Archive for the 'Security' Category

Apple’s paranoia: the downside

[link] Tuesday, August 5th, 2008

Good column by Bill Thompson…

Different calculations apply when it comes to dealing with people who already use its products, where Apple’s unwillingness to divulge details of security flaws or even the specifics of how flaws are fixed leaves customers confused, ignorant and possibly exposed to attacks that could be avoided.

Patches are simply distributed through Software Update, with little detail about the problems they address or the changes they make, and discussion of security is severely restricted.

We have seen this recently, as two Apple-related talks at the 2008 Black Hat hacker convention were pulled at short notice. A discussion of flaws in the Mac OS disk encryption system FileVault by Charles Edge was withdrawn because he has signed confidentiality agreements with Apple…

Thinking of taking your laptop to the US?

[link] Saturday, August 2nd, 2008

Might be worth considering this from Good Morning Silicon Valley.

If you’re looking to get outraged by a government’s intrusion into the electronic lives of its citizens, you don’t need to look all the way to China. The U.S. Department of Homeland Security recently revealed its current border policy on laptops, iPods and other gadgets carried into the country by returning travelers or foreign visitors, and it boils down to this: Without explanation, we can seize your laptop or any device capable of storing information (including cell phones, thumb drives, video tapes, and old-fashioned analog paper). We can keep it as long as we want. We can look through the contents, and we can share them with other agencies or private entities. And we can do all this whenever and to whomever we want — no reasonable cause needed, not even a vague suspicion of wrongdoing. And, of course, this is all OK because we are protecting our treasured American freedom.

Does Skype have a back door?

[link] Friday, July 25th, 2008

Answer: probably yes. I’ve long suspected that anyway. Now comes this interesting report from an Austrian online news site…

According to reports, there may be a back door built into Skype, which allows connections to be bugged. The company has declined to expressly deny the allegations. At a meeting with representatives of ISPs and the Austrian regulator on lawful interception of IP based services held on 25th June, high-ranking officials at the Austrian interior ministry revealed that it is not a problem for them to listen in on Skype conversations.

This has been confirmed to heise online by a number of the parties present at the meeting. Skype declined to give a detailed response to specific enquiries from heise online as to whether Skype contains a back door and whether specific clients allowing access to a system or a specific key for decrypting data streams exist. The response from the eBay subsidiary’s press spokesman was brief, “Skype does not comment on media speculation. Skype has no further comment at this time.” There have been rumours of the existence of a special listening device which Skype is reported to offer for sale to interested states.

There has long been speculation that Skype may contain a back door. Because the vendor has not revealed details of its proprietary Skype protocol or of how the client works, questions as to what else Skype is capable of and what risks are involved in deploying it in an enterprise environment remain open.

Last week, Austrian broadcaster ORF, citing minutes from the meeting, reported that the Austrian police are able to listen in on Skype connections. Interior ministry spokesman Rudolf Gollia declined to provide heise online with a comment on the matter. He did, however, offer general comments on the meeting, which were, however, contradicted by other attendees…

I use Skype quite a lot and find it very useful for family stuff etc. But I wouldn’t use it for anything that was commercially sensitive.

Skype would be able to charge quite a hefty fee to governments for this, er, feature.

Also, I wonder how this latest speculation squares with an earlier report that I logged claiming the German police were unable to crack Skype encryption. Perhaps the Germans weren’t willing to pay Skype the required fee for entry to the back door?

Oyster card hack can be revealed

[link] Monday, July 21st, 2008

Bet this wouldn’t happen in the US. The Register reports that:

Dutch researchers will be able to publish their controversial report on the Mifare Classic (Oyster) RFID chip in October, a Dutch judge ruled today.

Researchers from Radboud University in Nijmegen revealed two weeks ago they had cracked and cloned London’s Oyster travelcard and the Dutch public transportation travelcard, which is based on the same RFID chip. Attackers can scan a card reading unit, collect the cryptographic key that protects security and upload it to a laptop. Details are then transferred to a blank card, which can be used for free travel.

Around one billion of these cards have been sold worldwide. The card is also widely used to gain access to government departments, schools and hospitals around Britain.

Chipmaker NXP - formerly Philips Semiconductors - had taken Radboud University to court to prevent researchers publishing their controversial report on the chip during the European computer security conference in Spain this autumn. Spokesperson for NXP Martijn van der Linden said that publishing the report would be “irresponsible” - understandably, the company fears criminals will be able to attack Mifare Classic-based systems.

However, the judge today ruled that freedom of speech outweighs the commercial interest of NXP, as “the publication of scientific studies carries a lot of weight in a democratic society”.

The researchers have always said they don’t intend to include details of how to clone the card and that publications could prevent similar errors occurring in the future. NXP says it is disappointed with the ruling…

I bet they are.

Sweden caves in to Osama

[link] Thursday, June 19th, 2008

Osama bin Laden’s campaign to eliminate civil liberties in the West has notched up another victory — this time in Sweden, formerly a paragon of sweetness and light in these matters.

Sweden this evening voted in favour of its controversial snoop law, after the proposal was amended earlier today.

Under the new law, all communication across Swedish borders will be tapped, and information can also be traded with international security agencies, such as America’s National Security Agency.

A total of 143 members of parliament voted to pass the bill into law, with 138 delegates opposed.

Earlier today, Prime Minister Fredrik Reinfeldt failed to win the backing of his four-party coalition: the draft was sent back to the committee for revision. Key members of parliament who were likely to vote against the proposition were put under pressure by their parties, according to some reports.

Despite receiving copies of George Orwell’s book 1984 from protesters earlier this week, MPs from Sweden’s ruling party believe the law does not constitute the final nail in the coffin of democracy.

Media groupthink and Mr Davis

[link] Sunday, June 15th, 2008

Here’s a good journalistic rule: whenever you find a consensus, look out for rodent smells. When David Davis stunned the Westminster village with his resignation on Thursday, I watched and listened to most of the mainstream broadcast coverage that evening. It was scarily uniform, which didn’t square at all with my own hunch that Davis’s move is a game-changer. Which is very welcome, because it’s clear that the great British public is sleepwalking into an authoritarian nightmare and something very dramatic is needed to provide a wake-up call. My hope is that the hoo-hah which will surround the by-election might provide such a call.

It’s reassuring to find that my Observer colleague, Henry Porter, sees it the same way, not least because he has been a forceful critic of Labour’s creeping authoritarianism from the beginning. In a terrific column this morning he observes that

The political classes don’t like this sort of thing. There’s too much raw emotion involved. Like nervous prefects, they dismissed Davis as vain, egotistical, narcissistic and irresponsible. He was, said one commentator of my acquaintance, suffering from a mid-life crisis and probably knew he didn’t have the brains to be Home Secretary, which is why he had bailed out.

That very much captures what is wrong with the Westminster village, which is so consumed with the talk of power, the jockeying for power, the acquisition and loss of it, that there is very little space left in the minds of journalists and politicians for principles and ideas. Yet that was what so much of last week in the House of Commons was about. Let us not forget that the Prime Minister won 42 days pre-charge detention by buying votes from nine hard-faced men from Northern Ireland, while 36 members of his own party stood up for the fundamental freedoms of our country. This was a moral defeat, not for Labour, but for Gordon Brown.

Then the unthinkable occurred. Davis appeared like Cyrano de Bergerac with his sword drawn at St Stephen’s entrance to the House of Commons - a venue occasioned by Speaker Martin’s undemocratic refusal to allow him to address the chamber - and challenged anyone and everyone…

Like Henry, I am sending Davis a cheque and a letter of support.

Copyright thuggery: the next move?

[link] Tuesday, May 27th, 2008

Wonder how reliable this report is…

A TOP-SECRET DEAL being ironed out by G8 nations will give the music and film industry a state-paid force of copyright cops with the same powers as customs officials.

The copyright police can seize your mp3 player or laptop to see if it contains pirated content and can order ISPs to turn over personal data without the need for proof.

G8 members, at the request of those wonderful examples of humanity at the RIAA, are agreeing to turn tax-payer paid customs officers into boot boys for the record and music business.

The Anti-Counterfeiting Trade Agreement (ACTA), will be discussed at the next G8 meeting in Tokyo, in July.

The Ottawa Citizen claims that the moves are part of a package of laws to govern private copying and copyright laws.

When you arrive in the country the copyright police would be given the job of checking laptops, iPods, phones and other personal devices for content that ‘infringes’ copyright laws.

If you have any ripped CDs or DVDs you could be deep in poo, as the customs officials can define on the spot what they think constitutes copyright infringement.

Entropy reduction and its consequences

[link] Tuesday, May 20th, 2008

From Technology Review

In technical terms, a programming error reduced the amount of entropy used to create the cryptographic keys in a piece of code called the OpenSSL library, which is used by programs like the Apache Web server, the SSH remote access program, the IPsec Virtual Private Network (VPN), secure e-mail programs, some software used for anonymously accessing the Internet, and so on.

In plainer language: after a week of analysis, we now know that two changed lines of code have created profound security vulnerabilities in at least four different open-source operating systems, 25 different application programs, and millions of individual computer systems on the Internet. And even though the vulnerability was discovered on May 13 and a patch has been distributed, installing the patch doesn’t repair the damage to the compromised systems. What’s even more alarming is that some computers may be compromised even though they aren’t running the suspect code….
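To make concrete what “reduced entropy” means here, and why a patch cannot undo it, here is a toy model written for this page (it is not code from Technology Review, OpenSSL or Debian). The one fact it takes from the real bug is that the broken generator was left with only the process ID as seed material, and Linux process IDs default to a range of 32768 values, so the attacker’s whole job is to enumerate that range. The key derivation itself (HMAC/SHA-256 standing in for RSA or DSA generation) and the function names are assumptions for illustration only.

```python
"""Toy model of a low-entropy key generator and the precomputation attack on it.

Added example for this page, not code from the original post or from OpenSSL.
"""
from __future__ import annotations

import hashlib
import hmac
import os

# Linux PIDs default to 1..32767 (pid_max 32768). In the real bug this was the
# only variable input left to the seed, so this is the size of the key space.
PID_MAX = 32768


def toy_private_key(seed: bytes) -> bytes:
    """Stand-in for key generation: derive a 'private key' from the PRNG seed."""
    return hmac.new(b"toy-keygen", seed, hashlib.sha256).digest()


def toy_public_key(priv: bytes) -> str:
    """Stand-in for the public half, i.e. what ends up in authorized_keys."""
    return hashlib.sha256(b"pub|" + priv).hexdigest()


def broken_keygen(pid: int) -> tuple[bytes, str]:
    """Vulnerable path (assumed model): the seed is the PID and nothing else."""
    seed = pid.to_bytes(4, "big")
    priv = toy_private_key(seed)
    return priv, toy_public_key(priv)


def fixed_keygen(pid: int, entropy: bytes) -> tuple[bytes, str]:
    """Patched path (assumed model): real entropy is mixed into the seed."""
    seed = pid.to_bytes(4, "big") + entropy
    priv = toy_private_key(seed)
    return priv, toy_public_key(priv)


def build_weak_key_table() -> dict[str, bytes]:
    """Attacker side: every key the broken generator can ever produce."""
    table: dict[str, bytes] = {}
    for pid in range(1, PID_MAX):
        priv, pub = broken_keygen(pid)
        table[pub] = priv
    return table


def recover_private_key(pub: str, table: dict[str, bytes]) -> bytes | None:
    """Given only a public key, return the private key if it is a weak one."""
    return table.get(pub)


def audit_authorized_keys(pubs: list[str], table: dict[str, bytes]) -> list[str]:
    """Defender side: flag weak keys that were accepted from *other* hosts.

    This is why a host can be exposed without ever running the broken code:
    it only has to trust a key that was generated on one.
    """
    return [pub for pub in pubs if pub in table]


if __name__ == "__main__":
    table = build_weak_key_table()
    print(f"weak key space: {len(table)} keys")

    # Key generated before the patch on an affected machine.
    priv, pub = broken_keygen(4242)
    print("recovered old key:", recover_private_key(pub, table) == priv)

    # Key generated after the patch; not in the attacker's table.
    _, good_pub = fixed_keygen(4242, os.urandom(32))
    print("recovered new key:", recover_private_key(good_pub, table) is not None)

    # The patch does not revoke the old key; an audit of trusted keys is needed.
    print("weak keys still trusted:", audit_authorized_keys([pub, good_pub], table))
```

Building the whole table takes a fraction of a second at this size, which is the point: 15 bits of entropy is not a key, it is a lookup. Installing the fix only changes keys generated afterwards; anything produced earlier stays in the attacker’s table, and the audit step is what catches weak keys trusted by hosts that never ran the faulty code.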

Two machines are better than one

[link] Sunday, May 11th, 2008

This morning’s Observer column

If you’ve signed up for a new web service recently, you may have noticed that a final stage of the enrolment process presents you with an indistinct image of a number of letters and numbers, often in a wavy line, and sometimes displayed against a confusing background. You are asked to identify the sequence and type it accurately into a text box. You have just encountered a Captcha…

AT&T: Internet to hit full capacity by 2010

[link] Saturday, April 19th, 2008

From ZDNet

U.S. telecommunications giant AT&T has claimed that, without investment, the Internet’s current network architecture will reach the limits of its capacity by 2010.

Speaking at a Westminster eForum on Web 2.0 this week in London, Jim Cicconi, vice president of legislative affairs for AT&T, warned that the current systems that constitute the Internet will not be able to cope with the increasing amounts of video and user-generated content being uploaded.

“The surge in online content is at the center of the most dramatic changes affecting the Internet today,” he said. “In three years’ time, 20 typical households will generate more traffic than the entire Internet today.”

Cicconi, who was speaking at the event as part of a wider series of meetings with U.K. government officials, said that at least $55 billion worth of investment was needed in new infrastructure in the next three years in the U.S. alone, with the figure rising to $130 billion to improve the network worldwide. “We are going to be butting up against the physical capacity of the Internet by 2010,” he said.

He claimed that the “unprecedented new wave of broadband traffic” would increase 50-fold by 2015 and that AT&T is investing $19 billion to maintain its network and upgrade its backbone network.

Cicconi added that more demand for high-definition video will put an increasing strain on the Internet infrastructure. “Eight hours of video is loaded onto YouTube every minute. Everything will become HD very soon, and HD is 7 to 10 times more bandwidth-hungry than typical video today. Video will be 80 percent of all traffic by 2010, up from 30 percent today,” he said…