Implications of the Bulgarian National Anthem for Information Security

How did the Puerto Rican reggaeton mega-hit “Despacito” become the national anthem of Bulgaria? For at least a few days in October 2017, Apple’s digital assistant Siri offered this Luis Fonsi-Daddy Yankee collaboration as the answer to the query “What’s the national anthem of Bulgaria?” Somewhere deep down in Apple’s knowledge graph that powers Siri’s “intelligence” this erroneous key-value pairing was made available to millions of Siri users around the globe. Technical infrastructures of enormous scale and consequence like Siri depend on data of uncertain provenance and quality, but these data assuredly include peer production platforms like Wikipedia, WikiData, and OpenStreetMap. The under-acknowledged dependence upon and interoperability of peer production platforms’ data in other socio-technical infrastructures is a vastly under-appreciated threat vector: what goes into Wikipedia is uncritically refracted and amplified through a complex web of seemingly unrelated technologies.

I am writing this in mid-March as revelations about the relationship between Cambridge Analytica, Facebook, and foreign influence in the 2016 U.S. election raise questions about the technical and ethical boundaries of securing users’ private information on massive platforms. Twitter published a request for proposals to improve “conversational health” after admitting its platform has enabled “abuse, harassment, troll armies, manipulation, misinformation campaigns, and echo chambers.” YouTube CEO Susan Wojcicki announced at SXSW that Wikipedia content would appear as de-biasing attempts alongside conspiracy videos. Peer-produced data sources have been a boon for training the complex artificial intelligence infrastructures that power conversational agents like Siri, deep learning models used for translating text, and supporting basic data fusion and labeling tasks for data scientists everywhere. While Wikipedia has stronger norms around neutrality, verifiability, and civility and better governance models than other social platforms, it is far from perfect: its user base is profoundly unrepresentative, which results in content that reproduces biases about gender, ethnicity, geography, and time.

Socio-technical systems like Wikipedia are designed around the assumption that the motivations and contexts for contributions are constant over time. But many social systems exhibit “burstiness” characterized by short timeframes of intense activity followed by long times of low activity. Activity bursts in systems like Wikipedia are not edge cases, but responsible for significant fractions of total information production and consumption. Knowing who, what, when, where, why, and how peer-produced knowledge is produced and consumed around information-seeking bursts will enable powerful applications. However, WikiData can also be manipulated to destabilize technologies that are built upon it by injecting false information that is rapidly ingested and propagated. The pervasiveness and interoperability of peer-produced data in other socio-technical infrastructures are introducing new opportunities and risks. Understanding the practices and consequences of high-tempo collaborations will inform the design of “anticipatory infrastructures” to generate resilient responses against implicit biases of peer production systems as well as coordinated misinformation campaigns. Luis Fonsi sang, “tú eres el imán y yo soy el metal”; if peer production platforms are a magnet, who are the metals being attracted to them?

How to transfer Google’s 2-factor authentication to a new iPhone in 14 easy steps

I just got a new iPhone 7. It’s much faster, has eight times the space, and takes marginally better low-light photos compared to my 4-year-old iPhone 5. Living a mile above sea level also leaves me wondering if I’ll ever need the water-resistant functionality.

Nevertheless, migrating all the settings and logins over is never fun, especially onerous but important security features like 2-factor authentication for important services like Google. Given the crucial importance of 2-factor for securing devices and accounts, Google’s current implementation of migrating two-factor to a new phone is simply unacceptable. I spent nearly an hour trying to match out-of-date documentation with important settings hidden in the user interface. With 79 million new iPhones forecast to be sold between September and December, and with >50% of them (I’d guesstimate) having Google accounts as well, I am confident that most other people have neither the time nor the patience to figure this all out themselves. Why transitioning isn’t vastly simpler is a question best left to security usability experts, but Google’s current terrible implementation all but guarantees that there will be thousands or millions of people who will opt out of using 2-factor because this transition is simply too difficult and poorly documented.

How to migrate your Google Authenticator to a new iPhone in 14 easy steps.

  1. You’ll need your Authenticator app on your old phone or backup codes to get into your account as well as a “real” computer (desktop or laptop) to do this. If you thought you could get away with managing this on just two mobile devices, that’s adorable.
  2. In any Google service, click on your name in the top right. In the drop-down, select “My Account”.
  3. At this point you’re scratching your head wondering where the “Security” button or “Settings” selections are as the documentation glibly intones. Don’t worry, they’re not anywhere to be found and your hold on reality hasn’t slipped yet! Select “Signing in to Google”.
  4. Select “2-step verification”. You’ll probably be asked to log in and enter a 2-factor code again from your old device or backup codes. Try not to tear up thinking about how this may be one of the last times you ever gaze upon this screen.
  5. Once you’re in, select the teeny tiny pencil on the right-hand side of the “Authenticator app (Default)” box to edit these settings. For the love of god, don’t click anywhere but the progress buttons in the subsequent screens or you’ll get to start over at square one right here.
  6. The naive reader might expect that where the documentation says “Move to a different phone”, there would be a button labelled “Move to a different phone.” This is not a valid assumption. You have to select “Change” instead. What does it change? We don’t know until we click on it!
  7. If you’re using an iPhone like me, select “iPhone”. I’m guessing if you use an Android you should select “Android”. I can’t rule out it also opening a portal into a hellscaped alternative timeline, so proceed with caution.
  8. Now a QR code will show up on the screen. You’ve probably seen these on low-rent billboards or dubious business cards before, but now you’re actually going to interact with one. Don’t you dare click on anything yet.
  9. On your new phone, launch the Authenticator app and select “Begin Setup” in tiny font at the bottom of the screen beneath the gigantic banner that conveys absolutely no information about this 14-step process you’re just over halfway through now.
  10. Select “Scan barcode” also in tiny font at the bottom. At this point you may also be barraged with requests for the app to use your camera, all of which you should accept just like you do for every other application. Unfortunately Authenticator will not notify you when you’ve matched with another hot single in the area.
  11. Now point your phone’s camera at your computer screen so it can capture the barcode. Yes, it’s simultaneously thrilling, infuriating, and will make you look like an idiot to any passers-by.
  12. A six-digit number should pop up on your phone if you’re successful. If you’re not, you always have the option of going back to Step 8 and figuring out how the “Can’t Scan” choose your own adventure option ends (hint: with you getting to manually enter a 16-digit alphanumeric key!).
  13. Going back to your desktop computer, enter the six-digit code on your phone into the field. Pretend you’re a spy since the number is only good for something like 30 seconds and flashes and turns red when you’re running out of time. It’s the small touches like this that make this simple process so much less stressful.
  14. Assuming you didn’t make any errors in a process that involved you switching contexts between three different screens and entering time-sensitive random numbers into easily-closed dialogue boxes that reset the whole process, you should now be able to use Google Authenticator on your new phone!


Site hacked and rebuilding now

Bad: Thanks to a number of people who pointed out that my site got hacked and had links to unsavory topics popping up in Google.

Worse: I was overzealous in removing the previous install and inadvertently deleted the directories containing the data and papers I had previously made available.

Please bear with me over the next few days and weeks as I try to go through the process of trying to track all these files down and get them properly linked back to their posts and such. Please contact me directly if there’s some data or code you need in the interim. My apologies in advance for any inconveniences this may cause!