Memex 1.1

The disintegration of the Brown government is almost painful to watch. here’s the latest example of the replacement of policy by well-intentioned but fatuous gestures:

LONDON (AP) — The British government wants to ban convicted pedophiles from using social networking Web sites such as Facebook, the Home Office said Friday.

The plan involves forcing sex offenders to give any e-mail address they use to police, who will then ask the Web sites to block their access, Home Secretary Jacqui Smith said.

Smith said the proposal is aimed at sending out the message that the Internet is ”not a no-go area when it comes to law enforcement.”

”We are changing the law … so that we have got better control over the way in which child sex offenders are able to use the Internet,” Smith said on GMTV.

The government wants to prevent pedophiles from using social networking Web sites to groom children to be sexual abuse victims, according to the Home Office.

Under the proposed legislation, it would be a crime punishable by up to five years in prison for a convicted child sex offender to use an e-mail address that has not been registered with police, a Home Office spokesman said on condition of anonymity in line with government policy.

However, the report goes on to say that “the government acknowledges it has yet to work out the details of how the plan would work.”

Yep. That’s the Broonies for you.

From BBC NEWS…

Technical analysis of the Phorm online advertising system has reinforced an expert’s view that it is “illegal”.

The analysis was done by Dr Richard Clayton, a computer security researcher at the University of Cambridge.

What Dr Clayton learned while quizzing Phorm about its system only convinced him that it breaks laws designed to limit unwarranted interception of data…

Richard says, in part:

Phorm assumes that their system “anonymises” and therefore cannot possibly do anyone any harm; they assume that their processing is generic and so it cannot be interception; they assume that their business processes gives them the right to impersonate trusted websites and add tracking cookies under an assumed name; and they assume that if only people understood all the technical details they’d be happy.

Well now’s your chance to see all these technical details for yourself — I have, and I’m still not happy at all.

More here on the BT spokeswoman’s attempt to defend on TV the company’s covert experiment with Phorm.

From The Register…

BT secretly intercepted and profiled the web browsing of 18,000 of its broadband customers in 2006 using advertising technology provided by 121Media, the alleged spyware company that changed its name to Phorm last year.

BT Retail ran the “stealth” pilot without customer consent between 23 September and 6 October 2006. The technology was approved, pending a further trial*.

Documents seen by The Register show that the companies used the secret profiles to target advertising at broadband customers when they visited certain popular websites.

Phorm had purchased commercial space on these websites, although their URLs are not included in the documents. The groups targeted included people interested in finance (for an Egg credit card campaign), weight loss (a Weight Watchers campaign), and jobs (a Monster.com campaign).

The technical report drawn up by BT in the wake of the 2006 trial states: “The validation was made within BT’s live broadband environment and involved a user base of approximately 18,000 customers, with a maximum of 10,000 online concurrently.

“The customers who participated in the trial were not made aware of this fact as one of the aims of the validation was not to affect their experience.”

The cant implicit in that last sentence is breathtaking. But the more important question is whether BT has committed a criminal offence. Effectively all 18,000 test subjects were ‘opted-in’ without their knowledge.

BT has not answered The Register’s question, posed on Friday morning, over whether it believes intercepting and profiling the web traffic of 18,000 customers without telling them was a lawful act.

BT also refused to reveal where in the national broadband network the thousands of guinea pigs were sourced from.

One senior source in the broadband industry we spoke to was appalled by BT’s actions. “This is extremely serious,” he said. “Data protection errors are generally viewed as a potentially bad thing by the industry, but not a real threat to an ISP’s reputation. This seems like a breach of criminal law, which is much, much worse.”

Meanwhile, Don Foster, the Liberal Democrat shadow secretary of state for culture, media and sport, has written to the chairman of BT asking him to explain his firm’s secret trial of Phorm’s advertising technology last summer. And William Hague, the Conservative’s shadow foreign secretary, has written to the Department for Business, Employment and Regulatory Reform, voicing constituents’ opposition to the deals signed by BT, Virgin Media and Carphone Warehouse to spy on the web browsing of millions. It’ll be interesting to see what happens next.

If you’re thinking of signing up to a new ISP, you know which ones to avoid.

Intriguing column by Danny Westneat in the Seattle Times

The unsettling thing about living in a surveillance society isn’t just that you’re being watched. It’s that you have no idea.

That’s what struck me about a story told last week by a border agent at a meeting of 200 San Juan Islanders. He was there to explain why the federal government is doing citizenship checks on domestic ferry runs.But near the end, while trying to convince the skeptical audience that the point is to root out terrorists, not fish for wrongdoing among the citizenry, deputy chief Joe Giuliano let loose with a tale straight out of “Dr. Strangelove.”

It turns out the feds have been monitoring Interstate 5 for nuclear “dirty bombs.” They do it with radiation detectors so sensitive it led to the following incident.

“Vehicle goes by at 70 miles per hour,” Giuliano told the crowd. “Agent is in the median, a good 80 feet away from the traffic. Signal went off and identified an isotope [in the passing car].”

The agent raced after the car, pulling it over not far from the monitoring spot (near the Bow-Edison exit, 18 miles south of Bellingham). The agent questioned the driver, then did a cursory search of the car, Giuliano said.

Did he find a nuke?

“Turned out to be a cat with cancer that had undergone a radiological treatment three days earlier,” Giuliano said.

He added: “That’s the type of technology we have that’s going on in the background. You don’t see it. If I hadn’t told you about it, you’d never know it was there.”

Think again. Ed Felten has made an interesting discovery:

Today eight colleagues and I are releasing a significant new research result. We show that disk encryption, the standard approach to protecting sensitive data on laptops, can be defeated by relatively simple methods. We demonstrate our methods by using them to defeat three popular disk encryption products: BitLocker, which comes with Windows Vista; FileVault, which comes with MacOS X; and dm-crypt, which is used with Linux. The research team includes J. Alex Halderman, Seth D. Schoen, Nadia Heninger, William Clarkson, William Paul, Joseph A. Calandrino, Ariel J. Feldman, Jacob Appelbaum, and Edward W. Felten.

Our site has links to the paper, an explanatory video, and other materials.

The root of the problem lies in an unexpected property of today’s DRAM memories. DRAMs are the main memory chips used to store data while the system is running. Virtually everybody, including experts, will tell you that DRAM contents are lost when you turn off the power. But this isn’t so. Our research shows that data in DRAM actually fades out gradually over a period of seconds to minutes, enabling an attacker to read the full contents of memory by cutting power and then rebooting into a malicious operating system.

Interestingly, if you cool the DRAM chips, for example by spraying inverted cans of “canned air” dusting spray on them, the chips will retain their contents for much longer. At these temperatures (around -50 °C) you can remove the chips from the computer and let them sit on the table for ten minutes or more, without appreciable loss of data. Cool the chips in liquid nitrogen (-196 °C) and they hold their state for hours at least, without any power. Just put the chips back into a machine and you can read out their contents.

This is deadly for disk encryption products because they rely on keeping master decryption keys in DRAM…

Bet this won’t stop Gordon Brown & Co confidently asserting that our data are safe in their laptops.

From The Register…

The head of the UK government’s secret electronic spying and codebreaking agency, GCHQ, has said that his organisation’s ability to intercept conversations and messages is seriously undermined by internet-protocol (IP) communications. The digital spook’s comments may come as a blow to British and European politicians who have sworn to eradicate terrorism from the internet.

The revelations came as part of the annual parliamentary oversight report into the doings of the UK intelligence community, which was released today. The report is compiled by the specially-vetted MPs and lords of the Intelligence and Security Committee (ISC), who are allowed to review secret data and grill important mandarins from the shadowier parts of Whitehall…

Just because the government has been shown to be disgracefully casual in its handling of confidential personal data doesn’t mean that the Brown administration is proposing to do anything radical about it. That’s not just an uninformed, cynical take on what’s happening. It’s also the view
of Rosemary Jay, Head of the Information Law team at Pinsent Masons (the law firm that publishes OUT-LAW.COM)

Interesting documents on Wikileaks. Basically, it seems that the Bavarian authorities have been looking for contractors to install Trojans on target machines which run Skype. Slashdot explains:

The first document is a communication by the Ministry of Justice to the prosecutors office, about the cost splitting for Skype interception. The second document presents the offer made by Digitask, the German company secretly developing Skype interception, and holds information on pricing and license model, high-level technology descriptions and other detail. The document is of global importance because Skype is used by tens or hundreds of millions of people daily to communicate voice calls and Skype (owned by Ebay, Inc) promotes these calls as being encrypted and secure. The technology includes interception boxes, key forwarding trojans and anonymous proxies to hide police communications.

Bah! Looks as though those of us who suspected Vladimir Putin of testing cyberwarfare techniques on plucky little Estonia were wrong. At any rate, this ArsTechnica report says that the DDoS attacks were the work of a single disaffected individual.

Last May, the web sites of a number of high-ranking Estonian politicians and businesses were attacked over a period of several weeks. At the time, relations between Russia and Estonia were chillier than usual, due in part to the Estonian government’s plans to move a World War II-era memorial known as the Bronze Soldier (pictured below at its original location) away from the center of the city and into a cemetery. The country’s plan was controversial, and led to protests that were often led by the country’s ethnic Russian minority. When the cyberattacks occurred, Estonia claimed that Russia was either directly or indirectly involved—an allegation that the Russian government denied. Almost a year later, the Russian government appears to have been telling the truth about its involvement (or lack thereof) in the attacks against Estonia. As InfoWorld reports, an Estonian youth has been arrested for the attacks, and current evidence suggests he was acting independently—prosecutors in Estonia have stated they have no other suspects. Because the attacks were botnet-driven and launched from servers all over the globe, however, it’s impossible to state definitively that only a single individual was involved…

Charles Arthur has a rueful post on this too.

Tim Wu has an intriguing piece in Slate Magazine in which he ponders the implications of AT&T’s announcement that it is seriously considering plans to examine all the traffic it carries for potential violations of U.S. intellectual property laws. (A similar idea is about to be foisted on UK ISPs by Gordon Broon & Co.)

“No one knows exactly what AT&T is proposing to build”, he writes. “But if the company means what it says, we’re looking at the beginnings of a private police state. That may sound like hyperbole, but what else do you call a system designed to monitor millions of people’s Internet consumption? That’s not just Orwellian; that’s Orwell.”

That’s just the civil libertarian aspect of the idea. The interesting thing is that the commercial downsides could be catastrophic — for AT&T.

The most serious problems for AT&T may be legal. Since the beginnings of the phone system, carriers have always wanted to avoid liability for what happens on their lines, be it a bank robbery or someone’s divorce. Hence the grand bargain of common carriage: The Bell company carried all conversations equally, and in exchange bore no liability for what people used the phone for. Fair deal.

AT&T’s new strategy reverses that position and exposes it to so much potential liability that adopting it would arguably violate AT&T’s fiduciary duty to its shareholders. Today, in its daily Internet operations, AT&T is shielded by a federal law that provides a powerful immunity to copyright infringement. The Bells know the law well: They wrote and pushed it through Congress in 1998, collectively spending six years and millions of dollars in lobbying fees to make sure there would be no liability for “Transitory Digital Network Communications”—content AT&T carries over the Internet. And that’s why the recording industry sued Napster and Grokster, not AT&T or Verizon, when the great music wars began in the early 2000s.

Here’s the kicker: To maintain that immunity, AT&T must transmit data “without selection of the material by the service provider” and “without modification of its content.” Once AT&T gets in the business of picking and choosing what content travels over its network, while the law is not entirely clear, it runs a serious risk of losing its all-important immunity. An Internet provider voluntarily giving up copyright immunity is like an astronaut on the moon taking off his space suit. As the world’s largest gatekeeper, AT&T would immediately become the world’s largest target for copyright infringement lawsuits….

Tim Wu is a great commentator on this stuff, and this is an especially good piece.