I’ve been reminded of this ancient history a lot in the last year or two as I’ve looked at news around abuse and hostile state activity on Facebook, YouTube and other social platforms, because much like the Microsoft macro viruses, the ‘bad actors’ on Facebook did things that were in the manual. They didn’t prise open a locked window at the back of the building – they knocked on the front door and walked in. They did things that you were supposed to be able to do, but combined them in an order and with malign intent that hadn’t really been anticipated.
It’s also interesting to compare the public discussion of Microsoft and of Facebook before these events. In the 1990s, Microsoft was the ‘evil empire’, and a lot of the narrative within tech focused on how it should be more open, make it easier for people to develop software that worked with the Office monopoly, and make it easier to move information in and out of its products. Microsoft was ‘evil’ if it did anything to make life harder for developers. Unfortunately, whatever you thought of this narrative, it pointed in the wrong direction when it came to this use case. Here, Microsoft was too open, not too closed.
Equally, in the last 10 years – that is is too hard to get your information out and too hard for researchers to pull information from across the platform. People have argued that Facebook was too restrictive on how third party developers could use the platform. And people have objected to Facebook’s attempts to enforce the single real identities of accounts. As for Microsoft, there may well have been justice in all of these arguments, but also as for Microsoft, they pointed in the wrong direction when it came to this particular scenario. For the Internet Research Agency, it was too easy to develop for Facebook, too easy to get data out, and too easy to change your identity. The walled garden wasn’t walled enough.
.. Conceptually, this is almost exactly what Facebook has done: try to remove existing opportunities for abuse and avoid creating new ones, and scan for bad actors.
Microsoft Remove openings for abuse Close down APIs and look for vulnerabilities Close down APIs and look for vulnerabilities Scan for bad behavior Virus and malware scanners Human moderation
(It’s worth noting that these steps were precisely what people had previously insisted was evil – Microsoft deciding what code you can run on your own computer and what APIs developers can use, and Facebook deciding (people demanding that Facebook decide) who and what it distributes.)
- .. If there is no data stored on your computer then compromising the computer doesn’t get an attacker much.
- An application can’t steal your data if it’s sandboxed and can’t read other applications’ data.
- An application can’t run in the background and steal your passwords if applications can’t run in the background.
- And you can’t trick a user into installing a bad app if there are no apps.
Of course, human ingenuity is infinite, and this change just led to the creation of new attack models, most obviously phishing, but either way, none of this had much to do with Microsoft. We ‘solved’ viruses by moving to new architectures that removed the mechanics that viruses need, and where Microsoft wasn’t present.
.. In other words, where Microsoft put better locks and a motion sensor on the windows, the world is moving to a model where the windows are 200 feet off the ground and don’t open.
.. Much like moving from Windows to cloud and ChromeOS, you could see this as an attempt to remove the problem rather than patch it.
- Russians can’t go viral in your newsfeed if there is no newsfeed.
- ‘Researchers’ can’t scrape your data if Facebook doesn’t have your data. You solve the problem by making it irrelevant.
This is one way to solve the problem by changing the core mechanics, but there are others. For example, Instagram does have a one-to-many feed but does not suggest content from people you don’t yourself follow in the main feed and does not allow you to repost into your friends’ feeds. There might be anti-vax content in your feed, but one of your actual friends has to have decided to share it with you. Meanwhile, problems such as the spread of dangerous rumours in India rely on messaging rather than sharing – messaging isn’t a panacea.
Indeed, as it stands Mr Zuckerberg’s memo raises as many questions as it answers – most obviously, how does advertising work? Is there advertising in messaging, and if so, how is it targeted? Encryption means Facebook doesn’t know what you’re talking about, but the Facebook apps on your phone necessarily would know (before they encrypt it), so does targeting happen locally? Meanwhile, encryption in particular poses problems for tackling other kinds of abuse: how do you help law enforcement deal with child exploitation if you can’t read the exploiters’ messages (the memo explicitly talks about this as a challenge)? Where does Facebook’s Blockchain project sit in all of this?
There are lots of big questions, though of course there would also have been lots of questions if in 2002 you’d said that all enterprise software would go to the cloud. But the difference here is that Facebook is trying (or talking about trying) to do the judo move itself, and to make a fundamental architectural change that Microsoft could not.
The world is a very dangerous place!
The country of Iran, as an example, is responsible for a bloody proxy war against Saudi Arabia in Yemen, trying to destabilize Iraq’s fragile attempt at democracy, supporting the terror group Hezbollah in Lebanon, propping up dictator Bashar Assad in Syria (who has killed millions of his own citizens), and much more. Likewise, the Iranians have killed many Americans and other innocent people throughout the Middle East. Iran states openly, and with great force, “Death to America!” and “Death to Israel!” Iran is considered “the world’s leading sponsor of terror.”
On the other hand, Saudi Arabia would gladly withdraw from Yemen if the Iranians would agree to leave. They would immediately provide desperately needed humanitarian assistance. Additionally, Saudi Arabia has agreed to spend billions of dollars in leading the fight against Radical Islamic Terrorism.
After my heavily negotiated trip to Saudi Arabia last year, the Kingdom agreed to spend and invest $450 billion in the United States. This is a record amount of money. It will create hundreds of thousands of jobs, tremendous economic development, and much additional wealth for the United States. Of the $450 billion, $110 billion will be spent on the purchase of military equipment from Boeing, Lockheed Martin, Raytheon and many other great U.S. defense contractors. If we foolishly cancel these contracts, Russia and China would be the enormous beneficiaries – and very happy to acquire all of this newfound business. It would be a wonderful gift to them directly from the United States!
The crime against Jamal Khashoggi was a terrible one, and one that our country does not condone. Indeed, we have taken strong action against those already known to have participated in the murder. After great independent research, we now know many details of this horrible crime. We have already sanctioned 17 Saudis known to have been involved in the murder of Mr. Khashoggi, and the disposal of his body.
Representatives of Saudi Arabia say that Jamal Khashoggi was an “enemy of the state” and a member of the Muslim Brotherhood, but my decision is in no way based on that – this is an unacceptable and horrible crime. King Salman and Crown Prince Mohammad bin Salman vigorously deny any knowledge of the planning or execution of the murder of Mr. Khashoggi. Our intelligence agencies continue to assess all information, but it could very well be that the Crown Prince had knowledge of this tragic event – maybe he did and maybe he didn’t!
That being said, we may never know all of the facts surrounding the murder of Mr. Jamal Khashoggi. In any case, our relationship is with the Kingdom of Saudi Arabia. 1 They have been a great ally in our very important fight against Iran. The United States intends to remain a steadfast partner of Saudi Arabia to ensure the interests of our country, Israel and all other partners in the region. It is our paramount goal to fully eliminate the threat of terrorism throughout the world! 2
I understand there are members of Congress who, for political or other reasons, would like to go in a different direction – and they are free to do so. I will consider whatever ideas are presented to me, but only if they are consistent with the absolute security and safety of America. After the United States, Saudi Arabia is the largest oil producing nation in the world. 3 They have worked closely with us and have been very responsive to my requests to keeping oil prices at reasonable levels – so important for the world. As President of the United States I intend to ensure that, in a very dangerous world, America is pursuing its national interests and vigorously contesting countries that wish to do us harm. Very simply it is called America First!
democracies draw upon the disagreements within their population to solve problems. Different political groups have different ideas of how to govern, and those groups vie for political influence by persuading voters. There is also long-term uncertainty about who will be in charge and able to set policy goals. Ideally, this is the mechanism through which a polity can harness the diversity of perspectives of its members to better solve complex policy problems. When no-one knows who is going to be in charge after the next election, different parties and candidates will vie to persuade voters of the benefits of different policy proposals.
Contrast this with an autocracy. There, common political knowledge about who is in charge over the long term and what their policy goals are is a basic condition of stability. Autocracies do not require common political knowledge about the efficacy and fairness of elections, and strive to maintain a monopoly on other forms of common political knowledge. They actively suppress common political knowledge about potential groupings within their society, their levels of popular support, and how they might form coalitions with each other. On the other hand, they benefit from contested political knowledge about nongovernmental groups and actors in society. If no one really knows which other political parties might form, what they might stand for, and what support they might get, that itself is a significant barrier to those parties ever forming.
This difference has important consequences for security. Authoritarian regimes are vulnerable to information attacks that challenge their monopoly on common political knowledge. They are vulnerable to outside information that demonstrates that the government is manipulating common political knowledge to their own benefit. And they are vulnerable to attacks that turn contested political knowledge — uncertainty about potential adversaries of the ruling regime, their popular levels of support and their ability to form coalitions — into common political knowledge. As such, they are vulnerable to tools that allow people to communicate and organize more easily, as well as tools that provide citizens with outside information and perspectives.
.. For example, before the first stirrings of the Arab Spring, the Tunisian government had extensive control over common knowledge. It required everyone to publicly support the regime, making it hard for citizens to know how many other people hated it, and it prevented potential anti-regime coalitions from organizing. However, it didn’t pay attention in time to Facebook, which allowed citizens to talk more easily about how much they detested their rulers, and, when an initial incident sparked a protest, to rapidly organize mass demonstrations against the regime. The Arab Spring faltered in many countries, but it is no surprise that countries like Russia see the Internet openness agenda as a knife at their throats.
.. Democracies, in contrast, are vulnerable to information attacks that turn common political knowledge into contested political knowledge. If people disagree on the results of an election, or whether a census process is accurate, then democracy suffers. Similarly, if people lose any sense of what the other perspectives in society are, who is real and who is not real, then the debate and argument that democracy thrives on will be degraded. This is what seems to be Russia’s aims in their information campaigns against the US: to weaken our collective trust in the institutions and systems that hold our country together. This is also the situation that writers like Adrien Chen and Peter Pomerantsev describe in today’s Russia, where no one knows which parties or voices are genuine, and which are puppets of the regime, creating general paranoia and despair.
.. In other words, the same fake news techniques that benefit autocracies by making everyone unsure about political alternatives undermine democracies by making people question the common political systems that bind their society.
- .. First, we need to better defend the common political knowledge that democracies need to function. That is, we need to bolster public confidence in the institutions and systems that maintain a democracy.
- Second, we need to make it harder for outside political groups to cooperate with inside political groups and organize disinformation attacks, through measures like transparency in political funding and spending. And finally,
- we need to treat attacks on common political knowledge by insiders as being just as threatening as the same attacks by foreigners.
Flask-Security is an opinionated Flask extension which adds basic security and authentication features to your Flask apps quickly and easily. Flask-Social can also be used to add “social” or OAuth login and connection management.
Flask-Security allows you to quickly add common security mechanisms to your Flask application. They include:
- Session based authentication
- Role management
- Password hashing
- Basic HTTP authentication
- Token based authentication
- Token based account activation (optional)
- Token based password recovery / resetting (optional)
- User registration (optional)
- Login tracking (optional)
- JSON/Ajax Support