* Posts by Graham Cobb

236 posts • joined 13 May 2009


Microsoft and pals re-write arms control pact to save infosec industry

Graham Cobb

Re: I won't sell you a weapon...

I see your point but I don't think it is as hard to draw the line as you think.

Wassenaar is not about stopping a gangster buying a gun. It is about stopping nation states buying extremely high-level weapons to use against other nations or their own people.

So, it really doesn't need to be about preventing access to knowledge of vulnerabilities (after all, any information available in the US will be easy to get hold of elsewhere). Nor is it about stopping crooks building new attacks. It isn't even about stopping "bad" nations from creating their own "Hacking Team" -- as long as they are having to do their own development they will be some distance behind us. It is really about stopping commercial entities (such as the real Hacking Team) from developing and selling weapons to anyone who can pay.

I think the issue will be over defensive uses: does Wassenaar really want to stop Microsoft, etc selling defenses against our weapons.

1
0

Thermostat biz Nest warms to home security, touts cam with cloud storage subscription

Graham Cobb

Does it register with the Information Commissioner’s Office?

Two questions:

1) Is it secure or can hackers watch it like with most internet-connected cameras?

2) Does it come with automatic registration with the Information Commissioner’s Office as a CCTV operator? And does Nest handle Subject Access Requests to allow people to see the CCTV images you record of them?

8
0

UK gov says new Home Sec will have powers to ban end-to-end encryption

Graham Cobb

Re: A suggestion

The "safe spaces" aren't going away, whatever the government might do. That cat is well out of the bag. And it is a good thing too: it is a small step towards restoring law enforcement's powers back to historical norms. The last decade has been a complete aberration in police/spook intrusion.

But, even if they don't agree, there is nothing they can do except make life hard for ordinary people. All this will do is massively reduce the UK's international competitiveness -- great idea at the time of Brexit!

34
0

Salesforce bins all Android phones bar Nexii and Galaxies

Graham Cobb

Re: I believe they've made the correct choice

business users ... up to date with a relatively rigorous older version retirement scheme

Ha, ha! I think more and more companies are extending their mobile lifetimes to reduce cost (my employer is large and has just recently extended it again).

But the SFDC decision will please sales people everywhere! They now have an unbeatable business justification to ignore the company policy of "no replacements until 36 months, and even then only if it is broken". New handsets every 6 months -- and only the highest-end models!

0
0

Comms intercept commish: There were some top secret orders

Graham Cobb

Department for Business, Innovation and Skills?

The only reason I can think of would be industrial espionage, presumably directed at foreign companies.

And presumably the reason the PM blocked the commissioner from investigating it, and is busy rapidly cancelling it, is because he discovered some of it was directed against the US.

2
0

Theft of twenty-somethings' IDs surges

Graham Cobb

Don't lie -- just refuse to do business

I wish that more people would just refuse to do business with companies that want intrusive information.

If a company asks for date of birth, or a phone number when they don't need it, I refuse to do business with them. I don't make something up. More often than not, I tell them that I would have done business with them but am not because of their nosy data gathering.

I started this when I got my first bank account in the 1970s. In those days, some shops wanted me to put my address on the back of a cheque, even if it was guaranteed (young'uns can ask their parents about something called "cheque guarantee cards"). I refused and, if necessary, walked away from the transaction.

If fewer companies were asking for personal data it would improve general "data hygiene" and people would be less willing to share.

2
0

Tor onion hardening will be tear-inducing for feds

Graham Cobb

Re: Jacob should fork Tor

Unfortunately it is very hard to make useful security tradeoffs. We all know that there is no perfect security and we are used to the idea of a need to tradeoff between security and cost (how valuable is the item you are trying to secure? No point in spending more money than that on securing it).

What we very often forget about is usability. If you increase security by reducing usability (ease-of-use, performance, etc) then you are reducing the number of people who will use that security. So, your choices here will depend on whether you are aiming at committed, hardcore, tinfoil-hat-wearing security geeks or Facebook-loving grandmothers or where in between.

Some things (like the move to https: instead of http:) have so little impact on usability that they are no-brainers. However, the decisions made by the Tor project, including the controversial ones (like whether or not to enable Javascript in the Browser, whether to support UDP, whether to add background traffic, etc) are really hard as they have considerable impact on usability and hence real-world takeup.

@AC may have preferred different choices. And I think that some Tor developers and researchers are moving towards some changes, as the threat environment and usage has changed. But I think the Tor developers have generally made pretty good choices and I certainly acknowledge that these are hard decisions with no right answers.

@AC can go ahead and fork Tor/TBB with different choices, and then try to build up enough usage to get useful levels of anonymity. But I think the better choice is to work within the Tor environment, discuss potential changes, conduct (or sponsor) research and development and operate (or fund) relays.

Ranting on El Reg is not likely to help (yes, I know I am guilty of it as well!).

0
0
Graham Cobb

Re: don't get it

There are really two ways to break Tor-based anonymity. One is to break the Tor anonymity itself (which seems like it may be possible for nation-state-level players, although it may be expensive and/or they may be reluctant to share the data with other players like law enforcement). The other is to break the anonymity above the Tor level: get the user (or, in this case their browser) to tell you who they are without ever having to break Tor!

It is the latter which is addressed in this article. This is about making the "Tor Browser" (not really anything to do with Tor itself but a browser with Tor access conveniently built in) more secure. Like any other browser, Tor Browser has bugs which could be exploited (and have been) to run code on the user's system. That code can make the system report its real name and IP address to the adversary -- allowing law enforcement to know who has accessed what pages, for example. This article is about helping to make the Tor Browser more secure by making those bugs harder to exploit.

0
0

'Nobody cares about your heart-rate'

Graham Cobb

Re: Rush to judgement much?

I think that a robust on-premise gateway/firewall/IoT manager is a good idea. It would be a good idea even if the devices had decent security (for managing them all, storing historical data, etc). It just must not be:

1) Off-site -- it must always be under the full control of the user

2) Locked-in to the devices -- I should be able to choose my gateway vendor independently of the IoT devices it controls

3) Closed, or patent-protected protocols/interfaces -- I want a wide selection of gateways to choose from. I want to see Apple, Google, Facebook, etc competing for that business (yes, even with their cloud-based data slurping). And I want to see open-source versions as well for those of us who value privacy.

Why can't I find an open initiative to develop this that I could join?

0
0

Snoopers' Charter 'goes too far' says retired Met assistant commish

Graham Cobb

renaming internet connection records as browsing history is a good first step

Yes. And we need to explain how this means everyone has a permanent police tail on them 24 hours a day. Adapted from my post almost exactly 2 years ago... http://forums.theregister.co.uk/forum/containing/2225266

Collecting internet connection records is exactly the same as placing a police tail on you: the tail can't hear what you are saying but they track exactly where you go, who else is nearby, who you talk to (and for how long), what posters you stop and read, what shops and other buildings you go into. If the Snooper's Charter was in effect, the tail can even follow you inside the buildings and video everything you do there.

Having a permanent police tail on everyone seems like the clearest example of a police state that I have seen.

1
0

Brexit: More cash for mobile operators or consumers? Pick one

Graham Cobb

Re: Scaremongering

And now my own positive reasons to remain. Please discuss these as well...

1) The EU provides a brake on our government's fawning give-away of our rights to assist their friends in big business. The Tory government are doing this with TTIP -- they will sign it instantly if we leave the EU but are currently constrained by the EU who are (fortunately for us all) concerned about the ISDS clauses. But Labour are no better: they handed the copyright cartels all they asked for, but that is also somewhat constrained by EU work on copyrights.

2) Remaining, and keeping free movement, will gradually reduce the xenophobia, intolerance and racism that drives the extreme right and tricks some people into supporting them. It will take many more years but it will happen. Note that nowadays even Liverpudlians are allowed to live in London without being attacked :-) Seriously, not only have "No Dogs or Irish" signs disappeared for legal reasons but in fact the casual hate behind them has mostly gone.

10
2
Graham Cobb

Re: Scaremongering

all I have so far asked is for a positive reason to remain. I am still waiting.

No, you are not waiting. The GDP issue was posted earlier and is a positive reason to remain.

You may not agree it is important, or you may not even believe it. But it is certainly a positive reason to remain and has been provided. So, over to you to discuss it...

5
2

UK.gov is about to fling your data at anyone who wants it. How? Why? Shut up, pleb

Graham Cobb

Re: One way for plebs to be heard

I have written to my MP several times. On no occasion have I had a reply I agreed with, and in many cases I received an obviously stock reply. In one case, I sent an email and the assistant tasked with responding accidentally copied me on their email to Conservative Central Office asking for the stock reply :-)

However, I continue to do it on occasion. Not so much because I think my MP will actually read it or even hear my carefully argued points, but because they measure public opinion by weight. Getting lots of letters on a subject does put the wind up ministers (why else did the PM overrule the proposals on the BBC?).

11
0

Curiosity find Mars' icecaps suck up its atmosphere

Graham Cobb

Re: New Orderly World Orders AI …. for Live Operational Virtual Environments ‽

Better to have the ability to haul any potential asteroid-mitigating technology into orbit, and / or work towards a self-sustaining extraterrestrial colony.

Genuine question: Why?

Of course, I don't want humanity destroyed but I am not that bothered. If it happens, it will make no difference to the universe. Nor will it mean anything to all of us who die.

Also, it is extremely unlikely to happen any time soon. So unlikely that attempting to "assure our survival" is a pointless waste of time. Better to spend the resources on faster scientific progress and being able to do a better, and more efficient job, some time in the future.

1
5

Google open sources Thread in bid to win IoT standards war

Graham Cobb

None of these sound like what consumers want

What we need is an open standard for local (in the home) connectivity, with many competing implementations of the home hub with different features and capabilities. Some might be really simple to use but restrictive, for example provided by Apple and fully integrated with their ecosystem for people who use that. At the other extreme, some might be really geeky: running on OpenWRT and configured by editing text files with vi. In between, there would be some which integrate well with other ecosystems (Samsung, Xbox, etc) and have various levels of controllability, security and privacy.

Within the home, it must be possible to have devices (IoT devices and controllers like phones) talk to each other, without any information passing outside (like using DLNA to control your home media today).

In some cases (for example for remote access when travelling) it may be useful to have internet servers to co-ordinate and secure access -- but those must be able to be chosen independent of the hub manufacturer and selected by the user just as they choose email services today. In the same way as for email, these must also be able to be self- or community-hosted, not just owned by big internet companies.

None of that will stop Apple, Google, Samsung, etc being big players in IoT -- many people will choose their products, just as they choose their phones, TVs, and email services today. But the discerning or privacy-conscious consumer should be free to choose alternatives which match their requirements, lifestyle, language, community norms, etc.

Who is representing consumers (and geeks) in these discussions?

6
0

Brits still not happy about commercial companies using their healthcare data

Graham Cobb

Re: Any room left in that 17%

I would extend Ben's prison sentences and ban from access to data to include anyone attempting any form of de-anonymisation, wherever performed, whether successful or not, for whatever reason (however noble), and whether it would lead to actual identification (name, address, email, etc) or just a description of a unique person.

And whistle-blower protection/reward needs to be explicitly provided for in the law.

With that I would probably be willing. But the opt-out still needs to be there for those who will not accept the remaining risk (which is mainly that even if someone is punished, the leaked information will still have been leaked).

2
0

Knackered Euro server turns Panasonic smart TVs into dumb TVs

Graham Cobb

Off topic: you might want to read the "separated by a common language" blog. Although I don't think she has really addressed this jarring with words which do have the same meanings but where the most frequently used senses are different.

1
0

GCHQ: Crypto's great, we're your mate, don't be like that and hate

Graham Cobb

Re: Goodwill?

They were surprised by the vehemence of my concern and by my proposed solution: massive budget cuts to bring them under proper control and focus their minds on the things that are really important. Needless to say, they did not agree. Not that they were in a position to do anything about it anyway (as far as I know, of course).

2
0
Graham Cobb

Re: Goodwill?

That is what I said to someone I know who works at GCHQ just after the Snowden leaks. GCHQ have, by their actions over the last 20-30 years, voided our trust. They will never again be allowed, by my generation, to have the same power again.

Until those of us who remember their crimes are gone they can beg, whine, scream, threaten or corrupt as much as they like but they will be fighting the population.

The abuse had been going on since the 70s: completely illegal and disproportionate abuse of powers to monitor legitimate political parties (including the Labour party!) and trade unions. Later, helping the police to drive towards a police state for anyone who dares to protest (see the John Catt case). Finally their "climate of fear" pushing of a serious but very infrequent crime (terrorism) as if it was a serious threat to life or liberty.

The actual threat to liberty is the abuse of extremely dangerous powers which should be being used maybe once a year, not on the whim of a politician or police officer.

37
0

No tit for tat, or should that be tat for tit ... Women selling stuff on eBay get lower bids

Graham Cobb

Could be a useful study

Next time I bid for something on eBay I will decide how much I am willing to bid and then make sure I only bid on auctions posted by women. If they get lower prices I am less likely to have to go to my top bid! Sounds great to me.

On the other hand, maybe the study is just crap.

2
0

Why Tim Cook is wrong: A privacy advocate's view

Graham Cobb

Re: Not even wrong...

Perhaps you'd be happy flying on a plane knowing no one had bothered to check the luggage because the 200 or so of you on there is less than the daily roadkill so who cares if you die?

Absolutely yes. Without a doubt. Unless the stats had changed so that the risk of flying came near to the other risks -- which would happen after a while, of course, if we stopped checks which are actually useful.

If some check has little impact on the risk numbers (for example, if it is ineffective, like much security theatre) then I have no problem going without it. A few hundred deaths a year won't worry me, until it gets to be comparable with other risks I take every day (like driving to the airport).

2
1

UK to stop children looking at online porn. How?

Graham Cobb

Re: Gubmint knows this will fail, it's just a way to move further along to their ultimate goal...

You would almost think our legislators have shares in the VPN business.

Not the VPN business... the Media business (and not just shares: very lucrative donations, revolving doors and cosy relationships). I assume this is being pushed by Big Media, who are very annoyed at the censorship of films in cinemas, on DVD, and on TV which is bypassed by porn sites.

Of course it helps that it plays well with the authoritarian wing of the Tory party, but there is no money in that so that can't be the real driver.

0
0

Apple must help Feds unlock San Bernardino killer's iPhone – judge

Graham Cobb

...it may be that they're going to be regularly exposed as having given offenders the means of committing their crimes. Now that's not going to look good in the papers.

Why? It doesn't seem to do car companies, electricity companies, or grocery stores any problem that they are used by criminals as well as non-criminals. What makes you think it would be a problem for Apple?

0
0

Gmail growls with more bad message flags to phoil phishers

Graham Cobb

Re: WTF?!!

The reason to have all email using TLS is to make it normal. Pre-Snowden, all email was in the clear and spooks could just sweep up everything by tapping a few links. You could even, easily, see whether the mail was end-to-end encrypted and, even if it was, the addresses of both sender and receiver. At that time, anything which was encrypted was a red flag that this was likely to be worth looking at.

Over time, much email is now TLS encrypted. It cannot be just swept up "just in case it is useful one day". And it is impossible to see which are the interesting messages, which messages are encrypted, and who they are to and from. To make that stronger, even the most boring messages should be encrypted. I am looking forward to being able to turn off all non-TLS email receiving on my personal servers.

In today's world, encryption isn't about protecting YOUR messages, it is about protecting EVERYONE ELSE'S messages.

0
0
Graham Cobb

Re: Value depends depends on implementation

While you are right, anything which names and shames the players who don't use TLS in the hop to/from gmail would be welcome. Use of TLS on that hop doesn't mean that the mail was secure but it at least contributes to making TLS use not suspicious. When we, eventually, have certificate checking as well (using DANE or something else) then TLS may actually start to make a useful contribution to security.

On my personal mail server I already flag all incoming mail which has not been received using TLS. Unfortunately my emails to the senders to complain are invariably ignored.

0
0

TTIP: A locked room, no internet access, two hours, 300 pages and lots of typos

Graham Cobb

Re: Who knows? Really?

@philthane

So what do we do about it? I have much the same experience -- I tear my hair out over how to get TTIP onto people's awareness. At the moment, if I write to my MP about TTIP, he treats me like a green ink nutter.

Campaign suggestions on a postcard...

3
0

Are Indians too stupid to be trusted with free Internet?

Graham Cobb

Re: Some Way, Some How.

Isn't there some way to support free internet for India's poorest, while not turning them into fodder for the Facebook and Google machines?

To be honest, I am amazed that Zuck hasn't done this. I am certain that he could come up with a subsidy offer that does not require a walled garden, was (at least) financially break-even and which would gather him MASSIVE positive support, and a billion new customers, in the world's largest democracy.

Why not just sponsor (limited speed) internet access, with no site restrictions but with massive advertising and promotion of facebook, and (financially contributing) partner sites. Completely neutral and advertising subsidised. The way things work in other markets!

6
0
Graham Cobb

Re: It would be the same anywhere

Demonstrably, they are. Basics is live in 37 countries and has been shut down by the elites in just two.

Many, but by no means all, countries have legislation preventing the sale of physical goods at below-cost prices, to help prevent monopolisation. Just as in this case, whether to make that illegal is a national decision, taking into account their own national circumstances and their national approach to regulation. Does that mean that the poor in Belgium, Canada and South Africa are being treated unfairly?

8
1

Privacy advocates left out of NHS care.data 'oversight' board

Graham Cobb

Re: A note on "anonymous" data

if this could be done well it really would be invaluable for research, which really could bring material benefits to people

So, we need a two-pronged approach: good anonymisation (but leaving data useful for research) combined with extremely strong privacy enforcement. There must be strong legal penalties against any deanonymisation attempt (however much it might help the research), starting with prison time for managers who allow it on their watch -- a very effective deterrent against white collar criminals, as the H&S industry has demonstrated. This must specifically criminalise any use of the data in marketing, insurance assessment, discrimination (housing, jobs, etc) or for any purpose other than the approved clinical research (with both criminal and civil penalties).

The third leg of this stool has to be that individuals can still opt-out. If I am paranoid (clinically or otherwise), or I have a lot to lose (in the public eye?), or I just have a different trade-off between my risk and the benefit to society, then I must be able to opt-out of being included in any released data.

Why is this so hard?

3
0

Cops hate encryption but the NSA loves it when you use PGP

Graham Cobb

Re: Ah, Traffic Analysis

But I think I'm right in saying that if that email is sent to a foreign (**) email server via a STARTTLS-ed SMTP session, the spooks probably can't even tell whether it uses PGP or not because the metadata was encrypted in that case too

You are right that TLS encryption of SMTP exists and hides the metadata from easy interception. On the other hand, it has numerous weaknesses, including:

1) In most cases, TLS is set up opportunistically -- most servers do not insist on TLS and will drop back to sending without it if the receiver doesn't (appear to) accept it. Most servers prefer not losing email to link security. My personal servers insist on TLS for submitting mail for sending but are forced to accept incoming mail from anyone (although I do add a header to tell me it arrived without using TLS -- and I sometimes complain to the sender that they should turn it on).

2) In many cases no certificate validation is done, so it is easy to MITM. For example at international gateways.

3) It is not end-to-end, it is link-by-link, so if the receiving system is compromised, or if it can be convinced to forward the message on to another system without using TLS (see 1) then the metadata is exposed.

4) There are some attempts to help with problems 1 & 2 by setting up information that says "my mail server always wants to see TLS -- if you try to connect to me and don't get TLS then don't send" and "my certificate looks like this -- if you don't see that certificate don't send". But it is hard to do and fragile and, in practice, no one implements it (search for DANE TLS for more info).

1
0
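The per-hop check described in the two email comments above (flagging incoming mail that did not arrive over TLS, and the "link-by-link, not end-to-end" weakness in point 3) as an added example in Python. This is not the commenter's own server setup: it assumes the MTAs on the path write the RFC 3848 "with" keywords (ESMTP for cleartext, ESMTPS for STARTTLS, ESMTPSA for STARTTLS plus SMTP AUTH) into their Received: headers, as Postfix and Sendmail do, the sample message is constructed, and the X-Cleartext-Hop header name is made up for the example.

```python
"""Flag inbound mail that did not travel over TLS, hop by hop.

Added example (not the commenter's own configuration). Assumes each MTA
records the transport with the RFC 3848 "with" keywords in its Received:
header. The sample message below is constructed.
"""
import email
import re

# Constructed sample: the final hop into our own server used TLS, but the
# earlier relay-to-relay hop was cleartext, so the sender's metadata was
# exposed on that link even though our server only ever saw TLS.
SAMPLE = """\
Received: from relay.example.org (relay.example.org [203.0.113.7])
\tby mx.example.net (Postfix) with ESMTPS id ABC123
\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits));
\tSat, 6 Feb 2016 10:00:02 +0000 (GMT)
Received: from mail.sender.example (mail.sender.example [198.51.100.9])
\tby relay.example.org (Postfix) with ESMTP id DEF456;
\tSat, 6 Feb 2016 09:59:58 +0000 (GMT)
From: alice@sender.example
To: bob@example.net
Subject: hello

body
"""

# RFC 3848 keywords that mean the session was protected by STARTTLS.
TLS_KEYWORDS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}
FROM_RE = re.compile(r"^from\s+(\S+)")
BY_RE = re.compile(r"\bby\s+(\S+)")
WITH_RE = re.compile(r"\bwith\s+([A-Z]+)\b")
TLS_VERSION_RE = re.compile(r"using\s+(TLSv[0-9.]+)")  # Postfix annotation


def parse_hops(raw):
    """Return one dict per Received: header, in transit order (oldest first)."""
    msg = email.message_from_string(raw)
    hops = []
    # Each MTA prepends its Received: header, so the first one is the newest.
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(value.split())  # unfold continuation lines
        m_from = FROM_RE.search(text)
        m_by = BY_RE.search(text)
        m_with = WITH_RE.search(text)
        m_tls = TLS_VERSION_RE.search(text)
        proto = m_with.group(1) if m_with else None
        hops.append({
            "from": m_from.group(1) if m_from else None,
            "by": m_by.group(1) if m_by else None,
            "protocol": proto,
            "tls": proto in TLS_KEYWORDS or m_tls is not None,
            "tls_version": m_tls.group(1) if m_tls else None,
        })
    return hops


def cleartext_hops(hops):
    """The hops whose Received: header shows no TLS."""
    return [h for h in hops if not h["tls"]]


def last_hop_used_tls(raw):
    """True if the delivery into the final server (the hop we wrote) used TLS."""
    hops = parse_hops(raw)
    return bool(hops) and hops[-1]["tls"]


def flag_header(raw):
    """Header line to add when any hop was cleartext, else None."""
    bad = cleartext_hops(parse_hops(raw))
    if not bad:
        return None
    links = ", ".join(f"{h['from']}->{h['by']}" for h in bad)
    return f"X-Cleartext-Hop: {links}"


def annotate(raw):
    """Prepend the flag header to the raw message when one is warranted."""
    flag = flag_header(raw)
    return raw if flag is None else flag + "\n" + raw


if __name__ == "__main__":
    for hop in parse_hops(SAMPLE):
        print(hop)
    print(flag_header(SAMPLE))
```

Only the Received: header written by your own MTA is trustworthy; every earlier one was written by another party and can be omitted or forged, so the flag on earlier hops is a hint about the path, not proof. Even so, the sample shows the point of the comment: the final hop reports TLSv1.2 while the hop before it was plain ESMTP, which a receiver that only checks its own session would never notice.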
Graham Cobb

Re: Light things up?

Sadly, statistically few people will use it, because so few people understand the need for privacy all the time, not just some of the time.

More importantly, the problem is that so few people understand that it is nothing to do with your need for privacy: by using all the available privacy tools all the time you are protecting the people who do need privacy and who are important to you. That may be journalists, campaigners, battered wives, or even politicians.

1
0

Five reasons why the Google tax deal is imploding

Graham Cobb

Re: Think about it...

Eh? Tax isn't about taxing some piece of money, it is about taxing transactions. Otherwise, every time the government printed a pound it could only tax it once!

Of course we paid tax when we earned the money, then paid tax when we spent it, then the company needs to pay tax when they earn it and should also pay tax when they spend it (in fact, companies do not -- mostly they pay tax only on profits, apart from employers NI and some transaction costs, but certainly not on revenues). And the shareholders and employees get taxed when they receive it, and round we go again. That is how tax works.

1
0

GCHQ spies quashed this phone encryption because it was too good against snoopers

Graham Cobb

Re: Lawful interception gateway

Yes, but the days of LI are over. I have several end-to-end encrypted and uncrackable communications systems on my PC today (PGP email, Bitmessage, pgpphone, Tor, ...), and that is without installing any of the apps the terrorists are apparently writing for themselves!

GCHQ has some really, really smart people. We need their out-of-touch bosses (and the never-in-touch politicians) to let those smart people work on risk management in the new reality. Let them work on the problems of how you do targeted SIGINT to protect us, without LI.

All LI provides now is a way to intercept law-abiding people. Only dictatorships need that.

0
0

Facebook Messenger: All your numbers are belong to us

Graham Cobb

Re: Dear Bill, that report is NOT free..

No thanks. Why should I lie? I just choose not to do business with people under terms that are not acceptable to me. When possible I tell them that that is why I am not doing business with them.

We should all do more of that: lying about date of birth, email address, phone number, etc just makes it appear that collecting such data is acceptable.

0
0

UK universities unveil £28m hub for Internet of Things

Graham Cobb

I wish they would add "social policies" to their list of critical issues. I am all for creating technical standards, and certainly in favour of sorting out privacy and security, but I think a really important issue about IoT is to get it out of the hands of major corporations and into the hands of open-source developers, community projects, peer-to-peer services and garage-based entrepreneurs.

That would help with many of the issues such as privacy and ethics and would really allow British innovation to flourish. The UK has nothing to gain by buying into the perverse definition of IoT as something done by big cloud providers: Google, Amazon, Samsung, LG, etc are not British companies.

I would quite like an intelligent thermostat. However, I have no interest in buying one which sends any data outside my home, nor in paying for it as a service or with advertising. Sell me a box to replace the box which is my current thermostat, but which I can configure to receive weather forecasts and can control remotely. That is the sort of IoT which would be worth paying for.

0
0

Library web filtering removes info access for vulnerable, says shushing collective

Graham Cobb

But the mobile phone companies' block lists are even worse!

https://www.blocked.org.uk/

0
0

LogMeIn adds emergency break-in feature to LastPass

Graham Cobb

PwSafe

Personally I use a PwSafe format file and various different PwSafe-compatible programs to access it on different devices (Password Gorilla on my main desktop). The file is automatically synced to a location in the web so I can easily access it from elsewhere when needed.

0
0
Graham Cobb

Does anyone need it? After all, apparently the whole advertisement has been reproduced as an article by a formerly reputable, interesting and independent IT news site.

0
0

Are you the keymaster? Alternatives in a LogMeIn/LastPass universe

Graham Cobb

PwSafe

I am quite surprised that no one mentions the Gran'daddy of them all: PwSafe. It uses a local database (which you sync yourself) and has been around a long time. It is open, and free, so there are many different clients available which can read and write the PwSafe database format.

I have used PwSafe (both with the original client and several other clients) for a long time. What do these other (local, not cloud) apps do that PwSafe clients don't? Which of them are open source?

5
0

Sneaky Microsoft renamed its data slurper before sticking it back in Windows 10

Graham Cobb

Anyone got a VM config guide for isolating Windows?

I am a Linux and open source guy. All my personal machines are Linux (although my employer supplies a Win 7 system for work).

One day I will retire, and I acknowledge that I may need a Windows system occasionally. In fact, I acknowledge the unfortunate fact that Outlook is a great PIM -- and much better than any of the free alternatives (including Kdepim and Evolution). I will probably decide that I find Outlook sufficiently useful to be willing to pay Microsoft for a licence for it and for the OS to run it on. I don't begrudge them their licence fee but I don't want to find, after the fact, that MS have been snooping on me because I hadn't heard about some new privacy violating service they have installed.

So, does anyone maintain a script to configure a Linux VM that can be used to run Windows in a limited environment, with the network config for the VM set up to go through a firewall blocking anything but a few whitelisted sites? I know it isn't rocket science but it seems like others must have done this already.

4
0

Brits learning from the Continent? Authority, digi gov wheezes and the Autumn Statement

Graham Cobb

Distrust

I think the mistrust is based on much more serious abuses than those you mention. It is things like: using the police to infiltrate political campaign groups and unions (since the 1970s and probably before), trying to replace the rule of law with arbitrary power for politicians (statements like "It would be totally irresponsible of government to allow the legal system to dictate to us on matters as important as terrorism", and "For too long, we have been a passively tolerant society, saying to our citizens 'as long as you obey the law, we will leave you alone'"), stop-and-search, giving private companies their own police (CoLP), etc.

11
0

Who's right on crypto: An American prosecutor or a Lebanese coder?

Graham Cobb

The answer is proper resourcing of the police

The reason the politicians want this is because they are busy trying to save money by cutting numbers of police. Their wet dream is reducing police "investigation" to remote, back-office research (and then maybe outsource it to the lowest bidder?). So, they want everything available electronically -- and what better source than the phone everyone carries with them?

If terrorism is becoming more of a real threat (it was great while it was just a justification for repressive actions -- such as raising the "threat level" just before important parliamentary votes!) then it is going to be really hard to keep cutting police jobs. That is what is motivating these outbursts.

What we need is proper funding of the police, combined with good management that will prioritise putting actual officers on the street for important investigations (including a reasonable number of small investigations such as burglary). Get rid of the culture of cutting police numbers, fund the police appropriately, and appoint good managers as senior policemen.

3
0
Graham Cobb

Re: Is a compromise possible?

Alternatively, you could set up a second encryption gate where the fuzz have the other key, but the interface to this second gate is only accessible physically.

But which fuzz? If I am a UK citizen, in the UK, I am subject to UK laws. Why should US or Chinese or Saudi Arabian or Indian or Russian fuzz be able to access my data (particularly if it is important to the economic wellbeing or security of the UK)? It isn't possible to have a system where law enforcement access can be permitted for some countries and not others. It is either physically possible to legally compel access or it isn't -- and not all legal systems are, in reality, equal.

If no compromise is found, the powers that will be will just stomp all over device-end encryption with their jack-boots to the point where even owning a device capable of running an app on it that performs that function could become a crime.

No, they won't. Major IT countries (including the US and Western Europe) won't because (as described in the article) it will sign the death warrants for their economically important major IT companies (users will go elsewhere). Other countries, with a less developed IT industry, may try it but they will find massive bypassing of the rules.

10
0

Yes, GCHQ is hiring 1,900 staffers. It's not a snap decision

Graham Cobb

Re: Values? Country?

Freedom, liberty, individual rights, individual responsibility, democracy, the rule of law.

It used to be. When I was a small child we lived in East Anglia, with many USAF and RAF bases around. I had worked out that we must be targets for Russian nukes. This worried me a lot -- I even used to draw up designs for a nuclear shelter we could build in our garden. The reaction of my parents wasn't to tell me not to worry: it was to tell me why we were standing up against the Communists. It was because you couldn't walk outside in those countries without papers and you could be stopped by the police for no reason.

I don't think many people think we stand for those values any more.

35
3

UK's super-cyber-snoop shopping list: Internet data, bulk spying, covert equipment tapping

Graham Cobb

Re: Security Theatre and/or Snooping

In the end, all it will do is weaken the security of the normal person. The real targets will still encrypt in such a way as to deny the police/security services access.

And the first sentence will make the second MUCH, MUCH easier!

Because of the "war on ordinary plebs" nature of this bill, there will be a much larger market for easy-to-use real security. Many ordinary people will be looking for a way to be secure. And those products will then be much more common and much more used by the "real targets".

If terrorists (etc) are the real targets of this bill, it would be MUCH better to reduce mass surveillance to the extent that ordinary people do not feel any need to protect their day-to-day activities. It would not weaken the surveillance of targets but it would increase their complacency and the likelihood that some of them (particularly the new, inexperienced or those on the fringes of the cell) would not bother with real encryption.

But that would only be the case if they were the real targets. They are obviously not. The real targets are normal people, protesters, campaigners, activists, journalists, whistle-blowers, etc. And providing a way to further cut police numbers and costs by replacing real police work with computerised fishing expeditions.

10
0

In-a-spin Home Sec: 'We won't be rifling through people's web history'

Graham Cobb

Bitmessage

Well, at least this means that Bitmessage will get some of the TLC it needs. Plenty of UK-based coders will become interested in helping improve and test it.

0
0

Hi, um, hello, US tech giants. Mind, um, mind adding backdoors to that crypto? – UK govt

Graham Cobb

Re: Are they that stupid, or who are they really after ?

I think the real main driver is that this is a way to reduce the cost of policing -- in order to make more cuts. I think it is driven entirely by the same thinking as the tax credits cuts, not by any goals about security.

Being able to read all (ordinary people's and small-time crooks') messages obviously makes policing much easier (and remotable -- no need for anyone to knock on doors and talk to people). Making policing easier obviously saves money, but at the cost of moving us significantly towards a police state. Having police capabilities and resources limited, and prioritised to serious crime, is crucial to the underlying social contract that means the public generally approve of and support the police. Giving the police completely new powers like this breaks that social contract and risks a serious backlash against the police.

3
0
Graham Cobb

Bitmessage

Programs like Bitmessage already exist. It is open, distributed, non-commercial. There are no key managers to put any pressure on. All communications are encrypted with keys known only to the two endpoints. Even traffic analysis is pretty hard, and message contents appear to be secure.

Bitmessage may or may not be any good. It appears to be secure, but has never really been seriously reviewed or tested. But even if it isn't, someone else can, and will, create something better.

This is security theatre at its worst. This will have NO effect on the serious criminals being used to justify it. All it would do is make it easy to monitor ordinary people, and small-time crooks.

Personally, I have become convinced that all the Investigatory Powers Bill is really about is reducing the cost of routine police investigations so that the government can cut the police even more heavily.

4
0

KeePass looter: Password plunderer rinses pwned sysadmins

Graham Cobb

Still better than a password-protected MS Office document!

This is a good wake-up call to those of us who use password managers. The password manager is only as secure as the system it runs on.

So, when deciding whether to use a web-based or local password manager you have to assess whether your machine or the web company is more likely to be compromised. It is a hard call: the web company has a lot more resources available to protect things, but is a MUCH more valuable target so is under lots of threats; I am careful on my machines but some of them are likely to have significant zero-day vulnerabilities (such as phones).

It is certainly a reminder to make sure you separate information into separate databases as much as possible, possibly on different systems/services. Certainly keep really critical passwords (personal bank account, maybe domain administrator account) either in your head or, at least, in small databases, so it is less likely you have opened them before you discover the machine/service has been compromised.

0
0
