Guan

home

Should Scotland be an independent country?

06 Sep 2014

“Between 7am and 10pm on the 18th of September,” SNP politician Jim Sillars told Scots, “we are totally sovereign. We have power in our hands for the first time in our history. Whether at one minute past 10 we remain sovereign and powerful or whether at one minute past 10 we’ve given it all away once again and we’re powerless, that’s the key question.”

It is a question I have been obsessing over for months, though I know next to nothing about Scotland. With the latest polls it seems the rest of the Internet has caught up. The referendum has been set up through a law passed by the Scottish parliament in 2013, following what is known as a Schedule 5 order. In addition to creating 28 new crimes, the law commits the further crime of suggesting that ballots be set in Arial. (If I were a Scottish voter who lives in an area with such a ballot, I would probably vote no.)

If a majority of Scots—and EU/Commonwealth citizens resident in Scotland—vote yes, then on 19th of September… well, officially, nothing happens. There is no immediate legal effect. There is only the symbolic effect is that a “yes” vote will be seen as the Scottish people expressing their clear desire for self-determination.

The supreme court of Canada ruled in 1998 that there is no right of unilateral secession in that country. The same is likely for Great Britain. The court also found that if the people of a province clearly expresses their desire to separate, then the government of Canada has to negotiate the terms in good faith. The British government will have to do the same.

In 2000 Canada asserted the right to decide whether a referendum question is sufficiently clear to express the desire to separate from Canada (something that can’t be said for the 1995 one), and to decide after the vote whether the majority was sufficiently large, suggesting that more than just 50% may be required. The UK did not do that for the Scottish referendum. It sure looks like a majority of one is all that is required.

This means that none of the details are settled today and everything you hear from either side is a campaigning and negotiating stance. It’s not great to have to vote on something without knowing exactly what you are voting for. The alternative, to pre-negotiate all the terms, is unworkable, because the British government has already demonstrated a willingness to be excessively inflexible in the hopes that Scots will vote no. In fact they would not be willing to negotiate at all.

Scots overwhelmingly elected the SNP to govern them and to negotiate independence on their behalf, and they will have to trust them to do it well. It’s not that the details of the terms of independence are not important and would be nice to know in advance, but barring exceptionally punitive terms, most of the effects can be changed by a sovereign Scotland in the long run. The binary question of independence is still most important. The whole point of independence is that you get to do whatever you want.

Should Scots vote yes? Yes. The reasons I, as an outsider, think so can be easily discounted. If you are interested, you could do worse than read two outsiders, Jon Worth and Matt Yglesias, on this issue. The key question is the one Jon states: Will Scotland be better governed from Edinburgh or London? Catherine Butler takes that question at face value and proposes moving the union capital to Glasgow to save the United Kingdom. Which is so crazy it just might work, but is unlikely at this stage.

Britain is weird. Every background article on Scottish independence will mention the bribes of 1706-7, empire (though Scots were complicit in that and worse), the perfidy of 1979, Maggie Thatcher and the poll tax. Even apart from how Scotland has been treated, Great Britain is financially one of the most centralized governments in Europe. Maybe the union could have been saved with more devolution and even federalism, much sooner, but it may be too late for that now. Britain has nuclear weapons and thinks of itself as a superpower. Britain is undemocratic: Alex Salmond likes to complain that for most of his life his country has been ruled by people he didn’t vote for; Brits can say the same thing. Britain is horrible.

Jon Worth quotes Paul Henri Spaak saying, “in Europe there are only small countries left. Those that know they are small, and those that do not know it yet.” (Is France an exception?) As Adam Ramsay argues, if Scotland becomes an independent country, it will be free to be a normal, small, northern european country. Being from such a country, one which even has insane, self-destructive currency arrangements, as an independent Scotland is likely to have initially, I know that such an entity can be viable and successful. SNP has a neoliberal streak, so it will fit right in with other dominant parties in the nordic countries, another one of which also has abysmal monetary policy. The party wants to increase public spending and preserve the post-war British welfare state. Its tuition-free universities exist alongside great inequality and gated communities in Aberdeen.

Alex Salmond says he wants a currency union with the rest of the UK. I’ve argued in the past that that was just a ploy to get out of its share of the UK’s debt; I was at least one-third kidding, but it seems that James Mirrlees takes that idea seriously. 18 other European countries, including one in the British Isles, have joined a currency union, with varying degrees of success. It was a bad idea, but with few exceptions, those countries still exist and should still be considered some of most successful in human history. None of them would prefer to be part of Great Britain. Having a stupid currency regime will simply put Scotland in the shoes of a majority of the EU it wants to remain part of.

Scotland has a huge banking sector compared to the size of its economy. If there is another financial crisis, the Scottish government may not be able to bail it out. A lot of banks will move to London before independence, which would be good. If they don’t, well, Iceland was in a very similar situation, and that was disastrous, but they’re still around and annoying us with their volcanoes, and GDP per capita similar to Scotland’s. Also, read this by Simon Nixon. He has nothing but contempt for the Scots, but his conclusion seems to be that in the event of a true disaster the UK may have to bail out Scotland anyway, just as they contributed to the Irish bailout in 2010.

When analyzing the British fiscal union, we also have to look at the likely alternatives to independence. It seems almost certain that some sort of devomax will be on the table. If Scotland has control over most taxes and spending, how inclined will the British government be to bail out Scotland—or subsidize it in any way—without extremely punitive measures? With devomax, the fiscal union is hollowed out too. (Or maybe devomax is an empty promise. That really makes you trust the English. “The core of Britain is England,” Churchill said in 1943. “There is the source of the recurring pestilence.” (I may have doctored that quotation.))

If Salmond does manage to negotiate a currency union, there will be strings attached. There is a weird tendency to suggest that the fiscal restrictions imposed would negate independence completely. If Westminster decides to allow a currency union on terms that are unacceptable, he may yet reject them; this is part of the negotiating process. I have no idea if Salmond is a master negotiator, but he has been freely chosen for the job.

Scotland in a sterling zone would certainly be less than fully independent. That is also true of Scotland in the European Union, and the EU is one of the most important reasons why an “independent” country the size of Scotland would even be viable in this day and age. Every EU country is subject to similar fiscal restrictions. None of those countries would give up their independence. And currency arrangements can be changed (easier in the sterling zone than the eurozone).

There’s some suggestion that EU membership on independence day is impossible. Again, that’s a negotiating stance. It’s inconceivable that 5 million EU citizens would be involuntarily stripped of their rights as union citizens; countries have left the EU before, always voluntarily. They will have to negotiate a sui generis solution. My own take is that Scotland will be an EU member on independence day, but there’s no way that happens by March 2016.

Some critics also argue that there will be no negotiation at all, that the rump of the UK can just dictate whatever terms it wants. The implication is that maybe Scotland will get zero North Sea oil revenues, and that Alex Salmond will not be able to get any of his demands met. These people are nuts. Mute, unfollow, block and report as spam.

Finally, there is the offensive notion that the people of England should get to vote on Scottish independence too before it goes forward, and that the referendum is illegitimate because David Cameron felt politically pressured to allow it because of Scottish nationalism. No Englishman should ever get to vote in a referendum on any question, no matter how important: he should lie in the bed he has made. Such a referendum would also render completely impossible the possibility of peaceful exercise of the right to self-determination.

Among the truly important unresolved questions are the national anthem of an independent Scotland. The consensus on Twitter seems to be that it has to be either this, this, this or this. I don’t see how anyone could vote without a resolution to this issue. We also need to know the name of the rump UK. My suggestion is simply “The United Kingdom.”

Yo SCYOTLAND to get a yo when Scotland votes for independence.

Scotland’s draft interim constitution. Robert Kuttner on Scotland. How many states will Europe split into? More on Scottish independence after the financial crisis; Scotland attempted a federal union with England in 1705-7. This is a detailed take on Scotland’s EU membership, but it loses credibility when it suggests Brexit is a remote possibility. BBC snowfalls the referendum. An even nuttier proposal for Scotland’s currency. John Swinney is calm. Gordon Brown says independent Scotland will have “neo-colonial” ties with UK. Scotland’s main export. War? Could Scotland join the Nordic Council? A monetary history lesson. What happens to the national lottery? Tactical kilt.

Scotland will probably miss the Rio Olympics because they will not be able to get their national olympic committee set up in time. Athletes who qualify may be able to compete as independent Olympic athletes, as happened after South Sudan was established and the Netherlands Antilles dissolved. The next Winter Olympics are in 2018, and the Scottish curling team should be able to participate then.

Should Scotland be an independent kintra? Result nae yet kent.

iCloud security

01 Sep 2014

There are rumors that the recent leak of nude photos of Jennifer Lawrence was due to either iCloud accounts or the iCloud service itself being compromised. We don’t have many details yet, let alone hard-ish evidence of what actually happened. We can speculate, though, and we can also think about how better to protect ourselves.

It’s possible that the attackers somehow obtained her password, or obtained access to her iCloud account. If she used iCloud Backup, that would then allow the attacker to restore all the contents of her phone onto one of their devices. An iCloud Backup includes app data, text messages and iMessage data (which is otherwise much better protected). The photos may have been attached to iMessages, which would be restored, or they might have been in her Photo Stream if they were among the last 1,000 photos she took.

Securing an iCloud account itself is easy these days: you should set up two-step verification. This requires either a code sent through text message or an existing iOS device to log in to your iCloud account.

But what if someone hacked into Apple’s systems, or compromised an Apple employee, or forced Apple to cooperate with them through legal process? What data could Apple reveal, willingly or unwillingly, without your iCloud password? (In the following, I’ll assume that Apple’s systems all work as designed. In reality they may well have unknown security holes.)

The two key documents to read to understand this are the iOS Security document from February 2014 and Apple’s Legal Process Guidelines for law enforcement. The latter is interesting because if Apple can provide something as a result of legal process, they can also provide it in response to extra-legal process, so to speak. (The converse is not necessarily true.)

End-to-end encryption

End-to-end encryption refers to a security model where data is protected all the way from the end producer to the end consumer.

For example, Dropbox data is not end-to-end encrypted: it’s encrypted between you and Dropbox, and it’s encrypted as it’s stored on Dropbox, but Dropbox has access to the data. (The encryption applied by Dropbox protects against scenarios where someone steals a hard drive from Dropbox, but receives no further cooperation from them.)

A lot of email these days is encrypted in transit and when you access it through webmail or encrypted IMAP, but the email provider still has access to the contents.

iMessage

iMessages are protected in transit with end-to-end encryption. This means that nobody, not even Apple, can intercept them. Only your devices can ever read them.

There is a potential vulnerability: how does iMessage decide which are “your devices”? That happens through a Public Key Infrastructure, which is a database at Apple that keeps track of the encryption keys associated with your devices. If an attacker can maliciously add a new key to that database, then any future messages you send may be read by the attacker.

As the system is currently designed, you will receive a warning on your devices when this happens. Apple’s documents imply that they will not add a key to their iMessage PKI in response to legal process, or modify their systems to remove that warning.

Your iMessage data is also part of each device’s backups, either a backup through iTunes or as part of iCloud Backup.

iCloud Backup

Don’t use iCloud Backup if you are worried about security. Instead, get enough disk space to do iTunes backups that you control yourself:

[iTunes backup]

Each file is encrypted with a key, that is encrypted with an asymmetric (Curve25519) key for each data protection class (page 23). Those keys are placed in the iCloud Backup keybag. The keybag is then protected with a random key, which is also stored with the backup set in the iCloud account.

All this means that Apple, or someone who has compromised Apple through legal or extra-legal process, can always access the contents of your iCloud Backup. Unless, of course, those contents are further protected.

(If you decide to use iTunes backups, make sure that the hard drive of the Mac or PC where you store those backups is itself encrypted. On a Mac, use FileVault 2. If your iOS device contains something important that you don’t want to lose, then make sure you have a backup of the backup, in case you lose both the iOS device and your Mac. In this day and age, you are the jerk if you don’t have a backup and lose important things.)

iCloud Keychain

iCloud Keychain is useful. I use it. Changes to iCloud Keychain are synced among your iOS and OS X devices. This syncing, which happens within what Apple calls a “circle of trust,” is end-to-end encrypted, and when a new device wants to join the circle, an existing device has to approve it.

There is a separate mechanism called keychain recovery for situations where you lose all your devices. This is on if you have enabled “Allow approving with security code”. If you do that, you should use a random security code:

[iCloud security code]

Apple also goes to great lengths to ensure that not just anyone can get the encrypted version of your keychain (page 25). The keychain is not part of the regular iCloud Backup.

Data on the device

What if the attacker has physical access to your device? What can they do?

Assuming your device is passcode locked (and it should be, with a strong password and not a 4-digit one), it depends on the data. Text messages, photos, videos and contacts can be recovered, because Apple will do that in response to legal process. The Mail app implements Complete Protection, which means that emails and attachments are not accessible as soon as you lock the device.

Some files are protected when the device is locked, unless they are open when you lock it.

Some files are only protected until first user authentication, which means that they cannot be recovered from a device that has been powered off. They can be recovered if you have entered your passcode once after powering on. Most app data is in this category. This still provides a lot of protection if your device is locked because the attacker may need to reboot your device.

Finally, some files are not strongly protected at all. Apps themselves would be in this category.

Page 12 of the iOS Security document has a list of how various keychain items are protected. Only Safari passwords and your home sharing password are in the category that is protected when locked.

If you have a weak passcode, or even a 4-digit one, Apple can always decrypt everything on your device because they can circumvent the feature that limits you to 10 incorrect password attempts.

Compromising your Apple ID

What can an attacker use to gain access to your iCloud account, if they don’t know the password and can’t use two-step verification? The biggest risk is that Apple has a phone number, 1-800-275-2273. (Please don’t tell anyone.) Whatever Apple’s procedures are or may be in the future, there is a human on that line, and that human has the power to give anyone access to your account.

The solution is to ban phone calls. Phone calls are a dangerous vector for social engineering and will compromise almost any security system. Don’t allow them in your organization, don’t call anyone, and don’t accept incoming phone calls.

I would require users who have lost their Apple ID password to go to an Apple store physically and present identification.

Capital shares

15 Jul 2014

Squarely Rooted wrote too much about “Capital in the Twenty-First Century”. I wrote the following comment to a section on how returns on capital is likely to decrease as you have more capital:

I like to think about what very low returns imply about the capital income share. Piketty hints that in the years before the French Revolution, capital’s share may have approached half of national income, and implies that this was an important economic cause of the revolution. I think that a very low capital share isn’t politically sustainable either: capitalists will revolt (Go Galt?).

In most countries, labor’s share of national income is between 60% and 70%. I think it’s widely understood, though rarely explicitly stated, that a labor share too far below 60% is politically unsustainable. Piketty cites Robert Allen for a British capital share of around 45–50% of national income in the middle of the nineteenth century, when Karl Marx wrote The Communist Manifesto.

My point in the comment is that whatever mechanism keeps the labor share over 50% can also work in the opposite direction. That is especially true in a world where the wealthy hold a lot of political power, which Piketty thinks is true with higher wealth/income ratios.

The capital share of income, which Piketty calls α, is equal to the rate of return times the wealth-to-income ratio. In an economy where wealth amounts to 6 years of national income, a return to capital of 3% means that capital only receives 18% of national income. That may be what you get from a neoclassical model, but it is politically unsustainable. When you have the political power that comes with possessing 6 years of national income, you will not be satisfied with only 18% of national income. You’ll want more.

At least that’s how I understand Piketty and Brad DeLong’s interpretation of Piketty, and particularly his Belle Époque equilibrium, with 4.2% return, wealth of 11 years of national income, and a capital share of 47%.

Microsoft steals No-IP domain names with help from Nevada court

30 Jun 2014

Microsoft obtained an ex parte temporary restraining order on June 26 from the U.S. District Court in Nevada giving them control over 22 domain names used by No-IP, a dynamic domain name service that I use. Ars Technica has a piece on it.

You can also read Microsoft’s statement and No-IP’s statement. According to No-IP, Microsoft cannot handle all the presumably legitimate traffic they have taken on, causing problems for all No-IP users.

From the latter statement and the court records, it’s clear that Microsoft did not contact No-IP about the alleged malware connection that motivated the theft and did not have an opportunity to defend themselves in court (that’s what the “ex parte” part means). Most of the docket is still sealed, so we can’t see exactly what arguments Microsoft made to the court to pull off the theft, but the earliest that No-IP can get their domain names back is July 10, which is Microsoft’s deadline for replying to No-IP’s response.

If they can do this to No-IP, they can do this to anyone. Even if you can afford to defend yourself against Microsoft’s lawyers, you won’t get an opportunity to do so before the theft is effected!

This incident is a very good argument for having at least one domain name with a TLD, registry and registrar that is outside the control of U.S. courts. Note that some country code TLD registries are operated by U.S. companies.

Update: If Microsoft claims that legitimate No-IP users are not affected, they’re lying. In addition to the reported downtime incidents, none of the No-IP addresses I am responsible for are resolving right now. I am getting empty responses from both ns7.microsoftinternetsafety.net and ns8.microsoftinternetsafety.net (returning only the .org TLD NS records).

Europe’s borders

30 Jun 2014

I frequently advocate changing European borders. Here’s a list, which I’ll try to keep up to date:

  1. Merge Germany and Austria, then divide into Northern Germany and Southern Germany.
  2. Dissolve Belgium. Brussels becomes a free city under EU protection.
  3. Scotland should be independent.
  4. Denmark to the Elbe.
  5. Dissolve Italy.
  6. Resolve this mess (possibly by merging Flanders into the Netherlands).