 

"Strong encryption for everyone is a national security advantage." - @DavidGewirtz
http://www.zdnet.com/article/encryption-is-not-the-enemy-a-21st-century-response-to-terror/

 

A horrifying story of free web hosting with a side of bad security (and subpar customer service): http://www.troyhunt.com/2015/10/breaches-traders-plain-text-passwords.html

 

Smartphone Cryptogeddon

3 min read

After yesterday's Senate committee hearing on encryption, wherein both [FBI Director James Comey](http://arstechnica.com/tech-policy/2015/07/fbi-chief-tells-senate-committee-were-doomed-without-crypto-backdoors/) and [New York County District Attorney Cyrus Vance Jr.](http://arstechnica.com/tech-policy/2015/07/this-is-the-most-outrageous-government-tirade-against-ios-8-encryption/) made some pretty nasty comments about strong encryption on smartphones and the end of the world potential problems it could bring, I thought it might be a good idea to remind everyone of what [Representative Ted Lieu of California said back in April](http://arstechnica.com/tech-policy/2015/04/irate-congressman-gives-cops-easy-rule-just-follow-the-damn-constitution/) about why some users wanted smartphone encryption in the first place:

> Why do you think Apple and Google are doing this? It's because the public is demanding it. People like me: privacy advocates. A public does not want an out-of-control surveillance state. It is the public that is asking for this. Apple and Google didn't do this because they thought they would make less money. This is a private sector response to government overreach.
>
> ...
>
> [T]o me it's very simple to draw a privacy balance when it comes to law enforcement and privacy: just follow the damn Constitution.
>
> And because the NSA didn't do that and other law enforcement agencies didn't do that, you're seeing a vast public reaction to this. Because the NSA, your colleagues, have essentially violated the Fourth Amendment rights of every American citizen for years by seizing all of our phone records, by collecting our Internet traffic, that is now spilling over to other aspects of law enforcement. And if you want to get this fixed, I suggest you write to NSA: the FBI should tell the NSA, stop violating our rights. And then maybe you might have much more of the public on the side of supporting what law enforcement is asking for.
>
> Then let me just conclude by saying I do agree with law enforcement that we live in a dangerous world. And that's why our founders put in the Constitution of the United States—that's why they put in the Fourth Amendment. Because they understand that an Orwellian overreaching federal government is one of the most dangerous things that this world can have.

It might be worth pointing out that Rep. Lieu is one of four House members with computer science degrees, is a Lieutenant Colonel in the United States Air Force Reserves, *and* served for four years as a member of the Judge Advocate General's Corps, making him (IMHO) someone knowledgeable in this area.

And it just so happens that [fourteen of the world's top computer security experts](http://dspace.mit.edu/bitstream/handle/1721.1/97690/MIT-CSAIL-TR-2015-026.pdf) agree with him, but who's counting.

 

The Web is Dead! Long Live the Web!

4 min read

In browsing through some of the fallout from the arrival of [Facebook's Instant Articles](http://instantarticles.fb.com/), I stumbled across a couple of great pieces by Baldur Bjarnason ([@fakebaldur](https://twitter.com/fakebaldur)) that go a long way to explain how we got into [the situation we're in](http://www.newser.com/story/206784/facebook-instant-articles-a-tectonic-shift-in-news.html), and why it's us [web developers](http://blog.itsericwoodward.com/2015/developing-the-web) who are responsible.

In the first, he takes on [the ongoing debate about apps vs. the web](https://www.baldurbjarnason.com/notes/media-websites-vs-facebook/), and makes the assertion that it isn't "the web" that's broken, it's how (we) web developers are using it that's broken (emphasis his):

> Here’s an absolute fact that all of these reporters, columnists, and media pundits need to get into their heads:
>
> The web doesn’t suck. Your websites suck.
>
> _All of your websites suck._
>
> You destroy basic usability by hijacking the scrollbar. You take native functionality (scrolling, selection, links, loading) that is fast and efficient and you rewrite it with ‘cutting edge’ javascript toolkits and frameworks so that it is slow and buggy and broken. You balloon your websites with megabytes of cruft. You ignore best practices. You take something that works and is complementary to your business and turn it into a liability.
>
> The lousy performance of your websites becomes a defensive moat around Facebook.

In other words, if the [mobile web is dead](http://www.zdnet.com/article/the-mobile-web-is-dead-long-live-the-app/), it's because we developers killed it.

On a side note, I wonder if this isn't a lot of the reason that millennials have increasingly [preferred using apps to browsers](https://www.siliconrepublic.com/play/2010/11/24/mobile-ads-shock-millennials-prefer-apps-gen-x-browsers) - because mobile browsing is, for many, a needlessly painful experience.

In the [second piece](https://www.baldurbjarnason.com/notes/new-age-of-html/), he even goes so far as to explain why people can't seem to get on the same page about how "the web" should be: Because they're all talking about different versions of it:

> Instead of viewing the web as a single platform, it’s more productive to consider it to be a group of competing platforms with competing needs. The mix is becoming messy.
>
> 1. Services (e.g. forms and ecommerce, requires accessibility, reach, and security)
> 2. Web Publishing (requires typography, responsive design, and reach)
> 3. Media (requires rich design, involved interactivity, and DRM)
> 4. Apps (requires modularity in design, code, and data as well as heavy OS integration)

Just to drive this point home, he makes reference to the Apple Pointer issue from [earlier this year](http://studiotendra.com/2015/03/01/the-web-has-covered-the-basics):

> This is just one facet of the core problem with the web as an application platform: we will never have a unified web app platform.
>
> What Apple, Google, Microsoft, and Mozilla want from web applications is simply too divergent for them to settle on one unified platform. That’s the reason why we’re always going to get Google apps that only work in Chrome, Apple Touch APIs that are modelled on iOS’s native touch model, and Microsoft Pointer APIs that reflect their need to support both touch and mouse events on a single device at the same time. There really isn’t an easy way to solve this because standardisation hinges on a common set of needs and use cases which these organisations just don’t share.

A more conspiracy-minded individual might even believe most of the major vendors would be better off if the standards never really do work out, since it would prevent "native-esque" web apps from cutting into their bottom-lines in their respective app stores. But I digress.

Speaking for myself, I know that I had never really considered this point when talking / ranting about "the web". What's more, I wonder if half of our inability to come to agreement on some of these issues is simply a matter of terminology getting in the way of having meaningful conversations. I mean, apps aren't "better" than "the web", because they are essentially part of (one form of) it: they use the same web protocols (HTTP / HTML) as the rest of the "browsable" web, they just use them on the back-end before glossing it over with a pretty "native" front end.

In fact, one might argue that this is the reason that the one area of web standards that has actually seen some progress in the past few months is the [HTTP2 spec](https://http2.github.io/) - an update to how data is transmitted on the wire, which should bring notable speed and security improvements to anyone who uses HTTP (including all of those native apps I mentioned earlier). After all, improving this part of "the web" is the one thing that all of the players involved can agree on.