Open Letter re: Hennepin Avenue Redesign

I attended the second public meeting regarding the reconstruction of Hennepin Avenue last night (April 25th) and was quite happy with the way the planning is coming along. I’m excited that Hennepin Avenue has a chance at a makeover, as it’s one of the most important streets in our downtown core.

Personally, I’d like to see some traffic-calming features on Hennepin, such as narrower lanes and bump-outs at the intersections (to make a shorter crossing distance when walking on Hennepin). I also think we should look closely at lowering the speed limit on Hennepin to make this street more appealing to pedestrians, cyclists, and businesses like cafes and bars that want a more pleasant street for outdoor seating.

I’d also like to see physical protection for cyclists in the protected bike lanes, perhaps in the form of rectangular planters on either side, which would help prevent pedestrians from wandering into the bike lane and provide better protection for cyclists from motor vehicles. I like the idea of gradual curbs, but am worried cars or delivery vehicles will climb up on them for short-term parking and block the bike lane. I’d rather not have the ugly “plastic sticks” that seem to be synonymous with protected bike lanes in our city, especially on an important street like Hennepin.

Come to think of it, the protected bike lane design for the 3-lane proposal on 3rd Avenue South (which did not pass city council) would be something that I would support. That design called for planters to protect the bike lanes.

I’d also like some assurance that what happened with the 3rd Avenue design process will not happen to Hennepin Avenue. Plans were developed for a 3-lane design on 3rd Avenue, presented to the Bicycle and Pedestrian Advisory Committees, then it seems that city staff was directed to push forward a 4-lane design plan at the last moment by CM Lisa Goodman. Is that going to happen here as well?

I’m cc’ing CM Goodman on this email to remind her that this has been the second public meeting regarding Hennepin Avenue that has taken place, and that local business owners are welcome to provide feedback. The feedback I have heard at both meetings indicates that the community is supportive of cycling, pedestrian, and transit improvements in this corridor. I want to make sure businesses are part of this process too, as past experience tells me that they haven’t always been “engaged” early enough in the process.

If the plan is to create a “feel-good” design experience for the community only to have the plans altered at the last second by the unknown demands of local businesses, please let me know so I don’t waste my time with this process. Thank you,

Anton Schieffer

Data Privacy Day and Practical Online Security

Today is Data Privacy Day, where we bow our heads and give thanks to the benevolent corporations that so closely guard all of our data. Without these titans of industry, data breaches would be routine and your private accounts could be accessed by nefarious hackers wearing ski masks.

don’t let this guy win

But just in case you don’t feel these companies always have your best interests in mind, there are a few simple things you can do to protect yourself online. Obviously this is not a comprehensive list and will not protect you against all adversaries, but you’ve gotta start somewhere.


Put a passcode on your phone, seriously. If you’ve followed the “debate” over the use of encryption in iPhones and Android devices, you know that certain groups (like the FBI and more local law enforcement) are very upset that encryption is now the default on modern devices. Encryption means that the data should be inaccessible to anyone who is not you, but it does you no good unless you enable it with a passcode. If you don’t want to use a passcode, don’t bother reading the rest of this post. Anyone with physical access to your phone can get at the data inside.

Additionally, if you feel like you could be in a situation where you could be physically coerced into unlocking your phone, turn off the fingerprint or face-recognition unlocking features. Don’t reveal your password to anyone without something that’s been signed by a judge.

Also, pick a GOOD passcode. Don’t pick 1234, 0000, 2580, or your birthdate. And just like a password, don’t tell it to ANYONE. Not your lover, not your boss, not your pastor. Also, wipe your phone’s screen regularly because I can probably guess your passcode based on the Dorito cheese your greasy fingers leave behind.

Password Manager

Speaking of passwords, you should never reuse them! If you use the same password on your Google, Facebook, and Amazon accounts, anyone who guesses that single password has access to all those accounts.

I recommend using a password manager to keep track of all these things. The way a password manager works is that you remember one master password, which is used to unlock an encrypted database of the passwords you use on other sites.

I personally use 1Password, which costs money (though I think there’s a free trial), or LastPass, which is free. Both can generate new secure passwords for you when you sign up for a new site, but all you need to remember is the master password. Both options above have browser extensions and mobile apps, which reduce the amount of hassle it takes to start using passwords more securely.

Install Signal

If you have a smartphone, this is a necessity. It’s currently the most secure text-messaging app on the market, and it’s free. Messages between you and other Signal users will be encrypted, so even an adversary using IMSI-catchers (aka Stingrays; when they’re in planes they’re sometimes called Dirtboxes) won’t be able to view them.

Of course, using Signal does not mean you’re completely secure if the other person does not have it installed. Signal gives you an indication if the other party has it. You can also use the app to make secure phone calls with other Signal users.

Apple’s iMessage also provides fairly good security, in that it encrypts your conversations, but only works for conversations between iPhone users.

Enable Two-Factor Authentication on Everything

This is probably the most “cumbersome” step but will also provide the greatest security against attempts to access your accounts. It’s called two-factor authentication (sometimes multi-factor authentication) and the basic idea is that it should take more than just a username and a password to log in to an account. Since a username and password are things you know, we want to require something else to prove your identity. Typically this is something you have (like a smartphone) or something you are (like a fingerprint).

By enabling two-factor authentication, the next time some masked hacker guesses your username and password for a website, the site will send a verification code to an app on your phone or as a text message to you. Without that code, they won’t be able to log in and see all your secret messages and cat pictures! However, you’ll need to go through some configuration steps to enable this. I recommend starting by enabling two-factor authentication on your Google account first.

If you are able, I suggest installing Google Authenticator (or Authy) on your phone rather than getting verification codes via text message. Not all services use two-factor authentication and some only use codes sent as text messages rather than using Google Authenticator. Here is a handy chart of sites that support it – I recommend enabling it on all that you can, particularly Facebook (they’re called “Login Approvals”) and Twitter.

I’m sure I forgot something, so feel free to ask questions or drop knowledge in the comments. I’m available to give presentations and assist with security at a discounted rate (if I like you), or at my usual hourly rate (if I have no idea who you are). Stay safe out there!

Hennepin County Library Resources

I really enjoy learning, so naturally I’m a big fan of the library. The kids that I’m chasing off my lawn these days think that Google invented knowledge, but there are some great and underused resources available through Hennepin County Library. (And if you think about it, we’re lucky to have libraries at all. Can you imagine the outcry from book publishers if the concept of a library was new? “Wait, you’re going to take my book, and loan it out to people…FOR FREE?!?”)

A complete list of online library resources is available here, but I’ll highlight a few particularly fun and useful tools.

Lynda has been doing software tutorials for years, but they were typically expensive to purchase. Thanks to your library card, access is free. Lynda’s bread and butter seems to be tutorials for popular software, and with any tutorial the instruction quality depends on the instructor. It’s still a more reliable and professional resource than watching YouTube videos, especially if you like learning via instructional video. I personally think videos are a great way to learn software suites, especially if you have dual monitors, as you can have both the software and the instructional going at the same time.

Through the library, you can access the New York Times archives all the way back to 1857. I love digging through historical newspapers and that’s not always possible online, especially if you want to read anything published after 1922 (which is the last year that copyrighted works entered the public domain, greatly reducing access to these materials).

If you’re more locally-minded, you can get the full images of the Minneapolis Tribune from 1867 to 1922 thanks to the Minnesota Historical Society (no library card needed). It’s searchable too! If you want anything between 1923 and 1986, you’ll have to go and plop yourself in front of some microfiche, which of course is not searchable. If you’re wondering, copyrighted works from 1923 will enter public domain in 2019, unless the Copyright Term Extension Act is extended again (which I expect will happen). After all, who would bother to write articles or produce movies if their great-great grandchildren won’t be able to profit from them 95 years down the road?

Rosetta Stone Advantage offers self-paced language lessons. Like Lynda’s materials listed above, these used to cost a significant amount of money, but are now available for free. (Companies like Duolingo also offer free online language lessons if you’re interested. The more options, the better.)

Zinio offers access to magazines that can be downloaded and stored on your computer indefinitely (DRM-free). Consumer Reports, Cosmo, Foreign Policy, The Economist, the New Yorker, and more are all available. Many of these magazines put their articles online but behind a paywall, so this is a great way to get around that restriction and get access to some of those stories you might be missing. The back issue archives seem to be restricted to the last few months, depending upon the magazine (which is awful because I wanted to read some 1990s-era National Enquirer, but alas).

Social Explorer offers census data and data visualization tools. This tool is a little overwhelming at first due to the sheer amount of data available, but the data is organized well. Really a great tool and wonderful use of library resources to provide access to it.

SAMS Photofact Online offers technical schematics and repair information for electronic parts.

Posters of World War II. Searchable by subject.

Minneapolis High School Yearbooks. Again, only up until 1922, but there are some hidden gems within:

Yearbook Photos

I really could do an entire post on these yearbooks, honestly.

JSTOR. Mostly academic journals, but hard to find otherwise. EBSCOhost is also available, which is similar.

There are many more resources available that I won’t list, including quite a few for middle and high school students, and some that are only available on-premises at a library. Browse their online resources; you’ll probably be surprised at what’s out there!

CISA is a terrible cybersecurity law

In what has become an annual tradition, Congress has renewed their efforts to pass some type of cybersecurity legislation. For the past four years, privacy advocates and security experts have consistently opposed these bills due to inadequate protections of American civil liberties, and this year’s offering, the Cybersecurity Information Sharing Act (CISA), is no exception.

CISA greatly expands the scope of government surveillance at the expense of American civil liberties. The bill would allow private companies to share any data they’ve created and collected with the government, who could then use it for their own purposes.

Data sharing can be useful, of course. To combat cyberthreats, private companies already share data with each other, and refer to this type of sharing as “threat intelligence.” Threat intelligence isn’t perfect, but helps companies identify dangers online in order to mitigate risks and secure their networks.

But this bill goes much further than that. CISA makes all information-sharing easier between the private sector and the government, not just for information relating to threats. For example, the federal government could use data collected from Google or Facebook during a criminal investigation. This violates the principle of due process, which suggests that courts should have oversight into how government agencies conduct investigations.

In this sense, CISA provides a clear way for the government to get around warrant requirements.

In exchange for providing this information, the bill grants legal immunity to private companies who break the law or who have poor network security. Thanks to this provision, it’s no surprise that industry groups like the Chamber of Commerce and the Financial Services Roundtable have been lobbying for this bill. CISA would also create a new exemption to Freedom of Information laws, preventing Americans from discovering what data about them is being shared with the government.

This immunity means that the government will be unable to prosecute companies who do not adequately protect their customers’ data. This is likely to lead to fewer resources being dedicated to cybersecurity threats, as the threat of a fine or lawsuit is reduced.

The growing volume of data that private companies gather on Americans makes this legislation more problematic. Google knows the contents of your email, as well as your search history, videos you’ve watched, and even where you’ve been. Facebook knows who your friends are, what type of articles you like, and whose profile you’re most likely to click on. To grant the government access to this information with no oversight on how it is used is not only unconstitutional, but also morally objectionable.

CISA advocates claim that there are adequate privacy protections to “scrub” personal data before it reaches the FBI or NSA. But included in the bill are loopholes which allow for unfettered access to this personal data at the discretion of these same government agencies.

If Congress is serious about addressing the evolving threats posed by criminals online, there are a number of proactive steps that should be taken. The Computer Fraud and Abuse Act of 1986 is in need of an overhaul. It’s ridiculous that our primary law written to stop computer crimes was written when the chief threat to the United States was the Soviet Union. As currently written, the law prevents security researchers from doing their jobs, such as building tools that help mitigate threats before the bad guys exploit them.

Second, Congress needs to get serious about the threat posed by the “Internet of Things.” We know that Volkswagen intentionally evaded emissions testing by writing a few extra lines of computer code. We need to know that our self-driving cars, voting machines, and medical devices are working properly and securely, and cannot do so without being able to audit the code that powers them. We shouldn’t wait until a criminal takes control of these devices to begin properly securing our infrastructure.

We need legislation that addresses current and future threats. There are few, if any, cybersecurity experts that believe this bill will improve overall security. Nothing in the bill would have prevented major data breaches like what occurred at the Office of Personnel Management, which exposed the personal details of millions of innocent Americans, some at the highest levels of government. To the contrary, this bill would put even more data on the same insecure government servers that have already been exploited by criminals.


I was hoping to have an edited version of the above published somewhere, but with the vote being likely to happen tomorrow, there isn’t enough time. That said, below are some accompanying notes for those who want to dig a bit deeper.

The first glaring hole with this bill is the lack of cybersecurity professionals who support it. I actually scoured the Internet to find someone respected within the industry who thought this was a good bill, and was unable to find a single one. On most other security-related issues, such as the potential regulation of 0day markets, there are a few different camps that security experts fall into. There is no such pro-CISA camp.

While I often side with the EFF on Internet-related issues, even experts that I usually disagree with politically are opposed to this. This letter in opposition to CISA features many respected information security experts (including Bruce Schneier), and Brian Krebs has also commented on why the bill is misguided:

So when experts are opposed to such a bill, who exactly is supporting it? As I mentioned above, the Chamber of Commerce and Financial Services Roundtable are two of the industry groups that support it, and the reasoning is obvious. Companies and banks that have poor information security practices become immune to cybersecurity-related lawsuits, provided they share their data with the government.

This incentive also makes data-sharing for companies less than the “voluntary” proposition that advocates claim. Instead of securing their networks, CISA creates a perverse incentive to reduce the impact of network security when doing a cost-benefit analysis. If this bill passes, there are two important ways to reduce the risk of a cybersecurity-related lawsuit: secure your network OR share your data with the government. While some companies like Facebook and Google will never share *all* their data with the government, they would be foolish to not share *just enough* data to keep themselves immune from lawsuits.

While often the backing of the financial industry is enough to pass legislation, they have a powerful ally in the intelligence community. Here’s some good reading on the intelligence community’s potentially changed role if CISA passes.

But to me, the key reason I dislike this bill is deception. I don’t like that this is called a “cybersecurity” bill. It’s a surveillance bill. Snowden’s revelations have shifted the political landscape to largely oppose state surveillance, which makes it amazing that a bill which hands over large amounts of data to the state is close to passage.

As I briefly mentioned at the outset of my initial piece, some of this has to do with issue fatigue. After witnessing the eventual passage of this bill (I consider it the successor of CISPA, first introduced in 2011), I am much more pessimistic about the future of American politics. The voice of industry professionals and civil liberties groups will never be as loud and sustained as those of industry groups who represent clients who all stand to benefit.

But the other reason I hate this bill is that it confuses real security with a false sense of security. The classic misdirectional dialogue applies:

“The situation is bleak, something must be done.”

“This is something, therefore this must be done!”

The Internet of Things presents an entirely new, and more immediate problem. We’re living in a world where new devices are not only running more code than ever, but are also reliant upon internet connections in new ways. Why does my thermostat need to be connected to the internet in order to keep my house’s temperature steady? Dick Cheney’s doctor disabled the WiFi on his patient’s pacemaker due to the threat posed by hackers, so why do the rest of American citizens accept such a risk?

They don’t, they’re just unaware of the reality of the threat. These threats will only increase as we push towards “modernization” without any thought for the consequences. I’ll write a bit more on the problems with the security of the Internet of Things in the coming months on my blog.

And finally, I’ve linked to her blog multiple times in this post, but there was another good post over at emptywheel which sums up why this is a bad bill.

A tiny project

So last weekend I realized that the City of Minneapolis maintains a lot of email lists (I think you need to enter an email address to see them after following that link, but it’s quite a few). I was curious to learn more about what was on them, but there wasn’t an obvious way to read the archives of each mailing list. And I surely wasn’t going to sign up for over 100 mailing lists just to get a taste of what they were sending out.

So I made a new website and twitter account in order to get a better sense of what’s going on in the city. Each email sent out by the city to any of their mailing lists is published online in a new post, and a link to that post is tweeted out. Simple!

I apologize for the Geocities-esque aesthetics of the website, but the emails don’t use consistent HTML and my email parsing utility was pulling some crazy shenanigans with nesting and CSS, so this is the best I could make it look in about an hour’s worth of time. (I work in infosec, not web design.) Got a better idea? Tweet me or send an email.

Obviously in the future I’d love to have a calendar, and the ability to only see messages from one particular mailing list. Even better, I’ve asked the city to look into doing this for me. Hopefully the folks at GovDelivery can get this simple problem taken care of and increase online engagement between the City of Minneapolis and its residents.

Open Comment regarding the Blueprint for Equitable Engagement

Note: this is a comment I sent to the city of Minneapolis regarding the proposed Blueprint for Equitable Engagement.

The current model for Minneapolis neighborhood organizations needs significant changes in the coming years in order to remain both relevant and responsive to the needs of city residents.

I live in the Whittier neighborhood, where over 80 percent of residents are renters. As of today’s date, there are few, if any, renters on the Board of the Whittier Alliance, which is one of the most heavily-funded neighborhood organizations in the city. As you know, the NRP funding for our neighborhood organizations has historically been determined by factors like poverty rate and the number of renters a neighborhood has.

Over the past year or two, I have participated in several Whittier Alliance Community Issues meetings. (Whittier residents are not allowed to speak at meetings of the Board of Directors, which obviously discourages attendance.) After more restrictive bylaws were passed earlier this year, making it more difficult for renters to run for the board (among other things), I have chosen to stop attending Whittier Alliance meetings and to spend my time as an activist in a more constructive manner. I have no interest in contributing my time and energy towards a neighborhood organization that actively makes it more difficult for renters and newcomers to participate. I hear many of my peers, in Whittier and other parts of the city, express similar frustrations and decide the process is not worth their time.

The lack of renter representation on the Whittier Alliance board leads to negative outcomes. As a recent example in July of 2015, both the Executive Director and Board Chair of the WA were quoted in the Southwest Journal as requesting higher rents for a proposed “workforce” apartment complex. As a renter in an 83% renter neighborhood, it’s beyond infuriating to have my own neighborhood organization attempting to raise the rents for new housing projects. Of course, I do understand how pushing for higher rents might increase the property values for property owners who routinely dominate the Whittier Alliance board.

Of course, renters are not the only viewpoint lacking in this neighborhood. Census data shows that 20 percent of Whittier does not speak English, and that half this neighborhood is white and half is of color. Is this reflected in the membership on the board? Has this been addressed by the Whittier Alliance? The WA is in denial when it comes to equity, stating in its June 2015 meeting minutes regarding the Blueprint for Equitable Engagement, “The WA board is diverse but they (meaning the city) don’t see it as diverse.”

Some city initiatives overlook the residents of Whittier, yet the Whittier Alliance does nothing. For example, Minneapolis recently rolled out their curbside organics program, allowing residents to compost organic matter. But it is only deployed at buildings with 4 units or fewer, and 73 percent of Whittier residents live in buildings with more than 4 units. Where was the Whittier Alliance to raise this issue with the city?

I don’t have all the answers, but engagement is something the city, and by extension city-funded neighborhood organizations, should take more seriously. A committee that addresses renter issues would help, as would utilizing more methods of online participation. Not everyone has the time to sit through a 3-hour meeting, and more importantly, that should no longer be a barrier to participation in local politics. Most importantly, if neighborhood organizations refuse to include and advocate for the renters and minorities who dominate their neighborhoods, rather than the property owners who dominate their boards, they should lose their funding.


Ever tried to file a Minnesota Government Data Practices Act Request with the MN Department of Public Safety? I just did, and it’s impossible to find the email address of the Responsible Authority for the request. I’m sure this is for good reason: once you start publishing email addresses for people who respond to data practices requests, people start requesting data!

Anyway, save yourself some time and send those data request emails to mona.dohman at state dot mn dot us, and cc joseph.newton at state dot mn dot us. Mona Dohman responded to my email and said my request would be taken care of.