video. And there’s audio, but the audio doesn’t matter. I mean, it’s cute.
CHRISTIE: Oh. Are you saying I should click on it, then?
AUDREY: You can click on it, yeah.
CHRISTIE: I’m clicking.
AUDREY: So, the reason for this particular YouTube video being my favorite thing is I couldn’t speak for about three days last week. That’s why we had to reschedule the podcast. And during those three days, trying to communicate with my partner, I was kind of bugging him that at least I can finger spell in American Sign Language and he can’t. And I also just signed up for an ASL class, so I’m going to learn more. So, he works at a cafe and there’s at least one regular there who is deaf and uses sign language. And so, I was kind of bugging him like, “Okay, if you could finger spell, then we can talk.” But also, it would be really good to pick up some cafe language skills that way. And so I said, “Okay, I’ll find you some videos.” And what I discovered was that for ASL classes, like for kids’ ASL classes, a popular assignment is to make a cooking video. And so, to pick a recipe and to make the thing and to explain it all using sign language. No talking. And so, I found this really cute one where a couple of girls are making S’mores bars. And they just walk you through the recipe and demonstrate it.
CHRISTIE: Nice. This kitchen appears to have a window in the granite countertop to the backyard. Have you noticed that?
AUDREY: I did not notice that.
CHRISTIE: There’s like, wall skylights. Anyway.
AUDREY: No, I was trying to…
CHRISTIE: You were probably paying attention to the sign language.
AUDREY: I was, yeah. My ability to shoot – there are different words for speak and read, right? My ability to do finger spelling is way better than my ability to read finger spelling. So, I was trying to catch the ingredient names.
CHRISTIE: Right. Cool. Alright. My thing I liked on the internet this week is Sieve and FastMail. And the fact that FastMail supports Sieve. And Sieve allows you basically to write mail filtering rules. And it’s how FastMail powers their filters. But they also allow you to write your own, if you’d like to put in your own custom Sieve code. And so, you can do all kinds of stuff with your email, including – they have a Sieve notify plugin that you can, if an email matches rules that you set up, you can get an SMS or send a Slack message, or use a couple of other different services. And I was just updating my rules recently and I was just – it made me very happy because it’s something you cannot do on Gmail. And it’s nice to have it all server-side. And I want to write a blog post about it soon.
AUDREY: Cool.
CHRISTIE: But we’ll link to the FastMail docs on it, I think. And yeah, I think with the ubiquity of Gmail, people don’t even know what is possible to do. You know what I mean? Because Gmail sets the standard. And I just like sharing alternatives.
AUDREY: And email is an old system. It has a lot of capabilities.
CHRISTIE: It does. And Gmail does not implement them all. Alright. I think that’s our show this week.
AUDREY: Cool.
CHRISTIE: Thanks everyone for listening. And I think we’re going to sign off now.
AUDREY: Alright, bye.
CHRISTIE: And that’s a wrap. You’ve been listening to The Recompiler Podcast. You can find this and all previous episodes at RecompilerMag.com/podcast. There you’ll find links to individual episodes as well as the show notes. You’ll also find links to subscribe to The Recompiler Podcast using iTunes or your favorite podcatcher. If you’re already subscribed via iTunes, please take a moment to leave us a review. It really helps us out. Speaking of which, we love your feedback. What do you like? What do you not like? What do you want to hear more of? Let us know. You can send email feedback to podcast@recompilermag.com or send feedback via Twitter to @RecompilerMag or directly to me, @Christi3k. You can also leave us an audio comment by calling 503 489 9083 and leaving a message.
The Recompiler podcast is a project of Recompiler Media, founded and led by Audrey Eschright and is hosted and produced by yours truly, Christie Koehler. Thanks for listening.