* Posts by Harry Stottle

234 posts • joined 2 May 2007


Put down the cat, coffee, beer pint, martini, whatever you're holding, and make sure you've updated Chrome (unless you enjoy being hacked)

Harry Stottle

No Mint expertise

Not even a Mint user, but can't you just download a full installation and run that? On Windows, that didn't use to overwrite my settings.

To be safe, though, you probably ought to back up your settings. This page will give you a clue what to look for and where (though it's windoze-centric, so you'll have to extrapolate).

'Course, I haven't tried it for a few years, since I switched to SRWare Iron (privacy-protecting Chrome fork).

My question to the panel is "is Iron equally at risk?" but I think the "Chromium" question above might have answered that...

Good luck.

When 2FA means sweet FA privacy: Facebook admits it slurps mobe numbers for more than just profile security

Harry Stottle

Re: The Age of Surveillance Capitalism

Wry note for the tinfoil hat brigade.

After writing that obviously enthusiastic support for Zuboff's analysis, I decided to throw caution to the winds and buy her book (Kindle version, if you care). Accidentally found myself on Amazon.com (instead of .co.uk, where my account resides). Was confronted with the unsurprising news that it is already the "#1 best seller", but this was accompanied by the somewhat less expected news that "This title is currently not available for purchase", which makes its #1 best seller status something of a miracle.

There's almost certainly a non-conspiratorial reason for the current block on its sale. I'm sure even the TLAs don't have the clout to suspend a title on Amazon (not, at least, without the judicial theatre of a court injunction), but it did add some flavour to the moment.

Happily, the UK site let me buy it.

Harry Stottle

The Age of Surveillance Capitalism

The latest media-hyped response to this syndrome is Shoshana Zuboff's "Age of Surveillance Capitalism (etc)".

Downloaded the Intercept video podcast yesterday and listened to it last night (watching isn't necessary). It's a dual presentation with her and Naomi (Shock Doctrine) Klein.

Obviously I was sympathetic to their overall message, but it was hardly news to any Reg readers, especially those of us who have been punting the "Privacy=Security" message since the tail end of the last century. And they're a bit short of technical grasp, which is forgivable. It's not their field.

However, they were making a particular argument which I can only label as classic conspiracy theory and which even I, who recognise and preach the dangers of GooMazonSoftBook et al, found a bit of a stretch. And I don't know whether it's the phase of the moon or this story which has pushed me over the edge, but this morning their analysis feels a whole lot more plausible.

Short version: They all started out with good intentions. Google, in particular, professed hatred of advertising and proclaimed it as a threat to the net. They also recognised the horrendous potential for intimate surveillance and set their pitch against that, most famously with their (now retired) "Do No Evil" mission statement.

Then came 9-11

And all plans to improve privacy protection (from legislators and businesses alike) were rolled into reverse. This (conspiracy alert) was orchestrated by the TLAs, who realised that private companies could get away with things they could not because (believe it or not) the TLAs were more accountable and couldn't ignore the constitution. Private companies could.

So, virtually overnight, the nascent talk of privacy protection became talk of the need to invade your privacy for your own - and the nation's - protection.

All the politicians had to do, to complete the coup, was to legislate mandatory reporting, on demand, of any private data the TLAs wanted by those private companies, who were also granted huge leeway to get on with scraping all the private data they could eat. Add on the mythical oversight by the judicial rubber-stamping process and you've squared the circle. You've introduced the Stasi-Panopticon 2.0 into what citizens laughingly think of as liberal democracies, and nobody but us weirdos has even noticed or, if they have, they don't realise they have now reverted to Serfdom with its new name - "users".

The book has already made a big splash. It'll be interesting to see if it can "wake" the "users" out of their soma-inspired complacency.

HPE wants British ex-CFO to testify in UK Autonomy lawsuit before Uncle Sam sentences him

Harry Stottle

Ponzi Scheme

Love the phrase "unsustainable Ponzi scheme", which implies the existence of sustainable Ponzi schemes, presumably like the US Dollar and other Fiat currencies?

Here come the riled MPs (it's private, huh), Facebook's a digital 'gangster' ('disingen-u-ous'). Zuckerberg he is a failure (on sharing data)

Harry Stottle

The Hypocritic Oath

Just one of many I screamed at the radio.

Difficult to rein in my rage on hearing this story and the unquestioning BBC "Today" toadying to its proponents on this morning's show.

Let's make it clear from the start that I recognise the reality of the problem they identify. Fake news, disinformation, targeted propaganda etc are all widespread evils not just hosted by the internet's big beasts but engineered as income streams.

But for senior politicians to come out swinging about this issue is about as egregious as Hitler complaining about Stalinist purges.

Someone needs to do a PhD on this shit but my starting hypothesis would be that, if we could find an objective way to measure Fake news and Disinformation and track it to its sources, the single largest contributors, throughout human history, have always been governments or those aspiring to govern.

I was going to list examples but I doubt if any fellow Reg readers need them.

I'll just comment on why the BBC and UK Parliament are so happily aligned on this issue. They both have a vested interest in portraying themselves as the gold standard of verifiable political fact. Commercial upstarts like Fakebook have no business muscling in on their pitch. A biblical quote featuring motes and eyes comes to mind...

Use an 8-char Windows NTLM password? Don't. Every single one can be cracked in under 2.5hrs

Harry Stottle

Hashing<>Encryption

@ DaLo

At the risk of teaching the occasional grandmother to suck eggs, I feel the urge to correct a few errors in your post.

Encryption entails a (roughly) 1 to 1 relationship between plaintext and ciphertext, i.e. for every character in the plaintext there should be at least one in the ciphertext (ignoring compression).

Cryptographic hashing produces a fixed-length output regardless of the size of the input. Using SHA256, for example, anything we hash will produce a 32-byte hash - whether it's your 8-character password, or War and Peace.

One consequence of the difference is that hashing algorithms are NOT vulnerable to poor quality entropy (e.g. the output from weak random number generators). If they used randomness at all, they wouldn't work, because the hashes for a fixed input would usually vary.

Bcrypt is the exception to that rule. It is optimised for password handling. For example, the maximum input length is (from memory) 256 characters. And it does include randomness and thus always produces a different hash for a given input, which, amongst other things, means you can't test a Bcrypt password simply by repeating the hashing process. You need a partial decryption process which reads a section of the hash to determine the randomness which produced it, so it can verify the input against the output.

And bcrypt passwords can even vary (slightly) in length (which confused the fuck out of me when I was learning how to use it), and it doesn't run the hashing process once but, typically, a few thousand times (user configurable). All these tricks are how bcrypt makes Brute Force attacks thousands of times more time consuming. It SHOULD, by now, be the standard hashing technique for all passwords. If the NTLM passwords were Bcrypt hashed, they'd still be safe!
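An added illustration of the points in the post above (example code written for this page, not from the post or from the bcrypt project): a plain hash is fixed-length and deterministic, whereas a bcrypt-style password hash carries its own random salt and round count inside the stored string, so the verifier can re-derive the result instead of repeating a deterministic hash. It uses the standard library's PBKDF2 rather than bcrypt itself, and the `$pbkdf2-sha256$rounds$salt$key` layout is an assumption of this example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Stored-string layout assumed by this example, modelled on bcrypt's idea that
# everything needed to verify (scheme, work factor, salt) lives inside the hash:
#   $pbkdf2-sha256$<rounds>$<base64 salt>$<base64 derived key>
SCHEME = "pbkdf2-sha256"
DEFAULT_ROUNDS = 200_000


def plain_digest(data: bytes) -> bytes:
    """Unsalted cryptographic hash: fixed 32-byte output for any input size,
    and deterministic, so equal inputs always give the same value (which is
    why one precomputed table covers every user of an unsalted scheme)."""
    return hashlib.sha256(data).digest()


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, rounds: int = DEFAULT_ROUNDS,
                  salt: Optional[bytes] = None) -> str:
    """Derive a salted, iterated hash and pack salt and rounds alongside it.
    Each call with a fresh salt yields a different string for the same password."""
    if salt is None:
        salt = os.urandom(16)            # fresh randomness per stored hash
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return f"${SCHEME}${rounds}${_b64(salt)}${_b64(dk)}"


def parse_stored(stored: str) -> Tuple[int, bytes, bytes]:
    """Recover rounds, salt and derived key from the stored string: the
    'read a section of the hash' step that makes verification possible."""
    parts = stored.split("$")
    if len(parts) != 5 or parts[0] != "" or parts[1] != SCHEME:
        raise ValueError("unrecognised password hash format")
    return int(parts[2]), base64.b64decode(parts[3]), base64.b64decode(parts[4])


def verify_password(password: str, stored: str) -> bool:
    """Re-run the derivation with the salt and rounds taken from the stored
    string and compare the result in constant time."""
    rounds, salt, expected = parse_stored(stored)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    stored = hash_password("correct horse battery")
    print(stored)
    print("verify ok:", verify_password("correct horse battery", stored))
    print("wrong pw :", verify_password("correct horse batter", stored))
```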

UK Home Office dumps huge sack of complex data sets on biometrics ethics board's desk, goes for beer (probably)

Harry Stottle

Call me cynical

because I am.

The purpose of an Ethics board should be to advise on "how we should behave?"

The purpose of this one, I would wager, is to determine "what can we get away with?"

One click and you're out: UK makes it an offence to view terrorist propaganda even once

Harry Stottle

Re: Terrorist material

you've just reminded me of my own schooldays (late 60s), where I spent my first year of Sixth form, with the blessing and occasional assistance of the (boarding) school, teaching myself to construct and test small rockets (max range 15 miles) using, mainly, a zinc sulphur mix as the propellant. Proudest day of my life remains the first public test, where half the school turned out to watch it fail. Missed the target flag, 1000 yards from the launcher, by 9 feet.

Chances of any modern schoolkid having that experience?

Harry Stottle

So how would I write something like this?

I posted this essay on Militant Islam in 2006. It entailed a few months of research and crawling over their propaganda and published statements. Enough to lock me away for life, it would now seem. I don't appear to be protected by any of their "reasonable defences". It wasn't an academic exercise (in any formal sense). I was (am) just one of many concerned citizens trying to make sense of what goes on in the minds of authoritarians. That seems to have become increasingly necessary ever since, as outrageous policy proposals like this clearly illustrate.

If you want a vision of the future, imagine not a boot stamping on a face, but keystroke logging on govt contractors' PCs

Harry Stottle

Goose and Ganders

First off, no politician (or authority in general) should even be permitted to make proposals like this until they themselves are already properly accountable.

That should be a statement of the bleedin' obvious but obviously isn't, which is why I keep having to say it.

Second, particularly in the higher end of the IT field which this appears to target, the notion that capturing computer-based activity correlates with the value of any work being done betrays complete ignorance of the creativity which adds the real value to any project. This is related to the earlier comments which touch on the difference between quantity and quality. Yes, we've all had intense sessions where we pump out thousands of lines of code which all looks very productive (till you run it). But equally, I can sometimes spend hours looking at a blank screen, or perhaps a simple diagram on it, or even playing a mindless game, while trying to solve a problem, which eventually concludes with me typing one or two lines of code which achieve the desired result with elegance.

Third, there are definitely use cases where such direct surveillance is justified, though sometimes we're lucky it wasn't enforced. Think Edward Snowden! More importantly, one of the measures that should be mandatory alongside GDPR is that anyone with access to sensitive data which isn't their own should be obliged to keep a private encrypted copy of their machine activity, periodically snap-shot and hashed to a publicly available immutable audit trail; so that in the event of any challenge to their handling of that data, they are in a position to prove their innocence, if necessary "in camera" to a trusted jury. However, should they be challenged and refuse to make that evidence available, we should be entitled to assume their guilt.

(This concept is argued in somewhat more detail here.)

No fax given: Blighty's health service bods told to ban snail mail, too

Harry Stottle

ProtonMail

Protonmail is already up and running and easily the best combination of security and user friendliness currently available. It's certainly easier than using gmail nowadays.

Two ways it could work. First option, anyone wishing to sign up for email contact should be encouraged to go and get their free PM account and make that their default email address (if advising novices, include advice on strong passwords). GPs could do the same but would be kicking against the bosses' official line. Those few with the cojones to place patient trust and confidentiality ahead of "just following orders" will proceed regardless. Result: patchy adoption and plenty of friction.

Best would be if NHS signed a contract with PM to provide the service. That would send such an amazingly positive message to the world in general that the long term consequences are impossible to estimate. And PM would get a solid funding boost which would enable their operation to spread further and faster. Of course this won't happen. The spooks won't permit such a dangerous publicly endorsed precedent. But it makes for a good daydream.

Option 1 remains available.

Google's stunning plan to avoid apps slurping Gmail inboxes: Charge devs for security audits

Harry Stottle

We look forward to Gmail's Own Security Audit

I'm unaware of any formal security audit of Gmail itself. That could just be ignorance on my part, but I have searched, using google of course, and failed to find one. (Kindly correct me if I've missed it)

Assuming its absence is not my oversight, I presume Google intend to lead by example.

Other fairy stories are available

Google: All your leaked passwords are belong to us – here's a Chrome extension to find them

Harry Stottle

Keepass - with Tusk - stored in Sync

I used to use and recommend Roboform, until they made it increasingly difficult to host your own keys and insisted on driving everyone into their cloud. I might even have persisted with that, had they responded intelligently to my request for sight of their security audit or equivalent, and details of the security structure which would prevent them (or anyone else) getting at my key collection. Instead they responded with marketing hype.

So then I did the research and went looking for any open source option which had not been caught with its digital trousers around its ankles. That very quickly led me to Keepass.

It's probably perfect for most Reg readers because you're likely to be on the geek spectrum, but it's way over the heads of "normal" users, which is a shame because it offers very strong and configurable protection.

My only real beef with it was the absence of what I considered to be the most user-friendly feature of Roboform - its ability to act as a bookmark database and, having found the bookmark, take you to the site and log in automatically (like the password managers built into most browsers).

But then I found Tusk which does a reasonable job of imitating the Roboform functionality. I have it installed in both Firefox and Iron. Has its quirks and limitations but has done a good job of keeping the browser security under control without breaching the underlying "wallet".

Limitation example: it can't capture newly created credentials while in browser. You have to open up Keepass (separately) to access things like its password generator, then add the new "account" to Keepass and save it. Then you have to deselect the Keepass kdbx file from Tusk and reselect it to get the updated version.

That's a bit of a faff, especially if you're also a Sandboxie user. (has to be done outside the sandbox or it'll be forgotten at the end of the session)

That's the kind of thing that stops it being "user friendly" enough for mere mortals, but digital warriors like us will find it reassuringly difficult.

One other thing. Other Keepass commentards above have pointed out that its "non cloud". Which it is. But Tusk tries to nudge you into storing your keys in the cloud, so you can access them anywhere. It does have a "local file" option, which I use.

But I'm also happy with the security of the cloud provider sync.com and have a 1Tb account with them (they also do free 5Gb accounts). They're the only cloud service who have managed to convince me that they offer true blind encryption (even they cannot see what I store in their box).

So I'm happy to store my keyfile in Sync (stored as a "Local File"), where it's still protected by my strong password, but accessible from any of my devices.

Strongly recommended for those who object to Security Theatre.

Now you, too, can snoop on mobe users from 3G to 5G with a Raspberry Pi and €1,100 of gizmos

Harry Stottle

Re: This is why calls should have end to end encryption

Unless you're using the new feature (version 8+) "Private Conversation" I hope you're not under any illusion that your "normal" Skype calls are E2EE. Frankly, we should be seriously sceptical even about their so called Private Conversation. There is no formal independent audit (in the public domain) to verify its claims and Microsoft's track record of co-operation with the TLAs is legendary (and, as many of us, including fellow Reg commentards, speculated at the time, probably accounts for their purchase of Skype in the first place)

I've tried out their allegedly "Private Conversation" and it "feels" like Security Theatre. Unlike the much better attested E2EE options (e.g. Wire, Viber, Blizz, Signal, Qtox, Wimi, etc.), all of which manage to cope with conference calls and video, and some of which also manage screen sharing, Skype's PC offers voice only and one party at each end only. No video, no screen sharing. Why is that? I can list some of the more obvious options:

1) the other providers are incompetent and bluffing about their security.

2) Microsoft are unable to find competent security engineers to create their own multiparty version

3) They have calculated this is the "least they can do" to ward off demands for genuine privacy/security but by making its functionality so limited, they ensure that most users will ignore it (and stick out like sore thumbs when they choose it)

4) They just want to make users feel "it's so limited it must be secure" while, in reality the TLAs continue to have unimpeded access.

My money's on the last option, with an each way bet on (3)

Facebook spooked after MPs seize documents for privacy breach probe

Harry Stottle

Missing Information

First off, brilliant stroke by Parliament. For a change, someone was awake at the wheel.

But

a) how and why was the "victim" of this attack carrying such sensitive data around with him in the UK or, if he wasn't, how could he be compelled, with no legal role in FB, to access and hand over the data?

b) how did the authorities over here even learn that the opportunity existed?

Regardless, I'm impressed.

Bedroom design outfit slapped with £160k fine for 1.6 million spam calls

Harry Stottle

2nd Offence should mean Jail Time...

1st time can be accident or ignorance

2nd time, post penalty, that's policy...

Swedish ISP spanked for sexist 'distracted boyfriend' advert for developer jobs

Harry Stottle

The first time

I've ever felt justified, or even motivated, to use the phrase "Political Correctness Gone Mad"

MI5: Gosh, awkward. We looked down the sofa and, yeah, we *do* have intel on privacy bods

Harry Stottle

The Show Must Go On

Investigations like this are all part of the ongoing Accountability Theatre.

Until all such intel and data gathering entities are legally required to make their data auditable with digital immutability, reviewed, on demand, by impartial juries (not the State and its poodles), the routine civil abuses and steady growth of authoritarian Police States will continue apace...

Cookie clutter: Chrome saves Google cookies from cookie jar purges

Harry Stottle

Sandboxie is your friend

First line of defence for me and most of my clients.

This particular issue is trivial for SB users. If you've set the relevant sandbox to delete on exit, whatever google et al have dumped onto your machine (cookie caches, profiles, unwanted updates, plugins etc etc) all evaporate on exit.

More important than that, in the ten years or so since I started bullying my clients into using it, it has caught and prevented at least a dozen ransomware attacks and several dozen other malicious attempts to infect users. Typically, the ransomware will exhibit its normal behaviour (e.g. lock screen with warning that your hard drive has been encrypted and you need to pay bitcoins to this address to recover, blah blah) and my client calls me in a panic. The usual fix is "right click on the Sandboxie icon and choose terminate all programs". Threat and sweat eliminated instantly.

It's also particularly good for testing out software that you're not sure you can trust. Install it into its own sandbox (which you set NOT to delete on exit), then run as normal. If it does anything suspicious, it can't cause harm outside the box.

Unscrupulous users have suggested that it's also a good way to run "30 day trial" software forever (delete on expiry, rinse and repeat) but you didn't hear that from me.

The only downside is that it is so good at preventing change that you have to remember to disable the Sandbox to permit those changes you actually want (like browser updates, adding plugins etc)

I would say it has prevented far more damage than all my other routine defences put together (firewalls, av, anti-keyloggers, etc)

Bug? Feature? Power users baffled as BitLocker update switch-off continues

Harry Stottle

Why does anyone trust Bitlocker?

It's not open source and I can't imagine Microsoft permitting a formal security audit.

Given their close connection with the TLAs I'd place a reasonable bet that there's a backdoor in the code, but that's just my paranoia. More importantly, unlike open source alternatives like Veracrypt, there is no way to prove the absence of a back door.

I really don't get it. Anyone using bitlocker clearly has some desire for security and/or privacy, which implies a little bit more awareness of the issues than the common herd. How can they not be aware of that fundamental trust problem?

The only thing I can think of is that they're concerned about script kiddies or thieves or family members getting access to their data but don't mind if it's Microsoft or the Government. Weird!

Suggestions anyone?

That syncing feeling when you realise you may be telling Google more than you thought

Harry Stottle

er... does this apply to those of us who don't allow Chrome to store our passwords?

Not that I use Chrome for anything but the occasional test. When I need the chrome engine, I use SRWare Iron which studiously strips out the standard Chrome poison.

But I have clients who use Chrome and I have managed to persuade some of them to use Keepass.

If Chrome is able to log those users in without consent, it implies they're keeping our passwords in plaintext. (or, possibly, encrypted but with a key of their own) as opposed to the usual salted hash.

Anyone know the score on that?

Activists rattle tin to take UK's pr0n block to court

Harry Stottle

Precisely

The upside to the Snowden revelations was the massive uptake of End to End encryption. Still only a small percentage, but we're now seeing millions of Whatsapp/Telegram/Signal etc users, instead of the few tens of thousands who were using it.

The upside of crass authoritarianism like this proposed childish version of Age Verification will be, as you suggest, a massive uptake in VPN technology.

These assaults on basic liberties are training citizens in the vital art of subverting and bypassing government. Not yet quite at critical mass, but every little helps. Hopefully we can get there before it's too late and you've got a generation of nanny-state raised kids who don't know any better

Expanding Right To Be Forgotten slippery slope to global censorship, warn free speech fans

Harry Stottle

What's the alleged point?

Can someone please explain what is SUPPOSED to happen as a result of Google's "delisting"?

I came across this BBC Page a few months back, in a similar context. It lists all the pages google has allegedly delisted.

I tried a dozen or so of the links. You get to the BBC story. It's usually fairly obvious who would have an interest in suppressing the story. So then I went to google and pasted in their name to see what would come up. In all but one case the BBC story itself came up in the first page of results. In ALL cases, some other equally damaging reference to the person/story also appeared on the first results page.

So what exactly is the alleged effect/benefit of the delisting?

Chap asks Facebook for data on his web activity, Facebook says no, now watchdog's on the case

Harry Stottle

Re: Divided Loyalty

yes to this and...

Had the plaintiff been (instead) a "person of interest" to the FBI and they'd requested his entire history, I somehow doubt that FB would have dared give them the same response...

Encryption doesn't stop him or her or you... from working out what Thing 1 is up to

Harry Stottle

Privacy=Security

One of the hardest things to explain to the "If you've nothing to hide" fools is that if anyone can discover where you are, they also know where you aren't. Which, along with remotely "casing the joint" (google street view ferinstance), gives them all they need to know about when to break in.

The level of detail they can get from this extra level of surveillance is the icing on the cake. Now they can figure out what time you go to bed, get up, leave the house etc etc. Even more detailed than the "Smart Meters" they're trying to impose.

Welcome to Panopticon World...

Amnesty slaps Google amid crippled censored China search claims

Harry Stottle

First, they censored Chinese Searches...

The mere fact that they're prepared to do this has rendered their entire enterprise fundamentally untrustworthy. (or "even more so" for those who had already lost faith)

From this point on, until and unless they give us access to their code, we will never know whether, where, when and why similar algorithmic controls are being targeted against us in the "free" West. There are certainly many western governments, and many authoritarian advocates on both the right and left, who would welcome "search censorship" with open arms

UK 'fake news' inquiry calls for end to tech middleman excuses, election law overhaul

Harry Stottle

*Cough* Accountability Theatre (again)

Governments only really have one tool in their box (that they can understand well enough to deploy) and that is the hammer of Coercion. Naturally every problem they are confronted with becomes a nail.

And, in the context of Fake News and Social Media, that approach clearly and verifiably works. The Chinese don't have much of a problem with Fake News on Weibo. Better still they don't even have the problem of Real News that might be embarrassing to the government.

That's the kind of WinWin scenario that's bound to appeal to authoritarians around the planet, including, obviously, our own authoritarians in Parliament (not just Government).

The effective strategy for dealing with the problem is a minor variant on the strategy for dealing with Accountability Theatre. It wouldn't "prevent" Fake News (which is the authoritarian solution) so much as expose it and leave it dangling in the wind when set alongside Real News stories with verifiable sources and audit trails. And, of course, it would make much more difficult the suppression of Real News.

So don't expect to see Governments embracing this approach any time soon. But there's nothing to stop the "honest" media treading that path. It's in their interests more than most

Cardiff chap chucks challenge at chops*-checking cops

Harry Stottle

Re: ANPR Tagging and strategic use of ANPR at grid "pinch points" is becoming commonplace.

"The use of this technology should be transparent because if used in certain ways, it can distort democracy.

Every electronic device on our streets "monitoring/collecting data", e.g. electronic road signs, should have a marker where you can look up online exactly what resolution of video/image/audio is being collected, what processing of the image is taking place - facial/ANPR - and what cross-referencing is taking place against, say, Government databases.

Where this data is being stored, what is the purpose/justification and who has access to it, and what are the criteria being used to access such data/images. How many times has this data been accessed.

You get the point."

Well said, Sir (or Madam). We certainly do!

'Tesco probably knows more about me than GCHQ': Infosec boffins on surveillance capitalism

Harry Stottle

The Real Threat is State Seizure of Corporate Surveillance Data

I made the same point about Tesco's hold on your personal data in my "Datastrophe" blog back in 2007. But I also made the point that it is nowhere near as sensitive (or valuable) as the Data (then, recently) "mislaid" by the HMRC (see same blog).

I didn't make the point then which I do nowadays. Governments are - universally - the biggest bullies in the playground. The only reason we need to tolerate them at all is that, when they work remotely like they're supposed to, they help protect us from the other, lesser, bullies.

But increasingly, they are a) hoovering up increasing volumes of our personal data, either illegally, or only legally after a hasty adjustment to their laws, and b) increasingly abusing that data against the citizenry, either to suppress dissidence or to exert social control.

The excess hoovering now routinely includes their self-appointed "right" to demand our private data from the likes of Tescos (or ISPs, or Banks, etc etc) and THAT is the principal reason we should now object to "corporate surveillance": the mandatory right of the State to add it to their own ballooning collection.

Ultimately, of course the only credible protection against State abuse is going to be solving the problem of Accountability Theatre. I'm hopeful that may be closer than you might think...

GCHQ bod tells privacy advocates: Most of our work is making sure we operate within the law

Harry Stottle

Re: Legal =/= moral or right

To begin with, not relevant to your post but to the article and Levy's stereotypical response; I make my obligatory reference to Accountability Theater, which covers the issue of Surveillance amongst others.

In response to your rhetorical question: "Do you really want public employees making decisions about what is "moral or right" rather than "legal"?"

I draw your attention to the Nuremberg trials, where it was made explicit, in international law, that no citizen can use, in their defence, the argument that they committed the obviously immoral act only because they were "following orders" (legal or otherwise). This imposes a direct obligation on each citizen explicitly to consider the wider moral implications of their actions, over and above the Law of their land.

Clearly, for example, if the Law mandates the persecution of a class, race, religion or gender on no other basis than those attributes, it follows, from the Nuremberg judgements, that it is the duty of the citizen to challenge and disobey such laws.

So yes, we do want public employees, when making decisions on how to implement public policy, first to understand the law and what it mandates, but second to consider whether, in the circumstances of a given case, implementing the law as mandated would itself breach the implied higher laws of International ethics.

An obvious example of where precisely such employee overrides should have taken place (in the UK) has been aired in considerable detail recently in the context of the Windrush scandal, where civil servants have (for the most part) enthusiastically implemented the "hostile regime" designed primarily by the current Prime Minister during her role as Home Secretary.

In my view both the politicians who mandated that regime and the civil servants who implemented it have all committed serious criminal offences worthy of incarceration (though it would have been more fitting, had the option still existed, to have deported them to a prison colony).

One solution to wreck privacy-hating websites: Flood them with bogus info using browser tools

Harry Stottle

Re: Mutant 59 - Missing the point

@That One

you're missing a major point. Which is not unreasonable, given that Mutant 59 didn't make the point in the first place, or perhaps I should say "didn't make the point strongly enough".

These micro-payments alone would net the likes of google and facebook billions per year. That kind of money will attract AND FUND genuinely honest alternatives who regard their obligation to their users (who will probably also own the service) as fiduciary rather than predatory.

Frankly I strongly approve both strategies: Chaff to reduce the value of data to the parasites, and micro-payments to encourage the development of honest services.

Of course, nobody will read this as I'm posting a day too late and the tide's gone out but I want to put it on record anyway.

UK watchdog finally gets search warrant for Cambridge Analytica's totally not empty offices

Harry Stottle

Relatively simple fix...

This is a relatively simple example of another problem which can be fixed by the solution to Accountability Theatre.

Had the solution been in place for this instance, every data item or collection they'd ever received, together with all correspondence and recorded conversations about the project (including, for example, the internal emails from their Academic Colleagues at Cambridge, protesting at the "get rich quick" scheme) would have been hashed on receipt or creation and those hashes committed to an immutable audit trail. Mandatory access controls would have ensured that no data could be processed (or, in appropriate cases even accessed) without confirmation that its hash was duly recorded, along with identity and proof of access.

This process would render doubts and discussion about the length of time it takes to get warrants utterly irrelevant as the audit trail would either confirm the completeness of material - or reveal which items were missing or tampered with. As I say, (Relatively) Simples.

Solving the larger problem of Facebook (et al) leeching private data from their victims is not quite so simple, by virtue of scale. But the ability to prove, indisputably, who has agreed to, or authorised or implemented or paid for (whatever) would go a long way to forcing transparency into their murky world.

FYI: There's a cop tool called GrayKey that force unlocks iPhones. Let's hope it doesn't fall into the wrong hands!

Harry Stottle

Re: "Thanks for that excellent example of 'False dichotomy'."

The key phrase in your contribution is:

"It's like weapon, it can be a gun in the hands of a police officer saving you, or an AR-15 in the hands of a murderer shooting at you, if there is no sensible regulations and controls."

What you seem to be unaware of is that there ARE no SENSIBLE regulations and controls on the police (or any other agents of the state who might use technology like this on your phone/laptop/desktop etc)

We'd all be a lot more comfortable with State Surveillance if we knew (and could prove) that those doing the surveillance were themselves under the strictest form of surveillance. That's why I keep rabbiting on about Accountability Theatre.

VPN tests reveal privacy-leaking bugs

Harry Stottle

Excellent VPN testing advice

strongly recommend this site for those wishing to test their own VPNs...

My personal preference is for the open source PIA which doesn't get a mention in that previous link. I'll be testing it pronto...

Revealed: UK.gov's 'third direction' to keep tabs on spies' potentially criminal activities

Harry Stottle

Accountability Theatre

excuse my obligatory reference but if they will keep illustrating the problem I feel duty bound at least to try to kick off a discussion about the obvious solution...

Dropbox to let Google reach inside it and rummage about

Harry Stottle

At the risk of sounding like a sponsor...

We've been using dropbox for several years as the collection and distribution mechanism for our clients (our software creates encrypted customer backups and dumps them in the dropbox where we collect them and store them in 3 offline silos; we also use dropbox to distribute updates to our software)

Began to get nervous following the Snowden revelations and started looking around for alternatives using owner controlled encryption. Eventually found Sync (sync.com). We're now using paid 1Tb accounts on both though we're gradually migrating it all across to Sync. So far very impressed with them. Did a reasonable amount of due diligence and the security seems to stack up, though I've not seen them peer reviewed by the crypto community.

Much better level of control over who gets to see what and one feature I particularly like is that while we pay for the Tb account, we can share ALL of that with users who only sign up for the free 5Gb account. And I mean share as in full read write access, not just links to files.

But what we're increasingly using it for is secure communications. Create the document somewhere in an unshared area of your Sync box and you can send "privacy enhanced links" to your contacts, specifying passwords, expiry dates and download limits - with (anon) notification on download. I've actually nagged sync into going one step further and offering the option of email verified one time passwords, with notification, which would then make it a very easy way to deal securely with confidential and private material, complete with proof of delivery. They've put it on their "to think about" list.

In part my motive for this spiel is to raise awareness among fellow readers that there are alternatives to Dropbox we can trust but also to nudge more people into using their communication features and adding their nags to mine!

Microsoft finally injects end-to-end chat crypto into Skype – ish...

Harry Stottle

Re: Source code

yes and

what HAS prompted this response?

In contrast to Dan55's assertion that they must be haemorrhaging users, I see no evidence of that. Indeed, I'm in a running battle with colleagues, family and friends to get them to desert Skype BECAUSE it doesn't include E2EE and because I object even to the possibility that the NSA can eavesdrop on our calls at will. Most people don't give a damn.

So - tinfoil hats on please - the only obvious reason I can think of for Microsoft's sudden apparent support for conversational privacy - is much the same as the reason we thought Microsoft had bought Skype in the first place - i.e. to provide access on demand to the TLAs. I suspect the intention is to make it look like E2EE and market it as such and thus avoid a rush to true E2EE, which is the TLAs' worst nightmare.

So your point is critical. Without trusted independent verification of the source code and a means of verifying that the version we're actually using conforms to that code, their claims will be meaningless.

And I suggest that one way we can measure the authenticity of this project is to watch the reactions of the TLAs and authoritarian politicians. If they campaign against it - to the point that Microsoft are forced to defend the project in court - then it might just be real. If the response is muted, the conclusion will be obvious...

In either case, the Code verification is mandatory for the purposes of Trust.

ICO slammed for 'unfair' approach to FoI appeal by UK judges

Harry Stottle

Accountability Theatre By Design

this isn't just how Accountability Theatre works, it is how it is INTENDED to work. All they think they need is a smokescreen to make it look like grown ups are watching over the authoritarians on our behalf...

Firefox to warn users who visit p0wned sites

Harry Stottle

Re: 'Giving users what they don't want is classic Mozilla'

are you saying there IS an 'EFF Panopticlick' option? (i.e. something which defeats the browser id attack) If so, I, for one would bite yer arm off for a link...

So far I've been to the 'EFF Panopticlick' page but, other than the depressing evidence that I still haven't managed to defeat their identifier test, could see nothing that suggests a solution or even mitigation...

Another toothless wonder? Why the UK.gov's data ethics centre needs clout

Harry Stottle

I predict a whitewash

Generously we should allow them a year from first recruitment.

If after that time they haven't pronounced on the major elements of the Surveillance State - such as ANPR - and ruled its implementation unethical on the basis of its obvious Accountability Theatre, then its credibility will be on a par with fig leaves...

Microsoft scoops Search UI out from the gaping black maw of Cortana

Harry Stottle

Winaerotweaker and Everything will fix a number of your complaints

The easiest way to control most of the features you hate (or love) in Windoze is to install Winaerotweaker possibly combined with Spybot Antibeacon to kill telemetry. The solution to Search is Everything. All these are free.

WinAT contains about 200 settings organised by functional area (eg Desktop, Context Menu, Network etc)

Here are some of the features I personally favour:

Disable nearly ALL the "Call Home" features

App lookup in Store

Error Reporting

Web Search

Auto update of Store Apps

Cortana

Windows Ink

Telemetry

and Block all Ads

(although if you're still paranoid, install Anti-Beacon and remember to select all the items on the 2nd tab as well)

Disable driver updates (the ones most likely to bork your system/s)

Disable Windows updates easily (easiest is to set Ethernet connection as "metered") (more detailed version below)

Verbose logon messages (so if something delays shut down or startup you can usually identify the culprit)

Show seconds on your taskbar clock (didn't even know that was possible till I spotted it in WinAT)

Add various to the Context menus eg

File Hashing menu (brilliant if you're a regular hash checker, which I am)

"Kill Not Responding Tasks"

Shutdown menu (and change default behaviour)

Power Options

Remove the Shortcut and Shortcut arrow from your desktop icons

More detail on controlling Windows Updates:

Setting Ethernet as metered will halt the update process till you OK it but doesn't control what gets delivered.

For total blockage of Windows Updates, disable the service, but if you merely wish to control when it happens and (partially) restrict what gets updated:

download wushowhide.diagcab

It treats the update process as a troubleshooter but don't let that deter you.

Run it when you know updates are available. Choose the "Hide Updates" option when it's finished checking for updates. Tick those you do NOT want, close the "troubleshooter", then permit the update in the normal way.

For even tighter control (pro users and up only) use gpedit

/admin templates/windows components/windows update/configure automatic updates

click enabled and choose "2 - Notify for download and auto install"

you almost return control of the Windows update process to where it used to be pre W10

As for Everything, I cannot figure out why Microsoft hasn't bought him out.

It's genuinely a life changer for anyone with millions of files on their system (I currently have 7.6 million). It does what you kind of expected file search programs to do before you actually had to use one. i.e. INSTANTLY find all occurrences of relevant matches anywhere on your system. I'd really love to know how he's done it because he's clearly using the technology far better than Microsoft do. Example: I'd read someone raving in similarly favourable terms about it and sceptically thought, yeah, right. I'll try it out not expecting it to deliver.

Installed in seconds. Told me it was indexing my system. I thought fair enough - expected it to take days (like microsoft's indexing) or at least hours. It took less than a minute for my (then) 6.25 million files spread across 16 drives/partitions.

I didn't believe it, so I began to test it. Found files in places I didn't even know existed.

It has vastly improved my file management by helping me to avoid unnecessary duplication and reminding me where I store files relating to arbitrary topics. Who needs the Windows Search joke?

FCC boss Ajit Pai emits his net neutrality extermination plan

Harry Stottle

So where exactly is this proposed US Policy Working?

Genuine curiosity. This table of International Broadband speeds shows 19 countries with faster average download speeds than the US (and 30 faster than the UK).

Does any one of those permit the kind of throttling and content based restrictions which Pai is arguing will "improve" internet performance? I haven't studied their broadband policies but I haven't heard of anyone else having to resort to this kind of nonsense to achieve a better service.

So, on what basis, other than the favouring of selected vested interests, can the proposal be defended? More importantly, why aren't questions like that being aired in America?

Privacy Pass protocol promises private perusing

Harry Stottle

Re: Idealism, meet business model

@AC

didn't spot your comment till after I'd replied to Rob V

if you look at the examples I provide in that response, you'll understand that we're talking about the routine anonymous protection of digital data. Ours is a very light-weight solution where it is much easier to keep track of the hashes you've used to protect individual data items. The PK solution is too clumsy for what we anticipate will eventually be perhaps half a billion such transactions a day.

You might be interested in the comment I made a few weeks back (and the links therein)

Harry Stottle

Re: Idealism, meet business model

@Rob V

who probably won't get to read this because the crowd has moved on, but I'll put the reply here for the record, if for no other reason than being able to refer back to it myself at some later date

**********************

Another key feature of our solution is that we never hold or publish sensitive data. All we guarantee is proof of integrity of the data protected by the system. We have no idea what those data are and we don't need or want to know.

It's broadly suitable for anyone wishing to be able to prove - if challenged at a later date - that the relevant data remains as it was when registered.

Here are some of the things I've personally considered it useful to protect, anonymously:

Ensuring I can win any "their word against mine" arguments:

eg recordings of sensitive skype conversations I've had - the most significant of which were with sundry commercial services who have failed to deliver on (whatever) or threatened me with sanctions over perceived failures on my part (eg a 3 year row I had with Npower)

or more often, even when not in dispute, just wishing to ensure I had verifiable evidence of the exchange.

dash cam footage I've captured of extremely dangerous driving by other motorists (some of which I've passed to the Police)

dash cam footage of an accident where I was at fault but which was a minor collision (I sent that to my Insurance company. I needed to ensure that the other party didn't overclaim the damage)

drafts of intellectual property concepts I'm working on at various stages, but not yet ready to publish

covert recordings of interviews conducted between a disabled relative and a DWP agent performing an assessment of her condition with the intent of reviewing her benefit entitlements

Sundry predictions I've made where I anticipated needing to be able to prove that I'd made the prediction ahead of the actual event **

and so on.

In nearly all of the cases above, there was no need or desire on my part to publish either the material or my association with it. It was merely a sensible precaution.

Other examples I haven't personally used include the protection of photographs, music, poetry and literature, and any other digitally captured creative work, particularly in draft form

Contracts where neither party seeks or needs publicity

Entire audit trails - for example the accounts for a commercial company - including all the detail they would never normally publish. (But if challenged, can use the proof of integrity to show that an entire data set remains as it was at the relevant date)

In fact the list is endless. It is telling that in today's world even some Reg readers find it difficult to understand why Anonymity is a perfectly valid and reasonable requirement and how that doesn't conflict with people still wanting to be able to prove their claims if challenged. It's an example of what I call Anonymous Accountability.

**such as my 2015 prediction that the Republicans would nominate Trump. I didn't predict his actual election though! I was confident that the repubs were rabid enough to nominate him but I was also confident that the Americans as a whole were not stupid enough to elect him. Definitely got that one wrong!

Harry Stottle

Re: Idealism, meet business model

as it happens, I'm working on something very similar, which, if I get it right, will also deal with the problem of things like anonymous proof of various attributes like Age, Nationality, gender, arbitrary memberships, etc

Of course, I can't tell you too much, or I'd have to kill you, but I'll give you one use case for free.

Our system will allow authors to register their "ownership" of a document anonymously, with a view to third parties to whom the document is distributed being able to prove its integrity. It also allows them to revoke that registration later as having been superseded by a later version of their document. Obviously, we don't want anyone but the legitimate author to be able to issue such updates/revocations. Hence the need for anonymous authentication where, in this case, all you're proving is that you are the same entity who created the original document...
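The mechanism sketched across these replies (and in the earlier Cambridge Analytica post: hash on receipt, commit the hash to an immutable audit trail, prove integrity later, and let only the original registrant supersede an entry) can be shown in a few dozen lines. The code below is an added illustration written for this page, not the poster's system or any product's code. It assumes a SHA-256 hash chain as the "immutable audit trail" and a hash-of-a-one-time-secret commitment as the anonymous owner credential; both are choices made here for illustration, and the sample documents are constructed.

```python
import hashlib
import json
import secrets


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def new_owner_secret() -> bytes:
    # One-time secret kept by the registrant; only its hash is recorded.
    return secrets.token_bytes(32)


class IntegrityRegistry:
    """Append-only, hash-chained register of content digests.

    The register never sees content: only SHA-256 digests, timestamps and the
    registrant's commitment (hash of a secret the registrant keeps). This is a
    constructed illustration, not any real service's design.
    """

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: list[dict] = []

    @staticmethod
    def _digest(body: dict) -> str:
        # Canonical JSON so every verifier hashes exactly the same bytes.
        return sha256_hex(json.dumps(body, sort_keys=True).encode())

    def _append(self, body: dict) -> int:
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        body = dict(body, prev_hash=prev)
        self.entries.append(dict(body, entry_hash=self._digest(body)))
        return len(self.entries) - 1

    def register(self, content_hash: str, owner_commitment: str, timestamp: int) -> int:
        """Record a digest anonymously; the returned index is the receipt."""
        return self._append({"type": "register", "content_hash": content_hash,
                             "owner": owner_commitment, "ts": timestamp})

    def supersede(self, old_index: int, owner_secret: bytes,
                  new_content_hash: str, new_commitment: str, timestamp: int) -> int:
        """Replace an earlier entry; only the holder of the secret behind its
        commitment can do so, which proves 'same entity' without any identity."""
        if not self.is_current(old_index):
            raise ValueError("entry already superseded")
        if sha256_hex(owner_secret) != self.entries[old_index]["owner"]:
            raise PermissionError("secret does not open the original commitment")
        # The revealed secret is one-time, so publishing it lets anyone re-check
        # the authorisation later; a fresh commitment guards the new version.
        return self._append({"type": "supersede", "supersedes": old_index,
                             "proof": owner_secret.hex(),
                             "content_hash": new_content_hash,
                             "owner": new_commitment, "ts": timestamp})

    def verify_chain(self) -> bool:
        """Recompute every link; an edit, deletion or reorder breaks the chain,
        and every supersession must still open the commitment it references."""
        prev, replaced = self.GENESIS, set()
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if body["prev_hash"] != prev or self._digest(body) != entry["entry_hash"]:
                return False
            if entry["type"] == "supersede":
                ref = entry["supersedes"]
                if ref in replaced or sha256_hex(bytes.fromhex(entry["proof"])) != self.entries[ref]["owner"]:
                    return False
                replaced.add(ref)
            prev = entry["entry_hash"]
        return True

    def is_current(self, index: int) -> bool:
        return not any(e["type"] == "supersede" and e["supersedes"] == index
                       for e in self.entries)

    def check(self, index: int, data: bytes) -> bool:
        """Does this data match the registered digest inside an untampered chain?"""
        return self.verify_chain() and self.entries[index]["content_hash"] == sha256_hex(data)


if __name__ == "__main__":
    reg = IntegrityRegistry()
    draft_v1 = b"constructed sample: invention notes, version 1"  # constructed input
    s1 = new_owner_secret()
    i1 = reg.register(sha256_hex(draft_v1), sha256_hex(s1), timestamp=1_700_000_000)
    print("v1 intact:", reg.check(i1, draft_v1), "tampered copy:", reg.check(i1, draft_v1 + b"!"))
    s2 = new_owner_secret()
    i2 = reg.supersede(i1, s1, sha256_hex(draft_v1 + b" (revised)"), sha256_hex(s2), 1_700_086_400)
    print("v1 current:", reg.is_current(i1), "v2 current:", reg.is_current(i2))
```

A third party holding a copy of the document and the receipt index can run `check()` without learning who registered it, and the register operator learns nothing about the content. The one-time secret must be fresh for every registration, since superseding an entry reveals it.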

The NAKED truth: Why flashing us your nude pics is a good idea – by Facebook's safety boss

Harry Stottle

A better idea would be Face only...

this suggestion is predicated on the notion that a nude photo without a face (or name) is rarely a hostage to fortune.

if users could submit one or two "face only" photographs, with some sensible evidence that it was indeed their own face (eg an automated web cam session using the face recognition they're already experimenting with), then farcebook could introduce a new rule.

No photograph which includes a recognizable face (nude or otherwise) can be posted, except by the owner of the face, or with the explicit recorded permission of the face-holder. That would kill many birds with one stone...

UK.gov: IT contracts should be no more than 7 years. (Not 18, Fujitsu)

Harry Stottle

Re: Missing the point

and, in addition...

why not have a simple rule along the lines of:

if any project requires ongoing support from more than (n) personnel after year(y), then the contract should include the training of suitably vetted or recruited in-house staff with, say, a 12 month hand-over period...

I'm sure one size wouldn't fit all, but as a template, that's the kind of model that might begin to wean us off the current model.

Automatic for the people: Telcos forced to pay for giving you crap services

Harry Stottle

No excuse for the 15 month delay

In addition to MrBanana's comment, the 15 month delay might well be justified as the date by which the compensation will be handled AUTOMATICALLY, but there's no reason at all why we shouldn't be able to lodge MANUAL claims today...

Would be nice to add a small legal tweak to the effect that any claims not dealt with within, say, 30 days, will automatically be approved if submitted to a small claims court (with appropriate evidence of course).

That should make the buggers' eyes water...


Biting the hand that feeds IT © 1998–2019