What happened?
- ❤️❤️❤️ I revisited some parts of my professional story, questioning the actual reasons for me to leave the computer science field. The "I wanted to do something with my own hands" narrative seems to cover for something else!
- ❤️❤️ Held a code walk-through session, explaining how we've implemented a feature. I really enjoyed preparing beforehand; having notes to help navigate the presentation (that might end up in a blog post) was useful. No stress, and hopefully a clearer path for folks attending.
- ❤️❤️ Attended a meeting showcasing a lot of care. Trying to find out what worked and what didn't, opening a space for discussions to happen, was really heart-warming, especially for a newborn collective.
- ❤️ As part of my work-story explorations, I revisited the notes in this blog. Found it fun to see how I was thinking a few years back, shedding some light on past decisions.
- ❤️ Found some other folks to prepare learning material about security best practices for citizens, as a follow-up from last week's disappointment.
- ❤️ Some surprise evenings and lunch breaks. My brain is functioning way better when there is some dynamics during the day (in the musical sense: having time for different types of things).
- 💔 The week was too packed, and I really missed having an evening to exhale.
Resources
- I went to "Écoutez battre, de Klaire fait Grrr", a feminist concert with "not-sung songs". A very nice moment. Her ability to play with words and do poetry was heart-warming and fun.
- I've seen The Princess and the Frog, by surprise, after discussing New Orleans music with a friend. One of the last 2D animations by Walt Disney, and also the first one (that I've seen, at least) featuring black characters.
- I've started to watch "Can You Hear Me?" by Florence Longpré (the author of the series Empathie; if you haven't seen it, it's amazing!). Another way to discuss social issues without being too dragged down by them. I'm starting to be a fan.
Quotes
Lighthouse reported on an investigation they did on a dataset linking phone numbers with location data: a dataset containing 1.5 million records, more than 14,000 unique phone numbers, and people surveilled in over 160 countries. The surveilled people included environmental activists, journalists and high-profile people. The technical details are interesting, and show that the company was exploiting the network to gather this data, without having to install anything on the phones themselves:
In contrast to top-tier spyware like Pegasus, First Wap’s Altamides can’t infect a phone, but operates entirely at the level of the telecom network. First Wap’s late founder, Josef Fuchs, realized before almost anyone that by exploiting an antiquated communication system he could trick phone networks into revealing the locations of their users.
Signalling System 7, or SS7, is a decades-old set of protocols that allows phone networks to communicate with one another, routing messages and calls across borders. It was never designed with security in mind, and while operators have moved to more secure evolutions with 4G and 5G, they still need to maintain backwards compatibility with SS7. This is likely to remain the case for years if not decades to come. Phone networks need to know where users are in order to route text messages and phone calls. Operators exchange signalling messages to request, and respond with, user location information. The existence of these signalling messages is not in itself a vulnerability. The issue is rather that networks process commands, such as location requests, from other networks, without being able to verify who is actually sending them and for what purpose.
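The quote above says the weak point is not the existence of location requests but that a network answers them without checking who is asking and why. Operators mitigate this with a signalling firewall that screens inbound requests before the core network answers them. The block below is an added example, not code from Lighthouse or from any operator or vendor: it is a simplified, self-contained model of such a screening rule, where the message format, the network names (`partner-A`, `partner-B`) and the subscriber records are all constructed for illustration and do not correspond to real SS7 message types or identifiers. The check it demonstrates is the plausibility test such firewalls apply: a location lookup is only answered if it comes from a known roaming partner and that partner is the network actually serving the subscriber right now.

```python
"""Simplified model of how an operator's signalling firewall can screen
inbound location-lookup requests (added example, not operator code).

All identifiers, message labels and subscriber records below are constructed
for illustration; they are not real SS7/MAP opcodes or network codes.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class LocationRequest:
    origin_network: str   # network that sent the signalling message (constructed id)
    subscriber: str       # subscriber the request asks about (constructed id)
    msg_type: str         # constructed label, e.g. "LOCATION_LOOKUP"


# Constructed policy data: networks we have a roaming agreement with, and the
# network each of our subscribers is currently registered on (None = at home).
ROAMING_PARTNERS = {"partner-A", "partner-B"}
CURRENT_ROAMING: dict[str, Optional[str]] = {
    "sub-1": "partner-A",
    "sub-2": None,
    "sub-3": "partner-B",
}


def screen(req: LocationRequest) -> tuple[bool, str]:
    """Decide whether to answer a request; returns (allowed, reason).

    A location lookup is only legitimate when the requester has a routing
    need: it must be a roaming partner AND the subscriber must actually be
    roaming on that partner's network.  Everything else is refused, which is
    what closes the "anyone on the interconnect can ask" gap.
    """
    if req.msg_type != "LOCATION_LOOKUP":
        return True, "not a location lookup; outside this rule"
    if req.origin_network not in ROAMING_PARTNERS:
        return False, "origin is not a roaming partner"
    serving = CURRENT_ROAMING.get(req.subscriber)
    if req.subscriber not in CURRENT_ROAMING:
        return False, "unknown subscriber"
    if serving != req.origin_network:
        return False, "subscriber is not roaming on the requesting network"
    return True, "partner network serving this roaming subscriber"


def screen_batch(reqs: list[LocationRequest]) -> list[tuple[LocationRequest, bool, str]]:
    """Apply the rule to a batch and keep the verdicts for logging/review."""
    return [(r, *screen(r)) for r in reqs]


def denied_by_origin(results) -> Counter:
    """Count refusals per origin; a burst from one origin is worth alerting on."""
    return Counter(r.origin_network for r, allowed, _ in results if not allowed)


# Constructed sample traffic.
SAMPLE = [
    LocationRequest("partner-A", "sub-1", "LOCATION_LOOKUP"),   # legitimate
    LocationRequest("partner-A", "sub-2", "LOCATION_LOOKUP"),   # sub-2 is at home
    LocationRequest("unknown-X", "sub-1", "LOCATION_LOOKUP"),   # not a partner
    LocationRequest("unknown-X", "sub-3", "LOCATION_LOOKUP"),   # not a partner
    LocationRequest("partner-B", "sub-3", "LOCATION_LOOKUP"),   # legitimate
]

if __name__ == "__main__":
    verdicts = screen_batch(SAMPLE)
    for req, allowed, reason in verdicts:
        print("ALLOW" if allowed else "DENY ", req.origin_network, req.subscriber, "-", reason)
    print("denied per origin:", dict(denied_by_origin(verdicts)))
```

The model only encodes the one rule the quote points at; a production signalling firewall also rate-limits, checks that the claimed origin matches the route the message arrived on, and feeds refusals into monitoring. The `denied_by_origin` tally is the minimal version of that last step: a single origin accumulating refusals across many subscribers is the pattern a defender wants surfaced.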
I didn't know Lighthouse, and I found some of their other articles interesting; here are some quotes:
Tens of thousands of people attempt the crossing from the nearby Comorian Island of Anjouan each year in search of better work opportunities, healthcare and education on the French Island, which is situated off the east coast of Africa. It’s estimated 10,000 people have drowned while trying to make this journey since 1995.
They hit us and watched us drown
Our investigations have found evidence that these systems discriminated against vulnerable groups with oftentimes steep consequences for people’s lives. [...] People without Dutch citizenship were 30 percent more likely to be wrongly selected than people with Dutch citizenship and people with non-Western nationality were almost twice as likely to be wrongly selected than people with a Western passport. Overall, the initial model showed greater bias against vulnerable groups than the analogue process.
How we investigated Amsterdam’s attempt to build a ‘fair’ fraud detection model
In the meantime, in the US, Trump classifies "Anti-Capitalism" as a political pre-crime, after going after "Antifa".
"Extremism on gender" is another one that really sounds bad, because of course it can mean very different things depending on how you read it.
In this real-world case, the “indicia” (indicators) of future political violence listed in the report are:
- anti-Americanism
- anti-capitalism,
- anti-Christianity,
- support for the overthrow of the United States Government,
- extremism on migration,
- extremism on race,
- extremism on gender
- hostility towards those who hold traditional American views on family,
- hostility towards those who hold traditional American views on religion, and
- hostility towards those who hold traditional American views on morality.
Mozilla Foundation did a privacy review of the Signal messaging app, and highlights mainly two things about it:
The biggest issue with Signal is that it requires a phone number to register an account, even if you’re just using the desktop version. Asking Signal to hand over the data it holds on you shows that the phone number you’re using is associated with each device you’ve used to log into Signal.
As a result, Signal must hand this information over when requested to by U.S. law enforcement. The scope of what an investigator could learn is limited, but at the bare minimum they would be able to confirm when you last connected to the service.
This is not news, but of course still a concern. What I found more interesting was this section:
While most of Google’s analytics are turned off in the Signal app, it still uses the Google Maps API to handle location data. Calls to Google Maps turn over a bunch of metadata, including the IP you’re connecting from. For a project that’s so invested in privacy, it’s surprising that Signal doesn’t use an open source alternative such as Open Street Map.
That's something that the Molly Signal fork is solving, but only if you're using the "Molly FOSS" variant.