The security disaster that is IoT

Bruce Schneier, writing at Motherboard:

Much has been written about how the IoT is wildly insecure. In fact, the software used to attack Krebs was simple and amateurish. What this attack demonstrates is that the economics of the IoT mean that it will remain insecure unless government steps in to fix the problem. This is a market failure that can’t get fixed on its own.

Our computers and smartphones are as secure as they are because there are teams of security engineers working on the problem. Companies like Microsoft, Apple, and Google spend a lot of time testing their code before it’s released, and quickly patch vulnerabilities when they’re discovered. Those companies can support such teams because those companies make a huge amount of money, either directly or indirectly, from their software—and, in part, compete on its security. This isn’t true of embedded systems like digital video recorders or home routers. Those systems are sold at a much lower margin, and are often built by offshore third parties. The companies involved simply don’t have the expertise to make them secure.

Even worse, most of these devices don’t have any way to be patched. Even though the source code to the botnet that attacked Krebs has been made public, we can’t update the affected devices. Microsoft delivers security patches to your computer once a month. Apple does it just as regularly, but not on a fixed schedule. But the only way for you to update the firmware in your home router is to throw it away and buy a new one.

This is going to be a really big problem for a really long time.

FBI blames Black Lives Matter for increase in murder rate

Newly released FBI data show that the homicide rate in the United States increased meaningfully in 2015, marking the end of a historic 20 year decline. The overall homicide rate increased 11% in the United States, which is the biggest percentage increase in homicides since 1971.

Make no mistake: this is a big deal. The 20 year macro trend of decreasing homicides and other violent crime is ending. The cycle is ending and a new one is beginning. The new cycle isn’t nearly as nice as the old one.

Murders are up 11%. All forms of violent crime are up 3.9%. This isn’t just a case of increased gun homicides. More rapes occurred in 2015 than in 2014.

And this is not just an isolated trend. It’s nation-wide. It’s true that Chicago has become a war zone, but while the increase in violent crime in America is largely an urban phenomenon, it’s broad-based. Just as cities led the decline in homicides, they’re also leading the resurgence. The New York Times has a great analysis piece highlighting key trends in the data that was just released by the FBI.

Some cities are much worse than others. Chicago, Baltimore, St. Louis and Las Vegas stand out as having the worst increases, but the trend is broad-based. While New York City’s homicide rate didn’t change meaningfully in 2015, even cities like Anchorage, Alaska saw increases.

From the article:

The [FBI’s] findings confirm a trend that was tracked recently in a study published by the National Institute of Justice. “The homicide increase in the nation’s large cities was real and nearly unprecedented,” wrote the study’s author, Richard Rosenfeld, a criminology professor at the University of Missouri-St. Louis who explored homicide data in 56 large American cities.

It’s hard to explain a change in a macro trend if you didn’t understand what was driving the trend in the first place. There’s still no consensus about why the murder rate began falling in the late-nineties.

Steven Pinker even argues in the excellent Better Angels of our Nature that the decline in violence is just part of one great human pacification megatrend. The guys who wrote Freakonomics argue that the decline in violent crime was a delayed effect of the Safe Drinking Water Act of 1974. The decline might have been spurred by a change in police strategy introduced by Bill Bratton and his focus on broken windows theory. Still others go further and argue that it was a result of “proactive policing,” a euphemism for a bundle of aggressive police tactics that include the infamous Stop and Frisk practices pioneered by the NYPD.

Since no one can agree about what caused the decrease and because the trend reversal is relatively new there aren’t really any good theories about what’s going on.

But James Comey, Director of the FBI, claims to know what’s going on. 

Almost exactly a year ago Comey gave a speech at the University of Chicago in which he claimed to have the answer:

Maybe it’s the return of violent offenders after serving jail terms. Maybe it’s cheap heroin or synthetic drugs. Maybe after we busted up the large gangs, smaller groups are now fighting for turf. Maybe it’s a change in the justice system’s approach to bail or charging or sentencing. Maybe something has changed with respect to the availability of guns.
These are all useful suggestions, but to my mind none of them explain both the map and the calendar in disparate cities over the last 10 months.
But I’ve also heard another explanation, in conversations all over the country. Nobody says it on the record, nobody says it in public, but police and elected officials are quietly saying it to themselves. And they’re saying it to me, and I’m going to say it to you. And it is the one explanation that does explain the calendar and the map and that makes the most sense to me.
Maybe something in policing has changed.

In today’s YouTube world, are officers reluctant to get out of their cars and do the work that controls violent crime? Are officers answering 911 calls but avoiding the informal contact that keeps bad guys from standing around, especially with guns?

I spoke to officers privately in one big city precinct who described being surrounded by young people with mobile phone cameras held high, taunting them the moment they get out of their cars. They told me, “We feel like we’re under siege and we don’t feel much like getting out of our cars.”
I’ve been told about a senior police leader who urged his force to remember that their political leadership has no tolerance for a viral video.

Comey is saying three things here: that he believes the “proactive policing” explanation for the macro decrease in violent crime; that Black Lives Matter has caused police officers to change their behavior; and that this behavioral change is ending the era of proactive policing, which in turn is causing the end of the pacifying trend in America.

Comey’s argument is lazy, irresponsible and disquieting.

The proliferation of cameraphones and social media and Black Lives Matter have shone a spotlight on a troubling pattern of police manslaughter — and perhaps homicide — that’s probably been going on for centuries. Police manslaughter and homicide are inexcusable and it is the public’s rightful duty to hold its law officers to account for the misuse and abuse of the power that has been invested in them.

To suggest that holding those who unlawfully kill the people they are sworn to protect accountable for their actions is causing the murder of Americans is incendiary and wrong. The FBI should be seeking to understand the true drivers of the increase in violent crime and working with police forces around the country to reverse the trend.

Encouraging police officers to persist in aggressive, racist and dangerous tactics because they “protect” the public doesn’t accomplish anything. We are never going back to a pre-Black Lives Matter world. That is a good thing. It’s Comey’s and the law enforcement community’s job to continue to protect American lives, even if they must now do so under increased scrutiny.

The data is troubling. America is a much safer place today than it has been in decades. But the trend is now going in the wrong direction. We must rally and fix the problem quickly, and these kinds of distractions will not help us.

 

Apple Super Cycles

The iPhone will be ten years old next year. More than a billion iPhones have been sold, making it the best-selling consumer product in history. To put that in some perspective: it took 25 years for all makers of PCs, combined, to sell a billion PCs. By any measure the iPhone has been a fantastic success. It has defined a decade of computing. The iPhone has defined a decade-long super cycle for Apple and for the broader industry.

I bought an iPhone 7 even though it’s really an iPhone 6s+. Many won’t. The iPhone’s reign is coming to an end. Its super cycle is ending. Apple is killing it.

I’d bet real money that Apple Watch Series 3 will have an Apple SIM and be able to independently connect to LTE networks. It will work seamlessly with AirPods, and it will use a hybrid of voice and visual/tactile interaction to accomplish key tasks. The small screen will be okay because it will be supplemented — and perhaps at some point supplanted — by the auditory interface. Double tapping on AirPods to interact with the world will become second nature. Or maybe you’ll speak. It won’t matter.

Over time your phone will become something you might leave at home. Like an iPad. Or a MacBook.

This is despite the fact that iPhone 8 — the tenth anniversary edition — will likely be a stunning piece of art. The platform will go out with a bang.

Computing will fade into the background. It will be accessed through ubiquitous voice interfaces and unobtrusive screens. You’ll wear some of your computing resources. Some of your computing resources will become furniture. Everything will fade away until you’re living in a new kind of future where screens are much less a part of our lives than they are now.

And during this time the iPhone will change, but not as much as it used to. The best and brightest at Apple will shift to new projects. The iPhone cycle will increasingly resemble that of the Mac.

There’ll be a revenue hiccup. There’ll be the opportunity for challengers to unseat Apple as it changes its core offering. There will be risk.

But also promise. And Apple will strive, as it always has, to disrupt itself before someone else can. It’ll move to a loose constellation of devices: Apple TV, a Siri Home device of some kind, a Watch that can act on its own and with AirPods, a phone, a home computer. All linked together and enmeshed by Apple’s new services infrastructure.

And the iPhone will fade, just as the iMac has.

One super cycle ends, another begins.

Zika: a growing threat, and still no action from Congress

Zika is spreading. There are 56 known cases in Singapore. The European Center for Disease Prevention and Control has named Thailand a “red alert” country. Huge swaths of Africa are at risk.

US States have now seen 2,722 cases of which 35 were locally transmitted. US Territories, including Puerto Rico, are much worse off: the Centers for Disease Control report more than 14,000 locally acquired cases.

1,035 pregnant women in Puerto Rico have acquired Zika.

Zika can be transmitted by mosquitos with broad global range — they reach as far north as New Hampshire in America — and by sexual contact. Zika’s initial symptoms are mild and only manifest in 20% of cases. This means that most people with Zika probably never get tested and diagnosed. They become silent carriers. The silent carriers then get bitten by mosquitos or have unprotected sex and infect new people.

It’s likely that only a very small fraction of Zika cases have been identified by world health authorities. And yet there are so many cases already being reported.

In Brazil:

In an outbreak that started mid-2015, more than 1.5 million people have been infected with Zika in Brazil, and more than 1,600 babies born with abnormally small heads and brains. Seventy countries and territories have reported local mosquito-borne Zika transmission, with Brazil by far the hardest hit.

The Pope has already suggested that God might be okay with contraception in areas impacted by Zika. Now most of the world is impacted by Zika. What happens when families decide to postpone childbirth because of the risk of microcephaly? What happens when a generation of babies with microcephaly are born? What happens when most of the world is a Zika hot zone?

Advice from the CDC isn’t very reassuring:

There is no vaccine against the Zika virus. Efforts to make one have just begun, and creating and testing a vaccine normally takes years and costs hundreds of millions of dollars.

Because it is impossible to completely prevent mosquito bites, the C.D.C. has advised pregnant women to avoid going to regions where the virus is being transmitted, and has advised women thinking of becoming pregnant to consult doctors before going.

Travelers to these countries are advised to avoid or minimize mosquito bites by staying in screened or air-conditioned rooms or sleeping under mosquito nets; wearing insect repellent at all times; and wearing long pants, long sleeves, shoes and hats.

The race for a vaccine — and treatment — is on but Congress still hasn’t approved funds to fight the virus. The funds were originally requested by the Obama Administration months ago.

It might be time for us all to rewatch Children of Men. Maybe a mandatory viewing for members of Congress would loosen the purse strings and free the CDC to do their work and work to stop this epidemic before it profoundly affects global fertility rates.

The Zika threat in America 

I’ve been following the Zika story relatively closely and recently learned that five new cases of Zika have been diagnosed in Miami Beach. These transmissions were not the result of travel or sexual transmission. They were transmitted by mosquitos in Miami Beach to people in Miami Beach.

Zika usually doesn’t harm adults but it affects unborn babies in a profound way. Zika-caused microcephaly is truly terrifying. Even in adults, though, Zika can cause Guillain-Barré Syndrome, which is sometimes fatal. At least one adult in Puerto Rico has died from Zika.

Zika is spread by the Aedes albopictus and Aedes aegypti mosquitos. CDC maps show that these mosquitos have range as far north as New Hampshire, and as far west as California. If we were to overlay these maps on maps that show US population density we would show that most of the US population lives in the same places the Zika-carrying mosquitos do.

These maps are of the continental United States. They do not include Puerto Rico, where health officials already estimate that thousands of pregnant women will become infected with Zika and that hundreds of babies will be born with microcephaly.

Initial symptoms of Zika are mild, and a large percentage of infections are asymptomatic. Tests for detecting Zika are expensive and complicated, meaning that most people who do have the mild symptoms associated with Zika but who aren’t considered “high risk” probably never get tested for the virus.

This means that Zika has probably already traveled further and infected more people in the United States than has been reported.

The CDC has already said as much:

Dr. Thomas R. Frieden, the C.D.C. director, warned at a news briefing on Friday that more cases of local Zika transmission are likely to emerge in the other parts of the county. The agency he leads said in a statement that because so many people infected with Zika have no symptoms, because the virus can incubate for two weeks and because diagnosis of cases can take several weeks, “it is possible that other neighborhoods in Miami-Dade County have active Zika transmission that is not yet apparent.”

It seems as if the CDC would maybe like to issue a more sweeping health warning, but finds it politically and legally difficult to do so.

The New York Times writes, asking us to read between the lines:

“What we’re doing is stepping back and saying there have been now multiple areas of individual transmission,” he said. “It’s a large county. There are more than two million people there, more than 20,000 pregnant women. We would always err on the side of caution.”

The C.D.C. generally must defer to state officials to decide where to set the boundaries around an area of potential disease transmission and what travel warnings to issue, federal officials and health experts said.

“The state has authority within its borders and it takes advice and counsel from the C.D.C.,” said Dr. William Schaffner, head of preventive medicine at Vanderbilt University’s medical school.

Incredibly, the CDC didn’t detect the Florida outbreak. It was actually discovered by Taiwanese public health officials:

The realization that Miami Beach was a zone of Zika transmission was triggered by a news release from Taiwan that C.D.C. officials noticed on Wednesday, Dr. Petersen said. Taiwan’s Center for Disease Control reported that a 44-year-old woman who visited Miami for business in early August, sought medical treatment for a rash on her legs and abdomen. The woman, who is not pregnant, tested positive for Zika.

“We tried repeatedly to get in touch with Taiwan the minute we heard about this,” Dr. Petersen said. With the time difference, C.D.C. officials were not able to talk to Taiwanese officials until 6 a.m. Thursday. What they learned, he said, “provided pretty strong evidence that these other people who had gone to multiple places” including Miami Beach, had probably been infected there.

It’s likely that Zika has already spread to more parts of the continental United States than the US government is saying. Public health warnings from the CDC are being controlled at least in part by governors who want to preserve their tourist economies.

The Zika threat is severe, and vaccines are still a long way off. It’s likely that the American public health system will be able to prevent many microcephalous births through aggressive prenatal scans and early termination of affected pregnancies. But the impact on American birth rates, happiness and economics could be severe.

Congress has allowed politics to interfere with federal funding for the fight against Zika, and this must stop immediately. The parties need to come together and approve money for the fight against Zika, and must do it immediately.

The Zika epidemic must get no additional help from American government dysfunction. It’s time for competent, non-partisan leadership. Harry Reid has called for Congress to return from recess to approve the funds. This should be done today.

Congress should also act to ensure that CDC is free to combat the virus in the way it sees fit: the governor of Florida should not be dictating the geographic area of the CDC’s travel warnings. Politics and protection of tourist economies have no place in the fight against Zika.

The primary macroeconomic policy challenge of our generation 

Larry Summers

Everything we know about business cycle history suggests an overwhelming likelihood that there will be downturns in the industrial world sometime in the next several years. Nowhere is there room to cut rates by anything like the normal 400 basis points in response to potential recession. This is the primary monetary and indeed macroeconomic policy challenge of our generation. I hope it will be very much in focus at Jackson Hole.

Technology for the sake of it

I’ve recently been reading a lot about payment systems. I’ve been struck by the number of Bitcoin companies which emphasize the technology they’re based on rather than emphasizing concrete consumer benefit. There are Venmo clones whose sole differentiation is that they allow you to exchange BTC instead of USD or GBP or EUR.

One bitcoin-based payment platform boasts:

We’ve been around the blockchain. Send to any bitcoin address. Free.

Seriously, who cares? People want to transfer money to each other. They want to exchange money for goods and services. The vast majority of people couldn’t care less what that money is, as long as it’s accepted as a medium of exchange. They certainly don’t care about Bitcoin. They’ve probably never heard of it, and if they have they probably think it’s only used to buy drugs.

If you build software to improve the exchange of money for goods and services and that software happens to be built on Bitcoin or on blockchain technology, that’s awesome. The cypherpunks and goldbugs who care will figure it out and love you for it. But don’t muddy your value proposition to muggles with jargon. Just tell them it’s a better money system. And if it isn’t a better money system and your only differentiation is that you’re building your system on cryptocurrency rails? You may as well just close your doors now. No one cares.

The key here is backwards compatibility. People are used to transferring dollars, pounds and euros. Let them! Then offer special, amazing features on top of that basic and familiar functionality that’s only possible because of your underlying technology. For example, make your system work just like cash. Vendors should like that. And they don’t need to know that the blockchain makes it possible. They just need to know that if they use your product, which is a lot like what they already use, they won’t be hit by chargebacks if they use your system. For instance.

Siri’s winning personality

I think Alexa’s lack of personality is one of its biggest problems. Unlike Alexa, Siri has personality in spades. She’ll even make jokes about Pokémon GO:

Look, there’s Jigglypuff behind you! Oh wait, it’s Wigglytuff. I always get those two mixed up.

I don’t expect that Google Home will have a great personality, either. Siri’s personality is a big deal, and so is SiriKit.

I wouldn’t count Apple out of the AI assistant game yet. This game is in its earliest innings, and it’s Apple’s style to sit back and watch everyone else flail for a while before deciding on a (frequently excellent) approach. Such is the incumbent’s luxury.

Marketplaces come and go, but sellers maintain their reputation

Joel Monegro’s Deep Web Marketplaces is an excellent read.

I was struck by these three points:

  • A seller’s brand and reputation are extremely important in a system where the intermediary (the marketplace) does not guarantee trust and safety.
  • This is largely decentralized in deep web marketplaces, as vendors make sure their brand is spread across multiple websites and forums.
  • Marketplaces come and go (or get seized by the FBI) but sellers need to maintain their reputation.

I recently got a profile on Onename, which is powered by Blockstack’s blockchain identity product. I suppose this is meant to be the pan-marketplace identity and reputation system, at least in USV’s blockchain portfolio. I don’t have much use for it right now (Facebook is fine and will even store your PGP public key for you) but I can certainly see how, if I were selling drugs on a “dark” marketplace, I would want something like Onename to keep my identity safe as the Feds play whack-a-mole.

The deeper question is whether law-abiding citizens who aren’t cypherpunks might want such a thing as decentralized identity maintenance. If and when they do, it won’t be because it’s “decentralized identity maintenance.” They’ll care about the blockchain about as much as they care about http, which is to say not at all.