Tuesday, April 29, 2008

Grovelling Apology

In recompense for my recent appalling behaviour on Our Hero's blog, as chronicled on TerryWatch, may I direct you to a beautifully civilised rant in today's Torygraph, by Andrew Roberts on the egregious Vera Baird:

It is also worth contemplating Mrs Baird's typical New Labour arrogance in dismissing the Royal Family for not already being part of "the human race".

She obviously considers herself to be a functioning member of it, despite having been a lawyer for 33 years and a Labour MP for seven, two professions that the public regards as about as cut off from reality as it is possible to be in modern Britain.

I would be prepared to wager that every single member of the Royal Family in receipt of the Civil List - even those in their eighties - has in the past year visited more hospitals, met more ordinary people, travelled the country more and generally proved their membership of the human race far better than Mrs Vera Baird QC, MP.

The point about the Kaiser, as well as many others, is also beautifully made. My day would have seemed less damp if I had got to page 21 at breakfast rather than before bed.

Wednesday, April 16, 2008

For the Want of a Nail

It seems that the downfall of Lee Jasper, the world guru of PC and yet another example of the encouraging truism that the only qualification for seeking political office (even his pre-fall un-elected status) in London is excessive and extra-marital shagging, was brought about by one of the axiomatic failures of personal information security - the password on the post-it note.

If you had wondered how the Evening Standard got hold of the emails, the answer is in today's Indefensible.

Bigwigs at City Hall, paranoid about the leak that led to Jasper's messages reaching the journalist Andrew Gilligan, held an inquiry to find the culprit. The police would have been called had illegal hacking activity been unearthed. The inquiry was short. It soon established that Jasper kept his email log-in password on a Post-it note near his computer, so a temp could check his mail.

More fool him.

Monday, April 14, 2008

What Aren't They Saying?

Have a look at this very interesting response, from the less than universally popular Government of the People's Republic of China, to this Businessweek article:

After saying that, I should say that the Chinese government has on various occasions expounded its position on this global issue of cyber intrusion or hacking. The Chinese Government always opposes and forbids any cyber crimes including "hacking" that undermine the security of computer networks. Chinese laws and regulations are explicit in this regard.

As it is, China's cyber space and internet systems are frequently intruded and attacked by hackers from certain countries. As a victim of hacking attacks, China attaches great importance to cracking down on various cyber crimes including hacking activities.

China follows a path of peaceful development, and unswervingly adopts a national defense policy which is defensive in nature. China would never do anything to harm sovereignty or security of other countries. In conformity with such national policies, the Chinese government has never employed, nor will it employ so-called civilian hackers in collecting information or intelligence of other countries. Allegations against China in this respect are totally unwarranted, which only reflect the dark mentality of certain people who always regard China as a threat. Of course, there are some other people who are misled into believing that China is engaged in hacking activities, which is more than wrong.

(My italics.)

Now, I have worked in the past with the good people at CN-CERT/CC, the official computer incident co-ordinating centre for the PRC and they are keen and helpful when you are trying to knock out fraudulent web-sites and I am sure they are just as helpful in other similar circumstances.  But ...

Although it is not unknown for Intelligence Agencies to outsource the gathering of sensitive information to 'so-called civilian hackers', it is much more common for them to employ the appropriate resource directly - either via the military or as government employees.  Which, along with some of their billion-plus population being up to no good entirely on their own cognisance, may be why so many APNIC IP addresses are appearing in people's security logs.

Or, there are another couple of alternatives.  The "Press Counselor & Spokesperson Of the Chinese Embassy to the United States" may not have a complete picture of his government's intelligence activities or, and I know this may come as a complete shock, may be knowingly telling a slight fib.

Friday, April 11, 2008

Security Shitstorm

While I am perfectly happy that it appears unlikely that Poole Council passed the necessary tests in S.28(3) of RIPA for the authorisation of directed surveillance (see al-Beeb, the Torygraph and the Gruniad):

(3) An authorisation is necessary on grounds falling within this subsection if it is necessary—

(a) in the interests of national security;

(b) for the purpose of preventing or detecting crime or of preventing disorder;

(c) in the interests of the economic well-being of the United Kingdom;

(d) in the interests of public safety;

(e) for the purpose of protecting public health;

(f) for the purpose of assessing or collecting any tax, duty, levy or other imposition, contribution or charge payable to a government department; or

(g) for any purpose (not falling within paragraphs (a) to (f)) which is specified for the purposes of this subsection by an order made by the Secretary of State.

unless the evil shits that run this country have made an Order defining school entrance as so enabling, I must object to the tenor of the BBC coverage this morning and the other journalistic nonsense.  RIPA is not just for terrorists (as the mother apparently alleges) and serious crime - it covers many, many things.  For example, there has been directed surveillance for years by the DWP and its predecessors checking that invalidity benefit (and its predecessors) claimants are not working on the side, running marathons, entering martial arts competitions, etc.

Note that this is neither interception (ss. 3, 4 & 5) nor 'intrusive surveillance' (s. 32); apart from the limited exceptions for interception (consent, the operator of a private system, etc.), the requirements for justifying both of those are more severe.

While I agree with Liberty that this may be disproportionate (I am not sure using your current address on a school application and then later moving a mile counts as criminal, whatever Tim Martin thinks), the challenge has to be on that basis, not that 'it isn't terrorism'.

Phorm, for example, mendacious charlatans that they may be, are not 'terrorists', and we certainly want RIPA to apply to them.

Monday, April 07, 2008

Sacrilegious Publishing

Okay, I guess that unlike the 25,000[1] ravening bigots whipped into a fury of "peace and tolerance for their fellow man"(TM), I have watched 'Fitna' and read 'Infidel'. There is some utter crap[2] around concerning these.

Now, it has to be said that all religions have their utter wackos. Ask any family planning clinic in the US 'Bible Belt'. Or somebody after a drink (or a game of golf) on the Western Isles on a Sunday. However, modern Islam does have its nutters more than a wee bit closer both to the mainstream and to the hairy edge than, for example, Tibetan Buddhists. (Ed notes: And a happy non-violent continuing anti-Olympic protest beating to you in the gulag near Lhasa! And best of British for your protest in SanFran - you ought to have a more favourable policing atmosphere than you did in the Euro-statist capitals of Paris or London.)

Well, Infidel was not a nice story. Ayaan Hirsi Ali has not had a quiet and easy life. An impoverished upbringing of tribal brutality in exile. A violent mother out of place in modern[3] society. Endless misogyny and female circumcision[4]. Much of this seemed to be post hoc justified in Islam - but, just like the burka, these are tribal customs enforced through female acquiescence to patriarchal stupidity. I was cured of this by reading Germaine at a suitably impressionable age. Islam didn't come out of her childhood too badly - her adults came out appallingly - mother, grandmother (especially), father, brother - a fairly uniform bunch of oxygen thieves. Now, once she was a free adult in the Netherlands, then the 'Religion of Peace' showed its real (ugly) form. It is a good, albeit fundamentally disturbing (especially, I suspect, if you are a sexually active female) book - buy it or borrow it, but read it. If it doesn't make you think then you are probably a nu-Lab PPS.

'Fitna' was a damp squib. Nothing new, nothing particularly interesting. A simple documentary on fundamentalist extremism in Europe would have done the trick, without the political kudos. No mention of Saudi (although I did spot at least one Saudi sheikh amongst the rabid), Salafism or Wahhabism. 15 minutes of the best of the Quran, the successful amongst Islamist terrorists and crowds incited to foaming-at-the-mouth anti-Semitism. We get that on the news - even al-Beeb carries that sort of hysteria. Watch it - just because people want to ban it and that is, of itself, a bad thing[5]. Many thanks to Liveleak for carrying it - I appreciate the sheer aggro you went through with all the mindless nut-jobs and the intimidation.

The last word.

1. It's nice to see there are some commonalities in modern policing - 100,000 according to the organisers.

2. Exodus, Samuel, Psalms. And this is an angry response about Christians. Well educated in the 'good book', then. New covenant, anybody? 'Sermon on the Mount', going cheap?

3. Geek moment. Mine is /was an AS400 Sysadmin. Zero cool points for the Tux generation!

4. This is the wrong word. Male 'circumcision' involves removing a small bit of skin on the end of your knob that, frankly (and I speak as one with one) doesn't seem to serve that much of a purpose. And I get the hygiene point. As opposed to removing the clitoris, the labia (various) and whatever else gets in the way of the knife. 'Castration' isn't the right word either. But it's closer.

5. I've read 'Mein Kampf'. It's a terrible book - huge, turgid and vile. The 'John Prescott' of literature. But it is an important book - it shaped a large part of the last century and is still significant now. Which is why it should be available to be read. Along with 'Animal Farm' and 'One Day in the Life of Ivan Denisovich'. Both of which are (much) shorter and (vastly) better written.

Random News

The good, the bad and the ugly.

Oh, and the 'no surprises there, then' and the downright weird.

Friday, April 04, 2008

New Coins

I am, in my (very limited) richer moments a non-obsessive collector of UK coins. And I like these new ones:

I think the idea is good, I think the use of the traditional heraldry is good (although there clearly should be a Scottish version with the proper arrangement of the Royal Arms for use in Scotland - this being different from the Royal Arms of Scotland). And I will buy a set, when they come out in silver Piedfort.

And for those bemoaning the loss of Britannia, can I please direct you to the 2008 design:

Got the Royal Mint catalogue through this morning. £11k for the two (old & new) sets in platinum. A mere £6k for the new lot. :) My dearly beloved thinks not.

Thursday, April 03, 2008

An Early Christmas

Remember "Santa's Little Helper"? The tangerine hero of Protestantism?

Well, we now know his real name. Not Charles Clarke, not even John Parker. It is (why is the blink tag deprecated the one time you really need it?):

Diamond Dan the Orangeman

After rejecting "Sash Gordon" and "the Boyne Wonder", you really have to worry about these bigots. Especially at 7 years old. I suppose we should congratulate Mr and Mrs Mitchell for bringing up young Steven in the best traditions of warped Christianity, religious intolerance and mindless stupidity your island is so famous for. Possibly a year-out scholarship at a Taliban madrassa beckons once he can grow enough bum fluff for an acceptable beard?

Stat Pin Ups

While the big boys of the (UK political) blogosphere whip each other senseless in a Mosely-esque frenzy (but without the dungeon, call girls or Nazi uniforms): here, here (and here, here & here, Ed notes: but let's not call Tim 'obsessive', instead we'll just point out that he might need a cause or two to take his mind off of the fags), here, here and here (with a very good analogy between website stats and the wholly fallacious 'JustForeignPolicy' extrapolation of the decidedly dodgy Lancet 'Iraq casualties' guesstimate), I thought I would trivialise the situation and update you on my minnow's experience of 'Hello Kitty Hell'.

Month           Hello Kitty   Archive (HK)   Front Page   Articles > 1%
Apr (to date)   36%           41%            10%          1 (old!)

Oh when will it end!

Did you have 'Phorm'?

Well, more than 18,000 of you (i.e. 18,000 accounts with an unknown number of subscribers behind those) did, BT customers to a man, woman and Basset Hound. But you'll never know. BT didn't keep the records of who they subjected to this dubious privilege. (Ed notes: Well, unless you check your browser for Webwise[1] cookies.)

So the great Phorm saga continues with a significant presence on this morning's BBC Breakfast show, with quite a concentration of attention on the BT trial - was it legal? Was it moral? Did it work?

Kudos to the female presenter for giving the latest mendacious Phorm apologist, Emma Sanderson from BT, a hard time.  Fewer brownie points, however, to the reporter, Julia Caesar, for an unconvincing and inaccurate description of Phorm.  It doesn't record your search terms, I am afraid, it processes, analyses and records summaries of everything it can get its dirty mitts on (which is pretty much everything, folks.)

Okay, so we don't know quite a lot about how this works, yet, and I am really looking forward to Richard Clayton's report following the Open Rights Group's meeting with Phorm last week.

What do we know?
  • Phorm redirects your HTTP requests (apparently via some horrid proxy redirects[2] or some DNS chicanery[3]), and looks for a Webwise cookie.  If you don't have one, you get one (possibly not if you are a Talk-Talk customer).

  • It intercepts the returning webstream and processes it, unless you have opted out, to see into which of their advertising categories the page falls.  It then records this data against your cookie value.
  • If the target website is an OIX customer, you will get an ad inserted.  If you have not opted out, this will be based on your previous surfing history; if you are opted out, it will be randomly selected.
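Given the mechanism described above (a bounce through the interception layer, a cookie planted if you don't already carry one, and everything thereafter keyed to that cookie value), the things a suspicious subscriber can actually look for are visible in the HTTP exchange and in the browser's cookie jar. The following is an added example, not Phorm's or BT's code and not from the original post: it walks a captured request/response chain and flags third-party redirects, cookies scoped to a domain that does not match the host you asked for, and any cookie whose name or domain carries the "Webwise" indicator the page mentions, and it scans a Netscape-format cookies.txt for the same indicator. The hostnames (under the reserved .invalid TLD), the cookie name webwise_uid and the sample exchange are all constructed for illustration, not real Phorm identifiers.

```python
"""
Added example: detect the footprint of an ISP-side HTTP interception and
tracking layer from (a) a captured request/response chain and (b) a browser
cookie jar. The hostnames, cookie name and sample data are constructed for
illustration only (assumptions, not documented identifiers).
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# The one indicator the page itself names is a "Webwise" cookie.
INDICATOR_COOKIE_RE = re.compile(r"webwise", re.IGNORECASE)


@dataclass
class HttpHop:
    """One request and the response it received, headers as (name, value)."""
    request_url: str
    status: int
    headers: list


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def parse_cookie_attrs(set_cookie: str):
    """Return (cookie_name, {attribute_lower: value}) from a Set-Cookie value."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return name, attrs


def domain_matches(cookie_domain: str, request_host: str) -> bool:
    """RFC 6265 domain-match: the cookie domain is the host or a parent of it."""
    d = cookie_domain.lstrip(".").lower()
    return request_host == d or request_host.endswith("." + d)


def analyse_exchange(hops):
    """Return [(hop_index, finding), ...] for a chain of HTTP hops."""
    findings = []
    for i, hop in enumerate(hops):
        req_host = host_of(hop.request_url)
        for name, value in hop.headers:
            lname = name.lower()
            if lname == "location" and hop.status in (301, 302, 303, 307, 308):
                loc_host = host_of(value)
                if loc_host and loc_host != req_host:
                    findings.append((i, f"redirect from {req_host} to third party {loc_host}"))
            elif lname == "set-cookie":
                cname, attrs = parse_cookie_attrs(value)
                cdom = attrs.get("domain", "")
                if cdom and not domain_matches(cdom, req_host):
                    findings.append((i, f"cookie {cname!r} scoped to foreign domain {cdom}"))
                if INDICATOR_COOKIE_RE.search(cname) or INDICATOR_COOKIE_RE.search(cdom):
                    findings.append((i, f"indicator cookie {cname!r} (domain {cdom or req_host})"))
    return findings


def scan_cookie_jar(text: str):
    """Scan Netscape cookies.txt (tab-separated: domain, include_subdomains,
    path, secure, expiry, name, value); return (domain, name) indicator hits."""
    hits = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 7:
            continue
        domain, _, _, _, _, name, _ = fields
        if INDICATOR_COOKIE_RE.search(name) or INDICATOR_COOKIE_RE.search(domain):
            hits.append((domain, name))
    return hits


# Constructed sample: a plain GET bounced via a hypothetical interception host,
# which plants a cookie and then bounces back; the final answer also carries it.
INTERCEPT = "http://webwise.isp-example.invalid/redirect?r=http://www.example.com/news"
SAMPLE_EXCHANGE = [
    HttpHop("http://www.example.com/news", 307, [("Location", INTERCEPT)]),
    HttpHop(INTERCEPT, 307, [
        ("Set-Cookie", "webwise_uid=0123abcd; Domain=.webwise.isp-example.invalid; Path=/"),
        ("Location", "http://www.example.com/news")]),
    HttpHop("http://www.example.com/news", 200, [
        ("Content-Type", "text/html"),
        ("Set-Cookie", "webwise_uid=0123abcd; Domain=.example.com; Path=/")]),
]

# Constructed sample cookie jar in Netscape format.
SAMPLE_COOKIE_JAR = "\n".join([
    "# Netscape HTTP Cookie File (constructed sample)",
    "\t".join([".example.com", "TRUE", "/", "FALSE", "1230768000", "session", "abc"]),
    "\t".join([".example.com", "TRUE", "/", "FALSE", "1230768000", "webwise_uid", "0123abcd"]),
    "\t".join([".webwise.isp-example.invalid", "TRUE", "/", "FALSE", "1230768000", "uid", "0123abcd"]),
])

if __name__ == "__main__":
    for idx, msg in analyse_exchange(SAMPLE_EXCHANGE):
        print(f"hop {idx}: {msg}")
    for dom, cname in scan_cookie_jar(SAMPLE_COOKIE_JAR):
        print(f"cookie jar: {cname!r} for {dom}")
```

The checks deliberately look at the HTTP exchange and the cookie jar rather than at DNS: whether the bounce is done by a transparent proxy or by DNS games, the redirect and the planted cookie are what the browser sees, so this is the layer at which a subscriber (or a guest on the spare laptop) can verify what was done to them. A browser silently rejects a cookie scoped to a domain that does not match the responding host, but seeing such a header at all is evidence that something upstream is rewriting responses, which is why it is reported separately from the named indicator.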
What are the concerns?
  • Phorm, themselves, have form - they used to be 121 Media Inc.  121 Media produced a product that placed ads on your system and used rootkit technology, apparently this, to stop it being easily removed.  They say 'adware', many say 'spyware'.  They say 'potatoe', many say 'potato'.

  • Phorm is potentially (i.e. it cannot stop itself from) processing personal data under the meaning of the First Principle of the Data Protection Act 1998 and therefore must justify the conditions in Schedule 2 of the Act.

  • Phorm cannot prevent itself from capturing, analysing and, therefore, processing, sensitive personal data under Section 2 and Schedule 3 of the Act.

  • The interception of the HTTP stream is, itself, clearly in breach of Section 1(1)(b) of the Regulation of Investigatory Powers Act, 2000 (see also s2(2)(b) for a definition of interception).  Unless BT (not Phorm - the ISP are doing the interception, I suspect) have 'lawful authority'.  This is hard - especially as they are a public telecommunications provider, therefore don't have access to the exclusions in 1(6).  So how can this be legal?  There are two options:

    • s3(1) - consent - which requires both parties (browser and server).  There are also concerns that even if the subscriber consented in a contract, that they cannot provide the appropriate explicit consent for anybody who uses that service (we, for example, have an old laptop in our guest room for visitors to use.)

    • s3(3) "it takes place for purposes connected with the provision or operation of that service". I'll let the lawyers argue about that one but it certainly isn't clear that it is legal - it would be difficult to argue that provision of adverts was a vital part of the service but they may argue that the limited anti-phishing capability counts.

    We'll see how this one pans out in public and, hopefully not, in the courts.

  • Phorm claim that their stored data is not personally identifiable and have gone to significant trouble to get 80/20 Thinking (not Privacy International, although the staff lists are fairly congruent) to do a Privacy Impact Assessment.  The determining factor is whether anybody holds a list that associates the Phorm cookie identifier with an individual.  As Ben Laurie points out, this would be trivial for the ISP to do, especially with the Phorm monitoring kit already installed.

This is, I have to say, enough for me to consider changing ISP - if Virgin Media do implement Phorm, I will shift from cable to broadband, probably for my phone service too. As well as LightBlueTouchPaper, for the forthcoming technical analysis, can I also recommend BadPhorm, for more background (and a list of ISPs who have pledged not to go near this mendacious spyware with the proverbial bargepole), and Dephormation for a Firefox plugin that will help you avoid damage iff (Ed notes: yes, that is not a spulling mistook) you end up subjected to Phorming.

Update: And this in from el-Reg.

1. As a (NTL / Blueyonder / Virgin Media / whoever it is today) customer, it is nice to see that their logo is no longer on the home page of this site.

2. See this /. comment.

3. But, as an ex-BT customer, I run my own DNS servers. Would they still manage to capture my (and my family's) browsing?
HTTP Error 403: You are not authorised to access the file "\real_name_and_address.html" on this server.

(c) 'Surreptitious Evil' 2006 - 2017.