Thank you. Beer gratefully accepted :)
Posts by Neil Brown
126 posts • joined 30 Sep 2008
How do you solve a problem like Privacy Shield? US and EU policymakers kick off discussions
Tor soups up onion sites with bountiful browser bump: No more tears trying to find the secure sites you want
Wednesday 3rd June 2020 15:01 GMT
Great!
We've offered .onion services (e.g. dlegal66uj5u2dvcbrev7vv6fjtwnd4moqu7j6jnd42rmbypv3coigyd.onion) for most of our web-facing stuff for a few years now, and we've used a bit of a kludgy workaround using web server config and exit node IP addresses to redirect Tor users to the .onion version automatically. We've supported alt-srv and onion-location for a quite a while now too, so great to see this will get broader usage.
Papa don't breach: Contracts, personal info on Madonna, Lady Gaga, Elton John, others swiped in celeb law firm 'hack'
Wednesday 13th May 2020 12:54 GMT
Re: Seminars or sales pitches?
> And the attitude was exactly like yours...
Honestly, I'm not surprised, given the volume of marketing bumpf we get sent. Missing what might be a useful seminar is perhaps the price to pay for not sitting through numerous sales pitches.
Bravo if you are or were doing things with BILETA — although I'd have thought you are mostly hitting lawyers in academia with that crowd (as most BILETA attendees are academics, and IT law academics at that, rather than the broad gamut of practitioners, with a few notable exceptions)?
Tuesday 12th May 2020 10:00 GMT
Seminars or sales pitches?
> They would not even attend free seminars on basic IT security because it detracted from the time they could bill to clients
I — lawyer — don’t typically attend free seminars on IT stuff, security or otherwise, since they are nearly always, in my experience, a sales pitch disguised as a seminar. Possibly one or two small bits of useful information, but mostly a list of dangers and pitfalls, and an explanation of how the presenter's company's chargeable product / service can solve them. (Perhaps it's exactly the same for non-lawyers going to a lawyer's seminar...?)
I tried to persuade the Law Society to run a "basics of IT security" session for lawyers in small firms, who may not have IT staff, where the content was vetted so it was practical and implementable and not (just) a sales pitch, but I got no-where, which was a shame.
Careful now, UK court ruling says email signature blocks can sign binding contracts
Monday 30th September 2019 12:28 GMT
Re: We have signed emails
You can have a binding contract without even the postcard — oral contracts are still contracts. Some specific situations require things to be in "signed writing", but that's the exception.
You might have *evidential* issues, but the lack of a written agreement, let alone the lack of a signature, does not vitiate the existence of a contract in most cases.
Monday 30th September 2019 10:13 GMT
Re: Email?
In this case, there was no dispute that the email was sent, with the content in question, from the person from whom it purported to have been sent. So no issue in terms of whether it was fraudulent.
If the defendant had alleged that they had never sent that email, and it was someone else spoofing their account, then the case would have looked very different, in terms of the points arguedt.
(Very few contracts under English law require a signature, so a trivially-copyable signature is unlikely to make a major different either way.)
Monday 30th September 2019 08:57 GMT
The law on signatures
For anyone bored, there are a couple of good sources of information on signatures under English law:
1.) The (very) recent Law Commission report on electronic execution of documents: https://www.lawcom.gov.uk/project/electronic-execution-of-documents/
2.) The (now rather aged) excellent article by Chris Reed, from 2000: https://warwick.ac.uk/fac/soc/law/elj/jilt/2000_3/reed/
But do bear in mind that most contracts under English law do not require signatures to be binding. There are some important exceptions, but the presence of a "signature", in many cases, is nothing more than evidential.
Monday 30th September 2019 08:51 GMT
Re: We have signed emails
Most commenters on here seem to be fumbling around in the dark, making comments over law they don't understand :)
IMHO, the decision did little more than apply existing law on signatures, looking at the purpose of the bit of text added automatically.
See, for example, the very recent work on this issue, from the Law Commission: https://www.lawcom.gov.uk/electronic-signatures-are-valid-say-governments-legal-experts/
Monday 30th September 2019 08:48 GMT
Optional
> merely an offer
So anyone receiving the email can accept the offer?
Would it not make more sense to phrase it as an "invitation to treat", which is not capable of acceptable?
> a properly signed and agreed contract
What is the difference between a "signed" contract and a "properly signed" contract? After all, the court here held that the inclusion of the email signature was "signed", and thus presumably also "properly signed".
What is an "agreed" contract (as that suggests that there are contracts which are not "agreed")?
If — as is the case for most contracts — neither a signature nor even written evidence is required, what impact does this wording have, if any?
etc.
[Bloody lawyers etc.]
Brit infosec firms urge PM Boris to reform the Computer Misuse Act
Monday 29th July 2019 09:46 GMT
“accredited professionals who act ethically ... to detect and prevent criminal activity."
No ambiguity there!
a.) accredited by whom? (“Do our training and get our accreditation — you can hack without fear of prosecution!”)
b.) who decides what is “ethical”? Which ethical model is to be applied? Is there some kind of ethics oversight board?
c.) allowing people to hack to “prevent criminal activity” seems broad? ("I hacked your computer and wiped it. Now it can't be used by criminals!")
El Reg talks to PornHub sister biz AgeID – and an indie pornographer – about age verification
None too chuffed with your A levels? Hey, why not bludgeon the exam boards with GDPR?
Tuesday 28th August 2018 10:33 GMT
Paragraph 25, Schedule 2, Data Protection Act 2018
The GDPR establishes the right of access — Article 15 — but it is subject to the specific exclusion / limitation in paragraph 25, Schedule 2, Data Protection Act 2018. The ICO's guidance essentially parrots this paragraph. This limits the scope of Article 15, and extends the time to respond.
What fun.
Probe Brit police phone-peeking plans, privacy peeps plead
Adtech-for-sex biz tells blockchain consent app firm, 'hold my beer'
Things that make you go hmmm: Do crypto key servers violate GDPR?
Thursday 5th July 2018 08:33 GMT
I'm not sure it's quite that easy...
There’s some rather shonky logic in the commentary here, IMHO.
First, I'd have thought that the starting point is to work out who is the controller of the processing which takes place on each key server, on what basis the data are being processed, what rights apply to the data subjects, whether any exceptions apply, whether any exemptions apply, and so on. Without this, it's all a bit nebulous.
Similarly, the reference to "implied consent" sounds like a red herring, since consent requires a "clear affirmative action" by the data subject — it is either "consent" or it is not — and, in any case, (a) consent can be withdrawn at any time (Article 7(3) GDPR), and (b) the right to erasure, under Article 17(1)(b) expressly applies to processing done on the basis of consent, where that consent is withdrawn. So, even if "implied consent" is a thing, you can't argue "implied consent" as the basis of continued processing, in the face of an objection / request for withdrawal of consent.
Lastly, I’m not sure where the concept that “the right of erasure only applies where it is practical” comes from. The right may not apply where the request is manifestly unfounded or excessive (Article 12(5)), but that’s hardly the same as whether the deletion is “practical”.
I suspect we simply have here a situation in which those designing and operating the key servers did so — perhaps entirely reasonably, at the time — without considering this kind of issue.
Trademark holders must pay for UK web blocking orders – Supreme Court
Wednesday 13th June 2018 19:37 GMT
Re: Interesting
I'm not sure that's true, as the shielding law treats each transmission in isolation.
A company which offered an Internet access service and its own IPTV service would be shielded from liability in respect of a transmission initiated by a user of its Internet access service, but would not be shielded for something it chose to distribute via its IPTV service.
Wednesday 13th June 2018 15:36 GMT
Re: Trademark - or copyright ?
The ruling stems from the Cartier litigation, which relates to website blocking injunctions issued to make it a little bit harder to access sites which infringe on certain trade marks.
It should apply to blocking orders based on infringement of copyright, but I guess that's a battle for another day.
It will be interesting to see whether it has an impact on blocking orders imposed on ISPs under the Digital Economy Act, in respect of porn sites which do not implement age verification, but there's a completely different framework. While it seems reasonable to me that the same approach should be taken, and that the BBFC should reimburse ISPs for their costs, that seems... unlikely.
It has no direct bearing on the Norwich Pharmacal orders used to obtain subscriber information from ISPs, in my opinion.
We wanted a camera, they gave us the eye of Gemini – and an eSIM
El Reg deep dive: Everything you need to know about UK.gov's pr0n block
Friday 23rd March 2018 07:17 GMT
Re: anonymous, non-tracking system wouldn't be hard
That describes one of the potential solutions — AVSecure — pretty well:
"Age verification cards will be obtainable at over 30,000 retail stores across the UK. It will allow face-to-face age verification to be completed at the point of sale. If you don’t clearly look over 18, you will be asked to show ID to the cashier in the same way you are asked when buying alcohol or cigarettes."
I'm not sure about the OTP bit though, although I *think* I've heard that mentioned...
UK.gov admits porn age checks could harm small ISPs and encourage risky online behaviour
Friday 5th January 2018 11:22 GMT
Re: From a legal perspective...
It depends.
A site can be made available “on a commercial basis” while still not being chargeable to visitors. For example, if the site derives income from advertising, or if it exists to drive traffic to paid sites.
There are draft regulations on what “on a commercial basis” means, here: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/600735/Draft_Online_Pornography_Commercial_Basis_Regulations_2017.pdf
(This is consistent with other areas of law, such as intermediary liability rules.)
Friday 5th January 2018 10:29 GMT
From a legal perspective...
The requirement to have age-verification in place applies to any person who "makes pornographic material available on the internet to persons in the United Kingdom on a commercial basis other than in a way that secures that, at any given time, the material is not normally accessible by persons under the age of 18." (s14(1) DEA 2017)
It does not matter whether that person is based in the UK or elsewhere.
An ISP can be compelled by an administrative (non-judicial) blocking order to take the steps either specified in the blocking notice, or else as "appear to the provider to be appropriate", to "prevent persons in the United Kingdom from being able to access the offending material using the service it provides". (s23(1))
The legislation expressly permits overblocking: "The steps that may be specified or arrangements that may be put in place ... include steps or arrangements that will or may also have the effect of preventing persons in the United Kingdom from being able to access material other than the offending material using the service provided by the internet service provider." (s23(3))
"Pornographic material" is defined in s15. It's too long for me to paste here, but it covers quite a lot, with an emphasis on material which was "produced solely or principally for the purposes of sexual arousal". And, since different people like different things, that potentially covers quite a lot.
UK Data Protection Bill lands: Oh dear, security researchers – where's your exemption?
Friday 15th September 2017 07:42 GMT
Logging applies only to law enforcement agencies
Clause 60 sits within Part 3, and Part 3 applies only to "processing by a competent authority", defined as "a person specified in Schedule 7, and any other person if and to the extent that the person has statutory functions for any of the law enforcement purposes, but excluding intelligence agencies".
At the moment, Schedule 7 contains pretty much what one would expect to be treated as law enforcement agencies.
For now, at least, "normal" data controllers can appear to be able to sleep a little easier...
Love bots lecture thrills room full of Reg readers
BT Home Hub SIP backdoor blunder blamed for VoIP fraud
Wednesday 25th March 2015 16:29 GMT
FreePBX
I'm happily using FreePBX at home — as a lawyer, it started as a way for me to learn more about VoIP and over the top communications services to be able to give better advice, and ended up being useful enough that I keep it going.
- My understanding is that 5060 need not be open, if the PBX registers outbound with the SIP trunk — the FreePBX GUI makes this very easy, if the trunk provider supports it
- If 5060 does have to be open, could it not be limited to certain IP ranges of the trunk providers?
- If it has to be open fully (e.g. to permit incoming SIP URI calls from any originator), FreePBX comes with fail2ban pre-installed, and there is an "intrusion detection" function in the GUI: configuring it to read from the security log and to ban an IP after [x] failed password attempts was not trivial (for me), but I did get it to work
(I wanted incoming SIP URI calls "because I can" rather than for anything else, and it generates a lot of spam (spit?) which needs to be handled — separate to password attacks — but, so far, that has seemed manageable.)
Ten Mac freeware apps for your new Apple baby
Friday 28th November 2014 13:46 GMT
Caffeine, MagicPrefs
Caffeine: a coffee cup icon which sits in the taskbar. Click it to prevent the screen from going to sleep — great for presentations.
MagicPrefs: small utility for giving more functionality to trackpads or mice. I use it to turn an Apple Magic Mouse into a very good presentation controller, with taps on the top for moving slides forward, backwards and for blanking the screen.
Friday 28th November 2014 12:36 GMT
And some more:
GPGMail / GPGTools: GPG implementation for Mac, including email signing + encryption. Beta for Yosemite currently, but reasonably stable. (I believe it is changing to requiring a payment, though)
Handbrake: for ripping DVDs / converting videos (potentially requires VNC too; I can't remember)
Chicken of the VNC: VNC client
Isolator: for keeping just one window in focus, without using full screen mode
MacTheRipper: DVD ripper
photorec: Unix command line recovery tool, great for recovering photos, documents etc. from USB or memory sticks
Telephone: nice SIP client with address book integration, but does not support encryption :(
Transmission: BitTorrent client, for downloading those Linux distributions
I’ve never paid for it in my life... we are talking Wi-Fi, right?
Sunday 24th August 2014 07:10 GMT
Boingo subscription
When I was going through a phase of travelling every week or so last year, I finally bit the bullet and bought a Boingo subscription covering Europe, Africa and the Middle East — it was on "special offer", which might be available all the time if you hunt for it, for €9.95/month. I have had no problem streaming video over it, or running a VPN, and the times when I have needed to use their tech support phone number I was impressed — mobile providers could learn a lot from them!
It's a nuisance that this subscription does not include the US too, but I use a 3 pre-paid SIM with "Feel at Home" for that: £15 for a month for about 25GB, I think. The rules prohibit tethering although it did work when I tested it, just to check.
WTO sets new date for copyright crunch
Friday 14th June 2013 13:05 GMT
Alan Story's "Copy/South Dossier"
Well worth reading for anyone interested in the impact which Western copyright policies can have on less developed countries:
http://copysouth.org/portal/node/1
(The dossier is both Free and free — they'll even send you a hard copy (if they have any left) for nothing, and would not accept a donation...)
Japan Airlines to serve KFC on Christmas flights
Medical scan record that the NHS says will cost £2k to retrieve: Detail
Thursday 8th November 2012 14:35 GMT
Re: Disproportionate effort?
it does not need to supply the data
It could supply a copy of the data, perhaps, just not in an intelligible form — it perhaps depends on whether the storage medium has more than one patients' records on it, and whether it has any way of duplicating the disc without the specialist machine.
Thursday 8th November 2012 14:34 GMT
Disproportionate effort?
It seems that the trust has the information, but not a means of expressing it in intelligible form without reacquiring some dedicated kit, or else finding a trusted third party to perform the conversion. I would be surprised if the trust did not argue that this constituted disproportionate effort, meaning that it does not need to supply the data:
s8(2), Data Protection Act 1998:
The obligation imposed by section 7(1)(c)(i) [to have communicated to the data subject in an intelligible form the information constituting any personal data of which that individual is the data subject] must be complied with by supplying the data subject with a copy of the information in permanent form unless—
(a)the supply of such a copy is not possible or would involve disproportionate effort
The Information Commissioner's Office has a reasonably concise guide on applying this test: http://www.ico.gov.uk/~/media/documents/library/Data_Protection/Detailed_specialist_guides/disproportionate_effort.pdf
So you want an office of Apple Macs - here's a survival guide
Monday 5th November 2012 13:23 GMT
Re: I just dont get it
Me, from time to time — I have not been able to get (yet, perhaps, but I've been waiting for a few months now) video editing software on my work machine, and so just bring in my Mac when I need to do it. I'd prefer that I could do it on my work machine, but it's not a big deal for me to use my own machine — I'm certainly not expecting any technical support for it, nor am I connecting it to the network.
Quite a lot of people in the office are using tablets of various guises (although, frankly, most are iPads) too, which are not corporate issue — I've used mine as a handy library of reference documents since I got one, and it's great to be able to have the legislation and cases, guidance documents and the like to which I refer quite regularly available in a small and searchable form.
Monday 5th November 2012 10:50 GMT
I think it's pretty good for individual files, but I've had a bad time using it to image a replaced (identical) machine from a Time Machine backup. It took many hours before crashing, and it was far easier to reconfigure the machine by hand, and then sync documents back down from Unison (as I used then; now from my owncloud repository).
As a tool for backing up / restoring an entire system, my experience has been that it is unreliable.
Monday 5th November 2012 10:45 GMT
Support agreement with Apple?
I'd have thought that the "harder to fix" nature of the more modern Macs made them more challenging in a corporate environment? With my work Dell machine, when the hard drive dies, it's trivial to pop it out and put in another — if the SSD on my Air were to die, I'm not sure there would be a huge amount I could do without Apple's assistance? Having a stack of spare machines may be a workaround, to give time to get the borked machine to Apple, but keeping a stack of hard drives on hand seems easier and cheaper?
(Purely a guess on my part, based on being a Windows user at work, and a Linux/Mac/BSD user at home.)
