Stuart Breckenridge

The personal blog of Stuart Breckenridge

European Parliament Committee Recommends End-to-End Encryption For All Electronic Communications

In a rare sign of complete competence, the European Parliament’s Committee on Civil Liberties, Justice, and Home Affairs recommendation on end-to-end encryption makes total sense. By Lucian Armasu, Tom’s Hardware:

The European Parliament’s (EP’s) Committee on Civil Liberties, Justice, and Home Affairs released a draft proposal for a new Regulation on Privacy and Electronic Communications. The draft recommends a regulation that will enforce end-to-end encryption on all communications to protect European Union citizens’ fundamental privacy rights. The committee also recommended a ban on backdoors.

Interestingly, the Committee also believe that metadata associated with data is within the scope of end-to-end encryption:

The metadata includes the numbers called, the websites visited, geographical location, the time, date and duration when an individual made a call etc., allowing precise conclusions to be drawn regarding the private lives of the persons involved in the electronic communication, such as their social relationships, their habits and activities of everyday life, their interests, tastes etc.

The protection of confidentiality of communications is also an essential condition for the respect of other related fundamental rights and freedoms, such as the protection of freedom of thought, conscience and religion, and freedom of expression and information.

I wonder how this would affect a company’s ability to comply with law enforcement requests for metadata? My assumption is they simply won’t be able to. Earlier this month, Tim Cook confirmed that Apple had provided metadata to UK authorities (via The Telegraph):

“Encryption doesn’t mean there’s no information,” said Cook. “Because metadata probably exists and metadata, if you’re putting together a profile, is very important.”

I don’t think this would be possible under the new recommendation.

Bringing the focus back to the Strong and Stable™ UK Government, there is still total incompetence when it comes to end-to-end encryption. Jonathan Haynes (via The Guardian):

She [Amber Rudd, Home Secretary] said she supports end-to-end encryption for families (presumably those using WhatsApp?), for banking and for business. But she insisted: “We also need to have a system whereby when the police have an investigation, where the security services have put forward a warrant signed off by the home secretary, we can get that information when a terrorist is involved.”

Ridge challenged Rudd that this was “incompatible with end-to-end encryption”. Rudd said it wasn’t. But Ridge is right: it is incompatible. As Cory Doctorow wrote when Cameron was suggesting the same thing: “It’s impossible to overstate how bonkers the idea of sabotaging cryptography is to people who understand information security.” A lot of things may have changed in two years but the government’s understanding of information security does not appear to be one of them.


FeedPress Adds Experimental JSON Feed Support

From the FeedPress blog:

There is nothing FeedPress customers need to do in order to get JSON compatible feeds. Simply append the ?format=json parameter to the end of your RSS feed.

So simple. I’ve been testing it and it seems to be working well. My experimental feed is here.


Apple's Lower Priorities

An interesting series of articles regarding Apple’s lower priorities. First, David Sparks on the text and screen effects in Messages:

We have now had text and screen effects on iOS for eight months. Are you using them? Perhaps more importantly, does Apple remember they exist?

Dr. Drang followed up with:

  • The iPad features introduced in iOS 9 were followed up with… nothing in iOS 10
  • TV
  • The one-and-a-half-year refresh for the late 2016 MacBook Pro
  • The over-four-years between iWork releases

Nick Heer at Pixel Envy:

  • Remember Live and Dynamic wallpapers? Neither has been updated since their introductions in 2015 and 2013, respectively.
  • Remember the “Learn to Play” feature in GarageBand? It was introduced in 2009, and hasn’t been updated since 2010. The artist lesson store is exactly the same as the day it launched nearly eight years ago.

I’d also posit that FaceTime video calling is due for an update. It’s essentially the same product today as it was when it was released six years ago and could do with some new features, for example, group calling¹.

  1. There was an episode of Modern Family that used some nifty video editing that made it look like FaceTime had this feature implemented. It was very, very clever. 


Feedly Responses to JSON Feed Questions

Question: will Feedly be supporting JSON feed anytime soon?

Responses:

I think these are shameful tweets. Asking about JSON feed support is a fair question and doesn’t deserve such a dismissive non-response.

Feedbin, on the other hand, does support JSON feed. Ben Ubois, on the Feedbin company blog:

One of the criticisms I’ve seen of JSON Feed is that there’s no incentive for feed readers to support JSON Feed. This is not true. One of the largest-by-volume support questions I get is along the lines of “Why does this random feed not work?” And, 95% of the time, it’s because the feed is broken in some subtle way. JSON Feed will help alleviate these problems, because it’s easier to get right.


Reducing Bundle Size and Improving Extension Performance

The today extension of The FFI List displays the number of registered FFIs broken down by their entity type. It’s fairly simple, but I made a few mistakes when putting it together:

  1. I copied the sqlite database into both the main app and the extension; and,
  2. The code to run queries on the database to obtain statistics was part of the extension.

The net effect was that the bundle size was approaching 180MB (two 80MB databases). In addition, performance of the extension was haphazard: I had reports, and had seen myself, instances where the extension returned a seemingly random count of total database entries. What’s worse was that I couldn’t debug the problem. No errors were raised, the underlying data was intact, and I couldn’t reproduce the problem with any regularity. It also took upwards of four seconds for the queries to run.

In the upcoming v2.1 release, I’m happy to say these issues are fixed.

First, the sqlite database is no longer embedded in both the main application and the extension. The bundle size is once again under 100MB.

Second, to make sure that the extension was able to show statistics like it did before, I created a Statistics.plist file and as part of the build process, I run some sqlite queries and then populate the data into the plist file like so:

sponsors=$( sqlite3 _YOUR_DATABASE_ "select count(ZENTITYTYPE) from ZFFIENTITY where ZENTITYTYPE = '01SP'")
/usr/libexec/PlistBuddy -c "Set 01SP $sponsors" "${TARGET_BUILD_DIR}/FFI.app/Statistics.plist"

When the main app runs, it will copy the Statistics.plist file into the shared container:

let container = FileManager.default.containerURL(forSecurityApplicationGroupIdentifier: "group.ffiinfo")?.appendingPathComponent("/Statistics.plist")
let stats = Bundle.main.path(forResource: "Statistics", ofType: "plist")
        
guard let containerURL = container else {
    return shouldPerformAdditionalDelegateHandling
}
        
guard let statsPath = stats else {
    return shouldPerformAdditionalDelegateHandling
}

if FileManager.default.fileExists(atPath: containerURL.path) {
    do {
        try FileManager.default.removeItem(atPath: containerURL.path)
        try FileManager.default.copyItem(atPath: statsPath, toPath: containerURL.path)
    } catch {
        print(error)
    }
} else {
    do {
        try FileManager.default.copyItem(atPath: statsPath, toPath: containerURL.path)
    } catch {
        print(error)
    }
}

The extension then displays the available data from the plist when it exists in the container. This improves performance from several seconds to instantaneous as the extension is no longer running any database queries.


JSON Feed

Manton Reece and Brent Simmons:

We — Manton Reece and Brent Simmons — have noticed that JSON has become the developers’ choice for APIs, and that developers will often go out of their way to avoid XML. JSON is simpler to read and write, and it’s less prone to bugs.

So we developed JSON Feed, a format similar to RSS and Atom but in JSON. It reflects the lessons learned from our years of work reading and publishing feeds.

I try to avoid XML when I can, so I’m obviously very pleased to see a JSON standard appear for feeds.

I’ve created a JSON feed for this site which is available here. I’ve also uploaded my current Jekyll template to GitHub.

Now I just need to find a reader that supports the JSON feed spec!


An Unexpected Win

Via the BBC:

A security researcher has told the BBC how he “accidentally” halted the spread of ransomware affecting hundreds of organisations, including the UK’s NHS.

The man, known online as MalwareTech, was analysing the code behind the malware on Friday night when he made his discovery.

He first noticed that the malware was trying to contact an unusual web address - iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com - but this address was not connected to a website, because nobody had registered it.

So, every time the malware tried to contact the mysterious website, it failed - and then set about doing its damage.

MalwareTech decided to spend £8.50 and claim the web address. By owning the web address, he could also access analytical data and get an idea of how widespread the ransomware was.

But he later realised that registering the web address had also stopped the malware trying to spread itself.

Stopping the spread of the ransomware was an incredibly lucky side effect of purchasing the domain name. However, any win in this scenario — it’s the largest ransomware spread I can recall, and certainly the most shameless (attacking a health service) — is a win worth taking.
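
A defensive illustration of the behaviour the BBC excerpt describes, added here as an example and not taken from the original post or from MalwareTech's analysis: it triages DNS resolver logs for hosts that looked up the quoted address, and separates hosts whose lookup failed from those whose lookup resolved. The log format, IP addresses and function names are constructed for the example.

```python
# Domain exactly as quoted in the BBC excerpt above.
KILL_SWITCH = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

# Constructed resolver log: "<timestamp> <client> <qname> <rcode>" per line.
SAMPLE_LOG = """\
2017-05-12T21:03:11Z 10.0.4.17 iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. NXDOMAIN
2017-05-12T21:03:12Z 10.0.4.22 example.org. NOERROR
2017-05-13T09:15:40Z 10.0.4.17 IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM. NOERROR
2017-05-13T09:16:02Z 10.0.7.5 www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. SERVFAIL
2017-05-13T09:16:30Z 10.0.8.3 iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. NOERROR
2017-05-13T09:17:01Z 10.0.9.9 iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com.lookalike.example. NOERROR
malformed line
"""

def matches_kill_switch(qname):
    """True for the domain or any subdomain; case and trailing dot are ignored."""
    name = qname.rstrip(".").lower()
    return name == KILL_SWITCH or name.endswith("." + KILL_SWITCH)

def triage(log_text):
    """Map each client that queried the domain to its worst observed outcome.

    'failed'   : at least one lookup did not resolve, the condition under
                 which the article says the malware went on to do damage.
    'resolved' : every lookup resolved; the host still needs investigating,
                 because it asked for a name only this malware is described
                 as using.
    """
    outcome = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip lines that do not fit the assumed format
        _timestamp, client, qname, rcode = parts
        if not matches_kill_switch(qname):
            continue
        if rcode.upper() != "NOERROR":
            outcome[client] = "failed"  # one failure outranks later successes
        else:
            outcome.setdefault(client, "resolved")
    return outcome

if __name__ == "__main__":
    for host, state in sorted(triage(SAMPLE_LOG).items()):
        print(host, state)
```

A DNS filter that answers this name with NXDOMAIN puts every querying host in the "failed" state, so the name belongs on a watch list rather than a block list.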