Re: Could just as easily have happened here
Why did you suggest this?
I just thought of a "prudence" sandwich.
I'm going to need therapy.
229 posts • joined 23 Mar 2007
God does not play dice with the universe: He plays an ineffable game of His own devising, which might be compared, from the perspective of any of the other players [i.e. everybody], to being involved in an obscure and complex variant of poker in a pitch-dark room, with blank cards, for infinite stakes, with a Dealer who won't tell you the rules, and who *smiles all the time*.
-- (Terry Pratchett & Neil Gaiman, Good Omens)
It wasn't really malware. It was a backdoor planted by the Met so that they can do away with pesky things like search warrants in future.
Clearly Alun Michael isn't sufficiently NuLabour and 'they' need to keep an eye on him. This is no surprise as he is an MP for Cardiff. And we know that Wales isn't really NuLabour as they've made prescriptions free.
"Take responsibility for security on your own site"
"It was a third party who done it, not us"
Obviously you don't rely on a garage to service your car - you take responsibility and do it yourself.
And you don't rely on parts from the manufacturer - you take responsibility and make your own brake pads.
And you don't rely on farmers and supermarkets - you take responsibility and grow all your own food.
"thanking the hacker"
Err .... I read the article again and I can't see anywhere where the hacker is thanked. Yes they acknowledged the problem and yes they took prompt action. But there's no mention of thanking the hacker, merely acknowledging that the problem was reported by hackersblog.org.
There could really be a problem. Most comments have focused on PGP's use of crypto algorithms. Perhaps there is a compatibility problem with the way both PGP and the VPN product integrate into the OS.
PGP does much more than merely encrypt files. PGP doesn't just rely on the user remembering to encrypt their data before sending it. PGP has also side-stepped the problem of integrating into the different mail clients. PGP functions as an internal proxy server to handle both inbound and outbound traffic.
I have PGP installed on my system at home. Look what happens when I try to make an SMTP connection to an arbitrary address.
$ telnet 126.96.36.199 25
Connected to 188.8.131.52.
Escape character is '^]'.
The PGP SMTP proxy has intercepted the connection and will give me the opportunity to encrypt the subsequent message.
The VPN software will also be intercepting attempts to establish TCP connections. Perhaps the two attempts to intercept connections interfere with one another.
"Medical conditions do not make you innocent of committing a crime, only a mitigation when passing sentence once guilt has been proven."
The definition of most crimes includes both actions and knowledge. Historically, the view was "the act does not make a person guilty unless the mind is also guilty".
The criminal law should not apply where the defendant does not understand their actions or the consequences. In other words: "did the defendant know what he was doing?".
In the past Woolies Pic'n'Mix was quite good. In the distant past it was very good. But about 18 months ago the supplier of Pic'n'Mix changed and the current stuff is horrid. And it's the same supplier to the cinemas. Euck. Whether it's in pristine condition or mixed with fluff it's still just rat food.
PS, Does anyone know if it's possible to get Bassett's Wine Gums in the UK?
You can just picture it. I'm leaving a sports club; there's someone I've never seen before in the car park. I say: "Wow, that's a flash car. Is it yours?".
"Right, sonny, you're nicked."
I've just asked a question that links a person to a car. And we all know that a car is an obvious target for attack.
To protect ourselves we must ostracise the military, intelligence services and police.
First item on every job application form and membership form for every club or society:
"If you are now, or have ever been a member of the military, intelligence services or police do not complete this form."
Most clubs and societies ask for a home address so that they can send out newsletters, diary dates and so on. I imagine it's easier to attack these people at or near home rather than at work. So a home address will be useful for a terrorist.
"But," I hear you say, "the form doesn't ask them to reveal whether they fit this category." Quite right. The law doesn't require you to know that you are asking for information about a member of the military, intelligence services or police. The law merely requires you to have asked about someone who is a member of this set.
"How does an educated professional fall for this?"
Easy. He rings up his bank and asks: "Has the cheque cleared" and the bank answers: "Yes".
When the cheque is subsequently returned it's clear that the bank's "Yes" was not accurate. Hence he claims that Citibank are liable.
But, given the credit crunch why should a liar (or do I mean lawyer) expect banks to tell the truth.
"He says "We take this very seriously." He's a bloody liar. If they fucking took it seriously, they would have taken effective measures the FIRST time this shit happened."
I don't think they are taking it seriously third time.
Browsing a few pages, with right-click and view source later what do we find?
A hidden field with what looks suspiciously like an SQL phrase.
Nurse, bring me the syringe I want to do an SQL injection.
Somewhere there is programmer who is depriving a village of its idiot.
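The pattern the post describes, a hidden form field that carries a literal SQL fragment, beside the usual fix of mapping a key to a server-side allowlist. This is an added, constructed illustration, not code from the site in the article or from the post; the table, the field name and the sort keys are assumptions.

```python
import sqlite3

# Server-side allowlist: the client sends a key, never SQL text (assumed keys).
ALLOWED_SORTS = {
    "price_asc": "price ASC",
    "price_desc": "price DESC",
    "name": "name ASC",
}


def setup_db():
    """Constructed in-memory sample table standing in for a product catalogue."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products(name TEXT, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?)",
                     [("bag", 9.5), ("hat", 4.0), ("coat", 30.0)])
    return conn


def list_products_unsafe(conn, hidden_field):
    """The anti-pattern: the hidden field's value IS the ORDER BY clause.
    Whatever the browser submits is executed verbatim, so the server has
    handed control of part of the statement to the client."""
    return [r[0] for r in conn.execute(
        "SELECT name FROM products ORDER BY " + hidden_field)]


def list_products_safe(conn, sort_key):
    """Hardened form: the client supplies an opaque key; the SQL fragment is
    looked up from ALLOWED_SORTS and anything else is rejected outright.
    ORDER BY cannot take a bound parameter, which is why an allowlist is
    the standard fix here rather than a placeholder."""
    try:
        clause = ALLOWED_SORTS[sort_key]
    except KeyError:
        raise ValueError(f"unknown sort key: {sort_key!r}")
    return [r[0] for r in conn.execute(
        "SELECT name FROM products ORDER BY " + clause)]
```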
"I want them to precisely define "extreme"?"
No. That is exactly what you don't want.
You don't want a definition of extreme created by a small group of politicians and their advisors sitting in the safe environment of a parliamentary committee room. You want a definition that reflects the current opinion of the populace. This was the beauty of the OPA. "Obscene" was defined as a tendency to deprave or corrupt. It was left to a jury to decide. This allows the meaning of obscene to vary with the current opinion of the public. The OPA also took into account the likely audience. So, the idea of "obscene" varies between a shop window and a private club.
"So either they've done a lot of multiple requests for one single arrest or they are doing a lot of investigation that never gets anywhere."
I suggest the former.
IP addresses that change with each DHCP lease, but all one person.
Data relayed through innocent third-parties.
Contact with innocent people.
Those phone calls and emails to Brian who works in a garage could have been about kiddie pictures but they could also be about getting the brakes fixed.
"If there were no costs to the Police then there is no consequence to them flooding an ISP with requests and eventually they would be out of business."
More likely the ISP will allocate minimal resources to processing the requests and the in tray will grow bigger and bigger. Eventually the response time will become so long that the data will be obsolete before the police receive it.
Both the DPA and FOIA allow a charge to be levied for requests. Unlike these two acts I don't think RIPA specifies any response time limit.
"So both the UK and US courts have jurisdiction over the offence, but it seems more reasonable to prosecute him here."
Maybe reasonable, but not cheaper. Does the legal system pay to ship one suspect to the US or pay to bring lots of witnesses to the UK?
I don't think the extradition has been conducted fairly, but a US trial would be cheaper. Certainly cheaper for the UK.
"reinforcing potential abusers"
The assumption is that there are some people who are sexually attracted to children but have not performed any sexual actions with children. Presumably the idea it that if such people see cartoons of children engaging in sexual activity they will move on from merely desire to action. While this is an interesting thesis is there any evidence that such cartoons will transform fantasies into reality?
I doubt if there is any evidence. And I doubt if there are actually any people who are tipped over the edge by cartoons. If someone is attracted to children and has not engaged in any sexual activity with children, will they really change their behaviour as a result of seeing cartoons? Surely a more likely trigger is the commercial exploitation of children. Isn't there a bigger encouragement from children dressing as adults? Should shops be selling children's versions of clothes that enhance the sexuality of adults?
"That's me and several other old people"
And somewhere I may still have a copy of Club International with a cartoon sequence of Lucy and Charlie Brown, it finishes with Charlie Brown refusing to perform mouth-to-mouth resuscitation when Lucy fails to swallow and starts to choke.
"Which home user will pay for a high-speed connection when they can only browse the web on it?"
Well, the web includes iPlayer. So you can throw away your telly and just watch TV online. The money you've saved on the TV License will pay about half the cost of an Internet connection.
"most people simply would not need more than a basic, say, 2Mbit line (in fact 512k would probably be more than adequate)"
I've tried both speeds. 512k isn't fast enough for iPlayer, 2M is fine. But, I haven't tried iPlayer HD.
"Yes, maybe it was hit by a UFO - a craft that can traverse light years of space in an instant, travel at hypersonic speeds in our atmosphere, accelerate at 1000s of G, and yet for some reason couldn't spot a 200 foot wind turbine in its path."
Why the UFO itself? Why not an extraterrestrial garbage truck dumping its refuse?
Or just simply a sophisticated craft with a dumb pilot?
I can't see it being "invisible bug pixies". But I went for the lazy option.
Seadragon project manager: Have you tested the app?
Programmer: Yeah, yeah. Lots of testing.
Other programmer: What a dork. What does he think users are for? Testing - couldn't be arsed.
But on reflection, the lazy option is too simple. There's probably something in the iPhone kernel that notices the origin of the app and if Redmond it activates the well-known programming construct - the "if ... then ... maybe" statement.
"I think this question has already been answered several times. Here's what I understand: the OPA only criminalises publication; the new "extreme porn" law criminalises possession. That is a huge change and a massive invasion into everyone's privacy."
"a massive invasion into everyone's privacy" - no, not really. When the OPA was created in 1956 telephone mail order didn't exist, let alone online delivery of a publication. You needed to visit a shop or send payment in the post. The OPA effectively blocked the opportunity to obtain obscene material.
Technology has bypassed the need to visit a shop. While it would be possible to amend the OPA to cover online sales and delivery it's not clear how the enforcement would work. It isn't sensible to try and prosecute an ISP for allowing the data into the country - in the same way it isn't sensible to try and make ferry companies liable for the pile of magazines in the boot of a car.
With electronic copies it's very difficult to identify the publisher or importer. This makes criminalising the possession of obscene material the obvious reaction. Perhaps the OPA was flawed and should have always included possession as well as publication.
"Article from me on Cif later today btw, come play."
I hope you conduct some research and discover some facts.
"there needs to be a statutory approach to this .... and you have to ask yourself why government is so opposed to that approach"
Very easy to understand. Government regulation will require government effort and government money. To avoid the burden of government regulation the ISPs were allowed self regulation. Rather than risk an MP proposing proactive checking of content we have a scheme that only has to react to reports. Rather than require every ISP to have their own staff to assess content the ISPs pooled resources. Rather than have differing assessments across ISPs a central organisation provides a single decision.
"Why should they be able to hold your very valuable property just in case they may later find something dodgy in it?"
Because a court has given them permission.
"We think you might have been receiving stolen goods ('we had an anonymous phone call'), so we'll ban you from your own house for a year or two until we get round to sending someone to search it."
This is nonsense.
Try reading the "CODE OF PRACTICE FOR SEARCHES OF PREMISES BY POLICE OFFICERS AND THE SEIZURE OF PROPERTY FOUND BY POLICE OFFICERS ON PERSONS OR PREMISES"
The police won't get a search warrant on the basis of an anonymous phone call. Furthermore, if you bother to read the Code of Practice you'll see there are ways to get your property back.
"The consequences for individuals can be severe. And, as I thought I reported, there just aren't any guidelines out there: no guide, no statistics. Checked with the Home Office, several Police Forces and some forensics experts.
If anyone knows different, I'd be interested."
While not aimed specifically at computers there are codes of practice for the implementation of the Police and Criminal Evidence Act 1984. Code B covers searches and seizures and is available in many places including
There are (or were) guidelines produced by ACPO about the handling of computer material. This was written to ensure the material obtained could be used as evidence. I don't think it covered the problem of shared systems. The aim was to ensure the material could be examined reliably and the integrity of the evidence would not be challenged. I don't know if these guidelines still exist as they were written over 10 years ago.
"So they have no reason not to make another copy to give to the owner."
Errr. Are you sure?
Doesn't it depend on the alleged crime?
Should Gary Glitter have been given a copy of his data? What if the system was used to control a botnet? Or holding the pages for a phishing bank site? Or had a file with stolen credit card details? Or the artwork for fake share certificates?
Would you give back the jemmy and lock picks to a burglar while he is awaiting trial?
It would be very, very time consuming to delete all data that may relate to an offence. And there's no guarantee that all data had been identified. The only safe way is for the accused to be able to ask for copies of specific files. Please can I have copies of my address book and my letters.
CryptoCard's Hollister said: "I don't want to criticise the technology of the Emue card but it's too expensive for the extra benefit it offers. I don't expect you'll see large volumes. It's further up the technology curve than banks want to go."
Well, he would say that wouldn't he.
While the CryptoCard avoids the problem of replay-type attacks it doesn't solve the problem of man-in-the-middle attacks. If you've got to enter your PIN and the OTP it's better than just the static security code. But it's not good enough.
With the millions of users out there with trojans running on their PCs can you really trust the machine in front of you? If it hasn't already happened then it won't be too long before a man-in-the-middle attack will be built into the trojan running on the PC in front of you. The CryptoCard does nothing to protect the data from modification in transit. At least with the Emue card there is the possibility of generating a signature external to the user's PC.
This is the challenge. A useable payment process that can cope with a PC or till that cannot be trusted.
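The distinction the post draws, worked through as an added example (not code from CryptoCard, Emue or the post): a counter-based OTP proves the token was present but says nothing about the transaction, so a relay that rewrites the payee still verifies; a code computed over the transaction details fails as soon as anything in transit is altered. The HMAC construction, the shared secret and the payee/amount fields are assumptions chosen for illustration.

```python
import hmac
import hashlib
import struct

# Constructed shared secret between the token/card and the bank (not real).
SECRET = b"constructed-demo-secret"


def otp(secret, counter, digits=6):
    """Plain event-based OTP: depends only on secret and counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** digits).zfill(digits)


def transaction_code(secret, counter, payee, amount, digits=6):
    """Transaction-bound code: the payee and amount are mixed into the MAC,
    so the code is only valid for that exact transaction (what a card with
    a keypad, as described for Emue, can compute off the PC)."""
    data = struct.pack(">Q", counter) + f"{payee}|{amount}".encode()
    mac = hmac.new(secret, data, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** digits).zfill(digits)


def bank_accepts_otp(request, counter):
    """Bank side for the OTP scheme: the request body is never authenticated,
    only the code is checked, so a modified body is accepted."""
    return hmac.compare_digest(request["code"], otp(SECRET, counter))


def bank_accepts_signed(request, counter):
    """Bank side for the transaction-bound scheme: recompute over the fields
    actually received, so any change in transit breaks the check."""
    expected = transaction_code(SECRET, counter,
                                request["payee"], request["amount"])
    return hmac.compare_digest(request["code"], expected)


def relay_alters_payee(request, new_payee):
    """Models the untrusted PC rewriting the request after the user has
    entered their code; the code field itself is left untouched."""
    return {**request, "payee": new_payee}


def compare_schemes(counter=7):
    """Returns (otp_accepts_altered, signed_accepts_altered)."""
    user_intent = {"payee": "ACC-1234", "amount": "50.00"}
    otp_req = {**user_intent, "code": otp(SECRET, counter)}
    signed_req = {**user_intent, "code": transaction_code(
        SECRET, counter, user_intent["payee"], user_intent["amount"])}
    altered = "ACC-9999"
    return (bank_accepts_otp(relay_alters_payee(otp_req, altered), counter),
            bank_accepts_signed(relay_alters_payee(signed_req, altered), counter))
```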
Another example of the government ignoring the north (ie, anywhere not the south-east).
While the Harwell site _may_ currently be the best location why has there been a run-down of other sites? Why has Daresbury in Cheshire been ignored? The Diamond source was built at Harwell when property and building costs were cheaper in Cheshire. Now another research facility is to be built at Harwell. What happened to the other sites around the country involved in space research? Loughborough? Manchester? and others.
Why don't they turn the court process into a real game show?
The jurors could then "phone a friend" or "ask the audience". The person found guilty could select their punishment in a "Deal or no deal" process. The viewers could vote for their favourite witness in "Strictly Telling the Truth".
Yes, a computer can be used to defraud, but a computer can be used for many legitimate purposes.
But the article doesn't suggest any legitimate uses for the Whizzinator. Unlike other prosthetic devices the Whizzinator doesn't help if you've suffered a Bobbit. I don't think it's realistic to suggest the Whizzinator is going to be used by men with a shy bladder who want to participate in Streams of Pleasure.
So the Civil Servants have decided that being listed on a Children Missing Education report is not sufficient to qualify as vulnerable. Curious. Surely regular absence from school is a cause for concern and hence should be added to the selective database.
What details would be entered for Victoria Climbie that would arouse any suspicions?
"Had ContactPoint existed, social workers who came into contact with Victoria and had looked up her details, would have found that she was known as a child living in England and was registered with a GP."
Nothing strange there.
"She would also have been listed in a Children Missing Education report and her absence from education would have been followed up by her local authority."
Yes, a cause for concern. But it's a cause for concern now. Why does it need a central database?
Ah! I guess a central database allows for a search for exceptions. List all the children with an empty "name of school" field. Or all children with an empty "name of GP" field. At the moment it must be possible to list all people who are not registered with a GP (or at least all people with an NHS number). If you're not with a GP your medical records are stored centrally (last PHCT?). But there is no equivalent central record for school registrations.