Posts by Ben Tasker 2250 publicly visible posts • joined 23 Oct 2007
> Are they a real body, or a bunch of busybodies ?
Both.
They're also pretty bloody incompetent. At one point I believe the IWF list (which, remember you have to strictly control access to because it's a list of illegal content) was just a text file. Not an authenticated API, or a set of hashes (so you could hash the requested URL/domain and compare), just a lousy plain text file.
That's the point XerxesPST is trying to make, those clients will not use your PiHole.
If for example, your laptop's OS sends queries to your PiHole (with the DNS server address either hard set or acquired via DHCP), but you then install Firefox with TRR (their name for DoH) turned on, DNS lookups from Firefox will not be passed off to the OS, but instead placed via DoH to the DoH server configured in Firefox (so, by default, Cloudflare - depending what region you're in).
With trr.mode 2, if that query fails (including NXDOMAIN) the query will the be passed off to your OS and sent onto the OS configured DNS server - so you'll still be able to access local shit in Firefox.
The way I addressed this was to set up my own publicly accessible (but authenticated) DoH server. So I've got always on pihole when out and about (for latencies sake used split-horizon DNS so that when I'm at home the queries hit a server on my LAN rather than having to go out over the WAN).
So I've configured Firefox and other DoH supporting applications to use my DoH server - with a DoH stub running at OS level to catch everything else. More or less the same on Android (using Jigsaw's intra to intercept normal DNS).
I could equally have just run the box at home and proxied 443 with the relevant name through, but I'm not short of infra anyway.
You're using too narrow a definition of Authoritarian states there really, in that you seem to be talking about China levels of state control.
There are countries within the Western World that fall (in the minds of some) into the target audience for DoH. Our sceptred Isle is one of those.
Just as people spin up Tor bridges on AWS (accessible via meek to help get via the firewall), it's fairly likely that DoH servers will also get spun up there too. Even China haven't yet gone so far as to outright block AWS, and the gamble being made is that that'll remain the case. Seems like a fairly safe bet for me, even with China, much less countries like the UK.
There will be lots and lots of noise made in the process, of course, but for many countries it's not as simple as saying "do it our way, or else". If it were we'd no longer be arguing about whether Spooks should be able to backdoor encryption or not
Nice.
Funnily enough, part of the reason this article caught my eye was because I was sorting through some stuff the other day and stumbled (back) across one of my articles from not-quite-as-far-back as that post complaining about the IWF and their haphazard approach to.. well, everything.
It's been more than a decade, and people are still trying to do the same stupid shit...
> It doesn't look to me the Great Firewalls would have issue to block a few big providers addresses.
As I understand it, Cloudflare's DoH service runs on every single one of their delivery appliances.
Client implementations vary, but Firefox's TRR functionality allows you to pre-load an IP for the DNS server name to resolve to so that you can skip looking up the name at startup.
At which point, with a properly set value, your great firewall is left with a choice of blocking all of Cloudflare (which might get political rather quickly), or accepting it will get through.
Google runs their service in most (if not all) PoPs too.
It's also pretty trivial to set up your own DoH server on the net, especially as - straight off the bat - you don't have to worry about being used for things like reflection attacks (there is other stuff you have to think about though), so it may well be new servers/services spring up quite widely. Whether they'll all be trustworthy is something else.
I run my own, using a location and provider I trust to host the system. It's a lot easier for me to move hosting provider than it is ISP or Government.
Until fairly recently, I preferred DoT and viewed DoH as being a side effect of the lack of uptake of DoT, but I've since changed my mind - in part because of DNS leakage happening at the OS level because my phone's OEM tried to be "clever" with their memory management. The result was an important component got evicted from memory, but the notification icon remained in place (as if it were running). Having applications handle name resolution at their level isn't such a bad safety net after all...
> And I'd have thought the authorities would have some pretty good web crawler technology, so they can find all this stuff by themselves? Also, the DNS part only gets you the server, not the URL, so unless the site has an obvious name like dodgy-images.com how are they discerning content from DNS lookups?
So, to answer your question, this is how the system works (or at least used to). This is based on BT's Cleanfeed, which was the original implementation (and the one first misused to block torrents as well as child abuse material).
Lets assume example.com/fine is legal and above board but example.com/secret contains illegal content.
- You try to visit example.com
- Your browser does a DNS lookup for example.com, which is intercepted by your ISPs DNS servers
- The ISP uses the IWFs list, and finds example.com on there
- They return you A record 1.2.3.4
- Your browser connects to 1.2.3.4 which is a proxy run by your ISP, it accepts your request and checks the path against the IWF list
- If you were requesting /nice, your request is just proxied through to the true origin
- If you were requesting /secret your request is dropped, alarm bells rung etc
A few years back (fuck... 11 years back, it was 2008), this setup led to all UK users being blocked from editing Wikipedia. The reason was they were all originating from an IWF filter box because the IWF had decided that an album cover was "potentially" illegal. It's an old post, but I've got examples of other IWF fuckups on this page.
Things are obviously a bit harder nowadays, because HTTPS adoption has increased significantly. I can only assume they handle it the way they handle things like The Pirate Bay which is to block the entire domain (because they can't provide a valid cert for the domain and therefore can't see the paths being accessed). With things like Torrent sites, they appear to use DPI to check SNI too, in an attempt to try and catch users that aren't using their ISPs DNS servers.
Some ISPs, by the way, intercept UDP packets destined for 8.8.8.8 port 53 (and others) and redirect them to their own DNS servers, so simply configuring to use another DNS server isn't sufficient.
> The domain is sent in the clear to the name server (as the article suggests) but any and all communication between you and the website is either clear under http or encrypted under https, depending on which is in use.
>
> Your ISP can see you are visiting www.example.com because of the DNS query.
>
> It can't see that you are visiting www.example.com/foo/bar/dodgyimages/01.jpeg if https is in use because that query is sent to www.example.com's servers in encrypted form.
That's *almost* correct.
The query is sent to the nameserver in the clear, so they can see it there, yes. But, when you connect out to the server for www.example.com, your SSL Client Hello will include "www.example.com" in the clear as part of the Server Name Indication (SNI) extension - basically so the server knows which cert to serve you.
If you're using < TLS 1.3, the servers cert will come back unencrypted, so names can also be extracted from there.
Encrypted SNI is coming (and cloudflare already have an implementation), but as a rule, the name can come from there.
> It can't see that you are visiting www.example.com/foo/bar/dodgyimages/01.jpeg if https is in use because that query is sent to www.example.com's servers in encrypted form.
This bit is correct, although there are some situations where it might not be. The main one being where the browser warns you about mixed content, and you choose to allow that content.
At which point, your browser will send out plain HTTP request to fetch whatever content it is you've just allowed, and your ISP will be able to see the referrer headers on that (assuming any are sent - depends on browser config and/or the referrer-policy header on the original site) which will give the full URL of the page you're using. I wrote a PoC script a little while back that essentially does this with PCAPs, to demo how easily you could extract what subreddits various reddit users on your network sub too.
> So i dont see how dns over https (tls surely??)
no, HTTPS.
DNS over TLS (DoT) is a different protocol. DNS over HTTPS is literally what it sounds like - if effect an API call placed to a HTTPS server (what you're actually doing is plonking the wireline DNS packet into a HTTP POST request).
> I set FF privacy blocking to "strict" by default, which blocks (what Firefox thinks are) trackers and 3P cookies and it breaks a fair number of sites.
Something amusing happened to me earlier.
I was clicking through a few sites earlier looking for domains to add to my adlists, and hit a few sites that are known to through up weird and wonderful shit.
3 of those are sites that are owned by the Daily Mail group - though the third one I hadn't initially realised was.
Now, I don't know if you know how EFF's Privacy Badger works, but basically it watches your requests and keeps track of calls for third party resources. If it seems the same third party being referenced by completely different domains it decides there's a good chance it's a tracker.
So, it seems that the Mail's lot have referenced mailonline content from some of their other sites (like Metro). Privacy Badger has now decided that dailymail.co.uk should be blocked, and I'm not inclined to tell it otherwise.
The reason I posted this little anecdote, is partly because it amused me, but also because I wonder whether Firefox is going to fall into similar traps (as I assume they're using similar logic under the hood, I've not looked).
So, 123-Reg did it too?
My registrar in this case is Heart Internet - thought that's basically the same company as 123 Reg, in the sense that they were both part of HEG, and are now both owned by GoDaddy.
I wonder if all the various GoDaddy ofshoots gave their customers the same "offer"?
My registrar "gifted" me bentasker.uk for a year (or perhaps it was 2) when they first launched, because I've got bentasker.co.uk.
Looking in the control panel now it's £8 a year to renew. Which isn't a lot of money, but it is money that shouldn't need to be spent on a domain that might come in conflict with my "proper" domain and only exists because Nominet are a bunch of self-interested money grubbing $#!?'s that seem determined to replicate the worst aspects of ICAAN.
.co.uk hit the 10 million milestone back in 2012, so if you assume about 1/4 of those were "gifted" the .uk and now auto-renew at £8/year that's an additional £20 million quid being paid out, every year, for no good reason.
Just like ICAAN with the gTLD's, the entire offering depends on fear of the new domain coming into conflict with the established one. And, to be honest, it's no real surprise seeing such a low approach coming out of Nominet - remember they were also the ones who turned off people's WHOIS privacy without advance notice based on a very spurious assessment that those sites were commercial, simply because they were carrying ads.
The theory in the US is that the Government can prevent speech (with a gagging order/National Security Order), but can't force speech.
So, it can stop you saying "We've been ordered to hand over some data", but can't stop you from not continuing to say "We've never been ordered to hand over some data".
There was an analysis a while back, though, which suggested that in the US it was perhaps questionable whether a canary could actually be removed. In the UK, it was fairly solidly agreed that canaries are useless because the Government orders you to avoid disclosure entirely, and removing your canary would be a breach of that that the courts wouldn't look too lightly upon.
So yeah, at the business level, the value of a canary is fairly questionable. And to be honest, I suspect if they were/are legally valid in the US, we'd have seen some legislation designed to cripple them.
At the individual level, they're even more laughable. Even if they're legally sound, you're then talking about an individual funding their defence against the Government, potentially spending some time in custody while the case gets resolved, and having to deal with appeals all the way up the chain. Many people talk a good game, but you'd have to be extraordinarily dedicated to your cause to go through all that.
> I personally won't be using them as I don't feel I can trust that company because of the Government control, and I would really strongly suggest none of you do either.
So you don't use Cisco or Juniper either, given the US has exactly the same sort of law as the Chinese one they're complaining about? The main difference is the US Govt is *known* to have sent things like NSLs.
Actually, probably shouldn't buy from home either, as the UK govt has also enacted the same powers under the IPA.
That goes for the economic espionage side of things too, although we've heard much less about that (I suspect, so far).
What the whole Huawei "scandal" stinks of is a country identifying an economic competitor that not only has the early mover advantage, but is also locked in a trade-war with that other country. Note how it seems to be US politicians making the noise, and we're hearing very little actual intelligence.
> The finding of several lines of server mainboards with camouflaged spy chips embedded
You seem to have missed the latter half of the story where the companies that were supposedly targeted (Apple, Dell, HP etc) very very publicly denied the story. Now, they could have been compelled to do so, but given the story was something of a stretch from the outset, it seems more likely it was part of a misinformation campaign that "just" happened to happen in the middle of a trade-spat.
The concerns about government access are very real, but they apply to kit from the US and UK just as much as from China. The difference is that pretty much everyone who'll see your post is in reach of the US and UK Governments, but not in reach of Beijing. I know which I'd be more concerned about.
If you read the thread, it wasn't the python script per-se that DO decided was malicious, but their workflow itself.
To run that python script they spin up ~10 new instances to run 10 copies of the script in parallel, and then once it's done the instances are killed.
DO decided that was unusual and locked out the account, asking for more information on their workflow to re-enable: Screenshot.
Which, in some ways, is actually worse than "we thought your python script looked dodgy".
One of the commonly touted "benefits" of cloud is that you can spin stuff up when you need it, and then kill it once the task is done. Which is exactly what they seem to have tried to do here, except that DO decided that was suspicious...
What I find worse, though, is DO's approach to it. I can just about buy that it's a change in behaviour, and might be suspicious. But, why in the name of all that's holy, would you lock a customer's entire account out because you don't recognise the use-case? Maybe at a stretch, kill the instances that are acting suspiciously, perhaps prevent creation of new instances, but don't fuck with existing instances that aren't exhibiting the behaviour you're concerned about.
That's not a customer service fail, that's an Ops fail. Do not fuck with production, especially other people's production.
I run some stuff on DO, but I do also have provider redundancy in place with automatic failover. I think I'm going to need to double-check that that's working as intended, and maybe move away from DO completely depending on what their post-mortem says once it's posted
> Your local browser can cache content that you have looked at, but an ISP for example would be unable to cache content that multiple customers are accessing
Except, most ISPs partner with and host the boxes of various large CDNs.
So, as long as the content you're accessing is served via one of those CDNs, you're still going to get served from an on-net device rather than having to hit a peering point.
And for "large CDNs" above you can substitute in the following names as a minimum
- Akamai
- Edgecast
- Netflix
- Cloudflare
Most have quite a few others too.
On-net caching is still very much a thing, what's changed (and this is pretty crucial) is that this model means the ISPs get the caching benefit, but none of the access to what your doing (preventing them from injecting ads, or profiling your viewing habits), because the boxes are controlled by the CDN providers and the ISPs just provide the connectivity
They're attempting to weasel around the terminology a bit.
What they're asking for isn't *technically* breaking the encryption. They want the ability to insert an unauthorised (by the victim... sorry, target) user into a conversation so that the software on the devices of the parties encrypts a second copy of the message using the public key of the eavesdropper and sends it on to them.
No encryption has been broken there. So technically they're not breaking encryption and (they hope) can wave away such foolish things as maths which might be used to argue against them.
But, at the same time they're completely ignoring the issues with that:
- I'd not use any application which had the ability to do that.
- You need the end-users device to "know" about (but not display) the ghost user, so that it knows to encrypt for the peeler. Which means someone will figure out a way to detect the presence of the eavesdropper
- The people they claim to care about catching will move onto a technology that isn't affected whilst we all get digitally raped by the rampant privacy abuse of our Government and it's organs
- Eventually, it'll leak just how much the ability was misused, the industry will refuse to co-operate and we'll be back where we are now, having fucked up a lot of lives along the way
They *are* though, going to keep pushing until they get what they want. They don't need 100% coverage, just to take a few big scalps so that most of the population are using at least one affected app.
That's exactly the route I went, though I set it up for DNS-over-HTTPS rather than running an open UDP resolver.
Means my mobile devices get ad blocking at the DNS level wherever they go as well as a modicum of privacy in the sense that no bugger on the local network can view (or change) my DNS lookups
> Why do the US telcos even have GPS data from user?
Technically it's A-GPS data (i.e. it doesn't just involve using GPS on your phone, but looks at nearby wifi SSIDs etc) rather than straight GPS.
That data gets sent to the carriers (by the firmware they load on the phone) to help locate you when you make an emergency call. As I understand it, they effectively ping your phone to have it return the data, rather than it constantly streaming that info to them (basically, there's an API at the phone company that emergency operators would make a request against to request your position).
The various radio chips (GPS, wifi, bluetooth etc) all pass through the baseband processor, so there's still the capability even if you flash your device with a vanilla OS.
> Does this also happen in Europe?
Yes. BT has worked long and hard on a solution for accurately locating people that have made an emergency call - https://www.networkworld.com/article/3088349/did-europe-just-fix-emergency-cellular-call-location.html
> It remains fundamentally the best and only realistic choice for the progress of humanity.
Ah, but not pure Capitalism. Capitalism suffers from weaknesses just as Communism or Socialism does. The US is an excellent example of what happens at the personal level when Capitalism isn't sufficient diluted, you find that people start dying because they can't afford healthcare.
Capitalism just like Communism and Socialism requires restraint to reduce the impact of human traits like greed and narcissism.
So what you actually want is a mix of Capitalism and Socialism, with robust controls on the market.
It's still not perfect, but it works far better than the approach that the US seems to favour.
> If they feel it's important to protect it for the future, then they could buy it
In the context of a bunch of countries that were pissed off with the US anyway, why the fuck would they want to put money into the coffers of a US organisation (ICANN) to buy a name that (in their view) shouldn't be up for grabs anyway?
Don't forget the beginning of this entire story isn't Brazil and co objection to .amazon. It's ICANN making a money grab and launching gTLDs.
I'm not saying they took the best route, just that the argument "they could just pay for it" is facile and ignores quite a few reasons why they may not be willing to do so.
Yes, there's something distinctly scary about the idea that the current shower could get to redefine Treason.
Half of them are incompetent so will probably bungle it and make the definition overly broad, whilst the other half appear to be more towards the fascist end of the scale, so will also make it overly broad.
And then they get the power to kick out "overly-sympathetic" jurors...
He's also resolutely failed to learn from existing industry.
Like his attempt to increase automation. The existing motor industry learnt about that the hard way quite some time back, which is why they don't do that. Sounds good on paper, doesn't work in practice and all that.
The problem is, the appetite of the censor tends to expand. By implementing the initial censorship you've also made the technology available for broader censorship.
The system you're referring to for filtering underage images - CleanFeed - is an absolutely prime example of this. It started as a system for filtering out child abuse material - an aim that I think we'd all agree with. Then, a court ordered BT to use that system to block access to Newzbin 2 (a torrent site).
So, Cleanfeed's purpose got perverted from it's original aim. Not even by a vote happy politician, but by the judiciary.
If you allow censorship then you also need to have extremely stringent laws governing *exactly* what can be censored. Otherwise, new things get tabbed on, and you reach the point we're at now where the Govt is threatening to censor porn sites if they don't comply with measures that will fuck over every visitors privacy.
The things we agree with having censored have a very nasty habit of turning out to be the thin end of the wedge. They're used to gain sufficient acceptance to get a system in place, and then slightly more controversial stuff is filtered until it becomes normalised.
Personally, I think it's important that technology stays ahead of the censors. Even if you trust the current Government, who knows what tomorrow's Government will be like? Or the one after that? At what point do you decide to draw the line? And what are the chances that when you reach that point it's actually too late to change anything?
What this means to me is that the attacker doesn't have the code and there's no threat of them going over the source code for sensitive data or of making the code public.
His conclusion doesn't actually follow on.
The fact they've simply munged head means he hasn't lost data (despite their attempt to make it look otherwise).
But, that has no bearing on whether they have or haven't walked off with a copy of the codebase. Assuming it was the client they compromised, it'd be fairly trivial for them to have a push actually
- push to their servers, with those servers dynamically creating a reponto house it in
- munge head
- Do a force fast-forward push to the original origin to push the munged head
- Remove references to their server
I'm not saying that has happened. But nothing mentioned in the article is evidence enough to conclude they don't have the code
It is more likely though that those affected have had their credentials to the various hosting services leaked.
I can live with people writing 20mbps as it's fairly obvious what their intention is. Unfortunately when they start capitalising, you start getting 20MBps (wow, 160 Mbps....) instead so then have to spend time clarifying what they mean (sometimes they do actually mean MBps because they tested with wget which reports MBps instead of Mbps)
> The main issue is that the law in China states that a company MUST give the state any and all information when requested
The US has exactly the same, along with gag orders to prevent those companies from telling anyone that they've received a National Security Letter.
The US has also been caught intercepting outgoing Cisco kit and tampering with it.
China, of course, had that Supermicro tampering scandal that turned out to very likely not be true, but inflicted some economic damage all the same.
If any government or organisation is simply trusting the network with their information rather than encrypting in flight, then they are the problem, not the supplier of that network infrastructure.
And all this is before you try and answer the question of exactly how the 5G kit could be exploited to China's advantage. We are, after all, still locking Huawei out of our sensitive and critical infrastruture, so we're essentially talking about 5G comms only.
They could, conceivably, deny 5G service. But attempts to exfiltrate intercepted comms are likely to be picked up on quite quickly, even if they were to risk doing some 'local' processing first (at which point the Telco's would start asking why the power bill has suddenly shot up for their 5G kit).
Even then though, the management side of this kit should be deployed in a hardened private network, if it isn't then there are competence questions to ask of the Telco themself.
Concerns about whether a company could be leant on by their government are valid, but they apply to all foreign companies. Particularly those who's governments have been caught in the past (i.e. the US).
If you ask me, the timing of all of this, when the US is fighting a trade-war with China, and is also arguably behind China in terms of developing and selling 5G kit is far more suspicious than the kit itself. Particularly given that the people who seem to make the most noise about this are the technically inept politicians, whilst those qualified *and in a position* to assess it seem to be signing off on use of the kit. It looks like FUD, smells like FUD and sounds like FUD.
> must have noticed that onion addresses aren't very helpful either
Completely off-topic, but...
They can actually be quite helpful on sites that are dual-homed onto both the darknet and the WWW though. At least when combined with an Alt-Svc header so that the user's browser makes its next request to https://abcdefghijk.onion but with SNI name and host header www.myoriginalsite.com and shows https://www.myoriginalsite.com in the address bar.
That way you get the benefits of Tor, without
a) consuming any exit node bandwidth
b) your users having to know you've got an onion, remember/record the address and go to that instead
Not that any of that really helps with discoverability of stuff that isn't on the WWW, and wouldn't help if you don't want to buy www.myoriginalsite.com anymore because of price hikes
That's really not a good indicator to go on. El Reg is served via a CDN (in this case Cloudflare), so you've a few issues there:
- If you're in the US, you should get a US located server
- If you're in India, you'll get an Indian server
- Cloudflare's IPs often geolocate to the US anyway, so that Indian server may still show a US flag
So instead, Google are proposing we all be at risk, all the time (and conveniently maintain their revenue stream).
Malicious extensions do pose a risk. But it's likely a much, much smaller cross section of users who are likely to install those than those who encounter ads and/or trackers - which is basically everyone.
It's also not a leak they're addressing. Extensions with permission to use that API can quite rightly access the data. The API is not leaking that data to extensions without the requisite permissions, nor to sites. The concern is that malicious extensions may use this permission to gather data. What will be a leak is if they get rid of this API and we can no longer effectively block ads and trackers
> I expect to still be able to read the articles on my favourite gentleman's sites on July 15th without need for workarounds.
Unlikely.
It's not the ISPs who'll be implementing this but the sites themselves. Your ISP may not implement blocks against non-compliant sites (though those won't be coming for quite some time), but if the site identifies you as being in the UK, you'll be asked to but your name to your.... uh... viewings.
The first 6 months or so are going to be prime hunting for scammers, putting fake "verify your age" systems onto honeytrap sites.
Wasn't there an american (Pompeo probably) in the news recently saying that if we used Huawei products on our phone network that could prevent them sharing information with us, because the data might need to encrypt those to reach GCHQ's/Government networks.
Because, you know, I'm sure the NSA and GCHQ just send all their data unencrypted over the internet routinely.
I'm fairly convinced the septics are running a misinformation campaign to help ensure that 5G kit is sourced in such a way that tax becomes due in the Land O' the free.
> We all know that the USA wants to lock Assange up for as long as possible to frighten anyone else who is thinking if lifting the lid on unsavory actions done by (or on behalf of) the USA.
Yes, that's why they've alleged he's committed an offence with a maximum term of 5 years... to send a message and scare people off.
I don't doubt that the peculiar US brand of justice could find a way to extend that, but opening with a 5 year threat is hardly message sending.
> However why did he break bail and refuse to answer the Swedish charges? They would not have extradited him to USA on a dubious charge
Well... here's the interesting point. Assange and his followers claimed that the Swedish charges were a pretext to get him back there so Sweden could then extradite him on, despite it actually being easier to extradite to the US from the UK.
So, if their claims were true, you'd expect that Assange's EAW would get re-instated and he'd get shipped to Sweden, only for the US to then ask for him.
Except, instead they've asked us directly - taking the easier route.
If you think about it, the whole "trumped up Swedish charges to get him to the US" is a conspiracy that involves the US deliberately making it harder for them to lay hands on Assange, in order to lay hands on him.
It was always bollocks. But in the ensuing time, he's helped a hardline administration get into power and they do want him
> In case you hadn't noticed, when he skipped bail the bail was from a warrant for extradition to Sweden
In fact, the story Assange claim was that the Swedish charges were a pretext to get him to Sweden where he could then be shipped onto the US.
Except, the US have now done exactly what they could have done once he entered the UK, and requested him direct from the UK.
> It was obvious the US would get him sooner or later for outing the Deep State dirty "little" operations.
Or, you know, it was obvious that meddling in the US elections (including taking data from the Russians) when the US may or may not want you is a bit of an imbecilic thing to do.
It's quite possible that the US wouldn't have bothered with him when this all started. But rather than holing up in his cupboard, he had to keep prodding the bear.
I think if you look at what they said about Snowden when they pardon'ed Manning, it gives an idea of the view that'd be taken (although there's been a change to a more hardline administration, that's only going to harshen not weaken the view)
“Chelsea Manning is somebody who went through the military criminal justice process, was exposed to due process, was found guilty, was sentenced for her crimes, and she acknowledged wrongdoing,” he said. “Mr. Snowden fled into the arms of an adversary and has sought refuge in a country that most recently made a concerted effort to undermine confidence in our democracy.”
> Keep in mind that the so-called victims of these sexual assaults never agreed to the arrest and a trail of Assange.
And your point is?
Here in the UK, if you mug someone and they forgive you, they don't get to say to the police "I don't want to press charges". This is real life not TV.
The police work with the Crown Prosecution Service to decide whether bringing the case is in the public interest (in the example, you're a mugger, so they'll likely decide yes).
Guess what, Sweden, like most other countries has a similar system. Once the legal system becomes aware of it, it's in their hands - largely because although a victim may not want to proceed, they have to consider the risk you pose to other people
> My view was that the then current US government would be smart enough to punish him by refusing to stroke his ego by pursuing him. An evolution of that position was that the current bull-in-a-china-shop administration would lack such finesse and that he'd missed his opportunity long ago.
Exactly my take on it too.
The smart thing for the US to do, as soon as he ran to Ecuador's embassy was always to let him make all his noise about the US's conspiracy to get him, and then when he became available, do nothing. He'd perfectly discredit himself by looking like a paranoid lunatic.
But, he's holed himself up for a long time, and in the process supported the election of a new administration who simply aren't that smart (and care more about looking like hardliners).
This is a rod he's made for his own back. There's a very good chance if he'd just faced the Swedish charges he'd be out and free again by now, with the US having show no interest.
Instead, now he's the guy who had to be officially warned to tidy up his cat's litter and to wash himself, and now is being pursued by a nationalistic US administration that he helped put into power.
No, as all I'm aiming to do is skip past the UK ISPs logging.
If they're going to the VM's ISP to check billing details then I'm being targetted and all bets are off. If they've the means to do that, then they can also get that ISP to monitor what IPs connect in.
I use a VPN for privacy, and not for anonymity. The two overlap a little on a venn diagram but are not the same aim and require very different efforts. If you want anonymity then you need to be using a mixer network, along with other measures
Why is this a big deal? VPNPro researchers note that with so much consolidation, users have far less choice than they think, and by hiding the owners of an app the chances of being exposed to surveillance increase dramatically.
This is a big part of why I run my own. It does mean, I don't get the benefit of having my traffic mixed in with that of other users, so it's "just" another endpoint for my traffic (meaning if I were individually targeted, they've still only got to look in one place).
But, it does mean I get my traffic out and past the logs the ISP's have to keep under the ISPA, as well as avoiding any name based filtering or throttling they might also be doing.
I can change the endpoint's IP at the click of a button, move to a new provider in minutes (thanks to ansible playbooks). Not quite as simple and transparent as clicking a button in a provider's app, but not a major headache all the same.
The problem with the VPN services really is transparency. There's so many options, run by a far fewer number of providers, some of whom may or may not be compromised. Ultimately, I'm just trying to avoid the trawling nets that our government is dragging through ISPs - whilst the VPN providers would allow me to do that, it means hopping to an endpoint which is almost certainly attracting a similar type of attention (and may also be keeping logs anyway). Out of the frying pan and into the fire and all that.
In fact, if you look at where Guido tweeted it, there's a lot of people taking responsibility for some of those votes - all British citizens living overseas: https://twitter.com/GuidoFawkes/status/1108680088793636865
So I think my initial instinct was right, Guido Fawkes is talking bollocks.... again
Taking a quick (heavily adblocked) look, they're relying on the JSON exposed on the petitions site.
It breaks down the number of signatures by country. For example, it's claiming 250 sigs from Finland
But, what Guido happily ignores is that British Citizens live across the world, or may be out of country on business.
But, ignoring that:
#!/usr/bin/env python# -*- coding: UTF-8
import json
import urllib2
url='https://petition.parliament.uk/petitions/241584.json'
response = urllib2.urlopen(url)
s=response.read()
p=json.loads(s)
print(p["data"]["attributes"]["signature_count"])
x=0
y={}
for country in p["data"]["attributes"]["signatures_by_country"]:
if country["code"] <> "GB":
x=x+country["signature_count"]
y[country["name"]] = country["signature_count"]
print x
Currently gives:
848031
34333
So that's 34,000 out of nearly 850,000. Ignoring the fact some of those probably are citizens, as well as the fact I've only factored in GB so may well have missed out some British Dependancies (like Gibraltar) who will be just as affected.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
