* Posts by king_tut

59 posts • joined 20 Feb 2012

Page:

Microsoft's Surface Studio desk-slab, Dial knob, Surface Book: We get our claws on new kit

king_tut

Updated Surface Book

Any more details on the upgraded CPU? I thought it was just the same i7-6600U that was in the highest end Surface Book - certainly isn't Kaby Lake. I had thought the "Surface Book i7" name was daft - the "Surface Book with Performance Base" being used on the MS (USA) Store is much more descriptive - the new Surface Book SKU seems to be the same i7 tablet/screen, but with a modified base (extra battery, new dGPU, better cooling).

Any news on when the Surface Book i7/performance base will be available in the UK? I ask the 'experts' on the MS (UK) Store, and they didn't know.

Personally I'm excited - I'm in the market for a new laptop, and was looking at Hybrids, but wanted a bit more oompf than was currently available. This new iteration is just good enough for me to justify getting it, as I want something which can be used for gaming.

MPs and peers have just weeks to eyeball UK gov's super-snoop bid

king_tut

Re: Thoroughly underwhelming joint Committee

> They were asking ethical questions of their technical witnesses - but yes you're right of course.

Note that that was the Science & Technology committee, who were generally supposed to be focussed on the technical and implementation aspects of the bill. The S&T committee isn't great, but at least has some technical knowledge.

The joint committee are a different group who, frankly, suck on a technical front. Or at least, I've seen no evidence that they know anything about the subject.

king_tut

Re: Thoroughly underwhelming joint Committee

> why this bill should be shelved

One thing to bear in mind with any effort to shelve this bill. Everything apart from the ICRs (i.e. the ISP mandated logging of metadata), and to a small extent the National Security Notices, is already being done, and being done with very little oversight. Shelving the bill would retain the status quo - namely that things like Equipment Interference (hacking) will continue under the Wireless Telegraphy Act, with no oversight, will continue. Be careful what you wish for.

king_tut

Re: Thoroughly underwhelming joint Committee

@streaky

Absolutely! Everyone who has a clue should put in a submission - I'm already working on mine, covering a number of points (which I'm posting on my blog as well)

It needs to be informed evidence though. Just ranting about privacy will be ignored. If concrete examples can be given, etc, then a lot more notice will likely be taken. Hell, if they like the submission, they may even request you come down and given evidence in person.

Note that the link you provided was for the Science & Technology committee, so evidence should be limited to technical matters.

There is also the joint committee on the bill itself, which can be contacted for wider issues/evidence: http://www.parliament.uk/business/committees/committees-a-z/joint-select/draft-investigatory-powers-bill/contact-us/

king_tut

Re: Thoroughly underwhelming joint Committee

Not his scary homophobic views, but his overall authoritarian stance. If you're bored, I recommend you reading his truly bizarre speech on the Investigatory Powers Bill: http://www.theyworkforyou.com/lords/?id=2015-07-08a.190.0&s=speaker%3A13253#g198.0

And he's one of only 4 joint committee members who have even spoken on the IP Bill, DRIPA, or the Anderson report!

For more details on the breakdown: https://kingtut666.wordpress.com/2015/11/26/no-evidence-of-balance-the-joint-committee-on-draft-investigatory-powers-bill/

king_tut
WTF?

Thoroughly underwhelming joint Committee

I've written about this elsewhere, but I'm very underwhelmed with the appointments. Only Lord Strasbourger and Stuart McDonald MP are likely to be pro-civil-liberties, and only Matt Warman MP is even slightly technical (and he was a consumer tech journalist).

7 weeks is really not a long time, and I'm amazed and confused that only 2 weeks are being allowed for witnesses.

IMHO the government are doing this all wrong. They should have loaded the committee with pro-civil-liberties, and then accepted most sensible recommendations. That would have then let them have a nice smooth progress, as the civil liberties camp wouldn't have anything sensible left to say, through the debates and the votes - the times when there is likely to be press interest. Now, they're guaranteeing a mess in the future.

IOCCO: Police 'reckless' for using terrorism powers on journo sources

king_tut

Re: What is the point of the IoCCO?

They are tasked with providing the oversight, and doing the investigation. They are the ones who identified the problem in the first case, and then did the deeper dive. They then refer it to the Investigatory Powers Tribunal (and/or tell the affected parties how to do so themselves). The IPT is a court.

Think of IOCCO as the police. They do the investigation, and then pass on the prosecution to the court system.

king_tut

Re: IPBill

@Doctor Syntax

Under s6, the Investigatory Powers Commissioner can opt to levy a fine (monetary penalty notice) if an interception occurred without lawful authority (defined in s5 - basically that a warrant is in place), but wasn't intentional. i.e. if a cockup happens and you accidentally intercept someone/something you shouldn't have. However, s6(3)(c) gives a get-out-of-jail of if the person was making an attempt to act in accordance with a warrant, so not all cock-ups are covered.

Appeals would go through the First-Tier Tribunal, which is a court of law. Essentially the situation is like a fixed penalty notice.

If the interception was intentional, and without lawful authority, then it's a crime under s2, with 2 years in jail and/or a fine as the penalty.

In this particular case, it appears that a warrant would have been present, but wouldn't have gone through the process correctly. I'm not sure therefore whether there was, or was not "lawful authority". Yet another bit of the IP Bill that needs proper definition. Ho hum :)

king_tut

IPBill

It's worth noting how this may have been handled differently under the Investigatory Powers Bill.

Firstly, there is an actual criminal offence that would have been broken (s8 of the bill). That could result in fines and jail terms. Even if a criminal prosecution wasn't followed, the individuals who broke the rules could have been fined 50k (s6 of the bill).

Secondly, under s171(4), there may not have been a referral to the IPT, as a breach of the ECHR is not itself sufficient for an error to be a "serious" error. And the existence of the error would also only be made public if a "serious error" occurred and it is in the public interest to release the info.

What the IPBill giveth, the IPBill taketh away...

Who's right on crypto: An American prosecutor or a Lebanese coder?

king_tut

Re: Nope, don't care

> You can secure your home against unwanted entry, but you cannot refuse to comply with a search warrant. Why then can the same not be held true for encrypted data?

You're referring to a RIPA part 3 warrant. Which is and has been used. While it has been used to put some child-porn people in jail IIRC (as the maximum sentence under RIPA part 3 is less than that from kiddie porn), there's also claims that some of the people affected were innocent of anything other than being tinfoil-hat wearing paranoids.

Samsung S6 calls open to man-in-the-middle base station snooping

king_tut

Re: Confusion - S or Q?

I'm hearing from sources that this is definitely a Shannon problem. Generic Qualcomm _can_ suffer from this, but only if manufacturers are idiots and don't ship in a secure mode.

king_tut

Data as well

This is bigger than voice. Normally the baseband processor (BPC) and OS running on it swaps data with the main OS by reading/writing to some shared memory in RAM, plus some semaphores etc and a couple of hardware interrupts. Unfortunately it's common for no-one to lock down the permissions the BPC has, so that it actually has read/write access to a device's entire RAM. It can then search for crypto keys or data in the clear and exfiltrate them, root the main OS, etc.

The solution for this problem is simple, and it comes to re-evaluating your threat model. Don't treat the BPC and Qualcomm OS running on it as trusted components - treat them as potentially malicious. Limit read/write access from the BPC using the ARM xPUs, specifically the Memory Protection Unit. Unfortunately this is not wholly trivial, as when Qualcomm changes the memory ranges they use then you have to update your memory regions on the protection unit - Qualcomm and memory ranges are a bit like MS-RPC and firewalls...

I guarantee that few phone devs have done the relevant work, as it's a security thing which won't be prioritised, and most trust Qualcomm. Which has been found to be idiotic, if they don't implement any kind of signing checks for BPC updates...

Encrypt voice calls, says GCHQ's CESG team ... using CESG encryption

king_tut

Re: CESG's hobby is promoting applications for IBE

Absolutely - I agree. This is why HMG likes it (plus licencing etc). However, certificate based has the same problem - just that it's called a trusted root CA. You can roll your own root CA for a private community, and you can roll your own KMS likewise.

IMHO a larger issue of IBE is that the KMS/PKG needs to be online, whereas a root CA can be offline/air-gapped.

king_tut

Read the spec/RFC

CESG have been banging on about Identity-based crypto for ages now. MIKEY-SAKKE is a combination of using MIKEY [1] for the key management, with Sakai-Kasahara algorithm [2] for the crypt itself. Note that MIKEY-IBAKE and MIKEY-TICKET are some of the main contenders for future secure voice standards under VoLTE. The UK want MIKEY-SAKKE instead for assorted reasons.

The idea for MIKEY-SAKKE is that the Identity (phone number) is used as a public key (after some mathematical operations), for which the owner of the identity is the only one with a private key. Obviously though there must be some sort of trust or magic to allow this - that magic is via a 'Key management server' or 'Private key generator' which is mutually trusted by both parties. This KMS generates the private key, based on the identity, and distributes it securely to the owner of that

identity. The "Lawful Intercept" capability comes from the fact that the government can send a warranted request for the keys to the owner of the KMS.

There are similarities between a KMS and a root signing certificate server. The difference is that client public key certificates don't need to be distributed, and keys etc are short-lived so you don't have to deal with immense CRLs. Call setup times are faster and require less bandwidth than using certs, although the difference is small enough not to really matter to most.

Personally I'm not wholly convinced - I think it's generally no better or worse than other approaches, just with a different set of pro's and con's.

[1] https://en.wikipedia.org/wiki/MIKEY

[2] https://en.wikipedia.org/wiki/Sakai%E2%80%93Kasahara_scheme

GCHQ's CESG team's crypto proposal isn't dumb, it's malicious... and I didn't notice

king_tut

Re: @ King Tut

> King Tut, eh? Do we know each other from Zürich, circa early 90s?

Not me - only been using this pseudonym (and variations) for 15 years or so :) There are others though - meaning any link to me for criminal activity is plausibly deniable...

king_tut

Re: @ King Tut

> IMEI blocked? so just the ne'er-do-wellers will use the phone on another network (or country)...

True. But that doesn't affect the confidentiality or integrity of my data, or any usefulness wrt my phone number as an identity (i.e. the subjects of this discussion)

Plus, if more people got their IMEI blocked, then stealing phones would be less profitable...

king_tut

Re: @ King Tut

Yep, SIM lock as well. And I had the IMEI blocked within 30 mins.

It's depressing how little attention people take to their own security :(

king_tut

Re: a user’s identity is their public key

Some more detail here...

Basically, the identity (in this case a phone number, but could be an email address or whatever) is used as a public key (sort of), but the key thing is that a Key Management Server (KMS) is used to provide the private key for that public key. The KMS ensures only the holder of that identity gains access to the private key. The KMS is equivalent to a root certificate in terms of trust.

There is no requirement for one big KMS etc. Instead, each 'service' can run its own KMS. E.g. want to be able to use your phone number to do secure comms to the NHS, you can register with the NHS's KMS. Want to also have secure comms between a group of friends, you can run your own KMS on a server you trust. Each KMS will create a different private key for the given identity.

Want to be able to access a load of services that trust each other - they'll either have one big KMS, or some kind of trust relationship between them.

king_tut

Re: @ King Tut

> GCHQ don't need to nick your phone, they can intercept the text messages.

As can many other people. Your voice calls and text messages are only encrypted during the wireless stage between your phone and the base station - everything else is in the clear. GCHQ (+NSA, FSB, DGSI/DGSE, BND/BfV, and so on) are I'm sure more than happy for you to use insecure comms - the current situation.

king_tut

Re: @ King Tut

I have. And it was locked, so I didn't lose anything.

But still, the key point for secure comms is protecting device<->device. The "a user’s identity is their public key" is specific to secure voice - I don't think the standard is suggesting anything else.

Outside that is a human problem, which neither MIKEY-SAKKE nor any of the other equivalent standards would do anything to fix. Blaming a protocol for not fixing a problem it wasn't aiming to fix, is like saying the El Reg is a shite website because they haven't sent me any hookers recently.

It's a fair point that people need to realise that phone != person. I'd hope that was generally obvious. This is precisely why you need to authenticate to your back when you phone it - even if you're phoning from your mobile, which they have as your number in records. The phone number is easily spoofed if you've the right kind of connection, and so mustn't be trusted, even excluding the theft argument. Instead, you're authenticating by something you know, rather than something you have. The difference is, that if you're using secure voice comms, you can be reasonable sure that the confidentiality of that person<->org authentication is secure - a major difference from the situation now.

king_tut

"Anyone who knows my phone number can authenticate as me, and MITM is trivial."

Erm, nope. Have you read the RFC, or the standards around it? The purpose of the KMS etc is to stop that.

The same could be said for "Anyone who knows my website address can authenticate as me, and MITM is trivial." which is obviously untrue. _But_ there's a huge dependency on a trusted authority - a root CA for SSL, a KMS for MIKEY-SAKKE.

Don't get me wrong, MIKEY-SAKKE has some problems, and I'm wholly unconvinced by it.

Also, your argument that phone number != person's ID is wholly spurious. Yes, it's true, however it's irrelevant. If I phone your phone number, I expect to get you. If we know each other, we may authenticate with a voice challenge/response we've previously established. If we don't know each other, we'd need a key distribution mechanism.

All of which is irrelevant. The purpose of secure voice standards is to provide guarantees of the integrity and confidentiality of voice comms, and to mutually authenticate endpoints against a MITM attack. MIKEY-SAKKE provides this (for some value of 'provides'), as do other key agreement protocols such as ZRTP (instead of MIKEY)(which uses the user reading out a string).

UK's super-cyber-snoop shopping list: Internet data, bulk spying, covert equipment tapping

king_tut

Re: Security Theatre and/or Snooping

> This isn't supposed to be about your run-of-the-mill burglar and wannbee crime lords though, it's supposed to be about terrorists and *serious* crime.

Very true. However if you only put in laws etc to help detect the very best, then you miss out on opportunities to catch the low hanging fruit. There is of course the question of proportionality - are the measures in this bill necessary and proportionate, and sufficient for as much as is possible while remaining proportionate. There are many issues in the bill which I'm not happy about though - e.g. there's no excuse for a 5-day urgent exception for judicial review of a warrant.

As for stupid serious and organised criminals, I suggest reading the operational case for ICRs [1] as well as the case studies at the start of the green paper itself.

[1] https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/473769/Internet_Connection_Records_Evidence_Base.pdf

king_tut

Re: On the back of a fag packet

@xj650t: I think you're under-estimating the number of URL requests - don't forget advertising etc.

However, let's look at the numbers a different way: 10000 requests/user/day, 200 bytes average per request, = 2MB/user/day. = 730MB/user/year, £50/2TB hard drive, = 1.8p/user/year (plus SAN costs etc)

And if you look at https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/473769/Internet_Connection_Records_Evidence_Base.pdf it's entirely likely that # of criminals caught would be >0.

king_tut

Re: TOR Lite for the masses?

@Nifty

> With a rushed out bill like this, a privacy arms race will start.

It's not especially rushed out. This is a draft, which will then go through two different committees*, will then be introduced as a normal bill in parliament, will go through the commons (1st, 2nd reading*, committee*, 3rd reading*) then lords (1st, 2nd reading*, committee*, 3rd reading*). Each * marks a debate. They're looking for this to go through late in 2016. That's really not rushed.

I also think you're vastly overestimating how much the average person cares about privacy. And I think it's unfortunate that so few people do care.

king_tut

Re: Logging all requests or just some?

> They won't be logging domains because resolution to ip addresses happens on the user's computer (and quite possibly soon in the browser to secure DNS).

Note that for HTTPS connections, the ISP can know the hostname of the service you're accessing, due to SNI: https://en.wikipedia.org/wiki/Server_Name_Indication

king_tut

Re: A Request

@TimR: I don't work for El Reg, but that is precisely the sort of thing I'm working on at the moment. I expect that within a week or two you'll find my, and many other people's, analysis on line. Which a Reg writer will then skim through and write an article :)

I'm not up to the ICRs yet in my read through. God it's a long document...

king_tut

Re: Cautiously optimistic

@Charlie Clark

> The biggest question the bill has to answer is why is it needed at all? It's just another expensive and ineffective powergrab that further limits civil liberties. hm, how long do we need to consider that?

They've partially tried to make that point in the intro to the document, but with nowhere near enough detail. The David Anderson QC report was much better IMHO.

From what I can see so far though, there are very few new powers (although there are definitely some, which the gov isn't being honest about). A lot of the things being talked about as new, weren't. Instead, they were previously indirectly allowed as a side effect of the Intelligence Services Act, Wireless Telegraphy Act, and a few others, and had no real oversight or protections in place. This Bill is apparently trying to collect and collate all the different related powers in one single place, and put them under a uniform and good (albeit with some big issues) warrant and oversight regime.

This Bill shouldn't cost much money, and is a _vast_ improvement over RIPA and DRIPA in many areas.

king_tut

Re: Cautiously optimistic

@Nick Kew: Yeah, I'm rather bemused by the downvotes, especially as I didn't think I'd said anything especially controversial. Ho-hum :)

As an aside, I'm now on pp63, and have found a few issues I don't like. Have 2 pages of notes already, and haven't gotten to the scary stuff yet (bulk interception).

king_tut

Re: Cautiously optimistic

Re: Ledswinger

>> Be polite now, being rude doesn't advance your valid point

> I didn't think that calling the OP a government lickspittle was being rude, more a matter of record.

Personally I do feel it rude, but that's not relevant. What was relevant is that the poster making that claim made (IMHO) no valid supports. I'm also intrigued where this 'record' is that describes OP as a gov lickspittle as I know for a fact he isn't, and has regularly complained about RIPA, DRIPA, and other laws.

Source: Am OP :)

king_tut

Re: Cautiously optimistic

>> This is vastly better than previous Bills, and based on May's statement I am cautiously optimistic

> Speak for yourself, government lickspittle.

Hmmm, a good start to your argument.

> This is the sort of behaviour that for years we've known to be the province of totalitarian regimes like East German and North Korea. I don't need to read 200+ pages of poorly written rubbish to know that this is a mad, bad and stupid idea, from mad, bad, and stupid people.

Nice to see evidence for your argument - you have an opinion and don't need any facts to support them...

> If that pasty faced rich boy and his boot faced home secretary thinks they are going to solve anything by spying on the entire population, then it only shows even more what a pair of vacuous twerps they both are. I don't want my government spying on me and everybody else just in case the police, taxman or bunglers of local government think it might be useful. I don't buy all this "terrible, terrible threats" nonsense that the security services peddle.

You don't like the current government. Okay. Neither do I, but that's not relevant. Interesting that you don't think there are any threats whatsoever, and appear to believe there are never any cases where interception would be needed. I'm a tad astonished, given the many many cases were intercept has proven vital, but ho hum...

> I don't believe it to be the case, but if not being able to spy on my computer use hinders the plods, maybe that's the price of freedom.

I agree a balance is needed. But your extreme position is broadly speaking no different to that of someone who believes we should spy on everyone all the time just in case they may commit a crime (note: that _isn't_ what the draft bill is asking for)

king_tut

Re: Cautiously optimistic

> Irrespective of whether I've read the draft bill or not (and I haven't), I have to question in what world legislation that permits warrant-less internet surveillance of an entire population

It doesn't, a warrant is needed. And there isn't surveillance of the entire population.

Note that there are some things very close, and I agree there are dangerous issues here, but are you saying that all the different warranted powers should not be allowed?

king_tut

Re: "where life is at immediate risk"

Apart from that local councils can't intercept or obtain the data, so that's irrelevant.

king_tut

Re: Security Theatre and/or Snooping

While I agree that these can be circumvented, I also think you're over-estimating many criminals. And just because something can be circumvented, doesn't of itself mean that it's not useful. The lock on your door can easily be circumvented - is locking your door security theatre?

It's a fact that a lot of criminals are stupid. Furthermore, the further prior to committing a crime, the less OpSec they show. Finally, you can get unlucky - your VPN may not spin up properly and your set up may fail open, leading to you accidentally accessing a site not using your protection. Examples abound of this.

king_tut

Re: Cautiously optimistic [Emergency provision]

@IT Hack: This is exactly the detail that needs thinking about. I absolutely can see there being a need for the provision. I also see how it can be abused. The question is - what is the impact of abuse. For example, if the judge then refuses to sign off, will that immediately be referred to IOCCO? Will it be made public, or will the subject be made aware so that they can sue. Or will it be hushed up?

If the latter - the provision is bad! If some of the former, the political risk of abuse could be high enough to make sure that abuse doesn't happen.

king_tut

Cautiously optimistic

This is vastly better than previous Bills, and based on May's statement I am cautiously optimistic as a load of my previous concerns (judicial warrants, s94 telecoms act, CNE, oversight, and avowal) seem to have been met. BUT I'm remaining cautious - the devil is in the detail.

I recommend ignoring anyone who says, right now, that it's good or bad. The Bill is 228 pages long, and bloody complex. I'm slowly working through it, and am certain no-one can properly digest this in even the next 24 hours.

TalkTalk plays 'no legal obligation' card on encryption – fails to think of the children (read: its customers)

king_tut

Class Action Lawsuits

Maybe this will be the first case under the new class action lawsuit rules? http://www.bbc.co.uk/news/uk-34402483

How much of one year's Californian energy use would wipe out the drought?

king_tut

Mexico export from Baja...

Mexico would probably find it easier to build desalination plants from a political/activist perspective. They could then ship it north, and export it to the US. Yes, all this would cost, but it may well be profitable, and be a nice export income for Mexico. Plus, it would provide Mexico some strategic strength against the US - "screw us over, and we'll turn off your water" - think Putin/Ukraine and Natural Gas.

Of course, the corruption in Mexico may make this unfeasible, and the US may not be willing to accept the import of the water. Depending where you're shipping to/from, the price may be expensive, but, for example, South Coronado is only ~15 miles from San Diego - although construction there would be problematic from an sea-environmental (the land itself is a desert) perspective.

Robot surgeons kill 144 patients, hurt 1,391, malfunction 8,061 times

king_tut

How does it compare to human-only surgery?

The report (or certainly the article - haven't read the source material) doesn't really analyse the % stats, and neither does it compare the robotic rates vs human only. In any surgery, there will be problems. Yes, the malfunctions suck, and many are inexcusable. However, are the results worth it? Are robots better than humans for certain types of surgery?

What goes up, Musk comedown: Falcon rocket failed to strut its stuff

king_tut

Strut picture

http://i.szoter.com/741dc2bcf5762a48.jpg

From /u/darge89 on reddit.

High Court smacks down 'emergency' UK spy bill as UNLAWFUL

king_tut

Re: I've always wondered about RIPA/DRIPA

What would happen if I signed the official secrets act and was being forced to disclose a secured password.

They'd just get a sufficiently cleared police officer.

allow me to hand over passwords to 'ANY THIRD PARTY', under threat of prosecution should I do so.

Any contract I am involved in the drafting of says "unless required to by law" or similar (there's often several caveats - e.g. parliament can mandate things when working with government departments). Also, I think criminal law trumps, and in this case protects you from liability under, civil law, as long as you show due diligence by making sure any warrant is in place, legal, valid, etc.

king_tut

... is invalidated in its entirety by the ruling?

Only section 1 (data retention) of DRIPA was disapplied with this ruling. The other parts which covered some wording tweaks to RIPA (s3, s5), the extra-territoriality of RIPA (s4), or improvements to (s6) and reporting on (s7) oversight all remain.

king_tut

Re: Called it :)

Further to this, and remembering that IANAL, I think there's a quick fix the government could do. Under RIPA s1(3) and s1(4) the secretary of state can introduce regulations with additional provisions. Under s1(4)(d) these provisions may include restrictions on access.

Regulations are secondary legislation that needs to be laid before parliament but for which there's no debate etc. There's not even necessarily a yes/no vote on them.

If the secretary of state issues regulations that require that a) data retained can only be accessed for serious offences, and b) a warrant or similar needs to be signed by a judge prior to each access, then that _may_ be sufficient to continue access. Doing so would meet both of the "in so far" bits of the judgment (see para 122 of the full judgement at https://www.judiciary.gov.uk/judgments/david-davis-and-others-v-secretary-of-state-for-the-home-department/ )

king_tut

Re: Called it :)

If the legislation is unlawful does that mean prosecutions made under it are now also unlawful and subject to appeal, or maybe even automatic overturn?

There weren't any prosecutions AFAIK, so this is moot - this relates to what the ISPs etc had to do to retain the data, not what the police etc could do with it (which is covered by RIPA). There would only have been a prosecution if an ISP refused to comply with a retention notice.

Also, technically it's only section 1 of the law that has been disapplied - which is the bit dealing with data retention.

As for whether prosecutions could have been overturned, I'm not sure. The fact that the court is suspending their judgement until March 2014 - i.e. DRIPA s1 remains valid until then - in order for the government to fix things implies to me that there wouldn't have been grounds for an overturn. But then I'm absolutely not a lawyer, so I may well be talking out of my arse.

king_tut

Yep - under RIPA Part III

A couple of examples from a quick Google:

- http://www.theregister.co.uk/2009/11/24/ripa_jfl/

- http://www.bbc.co.uk/news/uk-england-11479831

In both cases I think there wasn't any doubt they had the passwords. I'm not aware of any cases where there was doubt whether the person _could_ unlock the files, or where that was a plausible defence.

king_tut
Holmes

Called it :)

Not a surprise, I called it on my blog days before it received royal assent :) Still very pleasant to hear.

Government reaction will be interesting. I'm sure they'll appeal. As it is though, the timescale for pushing through the new RIPA replacement was already tight, due to the December 2016 sunset clause in DRIPA. They now only have until March 2016. They were planning to introduce legislation through a joint committee of Lords and Commons in autumn this year - which only gives them 6 months - which is really not much time at all. And all the recent reports (ISC, Anderson, RUSI) recommended a major rewrite and replacement of both RIPA (+DRIPA) and other laws permitting surveillance/interception.

So, will they rush through a DRIPA replacement, keeping (or extending) the sunset clause, eating up legislative time in the process, or rush through the RIPA replacement, possibly reducing the scope in the process?

HOVER ROCKET space station podule mission LIGHTNING HOLD DRAMA

king_tut

Clarifications

A couple of little clarifications. It could be argued that the rocket sort-of splits into thirds, not into half: the first stage tries to land, the second stage gets up to orbital speed, and then the third stage (aka payload) Dragon craft is what docks.

It also wasn't a 60-second launch window - it was an instantaneous window AFAIK. Most ISS launch windows are instantaneous as they have to basically launch when the ISS is overhead (more accurately, when it can launch into the same plane as ISS - having the same inclination and LAN). They could launch a little before/after, but it would require a load more delta-V by Dragon.

But then I've been drinking wine for a while now, so I may be wrong :)

US military SATELLITE suddenly BLOWS UP: 'Temperature spike' blamed

king_tut

Re: A satellite overheated and exploded??

Satellites in general use Hydrazine for propellant, which they need to often tweak their orbit. In addition, some military satellites carry extra as they are expected to change orbit quite often in their lifetime.

Hydrazine is a pretty dangerous chemical, which can definitely go boom in certain circumstances. There's a few different variants, some use a catalyst, whereas others are pairs which are stored separately. The separates are hypergolic - all these need to do is mix and they go boom.

'NSA, GCHQ-ransacked' SIM maker Gemalto takes a $500m stock hit

king_tut

Why did you trust them in the first case? The only way to be secure (or rather, to know how secure you are) is for all sensitive crypto primitives to be under your control. Would you trust Gemalto (or any other 3rd party) to generate your SSL certificates, including private keys, for you?

king_tut

Re: Fundamental misunderstanding of telecoms

You're absolutely correct, from the technical side. Having the keys allows ad-hoc decryption around the world. And there is definitely a danger of abuse. There are therefore two questions:-

1) Should these agencies have ways to gain access to intercept product. If no, then there's no danger of abuse, but there will be an increased danger from assorted serious crimes including terrorism. How much of an increase is a difficult question - I think the gov regularly overplays this, but I think there is definitely a risk. If yes, then...

2) What can you do to stop abuse, or detect if it happens. This is all about oversight, and technical controls to audit and control access. I would hope, and expect, that there will be technical controls to anything which gains access to product, that the relevant warrant details need to be entered. The oversight can then check these. Note that I primarily care about UK citizens, although proportionality should be maintained everywhere - just because your wife pops over to Poland to visit friends doesn't give you the right to spy on her.

I also think that details of the technical controls, and how the oversight operates, must be public - that's the only way we can trust it. We have to a) be able to judge for ourselves whether the controls would be sufficient, and then b) trust in the oversight bodies, and that they will use the controls. This is ultimately where the recent "GCHQ broke the law" ruling came in - (a) is pretty much what EU law requires, and GCHQ weren't making the knowledge public. They still haven't enough, IMHO, and I want to see improvements there.

It should be noted that I think David Anderson and IOCCO are doing a good job. I'm less comfortable with the ISC - there are too many "insiders" in the ISC who have publicly been in the authoritarian camp.

king_tut

Re: Fundamental misunderstanding of telecoms

Yep, nation/states jealously guard their prerogatives. But then allowing anyone to hack anyone else with no controls just leads to anarchy.

Citizens _can_ go on the offensive. It's called elections. Elected officials can reign in the intelligence services, if they want. Unfortunately, most people are idiots, perfectly happy to sleep-walk into crappy situations with crappy elected officials.

The overlap is the whistleblowers, and I firmly believe there should be whistleblower protections. It's a difficult situation though - when does whistleblowing (telling the public about abuses which are, or probably are, happening) become leaking secrets (telling the public about things which aren't abuses but cause measurable damage to intelligence operations). This is where good quality oversight is absolutely vital - an area that could be improved in the UK, and is an absolute mess in the US.

Page:

Biting the hand that feeds IT © 1998–2019