Re: A Step in the Right Direction
I share your pessimism but I sense we have an opportunity to get the right arguments a fair hearing for the next few months at least. I've just got my campaign started. I look forward to yours...
130 posts • joined 2 May 2007
With David Anderson's report, we finally look like we may be moving in the right direction.
However, prior authorisation by his proposed new judicial body, while useful and often necessary, is certainly not sufficient and occasionally impractical.
What is absolutely vital is complete and routine data-capture (to an immutable audit trail) of the entire surveillance decision-making process and subsequent implementation. This will allow us to rewind whatever they did, after the event, to see whether what they did was necessary and proportionate. Personally I would prefer that data to be available on demand to what we might call a Public Auditing Jury. This would render the process democratic, but I would accept his new judicial body as an interim compromise.
The most important point is that it's usually not what they do or who authorises an operation which matters. There will always be occasions in the field where actions are necessary prior to the possibility of consultation and authorisation. What matters is that everything they do is recorded, so we can review what was done in our name. Any material activity not found to be recorded on the Audit Trail would be an automatic criminal offence, as would any attempt to prevent access to the audit trail by the oversight body (be that Jury or Judges).
Hilarious. If we didn't have 10/10 cloud cover I bet we'd see the red glow of humiliated embarrassment from this side of the Atlantic.
Remind me. Why would CENTCOM have a Twitter feed? Would there be any connection with PR motives?
Beautiful. Makes 2015 already a good year...
Well, good, if we can pretend, for a while, that we haven't already lost over 2,500 souls to the sociopathic killers who sponsored this attack...
Assuming the facts are as reported, any half decent prosecutor could make a strong case in the European Courts (probably also the UK Courts) that what the government has done amounts to "abuse of process" and would thus nullify their attempt at bypassing the EU legislation. If there are any concerned copyright holders with sufficiently deep pockets, you might want to consider funding such a prosecution...
Thanks David, I'll give it a try...
Fully agree. And your justifiable rant reminds me of the question I've been meaning to put to anyone more experienced with the windoze environment than I am.
Is it not possible to create either a registry setting or registry checker or firewall setting (etc etc) which simply and automatically blocks any attempt at installing not just Chrome but ANYTHING which we don't explicitly (and consciously - for example by being required to enter a randomly generated PIN rather than just clicking a button or pressing Enter) permit? AND, having said NO, will never permit any future attempt to ask us about the same app again unless we go in and re-enable the question for that particular application.
I'm very familiar with many of the registry change blocking shields (on my systems, ZoneAlarm blocks them, Avast blocks them and I've got Regwatcher alerting me to any changes) and even with those aids and a few decades of windoze experience, some still get through. So I've acquired considerable expertise in removing the bastards, but prevention would be so much better than cure and protecting my clients, friends and family from such intrusions is virtually impossible.
Your post is extremely apposite and well re-engineered.
I would guess your downvotes result from ignorance and failure to recognise your parody of the famous translation of Martin Niemöller's 1946 poem which, for the benefit of those who've obviously never encountered it, I include here:
First they came for the Jews
and I did not speak out
because I was not a Jew.
Then they came for the Communists
and I did not speak out
because I was not a Communist.
Then they came for the trade unionists
and I did not speak out
because I was not a trade unionist.
Then they came for me
and there was no one left
to speak out for me.
Tried to upvote your comment but my upvote seems to have disappeared.
In any case, I fully support your proposed approach (we can haggle over amounts but the principle is sound). In 2008, I created an authentication system for a security firm who were obliged to check the paperwork for any casual labour they hired to ensure they had employment rights in the UK. The only thing that forced the firm to take the matter seriously was the prospect of a fine for failure to demonstrate their checks had been carried out, as prescribed in law (we'll gloss over the Security Theatre involved). That fine was a non negotiable £10k PER INDIVIDUAL failure. That made them sit up and take notice...
Back in the 20th century, in a few comments I haven't been able to retrace, I made the point that there was a major upside to the activities of the then malware (mostly irritants produced by script kiddies et al). Viz, that it was forcing us to repair the gaping holes left in our online and offline security arising from the innocent design framework created by the architects of the intaweb who, initially at least, believed that it would be restricted to communications between respectable university folk and no one in their right mind would deliberately use the open doors to insert malicious software.
Now that it is widely acknowledged that States have become malware producers and major security attackers, I'm feeling somewhat vindicated. The situation is bad, but consider what things would be like if we hadn't spent the last 20 years developing firewalls and malware protection...
Shouldn't that be Brownnose?
Ah, so this is what a Home Office Troll looks like
"We have no privacy concerns (etc"
No one who understands data collection and data mining would make that statement.
If you need to ask why it's a privacy threat, you're probably not going to understand the answer, although, if you stick around these parts long enough, you will begin to absorb the painful truth
The wider social problem is that you are more representative of the "common herd" than the average Reg reader...
re: "Wildcard rename as in *.xxx to *.yyy is unique to DOS, so anyone who cut their teeth in another environment would not know about it."
I rarely plug commercial software but I'll make an exception for Explorer 2 (pronounced Explorer Squared) which I've been using (as a replacement for Windoze Explorer) without a glitch for about 10 years now. (http://www.zabkat.com/)
Wildcard replacement is one of their more trivial features and it's done within their GUI.
Your comment is so incredibly naive, it hurts.
Let's imagine that we conclude that such tactics constitute a legitimate and useful weapon.
The first consequence is that it justifies laws permitting the gathering of the relevant data on all potential targets. Which means mandating the infrastructure necessary to achieve the required monitoring.
The second consequence is that authoritarians everywhere will start using the attack against not just the "evil-doers" (terrorists, paedophiles etc) but against all dissenters and dangerously effective political campaigners.
The third consequence is that the authoritarians will recognise that they cannot predict where and when dangerous dissent will arise and observe that, if they wait till it has emerged, it may be too late to gather the embarrassing porn-crawling (or similar) data, so they will give themselves the permission to gather that data on ALL citizens "just in case".
The fourth consequence will be that any dissent and political campaigning will be restricted to those lily-white weirdos who have never ventured into the world of murky and mucky web based information.
We are, of course, a long way down that road, and the Americans already routinely use covert character assassination techniques against their dissenters and whistleblowers, but even they - currently - dare not use individuals' private web history against them. But if they sniff public approval of such totalitarian tactics, they won't hang back from passing yet more constitution-proof legislation.
You sir are guilty of providing succour to the real enemy...
First off, major kudos to the AC who shared his own judicial nightmare with us.
This is actually a prediction I made before the turn of the century. (http://www.fullmoon.nu/articles/art.php?id=god)
Once VR is genuinely fully immersive (a la "Matrix" rather than the cheesy VR helmets which we will sneer at in years to come) and operating at so called "gestalt" speeds (so we genuinely have no sensory means of identifying fact from fiction other than the ability to step back out of the fiction), human sexual desires of all kinds will be much more deeply fulfilled by the VR world than the real world could ever manage.
This will be equally true for paedophiles. They'll be able to whistle up whatever they need to satisfy their lust to a much greater level, in much greater safety and, importantly, with zero impact on any other human beings. A major consequence of this will be the end of the recruitment cycle which research tells us is responsible for the perpetuation of paedophilia. If "real" humans stop being abused in their formative years, they'll stop becoming paedophiles themselves and the problem will gradually fade away.
The only obstacle I see to technical progress towards such a solution is the Authoritarians continuing down their road towards "thought crime" where they have begun to criminalise such things as creating your own images (even drawings or paintings based on your own imagination) if such images are of subjects which, in the real world, would involve child porn (http://tinyurl.com/npxvvh5). Taking such an extreme legislative position crossed the Rubicon and defined the first legally recognised "thought crimes". We should have had riots in the street but, of course, we didn't because it was only those nasty peedos, so who gives a shit? The next steps will be the criminalisation of thoughts about blowing up Parliament and the like. Just the sort of thing which will make a lot of us want to blow up Parliament...
In any case, even if I'm right and VR eventually eliminates Paedophilia, other problems, of course, will arise in its place. Like: how is the human race going to procreate if everyone is getting their rocks off in VR? And, before you reject that option as wild speculation (also part of the same essay) check out what's happening in Japan right now even before we get the serious technology...
SOME of his stuff is Plausibly Deniable but quite a lot is sourced "on the record".
But that's not the point. If the Parker (et al) complaint is based on revelations of tradecraft, they're either lying (about that) or ignorant - of the existence of Bamford's exposures; which we know is untrue because for many years it was actually illegal to sell Puzzle Palace in the UK. So they definitely know what he's putting in the public domain and it's always been a lot more detailed (and potentially useful to the evil ones) than anything we've seen in the Grauniad.
Of course, Bamford isn't in the best seller lists, so I suppose they could have been counting on the old reliable: "security through obscurity"
Apart from some of the program names (like PRISM), can someone please provide an example of any functionality or practice revealed by Snowden which we could not have picked up from James Bamford's "trilogy" (Puzzle Palace - 1983, Body of Secrets - 2002 and Shadow Factory - 2009)?
I ask out of genuine interest, I was 2/3rds of the way through Shadow Factory when Snowden outed himself and, so far, nothing he revealed has come as a surprise.
That being so, why aren't the authoritarians up in arms about Bamford's revelations? He's been at it long enough. Do they kid themselves that the "evildoers" wouldn't discover such sources?
Duncan appears to have made the same mistake I did.
I high fived anyone within range when I saw the slide confirming PRISM's skype access date as 2/6/11 because I'd blogged, when the news of Microsoft's acquisition went public, that I suspected that at least one of the reasons for their interest was in providing a back door for their US Government clients.
The slide appeared to confirm that sequence of events. My self congratulations were cut short, however, when my (American) wife pointed out that the date on the slide would be in American date format and thus meant 6 Feb, not 2 June. Microsoft's acquisition date was 11 May.
I'd also take issue with Duncan's assessment that because the PRISM numbers are "too small" they can't be connected with the "peering points" (which, incidentally, although owned by the likes of AT&T, are shared with all the other major US Telecom providers). I suspect the PRISM numbers reflect only the "interesting" fruit harvested from the petabytes of data which the Narus STA 640s are more than capable of "reassembling".
I recommend James Bamford's "Shadow Factory" (2008) for anyone nerdy enough to want the gritty detail but Wired were the first to publish Klein's exposure and they cover this detail here:
...of the ban on Chinese telecoms contributing to the infrastructure of the Western World. Does it not amount to an admission that they believe the Chinese could use their access to our communications systems to implant undetectable surveillance even while under the kind of surveillance we could mount against them?
If they sincerely believe that this is even possible, I suggest that such confidence can only reasonably be based on experience...
Ah, they've cheated!
The first sentence did read (until a couple of minutes ago)
"Space boffins have suggested the supermassive black hole at the centre of our Universe..."
Apparently, according to the article, astronomers have identified the Milky Way as the centre of our universe. That's MUCH bigger news than a black hole sucking in a gas cloud...
The technique which will preserve your anonymity and allow you to preserve all your sock puppets (at least for the time being) is to create your draft in your native language, mince it through one or more translators and then back into your native language. Correct the errors. Post. That's how I did the other posts on this page without anyone spotting me. Oops.
On a more semi-serious note, has anyone got around to running Shakespeare's texts through this software to see if Christopher Marlowe (or any other contenders) show up as suspects?
The problem with so called "liberty" campaigners is that they lack imagination. The existence of these cameras is a major opportunity to begin taking control BACK from the Police. All we need is a law which makes any interaction between them and the public illegal UNLESS it IS recorded by such cameras. Citizen Innocent Until Proved Guilty; Authority Guilty Until Proved Innocent.
In addition, we need to introduce immutable audit trails and robust laws mandating the storage of and access to the data. With these measures in place, body cameras will begin to be seen as protection rather than oppression. This is a major example of how and why Trusted Surveillance needs to be implemented...
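The two posts above (on surveillance decision-making and on body cameras) both rest on an "immutable audit trail" that an oversight body can rewind after the event. The following is an added example, not code from the original thread or its commenter, of the simplest construction that gives that property: a hash-chained, append-only log where every record commits to the hash of the record before it, so any altered, removed or reordered record breaks the chain at a detectable point. The event fields, actor names and the use of SHA-256 over JSON are assumptions for illustration.

```python
import copy
import hashlib
import json
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # anchor value that the first record chains to


def _digest(prev_hash: str, seq: int, event: Dict) -> str:
    # Canonical serialisation so the same record always hashes the same way.
    body = json.dumps({"seq": seq, "prev": prev_hash, "event": event},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


class AuditLog:
    """Append-only log: every record commits to the hash of the one before it."""

    def __init__(self) -> None:
        self.records: List[Dict] = []

    def append(self, event: Dict) -> Dict:
        seq = len(self.records)
        prev = self.records[-1]["hash"] if self.records else GENESIS
        record = {"seq": seq, "prev": prev, "event": event,
                  "hash": _digest(prev, seq, event)}
        self.records.append(record)
        return record

    def head(self) -> str:
        # The latest hash. Lodge this with the oversight body (or publish it)
        # so that silently chopping records off the end is also detectable.
        return self.records[-1]["hash"] if self.records else GENESIS


def verify(records: List[Dict], expected_head: Optional[str] = None) -> Tuple[bool, int]:
    """Walk the chain. Returns (True, -1) if intact, else (False, index of the
    first record that does not fit). If expected_head is given, the chain must
    also end at that hash, which catches deletion of trailing records."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec["seq"] != i or rec["prev"] != prev:
            return False, i
        if rec["hash"] != _digest(prev, i, rec["event"]):
            return False, i
        prev = rec["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(records)
    return True, -1


def demo() -> Dict[str, Tuple[bool, int]]:
    # Constructed sample: an authorisation sequence for one hypothetical operation.
    log = AuditLog()
    log.append({"actor": "officer-17", "action": "request", "target": "subject-A"})
    log.append({"actor": "judge-3", "action": "authorise", "target": "subject-A"})
    log.append({"actor": "officer-17", "action": "intercept", "target": "subject-A"})
    head = log.head()

    results = {"intact": verify(log.records, head)}

    edited = copy.deepcopy(log.records)       # rewrite history: the judge "denied" it
    edited[1]["event"]["action"] = "deny"
    results["edited"] = verify(edited, head)

    removed = copy.deepcopy(log.records)      # drop the authorisation record entirely
    del removed[1]
    results["removed"] = verify(removed, head)

    truncated = copy.deepcopy(log.records)    # drop the intercept that followed
    del truncated[-1]
    results["truncated_without_head"] = verify(truncated)
    results["truncated_with_head"] = verify(truncated, head)
    return results
```

The last two results in demo() show the caveat that matters in practice: a hash chain on its own cannot tell you that the tail of the log was cut off, because a shorter chain is still internally consistent. The reviewer needs the latest head hash from somewhere the log's custodian does not control, which is what the head() escrow stands in for here.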
It's a horrible thought and nobody's mentioned it, so I thought I'd better at least ask the question.
As I understand it, O2 have no idea what caused the outage. And I believe they are the network provider (via their "Airwave" service) for the UK Emergency Services.
Could this have been a trial run by someone who wanted to see what the effects on the Emergency Services communications would be? And do we know if they were affected at all?
Given the complete absence of any business case for the scale of this acquisition, I am minded to cynicism.
One of the earlier (Anon Coward) commenters on this story suggests they might want it for access to their encryption "or perhaps the NSA do".
That may not be that far fetched. We know that the various security services have expressed concerns at their inability to eavesdrop on Skype calls. Perhaps they figure if a friendly co-operative new owner can let them look under the hood...
Now go to http://www.grahamhancock.com/archive/underworld/ where you will find Graham Hancock's been promoting this idea since 2002 or earlier and has been trying to get archaeologists to look under the water. Major vindication of his ideas...
That's what I was told.
No names, no pack drill as they say, but as part of one of my contracts, I was required (only this week in fact) to prepare a list of 400 names for CRB vetting in blocks of 50 in excel spreadsheets. I pointed out that sending these as attachments to an email was like sending them on the back of a postcard and asked how we should encrypt them and pass them the key separately.
The answer was don't bother, just send the data. "We aren't set up to deal with encrypted messages". I'd say that IS a (fairly major) System Design flaw...
If I were an active facebook member (which thank the lord I'm not sir) I would start a facebook campaign in which every member, at least once a day, pressed the panic button "accidentally" and flooded the CEOP twats with a manual DDoS, until they beg facebook to take the button off...
Above my pay grade but the only potential solution I've contemplated in regard to DDOS is what I call "Grand P2P" where - say - a thousand google scale organisations (if there are that many - let's say organisation big enough to pay a $Million dollar sign up fee without whingeing) form a dedicated "distributed master net" which hosts (for example) the authentication keys we'd need to run a Trusted Surveillance system, or the black and whitelists we'd need to eliminate SPAM.
The idea being that not even the most widely distributed botnet could generate sufficient traffic to pull down such a GP2P network.
Does the GFS2 concept achieve similar protection or would there still be a single point of failure (eg the ip address or dns) which would leave the system vulnerable to attack? (a GP2P system shouldn't have that vulnerability because it would have a thousand access points)
Can someone enlighten me?
I'm with the Judge on this one. But neither he nor the Reg seem to understand why the use of these weapons should be seriously restricted if not banned.
It's nothing to do with additional cruelty. The track record of the so called laser guided weapons delivered by manned aircraft is far worse than anything so far managed by the Hellfires.
The real issue is "reduced cost/risk" to the attacker and the problem which arises from that is that it makes it much easier for them to make a lethal decision. And that makes it far more likely that the weapons will be used in increasingly trivial or dubious circumstances.
The protection offered by manned flight is that, if we run the risk of losing a pilot, we'll take a lot more care in assessing whether the target really does need to be destroyed.
It's really in the same vein as I've hinted elsewhere. I'd like to get back to our "Leaders" taking the lead position into any future military conflicts. It's likely to make them much less likely to start their wars in the first place...
Seems to me that there's already enough support here for a class action by any of us who find our details are held by these jokers without our explicit permission. I'd happily cough up £100. If a couple of hundred of us are prepared to club together we could legally club them into submission. ...and teach the other bastards (who prefer opt out to opt in) a useful lesson
Yeah, I know everybody's having a good giggle, but, though his actions are rather amusing and being caught was humiliating, who, apart from himself, has been in the slightest bit harmed by his embarrassing actions?
Had he been doing this in the middle of a school playground, I might be somewhat more sympathetic to the punishment, but all we know from this story is that a neighbour reported "suspicious" behaviour. I doubt if the neighbour felt threatened by the behaviour and once the local forces of internal repression had checked the man out and found him not to be a physical threat, they should have told him to conduct his sexual games indoors and moved on to more important matters.
This is the kind of Police State behaviour which is almost more threatening than the more obvious Tasing and bully boy tactics we encounter more often. Why more threatening? Because nobody bats an eyelid. It's just accepted that a prison sentence for this aberrant but harmless behaviour is perfectly acceptable. Well it isn't.
Very ambitious claims being made for this project. It will fail. But version 15 or 16 should be pretty good and by the time we get to v 20, we genuinely will not be able to distinguish between real and virtual; not without contextual clues at least...
Why's this version going to fail? Primarily because it's an external device. V 15 (or thereabouts) will be internal. But also if the developers agree with this report that "sight is easy" then they don't yet understand the problem. Why d'you think VR helmets haven't already taken off? Because anyone using them for more than about 20 minutes tends to throw up or get a massive headache. Why? Because sight ain't easy at all. The problem is that they insist on presenting prefocussed images to each eye at about 3 inches.
The brain's "accommodation" algorithm knows it's focussed on an image 3 inches away, but the data in the image only makes sense to the brain if the objects are several feet away (or more). This produces real cognitive dissonance and the nasty side effects.
Solving that problem ain't easy; it requires abandoning prefocussed images and somehow presenting the eye with exactly the same data it would get in real life, forcing the eye to focus naturally instead of too short. There's a fortune waiting for whoever cracks that little conundrum...
Classic instance of how Privacy is intimately connected with Security.
Publishing hi res aerial reconnaissance images of buildings makes them much easier to attack. But why has it not occurred to anyone else that this same risk applies to the private homeowner?
Particularly if you include "street view", the potential burglar and other attackers can now "case the joint" without even taking the nominal risk of being seen on the street in the days leading up to the attack. Sauce, goose, ganders etc...
Can someone point me to a formal statement by the government (and/or its contractors) to the effect that this will be a secure database?
I ask because - if such a statement exists - I would argue that we have the basis for a legal suit of criminal negligence and/or fraud (depending who is making the statement) and I for one would be happy to donate a hundred quid to a class action to sue the arse off the bastards.
Anyone doing serious security needs to factor in a 1% risk PER PERSON of security breach by "professional trained security aware" staff in any given year. Thus with 100 properly trained staff you are typically going to get one breach a year.
With 1000 having access, you'll get 10 a year and so on.
With 330,000 we can guarantee approximately 10 a day and that's if they're "professional trained security aware" staff. At a million we're up to 30 breaches a day.
In fact though, probably less than 1000 of that million will be "professional trained security aware" staff, so it is reasonable to scale up the breach rate by a factor of 5 to 10.
So it really doesn't matter. Once you give more than about 50 "professional trained security aware" staff access, regular breaches are inevitable. Under no circumstances can such a database be described as secure...
I find this kind of prosecution deeply disturbing.
MUCH More disturbing than the distorted views the victim is apparently guilty of holding. Do I care that people still deny the Nazi guilt for the holocaust? Of course (my own family lost over 60 members to the Nazis) but these baseless beliefs do no more harm (on their own) than, for example, the conviction held by Creationists that the Theory of Evolution is a conspiracy to destroy religion. Are we going to start locking them up too? If so it's a shame we didn't make that decision before the Americans elected one...
It might have been called Project Saruman...
This is one of those instances where everybody makes the same mistake. They fall into the binary trap. EITHER freedom of the press, OR decent privacy laws. Here's a possible solution. Bring a Jury into the picture. (this is an example of the kind of thing I'm talking about here: http://stottle.blogspot.com/2006/02/shortcut-to-democracy.html)
Viz: Any time a paper is about to publish a story which contains a potential breach of privacy, it submits the story to a standing jury established for that purpose alone. It can even be a jury of its own readers, providing they can be shown to represent a reasonable cross section of the community. In practice this would be an online "advisory panel" whose job is to answer the single question, "Does the public interest in this case outweigh the private interest?" Their decision would be considered advisory only (leaving the editorial decision firmly in the hands of the publisher, where it belongs). BUT:
In any subsequent court case, the defendant would be able to use the Jury's endorsement as mitigation and, should the plaintiff win, the penalties would take into account the involvement of a jury and its decision.
For example, if a Jury has pronounced in favour of publication, the penalty would be minimised. If the Jury had advised against publication, the penalty would be maximised. If the Jury hadn't even been consulted, the penalty would be maximised, then doubled.
This would allow Juries to protect the public interest and, where reasonable, the private interests of individuals. It would encourage the media to take responsible, rather than merely commercial decisions.
Doesn't work in Sandboxie. Binned it...
And I have had about 2 dozen of my users and clients using it without major incident for about 3 months. What I particularly like about it is the configurability (like being able to give access rights selectively to trusted programs) and the option to run ANY program inside the sandbox - which means you can test for nasty side effects before it screws up your system.
Only last night, ferinstance, I used it to test what RealPlayer 11 wanted to install on my system before I let it do so for real. (Answer: 1217 files in about 100 new locations, most of which were utterly unnecessary)
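The test described in the post above (run an installer inside the sandbox, then look at what it wanted to write and where) is a before-and-after snapshot comparison. This is an added example, not the commenter's own tooling and not part of Sandboxie, showing the bare technique in Python: hash every file under a directory before and after, then report what was added, removed or modified and which directories were touched. The sample "installer" is simulated with plain file writes into a temporary directory; the file names are made up.

```python
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

Snapshot = Dict[str, Tuple[int, str]]   # relative path -> (size, sha256)


def _sha256(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> Snapshot:
    """Record size and content hash of every regular file under root."""
    seen: Snapshot = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            seen[rel] = (os.path.getsize(full), _sha256(full))
    return seen


def diff(before: Snapshot, after: Snapshot) -> Dict[str, List[str]]:
    """What the program left behind, relative to the state before it ran."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in before.keys() & after.keys() if before[p] != after[p])
    touched_dirs = sorted({os.path.dirname(p) or "." for p in added + modified})
    return {"added": added, "removed": removed, "modified": modified,
            "touched_dirs": touched_dirs}


def _write(root: str, rel: str, data: bytes) -> None:
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo() -> Dict[str, List[str]]:
    # Constructed sample: a throwaway directory stands in for the sandbox and
    # the "installer" is simulated with ordinary file writes.
    with tempfile.TemporaryDirectory() as root:
        _write(root, "app/config.ini", b"a=1\n")
        _write(root, "app/readme.txt", b"hello\n")
        before = snapshot(root)

        _write(root, "app/config.ini", b"a=1\nb=2\n")           # existing file rewritten
        _write(root, "app/plugins/p1.dll", b"MZ" + b"\0" * 30)  # new file in a new directory
        _write(root, "startup/autorun.lnk", b"L\0\0\0")        # dropped somewhere unexpected
        os.remove(os.path.join(root, "app", "readme.txt"))      # something deleted
        after = snapshot(root)
        return diff(before, after)
```

The content hash matters more than the size: an installer that overwrites an existing DLL with one of the same length shows up only in "modified". On a real system you would point snapshot() at the sandbox's redirected file tree and take the same two snapshots of the registry hive exports, since the post's complaint is as much about registry writes as files.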
And the question they haven't answered (as usual) is "what is the absolute mortality rate?" It may well be that the risk of cancer has doubled but that others have reduced, leading to no overall change in mortality, or even, (as now hinted by several strands of cannabis research) a small overall benefit...
Well said sir.
A number of comments have focussed on introducing/increasing "criminal" penalties for data loss. This would be neither effective nor realistic. Furthermore it does no more than reinforce the ill-IT-irate approach of the Government's existing incompetent attempts at Security Theatre. They THINK you can impose security with rules constraining humans. Wrong.
As Dunstan puts it:
"As far as I'm concerned, the problem isn't that the data was put onto a USB stick, it is that the data *could* be put onto a USB stick."
The reason The Law cannot possibly help is that it is quite impossible to create a "proportionate" penalty. Why not? Because the point of penalties is to act as a deterrent and whether a penalty is a deterrent depends on the value of the data to the attacker - which is not something under our control.
Yes, we might deter casual theft or incompetence with a fine of a few thousand quid, or a prison sentence. But if the purpose of the theft is serious enough (obvious example terrorism) then no penalty is going to have the required deterrent effect and it's THAT kind of attack we should be most concerned about. And the ONLY protection against that kind of attack is to make it physically impossible for attackers to get at the data. Dunstan again:
"We come back to the basic shortfall: legitimate users shouldn't have access to the data, they should have a view of the data."
And, in cases like the present example, they shouldn't even have a view of the "real" data. For the purposes of research, there is no obvious reason why they cannot have an anonymised view of the data, where any sensitive identifiers have been replaced with pseudo-data.
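The post above ends with an "anonymised view" in which sensitive identifiers are replaced with pseudo-data. The following is an added example, not code from the original thread or its commenter, of how a data custodian can build such a view so that the research attribute survives, records for the same person still join, and the tokens cannot be turned back into the real identifier by anyone who does not hold the custodian's key. The record layout, the field names, the sample rows and the key are all constructed for illustration.

```python
import hashlib
import hmac
from typing import Callable, Dict, Iterable, List, Optional, Set

Record = Dict[str, object]


def pseudonym(key: bytes, field: str, value: str, length: int = 16) -> str:
    """Keyed, deterministic token for one identifier.
    Keyed (HMAC) rather than a bare hash on purpose: an unkeyed SHA-256 of a
    ten-digit number is reversed by hashing all ten billion candidates.
    The field name is mixed in so the same string in two columns does not
    yield a linkable token."""
    msg = field.encode("utf-8") + b"\x00" + value.encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:length]


def anonymised_view(records: Iterable[Record], key: bytes,
                    direct_identifiers: Set[str],
                    drop_fields: Set[str] = frozenset(),
                    generalise: Optional[Dict[str, Callable]] = None) -> List[Record]:
    generalise = generalise or {}
    view: List[Record] = []
    for rec in records:
        out: Record = {}
        for name, value in rec.items():
            if name in drop_fields:
                continue                              # free text the research never needs
            if name in direct_identifiers:
                out[name] = pseudonym(key, name, str(value))
            elif name in generalise:
                out[name] = generalise[name](value)   # coarsen quasi-identifiers
            else:
                out[name] = value                     # the attribute under study
        view.append(out)
    return view


def outward_code(postcode: str) -> str:
    return postcode.split()[0]          # "SW1A 1AA" -> "SW1A"


def age_band(age: int) -> str:
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


# Constructed sample rows; the identifiers and names are invented.
SAMPLE: List[Record] = [
    {"nhs_number": "9434765919", "name": "A. Person", "postcode": "SW1A 1AA", "age": 34, "diagnosis": "J45"},
    {"nhs_number": "9434765870", "name": "B. Person", "postcode": "M1 1AE", "age": 71, "diagnosis": "I10"},
    {"nhs_number": "9434765919", "name": "A. Person", "postcode": "SW1A 1AA", "age": 34, "diagnosis": "E11"},
]

# Hypothetical custodian key: in practice os.urandom(32), held by the data
# owner and never given to the people who receive the view.
CUSTODIAN_KEY = b"\x01" * 32


def demo(key: bytes = CUSTODIAN_KEY) -> List[Record]:
    return anonymised_view(SAMPLE, key, direct_identifiers={"nhs_number"},
                           drop_fields={"name"},
                           generalise={"postcode": outward_code, "age": age_band})
```

Two points the code makes concrete. First, pseudonymisation is only as good as the key custody: whoever holds CUSTODIAN_KEY can regenerate every token, so the key stays with the data owner, not on the researcher's laptop or USB stick. Second, replacing the direct identifier is not enough on its own; the full postcode and exact age together would re-identify most people in a small dataset, which is why those columns are generalised rather than passed through.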
...is that they give the Police State the one plausible argument they need for "Total Surveillance". Even Terrorism doesn't attract as much support for its countermeasures as does Paedophilia. Hence, if we want to keep the State out of our lives, we're going to have to figure out for ourselves what we do to prevent Paedophiles abusing this medium (the web). And then, do it.
It exists, but I've just wasted half an hour of my all too precious time looking for it and I can't find it. Somewhere out there, though, is a web page where EMPLOYEES can rate their employers in order to pre-inform potential job applicants.
What the Trade Unions should do, in response to this nonsense, is formalise that approach and create a national - or even international - database of bad employers with verifiable examples of their practices...
Been using it for about a month now on a dozen or so web active machines. Seems pretty fault-free, stable and lets me sleep better at nights knowing that it no longer matters what "infects" my users' machines because it all disappears when they close their browsers. 'course, I can't do anything to stop them handing over sensitive data to phishing sites but that's a horse of a different feather...
I've long argued that kids shouldn't be allowed to use calculators in school until they've demonstrated a reasonable grasp of mental arithmetic. Why? Because if you perform the calculations mentally - at least to an approximation - then you have some idea of whether what the machine is telling you is likely to be correct.
The same obviously applies to idiots with Satnavs. They shouldn't be allowed near them until they've demonstrated at least rudimentary map reading skills so they've got a chance of spotting the fact that the machine is leading them astray...
I can't be the only one who spotted "Suprise"?
More seriously, the case for allowing such "flexibility" is made by Sean Groarke's sample above: "There books - there there."
How would you cope with that sentence if spoken rather than written? Answer "context"; and it's not wildly unreasonable to apply the same logic to the written word. But that only applies to that kind of example - where we're dealing not so much with mis-spelling as with wrong choice of words which sound identical.
Permitting things like "wierd" instead of "weird", however, just muddies the water and ultimately slows down communication.
Interesting. And how did they acquire their "assets" in the first place?
After this, we want to see the Native Americans suing the American State for the theft of their land and genocide from the late 16th century through to the early 20th...
The deep point that the vast majority of the population seem to be completely blind to is that breaches of Privacy can lead to very serious breaches of Security.