
Category Archives: Commentary

If you’ve been following my inane tweets and non-technical blog posts for any length of time since 2015, you likely know the 2016 election cycle broke me more than just a tad, with each subsequent month of the Trump presidency adding a bit more breakage. My brain is constantly trying to make sense of the systems of the world, from the micro (small personal/home things) to the macro (global-scale things). There’s a Marvel character (no, this isn’t about “Cap”), Karnak, whose chief ability is that he can see the flaws in all things, and it’s the closest analogy I can make to how deep down the rabbit hole my brain goes with this global-systems analysis. There’s always been a deep-seated need to grasp the “why” and “how” of any “what” (which, combined with being adept with silicon-laced glowing rectangles, explains the gravitation towards cybersecurity, though all my research scientist mates out there have that same Columbo-esque desire to get to the bottom of things).

I really thought I knew the histories and trajectories of a decent percentage of the “what”s in these world systems, believing that a slew of modern critical events, like Obama’s two-term presidency (to point to just one), were clear signs of the progress society had been making, despite the laundry list of overt divisions and inequities that remain. Even though we’ve lived in a rural Maine town for many years, I was blindsided by the massive public support and normalization of hate, largely based on fear. For some reason, it was easy to dismiss partisan games in Congress as just the way things get done in a suboptimal system. It was too easy to compartmentalize the fact that supposedly decent folks, like my in-laws, hung on every word influencers like Rush Limbaugh and FOX News hosts spewed, thinking that it was just a fringe element feeding off of such tainted information flows.

When signs of the then-impending pandemic first emerged, I naively thought it was going to be a catalyst for positive change. I thought even someone as narcissistic as Trump and his minions would see the need to unite folks under a banner of helping to ensure we protected as many people from the ravages of Covid as possible, and lead a coordinated, global effort to create and distribute treatments and vaccines as quickly as possible. I believed I knew how solid our CDC was, and saw so many talented scientists use their skills to model and explain various outcome paths, based on how we approached the handling of this virus. I knew Bush helped orchestrate an initial modern pandemic playbook and that Obama built upon it, and that it was actually quite good.

Then I saw that we, collectively, just don’t care if scores of people are sickened and/or die. I heard so-called leaders say that the economy is more important than human life; heard entitled citizens say that wearing a piece of cloth or paper over your mouth and nose was too much of a sacrifice to make; read countless stories from even so-called faith leaders that refraining from large indoor gatherings for a while, and periodically, to help ensure we don’t overwhelm our emergency medical systems and crush the healthcare workers in them was Nazi-like oppression. And, I saw the last leader of the free world (since we’ve now permanently ceded that position to random agents of chaos) actively downplay and subvert the crisis, leading millions to follow his lead, which has ultimately led to the impending toll of 1 million needlessly lost lives.

When those signals emerged in March of 2020, the break got a bit worse (picture one of those window or lake-ice cracks that spider out with each additional vibration), as it did with the drumbeat of terrible events of 2020 (of which there were many).

Like I suspect was the case with many readers (assuming there are many readers), I plain-up cried (the good kind) when Biden officially won the 2020 election. I foolishly thought, like so many others, that the sinking ship was at the start of being righted, and we’d be on a slow path towards sailing again.

Then, January 6th, 2021 happened. Since then, I’ve seen state after state vie for the “Most Failed State” top spot. I’ve seen faith leaders and communities give their all to see who can be the worst possible version of themselves. And, I’ve seen even the most stalwart among us declare the pandemic over because they’ve no stamina left to make any effort toward caring for or about the least of us and those who provide medical care to our communities.

Talk about being broken.

We have this term in cybersecurity called “fuzzing”. It’s a technique where you send inputs into an application that it is not really designed to handle (e.g. imagine sending the entirety of Webster’s dictionary to a simple date field), and then doing this repeatedly to see if you can get the application to crash, change expected behavior, or end up in a state where you can compromise it. The events of 2015 through this very day feel like one massive fuzz against all the clear-thinking, decent members of society; and my human operating system just plain crashed.
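For readers who have not seen fuzzing in practice, here is a small mutation fuzzer that does what the paragraph above describes. This is an added example, not code from the original post: the “simple date field” is a deliberately naive parser constructed for the example, the seed input and mutation operators are assumptions, and the harness simply records which exception types the target throws and the shortest input that triggered each one (a real fuzzer would also watch for hangs, memory growth and behavioral changes, not just exceptions).

```python
import random
import string
from datetime import date

MAX_LEN = 4096                 # cap mutated inputs so the fuzzer itself does not run out of memory
ALPHABET = string.printable    # characters the fuzzer is allowed to inject


def parse_date(s: str) -> date:
    """The target: a deliberately naive 'simple date field' (constructed for this example).
    It expects YYYY-MM-DD and performs no length, shape or range checking of its own."""
    y, m, d = s.split("-")
    return date(int(y), int(m), int(d))


def mutate(s: str, rng: random.Random) -> str:
    """Apply one random mutation to an input. The 'bloat' case is the
    'whole dictionary into a date field' scenario from the text."""
    op = rng.randrange(5)
    if op == 0 and s:                       # drop a character
        i = rng.randrange(len(s))
        return s[:i] + s[i + 1:]
    if op == 1:                             # insert a random printable character
        i = rng.randrange(len(s) + 1)
        return s[:i] + rng.choice(ALPHABET) + s[i:]
    if op == 2 and s:                       # replace a character
        i = rng.randrange(len(s))
        return s[:i] + rng.choice(ALPHABET) + s[i + 1:]
    if op == 3:                             # bloat: repeat the input many times
        return (s * rng.randrange(2, 64))[:MAX_LEN]
    # otherwise: pure random garbage, including the empty string
    return "".join(rng.choice(ALPHABET) for _ in range(rng.randrange(0, 32)))


def fuzz(target, seeds, iterations=2000, seed=0):
    """Feed mutated inputs to `target`, returning {exception_type_name: shortest_input}.
    Inputs the target accepts are added to the corpus: they reach deeper program state
    and make better parents for later mutations."""
    rng = random.Random(seed)               # seeded so a run is reproducible
    corpus = list(seeds)
    findings = {}
    for _ in range(iterations):
        candidate = mutate(rng.choice(corpus), rng)
        try:
            target(candidate)
        except Exception as exc:            # a "crash" from the harness's point of view
            name = type(exc).__name__
            if name not in findings or len(candidate) < len(findings[name]):
                findings[name] = candidate
        else:
            if len(corpus) < 256:
                corpus.append(candidate)
    return findings


def reproduces(target, findings) -> bool:
    """Re-run every recorded input and confirm it still raises the recorded exception type."""
    for name, inp in findings.items():
        try:
            target(inp)
        except Exception as exc:
            if type(exc).__name__ != name:
                return False
        else:
            return False
    return True


if __name__ == "__main__":
    found = fuzz(parse_date, ["2021-01-06"], iterations=2000, seed=7)
    for name, inp in found.items():
        print(f"{name}: {inp!r}")
```

Every finding is re-verified by `reproduces()` before it is reported; a fuzzer result that cannot be replayed is noise, not a bug.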

In the spirit of “I can do this all day”, I may have been/be broken, but was/am not content to remain that way.

  • I’ve read more tomes than you would possibly believe if I were to list them out.

  • I’ve listened to so many podcasts that I was expecting Apple’s Health app to counsel me to, perhaps, shut off all audio devices for a month or two.

  • I’ve filled my RSS reader with feeds from exceptionally gifted humans who, too, have been trying to make sense of what has happened and where we are going.

  • (I’ve also prayed, walked, rode (bike), de-screened, socmed sabbaticaled, read more fiction than ever before, and intensified healthy cooking/eating to try to balance out all the bad inputs.)

I’ve done all this because I feel compelled to not only just understand (I actually need to understand), but also help fix this situation we’re in. Selfishly, a large part of that is the desire to leave a better world behind for my kids and our new grandson.

Of late, I’ve seen most of my input sources devolve into the same thing: chronicling the end of America as most modern folks know it. They’ve gone from working to make sense of why/how we got here and what can be done about it to doing the same thing we all pretty much did during 2016-2019: shaking our heads at every bad news item and noting how bat guano crazy the individual behind the bad news was. Not exactly hope-filling. In fact, I could sum things up with two lines from Matchbox 20’s “Back 2 Good”


“And everyone here’s to blame
And everyone here gets caught up in the pleasure of the pain”

A recent entry into the aforementioned tomes was Jeremy W. Peters’ book “Insurgency: How Republicans Lost Their Party and Got Everything They Ever Wanted”. I’ve been a bit more choosy in what “Jan 6” analysis tomes I toss coin at, and was dismayed yet-another reporter was releasing a book, but I listened to the little voice, and dropped an Audible credit on it, and it has been a literal Godsend.

A big reason for remaining broken is that there were many missing (key) system components. You can’t identify the failure modes without seeing the complete system, and Jeremy managed to fill in (most of) those gaps. He did an amazing job going back far enough, and walking through the event trees painstakingly enough, that I could actually feel the puzzle pieces fitting into place. Where there were once clouds, there is now clear sky. Items with chasms between them now have bridges.

Having the systems functionally and nearly fully documented has been immensely therapeutic. It’s astonishing to realize just how many personal mental processing cores had been dedicated to this problem. It’s also all kinds of amazing to have some of the cognitive processor faculties back to do things like code for fun, again.

Since this is not a book review (nor a book itself), I won’t go into each and every component that was made clear. That’s not really the point of this post.

I guess the first point is that if 2015-2022 also broke you in some way, realize you’re not alone. I don’t think anyone was fully (or even partially) prepared for what we all ended up enduring and continue to endure. Hopefully knowing you’re normal, and that we broken folk are legion, will help quell at least that part of being broken.

The second point is that there was a rhyme and reason to how we got to where we are now. It is, perhaps, more of a crass limerick than poetic rhyme, and the reasons aren’t great, but events weren’t random and they did not emerge from nowhere.

The third and last point is that knowing there are “why”s and “how”s to the “what”s means it is possible to work on forging compensating controls (i.e. there can be concrete actions we can take to make things better and set up hedges to prevent us from heading down similar chaotic paths). We’re still not on a great collective path forward, and there’s no magic wand we can wave to make things better. But, we all can make individual and incremental progress in our own ways. For some, like me, it may mean breaking out of some comfort zones to do things you would not normally do. For others, it may be applying aligned talents to triaged areas, doing what you can to make even the smallest thing a tiny bit better. We’re not going to A-bomb our way out of this conflict. It’s going to take a long period of incremental, positive change.

If you’re still working on figuring out what went awry, I highly recommend Jeremy’s book. You can also reach out if you need some personal reassurance that all is not, in fact, lost. Unlike the hopeless ending of the aforenoted Matchbox 20 song, I do, in fact, believe there is a way of “getting back to good” and, for me, that journey starts now.

I close with a heartfelt thank you for the patience and kindness many folks have shown and expressed over this period. You’ve done more than you can possibly know.

(this is an unrolled Twitter thread converted to the blog since one never knows how long content will be preserved anywhere anymore)

It looks like @StackPath (NetCDN[.]com redirects to them) is enabling insurrection-mongers. They’re fronting news[.]parler[.]com .

It seems they (Parler) have a second domain dicecrm[.]com with the actual content, too.

dicecrm[.]com is hosted in @awscloud, so it looks like Parler folks are smarter than Bezos’ minions. Amazon might want to take this down before it gets going (again).

They load JS via @Google tag manager (you can see in the HTML src). The GA_MEASUREMENT_ID is “G-P76KHELPLT

[image: BGP info for the IPs associated with the domain]

In site source screenshot in the first tweet there’s a reference to twexit[.]com. DNS for it shows they also have leftwexit[.]com (which is a very odd site).

"Twexit" is being enabled by @awscloud @GoDaddy and @WordPress/@automattic plus @StackPath.

While the main page has (unsurprisingly) busted HTML, they’re using their old sitemap[.]xml — https://carbon.now.sh/mdyJbvddCvZaGu2tOnD6 — which has a singular recent (whining) entry: http://dicecrm[.]com/updates/facebook-continues-their-confusing-hypocritical-stifling-of-free-speech-

Looks like @Shareaholic is also enabling Parler. Their “shareaholic:site_id” is “f7b53d75b2e7afdc512ea898bbbff585“.

[image: Shareaholic site_id capture]

One of the CDN content refs is this (attached img). It’s loading content for Parler from free[ ]pressers[.]com, which is a pretty nutjob fake news site enabled by @IBMcloud (so IBM is enabling Parler as well). the free[ ]pressers Twitter is equally nutjob.

I suspect Parler is going to keep rejiggering this nutjob-fueled content network knowing that AWS, IBM (et al) won't play whack-a-mole and are really just waiting for our collective memory and attention to fade so they can go back to making $ from divisiveness, greed, & hate.

protip: perhaps not spin up a new FQDN with such hastily-crafted garbage behind it when you know lots of very technically-resourced 👀 are on you.

Originally tweeted by (@hrbrmstr) on 2021-01-29.
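The thread above is built on reading page source by hand: external hosts (CDN, tag manager, image hosts) and embedded tracker identifiers (a GA4 measurement ID, a Shareaholic site_id) tell you who is fronting and instrumenting a site. The script below automates that read. It is an added example, not part of the original thread or any tool the author used; the HTML sample is constructed for the example with placeholder identifiers (none of the real IDs or hosts from the thread), and the ID patterns for GA4/GTM/Universal Analytics are assumptions that cover the common formats rather than an authoritative list.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Identifier formats for common analytics snippets (assumed shapes, not an official spec):
GA4_ID = re.compile(r"\bG-[A-Z0-9]{6,}\b")      # gtag('config', 'G-XXXXXXXX')
GTM_ID = re.compile(r"\bGTM-[A-Z0-9]{4,}\b")    # Google Tag Manager container
UA_ID = re.compile(r"\bUA-\d+-\d+\b")           # legacy Universal Analytics property


class ResourceCollector(HTMLParser):
    """Collect every host referenced by src/href, plus <meta name=...> pairs and inline script text."""

    def __init__(self):
        super().__init__()
        self.hosts = set()
        self.meta = {}
        self.script_text = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
        for key in ("src", "href"):
            if a.get(key):
                host = urlsplit(a[key]).hostname   # handles https://, //host/ and relative paths
                if host:
                    self.hosts.add(host.lower())
        if tag == "meta" and a.get("name") and a.get("content"):
            self.meta[a["name"].lower()] = a["content"]

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.script_text.append(data)


def analyze(html: str, first_party: str) -> dict:
    """Return third-party hosts and tracker identifiers found in page source.
    `first_party` is the registered domain of the site itself; its subdomains are not third-party."""
    p = ResourceCollector()
    p.feed(html)
    third = sorted(h for h in p.hosts if h != first_party and not h.endswith("." + first_party))
    return {
        "third_party_hosts": third,
        "ga4_ids": sorted(set(GA4_ID.findall(html))),
        "gtm_ids": sorted(set(GTM_ID.findall(html))),
        "ua_ids": sorted(set(UA_ID.findall(html))),
        "shareaholic_site_id": p.meta.get("shareaholic:site_id"),
    }


# Constructed sample page (placeholder hosts and IDs; not the real site from the thread).
SAMPLE_HTML = """<!doctype html><html><head>
<meta name="shareaholic:site_id" content="0123456789abcdef0123456789abcdef">
<link rel="dns-prefetch" href="//fonts.googleapis.com">
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE123"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date()); gtag('config', 'G-EXAMPLE123');
</script>
<script src="https://cdn.example-cdn.net/assets/app.js"></script>
</head><body>
<img src="https://images.example-news.com/hero.jpg">
<a href="/updates/post-1">post</a>
<script src="/js/local.js"></script>
</body></html>"""

if __name__ == "__main__":
    for k, v in analyze(SAMPLE_HTML, "example-news.com").items():
        print(f"{k}: {v}")
```

Feeding the fetched source of a page into `analyze()` gives you the same list the thread assembled by hand, and the tracker IDs are useful pivots: the same GA4 or Shareaholic identifier appearing on a second, differently-named domain is strong evidence of shared operation.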

(Leading this with the periodic warning/reminder that this blog occasionally breaks from technical content and has category-based RSS feeds which can be used to ensure one never see non-technical content.)

Every decent human (which excludes 74,222,958 🇺🇸 who voted for this, now 100% undeniable, traitor) with knowledge of this past week’s tragic events is likely still processing — and will be for a while — what happened; I am no exception. The Feedly board I set up to save content I’ve been poring over has 113 articles in it, so far.

Different aspects of the costume-clad, treasonous chaos have hit me daily, if not hourly.

Two newspaper paragraphs, each one about a different victim, have bubbled up to surface thoughts more often than much of the other stories of the week.

One is about Erin Schaff, a brave, talented journalist from the New York Times:

Grabbing my press pass, they saw that my ID said The New York Times and became really angry. They threw me to the floor, trying to take my cameras. I started screaming for help as loudly as I could. No one came. People just watched. At this point, I thought I could be killed and no one would stop them. They ripped one of my cameras away from me, broke a lens on the other and ran away. [NYTimes]

No one came.

People just watched.

While I am deeply shocked, outraged, and saddened by what happened to Erin, I am not surprised, given that the President of the United States wants journalists to be executed for regularly giving his 2017-2020 reality show bad reviews by stating undeniable facts. Furthermore, he has continually cultivated disdain and hatred for the media in his regiment of cult followers.

Erin is lucky to be alive, even if that means living in the ruins of a failed, so-called democracy.

President Trump is responsible for Erin’s assault, and he is going to get away with it.

The other is about Ashli Babbitt, the troubled insurrectionist who died assaulting the Capitol:

With help from someone who hoisted her up, Babbitt began to step through a portion of the door where the glass had been broken out. An officer on the other side, who was wearing a suit and a surgical mask, immediately shot Babbitt in the neck. She fell to the floor. [WaPo]

After the February 2020 impeachment proceedings failed to do anything substantive, the President boasted of feeling “untouchable”; and, at a campaign rally in 2016, then Republican presidential candidate Trump boasted that he could “shoot somebody and not lose any voters.”

Trump has taken the lives of hundreds of thousands of Americans. And, while the gun wasn’t in his stubby hand, he is fully responsible for this woman’s shooting and death.

So, Trump was right: he is going to get away with it.

Mike Pence, Ted Cruz, Josh Hawley, Lindsey Graham, Susan Collins, Mitch McConnell, and a few hundred other evil, self-serving, elected cowards are all unindicted co-conspirators to Erin’s assault and Ashli’s death, as are countless “news” and talk show hosts.

Beyond what happened to these two women, this traitorous cabal also helped orchestrate this week’s current crescendo to Trump’s term in office.

I say “current” because there’s a non-zero chance of increased violence and bloodshed before January 20th despite Trump being deplatformed.

I have lost all hope that Trump will face any tangible consequences for his actions, which will only serve to embolden other wanna-be dictators like Cruz and Hawley.

What’s worse is that even after Biden’s victory was finally 100% sealed and one of America’s most cherished institutions was ransacked, the Trump supporters near me (rural-ish Maine) still, proudly, have their 2020 Trump campaign signs up and were very likely laughing and cheering the insurrection while Erin was being assaulted and Ashli’s life was ebbing away.

Even the Court Evangelicals have doubled-down in their support of Trump.

I (literally) pray I’m wrong, but it seems inevitable that the violence and bloodshed will continue through and after the 20th. As Biden tries to (also, literally) heal America by bringing science-fueled, centralized, enforced standards to quell the carnage of Covid, we will very likely and regularly see regional repeats of this week’s contemptible acts. As he and his administration attempt to right the many, many wrongs of the past four years (and more), these necessary actions will further push the ilk of this week to regularly manifest their entitlement-fueled rage.

Nos autem non in antebellum; bella iam inceperat.

NOTE: There’s a unique feed URL for R/tech stuff — https://rud.is/b/category/r/feed/. If you hit the generic “subscribe” button b/c the vast majority of posts have been on that, this isn’t one of those posts and you should probably delete it and move on with more important things than the rantings of a silly man with a Captain America shield.


The last 4+ years — especially the last ~10 months — had taken a bigger personal toll than I realized. I spent much of President-Elect Joseph R. Biden Jr.’s and Vice President-elect Kamala Harris’ first speeches as duly & honestly selected leaders of this nation unabashedly tear-filled. The wave of relief was overwhelming. Hearing kind, vibrant, uplifting, and articulately + professionally delivered words was like the finest symphonic production compared to the ALL CAPS productions that we’ve been forced to consume for so long.

The outgoing (perhaps a new neologism — “unpresidented” — should be used since so much of what this person did was criminally unprecedented) loser did damage our nation severely, but I’m ashamed to admit just how much damage I let him and those that support and detract him do to me.

President-elect Biden said this as part of his speech last night:

And to those who voted for President Trump, I understand your disappointment tonight.

I’ve lost a couple of elections myself.
But now, let’s give each other a chance.

It’s time to put away the harsh rhetoric.

To lower the temperature.

To see each other again.

To listen to each other again.

To make progress, we must stop treating our opponents as our enemy. We are not enemies. We are Americans.

The Bible tells us that to everything there is a season — a time to build, a time to reap, a time to sow. And a time to heal.

He went on to say:

Let this grim era of demonization in America begin to end — here and now.

The refusal of Democrats and Republicans to cooperate with one another is not due to some mysterious force beyond our control.

It’s a decision. It’s a choice we make.

And, still, further on:

We stand again at an inflection point.

We have the opportunity to defeat despair and to build a nation of prosperity and purpose.
We can do it. I know we can.

I’ve long talked about the battle for the soul of America.

We must restore the soul of America.

Our nation is shaped by the constant battle between our better angels and our darkest impulses.

It is time for our better angels to prevail.

What President-elect Biden did was socially engineer a Matthew 18:21-35 on me/us since what he’s calling on us (me) to do is forgive.

Forgive the Resident in Chief.

Forgive his supporters.

Forgive the right and left radicals whose severely flawed agendas have brought us to the brink of yet-another antebellum.

Forgive the Evangelicals who sold out American Christianity for a chance to be court evangelicals and wield even greater earthly power than they already did.

Forgive owners of establishments and organizations that showed support for MAGA and the outgoing POTUS.

Forgive the extended family on my spouse’s side who proudly supported and still support what is obviously evil.

And, forgive myself for — amongst a myriad of other things — just how un-Christ-like my hate, disdain, and despair has increasingly consumed myself and my words/actions over the past 4+ years.

I wish I could say I’m eager to do this. I am not. The self-righteous, smug, superior hate and disdain feels pretty good, doesn’t it? It’s kinda warm and fiery in a wretched country bourbon sort of way. It feels soothingly justified, too, doesn’t it? I mean, hundreds of thousands of living, breathing, amazing humans in America died directly because of “these people” (ah, how comforting acerbic tribal terminology can be), didn’t they? How can I possibly forgive that?

Fortunately — yes, fortunately — I have to, and if you’re still reading this and feel similarly to the preceding paragraph, I would strongly suggest you have to as well.

I have to because it is the foundation of my Faith (which I seem to have let evil convince me to forget for a while) and because it’s a cancer that will eventually subsume me if I let it (and I already beat physical cancer once, so I’m not letting a spiritual, emotional, and intellectual one win either).

We all have to — on all sides, since “right” and “left” are far too large buckets — if Joe and Kamala have even a remote chance to lead America into healing.

Now, I am not naive. The road ahead is long and fraught with peril. We are a deeply divided nation. Repair will take decades if it happens at all.

I’ll start by striving to take Colossians 3:12-17 more seriously and faithfully than I have ever taken it before and be ready to perform whatever actions are necessary to help this be a time for myself and our nation to heal.

I say “strive” as I had planned to conclude with some “I forgive…”s, but I quite literally cannot type anything but ellipses after those two words yet. Hopefully it won’t take too long to get past that for most of the above list. I’m not sure forgiving the last item on it will happen any time soon, though.

Stay safe. Wear a mask. Be kind.

I’ve changed my years-long avatar to the blue Cap’ shield because the colors of our flag have no business being displayed in any venue until Donald Trump is no longer President (one way or another). The red/white/blue triad has been coopted by an authoritarian, sociopathic puppet and is now a symbol of fear, greed, hate, and evil. I refuse to be associated with it until the principles it is supposed to stand for are even remotely embodied by those who serve our country. I would like to hope that is in mid-January 2021, but I’m not optimistic we’ll have a peaceful change of power.

Be safe. Be well. Be an ally.

I pen this mini-tome on “GDPR Enforcement Day”. The spirit of GDPR is great, but it’s just going to be another Potemkin Village in most organizations, much like PCI or SOX. For now, the only thing GDPR has done is made GDPR consulting companies rich, increased the use of JavaScript on web sites so they can pop up useless banners we keep telling users not to click on, and increased the size of email messages to include mandatory postscripts (that should really be at the beginning of the message, but, hey, faux privacy is faux privacy).

Those are just a few of the “unintended consequences” of GDPR. Just like Let’s Encrypt & “HTTPS Everywhere” turned into “Let’s Enable Criminals and Hurt Real People With Successful Phishing Attacks”, GDPR is going to cause a great deal of downstream issues that either the designers never thought of or decided — in their infinite, superior wisdom — were completely acceptable to make themselves feel better.

Today’s installment of “GDPR Unintended Consequences” is WordPress.

WordPress “powers” a substantial part of the internet. As such, it is a perma-target of attackers.

Since the GDPR Intelligentsia provided a far-too-long lead-time on both the inaugural and mandated enforcement dates for GDPR and also created far more confusion with the regulations than clarity, WordPress owners are flocking to “single button install” solutions to make them magically GDPR compliant (#protip that’s not “a thing”). Here’s a short list of plugins and active installation counts (no links since I’m not going to encourage attack surface expansion):

  • WP GDPR Compliance : 50,000+ active installs
  • GDPR : 10,000+ active installs
  • The GDPR Framework : 6,000+ installs
  • GDPR Cookie Compliance : 10,000+ active installs
  • GDPR Cookie Consent : 200,000+ active installs
  • WP GDPR : 4,000 active installs
  • Cookiebot | GDPR Compliant Cookie Consent and Notice : 10,000+ active installations
  • GDPR Tools : 500+ active installs
  • Surbma — GDPR Proof Cookies : 400+ installs
  • Social Media Share Buttons & Social Sharing Icons (which “enhanced” GDPR compatibility) : 100,000+ active installs
  • iubenda Cookie Solution for GDPR : 10,000+ active installs
  • Cookie Consent : 100,000+ active installs

I’m somewhat confident that a fraction of those publishers follow secure coding guidelines (it may be a small fraction). But, if I were an attacker, I’d be poking pretty hard at a few of those with six-figure installs to see if I could find a usable exploit.

GDPR just gave attackers a huge footprint of homogeneous resources to attempt at-scale exploits. They will very likely succeed (over-and-over-and-over again). This means that GDPR just increased the likelihood of losing your data privacy…the complete opposite of the intent of the regulation.

There are more unintended consequences and I’ll pepper the blog with them as the year and pain progresses.

Since I just railed against Congress for being a bit two-faced about privacy I thought some rud.is site disclosure would be in order.

At present, third-party tracking is limited to:

  • Something in my WordPress configuration adding a DNS pre-fetch for fonts.googleapis.com. There are a few other DNS pre-fetches that I’m also going to try to eradicate (but that aren’t showing up in my uBlock Origin report, likely due to /etc/hosts blocks);
  • Gravatar (which displays logos near comment author names). I’m torn on this one but Gravatar is owned by Automattic (who owns WordPress). See next bullet on that;
  • WordPress. Vain site stats tracking, JetPack uptime warnings and some other WordPress pings happen (including some automatic short-linking) as well as the previous bullet bits. I’m not likely going to do the site surgery necessary to stop this but you have full disclosure and can easily avoid pings to those sites via uBlock Origin site-specific rules;
  • SendPulse; I’m running an experiment on user behaviours when it comes to authorizing web notifications (and I just kinda ruined said experiment). I’ll be disabling it later this year (after a full year of it being on so I can have more than just a few sentences to say).

The above came from an in-browser uBlock Origin report.

I ran a splashr::render_har() — which is how I measured things for the Congressional privacy post — on one of my pages and this is the result:

tld                 n
1 rud.is           67
2 wp.com           21
3 gravatar.com      6
4 wordpress.com     3
5 w.org             3
6 sendpulse.com     2

Props on WordPress capturing w.org! I’m still ticked Microsoft stole bob.com from me ages ago.

As you can see, most resources load from my site and none come from Twitter, Facebook or Google Plus.

I run WordPress for a ton of reasons too long to go into for this post, so I’m likely not going to change anything about that list (apart from the DNS pre-fetching).

Hopefully that will abate any concerns visitors might have, especially after reading the post about Congress.

I apologize up-front for using bad words in this post.

Said bad words include “Facebook”, “Mark Zuckerberg” and many referrals to entities within the U.S. Government. Given the topic, it cannot be helped.

I’ve also left the R tag on this despite only showing some ggplot2 plots and Markdown tables. See the end of the post for how to get access to the code & data. R was used solely and extensively for the work behind the words.


This week Congress put on a show as they summoned the current Facebook CEO — Mark Zuckerberg — down to Washington, D.C. to demonstrate how little most of them know about how the modern internet and social networks actually work plus chest-thump to prove to their constituents they really and truly care about you.

These Congress-critters offered such proof in the guise of railing against Facebook for how they’ve handled your data. Note that I should really say our data since they do have an extensive profile database on me and most everyone else even if they’re not Facebook platform users (full disclosure: I do not have a Facebook account).

Ostensibly, this data-mishandling impacted your privacy. Most of the committee members wanted any constituent viewers to come away believing they and their fellow Congress-critters truly care about your privacy.

Fortunately, we have a few ways to measure this “caring” and the remainder of this post will explore how much members of the U.S. House and Senate care about your privacy when you visit their official .gov web sites. Future posts may explore campaign web sites and other metrics, but what better place to show they care about you than right there in their digital houses.

Privacy Primer

When you visit a web site with any browser, the main URL pulls in resources to aid in the composition and functionality of the page. These could be:

  • HTML (the main page is very likely HTML unless it’s just a media URL)
  • images (png, jpg, gif, “svg”, etc),
  • fonts
  • CSS (the “style sheet” that tells the browser how to decorate and position elements on the page)
  • binary objects (such as embedded PDF files or “protocol buffer” content)
  • XML or JSON
  • JavaScript

(plus some others)

When you go to, say, www.example.com the site does not have to load all the resources from example.com domains. In fact, it’s rare to find a modern site which does not use resources from one or more third party sites.

When each resource is loaded (generally) some information about you goes along for the ride. At a minimum, the request time and source (your) IP address are exposed and — unless you’re really careful/paranoid — the referring site, browser configuration and even cookies are also available to the third-party sites. It does not take many of these data points to (pretty much) uniquely identify you. And, this is just for “benign” content like images. We’ll get to JavaScript in a bit.

As you move along the web, these third-party touch-points add up. To demonstrate this, I did my best to de-privatize my browser and OS configuration and visited 12 web sites while keeping a fresh install of Firefox Lightbeam running. Here’s the result:

Each main circle is a distinct/main site and the triangles are resources the site tried to load. The red triangles indicate a common third-party resource that was loaded by two or more sites. Each of those red triangles knows where you’ve been (again, unless you’ve been very careful/paranoid) and can use that information to enhance their knowledge about you.

It gets a bit worse with JavaScript content since a much stronger fingerprint can be created for you (you can learn more about fingerprints at this spiffy EFF site). Plus, JavaScript code can try to pilfer cookies, “hack” the browser, serve up malicious adverts, measure time-on-site, and even enlist you in a cryptomining army.

There are other issues with trusting loaded browser content, but we’ll cover that a bit further into the investigation.

Measuring “Caring”

The word “privacy” was used over 100 times each day by both Zuckerberg and our Congress-critters. Senators and House members made it pretty clear Facebook should care more about your privacy. Implicit in said posit is that they, themselves, must care about your privacy. I’m sure they’ll be glad to point out all along the midterm campaign trails just how much they’re doing to protect your privacy.

We don’t just have to take their word for it. After berating Facebook’s chief college dropout and chastising the largest social network on the planet we can see just how much of “you” these representatives give to Facebook (and other sites) and also how much they protect you when you decide to pay them[] [] a digital visit.

For this metrics experiment, I built a crawler using R and my splashr package which, in turn, uses ScrapingHub’s open source Splash. Splash is an automation framework that lets you programmatically visit a site just like a human would with a real browser.

Normally when one scrapes content from the internet they’re just grabbing the plain, single HTML file that is at the target of a URL. Splash lets us behave like a browser and capture all the resources — images, CSS, fonts, JavaScript — the site loads and will also execute any JavaScript, so it will also capture resources each script may itself load.

By capturing the entire browser experience for the main page of each member of Congress we can get a pretty good idea of just how much each one cares about your digital privacy, and just how much they secretly love Facebook.

Let’s take a look, first, at where you go when you digitally visit a Congress-critter.

Network/Hosting/DNS

Each House and Senate member has an official (not campaign) site that is hosted on a .gov domain and served up from a handful of IP addresses across the following (n is the number of Congress-critter web sites):

ASN       Organization (ASO)                   n
AS5511    Orange                             425
AS7016    Comcast Cable Communications, LLC   95
AS20940   Akamai International B.V.           13
AS1999    U.S. House of Representatives        6
AS7843    Time Warner Cable Internet LLC       1
AS16625   Akamai Technologies, Inc.            1

“Orange” is really Akamai and Akamai is a giant content delivery network which helps web sites efficiently provide content to your browser and can offer Denial of Service (DoS) protection. Most sites are behind Akamai, which means you “touch” Akamai every time you visit the site. They know you were there, but I know a sufficient body of folks who work at Akamai and I’m fairly certain they’re not too evil. Virtually no representative solely uses House/Senate infrastructure, but this is almost a necessity given how easy it is to take down a site with a DoS attack and how polarized politics is in America.

To get to those IP addresses, DNS names like www.king.senate.gov (one of the Senators from my state) need to be translated to IP addresses. DNS queries are also data gold mines, and everyone from your ISP to the DNS server that knows the name-to-IP mapping likely sees your IP address. Here are the DNS servers that serve up the directory lookups for all of the House and Senate domains:

nameserver gov_hosted
e4776.g.akamaiedge.net. FALSE
wc.house.gov.edgekey.net. FALSE
e509.b.akamaiedge.net. FALSE
evsan2.senate.gov.edgekey.net. FALSE
e485.b.akamaiedge.net. FALSE
evsan1.senate.gov.edgekey.net. FALSE
e483.g.akamaiedge.net. FALSE
evsan3.senate.gov.edgekey.net. FALSE
wwwhdv1.house.gov. TRUE
firesideweb02cc.house.gov. TRUE
firesideweb01cc.house.gov. TRUE
firesideweb03cc.house.gov. TRUE
dchouse01cc.house.gov. TRUE
c3pocc.house.gov. TRUE
ceweb.house.gov. TRUE
wwwd2-cdn.house.gov. TRUE
45press.house.gov. TRUE
gopweb1a.house.gov. TRUE
eleven11web.house.gov. TRUE
frontierweb.house.gov. TRUE
primitivesocialweb.house.gov. TRUE

Akamai kinda does need to serve up DNS for the sites they host, so this list also makes sense. But, you’ve now had two touch-points logged and we haven’t even loaded a single web page yet.

Safe? & Secure? Connections

When we finally make a connection to a Congress-critter’s site, it is going to be over SSL/TLS. They all support it (which is good, but SSL/TLS confidentiality is not as bullet-proof as many “HTTPS Everywhere” proponents would like to con you into believing). However, I took a look at the SSL certificates for House and Senate sites. Here’s a sampling from, again, my state (one House representative):

The *.house.gov “Common Name (CN)” is a wildcard certificate. Many SSL certificates have just one valid CN, but it’s also possible to list alternate, valid “alt” names that can all use the same, single certificate. Wildcard certificates ease the burden of administration but it also means that if, say, I managed to get my hands on the certificate chain and private key file, I could setup vladimirputin.house.gov somewhere and your browser would think it’s A-OK. Granted, there are far more Representatives than there are Senators and their tenure length is pretty erratic these days, so I can sort of forgive them for taking the easy route, but I also in no way, shape or form believe they protect those chains and private keys well.

In contrast, the Senate can and does embed the alt-names:

Are We There Yet?

We’ve got the IP address of the site and established a “secure” connection. Now it’s time to grab the index page and all the rest of the resources that come along for the ride. As noted in the Privacy Primer (above), the loading of third-party resources is problematic from a privacy (and security) perspective. Just how many third party resources do House and Senate member sites rely on?

To figure that out, I tallied up all of the non-.gov resources loaded by each web site and plotted the distribution of House and Senate (separately) in a “beeswarm” plot with a boxplot shadowing underneath so you can make out the pertinent quantiles:

As noted, the median is around 30 for both House and Senate member sites. In other words, they value your browsing privacy so little that most Congress-critters gladly share your browser session with many other sites.

We also talked about confidentiality above. If an https site loads http resources, the contents of what you see on the page cannot be guaranteed. So, how responsible are they when it comes to at least ensuring these third-party resources are loaded over https?

You’re mostly covered from a pseudo-confidentiality perspective, but what are they serving up to you? Here’s a summary of the MIME types being delivered to you:

MIME Type Number of Resources Loaded
image/jpeg 6,445
image/png 3,512
text/html 2,850
text/css 1,830
image/gif 1,518
text/javascript 1,512
font/ttf 1,266
video/mp4 974
application/json 673
application/javascript 670
application/x-javascript 353
application/octet-stream 187
application/font-woff2 99
image/bmp 44
image/svg+xml 39
text/plain 33
application/xml 15
image/jpeg, video/mp2t 12
application/x-protobuf 9
binary/octet-stream 5
font/woff 4
image/jpg 4
application/font-woff 2
application/vnd.google.gdata.error+xml 1

We’ll cover some of these in more detail a bit further into the post.

Facebook & “Friends”

Facebook started all this, so just how cozy are these Congress-critters with Facebook?

Turns out that both Senators and House members are very comfortable letting you give Facebook a love-tap when you come visit their sites since over 60% of House and 40% of Senate sites use 2 or more Facebook resources. Not all Facebook resources are created equal[ly evil] and we’ll look at some of the more invasive ones soon.

Facebook is not the only devil out there. I added in the public filter list from Disconnect and the numbers go up from 60% to 70% for the House and from 40% to 60% for the Senate when it comes to a larger corpus of known tracking sites/resources.

Here’s a list of some (first 20) of the top domains (with one of Twitter’s media-serving domains taking the individual top-spot):

Main third-party domain # of ‘pings’ %
twimg.com 764 13.7%
fbcdn.net 655 11.8%
twitter.com 573 10.3%
google-analytics.com 489 8.8%
doubleclick.net 462 8.3%
facebook.com 451 8.1%
gstatic.com 385 6.9%
fonts.googleapis.com 270 4.9%
youtube.com 246 4.4%
google.com 183 3.3%
maps.googleapis.com 144 2.6%
webtrendslive.com 95 1.7%
instagram.com 75 1.3%
bootstrapcdn.com 68 1.2%
cdninstagram.com 63 1.1%
fonts.net 51 0.9%
ajax.googleapis.com 50 0.9%
staticflickr.com 34 0.6%
translate.googleapis.com 34 0.6%
sharethis.com 32 0.6%

So, when you go to check out what your representative is ‘officially’ up to, you’re being served…up on a silver platter to a plethora of sites where you are the product.

It’s starting to look like Congress-folk aren’t as sincere about your privacy as they may have led us all to believe this week.

A [Java]Script for Success[ful Privacy Destruction]

As stated earlier, not all third-party content is created equally malicious. JavaScript resources run code in your browser on your device and while there are limits to what it can do, those limits diminish weekly as crafty coders figure out more ways to use JavaScript to collect information and perform shady or malicious deeds.

So, how many House/Senate sites load one or more third-party JavaScript resources?

Virtually all of them.

To make matters worse, no .gov or third-party resource of any kind was loaded using subresource integrity validation. Subresource integrity validation means that the site owner — at some point — ensured that the resource being loaded was not malicious and then created a fingerprint for it and told your browser what that fingerprint is so it can compare it to what got loaded. If the fingerprints don’t match, the content is not loaded/executed. Using subresource integrity is not trivial since it requires a top-notch content management team and failure to synchronize/checkpoint third-party content fingerprints will result in resources failing to load.

Congress was quick to demand that Facebook implement stronger policies and controls, but they, themselves, cannot be bothered.

Future Work

There are plenty more avenues to explore in this data set (such as “security headers” — they all 100% use strict-transport-security pretty well, but are deeply deficient in others) and more targets for future works, such as the campaign sites of House and Senate members. I may follow up with a look at a specific slice from this data set (the members of the committees who were berating Zuckerberg this week).

The bottom line is that while the beating Facebook took this week was just, those inflicting the pain have a long way to go themselves before they can truly judge what other social media and general internet sites do when it comes to ensuring the safety and privacy of their visitors.

In other words, “Legislator, regulate thyself” before thy regulatists others.

FIN

Apart from some egregiously bad (or benign) examples, I tried not to “name and shame”. I also won’t answer any questions about facets by party since that really doesn’t matter too much as they’re all pretty bad when it comes to understanding and implementing privacy and safety on their sites.

The data set can be found over at Zenodo. I converted the R data frame to ndjson/streaming JSON/jsonlines (however you refer to the format) and tested it out in Apache Drill.

I’ll toss up some R code using data extracts later this week (meaning by April 20th).
