
Wednesday, June 11, 2008

No It's Not

A 'smurf attack' is not especially nasty, that is.  It is, however, old news.

The attack consists of a flood of ICMP echo reply packets generated by exploiting the "broadcast address" feature of the Internet Protocol.  It is defended against by dropping, at routers, packets arriving from outside the local network that are aimed at such addresses.  See here, as well as the CERT-CC advisory.

The 'fraggle attack' is a similar concept but using the UDP protocol rather than ICMP (after many people just started blocking ICMP at the firewall.)
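As an added illustration (not code from the original post), here is a small detector for the two floods just described, run over constructed flow records: it flags a host receiving echo replies (smurf) or UDP reflector replies (fraggle) from many distinct sources in a short window when that host never sent the matching requests, and it includes the directed-broadcast check a border router applies. The reflector ports (UDP echo 7, chargen 19) and the thresholds are assumptions for the example.

```python
"""Detection helpers for smurf (ICMP echo reply) and fraggle (UDP) floods.
All flow records below are constructed sample data, not captured traffic."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# One record per packet: (seconds, src, dst, proto, extra)
# where extra is the ICMP type for "icmp" and the source port for "udp".
SAMPLE_RECORDS = [
    # Legitimate: our host pings one box and gets exactly one reply back.
    (0.0, "192.0.2.10", "198.51.100.5", "icmp", 8),
    (0.1, "198.51.100.5", "192.0.2.10", "icmp", 0),
] + [
    # Smurf: 40 hosts on an amplifier network all send echo replies to the
    # victim within one second, and the victim never sent them a request.
    (1.0 + i * 0.01, f"203.0.113.{i + 1}", "192.0.2.77", "icmp", 0)
    for i in range(40)
] + [
    # Fraggle: UDP replies from the echo service (port 7) of many hosts.
    (2.0 + i * 0.01, f"203.0.113.{100 + i}", "192.0.2.78", "udp", 7)
    for i in range(30)
]

# Thresholds are assumptions for this example; tune them per network.
MIN_DISTINCT_SOURCES = 20
WINDOW_SECONDS = 1.0
FRAGGLE_PORTS = {7, 19}  # UDP echo and chargen, the usual fraggle reflectors


def is_directed_broadcast(dst, local_networks):
    """True when dst is the broadcast address of one of the given networks,
    i.e. a packet a border router should drop when it arrives from outside."""
    addr = ip_address(dst)
    return any(addr == ip_network(n).broadcast_address for n in local_networks)


def detect_amplification(records, window=WINDOW_SECONDS,
                         min_sources=MIN_DISTINCT_SOURCES):
    """Return {victim: kind} for hosts that receive reply traffic from at
    least min_sources distinct sources inside one window of `window` seconds
    without having sent the requests that would explain it."""
    # src -> set of hosts it sent ICMP echo requests to (legitimate replies
    # come back from exactly those hosts).
    requests_sent = defaultdict(set)
    for _, src, dst, proto, extra in records:
        if proto == "icmp" and extra == 8:
            requests_sent[src].add(dst)

    # (victim, kind) -> [(time, reply source)]
    replies = defaultdict(list)
    for t, src, dst, proto, extra in records:
        if proto == "icmp" and extra == 0 and src not in requests_sent[dst]:
            replies[(dst, "smurf")].append((t, src))
        elif proto == "udp" and extra in FRAGGLE_PORTS:
            replies[(dst, "fraggle")].append((t, src))

    alerts = {}
    for (victim, kind), events in replies.items():
        events.sort()
        # Slide a window over the reply times, counting distinct sources.
        for i, (t0, _) in enumerate(events):
            in_window = {s for t, s in events[i:] if t - t0 <= window}
            if len(in_window) >= min_sources:
                alerts[victim] = kind
                break
    return alerts


if __name__ == "__main__":
    for victim, kind in detect_amplification(SAMPLE_RECORDS).items():
        print(f"{victim}: possible {kind} flood")
    print(is_directed_broadcast("192.0.2.255", ["192.0.2.0/24"]))
```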

Smurfs, on the other hand, are truly hideous.

Tuesday, June 10, 2008

The Future of "Intrusion Prevention"?

Bruce Schneier has been one of the influential thinkers in the information security profession for much of its existence.  A professional cryptographer (he designed the common Blowfish algorithm and the Twofish algorithm that was one of the five finalists in the AES competition), he wrote what is still a key work in the field, "Applied Cryptography", but has been working in the wider security arena for some time - running his own intrusion detection outsourcing company - Counterpane - now part of BT.

In a recent CSO Magazine interview, he answered a number of questions on the changes in security, mostly concentrating on the anti-terror / airport security situations he castigates in his most recent book, "Beyond Fear".

However, much to my delight, he then said this, talking about security ideas from the insect world:

But the neatest story I've found is about how lima bean plants defend themselves. When two-spotted spider mites attack them, the plants emit a chemical distress signal. The distress signal helps in three distinct ways. One, it gets other, nearby lima bean plants to start sending out the same distress signal, even if they're not being attacked yet. Two, it repels other two-spotted spider mites. And three, it attracts carnivorous mites to land on the lima bean plants and prey on the herbivorous two-spotted spider mites. Yes, the plants have evolved to call in air strikes against their attackers.

My emphasis.  Yes, one of the gurus of computer incident response seems to have proposed active response by ground attack aircraft on suspected computer criminals.  Now, if we could just get this added to the Council of Europe Cybercrime Convention then incident response will become a lot noisier!

Thursday, June 05, 2008

BT Phorm Trial Report Leaked

The report is available here and Alexander Hanff has an analysis up here.  I'm not sure the Security section (3.7) is adequate but this does seem to refer to a much older version of the malware.  Equally, as this is a 'Technical Validation', there is little treatment of the legal, regulatory or ethical issues which, to be frank, are the biggest problem with this appalling idea, although there is a minimal mention in Section 4 (Broadband Terms & Conditions).

I particularly like this apposite (we say 'security', we mean 'Revenue Share') typo from the "Success Criteria" section:


An interesting iota of excrement from the great { Phorm / Webwise / 1-2-1 Media / evil spyware b*stards } debacle.


Wednesday, April 16, 2008

For the Want of a Nail

It seems that the downfall of Lee Jasper, the world guru of PC and yet another example of the encouraging truism that the only qualification for seeking political office (even his pre-fall un-elected status) in London is excessive and extra-marital shagging, was brought about by one of the axiomatic failures of personal information security - the password on the post-it note.

If you had wondered how the Evening Standard got hold of the emails, the answer is in today's Indefensible.

Bigwigs at City Hall, paranoid about the leak that led to Jasper's messages reaching the journalist Andrew Gilligan, held an inquiry to find the culprit. The police would have been called had illegal hacking activity been unearthed. The inquiry was short. It soon established that Jasper kept his email log-in password on a Post-it note near his computer, so a temp could check his mail.


More fool him.

Monday, April 14, 2008

What Aren't They Saying?

Have a look at this very interesting response, from the less than universally popular Government of the People's Republic of China, to this Businessweek article:

After saying that, I should say that the Chinese government has on various occasions expounded its position on this global issue of cyber intrusion or hacking. The Chinese Government always opposes and forbids any cyber crimes including "hacking" that undermine the security of computer networks. Chinese laws and regulations are explicit in this regard.

As it is, China's cyber space and internet systems are frequently intruded and attacked by hackers from certain countries. As a victim of hacking attacks, China attaches great importance to cracking down on various cyber crimes including hacking activities.

China follows a path of peaceful development, and unswervingly adopts a national defense policy which is defensive in nature. China would never do anything to harm sovereignty or security of other countries. In conformity with such national policies, the Chinese government has never employed, nor will it employ so-called civilian hackers in collecting information or intelligence of other countries. Allegations against China in this respect are totally unwarranted, which only reflect the dark mentality of certain people who always regard China as a threat. Of course, there are some other people who are misled into believing that China is engaged in hacking activities, which is more than wrong.

(My italics.)


Now, I have worked in the past with the good people at CN-CERT/CC, the official computer incident co-ordinating centre for the PRC and they are keen and helpful when you are trying to knock out fraudulent web-sites and I am sure they are just as helpful in other similar circumstances.  But ...

Although it is not unknown for Intelligence Agencies to outsource the gathering of sensitive information to 'so-called civilian hackers', it is much more common for them to employ the appropriate resource directly - either via the military or as government employees.  Which may be, as well as some of their billion-plus population being up to no good entirely on their own cognisance, how so many of these APNIC IP addresses are appearing in people's security logs.

Or, there are another couple of alternatives.  The "Press Counselor & Spokesperson Of the Chinese Embassy to the United States" may not have a complete picture of his government's intelligence activities or, and I know this may come as a complete shock, may be knowingly telling a slight fib.

Friday, April 11, 2008

Security Shitstorm

While I am perfectly happy that it appears unlikely that Poole Council passed the necessary tests in S.28(3) of RIPA for the authorisation of directed surveillance (see al-Beeb, the Torygraph and the Gruniad):

(3) An authorisation is necessary on grounds falling within this subsection if it is necessary—

(a) in the interests of national security;

(b) for the purpose of preventing or detecting crime or of preventing disorder;

(c) in the interests of the economic well-being of the United Kingdom;

(d) in the interests of public safety;

(e) for the purpose of protecting public health;

(f) for the purpose of assessing or collecting any tax, duty, levy or other imposition, contribution or charge payable to a government department; or

(g) for any purpose (not falling within paragraphs (a) to (f)) which is specified for the purposes of this subsection by an order made by the Secretary of State.

unless the evil shits that run this country have made an Order defining school entrance as so enabling, I must object to the tenor of the BBC coverage this morning and the other journalistic nonsense.  RIPA is not just for terrorists (as the mother apparently alleges) and serious crime - it covers many, many things.  For example, there has been directed surveillance for years by the DWP and its predecessors checking that invalidity benefit (and its predecessors) claimants are not working on the side, running marathons, entering martial arts competitions, etc.

Note that this is neither interception (S3, 4 & 5) nor 'intrusive surveillance' (S32); aside from the limited exceptions for interception (consent, the owner of a private system etc), the requirements for justifying both of those are more severe.

While I agree with Liberty that this may be disproportionate (I am not sure using your current address on a school application and then later moving a mile counts as criminal, whatever Tim Martin thinks), the challenge has to be on that basis, not that 'it isn't terrorism'.

Phorm, for example, mendacious charlatans that they may be, are not 'terrorists', and we certainly want RIPA to apply to them.

Thursday, April 03, 2008

Did you have 'Phorm'?

Well, more than 18,000 of you (i.e. 18,000 accounts with an unknown number of subscribers behind those) did, BT customers to a man, woman and Bassett Hound. But you'll never know. BT didn't keep the records of who they subjected to this dubious privilege. (Ed notes: Well, unless you check your browser for Webwise [1] cookies.)

So the great Phorm saga continues with a significant presence on this morning's BBC Breakfast show, with quite a concentration of attention on the BT trial - was it legal? Was it moral? Did it work?

Kudos to the female presenter for giving the latest mendacious Phorm apologist, Emma Sanderson from BT, a hard time.  Fewer brownie points, however, to the reporter, Julia Caesar, for an unconvincing and inaccurate description of Phorm.  It doesn't record your search terms, I am afraid, it processes, analyses and records summaries of everything it can get its dirty mitts on (which is pretty much everything, folks.)

Okay, so we don't know quite a lot about how this works, yet, and I am really looking forward to Richard Clayton's report following the Open Rights Group's meeting with Phorm last week.

What do we know?
  • Phorm redirects your HTTP requests (apparently via some horrid proxy redirects [2] or some DNS chicanery [3]), and looks for a Webwise cookie.   If you don't have one, you get one (possibly not if you are a Talk-Talk customer).

  • It intercepts the returning webstream and processes it, unless you have opted out, to see into which of their advertising categories the page falls.  It then records this data against your cookie value.
  • If the target website is an OIX customer, you will get an ad inserted.  If you have not opted out, this will be based on your previous surfing history; if you are opted out, it will be randomly selected.
What are the concerns?
  • Phorm, themselves, have form - they used to be 121 Media Inc.  121 Media produced a product that placed ads on your system and used rootkit technology, apparently this, to stop it being easily removed.  They say 'adware', many say 'spyware'.  They say 'potatoe', many say 'potato'.

  • Phorm is potentially (i.e. it cannot stop itself from) processing personal data under the meaning of the First Principle of the Data Protection Act 1998 and therefore must justify the conditions in Schedule 2 of the Act.

  • Phorm cannot prevent itself from capturing, analysing and, therefore, processing, sensitive personal data under Section 2 and Schedule 3 of the Act.

  • The interception of the HTTP stream is, itself, clearly in breach of Section 1(1)(b) of the Regulation of Investigatory Powers Act, 2000 (see also s2(2)(b) for a definition of interception).  Unless BT (not Phorm - the ISP are doing the interception, I suspect) have 'lawful authority'.  This is hard - especially as they are a public telecommunications provider, therefore don't have access to the exclusions in 1(6).  So how can this be legal?  There are two options, 

    • s3(1) - consent - which requires both parties (browser and server).  There are also concerns that even if the subscriber consented in a contract, that they cannot provide the appropriate explicit consent for anybody who uses that service (we, for example, have an old laptop in our guest room for visitors to use.)

    • s3(3) "it takes place for purposes connected with the provision or operation of that service". I'll let the lawyers argue about that one but it certainly isn't clear that it is legal - it would be difficult to argue that provision of adverts was a vital part of the service but they may argue that the limited anti-phishing capability counts.

    We'll see how this one pans out in public and, but hopefully not, in the courts.

  • Phorm claim that their stored data is not personally identifiable and have gone to significant trouble to get 80/20 Thinking (not Privacy International although the staff lists are fairly congruent) to do a Privacy Impact Assessment.  The determiner is whether anybody holds a list that associates the Phorm cookie identifier with an individual.  As Ben Laurie points out, this would be trivial for the ISP to do, especially with the Phorm monitoring kit already installed.

This is, I have to say, enough for me to consider changing ISP - if Virgin Media do implement Phorm, I will shift from cable to broadband, probably for my phone service too. As well as LightBlueTouchPaper, for the forthcoming technical analysis, can I also recommend BadPhorm, for more background (and a list of ISPs who have pledged not to go near this mendacious spyware with the proverbial bargepole) and Dephormation for a Firefox plugin that will help you avoid damage iff (Ed notes: yes, that is not a spulling mistook) you end up subjected to Phorming.

Update: And this in from el-Reg.


1. As a (NTL / Blueyonder / Virgin Media / whoever it is today) customer, it is nice to see that their logo is no longer on the home page of this site.

2. See this /. comment.

3. But as an ex-BT customer, I run my own DNS servers? Would they still manage to capture my (and my family's) browsing?

Friday, March 28, 2008

Reality Check for Sgt McHenry.

Crime? ✓

Dangerous? ✓

Reasonably punished by a jail sentence? Probably.

Terrorism, cyber or otherwise? No, please, no!

"It didn't take a lot of technical hacking skills," said McHenry. "All it required was knowledge of certain services that he used for the wrong purpose. I hope this deters other people emulating Mr. Ellis. I would hope they think twice before engaging in cyber terrorism."


Ed notes: For those using IE7 - those blocks you can see on the first two lines are rendered as 'ticks' in real browsers.

Monday, January 07, 2008

Wrong, Wrong, Wrong

Another Clarkson related post:

"I opened my bank statement this morning to find out that someone has set up a direct debit which automatically takes £500 from my account," he said.

"The bank cannot find out who did this because of the Data Protection Act and they cannot stop it from happening again.

"I was wrong and I have been punished for my mistake."


No, no, no. Whoever has done this is committing an offence. There is nothing in the DPA which prevents the investigation of alleged offences. Some companies' (I assume a telephone company here) DPA policies make it more difficult - they need to determine who you are and why you have a right to the information before they release it outwith their declared disclosure policy - but it is not "cannot". Inform the police and they have the powers to obtain the data.

And he was correct in his initial point about the widespread knowledge of your basic account details - every cheque, direct debit or standing order contains the same sort of bank information that was on the HMRC CDs. Those also contained your address and other details (of which we have yet to be informed?) as well. And I blogged about the ease of setting up direct debits some time ago.

Sunday, January 06, 2008

Malice of Some Sort

I followed the link on Theo's post to the "Real Clarkson Manifesto" in the Sun. He makes some sense. But anyway ...

The web page tried an advertising pop-up (irritating but they need to make money) which contained 'Trojan-Downloader.SWF.Gida.a':

http://v0zemili0garan0n.com/statsg.php?u=1199391035&campaign=z00latrymy


(if you really want to try it, don't. If you really, really want to try it, I've replaced some of the letters.)

And the domain? Reasonably newly registered, through Yesnic in Korea - a company I remember well from my days in the incident response trenches. No registrant details:

Domain Name: VOZEMILIOGARANON.COM
Registrar: YESNIC CO. LTD.
Whois Server: whois.yesnic.com
Referral URL: http://www.yesnic.com
Name Server: NS1.VOZEMILIOGARANON.COM
Name Server: NS2.VOZEMILIOGARANON.COM
Name Server: NS3.VOZEMILIOGARANON.COM
Name Server: NS4.VOZEMILIOGARANON.COM
Status: ok
Updated Date: 05-dec-2007
Creation Date: 23-nov-2007
Expiration Date: 23-nov-2008
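As an added example (not from the original post), a small parser for whois records in the format quoted above that pulls out the two signals the post leans on, a very recently created domain and no registrant details, computed as of the post's date. The "young domain" cut-off and the extra check that every name server sits under the domain itself are heuristics I add here, not anything the post states.

```python
"""Parse a whois record like the one quoted above and list the cheap
reputation signals a responder would note before digging further."""
from datetime import date, datetime

# Sample built from the whois block above (the domain is the post's own
# already-altered spelling, not a live indicator).
SAMPLE_WHOIS = """\
Domain Name: VOZEMILIOGARANON.COM
Registrar: YESNIC CO. LTD.
Whois Server: whois.yesnic.com
Referral URL: http://www.yesnic.com
Name Server: NS1.VOZEMILIOGARANON.COM
Name Server: NS2.VOZEMILIOGARANON.COM
Name Server: NS3.VOZEMILIOGARANON.COM
Name Server: NS4.VOZEMILIOGARANON.COM
Status: ok
Updated Date: 05-dec-2007
Creation Date: 23-nov-2007
Expiration Date: 23-nov-2008
"""

POST_DATE = date(2008, 1, 6)  # date of the post quoting the record
YOUNG_DOMAIN_DAYS = 90        # assumed cut-off for "recently registered"


def parse_whois(text):
    """Return {field: [values]}; repeated fields such as Name Server keep
    every occurrence in order. Lines without a colon are ignored."""
    record = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        record.setdefault(key.strip(), []).append(value.strip())
    return record


def domain_age_days(record, as_of):
    """Days between the Creation Date (dd-mon-yyyy, as in the sample) and as_of."""
    created = datetime.strptime(record["Creation Date"][0], "%d-%b-%Y").date()
    return (as_of - created).days


def assess(record, as_of, young_days=YOUNG_DOMAIN_DAYS):
    """Collect human-readable signals: new domain, absent registrant fields,
    and name servers hosted on the domain itself (nothing outside vouches for it)."""
    domain = record["Domain Name"][0].lower()
    signals = []
    age = domain_age_days(record, as_of)
    if age < young_days:
        signals.append(f"registered {age} days ago")
    if not any(key.startswith("Registrant") for key in record):
        signals.append("no registrant details")
    nameservers = [ns.lower() for ns in record.get("Name Server", [])]
    if nameservers and all(ns.endswith("." + domain) for ns in nameservers):
        signals.append("name servers are self-hosted")
    return signals


def assess_sample():
    """Run the checks over the sample record as of the post's date."""
    return assess(parse_whois(SAMPLE_WHOIS), POST_DATE)


if __name__ == "__main__":
    for signal in assess_sample():
        print("-", signal)
```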


This seems to be one of the usual small bits of malware (downloaders) that then go off and fetch tons of shit that really fucks your computer. Well done, Kaspersky.

A high status advertiser for Britain's most popular daily comic? Nil out of 10 to News Group Newspapers Ltd. Hope you've made sure the cheque cashes properly.

Friday, January 04, 2008

Interpreting the Law

Many of you will not realise quite how fluffy and vague the whole legal process is, even if we stick to the criminal law. Interpretation occurs at many stages of the construction, prosecution and disposal of any case, hence there is widespread ability to deviate from the strict intent of the framers of the statute (if we even have any idea what that was.)

Let's take a look at the process (I am assuming here, just for the purposes of this traipse through the system, a lack of both error and of deliberate malice):

  • Once something has happened, it may or may not appear high enough up the priority list the police are given by the Government to be investigated. (Actually, it may not even be recorded, or may be recorded as something else with a higher or lower priority, depending on how the ubiquitous 'they' wish to massage the stats.)
  • The investigation, assuming it happens, will try to collect evidence - there may simply not be enough left behind. Witnesses may be mistaken (they very often are), may not come forward (through ignorance, fear or loyalty to a presumed suspect) or may appear unreliable.
  • If there is some evidence (I am not a cop but, by repute, there is some leeway here for less serious alleged crimes) a report may be written, summarising the evidence, for presentation to the prosecuting authorities. They also have their government-imposed priorities (like the current concentration on the low rate of rape convictions) and may decide not to proceed as "not in the public interest", or they may decide that there is insufficient evidence for any charge or that a lesser charge is more appropriate (which causes all the aggro in (death by) dangerous driving / careless driving type cases). Appropriate here hopefully meaning more likely to gain a conviction of a presumed guilty party (as opposed to providing 'suitable' vengeance for a victim or their family) but quite possibly meaning "a more politically attractive (or, far worse, better for my career*) charge".
  • Normally, there will be a long wait. Evidence may be lost, or damaged (including contaminated.) Memories often fade, stories become blurred. People sometimes become less certain, sometimes irrationally sure in their convictions (Ed notes: apols for the pun.)
  • Court. Lawyers get to play clever games. The judge may decree no case to answer or direct the jury to convict.
  • Jury. 12 or 15 or however many you are entitled to. They certainly interpret.
  • Sentencing. Judges, certainly in the UK, have less flexibility than they used to but there is everything from unconditional discharge to life without parole (and the death sentence if your mileage varies.)
  • Appeal. And round the process again.

Why all this? Well, the CPS have finally released their guidance on the Computer Misuse Act, 1990, as amended by the Police and Justice Act, 2006. Richard has some things (mostly derogatory) to say about it. Now, apart from the fact that it does not apply in the civilised world (we have the Procurator Fiscal up here), hence the references to things southern such as the Fraud Act 2006, there is quite a lot to comment on here.
  • The bit about DPP v Bignell is really quite interesting. If I am allowed to do something on a computer, provided you present me with the right justification / bit of paper / whatever, and you con me into doing it - forgery, "I'll get it signed as soon as the boss is back", or straightforward lying - then neither you nor I have committed a CMA offence. This seems reasonable.
  • Using Section 55 of the Data Protection Act 1998 (Unlawful obtaining etc. of personal data) rather than CMA Section 1 (Unauthorised Access) seems a good thing, especially if the current raft of highly public data breaches results in a strengthening of the penalties above the current fine (Section 60, para 2, if you are interested.) Of course, this is restricted to an albeit important subset of illegal access.
  • There is very little about CMA Section 2 offences - this is not surprising as placing of charges under Section 2 seems very rare to me (never mind convictions.)
  • There is a little about the new (or, at least, specific) criminalisation of DDoS, with some interesting vague stuff about intent.
  • Of course, the most interesting is the guidance on the new Section 3A offences, "Making, supplying or obtaining articles for use in offence (sic?) under section 1 or 3".
There is some really good stuff here, never mind Richard's points re grammar and language:
  • There is explicit recognition of the legitimate computer security industry, thankfully, and a requirement for prosecutors to "ascertain ... criminal intent".
  • There is more useful discussion of "likely", as in "he supplies or offers to supply any article believing that it is likely to be used to commit, or to assist in the commission of, an offence", than there was with the Home Office's incredible (no, actually, credible but outstandingly incompetent) 50% usage figure.
  • Although there is a clear bias towards commercial as in pay-for use as determining legitimacy, there is also mention of "widely used for legitimate purposes."
Overall, I think this is good guidance which, unfortunately, is not capable of completely fixing bad law. The last bullet is the one I would hang my hat on, hypothetically, if I was being prosecuted under Section 3A(2) - which is the difficult bit.

Expect briefings on the Computer Misuse Act, at least on paper, for pen-testing courses in England and Wales - but, then, those have always been a good idea, especially around the "Who do I need to get permission from" aspects of the law.

Update: Just realised that the first paragraph didn't make sense. Reworded, sorry.

* Thankfully, as British prosecutors are appointed not elected, we don't have the dance to please the baying mob that seems such a feature of American trials.

Sunday, December 16, 2007

Oh, for fucks sake!

Can the turkeys at HMRC not stop embarrassing the country for a couple of weeks, at least? Now, losing a couple of CDs is relatively easy - I have no idea where mine of the Berlin Philharmonic performing the 1812 overture is. They're not big and they weren't being handled "securely". But this:

Contraband seized by customs officers has gone missing from a secure depot close to Coventry airport.

Police have been called in to search for the goods which disappeared from the HM Revenue and Customs (HMRC) store before last weekend.

A HMRC spokesman refused to comment on claims drugs, firearms and passports may have gone missing.

Utterly useless cunts. The mind boggles. Let me see, perhaps, "A junior official forgot to lock the door". Still, no chance of any minister resigning over this, or any other, fuck-up.

Friday, December 14, 2007

Why would anyone?

I was unsubscribing from receiving ITV spam (and, for reasons best left unsaid, using Internet Explorer to do so) when I saw this:

[Image: ITV ActiveX DRM control]
Now, what would possess anybody to "click here"?

Update: if you click on the picture it does become readable.

Thursday, December 13, 2007

Control Freak states Obvious

Well, well. We didn't know that, did we:

Prime Minister Gordon Brown ... told Commons committee chairmen that public and private firms had to come to terms with IT security issues.


But, just remember, deh Gubbinmunt does it better.

Friday, December 07, 2007

WTFF?

Were CAB doing with 60,000 records on a sodding laptop? I thought these were local centres, managed by experienced volunteers. Why aggregate the case records? Why on a laptop?

'Tis claimed the data was encrypted. That may be a saving grace but it is not an excuse. Morons.

Thursday, November 22, 2007

Email is not the only way

To transfer data across a network. Honestly.

Data Loss - Part Ye Third

Yesterday, I opined:
the poor bod who actually did this is likely to be some form of IT or audit minion


Yes, indeed - an IT minion. And in preventative custody. That is, preventing him from telling the truth until the spin has been properly sorted out. Poor bugger.

Update: Oh, and the Information Commissioner's press release has been stealth updated again, and now mentions PWC. Again, without mentioning that they got it wrong. If that's how the openness and transparency watchdog behaves, admittedly for a completely trivial mistake, then God help us (as we are seeing) when things go badly wrong.

Wednesday, November 21, 2007

Data Loss - Reprise

Okay, so we seem to have (from the best figures I can glean), approximately 25 million sets of personal data. Within that, it appears to be (this will be updated as I can):
  • 11 million families Update: not sure now whether this is the number of adults or the number of household records (you can have child benefit paid split between carers if the child spends time living in more than one household, and you can also change who it is paid to ...)
  • 14 million children
  • 7¼ million bank accounts. Update: Sandra Quinn, APACS spokes-weasel, said on MoneyBox (Sat 24 Nov) that there were 7.3 million accounts notified to the banks through APACS. I'll take that as confirmation of this figure.
Now, of its self, those figures are interesting - it's free money, not means tested, paid to mum and not strongly audited (at least, Mrs S-E's never has) so there seems little incentive to fib - the average family with children under 16 (or slightly older) has 1.27 of them and 34% of mums really don't want the money paid into a bank account. But, security questions:
  • Why on God's green Earth did the NAO need, or think they wanted, the entire database? I appreciate that they have a duty to ensure that public funds are properly managed but surely that could have been done with summary data and some spot checks? Update: Apparently, they didn't want the personal data - but that still makes it even more dubious why they couldn't use summary data (i.e. I can think of reasons why they would want the personal data, just not ones legitimate to the NAO role.) Update 2: from Hansard - seems to be a proper explanation to me - Edward Leigh chairs the public accounts committee - h/t Roger Hird - (Ed notes - except, of course, that under the DPA, your NI number is, contrary to Mr Leigh's assertion, personal data, because somebody has the database to turn that back into a reference to you):
Mr. Edward Leigh (Gainsborough) (Con): I am grateful to the Comptroller and Auditor General and to the Chancellor for briefing me this morning. May I just make one or two things clear from the CAG’s briefing? He requested this information—the national insurance numbers—to create a sample to enable him to carry out the audit. It is clear that the CAG specifically asked that all personal details, bank account details and all that sort of information should be removed before this was sent. That is the most important thing. The National Audit Office simply asked for the national insurance numbers; this had nothing to do with personal details.
  • Ross, on Newsnight last night, said that the database should have been classified as "SECRET". Can't comment on that, because the definitions of UK protective markings are themselves protectively marked :). It would be interesting to find out what the Accreditation Documentation Set rated the system as (I can guess) and how this relates to the new Impact Levels ... (Will post an IL definition table if I can find it on the web).
  • Was backup software involved? If so, why was this not set to encrypt by default?
  • Why was this not transferred over the GSI or xGSI (Government Secure Intranet)?
  • What involvement, if any, did Aspire (the Cap Gemini SPV that runs HMRC's IT) have in this saga?
  • Why all the delays? (Ed: Actually, I know the answer to this one - the "shoot the messenger" culture endemic in modern Britain - private as well as public sectors.)
Security red herrings (IMNSHO):
  • "Junior official" - the poor bod who actually did this is likely to be some form of IT or audit minion, almost certainly not an Oxbridge classics grad (or even, horrible to have an almost job-relevant qualification, a PPE grad), acting on the commands of their superiors.
  • Lost in the post - yes, it went in the Government internal mail. Why? Have you ever tried to get first class posting, never mind recorded / registered post from a large bureaucracy? Generally, the only way to do it is to go to the Post Office yourself and try to claim the cost back on expenses.
  • Quibbles about refunds of any fraud or suing the taxman. The former will happen, the latter can't - see here.
  • Fines for HMRC - the large fines against banks were levied (IIRC) by the FSA, who have no authority over HMRC, as opposed to the Information Commissioner, who has a different penalty regime (largely, and reasonably effectively against large organisations, name and shame).
More news:
  • The Information Commissioner speaks:
Richard Thomas, Information Commissioner, said:

“This is an extremely serious and disturbing security breach. This is not the first time that we have been made aware of breaches at the HM Revenue and Customs – we are already investigating two other breaches. Incidents like these illustrate that any system is only as good as its weakest link. The alarm bells must now ring in every organisation about the risks of not protecting people’s personal information properly. As I highlighted earlier this year, it is imperative that organisations earn public trust and confidence by addressing security and other data protection safeguards with the utmost vigour.
  • But why does he mention a KPMG review? Jane Kennedy said (on Newsnight which I caught online) PWC? Do we really need them both? Update: Seems to be a typo in the IC press release - Kieron Poynter, mentioned as leading the study for KPMG, is Chairman of PWC UK. Update 2: And the KPMG mention has been removed from the online press release (without acknowledging the change).

HMRC and their CDs

I would watch here and here.

Update: And I wouldn't listen to Mark Serwotka who said "this is proof that civil servants do very valuable jobs." No. I don't think so. Screwing up so publicly is hardly a "valuable job".

Update 2: Mrs S-E has just told me that PWC are going in to do the investigation. So we can all sleep easily. Where are the Met CCU or SOCA?

Tuesday, November 20, 2007

Mark Ward talks (security) bollocks

RIPA Part III. You have been warned about it for some time. It is now in the mainstream news. However there are some small accuracy issues ... Well, we can't ask those loyal public servants at the BBC to get everything right:

If those receiving the letters do not comply with the request or a formal S49 notice they can be imprisoned for up to two years.


Err. No. Complete bollocks, in fact. The penalty for failing to comply with a formal S49 notice can be up to 5 years imprisonment if the case relates to national security under s15 of the Terrorism Act 2006 (thanks, Richard), with 2 years and a fine as the maximum for other cases.

However, that is just pedantry. Your egregious failing is not pointing out the maximum penalty for failing to comply with a request from the CPS (or anyone else, for that matter) for key disclosure (or just decrypting the data) is that you then get issued with a formal S49 notice. With the previously mentioned penalties. FFS it's not hard.

And, as the activists in question appear just to have had letters from the CPS as opposed to formal notices, the whole thrust of your article is wrong. And, as walking on a cycle path can be spun as terrorism, I'm sure that animal rights activism (some of whom have history with mail-bombs and other violence) can be readily pigeon-holed as national security, so your numbers are crap too. Well done, the main-stream media. Perhaps, Mark, you might want to get a job as a facts-researcher for Polly?