* Posts by Graham Cobb

156 posts • joined 13 May 2009

Page:

Google gives away 100 PETABYTES of storage to irritate AWS

Graham Cobb

Re: Wot no Oracle?

I went and looked at the Oracle offer after the earlier Reg article. Unfortunately there seemed to be two problems:

1) You don't seem to want personal customers (and probably not SMEs either -- the signup process was very corporate-oriented, unlike Amazon's).

2) You don't seem to allow for import/export using harddisks -- I use Glacier and I just send a copy of my backup disk to Ireland to import a terabyte or so of data. Uploading that over my DSL connection would be hopeless!

Of course, I'm not particularly surprised: Oracle's customers are mainly large businesses, and your very low price is unlikely to be worthwhile for Oracle for people who only need a few TB.

2
0

Cloudy VMs leak ID details that could allow attacks, says researcher

Graham Cobb

Is spying possible?

I read the slides, but not the thesis. I can see the various side channels, and the way they can be exploited to set up a communication between co-operating sender and receiver. I have amused myself with playing with such side-channels in the past -- I remember being particularly pleased with using the VMS cluster-wide lock manager to have surreptitious communication between between processes on different nodes of the cluster by manipulating lock states. Side-channel communication between systems sharing some resource always possible -- the only question is how much you can force the effective bit-rate down while keeping the resource usable.

However, it is not clear to me whether the research is making the much stronger claim that one machine can spy on another without co-operation. Is it really the case that one VM can read cached memory data belonging to another VM? That would seem like a major, and obvious, hole which would have been found and fixed long ago. I am not familiar with the x86 cache manipulation instructions but I presume the emulation of those is handled in the hypervisor.

0
0

How British spies really spy: Information that didn't come from Snowden

Graham Cobb

Stop abusing statistics

"GCHQ values bulk interception highly. It told Anderson that it contributes to about 55 per cent of its intelligence reports and is used mainly to find patterns in online communications that indicate involvement in threats to national security, in particular for “target discovery” – finding previously unknown people"

Sounds impressive, doesn't it? But it is meaningless in the debate. As we have discovered from police abuse of RIPA data collection, once they have an easy tool, the lazy will use it all the time. Now just about every police investigation starts by pulling all the telecoms data on everyone involved -- showing massive stats for use of telecoms data -- but without any information at all on whether this gross violation of privacy was critical for the case! Of course the bulk interception data is used in most reports (I am surprised it is only 55%) -- if you have the data why not make your life easier by abusing it for purposes for which it was not collected and which are not proportionate?

In fact, if bulk interception data is used in 55% of reports then the collection is clearly nowhere near proportionate -- proportionate collection would result in data that was useful in fewer than 2% of reports!

The question Anderson should have asked GCHQ was "how many of the 'targets discovered' were later found not to be relevant at all?" And then reduce the answer he gets by a large factor to account for the inevitable authoritarian over-grading of targets (like including legitimate protesters who do nothing wrong and should not be being tracked or targetted).

11
0

UK.gov makes total pig's ear of attempt to legalise home CD ripping

Graham Cobb

Of course it is "priced in"

How on earth did they get away with claiming format shifting is not priced in? It has been priced in forever, and that price is almost zero.

Imagine if a music company offered two versions of a CD: one permitting format shifting and the other not. The latter would have to be priced at a discount, of course. That discount is the "price" of the format shifting option.

If some company had actually done this, and had managed to set the prices such that they got significant sales of both options, then they could reasonably claim that there was a non-trivial price for format shifting, and that that was NOT priced in on the non-format-shifting CD. That would have formed evidence that format shifting was NOT priced in to ordinary CD sales.

But, they never did this. So, they cannot possibly claim format shifting was not priced in. They should not have been allowed to get away with it.

It is obvious that if someone wants to claim that some restrictions has some value, for which they should be compensated, they need to be able to point to evidence showing that, given a choice, people were previously buying both with and without the restriction, at different prices. The price difference is the value of the restriction (to both the buyer and the seller). This should be true for DRM as well: if you want DRM-removal to be illegal you should have to be successfully selling content with and without DRM at different prices so people should not be able to change one into the other after purchase.

0
0

Minister for Fun opens consultation on future of the BBC

Graham Cobb

Put on a lot of stuff I don't like

The main tasks of the BBC should be three:

1) Independent and unbiased communication of important news and information (on all channels, including web). "Unbiased" does not mean "without editorial selection", nor does it mean "inclusive of all possible viewpoints" -- experts (including expert journalists) should provide the information, including expert opinion. If there is real (not fake) controversy then create a "special" about the controversy. Hint: if it is Murdoch or the Daily Mail claiming they are biased then they have probably got it right -- those channels are perfectly capable of distributing their own propaganda and don't need the BBC's help.

2) Minority and community programmes. Most programmes on the BBC should be things I find very dull (but someone else finds very interesting). Leave commercially successful topics (cooking, holidays, antiques, pop music) to commercial broadcasters but carry a very wide range of minority interest programmes. Some of them will be aimed at particular communities (Bangladeshi, Lesbian, etc), others at special interests (minority sports, arts and hobbies), others may deal with unpopular but important topics (e.g. foreign current affairs). Many will be pure entertainment, but they will be material which is aimed at a small audience so is not carried by the commercial channels.

3) Education, both in documentary and drama form. Personally I want to see REAL science (not dumbed down) and other educational topics like history. Others may be interested in education about human rights issues in foreign countries, or the threats to ecosystems. Note: this material does NOT need to be unbiased -- in many cases opposing viewpoints are well covered by commercial broadcasters and their corporate sponsors.

In most cases the BBC should be making their own programmes, And avoiding expensive stars. They should not be measured on commercial success or ratings. Rather, they should be measured on diversity: the measure of success should be that every person in the country has watched (and values) one BBC programme in the year, not that very many have watched each programme.

1
0

Loneliest Pirate's EU copyright report secures MEPs' approval

Graham Cobb

Collecting societies will be disappointed

“We know this resolution has had a long and difficult path to adoption, but every side seems to defend the importance of authors receiving fair remuneration but fails to put forward any concrete proposals to correct current failings,”

Despringe has hit the nail on the head. That is what this whole argument is about.

However, in my view, authors (or, at least, the people they have voluntarily contracted with to publish them) currently receive more than a fair remuneration and the changes that are needed are to reduce the rights and powers of publishers and collecting societies, not increase them. I will not be satisfied unless copyright terms are reduced, and more copyright exceptions are created.

2
0

Privacy advocates descend on proposed domain name change

Graham Cobb

Re: @Graham Marsden

Where did you get the idea this is about .com? This is about ALL domains: the rule says you will not be able to register any domain name using a proxy if you are deemed to be using it commercially. What is "commercially"? Who decides? If I am non-commercial today can I be deemed to be commercial tomorrow? Am I commercial if I include ads on some of my pages? What if I ask for donations? What if I ask for donations to a charity? What if I use my webpage to advertise some charitable event (Children in Need)?

It is ridiculous. There are national laws about how trading entities make themselves known (e.g. UK companies have to publish their registered number). The national rules of the person registering the domain should apply. And so should their data protection rights (so if I have used a proxy in the EU, it would be violation of my data protection rights for the proxy to pass my name on to anyone who asked except law enforcement).

1
0

What is this river nonsense? Give .amazon to Bezos, says US Congress

Graham Cobb

Re: Pedantic Grammar Nazi Compromise?

"They don't want people to be able to register names such as igotscrewedby.amazon or bitemyshineymetalass.amazon to name a couple of the more polite domains"

There is an easy answer to that. I think I might go and register "justfucked.me". I am sure I can make as much money as ".sucks". How much am I bid for my new "amazon" hostname? How much for "apple"?

0
0

Farewell then, Mr Elop: It wasn't actually your fault

Graham Cobb

Metro was the failed gamble

I am no fan of Elop (I was a fairly well-known developer in the Maemo community and I use a Jolla phone today) but, with hindsight, I think it is clearer to understand what went wrong.

First, as Andrew points out, Nokia had become dysfunctional long before Elop. Eventually the board recognised this and they made the decision to go with Microsoft: that is the reason they hired Elop. You can certainly argue, with hindsight, that that was the wrong decision -- they should have gone with Android -- but it seemed a reasonable decision at the time.

Even at the time, everyone in the business knew that it was almost impossible to create a viable third platform (after Apple and Android) no matter how good it was. The problem, as everyone recognised, was apps: app developers would not develop for a new platform unless it had massive numbers of users, and the users would not come unless there were lots of apps. Maemo/Meego/N9 had proved this. [This is just a repeat, of course, of the VCR industry -- except in that case the three platforms were reduced to just one -- but it was also content availability which forced that].

However, Microsoft thought they could use their massive power, and deep pockets, to prove everyone wrong. And they came up with an interesting idea to make it happen. One which actually seemed to have a chance of working: Metro.

Metro was an attempt to create a platform which would work for the PC, tablets and phones. The idea was that a large proportion of the massive number of Windows PC apps would become available for tablets and phones, which would kickstart the takeup of Windows Phones. The large number of users of Windows Phones would then attract IOS and Android app developers to port to the platform (also making those apps available to desktop users as well, as a side effect).

I can still see why that was attractive. It is the only sensible idea anyone has ever come up with for breaking the IOS/Android duopoly. And I can see why it was attractive to the Nokia board: Microsoft was about the only company which could make a strategy like that successful. I expect the Microsoft board told the Nokia board that they saw this strategy as the only future for Microsoft -- something they may still be right about.

In the end, even Microsoft couldn't do it. Even with hindsight it is hard to say whether the delays and compromises in Metro were the cause or whether the idea was never going to work. For whatever, reason, it was a gamble which failed. Nadella's challenge is to salvage a future for Microsoft with it knocked back to just being a desktop PC platform vendor and business software vendor.

9
5

Grumpy EU ministers agree shaky pact on new data protection law

Graham Cobb

Profiling

What does "a balanced view on profiling" mean?

It is my profile, so I get to decide whether or not you can create it and what you can do with it. Just me. Fully. No balance involved.

Of course, you are welcome to show me the wonderful benefits you can provide if I choose to give you certain capabilities to profile me. Just as you would if you were asking for money instead. I decide if that is worth it to me. That is how balance works. Not in the regulations.

1
0

'Right to be forgotten' applies WORLDWIDE, thunders Parisian court

Graham Cobb

Re: Far too many questions.....

I think you misunderstand the law. There is no restriction in posting (true) information. However widely you want. In your example, you could take out full page ads in all the world's newspapers reporting on this act, as often as you like, before or after it is removed from Google. The right is only to not have the information appear if I ask for a dossier on Ryan Giggs, not to restrict publication of the information.

The court has held that a search engine search for a person's name is equivalent to asking for a dossier, report, background check, credit check, etc on that person. All those have to remove this piece of information. However widely it is reported or known -- even if the person is so famous that everyone knows the story (Washington chopping down a cherry tree) -- it cannot be included in a dossier on the person.

You ask: how does anyone know what to delete? In principle it is out-of-date and no longer relevant information (and some other special categories like spent convictions). In some cases courts end up making that decision.

1
0
Graham Cobb

Sorry, Velv, you misunderstand what the right is (maybe you are not an EU resident?).

There is no right to have (true) information removed (or forgotten). There is only a right to have out-of-date information not included in reports (dossiers, credit checks, employment histories, etc) on you. The court has decided that searching for a person's name in Google is the same as going to a research agency and requesting a dossier on someone (I can certainly see the similarity). So, they both have to remove the out-of-date information from the report they give the user.

When Google handles a right-to-remove request, it does not stop indexing the page: it stops including that page in results returned on a search of the name. The page can still be returned on other searches.

Having a right to REMOVE information from the internet would be much more serious than just having the right to have it dropped from searches against your name.

0
0

Online identity woes can only be solved through the medium of GIF

Graham Cobb

Re: Setting the fox to guard the henhouse

The website is now working for me (mostly -- the layout seems to be borked but it is mostly readable).

It certainly is saying the right things -- the proof will be in the actions. I have to say I think it was a very serious mistake to go public with a board just consisting of corporate types, and without any representatives of privacy/identity civil society on the board. That sends out a very worrying message. It will take a while to build confidence and relevance.

But it is nice to have the CEO participating in the forum.

3
0
Graham Cobb

Setting the fox to guard the henhouse

Good idea to work on some agreed requirements, but I am extremely dubious about having it led by corporate CISOs, rather than an open community including privacy organisations.

Corporates aren't well known for being keen on privacy, and one key aspect of privacy is being able to use different identities with different players, with no way for those players to link or correlate those identities. For example, I use a different email address for every company I do business with not just to work out which ones are selling/losing my info but to avoid them linking my accounts. I also use cash when possible (instead of credit cards) and use different credit cards with different companies. This is specifically to prevent corporates doing some things they would like to.

Even in the real world, different people know me by different names (in my case this is for historical reasons -- this is true for many people, for example women who have been married several times and may use different names in different contexts). I do not have, or need, just one identity.

Does GIF have the right structure to take these issues into account? I can't find out, because their web site is empty when I try to look at it!

8
0

Paper driving licence death day: DVLA website is still TITSUP

Graham Cobb

Re: I just love government projects

"Leaving both the contractor and the Gov department to merrily repeat the TITSUP FUBAR incident ad infinitum"

Back when I was a consultant, I had my share of "project management learning experiences". But I a learnt from them. Others learnt from them better than I did and did larger and larger and more and more critical projects, and became good at it!

Using a contractor doesn't mean you can't get very experienced programme managers, with good and hard-working sub-project managers. But you have to pay for them, of course -- good ones are deservedly expensive!

The question we should be asking is not "why was this given to contractors" but "why was the low bid chosen, instead of properly assessing the experience of the key staff and the company and paying for repeatable quality".

2
1

US Patriot Act's phone spying rules are dead – but that means very little

Graham Cobb

Re: Got Clue?

If he was "under surveillance" then it isn't what this argument is about. This is about intercepting the communications data of the vast majority of people who are not identified and under suspicion.

4
1

Secure web? That'll cost you, thanks to Mozilla's HTTPS plan

Graham Cobb

Re: The only upside I can see...

"...sites which lurk around, turn up on searches, but which haven't been modified for years and may even be for businessess which are now defunct, should finally disappear completely."

And that is upside how? It just seems to be downside to me.

Sites with information that is years old but valid should not need to be (and should not be) modified. We are not all MIllennials who need shiny!

The National Museum of Computing just issued an appeal for a data-sheet for an old piece of equipment they are trying to restore or emulate or something. Backed up with an offer of a financial reward! So, it is pretty important to them. If the web had been around then, and someone had the information they need on their old website, it would now be valuable.

15
2

Facebook flings PGP-encrypted email at world+dog. Don't lose your private key

Graham Cobb

Re: PGP is not security

"Security" is many different things -- PGP is definitely good for some of those things.

For communications (email and others), there are four main types of threats I care about: casual observers (e.g. someone who sets up a free access point and watches traffic for kicks, hoping to get the odd credit card number but mainly getting his jollies from people sharing nude photos), identity thieves (who know how to exploit what they can capture to learn enough to steal from me), government mass data collection, targeted government investigation.

PGP deals almost completely with the first two and has a significant impact on the third (especially when combined with using TLS for SMTP, hiding much metadata). Nothing really deals with the last, although routine use of PGP by companies will at least remove "uses PGP" as a trigger for an investigation.

I am hopeful that what this will really mean is that next time I ask my accountant or IFA if I can send them the data they want using PGP email they might have heard of the concept! Maybe even seen an article in Accounting Today (or whatever magazine they read)!!

0
0

Snoopers' Charter queen Theresa May returns to Home Office brief

Graham Cobb

The civil service are surely part of the problem, but I think it is ministers who have chosen to let the securocrats out of their bag and give them so much power and influence over the Home and Foreign offices to wipe out any objections from any more public-spirited civil servants.

Unfortunately Authoritarian/Liberal is an orthogonal political dimension to Left/Right (not that the Labour party can be called left wing any more anyway). I see many "central planning" and "state control" socialists as just as authoritarian as "hanging and flogging" conservatives. The snoopers charter was always going to be a problem after this election unless either the Greens or the LibDems held some influence.

6
0
Graham Cobb

Re: Theresa May. :(

To be honest I would have liked to have seen the coalition continue, with the LibDems tempering the worst excesses of the right-wing.

Yes. My first thought, on learning the result on Friday morning, was "WTF? I understand the disappointment with the LibDems but didn't people realise that they were the only thing keeping the Tories reined-in? What have you done!".

Of course, no one realised that one in eight people voting UKIP would result in only one seat, but they were only ever useful for a protest vote -- they were never going to rein-in the Tories -- just push them further Right.

I'm going to have to increase my contributions to ORG, No2ID, BBW, etc quite a lot.

3
0

ID yourself or get NOTHING (except Framework), snarls Metasploit

Graham Cobb

Re: Possible loopholes

Would these rules apply to a US company / organization that writes and distributes their code from outside the US?

Yes. At least assuming the underlying rules haven't changed since I did Export Compliance training while working for a US company in the UK last century. A US company can (and will) be subject to penalties if it provides any access to export controlled materials (not just software: manuals, training and professional services are included) to denied parties.

The legal basis seems fairly reasonable in this case: Metasploit is clearly a munition, although dual use. And arms control is what these regulations were designed for. Unfortunately, they weren't really designed for software -- which isn't that hard to engineer, in the modern world.

1
0

Lawyer: Cops dropped robbery case rather than detail FBI's StingRay phone snoop gizmo

Graham Cobb

Re: I can't wait...

Fans of "The Wire" may be interested in this article from Techdirt:

https://www.techdirt.com/articles/20150413/09250230636/baltimore-cops-asked-creators-wire-to-keep-cellphone-surveillance-vulnerabilities-secret.shtml

0
0

Tale of 2 cyber-confabs: Govts, nerds on one side. Shock hotel room searches on the other

Graham Cobb

Re: really comprehensive article

Yes, it was a good article.

I encourage anyone interested in this to become a member of the Internet Society (free, open to all as individuals) and to join the Internet Policy mailing list. While a few of the comments are incomprehensible (I am not familiar with all the jargon of "civil society" organisations), some of the discussions are quite interesting and accessible.

The fault line between governments (and their civil servants and the consultants who work for them) and civil society is interesting to observe, as is the different approach taken in different parts of the world.

Some of the issues being discussed on these lists and at these conferences are hard problems (like zero rating vs net neutrality) and the regulatory decisions will have important consequences.

0
0

Smart meters are a ‘costly mistake’ that'll add BILLIONS to bills

Graham Cobb

Re: SMART = Smart Meters Are Real Threat?

Particularly in the light of today's serious revelations about personal data being sold "for 5p".

3
0

I wish I'd leaked sooner says Edward Snowden in post-Oscar chinwag

Graham Cobb

I really don't think anyone cares about their privacy, except in very generalized terms.

There is some truth in that. Somehow we need to convince the man in the street that he needs to care about other people's privacy. He may not be particularly worried about himself being monitored -- the issue is that there are people for whom it does matter a great deal. And many of those could be him under some slightly different circumstances in the future.

As well as the obvious cases like lawyers and journalists, there are the abused wife trying to avoid being tracked down by her policeman husband, the fracking/animal rights/anti-abortion/insert-favourite-left-or-right-wing-cause-here protester trying to prevent the police "randomly" stopping and searching them, the social pot smoker trying to avoid being refused a job.

But there are also cases of complete innocents who could be our punter tomorrow: the person who uses a local plumber who also does business with a someone who turns out to be criminal, the school governor who serves on a committee with a local cleric who turns out to be a radical, the jogger who regularly runs near where someone was attacked, etc. All these innocent people should be protected from harassment and suspicion (and demands to "prove" their innocence) unless there is some actual reason to suspect them.

I don't know how to do it, but we need the man in the street to realize the issue is not their own privacy but that a free society needs other people's privacy protected.

1
0

NO WARRANTS NEEDED for metadata access, argues Oz A-G

Graham Cobb

Re: encrypt everything

That doesn't work with the metadata.

It does if you use something like Bitmessage. Bitmessage is clunky today, and there are potential concerns about both its security and scalability, but if governments press on with this approach (unreasonable retention, access without warrants, pressure on commercial operators to decrypt) then the open source world will create really secure end-to-end solutions. Access to information about criminals will go DOWN.

On the other hand, if governments pull back from disproportionate actions, then Bitmessage will, like most open source projects, remain clunky, hard to use, possibly insecure, poorly maintained and used by a tiny group of people. I understand why politicians have such short term thinking but not why the spooks let them get away with it.

1
0

Increased gov spy powers are NOT the way to stay safe against terrorism

Graham Cobb

Re: Well said

"... we don't need to copy the methods of those we spent most of the 20th Century fighting against. You cannot save freedom by destroying it."

Yes, that is the crux of the matter. I was a small child in the 1960's in East Anglia, surrounded by US Air Force bases, and I really used to lie awake at night worrying about a nuclear attack. I even drew plans for a nuclear shelter we could build in our garden!

When my parents became aware of my worries, they didn't tell me not to worry because they would stop it happening. They explained why we had to oppose the Communist regimes: these governments were repressive, you couldn't walk down the street without carrying papers to prove who you were, they were spying on their own citizens. All this to a child under 10!

I have never forgotten that. I went on to read Solzhenitsyn as a teenager and I have been committed to freedom of thought, writing and speech ever since. I wish Cameron had had the same explanation.

32
0

Peers warn against rushing 'enhanced' DATA SLURP powers through Parliament

Graham Cobb

Re: Not getting my vote...

So, the question of who to vote for to oppose these policies boils down to... which small party, if it finds itelf in coalition, is most likely to choose privacy as the one policy they insist on?

UKIP? Don't make me laugh.

Greens? Strong views on privacy but they will always be more concerned about the environment -- I can see them dropping the privacy issue if they can get some of their environmental policies in.

Lib Dems? Opposing snooping is about the only thing they have been consistently firm on. They seem like the best bet. Unfortunately, the way they are tainted, will they hold the balance of power next time round? Despite that, they seem to be the only choice for anyone who considers this the most important issue at the next election.

1
1

What do UK and Iran have in common? Both want to outlaw encrypted apps

Graham Cobb

It's about "safe spaces"

Apparently Cameron has said he will not allow "safe spaces" for people to communicate with each other without monitoring. So, where do I go to talk to my friend about how we are going to vote? Where do I go to talk to my MP about raising a government abuse in parliament? Where do I go to talk to my lawyer? Apparently all those conversations should be monitored.

Maybe we should ask him where he plans to go to talk to his friends in the City about his directorship for when he stops being PM? Where will he go to discuss secret trade treaties?

Fortunately, in this case, he is being completely stupid and nothing can come of it. Presumably, however, he is saying this so he can later present the real proposals as "we listened to the objections and have reduced our demands" - back to the original snooper's charter proposals.

25
0

Paris terror attacks: ISPs face pressure to share MORE data with governments

Graham Cobb

Re: Once more, with feeling

At least this should mean the end of the speculation about Theresa May as a future Prime Minister. What was needed, on this day of remembrance and outrage, was something statesmanlike and thoughtful. Instead we got a grubby political land-grab. End of Mrs. May's campaign.

7
1
Graham Cobb

They want Facebook to monitor our speech?

How can they, when these lives have been lost defending free speech, possibly be asking internet companies to monitor and report what we are all saying online? It is just sickening!

Will Charlie Hebdo's next cartoons be reported to the government by their email company as subversive?

3
0

MI5 boss: We NEED to break securo-tech, get 'assistance' from data-slurp firms

Graham Cobb

Come back when you have done some housecleaning

I am getting very bored with this whining from the securocrats. I know your job has got quite hard. No amount of whining will change that. Come back when you have:

1) Cleaned up. Owned up about the out-of-control years. Heads have rolled. Some people are in jail (yes, really -- there are no excuses for what has been going on and justice needs to be seen to be done).

2) Changed. Stopped untargetted surveillance. Reduced data retention to 30 days. Got warrants. Put in place an overview regime we can actually trust (yes, that is hard to do -- work out how to do it).

3) Come back with a realistic plan for how you will do your jobs to protect us given that technology means that the bad guys will have access to perfect encryption, high performance dark nets, etc (even if you make them illegal). Note: "I believe in fairies" is not a plan.

According to the speech there are 600 returned jihadists. Even if all of them managed to radicalise 100 other people, those 60,000 would be less than 0.1% of the population. That is not a justification for snooping on 64 million people. At those odds I am happy to take the risk of becoming the victim of a terrorist and just close down GCHQ.

12
0

HTTPS bent into the next super-cookies by researcher

Graham Cobb

Re: Ahh, but reading the original article does

I don't think defeating such fingerprinting is that hard. HSTS seems to be mainly an optimisation (although it has some security benefit if users are in the habit of typing in URLs with http: prefixes). Four things that I think should happen:

1) Browsers should only retain HSTS info for relatively short times (I would choose less than 1 day, others might choose several days, a browser might default to a longer period -- say 1 month). This is a bit harder to make work than you might think because you need to prevent the tracker from just "refreshing" the setting each time you connect to the site.

2) HSTS should be ignored for access from javascript.

3) Users should be able to turn HSTS off completely.

4) Plugins like HTTPS Everywhere should turn HSTS off completely and rely on their own capabilities.

That would mitigate the issue for normal users and allow the most privacy conscious to eliminate it completely.

0
0

'Tech giants who encrypt comms are unwittingly aiding terrorists', claims ex-Home Sec Blunkett

Graham Cobb

Get rid of cars

Now is not the time for lofty disengagement or disinterest. Car manufacturers who provide self-driven – and therefore secret – transport are, albeit unwittingly, helping terrorists to co-ordinate genocide and foster fear and instability around the world.

0
0

How mobile device management is taking on the BYOD challenge

Graham Cobb

Mixing up MDM and BYOD

The article seems to be about MDM, not BYOD. If the company needs the level of control over devices that is described as the goal of MDM in the article, then they will need to provide the devices. No one will bring their own device and accept that level of control.

BYOD is about companies being willing to trade off control in exchange for reduced cost and more satisfied employees. You can't have all three at once.

It would have been more useful if the article had been about what level of control is actually feasible with BYOD, not with company-owned devices.

1
0

GP records soon wide open again: Just walk into a ‘safe haven’

Graham Cobb

Re: Care.data opy out

Personally (others may differ), the issue is less about who has the data than what they are allowed to use it for. I don't care about the NHS (or even associated companies) using my data for caring for me, for planning and monitoring its own operations, for research into providing better care, etc. I don't even mind commercial companies using the data for research into new drugs/treaments or even for insurance companies to better plan their costs and become more profitable.

What I care about is that there has to be a legal requirement, with very strong penalties (fines of about 1% of global revenues and/or criminal prosecution of individuals, financial compensation to all individuals involved of several times any extra costs they incurred due to the offence) that the data cannot be used to discriminate between individuals, families, geographic areas. genetic makeup, etc in the provison or cost of products or services (such as insurance), nor for any purpose to do with marketing (such as targetting a person or ethnic group). The same thing goes for other data they may be able to find out (such as the rugby team membership an earlier commentator pointed out).

The purpose of both health insurance, and a national health service, is that the service is available to everyone, equally. Costs are shared, between the healthy and the sick, the old and the young, etc.

Ewan Robson's post talks about legal protections under the DPA, but it is not clear and unambiguous that all the things I mention above are prohibited. Also fines are extermely limited (the limits are small and in reality fines are usually non-existant), especially for a global drug company or insurer. If there is such protection, then I suggest they shout it from the rooftops before restarting this process. If not, abandon it.

1
0

Don't bother telling people if you lose their data, say Euro bods

Graham Cobb

Re: as long as

Sorry, Bronek, I think you are wrong. Whether "heavily encrypted data" is useless depends a lot on what other information the attacker has. In particular, if the attacker knows some of the plaintext then they may be able to break the encryption much more easily.

For example, a password database might be very securely encrypted. But if the attacker knows (or guesses, and can verify) some usernames and passwords that might lead to easier decryption of the whole thing. And inside information could also be very useful even if the keys themselves are not available.

In other words, the problem is not about how well encrypted the data is, it is about the whole circumstances of the breach. Most of that is not known (and certainly should not be evaluated by the company losing the data). The only reasonable behaviour is to notify everyone involved on every loss of personal data, no matter how well the data is encrypted.

0
0

Windows 10: Forget Cloudobile, put Security and Privacy First

Graham Cobb

If I have paid for the software, Microsoft should not collect any data at all

Basic things like "what programs are installed" and "what is the hardware configuration of your PC" are generally collected as part of operating system updates and/or automated troubleshooting systems because they provide clear technical benefits in solving technical issues. It would be pretty insane to say "don't collect this info, because NSA".

We will have to agree to differ. There is absolutely no excuse for sending any information about my computer, what I have installed on it, how often I use it, or what I use it for unless I have asked for help and explicitly understand that this information is needed (in which case I will carefully consider who I ask, like I would carefully consider who I take my PC to for servicing).

In this case, it isn't the NSA I am worried about -- why should Microsoft know? I don't tell Google what software I have installed, I don't tell Amazon where else I shop or what I buy there, I don't tell my car insurance company who I choose to use for home insurance or how many bedrooms it has. Why on earth would I provide any personal information to Microsoft just because I buy their product? This isn't Facebook offering me something for "free" in exchange for personal information.

1
0

Kill off SSL 3.0 NOW: HTTPS savaged by vicious POODLE

Graham Cobb

Bad news for iPad

My (work supplied) iPad2 running iOS 7.1.1 is vulnerable (according to poodletest.com). I can't upgrade to iOS 8 (not only would I need to check all my demos still worked, general opinion seems to be that upgrading an iPad2 is not advisable) but presumably any fix will only be issued for iOS 8.

Must remember not to use it to access any important personal stuff (not just banking, but things like airline check-in).

Hmm, that raises an interesting question... will apps (like the BA app) inherit any fixes that may be supplied for iOS or Android or do the apps themselves need to be updated?

2
0

Get NAS-ty: Reg puts claws to eight four-bay data dumpsters

Graham Cobb

Open software on these boxes?

There have been many comments talking about building your own box and running your own software (from Windows, through special NAS distributions to generic linux). Very useful, thank you.

But what about running your own software (I would want a Linux variant) on any of these boxes? I can't help thinking that the hardware is probably chosen well for the NAS job, and I particularly want to reduce power consumption (my current file server is my previous desktop which pumps out a lot of heat -- I don't need graphics, or probably even the powerful CPU/memory it has). But I am not interested in their software -- I need to be able to run a modern Linux.

Can any of these boxes have the installed software replaced by open software? Is there a community around them which does that? I realise it will be more expensive than DIY but, given my background, I will find it easier just installing/using software.

0
0

Britain’s snooping powers are 'too weak', says NCA chief

Graham Cobb

Bristow is very dangerous

Bristow is clever and comes over as very reasonable. He is also very wrong. We need to be very firm and public about not letting him get away with assertions about losing capability.

As I mentioned last time he spoke, he is claiming he needs the power to put an electronic police tail on EVERY person, all the time, in advance, just in case someone does something bad. Collecting Communication Data is exactly the same as placing a police tail on you: the tail can't hear what you are saying but they track exactly where you go, who else is nearby, who you talk to (and for how long), what posters you stop and read, what shops and other building you go into. If the Snooper's Charter was in effect, the tail can follow you into the buildings and video everything you do there.

This is not some power they used to have which they lost due to modern technology. Previously they might have been able to put a tail on one or two people per county at any one time. So, they had to make actual decisions, allocate actual resources, get actual permission to do it.

Why does anyone let him get away with the claim that this is about "losing capability and coverage"? It is a complete transformation into a police state!

1
0

Adobe spies on reading habits over unencrypted web because your 'privacy is important'

Graham Cobb

So, I must be able to strip their DRM

I am planning to use this spyware as the basis of a complaint to the Secretary of State requesting that he gives permission for stripping Adobe DRM.

Clearly this is unacceptable behaviour by ADE, and ADE is the only (legal) way to read books I have purchased which are infected with Adobe DRM. There is nothing in the purchasing of the books which involves me agreeing to spyware. Also, it is well known that there is software easily available to remove Adobe DRM. So, the SoS clearly must give permission for that software to be used so that people can safely exercise their rights to read the books they have purchased.

This is exactly the sort of case of unacceptable TPMs for which the law gives the SoS the ability to grant permission to circumvent a particular TPM.

1
0

Linux systemd dev says open source is 'SICK', kernel community 'awful'

Graham Cobb

Re: Unpaid volunteers in a lot of cases @AC

Peter G is right that systemd is about weighing the advantages of the capabilities it provides vs the disadvantages of its deisgn and implementation. Debian struggled with this, with a public and acrimonious debate, and decided to go with systemd. Not because it was well liked but because it was useful.

There is no realistic prospect of anyone else implementing a (FOSS) alternative to systemd that is as useful. Not while the systemd team continues to exist. So, individuals may decide that they don't want to take on board the horrible design decisions made, but the large distributions are moving to it. Personally, I don't like it but I agree that it is the only viable option.

0
1

Marriott fined $600k for deliberate JAMMING of guests' Wi-Fi hotspots

Graham Cobb

Re: Ker-plunk

You are not alone.

Sony is not only on a last-resort list: they are on my never do business with them again list, for the same reason. I have not bought anything from any part of the Sony organisation since the rootkit.

HP are also on the same list, for their DMCA abuse (also over 10 years ago). The list is absolute for my personal purchases but I also do my best not to do business with HP in my professional life as well, as long as I am not damaging the interests of my employer, of course.

0
0

Business expects data retention will hit their bottom lines: survey

Graham Cobb

Depressing Oz data protection stat

The respondents were much more receptive to the idea of mandatory data breach reporting, with 89 per cent in favour of such a regime

That is very depressing. Not because I don't support mandatory breach reporting -- I do, very much. But because if 89% of businesses support it that means that they think it is something that will hurt their competitors and not them. Which means they don't understand anything about protecting their data. There is no way 89% of Oz businesses have even adequate data protection, let alone excellent protection.

And while management don't understand that they are massively at risk, they won't invest.

Still, maybe the first few mandatory breach reports will help them understand.

0
0

Hackers' Paradise: The rise of soft options and the demise of hard choices

Graham Cobb

PCs are not the battleground any more

Unfortunately this piece misses the point. PCs are not the important concern any more. It isn't even tablets and phones. The area to be concerned about is the Internet of Things.

The first reason is scale. PC's are well below one per person. Phones come in at around 1 per person. IoT devices will be tens per person or more. If you are worried about "Unfortunately, it seems that it is only after such an event that something gets done" then it is these devices which will have the most opportunity to cause chaos.

The second reason is that many (not all, of course) IoT devices are going to be in either safety-critical or, at least, seriously-inconveniece-causing environments. They may be controlling important household functions (locks, heating, lighting). More importantly, they will be working in offices, factories, railway stations, etc. Putting threatening messages up on the departure boards at Waterloo station in the rush hour may cause more loss of life than causing a car to crash.

The third, and most important, reason is that these devices need to be cheap. Really cheap. Designed and built down to a cost. And those which are not truly safety-critical (nuclear power station controllers) will not be regulated at all. Their hardware may be simple, their RTOS may not be designed for security, their interfaces will be wide open to simplify (make cheaper) integration, and their software will probably be crap -- more concerned about whether it is selecting and displaying ads correctly than whether it is functioning.

We already see serious security issues in SCADA controllers. We already see serious issues in vehicle engine management systems. Both those might get targetted by regulators. But will non-safety-critical IoT devices ever be safe to use?

0
0

Three floats Jolla in Hong Kong: Says Sailfish is '3rd option'

Graham Cobb

Re: Maturity is beginning to appear

I have a Jolla with a physical keyboard Other Half, which I use as my daily phone. A bit bulky but nice to have.

Unfortunately the keyboard was a limited run project by a community developer and hasn't been taken up by Jolla.

0
0

HTTP-Yes! Google boosts SSL-encrypted sites in search results

Graham Cobb

Re: Silly question

No, it isn't necessary to use SSL on sites which do not have logins. But it is the friendly thing to do. Part of the point is not just to protect your traffic, but to move to having most Internet traffic routinely encrypted to make the job of hoovering up all data by tapping backbone links harder. It also reduces the chance for the spooks to say "ah, his data is encrypted -- he must be a terrorist".

And, it makes it safer when you later decide to add a hidden page to Foofie's web site to make the Anarchist's Cookbook available -- no one can watch your traffic to see whether people are reading the poodle's page or the secret page.

3
0

UK.gov eyes up virtual currencies, fingers red tape dispenser

Graham Cobb

Re: The problems with bitcoin, as seen by governments

Sorry, Martijn Otto, you are fantasising. I am a strong proponent of privacy (see my other posts) and I am a strong supporter of both cash and bitcoin, but I am realistic about bitcoin.

1. The government most certainly can regulate it. As you said, they can regulate exchange. They can also require people to declare bitcoin usage -- and most legitimate users will comply. Bitcoin is much more traceable than cash (although it is easier to anoymise than other financial networks). Money laundering is a serious concern for governments and if large amounts of money are laundered through bitcoin, governments will get very heavy handed with it. You certainly can block a bitcoin transaction: put the participants in jail.

2. Financial institutions have plenty of opportunity to make money from bitcoin. Do you think that the needs for loans and savings accounts go away with bitcoin? Do you think that bitcoin credit cards will have transaction fees any lower than todays credit cards? Banks make a lot of money helping people and businesses handle cash today and they will make just as much money from bitcoin. The only people who could be disintermediated by bitcoin are money transfer networks: but they will find plenty of value to add in making transactions easy, handling taxation and reporting, providing escrow and insurance, etc.

3. You certainly can seize bitcoin. Most user's bitcoins are held in third party wallets, which are easy to seize. Even if they aren't, it is easy enough to order the holder to transfer the bitcoin to a government-controlled wallet.

Bitcoin is certainly very useful, but it doesn't undermine either governments or financial institutions!

5
0

Page:

Forums