Little fanfare has been given to the story of a glitch in an experimental AI game from 2019, but the results seem rather poignant to me. TL;DR, the AI decided that committing suicide at the beginning of the game was the best strategy because the game was too hard, and it meant fewer points off. For any kid growing up in the 80s, the idea of a computer learning the concept of futility should seem a rather significant accomplishment. The characteristic of learning futility had seemed exclusively a human trait to me that computers would never grasp, at least until I read this story. As the author of the piece put it, “it’s hard to predict what conditions matter and what doesn’t to a neural network”. Its implications in computer science are quite fascinating, though, and a good object lesson for those contemplating the Trolley Dilemma in technology.
What more is there for their Expected One to do when he comes? To call the heathen? But they are called already. To put an end to prophet and king and vision? But this too has already happened. To expose the God-denyingness of idols? It is already exposed and condemned. Or to destroy death? It is already destroyed. What then has not come to pass that the Christ must do?
Athanasius, On the Incarnation
As a typical secular teenager, Christianity introduced me to a God who’d interacted with humanity throughout history to offer a life greater than myself. This made a lot of sense to seventeen-year-old me. It still does. Christianity in America comes with a lot of baggage, though. Along with the powerful message of the gospel were a lot of strange ideas about the creation and destruction of the world. Depictions of a violent and terrifying end are often portrayed both in Hollywood fiction and from the pulpits of American churches. Christianity seems to, at some point, have conflated faith with magic.
Interpretations of end times prophecy have become increasingly more embellished and bizarre over the years, divorcing the pattern of a historical Jesus who advocated non-violence with one now seemingly the perpetrator of pointless violence, judgment, and terrifying death. The end times scenarios that play out in many churches have attracted fringe groups such as QAnon by providing a foundation for oracle-sourced conspiracy theories that lead to violent, anti-establishment outcomes. The obvious contradiction of a Christianity asserting a struggle that is “not against flesh and blood” somehow ending up with a literal war against flesh and blood is paradoxical. Yet to not have faith in a brutal and imminent end times means, in many churches, that you don’t have a Christian faith at all. This left many Christians of my generation to either go along with the weirdness and ignore the obvious oddities of Christian doctrine, or – worse, to fully embrace them and make one’s Christian identity based on the willingness to blindly accept outrageous theories as fact. The latter was often socially rewarded as “faith”. This was a package deal, though, for many young Christians – who are now adults with a literal end times engrained in them.
Many Christians are still stuck here, as it is still the only thing many American churches teach today, and in an increasingly embellished and political way. The vast majority of church going Christians have zero academic training in interpretation of scripture, nor want it, but this hasn’t stopped them from embracing whatever they read on the Internet, or the popular movements within their church – up to and including QAnon, which has now consumed up to 25% of white American evangelicals. Denominationalism, while having some benefits, has also become one of the greatest vehicles of confirmation bias in the church, allowing for tribal systems of beliefs to flourish and go unquestioned by parishioners. This has become more extreme as a result of the social dysfunction created by COVID and the social unrest caused by deep divisions in politics. It is not uncommon to hear, within otherwise normal Christian circles, that masks take us one step closer to Sharia law or that COVID vaccines and W.H.O. closer to a one world government, to the mark of the beast, or any number of other themes in Revelation. It is also not uncommon to encounter opinions that Joe Biden is the Antichrist (or demonic in some form), or that believing the pandemic exists at all is Satan’s plan to deceive Christians en masse. Meanwhile, extremist groups spent several months planning – on public message boards – to assassinate the incoming president to usher in a new heaven and earth, based on many of the same beliefs. While the more extreme of these beliefs may be relegated to fringe cults, misguided end-times theories about masks, vaccines, and the Antichrist run deep in mainstream Christian churches. As one evangelical pastor put it, “Right now QAnon is still on the fringes of evangelicalism… but we have a pretty big fringe.”
This end-times posture is the result of a century of theological error, and has led the evangelical church into all kinds of misguided conspiracy theories. Visions of four horsemen riding across the world, a sudden secret rapture, and seven years of hell on Earth rest upon theological pillars of highly questionably origin. Academics in Christian studies have long been far too reluctant to call out the problems in theology that led us here, and that has damaged Christianity greatly. Yet such end-times concepts have no support in historic Christianity, and could be dissociated from Christianity altogether. By failing to challenge the incorrect assumptions this belief system relies on, many Christians will deny COVID vaccines and literally die on the basis of the theological system under which they were taught. It is a flawed and unfalsifiable system of theology – not Christianity itself – that is to blame. This post will attempt to tease those two concepts apart.Continue reading “Modern Christianity and End-Times Conspiracy Theories”
I originally published this in 2016, and dust it off every time there’s a mass shooting in the news. This post has seen the top of my feed year after year, as politicians continue to offer nothing but thoughts and prayers.
I’ve been a long time responsible gun owner, by the old definition of what that used to mean. Like a majority of them, I’ve wanted more controls on semi-automatic rifles – particularly, assault rifles, for a long time. There’s idiocy on both sides of this debate, and both have some questionable notions about them. The extreme left seems to have developed an irrational fear and hatred of all guns and the extreme right believes the only solution to guns are more guns. Consider this more realistic perspective from someone who spent over a decade shooting and working on guns, held NRA certifications to supervise ranges and carry concealed weapons, and up until some years ago – when I sold the rights to it – produced the #1 ballistics computer in the App Store.
What much of the nation does not realize is that there is already a system in place to perform strict checks of individuals looking to own firearms categorized as highly lethal – but it isn’t being used to control most assault rifles. Introduced in the National Firearms Act legislation, this system was applied to machine guns, short barrel rifles, silencers, sawed off shotguns, and other types of firearms that individuals can still legally own today, but with more than the casual regulation of AR-15s and other such firearms. It could be changed to include semi-automatic rifles. In my opinion, it should be, and in this post I’ll argue why I’d like to see the President and legislators push for this.Continue reading “Reclassifying Semi-Automatic Rifles under the National Firearms Act”
All have turned aside, they have together become corrupt; there is no one who does good, not even one.
I’ve devoted much of the past 30 years as an evangelical Christian “layperson” to Christian studies to try and become an educated one. Greek, theology, patristic authors, and Christian history should be in the wheelhouse of every Christian. Even still, what Christianity has become in America is entirely alien to me and what I’ve studied. I don’t recognize the church in the midst of the racism, hostility, and lies that Christians proliferate today. I’m frankly ashamed and embarrassed to have to share the label. Last year brought some of the worst out in us. I’m referring to the mainstream evangelical church – relatives, friends, and people I’ve grown up with – who were once a much-needed example of Christianity to me – have severely disappointed in how they’ve conducted themselves, causing me to question if they ever truly understood their own faith.
Every Christian’s example par excellence – Jesus – was abundantly clear in having nothing to do with the wicked. He literally turned tables on those whose agenda didn’t align with his. Scripture is chock full of warnings about the dangers of aligning with wicked people, or compromising one’s values to an end. Christianity teaches of a savior who demonstrated sheer disinterest in politics, from “Render unto Caesar” to his markedly uninterested appearance before an irrelevant Pontius Pilate. Christians wielded no political clout until the third century, yet today are obsessed with power – even to the degree of aligning with white nationalists who condone hate and murder, or expressing blind, cult-like loyalty to demagogues. We have become enablers of hate, violence, racism, and division through our alliances, our funding, and trafficking in misinformation to convince ourselves it’s moral. The church sacrificed her reputation for the kind of influence and power that Jesus would yawn at.
Yet Christianity celebrates a meek savior who saw intrinsic value in people regardless of their race, their past, or their status. He called for the lifting up of those who were downcast and mistreated by society. He called for sacrificial love of the disenfranchised. To reflect compassion. Generosity. Selflessness. He thought mankind was valuable enough to sacrifice for. Christianity should be, by definition, a mirror image of Christ’s sacrificial love for humanity, and an example of integrity and truth, even to one’s own detriment. I don’t see the character of Jesus Christ in today’s American Christians. Christians couldn’t even bother wearing a mask for their brother.
In retrospect, this has been a long time coming. It is of little surprise that Christians support racist leaders, as the church has become the most segregated institution in the country. White Christians have spent generations basking in the privilege of not having to think or preach about racism and inequality, while black and brown Christians in churches down the road are haunted by it daily. The ability to remain blissfully ignorant of racism has been the darling sin of every white suburban Christian church since history was first tormented to create a white Jesus. And is it any surprise that Christians have become extreme anti-science in the wake of infectious disease? The church’s historical inability to grasp our own God as chief architect with any tools other than magic has caused otherwise intelligent people to become modern-day imbeciles – even in the broad daylight of mass graves and outdoor crematoriums resembling hell on Earth.
Christians, we are called to be innocent of evil, not to align ourselves with it. How can we support the immorality of those we elect to govern us, or crowd fund for murderers and white supremacists when it so clearly has borne the fruit of evil? As Christians and human beings, this should grieve us, not excite us. This manufactured reality doesn’t represent the God that I worship, study, and aspire to be more like.
Our actions are not without accountability in the next life, I fear, much to the pains of those who don’t care who they align themselves with, who they infect, or what atrocities they help fund. God knows every hair we’ve harmed through our indifference. The famous words Jesus uttered, “I stand at the door and knock” in Revelation was directed at the church, who often left their own savior out in the cold. Church, who has bewitched you?
The Biden administration is having a little Twitter fight about whether or not to reset the followers of the @potus account. While followers were rolled over from the Obama administration to Trump’s, the Trump administration, who views Twitter followers as if they represented actual voters-who-love-Donald, doesn’t think the incoming president should get to inherit all of those bots and disenfranchised twelve-year olds. Let us stop and reflect on the stupidity and pettiness of this argument. What the Biden administration really should be thinking about is whether to close @potus and get the White House off of Twitter completely.
Social media, especially Twitter, has year after year been on a steady course of devolving into one of the most toxic and unpleasant public gatherings on the Internet. Long before Trump took office, social media was the leading source of disinformation, threats, harassment, toxicity, and division. Combined with a platform that adopts thought-terminating loaded language hash tags (e.g. #StopTheSteal) and abbreviated messaging that lacks critical thought, Twitter has long been a platform designed to capitalize on the cult phenomenon. Twitter has been not only markedly complicit, but in a position to profit off of the toxicity, disinformation, and abuse it allows by the Trump administration and other public officials who’ve started emulating the behavior.Continue reading “Biden Should Take the White House off of Twitter”
Over the past few months, a small group of individuals have been impersonating me online using fake email addresses, shell accounts, and other mediums. These individuals are skilled at social engineering, and are also criminally dangerous. So far, the purpose seems to be attempts to gain access to confidential information, and to create proxied (MiTM’d) trust relationships between parties. They have also created fake websites to intentionally spread technical disinformation for their own purposes, falsely claiming to be authored by other respected researchers.
If you receive any unexpected communication from me, especially from an unknown email address, phone number, or another medium, please reach out to me on a trusted form of communication to verify if it is me. Please note, I do not presently have any social media accounts.
I have been working with an attorney and with the district attorney’s office. We do know who the individuals are, and the situation is being closely monitored. Please reach out to the Riverside County, CA District Attorney’s Office at (951) 955-5400 with any information if you suspect you have been contacted by someone falsely claiming to be me.
If you watched yesterday’s senate judiciary hearings with CEOs from Twitter and Facebook, two things would have stuck out to you. First, why is Jack Dorsey addressing the senate from the kitchen department at an IKEA? Second, how did a judiciary hearing about misinformation campaigns somehow turn into a misinformation campaign itself? At the heart of this hearing were social media companies making tools and information available to users to combat misinformation through the use of labels and interstitials; why weren’t any senators interested in examining the facts surrounding such policies, I wonder? Rather, senators demonstrated an eye-rolling indifference to truth and instead took the opportunity to peddle their own conspiracy theories, including partisan bias and mind control by robber barons using project management software. The entire thing ended up one big partisan temper tantrum, and was an embarrassment to the American people, frankly.
Truth and facts – regardless of topic, have never been, and never will be a matter of partisan perspective, and anyone who tells you differently is a politician. Truth doesn’t work in reverse – it is impossible to start with a narrative, and then create facts to accommodate it, yet that’s how our terribly dysfunctional political system has worked for the past four years. One can only draw a perspective out of an interpretation of truth based on the facts, wherever they fall. Without accurate facts, narrative ends up where it is today – anything you want it to be, if you’re willing to torture truth to be what you wish it was. But facts don’t change just because you “believe” something different, and when genuine facts disagree with your narrative, you just look like an ass trying to wage war against it.
Alas, politicians aren’t known for operating in truth. Quite the contrary, politicians are known throughout history to excel at lying. Were this not true, there would be little need for fact checkers in this country. It was quite ironic to see the people doing the fact checking getting roasted by the very reason we need fact checking in the first place. What hubris there must be, in those who govern by our consent to consider themselves ones to lord over the watchers.
As the angst and stir-craziness start to set in from the world suddenly being forced into lockdown, I’ve seen a lot of articles about working from home, by people in all walks of life, from programmers to astronauts. Most of them offer practical beginner advice, like go outside, plan a schedule, etc. etc. That’s all good advice to take in, but after a few weeks, you’re probably realizing there’s a lot more to making this work well. As the reality of our predicament is starting to sink in, it’s important to start thinking about the psychological demands of working from home. I’ve spent the better part of my 25 year career working from home, and when I started thinking about what, if any, wisdom I could share on how to make it work well, found that I’d come up with a lot of the same things I’d already shared in a post two years ago, Living With Depression in Tech. Working at home has some fantastic benefits, but also challenges that go far beyond basic discipline development. Being productive and successful at home comes down to changing your perspective – focusing on the impacts you’re having, believing in what you’re doing, and finding ways to grow and thrive on your own so that you can maintain your drive over the long haul.
Is anyone surprised the Obama-era whistleblower directive put into place actually worked? I bet Edward Snowden is. Not only did it work, but Congress wouldn’t have given it such weight had the information been otherwise leaked in a Snowden or Manning-esque style, nor would the IG have had the chance to acknowledge the information as “credible and urgent”. Historical treatment of whistleblowers has been deplorable, but we also didn’t have these protections in the 70s, when Ellsberg or others could have used them, so the comparison is also irrelevant. Congress, the IC, and the press are taking “extreme measures” to protect the anonymity (and safety) of the whistleblower, and most acknowledge how crucial it is to do so in order to keep a democracy. This is a very different outcome than what Snowden predicted would happen if he’d made an attempt at the proper channels first. While the jury is still out on the hero vs. traitor debate, the fact that these whistleblower procedures undeniably succeeded in bringing things to light can’t be helping Snowden’s image.
Joshua Harris, the author of “I Kissed Dating Goodbye”, recently renounced his faith and apologized for his awful book. I remember when it came out in the late 90’s, and still see the lasting damage it inflicted on two generations of young men and women. Harris ended up creating a toxic culture inside the mainstream church that would take two generations of Christian men back into the dark ages of devaluing women based on their level of sexual indiscretion, and helped fan the flames of homophobia and exclusion. His “sexual prosperity gospel”, as it’s been called, led to a life of guilt and shame for many, and created lasting scars that caused some to abandon their faith or their marriages later on in life.
Christianity teaches that a person’s worth has nothing to do with their sexual history (or orientation), but from Jesus, who was willing to die to reconcile humanity to God. We’re not defined by our sins, and we’re not defined by our past; we are defined by Christ. This is a far cry from the cultish fundamentalist legalism that Harris’s church taught for decades; the purity movement amounted to nothing more than a way for Christians to measure themselves and others up. It’s no surprise that Harris renounced his faith; if the faith he was practicing was grounded in such a flawed understanding of grace and intrinsic human worth, then by any measurement it was not Christianity. The truly sad part is that he convinced millions of Christians to adopt this same world view for more than 20 years, allowing it to hurt a lot of people before it became popular for leaders to finally speak out against it. Sorry, Josh, but an apology doesn’t let you off the hook.
But this failure wasn’t just of Harris’s own making: It was the complete failure of church leaders everywhere in elevating Harris’s status to a Christian leader. Harris was a mere 21 years old, and hadn’t even been to seminary yet when he wrote the book. Rather than rightfully dismissing his book as yet more of the trash writing of that era, the inexperienced youth leaders of that time (many of whom also lacked formal training) saw a way to get kids to act responsibly, without considering the consequences of his legalism. From piecing together accounts online, Harris’s own church reeked of a world of deep-seated problems, including sexual abuse coverup, abuses of power, control and manipulation of their congregation, and legalism running rampant. The church had become so damaging, much of his congregation ended up leaving, and there’s an entire blog dedicated to victims trying to recover from Harris and the rest of his church’s leaders. Indeed, it’s very telling to see the kind of culture his book came out of, and the horrifying fruits of it. When you read that Josh Harris has departed Christianity, this appears by all accounts to be a very good thing for Christianity.
There’s a long held belief in the concept of “leave no trace” when visiting a place, but there’s one very noticeable artifact western tourists have been leaving on Iceland that you unfortunately can’t simply pick up and throw away. With tourism growing 500% in Iceland over the past decade, western tourists have placed higher demands on the country than it’s been capable of adsorbing without affecting the country’s foundations. While the economy in Reykjavik has no doubt experienced a boost, this has come at the expense of cultural and geographical changes that are not necessarily welcome by many Icelanders.
In 2010, the number of international visitors to Iceland was 488,600. As of 2017, that number swelled to 2,224,600. As a result, Iceland built out infrastructure. Significant infrastructure including large excavation efforts to build attractions, tour bus companies, and expansion of roads and bridges. During this period, local economies also adapted by building out their own tourist infrastructure within previously rural, untouched cities. The end result has been a very large tourist industry that has both changed the culture and the face of Iceland to conform more closely to western tourist ideals. Much of this change has been driven from the western sense of tourist entitlement which has changed local economies in many ways that are foreign to Icelanders. Money is a powerful thing, and because the economy has become so dependent on tourism, rather than the fishing and farming industry that Iceland used to depend on, it’s become easy to manipulate a country into change that many otherwise wouldn’t want.
There’s nothing quite as magical as seeing a bright green and pink Aurora Borealis dancing in the sky. One of the world’s most dazzling natural light displays, the Aurora is produced when charged particles from solar winds encounter our atmosphere, penetrating the Earth’s magnetic field, exciting Oxygen and Nitrogen to produce green and pink Auroras, respectively. It’s not only amazing to look at, but occasionally you can even hear it’s static-like pulses. There’s nothing quite like observing the Northern Lights in person, so of course you’re going to want to capture some amazing memories of it. One of the neat things about Aurora photography is that it’s always changing; there’s always a new dance to capture, and plenty of foregrounds to shoot from. My wife and I have been Aurora chasing for several years now, and have captured her over many trips to Norway, Iceland, and New England, with trips to Labrador, Finland, and more of the world on our short list. Along the way, we’ve picked up a few tricks, and gotten some practice in taking astrophotography in between.
We’ve spent the past two years raising our little girl, Lily, so we hadn’t been traveling internationally for while. This past October, we got back out chasing again (with a junior explorer), so I’ve been brushing up on my skills including my skills at developing these photos, which I’ve updated.
I’ve been trying to avoid writing about depression for a while now. Almost nobody in tech wants to talk about things like this. A stigma still very much exists around mental illness, and in tech with all its flaming, trolling, and fragile manhood egos, people have learned to be thick-skinned. It’s taken me years to realize that I never stopped struggling with depression throughout my dysfunctional childhood, and I’ve carried it through my teens and adult life with me. I was diagnosed and medicated as a teen, but didn’t fully understand that it still haunted me, playing the same old record grooves in my brain in adulthood. As my thyroid disease began accelerating, I needed to work even harder to maintain balance or the world would come crashing in. Struggling through my career and relationships, things became easier after I understood what was going on inside of me. I feel a certain responsibility to bring to light what is likely a widespread issue in the tech community.
Depression can manifest itself in various forms for different people, and my story isn’t “everyone’s” story. I can only write from my own personal experiences. Most of this has had lifelong personal struggles unrelated to work, and while one can probably deduce this, the focus of this post is handling professional challenges. You might identify with some of these issues, and that’s great if this post helps, but it also shouldn’t be used for self-diagnosis. Depression has been far worse than the details I’m willing to share publicly, and if you think you may be depressed, you should seek professional counseling.
I have no background in psychology; I’m just sharing what works for me. I have no background in medicine either, and having been on and off medication, I can’t recommend one way or the other. I do know that all medication has its limits, so learning how to cope is an important part to having a complete life plan. At the end of the day, I can’t solve your depression (or mine), but I can share how I’ve coped with it, and won some victories. This is a survival story that hopefully might have some meaningful advice for others.
The current young generation will soon have grown up without ever knowing what it’s like to not have social media. They’re also growing up without a sense of how society was before social media came into play. Whether you use social media or not, it’s likely affected your life because it’s changed how people relate to one another – including you. While there are many good aspects of social media and the concept of bringing people together, there are also many negative changes it’s had on how we relate to one another.
I’ve spent a lot of time observing others and how social media has affected them online over time, and seen the problems it can create. For me personally, I’ve never been happier to be off of social media than the past year or so when I finally ditched Twitter for good. Twitter is a creepy and toxic place, which seems to be exactly what their CEO wants it to be. I found that I didn’t like the person I had to become in order to stay on it. Most social media is a dumpster fire, but Twitter was a particularly awful experience. It simply isn’t worth the stress and distraction in order to relate to a bunch of randos on the Internet whose only goal in life is to cause misery. Social media doesn’t deserve to have the power to change you, but they do. Getting back to the humanity of relationships is almost like waking up from a bad dream: you’d almost forgotten the goodness in what normal relationships with others (professional, friendships, etc.) feels like.
So at the risk of the next generation never knowing what it’s like to have a normal relationship with others, I’ve written down just a few of the things that are important in building friendships and other types of relationships – things social media seems to have endangered… at least, from the perspective of this old Gen-X’er. Writing all of this makes me really miss how people were before social media existed.
I’m pleased to announce that I’ve accepted a position with Apple’s Security Engineering and Architecture team, and am very excited to be working with a group of like minded individuals so passionate about protecting the security and privacy of others.
This decision marks the conclusion of what I feel has been a matter of conscience for me over time. Privacy is sacred; our digital lives can reveal so much about us – our interests, our deepest thoughts, and even who we love. I am thrilled to be working with such an exceptional group of people who share a passion to protect that.
As long as people can be tricked, there will always be phishing (or social engineering) on some level or another, but there’s a lot more that we can do with technology to reduce the effectiveness of phishing, and the number of people falling victim to common theft. Making phishing less effective ultimately increases the cost to the criminal, and reduces the total payoff. Few will argue that our existing authentication technologies are stuck in a time warp, with some websites still using standards that date back to the 1990s. Browser design hasn’t changed very much since the Netscape days either, so it’s no wonder many people are so easily fooled by website counterfeits.
You may have heard of a term called the line of death. This is used to describe the separation between the trusted components of a web browser (such as the address bar and toolbars) and the untrusted components of a browser, namely the browser window. Phishing is easy because this is a farce. We allow untrusted elements in the trusted windows (such as a favicon, which can display a fake lock icon), tolerate financial institutions that teach users to accept any variation of their domain, and use a tiny monochrome font that can make URLs easily mistakable, even if users were paying attention to them. Worse even, it’s the untrusted space that we’re telling users to conduct the trusted operations of authentication and credit card transactions – the untrusted website portion of the web browser!.
Our browsers are so awful today that the very best advice we can offer everyday people is to try and memorize all the domains their bank uses, and get a pair of glasses to look at the address bar. We’re teaching users to perform trusted transactions in a piece of software that has no clear demarcation of trust.
The authentication systems we use these days were designed to be able to conduct secure transactions with anyone online, not knowing who they are, but most users today know exactly who they’re doing business with; they do business with the same organizations over and over; yet to the average user, a URL or an SSL certificate with a slightly different name or fingerprint means nothing. The average user relies on the one thing we have no control over: What the content looks like.
I propose we flip this on its head.
With the current US administration pondering the possibility of forcing foreign travelers to give up their social media passwords at the border, a lot of recent and justifiable concern has been raised about data privacy. The first mistake you could make is presuming that such a policy won’t affect US citizens. For decades, JTTFs (Joint Terrorism Task Forces) have engaged in intelligence sharing around the world, allowing foreign governments to spy on you on behalf of your home country, passing that information along through various databases. What few protections citizens have in their home countries end at the border, and when an ally spies on you, that data is usually fair game to share back to your home country. Think of it as a backdoor built into your constitutional rights. To underscore the significance of this, consider that the president signed an executive order just today stepping up efforts at fighting international crime, which will likely result in the strengthening of resources to a JTTFs to expand this practice of “spying on my brother’s brother for him”. With this, the president also counted the most common crimes – drugs, gangs, racketeering, etc – as matters of “national security”.
Once policies that require surrendering passwords (I’ll call them password policies from now on) are adopted, the obvious intelligence benefit will no doubt inspire other countries to establish reciprocity in order to leverage receiving better intelligence about their own citizens traveling abroad. It’s likely the US will inspire many countries, including oppressive nations, to institute the same password policies at the border. This will ultimately be used to skirt search and seizure laws by opening up your data to forensic collection. In other words, you don’t need Microsoft to service a warrant, nor will the soil your data sits on matter, because it will be a border agent connecting directly your account with special software throug the front door.
I am not a lawyer, and I can’t provide you with legal advice about your rights, or what you can do at a border crossing to protect yourself legally, but I can explain the technical implications of this, as well as provide some steps you can take to protect your data regardless of what country you’re entering. Disclaimer: You accept full responsibility and liability for taking any of this information and using it.
Here are the slides from my talk at Dartmouth College this week; this was a basic introduction / overview of the macOS kernel and how root kits often have fun with the kernel. There’s not much new here, but the deck might be a good introduction for anyone looking to get into develop security tools or conduct security research in macOS. Note: Root kits aren’t exploits; there’s no exploit code in this deck. Sorry!
There are some 21,000 symbols in the macOS kernel, but all but around 3,500 are opaque even to kernel developers. The reasoning behind this was likely twofold: first, Apple is continually making changes and improvements in the kernel, and they probably don’t want kernel developers mucking around with unstable portions of the code. Secondly, kernel dev used to be the wild wild west, especially before you needed a special code signing cert to load a kext, and there were a lot of bad devs who wrote awful code making macOS completely unstable. Customers running such software probably blamed Apple for it, instead of the developer. Apple now has tighter control over who can write kernel code, but it doesn’t mean developers have gotten any better at it. Looking at some commercial products out there, there’s unsurprisingly still terrible code to do things in the kernel that should never be done.
So most of the kernel is opaque to kernel developers for good reason, and this has reduced the amount of rope they have to hang themselves with. For some doing really advanced work though (especially in security), the kernel can sometimes feel like a Fisher Price steering wheel because of this, and so many have found ways around privatized functions by resolving these symbols and using them anyway. After all, if you’re going to combat root kits, you have to act like a root kit in many ways, and if you’re going to combat ransomware, you have to dig your claws into many of the routines that ransomware would use – some of which are privatized.
Today, there are many awful implementations of both malware and anti-malware code out there that resolve these private kernel symbols. Many of them do idiotic things like open and read the kernel from a file, scan memory looking for magic headers, and other very non-portable techniques that risk destabilizing macOS even more. So I thought I’d take a look at one of the good examples that particularly stood out to me. Some years back, Nemo and Snare wrote some good in-memory symbol resolving code that walked the LC_SYMTAB without having to read the kernel from disk, scan memory, or do any other disgusting things, and did it in a portable way that worked on whatever new versions of macOS came out.
Last week, I live tweeted some reverse engineering of the Meitu iOS app, after it got a lot of attention on Android for some awful things, like scraping the IMEI of the phone. To summarize my own findings, the iOS version of Meitu is, in my opinion, one of thousands of types of crapware that you’ll find on any mobile platform, but does not appear to be malicious. In this context, I looked for exfiltration or destruction of personal data to be a key indicator of malicious behavior, as well as performing any kind of unauthorized code execution on the device or performing nefarious tasks… but Meitu does not appear to go beyond basic advertiser tracking. The application comes with several ad trackers and data mining packages compiled into it – which appear to be primarily responsible for the app’s suspicious behavior. While it’s unusually overloaded with tracking software, it also doesn’t seem to be performing any kind of exfiltration of personal data, with some possible exceptions to location tracking. One of the reasons the iOS app is likely less disgusting than the Android app is because it can’t get away with most of that kind of behavior on the iOS platform.