* Posts by Harry Stottle

258 publicly visible posts • joined 2 May 2007


Zoom finally adds end-to-end encryption for all, for free – though there are caveats

Harry Stottle

Yes but

Agreed, OS is definitely the target for optimal Trust. But achieving it could cause serious delay. So I would settle for a formal security audit signed off by one or two of those we trust in the Crypto/Security community. Bruce Schneier and Ross Anderson spring to mind.

The reason that waiting for the OS version might cause significant delay is that their current codebase is likely to contain both legitimate commercial secrets which could advantage their commercial rivals and/or embarrassing kludges and admissions which they wouldn't want the world to see. Anyone who's written extensive code of their own will be familiar with that problem.

It is more important to get the product out there as soon as possible if only for the massive boost it will give to the E2EE awareness campaign. Even if it turned out to have NSA mandated/engineered backdoors in it, the eventual and inevitable exposure of those would, ultimately, further the cause.

So publish and be damned say I.

Privacy Shield binned after EU court rules transatlantic data protection arrangements 'inadequate'

Harry Stottle

GDPR Compliance of Major US Cloud Vendors

Since the Reg, amongst others, spelled out the implications of the USA Cloud Act, I've been advising my own clients that if they keep any GDPR protected data on any digitally accessible platform whose provider retains access to the platform and is either American or has a legal presence on US soil, then unless the relevant data is provably encrypted with a key possessed only by themselves, they cannot claim to be GDPR compliant.

This new ruling seems to amplify that case considerably.

Does anyone disagree?

ESET rushes to defend rival Malwarebytes in legal war sparked by vendor upset at 'unwanted program' labeling

Harry Stottle

If only they did something about reports of False Positives

bit late to this party but I thought I'd put my beef on record.

I agree, in general, with the overall security brief, that malware detection is one of the vital layers of protection (against known threats). But the bastards are often clearly and egregiously guilty of abusing their position.

The classic example of abuse by the anti malware crowd is their failure to respond or react to reports of false positives.

Process Hacker is the instance which riles me most of all. As we speak Virustotal reports that 20 detectors identify it as a threat. This is bollocks, as I suspect a fair smattering of Reg readers are fully aware.

a) it's open source and has been around since 2008. That makes it instantly more trustworthy than most of the alleged malware detectors

b) it is in constant use by several thousand, possibly million, reasonably experienced users; a community who would have identified real threats well before the malware detectors got around to it

Some argue that the Malware hypers are targeting PH because it is better, and certainly more transparent, at detecting illicit hidden processes than they are and thus threatens their own credibility and bottom line. While this is true, it doesn't make much sense. Nobody has the time (regularly) to sweep their system manually, using PH, to find the occasional threat. And users of PH are the least likely netizens to have exposed themselves to such threats in the first place.

What is really happening, in my view, is that the Malware hypers are - deliberately - conflating dangerous tools (which PH certainly can be, in inexperienced or malicious hands) with actual malicious software. PH CAN be used to damage stuff, (as can hundreds of other software tools) but isn't intended for that purpose. And it's ONLY stuff whose intentions are malicious (or whose code is obviously faulty, like the Norton 2016 example) that should be in their crosshairs.

The real kicker, though, is that it doesn't matter how many of us ( and I know there are many thousands) report PH as a false positive, NONE of the malware hypers ever acknowledge or react to such notifications.

For those who have become thoroughly pissed off by the automatic disabling of PH (especially when it's set to replace Task Manager), the way to prevent that is to activate the Admin account and install it as admin. That usually prevents the bastards from mucking about with it. Otherwise you'll find yourself in a constant round of "permitting" or "excluding" it from their overactive and knowingly dishonest "protection"

And the most dangerous result of this deliberate deceit by the anti-malware crowd is that a sizable portion of the community they should most value (the likes of us) have learned not to trust them. After all, if they can consistently report, as a threat, something we know to be safe, why should we trust any of their other reports?

After IBM axed its face-recog tech, the rest of the dominoes fell like a house of cards: Amazon and now Microsoft. Checkmate

Harry Stottle

Re:FR for the 'Chelsea Flower Show'

Amazed at the downvotes. You seem to have attracted the dork vote.

For the benefit of the hard of thinking, the point of the (I suspect) tongue in cheek recommendation to impose FR on the Chelsea Flower show is that it would give the largely white privileged middle and upper class attendees a taste of what it's like to be under oppressive and intrusive surveillance.

If serious, then although I agree with the sentiments, I would have to disagree with the recommendation because it would be hypocritical to support it for that case while opposing it in all the others. And, in contrast, my own recommendation is that anyone involved in surveillance - whether they made the laws which enable it, or are paid to implement it - should be subject to a somewhat higher level of surveillance, 24-7, for as long as they remain involved in the policy or its implementation.

It remains the primary pre-condition required to overcome Accountability Theatre

Huge if true... Trump explodes as he learns open source could erode China tech ban

Harry Stottle

Serious Point About Satire...

While I applaud any attempt to satirise the twats in charge, I've yet to see any that really land a killer blow on Trump/Bolsonaro/Duterte. And the best they've come up with on President for Life, Xi Jinping is to equate him with Pooh Bear.

For satire to succeed, the target must have some level of credibility which is available to be undermined. Thatcher, for example, was a trained chemist with the ability to comprehend and comment intelligently on various matters scientific. Her mistake was to believe that her competence extended into fields well beyond her experience. This left her wide open to attacks on her neo-liberalism and the absence of Society. Nixon too, was intelligent and occasionally capable but suffered from catastrophic over-confidence in his presidential authority to protect him from wrong doing.

The current crop of, particularly, right wing authoritarian leaders have no such initial plausibility so satirising the likes of Trump (or any other leader with learning difficulties) is nigh impossible because it's almost like abusing someone for their affliction.

And simply replaying their mind boggling performances just makes the whole situation worse.

But a light has appeared in the darkness. Replaying their performances through Lip-syncing turns out to be a near perfect response. Interestingly the first comics charging out of these traps are all female, perhaps because the words of an ignorant malicious male look ten times dumber when they appear to emerge from a female face. Here are some of the examples I've collated, all Trump related, so far, but give it time. At the bottom is the grauniad story which explains the context...

How to more cases that anybody in the world

How to testing

How to Grief

How to strong death totals

The brilliant germ

God blesh the united shtatesh...

Record breaking

Guardian Story

Breaking virus lockdown rules, suing officials, threatening staff, raging on Twitter. Just Elon Musk things

Harry Stottle

Fine the Bastards for Excess Deaths

Given that the negative effects of premature exposure cannot be accurately predicted, I suggest that the appropriate judgement for ANY corporate entity putting its workers at risk in the current crisis should be along the following lines:

Until further notice, you are required to report all Covid related infections and fatalities amongst workers you require to attend your premises. Your reports will be cross referenced against public records and any under-reporting will be a criminal offence unless a court is persuaded that the failure was a genuine accident or oversight and does not form part of a pattern of failure to disclose.

In 12 months time (and, if necessary, every 12 months thereafter), your cases will be analysed and compared to the State records. If your statistics reveal a Covid related death rate more than 1% in excess of the rate for the State in which your activities take place, you will be fined $10 million per excess death. The total fines will be shared out amongst all the families of your employees who died during the period and were required to work at your premises.

That should concentrate their minds

I have specified the State as the comparison target, rather than the Nation, given the colossal disparity in the way States are responding and the likely effects of that disparity on their local death rates. I accept that this means employees in the most reckless of States will be more exposed and less compensated by this arrangement than in the more cautious States because the aberrant employer will be more "normalised" by what is going on in their State. I also accept that some States (eg Florida) are already trying to hide their Covid related death rate. But these factors can be partially mitigated by reference to Excess Deaths generally and, in any case, are not directly the fault of the employer. These political issues require a parallel but different policy to deal with the aberrant States' political leadership; the most obvious of which is the rather weak but reasonably effective recall of such politicians and their subsequent, preferably permanent, exclusion from power through action at the ballot box, by the survivors.

For commercial offenders, however, a court ruling such as the one outlined above would certainly deal with the likes of the Muskrat going out on a limb within one of the more cautious States and could form a template for similar reckless behaviour around the world. The description above is US centric but the principle could be adapted fairly easily for any country with a reasonably independent judiciary.

Just a thought...

Trump Administration fast-tracks compulsory border facial recognition scans for all US citizens

Harry Stottle

Are we smelling the Coffee yet?

we've got a rich seam of State Surveillance and countermeasure stories bubbling up over the last few days. This is the third I've felt obliged to comment on today. However, to prevent RSI, forgive me for redirecting you to this comment on privacy protection (in the context of Firefox's proposed "FPN") which concludes by referring to the principal threat which comes from the State itself...

Mayday in Moscow as devs will be Russian to Putin mandatory apps on phones, laptops, TVs

Harry Stottle

As I was saying...

only a few minutes ago, here and a few days ago, here

the biggest enemies of both privacy and liberty are the State, now ably assisted and enabled by the Surveillance Capitalists. Both Russia and China are merely the more overt examples of what is being quickly normalised around the globe.

Newly born Firefox 71 emerges from its den – with its own VPN and some privacy tricks

Harry Stottle

Is Joepie91 fer real??

Regular Regitards will be familiar with the substance of this response but I include the detail for the benefit of any newbies wanting a quick guide to achieving reasonable privacy online.

That GitHub post almost looks like a shill.

No, VPN is not THE solution to privacy but it's a major component. Especially if you randomise your choice of server.

No, You can't trust VPN providers without performing some serious due diligence.

Generally speaking, in the world of security, nothing less than a formal security "reduction" (proof) is considered convincing, but in the case of my own preferred supplier (PIA - see this review) proof of the pudding comes by way of their survival of at least two State based attacks - one in Russia, where their servers were seized and no user details were retrieved; and one in the USA where the court determined that they were unable to comply with demands for user data. That's at least as convincing as a formal security proof and, arguably, more so!

No, VPN alone will not prevent tracking,

You need to throw about half a dozen other weapons at that problem, including switching on the Do Not Track options, DNS over Https, ad blocking via Ublock Origin (my preference) or Adblock Plus, script controls with Umatrix or Noscript (or similar), Sandboxed browsing with automatic deletion of web traces (eg Sandboxie, though I'm a bit nervous about their new owners) and Canvas fingerprint blocking. On the subject of which, my private experiments recently tipped me back into Firefox (along with other improvements in V70) and away from SRWare Iron when, after testing various Canvas fingerprint blockers using Panopticlick to confirm their effects, I discovered that NONE of those available for Chrome engines actually did much good. Yes they change or mask your fingerprint but they don't do the only thing which works, which is to randomise it. Only Canvas Blocker in Firefox passed that test.

But the issue that angers me most, especially when the source is another technically literate contributor like the author of that github post, is their wilful ignorance of the threat posed by the combination of the Surveillance State and Surveillance Capitalism.

His 2nd "legitimate" use of VPN is:

"You want to hide your IP from a very specific set of non-government-sanctioned adversaries - for example, circumventing a ban in a chatroom or preventing anti-piracy scareletters."

which implies that he's perfectly content with "government sanctioned adversaries". Most of us who visit these pages, however, recognise that government adversaries are, by far, the biggest threat. (I only recently bleated on a similar issue in a recent Reg discussion) and they are easily my own major reason for using the above countermeasures (and a few others).

And the point that is most often glossed over by such pillocks is that the single biggest advantage to be gained by widespread adoption of things like VPN and secure private email (I strongly recommend Protonmail) is "Herd Protection". There are millions of legitimate reasons to oppose and campaign against the forces of internal repression (occasionally called "governments") and that makes all of us prepared to voice such opposition potential targets for their digital surveillance. The more of us who use masking and privacy protocols, the more protection we supply to each other, not just ourselves.

Go champion retires after losing to AI, Richard Nixon deepfake gives a different kind of Moon-landing speech...

Harry Stottle

@ Chris the BeanCounter

And you, Mr Bean Counter, are guilty of complacency (at best), or ignorance.

Are the UKUSA authoritarians likely to attempt massive incarcerations and torture based "re-education"? No. But they're certainly guilty of and heavily invested in the technological infrastructure which makes that shit possible. It's already far more intrusive and pervasive than anything dreamed of by the Stasi.

Their use of it will, for the time being at least, and in deference to the freer press, be somewhat more surgical than the fucktards we're watching in China. The intimate details they are stockpiling on all citizens are already selectively mined and used to persecute the more troublesome dissidents; the ones who might make the more docile citizens sit up and take notice of what is being done in their name.

Of course, if the current woolly generations of politicians are replaced by more aggressive authoritarians, like those we see in Hungary or Poland, the infrastructure will already be in place to weaponise the jackboot version.

I strongly recommend "The Age of Surveillance Capitalism" by Shoshana Zuboff. It's the best researched history of what's been going on "in our name" for the past 20 years and, if it doesn't activate your opposition, I suspect you're probably already terminal.

Remember the FBI's promise it wasn’t abusing the NSA’s data on US peeps? Well, guess what…

Harry Stottle

Given J Edgar Hoover...

and the way in which the first head of the FBI used illegally obtained and retained data for several decades to blackmail presidents, hide his own (then illegal and politically sensitive) sexuality and extend his own reign way beyond the limits for public employees, it's hardly surprising that his successors have learned that they're big enough to do whatever the fuck they want; both to the law and to the little people...

Loathed Aussie mining magnate Clive Palmer punts libel sueball at YouTube comedian

Harry Stottle

Jordan Shanks Update Response

the original video seems to have been buried but Jordan has published this much more detailed response

Remember that security probe that ended with a sheriff cuffing the pen testers? The contract is now public so you can decide who screwed up

Harry Stottle

One of the main purposes

of my proposed solution to Accountability Theatre is to provide cover for just such legitimate operations.

Clearly what they omitted (and what was obviously omitted from their contract) was the step of informing a trusted confidante who was NOT a member of the client organisation nor the pen testing organisation but was trusted by both (eg a Lawyer) - of what their plans were. The other step that they should have taken was to ensure a full digital record of every relevant action they took (whether through body cams for the on site "break in" or digital recording of their discussions, conclusions and plans and how/when those were shared with the T3P); and, of course, the routine digital capture and multiply redundant storage of all their evidence, together with regular snapshot hashes stored on an immutable audit trail (public hash-chain or block chain)

And although it obviously fits this case, it should apply not just to undercover surveillance activities, but ALL the activities carried out by anyone whose activities have - or could have - significant effect on the lives of others. None of the evidence is public by default. Only the proof that the evidence exists (the hash-chain) needs to be public. Then, in the event of reasonable challenge, the defendant has proof of their valid behaviour and decision making process. That "proof of proof" needs to be mandatory. And if, in the event of challenge, they can't prove that they kept the evidence, they're automatically guilty. And if they have the proof but choose not to present it, we're entitled to reach the same conclusion.

Citizens: Innocent until proven guilty

Authority: Guilty until proven innocent
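An illustration of the hash-chain audit trail described in the post above, added here as an example and not part of the original post: the evidence stays private, only salted commitments and their links are published, and the evidence can later be checked against them. The record layout, function names and sample records are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json
import os

GENESIS = "0" * 64  # "previous hash" of the first entry


def commit(evidence: bytes, nonce: bytes) -> str:
    """Salted commitment: the public value reveals nothing guessable about
    short or predictable evidence as long as the nonce stays private."""
    return hashlib.sha256(nonce + evidence).hexdigest()


def entry_hash(prev: str, ts: int, commitment: str) -> str:
    """Hash a canonical serialisation so every verifier computes the same value."""
    payload = json.dumps({"prev": prev, "ts": ts, "commitment": commitment},
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


def append_entry(chain: list, evidence: bytes, ts: int, nonce: bytes = None) -> bytes:
    """Append a public entry for one private evidence snapshot.
    Returns the nonce, which must be stored privately with the evidence."""
    nonce = os.urandom(32) if nonce is None else nonce
    prev = chain[-1]["hash"] if chain else GENESIS
    commitment = commit(evidence, nonce)
    chain.append({"prev": prev, "ts": ts, "commitment": commitment,
                  "hash": entry_hash(prev, ts, commitment)})
    return nonce


def verify_chain(chain: list) -> int:
    """Return the index of the first inconsistent entry, or -1 if intact."""
    prev, last_ts = GENESIS, None
    for i, e in enumerate(chain):
        if e["prev"] != prev:
            return i  # link to predecessor broken
        if e["hash"] != entry_hash(e["prev"], e["ts"], e["commitment"]):
            return i  # entry contents altered after hashing
        if last_ts is not None and e["ts"] < last_ts:
            return i  # timestamps must not run backwards
        prev, last_ts = e["hash"], e["ts"]
    return -1


def head(chain: list) -> str:
    """The value to publish somewhere the author cannot rewrite."""
    return chain[-1]["hash"] if chain else GENESIS


def evidence_matches(chain: list, index: int, evidence: bytes, nonce: bytes) -> bool:
    """Check evidence produced on challenge against the public commitment."""
    if not 0 <= index < len(chain) or verify_chain(chain) != -1:
        return False
    return hmac.compare_digest(chain[index]["commitment"], commit(evidence, nonce))


def build_chain(records: list) -> list:
    """Build a chain from (timestamp, nonce, evidence) tuples."""
    chain = []
    for ts, nonce, evidence in records:
        append_entry(chain, evidence, ts, nonce)
    return chain


# Constructed sample records (timestamps are Unix seconds; fixed nonces are
# used only so the example is reproducible, real nonces must be random).
SAMPLE_RECORDS = [
    (1568000000, bytes([1]) * 32, b"engagement scope shared with trusted third party"),
    (1568003600, bytes([2]) * 32, b"on-site entry log, body cam file digest list"),
    (1568007200, bytes([3]) * 32, b"findings summary and decision notes"),
]

if __name__ == "__main__":
    chain = build_chain(SAMPLE_RECORDS)
    published_head = head(chain)
    ts, nonce, evidence = SAMPLE_RECORDS[1]
    print("chain intact:", verify_chain(chain) == -1)
    print("evidence matches:", evidence_matches(chain, 1, evidence, nonce))
    print("edited evidence matches:",
          evidence_matches(chain, 1, evidence + b" (edited)", nonce))
    # Rewriting history and re-hashing everything yields a self-consistent
    # chain, but its head no longer equals the one published earlier.
    forged = build_chain([SAMPLE_RECORDS[0], (ts, nonce, b"rewritten"), SAMPLE_RECORDS[2]])
    print("forged chain self-consistent:", verify_chain(forged) == -1)
    print("forged head equals published head:", head(forged) == published_head)
```

A chain held only by its author can be regenerated wholesale, so the integrity guarantee rests on the head hash having been published where the author cannot alter it.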

Australia didn't blame China for parliament hack in case it upset trade relations – report

Harry Stottle

"We have been harmonised: Life in China's surveillance state" by Kai Strittmatter

slightly off topic but am halfway through this on my Kindle, and it's truly shocking.

As a long term opponent of authoritarian regimes I thought I already had a handle on what China was up to on the inside. I was wrong. Big time.

Their current dictatorship is much cleverer than Mao and has achieved a degree of control, particularly over the control of dissent, and the citizen's awareness of their own history which makes Big Brother look like a rank amateur. Their crude but effective dominance of their internet and technology sector is way beyond what I imagined possible for those with an authoritarian mindset. And you can see that their "success" - particularly in social control - is already becoming a model for our own authoritarians to aspire to. The only thing we've currently got in our favour is that our authoritarians are nowhere near as intelligent and organised as theirs...

World's oldest human was a 122-year-old French smoker after all

Harry Stottle

Dry run?

I can't think of any motive for the Russian authors, other than as a dry run for how best to launch arbitrary fake news items onto a compliant Web...

Two years ago, 123-Reg and NamesCo decided to register millions of .uk domains for customers without asking them. They just got the renewal reminders...

Harry Stottle

FreeParking not quite as evil but on the spectrum...

I've got half a dozen clients with freeparking supplied domains.

Late April they sent me this:

"Could you have a reserved .uk domain?

When the new .uk domain was launched in the summer of 2014, we reserved a number of .uk domains for registrants of existing .co.uk domains registered before 28th October 2013. If you own a .co.uk, .org.uk, .me.uk, .net.uk, .plc.uk, or .ltd.uk, the matching .uk domain name may have been reserved for you and you should do the following:

Check your account. If your name was allocated then it will require renewal soon.

Check your rights here. You have until June 25th to decide, but time is running out!

Check with us. We are here to help if you are unsure as to your rights or you wish to claim your .uk."

which was up front and not unreasonable but we weren't interested. I told them so.

Despite which, since then, approximately every 2 weeks I've been getting "Consolidated Renewal Reminders" which I can't ignore in case any of them involve the domains we actually own. In classic American marketing protocol, they claim they cannot suppress the automated message! I bet if I could afford to take the buggers to court, they'd find a way pdq

That said, at least they haven't gone the extra mile and tried to invoice us...

Bloke who claimed he invented Bitcoin must hand over $5bn of e-dosh in court case. He can't. He's waiting for a time traveler to arrive

Harry Stottle

Negative Proved: Craig Wright<>Satoshi Nakamoto

Not that any of us believed his claims in the first place; not least as a result of his continuing failure to present the promised digital proof.

It is, however, usually difficult to prove a negative. But this, I would argue, nails it:

"But an expert took a look at the email and concluded from the email’s digital signature that it has been sent in early 2014."

Whatever other criticisms you may aim at Bitcoin, its real author clearly and fully understood the issues around immutability and the digital proof of data integrity. No one with that level of comprehension could possibly have imagined that they'd get away with forging an email in 2014, which relied on a timestamped digital signature.

Ergo, this charlatan can not be that still anonymous author.

Biz forked out $115k to tout 'Time AI' crypto at Black Hat. Now it sues organizers because hackers heckled it

Harry Stottle

Look into my eyes

not around my eyes, into my eyes... 3,2,1, you're under...

I predict that video will attract a cult following among geeks who collect the finer examples of fermented snake oil.

Have you noticed there is a common feel to most of the popular snake oil presentations? They are obviously aimed at anyone EXCEPT the very people they really need to persuade, should what they're peddling have any chance of being anything more than fantasy. They're peppered with scientific jargon but in a naive and pseudo-scientific way; slick and PR glossy, with no sign of ironic awareness of the enormous gaffes or gaps they inevitably expose.

Their ideal target is the kind of consumer who NEEDS something they desire to be true, but cannot find any academic support for their desired truth. There are hundreds of examples in homeopathy and quack medicine generally. More dangerously, this approach also appeals to authoritarians (leaders and followers); for example, the myriad politicians who insist on "secure" back-doors to encryption.

The difficulty for those of us less easily hypnotised is that proving this kind of negative (your argument is bullshit) is MUCH more difficult than the presentation itself and much harder to follow and understand; as illustrated by Mark C's excellent demolition paper (my favourite line from which is: Thus, this method is simply the following: “skip the even numbers")

Here's a top tip: Don't trust the new person – block web domains less than a month old. They are bound to be dodgy

Harry Stottle

Blocking ALL new websites is over-reach

by all means, provide prominent warning that the site is new, and as yet, not widely trusted and should be treated with caution. After that, it's caveat emptor...

Finally. Thanks so much, nerds. Google, Apple, Mozilla end government* internet spying for good

Harry Stottle

"Fake" Root CA?

might be a quibble but surely the danger is not that it's "Fake". The CA is no doubt set up in the standard manner by an ostensibly legitimate organisation and is not pretending to be anything else. The danger is not its "authenticity" but straightforward abuse of what is designed to be a trust anchor, by a corrupt authoritarian regime.

Latest sneak peek at PowerShell 7 ups the telemetry but... hey... is that an off switch?

Harry Stottle

Not Traceable? Bah humbug...

"As for that unique identifier, he told us it was "to help us understand if our user base is growing and not just usage." The identifier itself, he said, is "a unique guid for the machine and user, so it can’t be traced back to either the machine nor the user.""

er... excuse me?

unless that quote is misreported or I've badly misunderstood it, that claim is nonsense.

If that's a static "unique identifier" (remains same between sessions) as opposed to a new random session id every time, then, given all the other identifiers slurped by MS telemetry, that would make the powershell ids trivially traceable to the given machine and, with a little more effort, the exact user

Incognito mode won't stop smut sites sharing your pervy preferences with Facebook, Google and, er, Oracle

Harry Stottle

Don't forget "Canvas Fingerprinting"

Even if you trust your VPN provider (I do. I use and recommend the - open source but paid - PIA ) that only protects you from IP tracking. The growing threat is the use of Canvas fingerprinting for which you need to install tools like "CanvasFingerprintBlock" for Chrome (and derivatives) or the equivalents for Firefox, Opera etc.

And I strongly recommend (for ALL browsing, whether or not onanistically motivated) the use of Sandboxie (or an equivalent), set for automatic deletion on exit, so that anything the bastards drop onto your system is automatically wiped at the end of each browser session. This combination enables you to permit all the cookies they can eat without rendering any part of your system or browsing patterns subsequently trackable.

Oh, and timlibert: did your survey perchance check how many of the sites were using Canvas Fingerprinting?

We ain't afraid of no 'ghost user': Infosec world tells GCHQ to GTFO over privacy-busting proposals

Harry Stottle

A modest Constitutional Proposal

Difficult to control the increasing rage I feel as we continue to see these recurring attempts to bully the public and politicians into accepting egregious invasions of privacy with all its risks to civil society that others have mentioned.

I think it's time we organised a major constitutional challenge, beginning with a petition on the government website and funded by a crowd-sourcing campaign. I hereby propose a first draft of such a plan:

The aim would be to render illegal the imposition of any communication controls which have the potential to be abused in ways I don't need to repeat, in detail, here; but certainly including any threats to dissent, free association and standard privacy expectations.

The relevant Law would further make it a mandatory condition of employment that

a) anyone witnessing such abuse would be guilty of abetting that crime if they fail to report it

b) anyone proposing the implementation of such controls or any other attempt to bypass the law, would be guilty of the new crime

Ideally I would also like to ban any politician proposing such a change in policy from holding office for a period of ten years but that implies a limitation on free speech which I can't defend.

None of the above implies that such intrusive surveillance can never be permitted. The conditions under which it may be permitted, however, must be strictly confined to the following conditions:

1) the surveillance attack must be limited to an individual or tightly defined small group of related individuals who are suspected, as a result of legitimate intelligence sources, of committing or planning acts which could result in significant physical harm to other citizens, serious damage to property (eg a cost in excess of £500k) or serious financial fraud (eg a value in excess of £1m)

(i.e. the law will explicitly recognise that intrusive surveillance is not justifiable for "trivial" matters)

2) the decision making process and the implementation of the attack must all be digitally recorded and the records protected by timestamped hashes stored on immutable hash-chains or block-chains (see my previous thoughts on Accountability Theatre for more detail)

3) a civil audit team (12-20 experts), independent of both government and the intelligence agencies must be informed of the existence of all such planned attacks prior to their implementation and must have unfettered access to the data and decision makers, together with the legal right to raise objections both with the courts and, if they deem fit, with the media. They also have the unfettered right to publish summaries and reports on the operation of this monitored surveillance regime as and when they see fit.

4) that audit team must include experts in ALL the relevant fields (Law, Civil Liberties, Intelligence/Surveillance and Crypto). They should be selected by a process similar to jury selection but from a restricted publicly visible pool of a few thousand volunteer experts. The state and normal citizens can have the right to object to selected members of that pool and to propose their exclusion, on publicly stated grounds, but these proposed exclusions must themselves be approved by an ad hoc jury randomly drawn from other members of the pool who have not been selected for exclusion (and can, therefore, be assumed to be widely trusted)

5) No prosecution would be permitted to include Surveillance based intelligence unless it is certified by the auditors as having been gathered under the new legal conditions. The defence team would be entitled to a more detailed report from the auditors to justify the use of the intelligence, though the auditors would have the discretion to withhold details which could damage the operation of the intelligence gathering process or key individuals involved in it.

Any questions?

Trump fights with Google over Chinese military, AI scoops Turing Prize, Dota2 competition coming

Harry Stottle

General Joe says...

Trump’s top military aide General Joe Dunford, chairman of the Joint Chiefs of Staff, said Silicon Valley partnering with China “will help an authoritarian government assert control over its own people..." [edit: "like they already help us with ours"]

there you go Joe, FTFY

Put down the cat, coffee, beer pint, martini, whatever you're holding, and make sure you've updated Chrome (unless you enjoy being hacked)

Harry Stottle

No Mint expertise

not even a Mint user but can't you just download a full installation and run that? On windows, that didn't use to overwrite my settings.

to be safe, though, you probably ought to back up your settings. This page will give you clue what to look for and where (though it's windoze centric so you'll have to extrapolate)

'course, haven't tried it for a few years, since I switched to SRWare Iron (privacy protection Chrome fork)

My question to the panel is "is Iron equally at risk?" but I think the "Chromium" question above might have answered that...

good luck

When 2FA means sweet FA privacy: Facebook admits it slurps mobe numbers for more than just profile security

Harry Stottle

Re: The Age of Surveillance Capitalism

wry note for the tinfoil hat brigade.

After writing that obviously enthusiastic support for Zuboff's analysis, I decided to throw caution to the winds and buy her book. (kindle version if you care). Accidentally found myself on Amazon.com (instead of .co.uk where my account resides). Was confronted with the unsurprising news that it is already the "#1 best seller" but this was accompanied by the somewhat less expected news that "This title is currently not available for purchase" - which makes its #1 best seller status something of a miracle.

There's almost certainly a non conspiratorial reason for the current block on its sale. I'm sure even the TLAs don't have the clout to suspend a title on Amazon (not, at least, without the judicial theatre of a court injunction) but it did add some flavour to the moment.

Happily, the UK site let me buy it.

Harry Stottle

The Age of Surveillance Capitalism

The latest media hyped response to this syndrome is Shoshana Zuboff's "Age of Surveillance Capitalism (etc)"

Downloaded the Intercept video podcast yesterday and listened to it last night (watching isn't necessary). It's a dual presentation with her and Naomi (Shock Doctrine) Klein.

Obviously I was sympathetic to their overall message but it was hardly news to any Reg readers, especially those of us who have been punting the "Privacy=Security" message since the tail end of the last century. And they're a bit short of technical grasp, which is forgiveable. It's not their field.

However, they were making a particular argument which I can only label as classic conspiracy theory and which even I, who recognise and preach the dangers of GooMazonSoftBook et al, found a bit of a stretch. And I don't know whether it's the phase of the moon or this story which has pushed me over the edge, but this morning their analysis feels a whole lot more plausible.

Short version: They all started out with good intentions. Google, in particular, professed hatred of advertising and proclaimed it as a threat to the net. They also recognised the horrendous potential for intimate surveillance and set their pitch against that, most famously with their (now retired) "Do No Evil" mission statement.

Then came 9-11

And all plans to improve privacy protection (from legislators and businesses alike) were rolled into reverse. This (conspiracy alert) was orchestrated by the TLAs; who realised that private companies could get away with things they could not because (believe it or not) the TLAs were more accountable and couldn't ignore the constitution. Private companies could.

So, virtually overnight, the nascent talk of privacy protection became talk of the need to invade your privacy for your own - and the nation's - protection.

All the politicians had to do, to complete the coup, was to legislate mandatory reporting on demand, of any private data, the TLAs wanted, by those private companies; who were also granted huge leeway to get on with scraping all the private data they could eat. Add on the mythical oversight by the judicial rubber stamping process and you've squared the circle. You've introduced the Stasi-Panopticon 2.0 into what citizens laughingly think of as liberal democracies and nobody but us weirdos has even noticed or, if they have, don't realise they are now reverted to Serfdom with its new name - "users".

The book has already made a big splash. Be interesting to see if it can "wake" the "users" out of their soma inspired complacency.

HPE wants British ex-CFO to testify in UK Autonomy lawsuit before Uncle Sam sentences him

Harry Stottle

Ponzi Scheme

love the phrase "unsustainable Ponzi scheme" which implies the existence of sustainable Ponzi schemes, presumably like the US Dollar and other Fiat currencies?

Here come the riled MPs (it's private, huh), Facebook's a digital 'gangster' ('disingen-u-ous'). Zuckerberg he is a failure (on sharing data)

Harry Stottle

The Hypocritic Oath

Just one of many I screamed at the radio.

Difficult to rein in my rage on hearing this story and the unquestioning BBC "Today" toadying of its proponents on this morning's show.

Let's make it clear from the start that I recognise the reality of the problem they identify. Fake news, disinformation, targeted propaganda etc are all widespread evils not just hosted by the internet's big beasts but engineered as income streams.

But for senior politicians to come out swinging about this issue is about as egregious as Hitler complaining about Stalinist purges.

Someone needs to do a PhD on this shit but my starting hypothesis would be that, if we could find an objective way to measure Fake news and Disinformation and track it to its sources, the single largest contributors, throughout human history, have always been governments or those aspiring to govern.

I was going to list examples but I doubt if any fellow Reg readers need them.

I'll just comment on why the BBC and UK Parliament are so happily aligned on this issue. They both have a vested interest in portraying themselves as the gold standard of verifiable political fact. Commercial upstarts like Fakebook have no business muscling in on their pitch. A biblical quote featuring motes and eyes comes to mind...

Use an 8-char Windows NTLM password? Don't. Every single one can be cracked in under 2.5hrs

Harry Stottle


@ DaLo

At the risk of teaching the occasional grandmother to suck eggs, I feel the urge to correct a few errors in your post.

Encryption entails a (roughly) 1 to 1 relationship between plaintext and ciphertext, i.e. for every character in the plaintext there should be at least one in the ciphertext (ignoring compression).

Cryptographic hashing produces a fixed length output regardless of the size of the input. Using SHA256, for example, anything we hash will produce a 32 byte hash - whether it's your 8 character password, or War and Peace.

One consequence of the difference is that hashing algorithms are NOT vulnerable to poor quality entropy (eg the output from weak Random number generators). If they used randomness at all, they wouldn't work because the hashes for a fixed input would usually vary.

Bcrypt is the exception to that rule. It is optimised for password handling. For example maximum input length is (from memory) 256 characters. And it does include randomness and thus always produces a different hash for a given input, which, amongst other things, means you can't test a Bcrypt password simply by repeating the hashing process. You need a partial decryption process which reads a section of the hash to determine the randomness which produced it, so it can verify the input against the output.

And bcrypt passwords can even vary (slightly) in length (which confused the fuck out of me when I was learning how to use it) and it doesn't run the hashing process once but, typically, a few thousand times (user configurable). All these tricks are how bcrypt makes Brute Force attacks thousands of times more time consuming. It SHOULD, by now, be the standard hashing technique for all passwords. If the NTLM passwords were Bcrypt hashed, they'd still be safe!
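An added illustration of the contrast drawn in the comment above, not code from the commenter or from any product mentioned: a bare SHA-256 digest next to a salted, iterated password record whose salt and work factor are read back out of the stored string at verification time. PBKDF2-HMAC-SHA256 from Python's standard library stands in for bcrypt here (bcrypt is not in the standard library); the record layout, constants and function names are assumptions made up for this example.

```python
import base64
import hashlib
import hmac
import os

DEFAULT_ITERATIONS = 200_000   # work factor chosen for this example
MAX_ITERATIONS = 10_000_000    # refuse absurd costs in a hostile record
SALT_BYTES = 16
LABEL = "pbkdf2-sha256"        # constructed record label, not a standard


def plain_digest(data: bytes) -> bytes:
    """Unsalted SHA-256: always 32 bytes, same input gives same output."""
    return hashlib.sha256(data).digest()


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a self-describing record: $label$iterations$salt$hash."""
    salt = os.urandom(SALT_BYTES)          # fresh random salt per password
    derived = _derive(password, salt, iterations)
    return f"${LABEL}${iterations}${_b64(salt)}${_b64(derived)}"


def parse_record(record: str):
    """Split a stored record into (iterations, salt, expected_hash)."""
    parts = record.split("$")              # base64 never contains '$'
    if len(parts) != 5 or parts[0] != "" or parts[1] != LABEL:
        raise ValueError("unrecognised password record")
    iterations = int(parts[2])
    if not 1 <= iterations <= MAX_ITERATIONS:
        raise ValueError("iteration count out of range")
    salt = base64.b64decode(parts[3], validate=True)
    expected = base64.b64decode(parts[4], validate=True)
    return iterations, salt, expected


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the salt and cost stored in the record, then compare."""
    try:
        iterations, salt, expected = parse_record(record)
    except ValueError:                     # malformed record: reject, don't crash
        return False
    candidate = _derive(password, salt, iterations)
    return hmac.compare_digest(candidate, expected)   # constant-time compare


def needs_rehash(record: str, target: int = DEFAULT_ITERATIONS) -> bool:
    """True when a record was created with a lower work factor than today's."""
    iterations, _, _ = parse_record(record)
    return iterations < target


if __name__ == "__main__":
    print(plain_digest(b"password").hex())
    first = hash_password("correct horse battery staple")
    second = hash_password("correct horse battery staple")
    print(first)
    print(second)                          # differs from the first: new salt
    print(verify_password("correct horse battery staple", first))
```

Because the cost is stored per record, `needs_rehash` lets a login handler upgrade old records the next time the user authenticates successfully.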

UK Home Office dumps huge sack of complex data sets on biometrics ethics board's desk, goes for beer (probably)

Harry Stottle

Call me cynical

because I am.

The purpose of an Ethics board should be to advise on "how we should behave?"

The purpose of this one, I would wager, is to determine "what can we get away with?"

One click and you're out: UK makes it an offence to view terrorist propaganda even once

Harry Stottle

Re: Terrorist material

you've just reminded me of my own schooldays (late 60s), where I spent my first year of Sixth form, with the blessing and occasional assistance of the (boarding) school, teaching myself to construct and test small rockets (max range 15 miles) using, mainly, a zinc sulphur mix as the propellant. Proudest day of my life remains the first public test, where half the school turned out to watch it fail. Missed the target flag, 1000 yards from the launcher, by 9 feet.

Chances of any modern schoolkid having that experience?

Harry Stottle

So how would I write something like this?

I posted this essay on Militant Islam in 2006. It entailed a few months of research and crawling over their propaganda and published statements. Enough to lock me away for life it would now seem. I don't appear to be protected by any of their "reasonable defences". It wasn't an academic exercise (in any formal sense). I was (am) just one of many concerned citizens trying to make sense of what goes on in the minds of authoritarians. That seems to have become increasingly necessary ever since, as outrageous policy proposals like this clearly illustrate.

If you want a vision of the future, imagine not a boot stamping on a face, but keystroke logging on govt contractors' PCs

Harry Stottle

Goose and Ganders

First off, no politician (or authority in general) should even be permitted to make proposals like this until they themselves are already properly accountable.

That should be a statement of the bleedin' obvious but obviously isn't, which is why I keep having to say it.

Second, particularly in the higher end of the IT field which this appears to target, the notion that capturing computer based activity correlates with the value of any work being done betrays complete ignorance of the creativity which adds the real value to any project. This is related to the earlier comments which touch on the difference between quantity and quality. Yes, we've all had intense sessions where we pump out thousands of lines of code which all looks very productive (till you run it) But equally, I can sometimes spend hours looking at a blank screen, or perhaps a simple diagram on it, or even playing a mindless game, while trying to solve a problem, which eventually concludes with me typing one or two lines of code which achieves the desired result with elegance.

Third, there are definitely use cases where such direct surveillance is justified, though sometimes we're lucky it wasn't enforced. Think Edward Snowden! More importantly, one of the measures that should be mandatory alongside GDPR is that anyone with access to sensitive data which isn't their own should be obliged to keep a private encrypted copy of their machine activity, periodically snap-shot and hashed to a publicly available immutable audit trail; so that in the event of any challenge to their handling of that data, they are in a position to prove their innocence, if necessary "in camera" to a trusted jury. However, should they be challenged and refuse to make that evidence available, we should be entitled to assume their guilt.

(this concept is argued in somewhat more detail here)

No fax given: Blighty's health service bods told to ban snail mail, too

Harry Stottle


Protonmail is already up and running and easily the best combination of security and user friendliness currently available. It's certainly easier than using gmail nowadays.

Two ways it could work. First option, anyone wishing to sign up for email contact should be encouraged to go and get their free PM account and make that their default email address (if advising novices, include advice on strong passwords). GPs could do the same but would be kicking against the bosses official line. Those few with the cojones to place patient trust and confidentiality ahead of "just following orders" will proceed regardless. Result: patchy adoption and plenty of friction.

Best would be if NHS signed a contract with PM to provide the service. That would send such an amazingly positive message to the world in general that the long term consequences are impossible to estimate. And PM would get a solid funding boost which would enable their operation to spread further and faster. Of course this won't happen. The spooks won't permit such a dangerous publicly endorsed precedent. But it makes for a good daydream.

Option 1 remains available.

Google's stunning plan to avoid apps slurping Gmail inboxes: Charge devs for security audits

Harry Stottle

We look forward to Gmail's Own Security Audit

I'm unaware of any formal security audit of Gmail itself. That could just be ignorance on my part, but I have searched, using google of course, and failed to find one. (Kindly correct me if I've missed it)

Assuming its absence is not my oversight, I presume Google intend to lead by example.

Other fairy stories are available

Google: All your leaked passwords are belong to us – here's a Chrome extension to find them

Harry Stottle

Keepass - with Tusk - stored in Sync

I used to use and recommend Roboform, until they made it increasingly difficult to host your own keys and insisted on driving everyone into their cloud. I might even have persisted with that, had they responded intelligently to my request for sight of their security audit or equivalent, and details of the security structure which would prevent them (or anyone else) getting at my key collection. Instead they responded with marketing hype.

So then I did the research and went looking for any open source option which had not been caught with its digital trousers around its ankles. That very quickly led me to Keepass.

It's probably perfect for most Reg readers because you're likely to be on the geek spectrum, but it's way over the heads of "normal" users, which is a shame because it offers very strong and configurable protection.

My only real beef with it was the absence of what I considered to be the most user-friendly feature of Roboform - its ability to act as a bookmark database and, having found the bookmark, take you to the site and login automatically. (like the password managers built in to most browsers)

But then I found Tusk which does a reasonable job of imitating the Roboform functionality. I have it installed in both Firefox and Iron. Has its quirks and limitations but has done a good job of keeping the browser security under control without breaching the underlying "wallet".

Limitation example: it can't capture newly created credentials while in browser. You have to open up Keepass (separately) to access things like its password generator, then add the new "account" to Keepass and save it. Then you have to deselect the Keepass kdbx file from Tusk and reselect it to get the updated version.

That's a bit of a faff, especially if you're also a Sandboxie user. (has to be done outside the sandbox or it'll be forgotten at the end of the session)

That's the kind of thing that stops it being "user friendly" enough for mere mortals, but digital warriors like us will find it reassuringly difficult.

One other thing. Other Keepass commentards above have pointed out that it's "non cloud". Which it is. But Tusk tries to nudge you into storing your keys in the cloud, so you can access them anywhere. It does have a "local file" option, which I use.

But I'm also happy with the security of the cloud provider sync.com and have a 1Tb account with them (they also do free 5Gb accounts) They're the only cloud service who have managed to convince me that they offer true blind encryption (even they cannot see what I store in their box)

So I'm happy to store my keyfile in Sync (stored as a "Local File"), where it's still protected by my strong password, but accessible from any of my devices.

Strongly recommended for those who object to Security Theatre.

Now you, too, can snoop on mobe users from 3G to 5G with a Raspberry Pi and €1,100 of gizmos

Harry Stottle

Re: This is why calls should have end to end encryption

Unless you're using the new feature (version 8+) "Private Conversation" I hope you're not under any illusion that your "normal" Skype calls are E2EE. Frankly, we should be seriously sceptical even about their so called Private Conversation. There is no formal independent audit (in the public domain) to verify its claims and Microsoft's track record of co-operation with the TLAs is legendary (and, as many of us, including fellow Reg commentards, speculated at the time, probably accounts for their purchase of Skype in the first place)

I've tried out their allegedly "Private Conversation" and it "feels" like Security Theatre. Unlike the much better attested E2EE options (eg Wire, Viber, Blizz, Signal, Qtox, Wimi etc), all of which manage to cope with conference calls and video, and some of which also manage screen sharing, Skype's PC offers voice only and one party at each end only. No Video, no screen sharing. Why is that? I can list some of the more obvious options:

1) the other providers are incompetent and bluffing about their security.

2) Microsoft are unable to find competent security engineers to create their own multiparty version

3) They have calculated this is the "least they can do" to ward off demands for genuine privacy/security but by making its functionality so limited, they ensure that most users will ignore it (and stick out like sore thumbs when they choose it)

4) They just want to make users feel "it's so limited it must be secure" while, in reality the TLAs continue to have unimpeded access.

My money's on the last option, with an each way bet on (3)

Facebook spooked after MPs seize documents for privacy breach probe

Harry Stottle

Missing Information

First off, brilliant stroke by Parliament. For a change, someone was awake at the wheel.


a) how and why was the "victim" of this attack carrying such sensitive data around with him in the UK or, if he wasn't, how could he be compelled, with no legal role in FB, to access and hand over the data?

b) how did the authorities over here even learn that the opportunity existed?

Regardless, I'm impressed.

Bedroom design outfit slapped with £160k fine for 1.6 million spam calls

Harry Stottle

2nd Offence should mean Jail Time...

1st time can be accident or ignorance

2nd time, post penalty, that's policy...

Swedish ISP spanked for sexist 'distracted boyfriend' advert for developer jobs

Harry Stottle

The first time

I've ever felt justified, or even motivated, to use the phrase "Political Correctness Gone Mad"

MI5: Gosh, awkward. We looked down the sofa and, yeah, we *do* have intel on privacy bods

Harry Stottle

The Show Must Go On

investigations like this are all part of the ongoing Accountability Theatre

Until all such intel and data gathering entities are legally required to make their data auditable with digital immutability, reviewed, on demand, by impartial juries (not the State and its poodles), the routine civil abuses and steady growth of authoritarian Police States will continue apace...

Cookie clutter: Chrome saves Google cookies from cookie jar purges

Harry Stottle

Sandboxie is your friend

First line of defence for me and most of my clients.

This particular issue is trivial for SB users. If you've set the relevant sandbox to delete on exit, whatever google et al have dumped onto your machine (cookie caches, profiles, unwanted updates, plugins etc etc) all evaporate on exit.

More important than that, in the ten years or so since I started bullying my clients into using it, it has caught and prevented at least a dozen ransomware attacks and several dozen other malicious attempts to infect users. Typically, the ransomware will exhibit its normal behaviour (eg lock screen with warning that your hard drive has been encrypted and you need to pay bitcoins to this address to recover blah blah) and my client calls me in a panic. The usual fix is "right click on the Sandboxie icon and choose terminate all programs". Threat and sweat eliminated instantly.

It's also particularly good for testing out software that you're not sure you can trust. Install it into its own sandboxie (which you set NOT to delete on exit) then run as normal. If it does anything suspicious, it can't cause harm outside the box.

Unscrupulous users have suggested that it's also a good way to run "30 day trial" software forever (delete on expiry, rinse and repeat) but you didn't hear that from me.

The only downside is that it is so good at preventing change that you have to remember to disable the Sandbox to permit those changes you actually want (like browser updates, adding plugins etc)

I would say it has prevented far more damage than all my other routine defences put together (firewalls, av, anti-keyloggers, etc)

Bug? Feature? Power users baffled as BitLocker update switch-off continues

Harry Stottle

Why does anyone trust Bitlocker?

it's not open source and I can't imagine Microsoft permitting a formal security audit.

Given their close connection with the TLAs I'd place a reasonable bet that there's a backdoor in the code, but that's just my paranoia. More importantly, unlike open source alternatives like Veracrypt, there is no way to prove the absence of a back door.

I really don't get it. Anyone using bitlocker clearly has some desire for security and/or privacy, which implies a little bit more awareness of the issues than the common herd. How can they not be aware of that fundamental trust problem?

The only thing I can think of is that they're concerned about script kiddies or thieves or family members getting access to their data but don't mind if it's Microsoft or the Government. Weird!

Suggestions anyone?

That syncing feeling when you realise you may be telling Google more than you thought

Harry Stottle

er... does this apply to those of us who don't allow Chrome to store our passwords?

Not that I use Chrome for anything but the occasional test. When I need the chrome engine, I use SRWare Iron which studiously strips out the standard Chrome poison.

But I have clients who use Chrome and I have managed to persuade some of them to use Keepass.

If Chrome is able to log those users in without consent, it implies they're keeping our passwords in plaintext (or, possibly, encrypted but with a key of their own) as opposed to the usual salted hash.

Anyone know the score on that?

Activists rattle tin to take UK's pr0n block to court

Harry Stottle


the upside to the Snowden revelations was the massive uptake of End to End encryption. Still only a small percentage, but we're now seeing millions of Whatsapp/Telegram/Signal etc users, instead of the few tens of thousands who were using it.

The upside of crass authoritarianism like this proposed childish version of Age Verification will be, as you suggest, a massive uptake in VPN technology.

These assaults on basic liberties are training citizens in the vital art of subverting and bypassing government. Not yet quite at critical mass, but every little helps. Hopefully we can get there before it's too late and you've got a generation of nanny-state raised kids who don't know any better

Expanding Right To Be Forgotten slippery slope to global censorship, warn free speech fans

Harry Stottle

What's the alleged point?

can someone please explain what is SUPPOSED to happen as a result of google's "delisting"?

I came across this BBC Page a few months back, in a similar context. It lists all the pages google has allegedly delisted.

I tried a dozen or so of the links. You get to the BBC story. It's usually fairly obvious who would have an interest in suppressing the story. So then I went to google and pasted in their name to see what would come up. In all but one case the BBC story itself came up in the first page of results. In ALL cases, some other equally damaging reference to the person/story also appeared on the first results page.

So what exactly is the alleged effect/benefit of the delisting?

Chap asks Facebook for data on his web activity, Facebook says no, now watchdog's on the case

Harry Stottle

Re: Divided Loyalty

yes to this and...

Had the plaintiff been (instead) a "person of interest" to the FBI and they'd requested his entire history, I somehow doubt that FB would have dared give them the same response...

Encryption doesn't stop him or her or you... from working out what Thing 1 is up to

Harry Stottle


One of the hardest things to explain to the "If you've nothing to hide" fools is that if anyone can discover where you are, they also know where you aren't. Which, along with remotely "casing the joint" (google street view ferinstance), gives them all they need to know about when to break in.

The level of detail they can get from this extra level of surveillance is the icing on the cake. Now they can figure out what time you go to bed, get up, leave the house etc etc. Even more detailed than the "Smart Meters" they're trying to impose.

Welcome to Panopticon World...