* Posts by Harry Stottle

202 posts • joined 2 May 2007

Page:

One solution to wreck privacy-hating websites: Flood them with bogus info using browser tools

Harry Stottle

Re: Mutant 59 - Missing the point

@That One

you're missing a major point. Which is not unreasonable, given that Mutant 59 didn't make the point in the first place, or perhaps I should say "didn't make the point strongly enough".

These micro-payments alone would net the likes of google and facebook billions per year. That kind of money will attract AND FUND genuinely honest alternatives who regard their obligation to their users (who will probably also own the service) as fiduciary rather than predatory.

Frankly I strongly approve both strategies: Chaff to reduce the value of data to the parasites, and micro-payments to encourage the development of honest services.

Of course, nobody will read this as I'm posting a day too late and the tide's gone out but I want to put it on record anyway.

3
0

UK watchdog finally gets search warrant for Cambridge Analytica's totally not empty offices

Harry Stottle

Relatively simple fix...

This is a relatively simple example of another problem which can be fixed by the solution to Accountability Theatre.

Had the solution been in place for this instance, every data item or collection they'd ever received, together with all correspondence and recorded conversations about the project (including, for example, the internal emails from their Academic Colleaugues at Cambridge, protesting at the "get rich quick" scheme) would have been hashed on receipt or creation and those hashes committed to an immutable audit trail. Mandatory access controls would have ensured that no data could be processed (or, in appropriate cases even accessed) without confirmation that its hash was duly recorded, along with identity and proof of access.

This process would render doubts and discussion about the length of time it takes to get warrants utterly irrelevant as the audit trail would either confirm the completeness of material - or reveal which items were missing or tampered with. As I say, (Relatively) Simples.

Solving the larger problem of Facebook (et al) leeching private data from their victims is not quite so simple, by virtue of scale. But the ability to prove, indisputably, who has agreed to, or authorised or implemented or paid for (whatever) would go a long way to forcing transparency into their murky world.

4
0

FYI: There's a cop tool called GrayKey that force unlocks iPhones. Let's hope it doesn't fall into the wrong hands!

Harry Stottle

Re: "Thanks for that excellent example of 'False dichotomy'."

The key phrase in your contribution is:

"It's like weapon, it can be a gun in the hands of a police officer saving you, or an AR-15 in the hands of a murderer shooting at you, if there is no sensible regulations and controls."

What you seem to be unaware of is that there ARE no SENSIBLE regulations and controls on the police (or any other agents of the state who might use technology like this on your phone/laptop/desktop etc)

We'd all be a lot more comfortable with State Surveillance if we knew (and could prove) that those doing the surveillance were themselves under the strictest form of surveillance. That's why I keep rabbiting on about Accountability Theatre.

14
0

VPN tests reveal privacy-leaking bugs

Harry Stottle

Excellent VPN testing advice

strongly recommend this site for those wishing to test their own VPNs...

My personal preference is for the open source PIA which doesn't get a mention in that previous link. I'll be testing it pronto...

4
1

Revealed: UK.gov's ‘third direction’ to keep tabs on spies’ potentially criminal activities

Harry Stottle

Accountability Theatre

excuse my obligatory reference but if they will keep illustrating the problem I feel duty bound at least to try to kick off a discussion about the obvious solution...

3
0

Dropbox to let Google reach inside it and rummage about

Harry Stottle

At the risk of sounding like a sponsor...

We've been using dropbox for several years as the collection and distribution mechanism for our clients (our software creates encrypted customer backups and dumps them in the dropbox where we collect them and store them in 3 offline silos; we also use dropbox to distribute updates to our software)

Began to get nervous following the Snowden revelatations and started looking around for alternatives using owner controlled encryption. Eventually found Sync (sync.com). We're now using paid 1Tb accounts on both though we're gradually migrating it all across to Sync. So far very impressed with them. Did a reasonable amount of due diligence and the security seems to stack up, though I've not seem them peer reviewed by the crypto community.

Much better level of control over who gets to see what and one feature I particularly like is that while we pay for the Tb account, we can share ALL of that with users who only sign up for the free 5Gb account. And I mean share as in full read write access, not just links to files.

But what we're increasingly using it for is secure communications. Create the document somewhere in an unshared area of your Sync box and you can send "privacy enhanced links" to your contacts, specifyiing passwords, expiry dates and download limits - with (anon) notification on download. I've actually nagged sync into going one step further and offering the option of email verified one time passwords, with notification, which would then make it a very easy way to deal securely with confidential and private material, complete with proof of delivery. They've put it on their "to think aboout" list.

In part my motive for this spiel is to raise awareness among fellow readers that there are alternatives to Dropbox we can trust but also to nudge more people into using their communication features and adding their nags to mine!

3
0

Microsoft finally injects end-to-end chat crypto into Skype – ish...

Harry Stottle

Re: Souce code

yes and

what HAS prompted this response?

In contrast to Dan55's assertion that they must be haemorrhaging users, I see no evidence of that. Indeed, I'm in a running battle with colleagues family and friends to get them to desert Skype BECAUSE it doesn't include E2EE and that I object even to the possibility that the NSA can eavesdrop on our calls at will. Most people don't give a damn.

So - tinfoil hats on please - the only obvious reason I can think of for Microsoft's sudden apparent support for conversational privacy - is much the same as the reason we thought Microsoft had bought Skype in the first place - i.e. to provide access on demand to the TLAs. I suspect the intention is make it look like E2EE and market it as such and thus avoid a rush to true E2EE which is the TLAs worst nightmare.

So your point is critical. Without trusted independent verification of the source code and a means of verifying that the version we're actually using conforms to that code, their claims will be meaningless.

And I suggest that one way we can measure the authenticity of this project is to watch the reactions of the TLAs and authoritarian politicians. If they campaign against it - to the point that Microsoft are forced to defend the project in court - then it might just be real. If the response is muted, the conclusion will be obvious...

In either case, the Code verification is mandatory for the purposes of Trust.

3
2

ICO slammed for 'unfair' approach to FoI appeal by UK judges

Harry Stottle

Accountability Theatre By Design

this isn't just how Accountability Theatre works, it is how it is INTENDED to work. All they think they need is a smokescreen to make it look like grown ups are watching over the authoritarians on our behalf...

0
0

Firefox to warn users who visit p0wned sites

Harry Stottle

Re: 'Giving users what they don't want is classic Mozilla'

are you saying there IS an 'EFF Panopticlick' option? (i.e. something which defeats the browser id attack) If so, I, for one would bite yer arm off for a link...

So far I've been to the 'EFF Panopticlick' page but other than the depressing evidence that I still haven't managed to defeat their identifier test, could see nothing that suggests solution or even mitigation...

1
0

Another toothless wonder? Why the UK.gov's data ethics centre needs clout

Harry Stottle

I predict a whitewash

Generously we should allow them a year from first recruitment.

If after that time they haven't pronounced on the major elements of the Surveillance State - such as ANPR - and ruled its implementation unethical on the basis of its obvious Accountability Theatre, then its credibility will be on a par with fig leaves...

4
0

Microsoft scoops Search UI out from the gaping black maw of Cortana

Harry Stottle

Winaerotweaker and Everything will fix a number of your complaints

The easiest way to control most of the features you hate (or love) in Windoze is to install Winaerotweaker possibly combined with Spybot Antibeacon to kill telemetry. The solution to Search is Everything. All these are free.

WinAT contains about 200 settings organised by functional area (eg Desktop, Context Menu, Network etc)

Here are some of the features I personally favour:

Disable nearly ALL the "Call Home" features

App lookup in Store

Error Reporting

Web Search

Auto update of Store Apps

Cortana

Windows Ink

Telemetry

and Block all Ads

(although if you're still paranoid, install Anti-Beacon and remember to select all the items on the 2nd tab as well)

Disable driver updates (the ones most likely to bork your system/s)

Disable Windows updates easily (easiest is to set Ethernet connection as "metered") (more detailed version below)

Verbose logon messages (so if something delays shut down or startup you can usually identify the culprit)

Show seconds on your taskbar clock (didn't even know that was possible till I spotted it in WinAT)

Add various to the Context menus eg

File Hashing menu (brilliant if you a regular hash checker, which I am)

"Kill Not Responding Tasks"

Shutdown menu (and change default behaviour)

Power Options

Remove the Shortcut and Shortcut arrow from your desktop icons

More detail on controlling Windows Updates:

Setting Ethernet as metered will halt the update process till you OK it but doesn't control what gets delivered.

For total blockage of Windows Updates, disable the service but if you merely wish to control when it happens and (partially restrict what gets updated)

download wushowhide.diagcab

It treats the update process as a troubleshooter but don't let that deter you.

Run it when you know updates are available. Choose the "Hide Updates" option when its finished checking for updates. Tick those you do NOT want, Close the "troubleshooter".Then permit the update in the normal way.

For even tighter control (pro users and up only) use gpedit

/admin templates/windows components/windows update/configure automatic updates

click enabled and choose "2 - Notify for download and auto install"

you almost return control of the Windows update process to where it used to be pre W10

As for Everything, I cannot figure out why Microsoft hasn't bought him out.

It's genuinely a life changer for anyone with millions of files on their system (I currently have 7.6 million). It does what you kind of expected file search programs to do before you actually had to use one. i.e. INSTANTLY find all occurrences of relevant matches anywhere on your system. I'd really love to know how he's done it because he's clearly using the technology far better than Microsoft do. Example: I'd read someone raving in similarly favourable terms about it and sceptically thought, yeah, right. I'll try it out not expecting it to deliver.

Installed in seconds. Told me it was indexing my system. I thought fair enough - expected it to take days (like microsoft's indexing) or at least hours. It took less than a minute for my (then) 6.25 million files spread across 16 drives/partitions.

I didn't believe it, so I began to test it. Found files in places I didn't even know existed.

It has vastly improved my file management by helping me to avoid unnecessary duplication and reminding me where I store files relating to arbitrary topics. Who needs the Windows Search joke?

1
0

FCC boss Ajit Pai emits his net neutrality extermination plan

Harry Stottle

So where exactly is this proposed US Policy Working?

Genuine curiousity. This table of International Broadband speeds shows 19 countries with faster average download speeds than the US (and 30 faster than the UK).

Does any one of those permit the kind of throttling and content based restrictions which Pai is arguing will "improve" internet performance? I haven't studied their broadband policies but I haven't heard of anyone else having to resort to this kind of nonsense to achieve a better service.

So, on what basis, other than the favouring of selected vested interests, can the proposal be defended? More importantly, why aren't questions like that being aired in America?

7
0

Privacy Pass protocol promises private perusing

Harry Stottle

Re: Idealism, meet business model

@AC

didn't spot your comment till after I'd replied to Rob V

if you look at the examples I provide in that response, you'll understand that we're talking about the routine anonymous protection of digital data. Ours is a very light-weight solution where it is much easier to keep track of the hashes you've used to protect individual data items,The PK solution too clumsy for what we anticipate will eventually be perhaps half a billion such transactions a day.

You might be interested in the comment I made a few weeks back (and the links therein)

0
0
Harry Stottle

Re: Idealism, meet business model

@Rob V

who probably won't get to read this because the crowd has moved on, but I'll put the reply here for the record, if for no other reason than being able to refer back to it myself at some later date

**********************

Another key feature of our solution is that we never hold or publish sensitive data. All we guarantee is proof of integrity of the data protected by the system. We have no idea what those data are and we don't need or want to know.

It's broadly suitable for anyone wishing to be able to prove - if challenged at a later date - that the relevant data remains as it when registered.

Here are some of the things I've personally considered it useful to protect, anonymously:

Ensuring I can win any "their word against mine" arguments:

eg recordings of sensitive skype conversations I've had - the most significant of which were with sundry commercial services who have failed to deliver on (whatever) or threatened me with sanctions over perceived failures on my part (eg a 3 year row I had with Npower)

or more often, even when not in dispute, just wishing to ensure I had verifiable evidence of the exchange.

dash cam footage I've captured of extremely dangerous driving by other motorists (some of which I've passed to the Police)

dash cam footage of an accident where I was at fault but was a minor collision (I sent that to my Insurance company. I needed to ensure that the other party didn't overclaim the damage)

drafts of intellectual property concepts I'm working on at various stages, but not yet ready to publish

covert recordings of interviews conducted between a disabled relative and a DWP agent performing an assessment of her condition with the intent of reviewing her benefit entitlements

Sundry predictions I've made where I anticipated needing to be able to prove that I'd made the prediction ahead of the actual event **

and so on.

In nearly all of the cases above, there was no need or desire on my part to publish either the material or my association with it. It was merely a sensible precaution.

Other examples I haven't personally used include the protection of photographs, music, poetry and literature, and any other digitally captured creative work, particularly in draft form

Contracts where neither party seeks or needs publicity

Entire audit trails - for example the accounts for a commercial company - including all the detail they would never normally publsh. (But if challenged, can use the proof of integrity to show that an entire data set remains as it was at the relevant date)

In fact the list is endless. It is telling that in today's world even some Reg readers find it difficult to understand why Anonymity is a perfectly valid and reasonable requirement and how that doesn't conflict with people still wanting to be able to prove their claims if challenged. It's an example of what I call Anonymous Accountability.

**such as my 2015 prediction that the Republicans would nominate Trump. I didn't predict his actual election though! I was confident that the repubs were rabid enough to nominate him but I was also confident that the Americans as a whole were not stupid enough to elect him. Definitely got that one wrong!

0
0
Harry Stottle

Re: Idealism, meet business model

as it happens, I'm working on something very similar, which, if I get it right, will also deal with the problem of things like anonymous proof of various attributes like Age, Nationality, gender, arbitrary memberships, etc

Of course, I can't tell you too much, or I'd have to kill you, but I'll give you one use case for free.

Our system will allow authors to register their "ownership" of a document anonymously, with a view to third parties to whom the document is distributed being able to prove its integrity. It also allows them to revoke that registration later as having been superceded by a later version of their document. Obviously, we don't want anyone but the legitimate author to be able to issue such updates/revocations. Hence the need for anonymous authentication where, in this case, all you're proving is that you are the same entity who created the original document...

0
0

The NAKED truth: Why flashing us your nude pics is a good idea – by Facebook's safety boss

Harry Stottle

A better idea would be Face only...

this suggestion is predicated on the notion that a nude photo without a face (or name) is rarely a hostage to fortune.

if users could submit one or two "face only" photographs, with some sensible evidence that it was indeed their own face (eg an automated web cam session using the face recognition they're already experimenting with), then farcebook could introduce a new rule.

No photograph which includes a recognizable face(nude or otherwise) can be posted, except by the owner of the face, or with the explicit recorded permission of the face-holder. That would kill many birds with one stone...

3
0

UK.gov: IT contracts should be no more than 7 years. (Not 18, Fujitsu)

Harry Stottle

Re: Missing the point

and, in addition...

why not have a simple rule along the lines of:

if any project requires ongoing support from more than (n) personnel after year(y), then the contract should include the training of suitably vetted or recruited in-house staff with, say, a 12 month hand-over period...

I'm sure one size wouldn't fit all, but as a template, that's the kind of model that might begin to wean us off the current model.

1
0

Automatic for the people: Telcos forced to pay for giving you crap services

Harry Stottle

No excuse for the 15 month delay

In addition to MrBanana's comment, the 15 month delay might well be justified as the date by which the compensation will be handled AUTOMATICALLY, but there's no reason at all why we shouldn't be able to lodge MANUAL claims today...

Would be nice to add a small legal tweak to the effect that any claims not dealt with within, say, 30 days, will automatically be approved if submitted to a small claims court (with appropriate evidence of course).

That should make the buggers' eyes water...

4
0

US domestic, er, foreign spying bill progresses through Congress

Harry Stottle

A Pivotal moment in the evolution of the Police State of America

as they seek to enshrine, in law, what can only be described as Accountability Theatre

I strongly recommend, for anyone who didn't see it when it first emerged in April 2015, the excellent John Oliver take on Surveillance, which includes his visit to Moscow to meet Ed Snowden. It is the best non-technical description of the significance of all the main issues that I've ever seen

2
0

Facebook's send-us-your-nudes service is coming to UK, America

Harry Stottle

Photo DNA cannot be as reliable as they boast

It's an educated guess, because I don't claim inside knowledge.

But I reach that conclusion on the basis that they're not making it freely available for home use. To be fair, it doesn't look like Microsoft have anything but honorable motives on this occasion (although I would question their own security - if the FBI comes calling are they in a position NOT to release such images?) (one of the many questions Facebook will also have to answer)

They make the software available in various cloud offerings and have donated it to a Missing Child charity amongst others. So why aren't they simply allowing us all to download a copy and do our own hashing and upload the results instead of the image - as suggested in the first post on this thread (John Robson)

I can think of only two possible explanations. First is that the process is so power hungry, you'd need a Bitcoin mining rig to run it. That doesn't look feasible from what I've read about the process. Looks like it might take about as long as creating a couple of thousand hashes. Under a second on most desktops.

The second is that they don't want it in our sticky little hands because it would relatively trivial to find ways to modify target images in such a way that they wouldn't be detected, so to preserve the value of the service, they don't want the great unwashed to access it.

In short, they're relying on "Security Through Obscurity" and, like most such attempts, that'll work for a few months, until the obscurity is cracked...

Oh, and by the way, the (partial )solution to sharing intimate private images is sharing one time keys which BOTH/ALL parties have to re-combine to access the images/data (as outlined in Digital Telepathy)

3
1

Transparent algorithms? Here's why that's a bad idea, Google tells MPs

Harry Stottle

Commercial Accountability Theatre

is just as evil as political Accountability Theatre especially when the commercial entity is more powerful than most governments.

The solution is the same. Yes you may have legitimate secrets which need protecting but that doesn't mean that NO ONE outside your organisation should be allowed to access them. It just means we need a publicly trusted audit team to do the job on our behalf. In the case of Google and similar commercial giants, that implies a team of a few dozen, at least 2/3 of whom will need serious IT analytical skills including Security analysis. We also need representation from one or two Civil Liberty specialists (eg ACLU, LIBERTY etc) and all need to be bound by NDAs - unless they find evidence of illegality.

They need the time and budget to do the job properly and they need the right to access ANY parts of the system at ANY time, under appropriate secure monitoring of their own activities, in order to be able to confirm that everything is/was compliant with relevant regulation and remains so.

None of which would aid either competitors or gamers.

6
0

Bored 'drivers' pushed Google Waymo into ditching autopilot tech

Harry Stottle

Re: Attention Test Required

The commentards will have moved on by now but I'll still put this on record.

Yes I am deadly serious.

Bit surprised at the hostility.

Although I didn't know it when I started using this techique (2008) Google actually patented it back in 1998

So I'm not proposing an entirely novel concept. I've since seen references to it being used in many "serious" authentication or confirmation dialogues where it is vital to be sure that the user really is awake. So it is ideally suited to the Level 3 driving scenario

If such techniques are NOT used then (as implied by some of the other responses, and suggested by some of the developers) we should skip Level 3 and go straight to Level 4. (where the cars are certified to be able to take complete control of the vehicle for any preplalnned route)

The problem with that is they need the experience gained in Level 3 to get to level 4. Skipping it would probably add up to 5 years to the Level 4 development schedule

2
0
Harry Stottle

Attention Test Required

as I've said elsewhere:

in some of the software I develop I use deliberate random errors in certain dialogues, to spot humans trying to answer questions without inspection or thought.

It occurs to me that something similar is required for the "Level 3" driverless cars (which are supposed to be able to handle almost all situations but still need close human monitoring). i.e. the software should regularly (but randomly) send false alarms to the control panel and measure the time and accuracy with which the human deals with them. If their response time exceeds a safe threshold, take the earliest opportunity to park the car and cede full control to the human (with an auto reset of, say, the next day?)

The first time I tried this, I expected user hostility. Instead they treated it as a game and told us that it made an otherwise tedious task much more interesting and entertaining. I suspect the same could happen in the Level 3 scenario...

4
3

There's a battle on over two US spying laws: One allows snooping on citizens – one bans it

Harry Stottle

I refer my honourable friends to my previous answer...

Surveillance of citizens is indeed a problem, but not THE problem.

This answer applies just as much - if not more - to those carrying out the surveillance of citizens, as to the Cops the comment was triggered by...

1
0

US DoJ eases gagging rules, Microsoft drops data slurp alert lawsuit

Harry Stottle

a tiny victory

for the connected classes

much more significant win for the Microsoft PR team.

4
0

Let's make the coppers wear cameras! That'll make the ba... Oh. No sodding difference

Harry Stottle

Re: History of Digital Telepathy

You're most kind

One point I'd emphasise is that for private citizens (or even authorities acting outside their working "parameters") the recording would only be trusted because it will (MUST) have been demonstrated conclusively, that no one - especially including the authorities - can ever access their data without their uncoerced and informed consent. That's the difficult bit (and that sentence is my contender for understatement of the year)

But I genuinely believe it is possible to get there from here...

0
0
Harry Stottle

Re: Really?

"complaints falling by up to 90% etc "

I agree. The balance of experience seems to be better than favourable already. But it is being done in a half assed way. They're capturing evidence and are essentially ignoring the rules of evidence, and the opportunity to make it mathematically verifiable. That omission is likely to be by design. They are probably aware that a bullet proof audit trail will severely constrain their freedom to abuse.

2
0
Harry Stottle

And no significant change can be expected until...

1 wearing body cams is made mandatory

2 the law is changed in line with my fictional "History of Digital Telepathy"

Short Version:

Citizen - Innocent Until Proved Guilty

Authority - Guilty Until Proved Innocent

where the digital recording of EVERY activity by any authority in the conduct of their official duties is mandated and proven by entries on an immutable database, available for inspection by (publicly) trusted independent Auditors (to eliminate Accountability Theatre)

Where it is made illegal for an instruction to be given without that recording, and illegal to follow such instructions without confirmation that the recording exists (most of which can be automated)

So that, whenever an authority is accused of stepping over the mark, everyone will know that they must have a recording. They would not, however, be obliged to reveal it. But we the people (in our role as Jury) would be entitled to read such refusal as admission of guilt.

Of course, there is the legitimate problem raised by equipment failure, which suggests that no single point of failure should be permitted. i.e. two recording systems (at least) should always be available and if either one breaks, the authority should suspend their activities at the earliest opportunity to get it repaired or replaced.

And that, ladies and germs, is how we might wrest control from government and start making their lives as much a misery as they've spent the last few thousand years doing to us....

9
2

Boffins trapped antiprotons for days, still can't say why they survived the Big Bang

Harry Stottle

Its only a provisional result

at 68%, it's only interesting enough to justify further experiments, not to rewrite the text books.

They don't generally regard these things as settled till they reach or exceed 95% (that, for example, was the trigger for the official announcement of the Higgs Boson)

0
0

'Screaming' man fined $149 for singing 'Everybody Dance Now'

Harry Stottle

This only makes sense if

he was driving in an open top car (or with the windows wide open) through a built up area.

Otherwise, the authorities should have been told as (legally) forcefully as possible, to fuck right off...

1
0

Brit spooks 'kept oversight bodies in the dark' over data sharing

Harry Stottle

Yet more

classic Accountability Theatre

3
0

Man prosecuted for posting a picture of his hobby on Facebook

Harry Stottle

Malicious Prosecution

I trust m' learned friends will be advising the victim of his right to sue for Malicious Prosecution

Looks to me like this case would fit the definition almost precisely...

5
1

Customers cheesed off after card details nicked in Pizza Hut data breach

Harry Stottle

Re: Surely they don't store payment card details. So wtf?

ah, that's interesting.

Is it not possible (I naively assumed this was routine) to have a "provisional" authorisation code which would deal with that situation? (Ideally confirmed by a "signature" from the customer, but let's not run before we can walk...)

7
0
Harry Stottle

Surely they don't store payment card details. So wtf?

Someone help me understand...

I presume they don't store payment card details. (if that assumption is wrong, then all bets are off and I withdraw my question)

So, assuming they don't, yes they need to process the data, but presumably that's done in a couple of secure sessions (one with the customer, one with the Card Issuer) but once they've received a payment authorisation, they have no further legit use for the data. So how has an attacker breached their defences? Are the secure communication protocols broken? or what...

4
0

Remember how you said it was cool if your mobe network sold your name, number and location?

Harry Stottle

Re: Failure of democracy.

Completely Agree but don't have the space or time to answer the questions in your final para

The short version is

1 Incentivise the use of private notarised personal data "wallets" securely stored in various devices and capable of providing the answer to some questions without revealing actual data (eg whether someone is above or below an age constraint can be revealed without revealing date of birth). Also capable - with the co-operation of couriers who buy into the idea in order to feed off the "privacy preferred" market - of supplying one time "address keys" which even the courier can expose only in sufficient detail for their current sorting requirements. (but the merchant or supplier never gets to see or store)

2 in the few instances where data really does need to be warehoused, compartmentalise it so that one warehouse may hold, for example, address data but not names or other private data; while another might hold dates of birth etc. (Only linkable with more one time keys etc)

3 impose strict video-logged access controls on such data warehouses so that if any human access the protected data, (publicly) trusted auditors will always be a) notified and b) able to discover exactly who, when, why and where they accessed the data (and, of course, have full legal rights to blow the whistle if they spot anything underhand).

4
0

Western Dig's MAMR is so phat, it'll store 100TB on a hard drive by 2032

Harry Stottle

Why not SSD Drives?

Can someone who understands the technology please explain why we'd still be using rotating platters in 10 or 20 years time? Surely the evolutionary path has switched to solid state...

2
6

UK spy oversight body updates rules to include right of appeal

Harry Stottle

Appeal Schemeil

Until they facilitate giving a publicly trusted independent auditor access, on demand, to an immutable audit trail revealing everything that took place, when and why, its all Accountability Theatre

4
0

How bad can the new spying legislation be? Exhibit 1: it's called the USA Liberty Act

Harry Stottle

Obligatory ref to Accountability Theatre

Accountability Theatre

I'm restraining myself. Haven't mentioned it for weeks, but this example is about as egregious as they come...

2
0

Online criminal records checks to take a punt on troubled Verify system

Harry Stottle

First intelligent statement I've seen, regarding Identity, from a Government Source

(that is, if the Law Commission qualifies as a Government source - not sure of their constitutional position)

the full quote from the Law Commission reveals that someone actually knows what they're talking about:

"We have concerns, however, as to whether the use of Verify would be sufficient to protect testators from undue influence and impersonation. Verify does not currently ensure that the person entering the information is in fact the person he or she is purporting to be; rather it focuses on verifying that the person exists. While the involvement of witnesses generally provides some protection against fraud and undue influence, Verify does not currently have any facility for the participation of witnesses. Furthermore, Verify relies on passwords to control access to the service. There is a risk, therefore, that testators will give their passwords to family members or carers, and might be pressured to do so by persons wanting to abuse them."

If only these people could also advise the authoritarians on end to end encryption...

6
0

Schrems busts Privacy Shield wide open

Harry Stottle

Re: Well, I told you so.

I too bully my customers and colleagues into trying to take Privacy issues more seriously though, to date I haven't been paid (or even thanked) for my efforts.

I'd be very interested if you could point to a more formal version of your argument which I could thrust under my resistors noses...

8
0

Cops' use of biometric images 'gone far beyond custody purposes'

Harry Stottle

Re: OTOH this may be a good thing ...

Probably too late for you to notice this reply but if you do see it, I would dearly love to see evidence of that result (multiple collisions when entries compared to each other) . Not challenging your veracity. In fact I really hope it's true and there is some published evidence to support it. Would just love to be able to use that argument and wave it in certain faces...

1
0

Intelligence director pulls national security BS on spying question

Harry Stottle

Obviously the answer is "Yes"

am I missing some subtlety here?

Saying "No" - like Clapper did - would only be risky if, like Clapper's example, it was a lie

Ergo, the answer is obviously Yes. The only security threat might lie in explaining in exactly which circumstances the illegal spying on citizens takes place. (such as when the citizen is talking to someone not on American soil - which I believe is already exempted, but you get the gist)

1
0

Auto-makers told their autopilots need better safeguards

Harry Stottle

Attention "heartbeat" required...

in some of the software I develop I use deliberate random errors in certain dialogues, to spot humans trying to answer questions without inspection or thought.

It occurs to me that something similar is required for the "Level 3" driverless cars (which are supposed to be able to handle almost all situations but still need close human monitoring). i.e. the software should regularly (but randomly) send false alarms to the control panel and measure the time and accuracy with which the human deals with them. If their response time exceeds a safe threshold, take the earliest opportunity to park the car and cede full control to the human (with an auto reset of, say, the next day?)

0
0

Smart cities? Tell it like it is, they're surveillance cities

Harry Stottle

Accountability Theater - Again

The actual monitoring (data capture) is not (or need not be) the issue. The issue is human access to - for whatever purpose - the captured data. Surveillance is merely one of the purposes.

The problem, as ever, is that we the people have no means of determining when the technology and relevant data is switched from one mode (capture) to the other (access). This is the gap I've previously and repeatedly referred to as "Accountability Theatre".

The short version is that there are always going be justifiable cases for surveillance. For a traffic based example, I rather like the idea that we could develop an AI system to watch motorway traffic in order to identify genuinely dangerous situations emerging in real time. This would include things like some imbecile driving the wrong way, or a car randomly weaving in a manner likely to indicate someone falling asleep at the wheel. Or someone driving at twice the speed limit in busy traffic. Where such threats are identified, the AI prods a Human and they can raise an alarm, send out a traffic cop, turn on the warning signals etc etc.

I doubt that anyone is going to argue with that kind of use of surveillance. Where it crosses the line into authoritarianism is, for example, with John Robson's suggestion that it could also be used to "enforce appropriate speed limits". This is a grey area. Certainly, as hinted above, some speeds would qualify for the alarm surveillance mentioned above . Driving at 80 on a reasonably clear motorway does not. That said, we should have no issue with the data captured being used, after a serious incident (eg a fatal accident) to see to what extent either speeding or careless driving contributed to the accident.

And in all cases, where data is accessed for any reason whatsoever, by a human actor, it should not be technically possible for such access to take place, without it being subject to the most rigorous surveillance of all, with the data being provably captured to an immutable audit trail.

1
1

Snoops 'n' snitches auditor IPCO gets up and running

Harry Stottle

More Accountability Theatre...

most of their time will be spent monitoring "Security Theatre" so it is entirely appropriate that their process constitutes Accountability Theatre

10
0

Oracle has to pay top sales rep stiffed out of $250,000, US court rules

Harry Stottle

Re: Wasting the courts time

simple solution, at least for cases like this where deep pocket is trying to with-hold an award. Allow them to appeal as long and often as they like; with a 1% interest charge PER DAY from the date of the original award. Payable only if they lose, of course...

4
0

Foxit PDF Reader is well and truly foxed up, but vendor won't patch

Harry Stottle

Sumatra Seconded (again) and Thanks for the Libre Office (Draw) tip

Sumatra easily lightest weight stable pdf reader.

Was using Foxit as well for my occasional pdf editing needs. Then spotted reference (above) to Libre Office Draw being able to do the job. Tested it and it works. Bit clunky (go into edit mode/ saves to an odg file / leaves it it read only mode/ enable editing / edit / save / export as pdf) but more than happy to put up with that in order to liberate myself from foxit...

Would have attached this as thankyou reply to who-ever it was who posted that Libre Office tip but damned if I can find the comment now!

1
0

Revealed: 779 cases of data misuse across 34 British police forces

Harry Stottle

So painfully naive, it hurts

Why should we trust the Authority's own response to an FOI inquiry?

No one we trust has unconstrained access to the data for audit purposes. It is much more likely that we're seeing an (unknown) fraction of the real offences - enough to make us believe a proper job has been done - than reality.

Until ALL authorities are under a mandatory requirement to implement audited access control with the data protected by an immutable audit trail, all attempts at "oversight" should be treated as, at best, suspect, at worst, criminal deception.

1
0

Guess who's here to tell us we're all totally wrong about net neutrality? Of course, it's Comcast

Harry Stottle

Does Net Neutrality correlate with Broadband Speeds?

Honest question to which I suspect I can guess the answer but do not know.

Where are the highest broadband speeds? The answer to that might be provided by posts like this

The crucial question is whether any of those have retained or discarded net neutrality. My belief is that they've all retained it but I can't find sources to sustain that belief. If my conjecture is valid, why would anyone anywhere be arguing to discard neutrality? Why would even the greediest American capitalists not seek to emulate the success of their Asian exemplars?

Or am I missing something?

2
0

Big question: Who gets the blame if a cyborg drops a kid on its head?

Harry Stottle

Re: Can you trust this tech?

It very definitely IS a serious question. My own attempt at a serious answer is here but in short, mind reading technology can only be prevented from being a totalitarian wet dream if we force governments to accept some of the protections it also makes possible (principally the ability to block authentication when "coercion" is detected) so that no one can be forced to disclose anything without their informed consent. Please see also my comments here

1
0

Page:

Forums

Biting the hand that feeds IT © 1998–2018