Feeds

* Posts by Graham Cobb

121 posts • joined 13 May 2009

Page:

GP records soon wide open again: Just walk into a ‘safe haven’

Graham Cobb

Re: Care.data opy out

Personally (others may differ), the issue is less about who has the data than what they are allowed to use it for. I don't care about the NHS (or even associated companies) using my data for caring for me, for planning and monitoring its own operations, for research into providing better care, etc. I don't even mind commercial companies using the data for research into new drugs/treaments or even for insurance companies to better plan their costs and become more profitable.

What I care about is that there has to be a legal requirement, with very strong penalties (fines of about 1% of global revenues and/or criminal prosecution of individuals, financial compensation to all individuals involved of several times any extra costs they incurred due to the offence) that the data cannot be used to discriminate between individuals, families, geographic areas. genetic makeup, etc in the provison or cost of products or services (such as insurance), nor for any purpose to do with marketing (such as targetting a person or ethnic group). The same thing goes for other data they may be able to find out (such as the rugby team membership an earlier commentator pointed out).

The purpose of both health insurance, and a national health service, is that the service is available to everyone, equally. Costs are shared, between the healthy and the sick, the old and the young, etc.

Ewan Robson's post talks about legal protections under the DPA, but it is not clear and unambiguous that all the things I mention above are prohibited. Also fines are extermely limited (the limits are small and in reality fines are usually non-existant), especially for a global drug company or insurer. If there is such protection, then I suggest they shout it from the rooftops before restarting this process. If not, abandon it.

1
0

Don't bother telling people if you lose their data, say Euro bods

Graham Cobb

Re: as long as

Sorry, Bronek, I think you are wrong. Whether "heavily encrypted data" is useless depends a lot on what other information the attacker has. In particular, if the attacker knows some of the plaintext then they may be able to break the encryption much more easily.

For example, a password database might be very securely encrypted. But if the attacker knows (or guesses, and can verify) some usernames and passwords that might lead to easier decryption of the whole thing. And inside information could also be very useful even if the keys themselves are not available.

In other words, the problem is not about how well encrypted the data is, it is about the whole circumstances of the breach. Most of that is not known (and certainly should not be evaluated by the company losing the data). The only reasonable behaviour is to notify everyone involved on every loss of personal data, no matter how well the data is encrypted.

0
0

Windows 10: Forget Cloudobile, put Security and Privacy First

Graham Cobb

If I have paid for the software, Microsoft should not collect any data at all

Basic things like "what programs are installed" and "what is the hardware configuration of your PC" are generally collected as part of operating system updates and/or automated troubleshooting systems because they provide clear technical benefits in solving technical issues. It would be pretty insane to say "don't collect this info, because NSA".

We will have to agree to differ. There is absolutely no excuse for sending any information about my computer, what I have installed on it, how often I use it, or what I use it for unless I have asked for help and explicitly understand that this information is needed (in which case I will carefully consider who I ask, like I would carefully consider who I take my PC to for servicing).

In this case, it isn't the NSA I am worried about -- why should Microsoft know? I don't tell Google what software I have installed, I don't tell Amazon where else I shop or what I buy there, I don't tell my car insurance company who I choose to use for home insurance or how many bedrooms it has. Why on earth would I provide any personal information to Microsoft just because I buy their product? This isn't Facebook offering me something for "free" in exchange for personal information.

0
0

Kill off SSL 3.0 NOW: HTTPS savaged by vicious POODLE

Graham Cobb

Bad news for iPad

My (work supplied) iPad2 running iOS 7.1.1 is vulnerable (according to poodletest.com). I can't upgrade to iOS 8 (not only would I need to check all my demos still worked, general opinion seems to be that upgrading an iPad2 is not advisable) but presumably any fix will only be issued for iOS 8.

Must remember not to use it to access any important personal stuff (not just banking, but things like airline check-in).

Hmm, that raises an interesting question... will apps (like the BA app) inherit any fixes that may be supplied for iOS or Android or do the apps themselves need to be updated?

2
0

Get NAS-ty: Reg puts claws to eight four-bay data dumpsters

Graham Cobb

Open software on these boxes?

There have been many comments talking about building your own box and running your own software (from Windows, through special NAS distributions to generic linux). Very useful, thank you.

But what about running your own software (I would want a Linux variant) on any of these boxes? I can't help thinking that the hardware is probably chosen well for the NAS job, and I particularly want to reduce power consumption (my current file server is my previous desktop which pumps out a lot of heat -- I don't need graphics, or probably even the powerful CPU/memory it has). But I am not interested in their software -- I need to be able to run a modern Linux.

Can any of these boxes have the installed software replaced by open software? Is there a community around them which does that? I realise it will be more expensive than DIY but, given my background, I will find it easier just installing/using software.

0
0

Britain’s snooping powers are 'too weak', says NCA chief

Graham Cobb

Bristow is very dangerous

Bristow is clever and comes over as very reasonable. He is also very wrong. We need to be very firm and public about not letting him get away with assertions about losing capability.

As I mentioned last time he spoke, he is claiming he needs the power to put an electronic police tail on EVERY person, all the time, in advance, just in case someone does something bad. Collecting Communication Data is exactly the same as placing a police tail on you: the tail can't hear what you are saying but they track exactly where you go, who else is nearby, who you talk to (and for how long), what posters you stop and read, what shops and other building you go into. If the Snooper's Charter was in effect, the tail can follow you into the buildings and video everything you do there.

This is not some power they used to have which they lost due to modern technology. Previously they might have been able to put a tail on one or two people per county at any one time. So, they had to make actual decisions, allocate actual resources, get actual permission to do it.

Why does anyone let him get away with the claim that this is about "losing capability and coverage"? It is a complete transformation into a police state!

1
0

Adobe spies on reading habits over unencrypted web because your 'privacy is important'

Graham Cobb

So, I must be able to strip their DRM

I am planning to use this spyware as the basis of a complaint to the Secretary of State requesting that he gives permission for stripping Adobe DRM.

Clearly this is unacceptable behaviour by ADE, and ADE is the only (legal) way to read books I have purchased which are infected with Adobe DRM. There is nothing in the purchasing of the books which involves me agreeing to spyware. Also, it is well known that there is software easily available to remove Adobe DRM. So, the SoS clearly must give permission for that software to be used so that people can safely exercise their rights to read the books they have purchased.

This is exactly the sort of case of unacceptable TPMs for which the law gives the SoS the ability to grant permission to circumvent a particular TPM.

1
0

Linux systemd dev says open source is 'SICK', kernel community 'awful'

Graham Cobb

Re: Unpaid volunteers in a lot of cases @AC

Peter G is right that systemd is about weighing the advantages of the capabilities it provides vs the disadvantages of its deisgn and implementation. Debian struggled with this, with a public and acrimonious debate, and decided to go with systemd. Not because it was well liked but because it was useful.

There is no realistic prospect of anyone else implementing a (FOSS) alternative to systemd that is as useful. Not while the systemd team continues to exist. So, individuals may decide that they don't want to take on board the horrible design decisions made, but the large distributions are moving to it. Personally, I don't like it but I agree that it is the only viable option.

0
1

Marriott fined $600k for deliberate JAMMING of guests' Wi-Fi hotspots

Graham Cobb

Re: Ker-plunk

You are not alone.

Sony is not only on a last-resort list: they are on my never do business with them again list, for the same reason. I have not bought anything from any part of the Sony organisation since the rootkit.

HP are also on the same list, for their DMCA abuse (also over 10 years ago). The list is absolute for my personal purchases but I also do my best not to do business with HP in my professional life as well, as long as I am not damaging the interests of my employer, of course.

0
0

Business expects data retention will hit their bottom lines: survey

Graham Cobb

Depressing Oz data protection stat

The respondents were much more receptive to the idea of mandatory data breach reporting, with 89 per cent in favour of such a regime

That is very depressing. Not because I don't support mandatory breach reporting -- I do, very much. But because if 89% of businesses support it that means that they think it is something that will hurt their competitors and not them. Which means they don't understand anything about protecting their data. There is no way 89% of Oz businesses have even adequate data protection, let alone excellent protection.

And while management don't understand that they are massively at risk, they won't invest.

Still, maybe the first few mandatory breach reports will help them understand.

0
0

Hackers' Paradise: The rise of soft options and the demise of hard choices

Graham Cobb

PCs are not the battleground any more

Unfortunately this piece misses the point. PCs are not the important concern any more. It isn't even tablets and phones. The area to be concerned about is the Internet of Things.

The first reason is scale. PC's are well below one per person. Phones come in at around 1 per person. IoT devices will be tens per person or more. If you are worried about "Unfortunately, it seems that it is only after such an event that something gets done" then it is these devices which will have the most opportunity to cause chaos.

The second reason is that many (not all, of course) IoT devices are going to be in either safety-critical or, at least, seriously-inconveniece-causing environments. They may be controlling important household functions (locks, heating, lighting). More importantly, they will be working in offices, factories, railway stations, etc. Putting threatening messages up on the departure boards at Waterloo station in the rush hour may cause more loss of life than causing a car to crash.

The third, and most important, reason is that these devices need to be cheap. Really cheap. Designed and built down to a cost. And those which are not truly safety-critical (nuclear power station controllers) will not be regulated at all. Their hardware may be simple, their RTOS may not be designed for security, their interfaces will be wide open to simplify (make cheaper) integration, and their software will probably be crap -- more concerned about whether it is selecting and displaying ads correctly than whether it is functioning.

We already see serious security issues in SCADA controllers. We already see serious issues in vehicle engine management systems. Both those might get targetted by regulators. But will non-safety-critical IoT devices ever be safe to use?

0
0

Three floats Jolla in Hong Kong: Says Sailfish is '3rd option'

Graham Cobb

Re: Maturity is beginning to appear

I have a Jolla with a physical keyboard Other Half, which I use as my daily phone. A bit bulky but nice to have.

Unfortunately the keyboard was a limited run project by a community developer and hasn't been taken up by Jolla.

0
0

HTTP-Yes! Google boosts SSL-encrypted sites in search results

Graham Cobb

Re: Silly question

No, it isn't necessary to use SSL on sites which do not have logins. But it is the friendly thing to do. Part of the point is not just to protect your traffic, but to move to having most Internet traffic routinely encrypted to make the job of hoovering up all data by tapping backbone links harder. It also reduces the chance for the spooks to say "ah, his data is encrypted -- he must be a terrorist".

And, it makes it safer when you later decide to add a hidden page to Foofie's web site to make the Anarchist's Cookbook available -- no one can watch your traffic to see whether people are reading the poodle's page or the secret page.

3
0

UK.gov eyes up virtual currencies, fingers red tape dispenser

Graham Cobb

Re: The problems with bitcoin, as seen by governments

Sorry, Martijn Otto, you are fantasising. I am a strong proponent of privacy (see my other posts) and I am a strong supporter of both cash and bitcoin, but I am realistic about bitcoin.

1. The government most certainly can regulate it. As you said, they can regulate exchange. They can also require people to declare bitcoin usage -- and most legitimate users will comply. Bitcoin is much more traceable than cash (although it is easier to anoymise than other financial networks). Money laundering is a serious concern for governments and if large amounts of money are laundered through bitcoin, governments will get very heavy handed with it. You certainly can block a bitcoin transaction: put the participants in jail.

2. Financial institutions have plenty of opportunity to make money from bitcoin. Do you think that the needs for loans and savings accounts go away with bitcoin? Do you think that bitcoin credit cards will have transaction fees any lower than todays credit cards? Banks make a lot of money helping people and businesses handle cash today and they will make just as much money from bitcoin. The only people who could be disintermediated by bitcoin are money transfer networks: but they will find plenty of value to add in making transactions easy, handling taxation and reporting, providing escrow and insurance, etc.

3. You certainly can seize bitcoin. Most user's bitcoins are held in third party wallets, which are easy to seize. Even if they aren't, it is easy enough to order the holder to transfer the bitcoin to a government-controlled wallet.

Bitcoin is certainly very useful, but it doesn't undermine either governments or financial institutions!

5
0

UK.gov wants public sector to rip up data protection law

Graham Cobb

Surprisingly honest document

According to the article, the cabinet document says "Removing barriers to sharing or linking datasets can help Government to design and implement evidence-based policy – for example to tackle social mobility, assist economic growth and prevent crime".

Those seem like reasonable goals. However, the document then moves on to talk about the real goals... "checking if bus pass claimants are still alive, tackling illegal immigration or sharing information about teenagers involved in gangs". None of those are reasons to ask everyone in the country to sacrifice the right to privacy. None of those are at levels where they are causing the country serious problems, and there appears to be no evidence that they would be reduced by data sharing.

So much for "evidence-based policy".

10
0
Graham Cobb

Re: Not Good

I'm very sorry to hear about your friend's serious assault. However, why should social workers be treated specially? It could have been the milkman, or a neighbour, who was beaten up.

If a violent criminal is living there, and is likely to assault people, that is a matter for the police to deal with. Unfortunately, some people commit violent acts -- taking away everyone else's human rights is not the solution to that. Of course, we could virtually prevent that sort of thing by keeping everyone locked up under house arrest all the time, but we wouldn't have a functioning society if we did that. The same would be true if every local government official had access to everyone's criminal, health, social care and tax records!

16
1

Plug and PREY: Hackers reprogram USB drives to silently infect PCs

Graham Cobb

Re: Where's my Windows update to fix this?

It's a bit harder than it might appear. Adding and removing keyboards to laptops is very common in a corporate environment -- I am always plugging and unplugging keyboards as I move my laptop between desk, conference rooms, carrying it over to someone else's desk to show them something, etc. Several times each day (particularly now that we work in a full hot-desk, open plan environment where you can't even have a phone call without disturbing people so have to go a "phone booth" room each time you get a call). And I typically have the laptop closed while I am doing it and I wouldn't want to open it just to acknowledge a pop-up (and presumably acknowledging it from the new keyboard would defeat the point).

I think there may be more success for a popup if the keyboard seems to be combined with another function -- although plugging in hubs with keyboard, mouse, external disk pre-connected is also common so that has to still be allowed.

I certainly hope Microsoft are working on a way to counter this, but it is not as easy as it may seem.

0
0
Graham Cobb

Re: I call semi-bollocks

I think you are missing the point. As an earlier commentator said, what this does is turn today's USB sticks into the equivalent of the old infected floppy.

In the business world today, USB sticks are routinely exchanged between people (in the same company, or between companies). When I meet a customer, it is very common that we will exchange documents on a USB stick (they may want a copy of the presentation I have just given, or I may want a copy of the RFP that his purchasing dept will send me in a few days time). If the customer's PC has been infected, this attack allows them to infect my PC as well, even if I use my own USB stick and without actually opening any documents from the stick.

As for those who mention non-Admin accounts, VMs, or keeping assets separate: I am talking about the business environment. That is completely geared up for doing business -- not for security. I have been in sales/marketing for many years now and have NEVER worked for a company (big or small) where my normal work account on my laptop does not have local admin rights -- locking down the PCs, particularly for home and travelling users, is just too hard (i.e. expensive in support resources and expensive in lost time for the user). Despite best intentions, the company ALWAYS ends up making the tradeoff that all field people accounts have admin access on their own laptop.

That may or may not be a good idea, but it is the way of the world. This attack is very serious in the world of business users in the field.

5
1

Adam Afriyie MP: Smart meters are NOT so smart

Graham Cobb

Re: Which devices are using resources?

@Ledswinger

I note your claims that the industry didn't ask for this, but I find that hard to believe. Of course, I don't think they asked for it to make life easier for consumers, or to help them save money. What the industry wants is remote control. That is the single biggest benefit to the suppliers.

There is no need for smart meters to include remote control: it increases cost, decreases reliability of the meter and massively decreases the reliability of the electrical supply when billing and admin mistakes are included. When I last switched suppliers, the new supplier forgot to take the direct debit and also forgot to send me any bills or even any letters saying I owed them any money. The first I heard of the problem was a phone call at 7AM from a debt collector accusing me of owing money! The supplier accepted full responsibility for their mistake, and paid me compensation for my trouble. But if I had had a smart meter, the first I would have heard was a power cut of, presumably, several days duration as I arranged for them to use the direct debit thay had on file.

I replied to the government consultation saying that the "remote control" feature should be able to be overriden with a physical (purely mechanical) bypass by the consumer, unless they were on a pre-payment tariff, and that under no circumstances should the supplier be able to cut anyone off without sending someone on-site (as well as all the other protections required today). The supplier could offer me cheaper tariffs if I was willing to leave the remote control available, but I would always have the choice of bypassing the remote control (possibly automatically switching to a higher tariff).

I live in a rural area and my electricity supply is unreliable enough already without introducing additional points of failure (physical and administrative).

2
0

Feel free to BONK on the TUBE, says Transport for London

Graham Cobb

Unregistered Oyster

Only two posts here about privacy? And both with 0 upvotes and one downvote (they both have one upvote now)?

I do not work in London but go there occasionally. I have an anonymous (unregistered) Oyster card. I top up with cash and, if I could be bothered, I could swap unregistered Oyster cards regularly with my friends.

There is no way I am ever going to pay for travel around London with a traceable instrument like a credit or debit card. Freedom to travel is a right, and it must be available anonymously in order to protect the basic human rights of freedom of expression, freedom of peaceful assembly and right to privacy.

I would object very strongly if anonymous travel cost more money than tracked travel -- that is why Oyster provides anonymous cards. Does anyone know how many unregistered cards are in use?

0
1

ICO: It's up to Google the 'POLLUTER' to tidy up 'right to be forgotten' search links

Graham Cobb

Re: No re-writing history?

@cored

It's not insane -- although it can be very confusing if you don't think in the way that data controllers (under EU legislation) are supposd to think.

1. Facts are facts. In general, you won't get a fact removed from somewhere like a newspaper (if it is true). There is no right to be forgotten.

However, Google is not a data store (as you point out). Google is processing data to provide a service: you type in a search term and Google collects information about that subject and tells you. That is where the legislation kicks in. If the data relates to a person, there are laws about processing it. They certainly aren't perfect but they protect us every day from people abusing information about us.

Amongst those laws are implictions on using data processing to create a profile of someone. As search engines were not envisaged in the laws, it has taken legal arguments to decide what the restrictions are on a profile created by searching the web (and it is perfectly reasonable to believe the decision is wrong -- but it has been made). The decision is that it is similar to other commercial companies which create profiles, like credit reference agencies. They are not allowed to include irrelevant or obsolete data, except in cases where dropping that data would be against the public interest (for example, someone standing for parliament is not likely to be able to get data about criminal offences dropped, even though the offences have expired -- they may be able to get them removed once they stop being a politician, however).

2. Your point only matters for well known people, where it is more likely that there is a public interest argument for retaining the data anyway.

3. Yes, old data can be useful. Lots of things could be useful which are not allowed. In the case of data about people, data protection overrides utility. Get over it.

4. Yes they are. Once Google stop moaning, they will put in place a process, using advice from data protection experts. A few more cases may go to court to get some grey areas sorted out. Then the process will just work.

This issue isn't publishing data, it is processing the published data and creating profiles of people. Google searches do it automatically. What I don't know is whether the same rules would apply to manual data processing. For example, if you were to look at all my postings on El Reg, gather some personal data from those (maybe I have said where I live or how old I am or something), create a Wikipedia page for me and publish that information, would I have the right to get old or irrelevant data permanently removed from that page? I don't know.

2
5
Graham Cobb

Re: Yes, there are several years of case law.

Yes, that is exactly what they will do. Just like every other business who handles personal data has to.

2
4
Graham Cobb

Re: I can see why Google should pay

Robert & Donn, you may not agree with laws about censorship and about having to remove factually correct information from dossiers, but that is the law in the EU. I realise it is not the US way, but in the EU personal data is strictly regulated and being "fair" to people trumps freedom of speech -- not the other way around. For example, it is a true fact that a person who lived previously in my house went bankrupt. However, as that person is in no way related to me, credit reference agencies are not permitted to record that information, even though it is true, as that might adversely affect my credit score.

If that information was on the internet, and someone did a Google search of my name and used that information when making a decision to give me credit, shouldn't I be able to prevent Google making that visible? If not, wouldn't that allow Google to compete unfairly against regulated credit agencies?

Today, the credit reference agencies know the rules and apply them: they make the decision, not a court, unless you disagree and sue them. Google will need to set up a similar process -- after a few borderline cases are decided by the courts, it will all settle down.

3
1
Graham Cobb

I can see why Google should pay

There are businesses in the EU who create or hold information dossiers on people (credit reference agencies, headhunters, etc). Those businesses are subject to strict laws about personal data processing (including rights to have old or incorrect information removed from the dossier), which create non-trivial costs for them.

The decision seems to be based on the interpretation that a Google search of a name creates, in real-time, a similar sort of dossier on a person. You can argue whether that is a sensible interpretation, but I do have some sympathy with it: I can see a future (with some smarter Google algoritms) where a Google search could replace a credit reference check.

If that interpretation is valid, then clearly Google need to be subject to the same data protection laws and processes that the other dossier-makers are subject to. Including the right to have false or old information left out of the dossier. And they should clearly have to bear the cost of that, just like the credit reference companies do. Just because their process constructs the dossiers in real-time instead of cumulatively over the years, doesn't change the rights of the subject of the dossier.

2
9

NEW, SINISTER web tracking tech fingerprints your computer by making it draw

Graham Cobb

Surely this is illegal under Computer Abuse and Data Protection laws?

If I have set Do Not Track, and I disable or regularly delete Cookies then I am making an unambiguous statement that I do not permit tracking. Any company trying to workround that (whether using canvas, or flash cookies, or anything else) is then abusing their access to my computer. I have not given permission for that. The deliberate action is illegal, whatever the technology. They are, of course, welcome to deny me access to their website if they wish -- but they are not permitted to hack me.

Many companies claim that creating URLs which are not published links and which leak information is illegal hacking of their website by users. If that is the case, then mis-using browser features to track me when I have explicitly refused permission is also illegal hacking.

Why haven't the data protection authorities made a clear statement that any sort of web tracking not based on cookies is illegal and that companies will be prosecuted under data protection laws.

1
0

Remember when Google+ outed everyone by their real names? Now Google's sorry

Graham Cobb
FAIL

Doesn't seem to work

I just tried creating an account. It still says "Are you sure you entered your name correctly?".

It also still wants a date of birth, and a gender. Neither of which am I willing to supply to any sort of social networking.

1
0

UK's emergency data slurp: IT giants panicked over 'legal uncertainty'

Graham Cobb

Re: try thinking ahead, assholes

In my view, data retention is the modern equivalent of putting a tail on someone: the tail can't hear what you say but they record everywhere you go, how long you spend there, who you talk to, which shop windows you look in, which buildings you enter. 64 million police tails. 24 hours a day.

One newspaper report said MI5 are expecting 500 returning jihadists from Syria. 500. Apparently that makes it proportional to tail 64 million people, 24 hours a day, because of 500 potential terrorists. Even if all of them managed to radicalise 100 other people, those 50,000 would be less than 0.1% of the population.

There is no way that jihadists (or even all terrorists) can be any sort of justification for blanket data retention.

Of course, the spooks and police know this. So what is the real reason? Apparently 10% of the population (6.5M) are trade union members -- maybe it is them who the government really want to track?

2
0

Super-snoop bid: UK government hits panic button on EU data retention ruling

Graham Cobb

Police state

May is hopeless -- and her merging of snoops and police access doesn't help her or anyone else wanting a sensible debate on this subject.

NCA's Bristow, on the other hand, is much more concerning. He seems to be a sensible man, and the arguments in his speech are well made and effective.

Those of us who disagree with him need to be equally good in our arguing against his vision of a police state. In my view, the public don't understand what using Communication Data means. Collecting Communication Data is exactly the same as placing a police tail on you: the tail can't hear what you are saying but they track exactly where you go, who else is nearby, who you talk to (and for how long), what posters you stop and read, what shops and other building you go into. If the Snooper's Charter was in effect, the tail can follow you into the buildings and video everything you do there.

Unlike a real police tail, this is not reserved for criminals or even suspects. The tail is put on EVERYONE. Even children. 24 hours a day. At home, work, out and about. Just in case you turn out later to have been a paedophile.

Having a permanent tail on everyone seems like the clearest example of a police state that I have seen.

I, for one, am very willing to sacrifice some protection to avoid living in that police state.

30
0

Vodafone: SPOOKS are plugged DIRECTLY into our network

Graham Cobb

@AC -- you are quite right about people not understanding why freedom from surveillance is critical. My "road to Damascus" monent came when looking around the Stasi museum in Leipzig and realising just how close the Stasi came to being able to stop the "Monday demonstrations" (which led to the fall of the Berlin wall, https://en.wikipedia.org/wiki/Monday_demonstrations_in_East_Germany) due to their mass surveillance -- and they were using manual processes not computerised processing and tracking. The people at those demonstrations were not rebels or activists -- they were ordinary people who's emails "no one would be interested in".

Imagine if a small party (like UKIP, or the Greens -- whichever is your particular demon) was able to hold the balance of power after the next election, formed a coalition, acquired a strong, charismatic leader and started forcing through policies "for the country's good". All very sensible, honest and decent, no doubt. But isn't there a risk that real debate and substantial protest would not be allowed once they had got the national security apparatus to believe they were doing the right thing for the country?

5
1
Graham Cobb

Re: Err...

I suspect this really means, "If we receive a demand we can issue a quote and make sure we get paid for granting access"

That is a start. After all, the closest thing to democratic oversight of security agencies is budget control. Making sure that excessive surveillance costs considerable money would help to limit it.

5
1

REVEALED: GCHQ's BEYOND TOP SECRET Middle Eastern INTERNET SPY BASE

Graham Cobb

Re: Said it before

Just exactly what do you expect out intelligence services to do? How do you expect them to do it?

I expect them to stop mass and untargetted surveillance. Surveillance within the UK should require a warrant, issued by a court not a politician, and be limited to a named target person. Surveillance of our allies should be exceptional -- it should require authorisation from the Prime Minister (who would bear responsibility for authorising it when it eventually came out, as all secrets do). Surveillance of non-allies would be more routine and would not require warrants but it should still be limited and focused on specific targets or purposes: there should be a robust and effective programme for making sure that non-relevant data is destroyed, not archived and certainly not shared with others (so that, for example, the CIA cannot use this to get round their own government's restrictions). All of the above policies should be publically debated and published, with oversight from parliament.

Unfortunately, it is unlikely we can directly enforce these restrictions. They should be in place, with very visible punishments for senior management when they are inevitably ignored (on the basis that whistleblowers will expose some proportion of abuse). However, the only real lever we, the people through parliament, have is money: GCHQ and MI5/6 budgets need to be cut substantially as a public response to the Snowden revelations, and there needs to be continuous effective oversight of their budgets. BT & Vodafone will not work for free, and other MoD agencies will be unkeen on hiding spy budgets within their budgets, so there is an opportunity to limit their activities at least in some way through money.

The budget, and the activities, of the intelligence services should be proportionate to the real threat and very focused on the most critical threats to public safety. It certainly doesn't include "serious financial fraud"!

4
2
Graham Cobb

Re: TRAITORS

Do you seriously think that anyone at GCHQ has the time, or interest, to look into the average El Reg commentard's extra-martial philanderings?

Are you being deliberately difficult or do you really not realise what the issue is with allowing untargetted data collection?

Of course GCHQ is not intereted in your, or my, email or our personal failings. Not unless we become a "person of interest". For example, write an exposé article for El Reg, or get our MP to ask an embarassing question, or investigate corruption, or campaign for or against abortion, or animal rights, or organise a national strike. At that point, it would be very convenient for the government if they could look back at everything we (and our friends and family) ever did or wrote and try to find some way to discredit us.

I am not worried for myself, I am worried for investigative journalists, campaigning lawyers, radical politicians, or anyone else who should be being given the full protection of the law but instead are being shafted by it. Government ministers are the last people who should be able to authorise wide surveillance powers -- that should be an emergency power, only used in time of overwhelming national need, authorised by parliament and made in public.

2
1

For your next privacy panic, look no further than vending machines

Graham Cobb

Re: Of all the privacy violations to worry about

I was talking to someone at a conference the other day who is selling facial recognition (and other things like gait recognition for when it can't get a clear view of your face) to supermarkets to add to the ubiqitious cameras they have in the shops and feed information into their already massive big data business intelligence systems. The supermarkets plan to not only link it to their loyalty card databases but also track you as you walk around the shop to see what route you take, which displays you stop at, etc. And not just statistically -- you.

This isn't the future -- the cameras are here now, the recognition software is here now, and the SI companies are looking forward to big contracts connecting it all together.

1
0

Kid crims don't need to skim: Paywave cards lead fraud rise

Graham Cobb

Re: Wavey-wavey cards lead to fraud?

Haven't you missed the point -- or am I confused? [Or maybe both]

What the policeman seems to be saying is that the fraud amounts may be tiny in financial terms, and well within the budget the banks have planned, but that it is causing an increase in very visible crimes (burglary, mugging, etc), particularly among children. I can certainly imagine that if kids have worked out that they can often use these cards for small purchases (say £10), then they may have become very popular, even though the banks are also perfectly happy to cover their customer's losses because it is only a very small total amount of fraud.

That seems to be an unexpected impact on society that could be quite important.

0
0

Still using e-mail? Marketers say you're part of DARK SOCIAL

Graham Cobb

Re: How much would you pay to Like my stuff?

If Google just punted total bollocks stats to all their customers, how many would actually notice?

My company tracks how many visitors come from various Google adwords, so we would notice. As far as I know, we have no idea how many ads are served (if we are told that we don't use the information) but we do look at how many visits happen, month-by-month (and sometimes, for specific campaigns, day-by-day). We then decide if what we are being charged is worth continuing with (and, by the way, it generally is -- when compared with other methods of getting visitors such as email marketing or newsletter advertising).

0
0
Graham Cobb

Re: Telephone Tracking

Ken, despite your scepticism, this is indeed a real technique.

In my experience it is not used for the big phone number that appears at the top of the page (and which you might remember or write down and call later) but for specific applications. It is routinely used for "click-to-call", where you click on a button and your phone dials a number -- in that case the number can be allocated knowing that the call is happening immediately.

It is also used for some other cases where numbers are likely to be either called soon or not at all -- things like customer service. The re-use times are measured in minutes, and a pool of 1000 numbers are likely to be plenty.

In all cases, the caller is queried to make sure the details automatically appearing on the agent's screen along with the call are correct -- so it isn't the end of the world if the matching doesn't work properly sometimes.

0
0

It's Google's NO-WHEEL car. OMG... there aren't any BRAKES

Graham Cobb

Re: I don't want one

@imanidiot: THAT is why they need to change the word. Of course you don't want to give up your car. I am not sure I do either. But there are so many benefits to society that governments will make it MUCH more favourable for you to use your "pod" for more and more things (commuting, going on holiday, ...) that eventually you will find you haven't driven your real car for three months. At that point you might decide you don't need your car any more.

But to get that point, they need to first sell you a "pod" as a supplement to your car, not as a replacement. Maybe first of all for commuting, where a 25MPH speed limit is fine because most of the commute is spent in traffic jams, and so you aren't worried about safety because the speeds are low, and it is great to be able to drink a cup of coffee and look at the sports pages on the way into work.

1
0
Graham Cobb

Stop calling them "cars"

What we need is to stop calling these "cars". The future is clearly driverless cars -- we all want all the benefits of personal, door-to-door transport, without the hassle and danger (and inefficiency) of human drivers.

But, to be successful, the industry has to stop calling them "cars". We all have to stop thinking about them as cars -- they are just more sophisticated versions of the people movers at airports.

People don't want someone telling them "you can't drive your car any more". And legislators need to make different laws for these new things -- you can't ask a person to take any responsibility if they have no controls, nor if they are not actively involved second-by-second -- anyone would lose concentration after a few minutes.

Keep cars as what they are now and give these new, driverless things a new name -- for example "pod". Eventually people will stop bothering with cars, governments will make cars less and less attractive (pods won't need personal insurance, only pods will be able to use motorways, go into central London, use bus lanes, ...).

Oh, and we need to get someone to take over from Google. I am looking forward to not having to drive, but I will pay extra not to need to tell any commercial company where I am going.

5
0

Son of ACTA pours fuel on IP trade fire

Graham Cobb

Policy laundering

"On investor-state dispute provisions, it states that countries can still pass their own legislation: “at most, it can lead to compensation being paid”"

No, at worst it can lead to policy laundering and disenfanchisement. Policy laundering (of policies the government want to enact but which will be unpopular) used to be done through the EU ("Oh look: the EU have required that we make interfering with DRM illegal. What a shame. Oh well, I suppose we had better get on with it"). But nowadays, blaming the EU is off the table: it creates votes for UKIP. So, having an "important trade treaty" that means that some wet-dream policy has to be implemented "because otherwise we can be sued by major multinationals" is ideal.

Unfortunately, every government (of every country, and of every political persuasion) benefits from having someone else to be able to blame for unpopular policies so that is how these things get agreed.

0
0

You know all those resources we're about to run out of? No, we aren't

Graham Cobb

Re: Ahem.

Sorry, Earl, I didn't make myself clear. I am not interested in "discussing the controversy" -- as you say, that is the opposite of science, used only by the most disreputable.

I am, however, interested in articles which are not just polemic (interesting, informative but polemic), but ones where I can have some way to make a judgement on the validity of the claims: the BBC certainly do make mistakes in science journalism but you have to have your supporting evidence clear if you are going to make that claim. In the academic world this is usually by citing references, pointing to supporting material. However, in the popular world it is normally by a trusted, independent journalist explaining whether there is any serious disagreement, if so by whom, what credentials and evidence the disagreeing parties have, etc.

Tim's article was educational and interesting. However, for a reader with no experience in this area, it gave no information as to where his claims lie on the continuum between "bleeding obvious to everyone" to "credited only by the tinfoil hat brigade". It was an opinion piece. I would like an analysis piece as well.

7
0
Graham Cobb

Re: Ahem.

Tim, It is a good, informative and interesting article. Definitely good science journalism. Thank you.

But that is only half of the picture. It isn't an investigative or independent review article. And I wouldn't ask you to write one precisely because you are a subject matter expert, with your own opinion. Where are the other good science journalists, who can investigate the (possibly divergent) views of experts, present the arguments for and against, and help us come to a conclusion?

Both aspects are needed: informative, educational articles about a subject area, and investigative, analytic articles to help us draw conclusions. I am not sure El Reg is the right forum for that, but I don't know where is nowadays.

4
7
Graham Cobb

Re: I would argue the situation was even worse

I would encourage you to still vote. We have serious problems with our politicians but I don't believe the "cash-for-policy" is anything like as bad as it will get if the public continue with apathy. Just look at the US, where the corporations really are in complete control, to see how bad it could get!

A caring and engaged electorate, even if largely powerless, may give politicians and their corporate sponsors some pause. And maybe we can actually encourage some genuinely useful candidates to stand in future elections.

21
0
Graham Cobb

Re: Great Article.

I agree it is a great article -- very persuasive. However, I know nothing about the subject matter and can't judge whether the assertions are correct, or whether there are any counter-arguments. What I am even more worried about, than the fact that some incorrect analysis is going around, is that we don't seem to have a good way for claims like these to be tested and debated and trustworthy conclusions to be drawn.

What has happened to the good science journalists? Presumably this is an effect of our unwillingness to pay for journalism any more. How do we get the BBC to rescue Horizon from the pit it has fallen into and start using it for serious science journalism like this?

Some topics, like climate change or string theory, are extremely hard to analyse and there can be genuine expert disagreement (although vested interests don't help!). But I would have thought that this topic was something which some genuine experts could all agree on in their lunch break.

22
0

Rubber-glove time: Italy to probe TripAdvisor over 'fake reviews'

Graham Cobb

False negatives are the hard problem

I tend to mostly ignore the positive reviews. I read them to find out factual information but I pay more attention to the less positive reviews. Mostly because people may love places that aren't our sort of place (maybe we are looking for value for money, or luxury, or quiet, or beach or ...) but things people don't like are often likely to apply to us as well. Also, it does help to guard against false positive reviews.

Of course, that does mean I am open to false negatives. Unfortunately, that is a real problem for the owner: it doesn't do me much harm to miss a fantastic place because of a false negative review (compared to the risk of selecting a bad place based on a false positive) so I am always going to be more open to false negatives. All they can really do is encourage people to keep submitting reviews and hope the false reviews are drowned out by real reviews.

3
0

Get cracking on STARTTLS says Facebook

Graham Cobb

Re: STARTTLS checker?

I use http://checktls.com for testing my configuration

0
0

EU: Let's cost financial traders $400m a day, because EVIL BANKERS. Right?

Graham Cobb

Re: Article sounds like a rant

Surely trackers only have to trade when the composition of the underlying index changes (a company enters or leaves the index)? Sure, the trackers need to trade, but orders of magnitude less frequently than many other traders. I don't see this putting up the costs of trackers significantly.

7
1
Graham Cobb

Try harder

Sorry, Tim, you have not managed to get your argument across (to me, at least).

I still don't see the need for HFT. Sure I like low spreads and high liquidity but higher spreads just means I have to make fewer trades and keep stocks longer. Lots of trading may be good for investors but you haven't shown any evidence at all that it is good for the companies issuing the shares or the economy as a whole.

I know that trades bring information to the market. But the HFT algorithms are bringing very, very little information -- they are just arbitrage machines. I am willing to be convinced by real evidence but, for now, I still believe HFT is a drain on real finance and that either a Tobin tax or something like a minimum hold period (say, an hour) would make real improvements to stability and the ability of the market to gather, hold and process information, and provide information to the economy as a whole. HFT makes so much noise that the "information" in the market is being lost completely.

Of course, I agree with you that the attempt to have regulators approve algorithms is stupid -- obviously written by someone who does not understand software development.

15
1

Page: