Posts by Peter Sommer

Finding evidence to prove infringement

There is rather too much "something must be done" and "the govenment aren't doing enough". and very little about how these noble ambitions are going to be achieved. There are enormous benefits to children in using the Internet and social media as well as the well-publicised down-sides. We need practical proposals how we are to manage this. That means not only attempts at legal and regulatory definitions but some thought as to what sort of evidence will need to be produced when you come to enforce. Looking forward to the consultation paper when it arrives.

Precise framing of any revised CMA will be critical

Rupert's recollection of the Prestel hack is of course impeccable. But what has made any revise of CMA to favour "legitimate research" tricky has been defining precise criteria for courts to apply to separate out the simple assertion by an accused of good intent. Just how careful and detailed will any licensed researcher scheme be?

Precise and testable definitions will be essential

I have acted as an expert witness in mamy CMA cases and been consulted in many. other situations which didn't maker it to court. (Dan Cuthbert's case,mentioned here, was one of them). Laws require precision so that they can be enforced consistently and fairly. A simple declaration by an actor/hacker of good intent isn't going to be enough. But if that route isn't followed what criteria for activity will need to be proved in order to get the benefit of a defence? It is this problem which has so far dfefeated the plans for a revised CMA. Let's see what the government can come up with.

Won't get full story from these witnesses

All three of these witnesses will ask for more restrictions. They will not speak to the dangers of over-blocking. Nor do they know much about realistic expectations of Internet filtering techniques.

Dreadfull idea

If you handle any sort of confidential information you are almost certainly breaching your obligations by letting Microsoft have access to it.

DarkTrace

Hmmm - DarkTrace as a company seems to be marketing-heavy. There are apparently good techies there also but the overall concept seems dubious.

As I understand it they place sensors in an organisation's IT infrastructure and collect data which is used to enable a machine leaning engine to identify "normal" behaviour. Subsequently any abnormal behaviour is flagged for attention.

The implication is that you get rapid results without all the complexity and costs of detailed risk analyis.

Let's be generous and assume the sensors reliably capture activity and that the machine leaning/AI engine is a good one. Most organisations have seasonal variations in terms of their activity - good and bad selling periods, effects of holidays etc. So it will take you a minimum of 12 months to learn about "normal" behaviour. What happens if this is a reasonably dynamic and innovative organisation so that there are changes in the IT infrastructure and use?

And then there's the classic problem of all anomaly detection products - how do you set the threshold for alerts? False positives / false negatives?

Hmmm......

Why didn't they use s 49 RIPA?

Most of RIPA 2000 has been replaced by the Investigatory Powers Act 2016, but Part III, which covers powers to require decryption, still remains. I wonder why the prosecution didn't pursue that route? (However the route they did follow got them a conviction, even though followed up by a conditional discharge)

DPA limits on police investigations of smartphones???

Police powers to examine smartphones etc seized from persons and/or premises aren't unlimited, though how far some police forces realise this is unclear. The present position is that provided the person or premises were lawfully searched no additional authority to examine smartphones, computers, etc is required.

This needs to change.

But Part 3 of the Data Protection Act, 2018 (which incorporates GDPR) specifically provides controls on the activities of law enforcement. The 6 data protection principles must be complied with -s 36(1) says that any purposes of processing must be specified, explicit and legitimate. This rather implies that there should be a written privacy impact assessment. I'd be interested to know how many UK police forces actually run PIAs against devices they seize, and how they reconcile this requirement against the need to triage devices to see if they are relevant to an investigation.

There's an associated UK law already!

The UK end of this attempt to speed up MLATs is already on the statute book - Crime (Overseas Production Orders) Act, 2019. What needs to happen now are the detailed protocols. Perhaps they'll be able to achieve that in a few weeks, but there are important issues of national sovereignty at play, plus the definitions and authorisations specified in this new Act vary from the structures set down in the Investigatory Powers Act, 2016.

But you are right - encryption is specifically excluded in the the CLOUD Act

Samrtphone forensics products

You can get an idea of what is possible from these URLs:

https://www.cellebrite.com/en/products/ufed-ultimate/

https://www.msab.com/products/xry/

https://www.oxygen-forensic.com/en/

And also at the National Physical Laboratory

Dr Christopher Evans was a popular writer on science and technology topics in the 1960s who also appeared on TV. His "real" job was at the National Physical Laboratory in Teddington researching the "man/machine interface". I was a guinea pig on a programme assessing whether "arts graduates" (ie me) would ever be able to use a computer. But one of the things he showed me that really captured my imagination was a science fiction short story generator. In effect all the stories had a similar structure and all that was happening is that at various points there were collection of words that could be randomly inserted. To my young eyes this was so novel and exciting that I never asked him whether he had invented to story generator or had borrowed the idea. And no, I can't remember what computer the program was running on...

Read the full report before commenting

The arguments are about the suitability of ISO 17025 for digital forensics. The standard makes sense and is likely to be financially viable for traditional forensics labs that specialise in sets of single tests - is there a match or what level of confidence is there in a match? Digital forensics deals with PCs, smartphones etc which are whole scenes of crime and where there may be many different files and artifacts all of which require separate testing for reliability - and be tested by validated/verified means.

But there are other avenues open to the courts to test technical and expert evidence, including following the Criminal Procedure Rules (CPR 19), the requirements of disclosure under the Criminal Procedure and Investigations Acts and, where appropriate pre-trial meetings between experts under CPR 19.6.

What is a "cybercrime" ?

There is no UK offence of "cybercrime"; the closest one gets is in the 1990 Computer Misuse Act. But most cybercrimes are in fact prosecuted as frauds under the 2006 Fraud Act, or as conspiracies, harassment, extortion, offences against children etc etc - you get the general idea. That's the first problem with cybercrime statistics. The second is the absence of any generally agreed definition - a now notorious BAE estimate endorsed by the Cabinet Office included "industrial espionage" as a very large element, although there is no theft of trade secrets law in the UK either. Next, how do we deal with guesses about attempts - is each stupid easily detected Nigerian or "update your security details" scam included in your statistics - or each bit of malware spotted by your A-V software? Or only "serious" attempts?There is no universally accepted answer to any of these. And then there's the question of value - it's clear enough when cash actually disappears, but do you include remedial costs, or the consequences of a lost business opportunity, or to reputation?

The only real answers are for statistics compilers is: make the figures large if you want the press coverage

US will probably alter the law when it modifies MLAT

Within the next 4-6 weeks the US is due to publish a new law to enable a speeded up Mutual Legal Assistance Treaty (MLAT) process with the UK so that law enforcement agencies in both countries will, subject to certain provisions, be able to go direct to CSPs in the "other" country direct rather than through the current, diplomat-dominated MLAT route. What's the betting that the US authorities will write-in extra-jurisdictional powers? (For the UK the extra-jurisdictional powers are already in cl 50 of the Investigatory Powers Bill)

Much missed

Pretty devastating news. I met Steve when he was still wondering if the House of Lords were going to find him guilty of forgery and counterfeiting for his Prestel hack. For various reasons I needed some-one to edit a 4th edition of my Hacker's Handbook - and I reckon I chose well. That would be back in 1987. Since then we probably spoke 2-3 times a week, exchanging gossip, helping out on techie problems and (in my case) giving quotes for Steve's stories.

These days there are rather too many people calling themselves tech journalists when their main activity seems to be cutting and pasting from press releases (the staff of the Register a significant exception of course) but Steve, like the much-missed Guy Kewney, knew how to research, explain, write up,and where appropriate enthuse his readers.

Non Freesat FTA channels on Freesat boxes

Not only does Freesat receive exactly the same channels on 29E as Sky but put them on their own EPG it is also possible (through rather awkward menu functions) to see other Free to Air channels on 29E which are not on the EPG. Out-of-region rebroadcasts on terrestrial channels (if you prefer to see BBC1 East Anglia but live in Manchester) but also the religious and other oddities services. Oh, and Sky News, which is not on the freesat EPG. You can do this both on Humax and Bush models.

What are the assumptions?

The value of a conventional war game depends heavily on the quality of the underlying assumptions - about weapons capability, terrain, supply lines - as well as the skill of the participants. For most wargames we have pretty good levels of knowledge which the game's organisers can use both in design and making judgements

But we know almost nothing about the Internet "terrain" in terms of the capacity of elements to resist attack or to recover, and we know next nothing about dependencies. And if we think we have knowledge today, it will be obsolete tomorrow, simply as a result of the natural process of innovation.

The easy temptation is to make all the targets weak and all the decision-making replicants stupid. That way the arms salesmen and soldiers can go back to the tax payer and say: "Our tests have shown how vulnerable we are We need even more money"

The Cyber Range project is really no more than an extremely expensive version of an XBox game with "cheats" built in to produce particular outcomes

Criminal Law is is different

In the case of Graham Waddon at Southwark Crown Court in 1999, which was about the publication of obscene material, HH Judge Hardy decided that the place of publication was the location from which material was uploaded (in that case, the UK) and not the location of the server (the US). This view was upheld on appeal. 2000 AllER (D) 502

Possession of indecent images

I don't know the full facts of this tortuous saga though I have read the judgements - and heard the gossip. . The immediate issue now is that possession of indecent images is a strict liability offence. In other words, the offence is made out once the fact of possession is proved, irrespective of intent. (s160 Criminal Justice Act, 1988). There are a limited number of defences, but these have to be proved by the accused on the balance of probabilities. s 46 Sexual Offences Act 2003 gives protection to, among others, defence experts, but only for the duration of their specific instruction, not for all time. After that the material should be securely deleted.

The problem for Avon & Somerset Police is that if they pass disks (or copies thereof) on in the belief that they are likely contain sexual images of children they themselves run the risk of the offence of "distribution" under s 1 Protection of Children Act, 1978 - there is a clear conflict here with the Court Order to return the material to Bates. They also run a risk of a further charge of aiding and abetting Bates in the possession offence. Bates, as soon as he receives the disks, commits the possession offence - so he may be unwise to want them back.

All this is irrespective of the Court's earlier conclusion that the extended search of Bates' premises was beyond the scope of the warrant the police had actually asked for.

Available via BT Internet at the moment

Not the slightest problem here; I have just managed to view pages I created back in 1997...

Mobireader + PRC out-of-copyright books

Get yourself a WinXP netbook, download the free Mobireader application, and search EBay for vendors offering out-of-copyright e-books in PRC format on DVD (PRC is an extremely compact format, Mobireader will let you display in any font you have on your computer and in any size).

Forget about in copyright e-books until book publishers find a more realistic charging system.

Don't think so...

First: You can't have a true forensic tool which which is only available to law enforcement. The defence requires a means to test any evidence that is being produced.

Second; the first Principle of the current ACPO Good Practice Guidelines for Computer Evidence says: "No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court." As soon as you put a USB stick into a Windows computer an entry is made into the USBSTOR part of the System Registry unless you know how to change the BIOS to boot from a USB device and the BIOS actually supports this function.

There is a problem in cases involving many seized computers of triage - determining at an early stage which computers are worth a more detailed look and which can be discarded. But, subject to a sight of the actual M$ USB product, most people will want to stick with a bootable "forensic" CDs based on Linux (like Helix) as it is far easier reliably to change a PC's BIOS to boot from CD. Given that most PCs now have DVD_ROMs rather than simple CD-ROM drives, we can expect that forensic bootable CDs to move on to the more expansive DVD format.

Who interprets?

The problem is - the document is simply guidance to the CPS on the circumstances in whch a prosecution should be brought. But each prosecutor makes up his/her own mind. Once the charges have been laid, the test for guilt will not be the CPS Guidance but how a trial judge interprets the wording of the statute when he instructs the jury about the law.

The hacking tools law was brought in, not because there is a wealth of cases where no other prosecutorial route was available but as a result of an obligation to provide a UK equivalent to a provision within the CoE CyberCrime Treaty. Almost certainly we could cover the position with incitement and "aiding and abetting" charges. But it was felt that a more visible form of Treaty conformance was required - although it has been clear to civil servants for a long time that there were considerable difficulties in finding words which differentiated between legitimate and malign motivations in deploying dual use tools

But some judges are pretty good...

The truth is judicial competence in IT matters is patchy not wholly absent, and it is difficult to predict, from judge to judge, what will happen in trial.

But to redress the balance of this particular news item and based on my not infrequent appearances as expert witness:

* a judge in the relatively sleepy market town of Aylesbury was fully up-to-speed with how peer-to-peer file sharing works

* in the recent defamation case between WPP's Martin Sorrell and former Italian business partners, the judge was able to cope with blogs, onion-routing and other anonymising techniques and the contents of registries as found in Windows recovery points. (and his normal territory includes privacy squabbles involving celebrity magazines)

* the district judge in the "pen-tester hacked into charity web-site" case had to understand web-servers, intrusion detection system logs and directory traversal hacks in deciding whether the Computer Misuse Act had been broken.

* at least one member of the Judicial Committee of the House of Lords is an enthusiast of flight simulators on the PC

Usually the authorities assign appropriate judges to cases which involve computer-derived evidence, though obviously not in this case. But at least part of the resolution of the problem relies on the skills of lawyers and, erhem, expert witnesses