Copyright thuggery: the next move?

Wonder how reliable this report is…

A TOP-SECRET DEAL being ironed out by G8 nations will give the Music and film industry a state-paid force of copyright cops with the same powers of customs officials.

The copyright police can seize your mp3 player or laptop to see if it contains pirated content and can order ISPs to turn over personal data without the need for proof.

G8 members, at the request of those wonderful examples of humanity at the RIAA, are agreeing to turn tax-payer paid customs officers into boot boys for the record and music business.

The Anti-Counterfeiting Trade Agreement (ACTA), will be discussed at the next G8 meeting in Tokyo, in July.

The Ottawa Citizen claims that the moves are part of a package of laws to govern private copying and copyright laws.

When you arrive in the country the copyright police would be given the job of checking laptops, Ipods, phones and other personal devices for content that ‘infringes’ copyright laws.

If you have any ripped CDs or DVDs you could be in deep poo as the customs officials can define on the spot what they think constitutes copyright infringement.

Entropy reduction and its consequences

From Technology Review

In technical terms, a programming error reduced the amount of entropy used to create the cryptographic keys in a piece of code called the OpenSSL library, which is used by programs like the Apache Web server, the SSH remote access program, the IPsec Virtual Private Network (VPN), secure e-mail programs, some software used for anonymously accessing the Internet, and so on.

In plainer language: after a week of analysis, we now know that two changed lines of code have created profound security vulnerabilities in at least four different open-source operating systems, 25 different application programs, and millions of individual computer systems on the Internet. And even though the vulnerability was discovered on May 13 and a patch has been distributed, installing the patch doesn’t repair the damage to the compromised systems. What’s even more alarming is that some computers may be compromised even though they aren’t running the suspect code….
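The two claims in the excerpt above, that installing the patch does not repair keys already generated and that a machine can be affected without ever running the faulty code, shown as an added toy model (not code from OpenSSL or from the article). It assumes the faulty generator's only varying input is a 15-bit integer; the hostnames, keys and helper names are constructed for the example.

```python
import hashlib
import os

WEAK_SEED_BITS = 15  # assumption: size of the only varying input in the faulty build


def derive_key(seed: bytes) -> bytes:
    """Toy deterministic key derivation: same seed in, same key out."""
    return hashlib.sha256(b"toy-keygen|" + seed).digest()


def weak_keygen(seed_value: int) -> bytes:
    """Faulty generator: the entropy pool has collapsed to one small integer."""
    return derive_key(seed_value.to_bytes(2, "big"))


def patched_keygen() -> bytes:
    """Fixed generator: 256 bits from the operating system's CSPRNG."""
    return derive_key(os.urandom(32))


def fingerprint(key: bytes) -> str:
    return hashlib.sha256(key).hexdigest()


def build_blocklist() -> set:
    """Fingerprints of every key the faulty build could ever have produced."""
    return {fingerprint(weak_keygen(s)) for s in range(2 ** WEAK_SEED_BITS)}


def audit(deployed: dict, blocklist: set) -> list:
    """Return the hosts whose key must be regenerated and the old one revoked."""
    return sorted(h for h, k in deployed.items() if fingerprint(k) in blocklist)


# Constructed inventory: hostnames and keys are made up for this example.
DEPLOYED = {
    "web01": weak_keygen(4242),     # generated before the patch
    "vpn01": weak_keygen(17),       # generated before the patch, host since patched
    "mail01": patched_keygen(),     # generated after the patch
    "backup01": weak_keygen(4242),  # key copied from web01; never ran the faulty code
}

if __name__ == "__main__":
    blocklist = build_blocklist()
    print(len(blocklist), "possible weak keys")
    print("regenerate:", audit(DEPLOYED, blocklist))
```

Auditing by key fingerprint rather than by installed package version is what catches `vpn01` and `backup01`, which a patch-level check would report as clean.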

Two machines are better than one

This morning’s Observer column

If you’ve signed up for a new web service recently, you may have noticed that a final stage of the enrolment process presents you with an indistinct image of a number of letters and numbers, often in a wavy line, and sometimes displayed against a confusing background. You are asked to identify the sequence and type it accurately into a text box. You have just encountered a Captcha…

AT&T: Internet to hit full capacity by 2010

From ZDNet

U.S. telecommunications giant AT&T has claimed that, without investment, the Internet’s current network architecture will reach the limits of its capacity by 2010.

Speaking at a Westminster eForum on Web 2.0 this week in London, Jim Cicconi, vice president of legislative affairs for AT&T, warned that the current systems that constitute the Internet will not be able to cope with the increasing amounts of video and user-generated content being uploaded.

“The surge in online content is at the center of the most dramatic changes affecting the Internet today,” he said. “In three years’ time, 20 typical households will generate more traffic than the entire Internet today.”

Cicconi, who was speaking at the event as part of a wider series of meetings with U.K. government officials, said that at least $55 billion worth of investment was needed in new infrastructure in the next three years in the U.S. alone, with the figure rising to $130 billion to improve the network worldwide. “We are going to be butting up against the physical capacity of the Internet by 2010,” he said.

He claimed that the “unprecedented new wave of broadband traffic” would increase 50-fold by 2015 and that AT&T is investing $19 billion to maintain its network and upgrade its backbone network.

Cicconi added that more demand for high-definition video will put an increasing strain on the Internet infrastructure. “Eight hours of video is loaded onto YouTube every minute. Everything will become HD very soon, and HD is 7 to 10 times more bandwidth-hungry than typical video today. Video will be 80 percent of all traffic by 2010, up from 30 percent today,” he said…

Security mania targets amateur snappers

Extraordinary story on BBC News Magazine.

Misplaced fears about terror, privacy and child protection are preventing amateur photographers from enjoying their hobby, say campaigners.

Phil Smith thought ex-EastEnder Letitia Dean turning on the Christmas lights in Ipswich would make a good snap for his collection.

The 49-year-old started by firing off a few shots of the warm-up act on stage. But before the main attraction showed up, Mr Smith was challenged by a police officer who asked if he had a licence for the camera.

After explaining he didn’t need one, he was taken down a side-street for a formal “stop and search”, then asked to delete the photos and ordered not to take any more. So he slunk home with his camera…

This is ludicrous. It’s also unlawful.

“If you are a normal person going about your business and you see something you want to take a picture of, then you are fine unless you’re taking a picture of something inherently private,” says Hanna Basha, partner at solicitors Carter-Ruck. “But if it’s the London Marathon or something, you’re fine.”

There are also restrictions around some public buildings, like those involved in national defence.

But other than that, you’re free to click.

There’s some very helpful advice in the comments on this post:

Take some photos of the police who are trying to stop you taking photos. Then tell them you are within your rights to do so and you will not delete them and if they arrest you then you will pursue a case of wrongful arrest. They really hate that.

Thanks to James Miller for spotting it.

City council spies on family using RIPA

One of the things that astonished me in 1999 when I was campaigning against the Regulation of Investigatory Powers Bill was the way it would grant sweeping powers of surveillance not just to genuine security authorities, but effectively to every jobsworth in the country. And lo! so it has proved. Here’s a fascinating Telegraph report on the latest abuse.

A council has used powers intended for anti-terrorism surveillance to spy on a family who were wrongly accused of lying on a school application form.

For two weeks the middle-class family was followed by council officials who wanted to establish whether they had given a false address within the catchment area of an oversubscribed school to secure a place for their three-year-old.

The “spies” made copious notes on the movements of the mother and her three children, who they referred to as “targets” as they were trailed on school runs. The snoopers even watched the family home at night to establish where they were sleeping.

In fact, the 39-year-old mother – who described the snooping as “a grotesque invasion of privacy” – had held lengthy discussions with the council, which assured her that her school application was totally in order.

Poole borough council disclosed that it had legitimately used the Regulation of Investigatory Powers Act (RIPA) to spy on the family.

Ludicrously, the Council is correct. See here for a pdf of some of the snoopers’ logs.

Cyber risk ‘equals 9/11 impact’

There’s something very comforting when someone in authority starts to say what one has been saying for a while. This from BBC NEWS today…

The US homeland security chief has made a heartfelt plea to Silicon Valley workers to stand up and be counted in the fight to secure the cyber highway.

Michael Chertoff invoked the attacks of 9/11 as he sought to galvanise IT professionals and security experts.

He told the world’s biggest IT security conference that serious threats to cyberspace are on “a par this country tragically experienced on 9/11”.

Gesture politics

The disintegration of the Brown government is almost painful to watch. Here’s the latest example of the replacement of policy by well-intentioned but fatuous gestures:

LONDON (AP) — The British government wants to ban convicted pedophiles from using social networking Web sites such as Facebook, the Home Office said Friday.

The plan involves forcing sex offenders to give any e-mail address they use to police, who will then ask the Web sites to block their access, Home Secretary Jacqui Smith said.

Smith said the proposal is aimed at sending out the message that the Internet is “not a no-go area when it comes to law enforcement.”

“We are changing the law … so that we have got better control over the way in which child sex offenders are able to use the Internet,” Smith said on GMTV.

The government wants to prevent pedophiles from using social networking Web sites to groom children to be sexual abuse victims, according to the Home Office.

Under the proposed legislation, it would be a crime punishable by up to five years in prison for a convicted child sex offender to use an e-mail address that has not been registered with police, a Home Office spokesman said on condition of anonymity in line with government policy.

However, the report goes on to say that “the government acknowledges it has yet to work out the details of how the plan would work.”

Yep. That’s the Broonies for you.

The legality of Phorm

From BBC NEWS

Technical analysis of the Phorm online advertising system has reinforced an expert’s view that it is “illegal”.

The analysis was done by Dr Richard Clayton, a computer security researcher at the University of Cambridge.

What Dr Clayton learned while quizzing Phorm about its system only convinced him that it breaks laws designed to limit unwarranted interception of data…

Richard says, in part:

Phorm assumes that their system “anonymises” and therefore cannot possibly do anyone any harm; they assume that their processing is generic and so it cannot be interception; they assume that their business processes gives them the right to impersonate trusted websites and add tracking cookies under an assumed name; and they assume that if only people understood all the technical details they’d be happy.

Well now’s your chance to see all these technical details for yourself — I have, and I’m still not happy at all.

More here on the BT spokeswoman’s attempt to defend on TV the company’s covert experiment with Phorm.

So did BT break the law?

From The Register

BT secretly intercepted and profiled the web browsing of 18,000 of its broadband customers in 2006 using advertising technology provided by 121Media, the alleged spyware company that changed its name to Phorm last year.

BT Retail ran the “stealth” pilot without customer consent between 23 September and 6 October 2006. The technology was approved, pending a further trial*.

Documents seen by The Register show that the companies used the secret profiles to target advertising at broadband customers when they visited certain popular websites.

Phorm had purchased commercial space on these websites, although their URLs are not included in the documents. The groups targeted included people interested in finance (for an Egg credit card campaign), weight loss (a Weight Watchers campaign), and jobs (a Monster.com campaign).

The technical report drawn up by BT in the wake of the 2006 trial states: “The validation was made within BT’s live broadband environment and involved a user base of approximately 18,000 customers, with a maximum of 10,000 online concurrently.

“The customers who participated in the trial were not made aware of this fact as one of the aims of the validation was not to affect their experience.”

The cant implicit in that last sentence is breathtaking. But the more important question is whether BT has committed a criminal offence. Effectively all 18,000 test subjects were ‘opted-in’ without their knowledge.

BT has not answered The Register’s question, posed on Friday morning, over whether it believes intercepting and profiling the web traffic of 18,000 customers without telling them was a lawful act.

BT also refused to reveal where in the national broadband network the thousands of guinea pigs were sourced from.

One senior source in the broadband industry we spoke to was appalled by BT’s actions. “This is extremely serious,” he said. “Data protection errors are generally viewed as a potentially bad thing by the industry, but not a real threat to an ISP’s reputation. This seems like a breach of criminal law, which is much, much worse.”

Meanwhile, Don Foster, the Liberal Democrat shadow secretary of state for culture, media and sport, has written to the chairman of BT asking him to explain his firm’s secret trial of Phorm’s advertising technology last summer. And William Hague, the Conservatives’ shadow foreign secretary, has written to the Department for Business, Employment and Regulatory Reform, voicing constituents’ opposition to the deals signed by BT, Virgin Media and Carphone Warehouse to spy on the web browsing of millions. It’ll be interesting to see what happens next.

If you’re thinking of signing up to a new ISP, you know which ones to avoid.