* Posts by Peter Sommer

39 publicly visible posts • joined 18 May 2007

HPE has 'substantially succeeded' in its £3.3bn fraud trial against Autonomy's Mike Lynch – judge

Peter Sommer

DarkTrace

Hmmm - DarkTrace as a company seems to be marketing-heavy. There are apparently good techies there also but the overall concept seems dubious.

As I understand it they place sensors in an organisation's IT infrastructure and collect data which is used to enable a machine learning engine to identify "normal" behaviour. Subsequently any abnormal behaviour is flagged for attention.

The implication is that you get rapid results without all the complexity and costs of detailed risk analysis.

Let's be generous and assume the sensors reliably capture activity and that the machine learning/AI engine is a good one. Most organisations have seasonal variations in terms of their activity - good and bad selling periods, effects of holidays etc. So it will take you a minimum of 12 months to learn about "normal" behaviour. What happens if this is a reasonably dynamic and innovative organisation so that there are changes in the IT infrastructure and use?

And then there's the classic problem of all anomaly detection products - how do you set the threshold for alerts? False positives / false negatives?

Hmmm......

Computer Misuse Act: Tell the Home Office infosec needs a public interest defence in law, says CyberUp campaign

Peter Sommer

Re: A different solution to the Computer Misuse Act problem

Alistair: You will remember from the Law Commission paper back in the late 1980s the whole idea of the CMA was that it would be gap-filling for existing legislation. Since then, of course, we have had the Fraud Act 2006, which covers large numbers of "cyber crimes". People continue to wonder at the low annual numbers of CMA prosecutions - the explanation is that other "easier" prosecution routes are available. Moreover in those circumstances additional successful CMA convictions would be unlikely to produce a longer sentence, but would add to police and prosecution costs.

Mike Lynch-backed Darktrace to file for London IPO in aftermath of Deliveroo flop

Peter Sommer
Holmes

AI to solve cyber security - give me a break

Is the fundamental product any good? As I understand it the claim is that by using "artificial intelligence"/"machine learning" a lot of the traditional heavy lifting of conventional cyber security consultancy can be avoided. The various sensors that are placed in a client's system monitor traffic and decide what is normal. Anything abnormal is flagged for attention.

Problem number one: many businesses and organisations are seasonal so that it will take at least a year and possibly two or three before you can feed the machine learning system with enough data to make decisions. How, for example, would such a system have coped with COVID where suddenly there would have been a huge amount of remote accesses and homeworking?

Problem number two: most organisations are constantly developing new services and systems - all the time that your monitoring system is trying to work out what is normal.

Problem number three: any alert system such as we already have for intrusion detection systems is heavily dependent on the sensitivity settings. Too sensitive and you get many false positives; too insensitive and the bad guys get in unannounced. So you require a lot of humans to make judgements as the system produces alerts.

Darktrace seems to be a heavily marketing-orientated operation, and that may account for its success by selling to the ignorant.
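The two Darktrace comments above (the "DarkTrace" post and the "AI to solve cyber security" post) both rest on the same mechanics: a baseline of "normal" learned from a training window, an alert threshold, and the false-positive/false-negative trade-off that follows. The toy detector below is an added example written for this page; it is not Darktrace's or any vendor's code, and every number in it is constructed for illustration. It learns a mean and standard deviation from a quiet training window, scores later daily remote-login counts by z-score, and reports hits, false alarms and misses for several thresholds, then shows what the same baseline does once the organisation shifts to home working.

```python
"""Toy baseline-plus-threshold anomaly detector (constructed example).

Learns "normal" as the mean and standard deviation of a metric during a
training window, scores later observations by their z-score, and counts
true positives, false positives and misses for a chosen alert threshold.
All numbers below are made up to illustrate the trade-off; nothing here
is a measurement of any real product or network.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Baseline:
    mean: float
    std: float


def learn_baseline(training):
    """Population mean and standard deviation of the training window.

    A zero spread would make every later deviation infinite, so a floor
    of 1.0 is applied; the floor is an arbitrary choice for this toy."""
    n = len(training)
    mean = sum(training) / n
    var = sum((v - mean) ** 2 for v in training) / n
    return Baseline(mean, max(math.sqrt(var), 1.0))


def zscore(baseline, value):
    """How many standard deviations `value` sits from the learned mean."""
    return (value - baseline.mean) / baseline.std


def evaluate(baseline, observations, threshold):
    """Run the detector over (value, is_malicious) pairs.

    Returns (true_positives, false_positives, false_negatives). An alert
    fires when |z| exceeds the threshold, so both spikes and drops count."""
    tp = fp = fn = 0
    for value, is_malicious in observations:
        alerted = abs(zscore(baseline, value)) > threshold
        if alerted and is_malicious:
            tp += 1
        elif alerted and not is_malicious:
            fp += 1
        elif not alerted and is_malicious:
            fn += 1
    return tp, fp, fn


# Constructed "normal" window: daily remote-login counts in a steady month.
TRAINING = [98, 102, 100, 97, 103, 99, 101, 100, 96, 104]

# Constructed later observations: ordinary days, one benign quarter-end
# surge (110) the training window never saw, a noisy intrusion (115) and
# a quieter intrusion (106) that sits below the benign peak.
OBSERVATIONS = [
    (101, False), (99, False), (103, False), (97, False),
    (110, False),   # legitimate seasonal peak, benign
    (115, True),    # attacker activity, obvious
    (106, True),    # attacker activity, smaller than the benign surge
]

# Constructed post-change period: the organisation moved to home working
# and every day now has three times the remote logins, none of it hostile.
REMOTE_WORKING = [(300, False), (310, False), (295, False), (305, False)]


def threshold_sweep(thresholds=(1.0, 3.0, 5.0)):
    """Same detector, same data, three thresholds: the setting decides
    whether you drown in false alarms or let the quiet intrusion through."""
    baseline = learn_baseline(TRAINING)
    return {t: evaluate(baseline, OBSERVATIONS, t) for t in thresholds}


def false_positives_after_change(threshold=3.0):
    """A baseline learned before a change in how the business works flags
    every day of the new normal until it is relearned."""
    baseline = learn_baseline(TRAINING)
    return evaluate(baseline, REMOTE_WORKING, threshold)[1]


if __name__ == "__main__":
    for t, (tp, fp, fn) in threshold_sweep().items():
        print(f"threshold {t}: {tp} caught, {fp} false alarms, {fn} missed")
    print("alerts after the move to remote working:",
          false_positives_after_change(), "of", len(REMOTE_WORKING), "days")
```

With the constructed data, a threshold of 1.0 catches both intrusions but also alarms on three ordinary days; 3.0 alarms on the benign quarter-end surge while missing the quieter intrusion; 5.0 produces no false alarms and misses the quieter intrusion. After the shift to home working, every day is flagged, which is the point made about seasonality and organisational change: the baseline has to be relearned, and a human has to decide which alerts are worth chasing in the meantime.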

Average convicted British computer criminal is young, male, not highly skilled, researcher finds

Peter Sommer
Megaphone

More thorough analysis available

A rather more thorough review of the Computer Misuse Act and related prosecutions appears in: http://www.clrnn.co.uk/publications-reports/ from the Criminal Law Reform Now Network. (I was one of the co-authors)

Far-right leader walks free from court after conviction for refusing to hand his phone passcode over to police

Peter Sommer

Why didn't they use s 49 RIPA?

Most of RIPA 2000 has been replaced by the Investigatory Powers Act 2016, but Part III, which covers powers to require decryption, still remains. I wonder why the prosecution didn't pursue that route? (However the route they did follow got them a conviction, even though followed up by a conditional discharge)

Unlocking news: We decrypt those cryptic headlines about Scottish cops bypassing smartphone encryption

Peter Sommer

DPA limits on police investigations of smartphones???

Police powers to examine smartphones etc seized from persons and/or premises aren't unlimited, though how far some police forces realise this is unclear. The present position is that provided the person or premises were lawfully searched no additional authority to examine smartphones, computers, etc is required.

This needs to change.

But Part 3 of the Data Protection Act, 2018 (which incorporates GDPR) specifically provides controls on the activities of law enforcement. The 6 data protection principles must be complied with - s 36(1) says that any purposes of processing must be specified, explicit and legitimate. This rather implies that there should be a written privacy impact assessment. I'd be interested to know how many UK police forces actually run PIAs against devices they seize, and how they reconcile this requirement against the need to triage devices to see if they are relevant to an investigation.

A new US-UK data agreement is worrisome but it won’t give access to encrypted comms

Peter Sommer

There's an associated UK law already!

The UK end of this attempt to speed up MLATs is already on the statute book - Crime (Overseas Production Orders) Act, 2019. What needs to happen now are the detailed protocols. Perhaps they'll be able to achieve that in a few weeks, but there are important issues of national sovereignty at play, plus the definitions and authorisations specified in this new Act vary from the structures set down in the Investigatory Powers Act, 2016.

But you are right - encryption is specifically excluded in the CLOUD Act.

UK cops blasted over 'disproportionate' slurp of years of data from crime victims' phones

Peter Sommer
Holmes

Actual forensic procedures and the law

A while back I wrote this detailed blog on the conflict between the need for digital evidence to be reliable and the need to respect privacy. It covers how digital forensics works in practice and the applicable law. https://bit.ly/2M7ERnt

Yes, I've been swotting up on court evidence in advance, says Autonomy founder Mike Lynch

Peter Sommer

There's no exception for murder trials! Relevant laws are Criminal Procedures and Investigations Act 1996 and 2003. Civil Procedure is in CPR 31.

Probe Brit police phone-peeking plans, privacy peeps plead

Peter Sommer

Smartphone forensics products

You can get an idea of what is possible from these URLs:

https://www.cellebrite.com/en/products/ufed-ultimate/

https://www.msab.com/products/xry/

https://www.oxygen-forensic.com/en/

UK.gov: New London courthouse will focus on crimes of a cyber nature

Peter Sommer

Re: Will they fund the specialist lawyers and digital forensics experts?

"Work on defending people who don't want to go to jail and you'll earn 10 times more than the people hired to gather the evidence to send you there." Not if they are being paid at legal aid rates; increasingly solicitors are finding it difficult to get experts to work at such rates unless the case is exceptionally interesting.

Peter Sommer

Will they fund the specialist lawyers and digital forensics experts?

There is little point in having a wonderful new building if there is no new funding for the specialist lawyers and digital forensics experts. Legal aid is in a crisis as lawyers and experts withdraw from publicly-funded work because the pay is a fraction of what can easily be earnt in private, civil, work. That means the new court will mostly host trials of very rich defendants.

Boffin rediscovers 1960s attempt to write fiction with computers

Peter Sommer

And also at the National Physical Laboratory

Dr Christopher Evans was a popular writer on science and technology topics in the 1960s who also appeared on TV. His "real" job was at the National Physical Laboratory in Teddington researching the "man/machine interface". I was a guinea pig on a programme assessing whether "arts graduates" (ie me) would ever be able to use a computer. But one of the things he showed me that really captured my imagination was a science fiction short story generator. In effect all the stories had a similar structure and all that was happening is that at various points there were collections of words that could be randomly inserted. To my young eyes this was so novel and exciting that I never asked him whether he had invented the story generator or had borrowed the idea. And no, I can't remember what computer the program was running on...

Forcing digital forensics to obey 'one size fits all' crime lab standard is 'stupid and expensive'

Peter Sommer

Read the full report before commenting

The arguments are about the suitability of ISO 17025 for digital forensics. The standard makes sense and is likely to be financially viable for traditional forensics labs that specialise in sets of single tests - is there a match or what level of confidence is there in a match? Digital forensics deals with PCs, smartphones etc which are whole scenes of crime and where there may be many different files and artifacts all of which require separate testing for reliability - and be tested by validated/verified means.

But there are other avenues open to the courts to test technical and expert evidence, including following the Criminal Procedure Rules (CPR 19), the requirements of disclosure under the Criminal Procedure and Investigations Acts and, where appropriate pre-trial meetings between experts under CPR 19.6.

Is digital fraud big in UK? British abacus-botherers finally have some answers

Peter Sommer

What is a "cybercrime" ?

There is no UK offence of "cybercrime"; the closest one gets is in the 1990 Computer Misuse Act. But most cybercrimes are in fact prosecuted as frauds under the 2006 Fraud Act, or as conspiracies, harassment, extortion, offences against children etc etc - you get the general idea. That's the first problem with cybercrime statistics. The second is the absence of any generally agreed definition - a now notorious BAE estimate endorsed by the Cabinet Office included "industrial espionage" as a very large element, although there is no theft of trade secrets law in the UK either. Next, how do we deal with guesses about attempts - is each stupid easily detected Nigerian or "update your security details" scam included in your statistics - or each bit of malware spotted by your A-V software? Or only "serious" attempts? There is no universally accepted answer to any of these. And then there's the question of value - it's clear enough when cash actually disappears, but do you include remedial costs, or the consequences of a lost business opportunity, or to reputation?

The only real answer for statistics compilers is: make the figures large if you want the press coverage.

Microsoft wins landmark Irish data slurp warrant case against the US

Peter Sommer

US will probably alter the law when it modifies MLAT

Within the next 4-6 weeks the US is due to publish a new law to enable a speeded up Mutual Legal Assistance Treaty (MLAT) process with the UK so that law enforcement agencies in both countries will, subject to certain provisions, be able to go direct to CSPs in the "other" country rather than through the current, diplomat-dominated MLAT route. What's the betting that the US authorities will write in extra-jurisdictional powers? (For the UK the extra-jurisdictional powers are already in cl 50 of the Investigatory Powers Bill)

UK gov says new Home Sec will have powers to ban end-to-end encryption

Peter Sommer
FAIL

Earl Howe doesn't understand his brief

It is worth reading the Hansard transcript:

https://hansard.parliament.uk/lords/2016-07-13/debates/16071337000437/InvestigatoryPowersBill

It is particularly difficult to pass legislation when the government spokesman manifestly doesn't understand encryption or the clauses in the Bill he is supposed to promote.

Brit teen who unleashed 'biggest ever distributed denial-of-service blast' walks free from court

Peter Sommer

Not Aspergers

It wasn't Aspergers or anything like it; the details of the significant mental illness were not made public and I don't propose to break professional confidences. But don't jump to the conclusion that Seth is having or will have a particularly easy time. Richard Cox got it right when he said that the judge had an unenviable task in balancing the various issues.

Want a cheap Office-er-riffic tablet? Microsoft Windows takes on Android

Peter Sommer

Re: I have a Kingsing W8 8" tablet

The Linx has an OTG USB and comes with the appropriate connector. External USB keyboard worked instantly and I was also able to play movies on an external 64GB USB stick via VLC. Haven't tried a USB HDD yet, though there may be problems about delivering enough power.

'80s hacker turned journo, IT crime ace Steve Gold logs off

Peter Sommer

Much missed

Pretty devastating news. I met Steve when he was still wondering if the House of Lords were going to find him guilty of forgery and counterfeiting for his Prestel hack. For various reasons I needed some-one to edit a 4th edition of my Hacker's Handbook - and I reckon I chose well. That would be back in 1987. Since then we probably spoke 2-3 times a week, exchanging gossip, helping out on techie problems and (in my case) giving quotes for Steve's stories.

These days there are rather too many people calling themselves tech journalists when their main activity seems to be cutting and pasting from press releases (the staff of the Register a significant exception of course) but Steve, like the much-missed Guy Kewney, knew how to research, explain, write up, and where appropriate enthuse his readers.

Eight pocket-pleasing USB 3.0 hard drives

Peter Sommer
Unhappy

Not enough power!

An important thing to worry about is whether the drive will draw more current from the USB socket than the motherboard is happy about. All too often with larger capacity drives Windows will put up a "power surge" complaint. Some people think there are software fixes for this, but really manufacturers ought to be supplying Y-cables - 2 USB connectors for the PC/laptop, the second one to provide the necessary power. Most of the time they don't and you have to source the Y-cable from eBay.

Computer misuse: Brits could face LIFE IN PRISON for serious hacking offences

Peter Sommer
Alert

10 years maximum penalty under s 3 Computer Misuse Act, not 5

10 years maximum penalty under s 3 Computer Misuse Act, not 5!

3 million Freesat receivers now out there, and boxes to get YouTube

Peter Sommer

Non Freesat FTA channels on Freesat boxes

Not only does Freesat receive exactly the same channels on 29E as Sky and put them on its own EPG; it is also possible (through rather awkward menu functions) to see other Free to Air channels on 29E which are not on the EPG. These include out-of-region rebroadcasts of terrestrial channels (if you prefer to see BBC1 East Anglia but live in Manchester) but also the religious and other oddities services. Oh, and Sky News, which is not on the Freesat EPG. You can do this both on Humax and Bush models.

London Blitz bomb web map a hit-and-miss affair

Peter Sommer
Thumb Down

I can't find the bomb crater in my back garden

The map shows a high explosive bomb in my back garden or possibly mine and that of my neighbour. Bombs did fall round here - as one can see where there are 50s and 60s buildings in the middle of runs of Victorian houses. But not my immediate vicinity - and some of the trees in the alleged target area must have been planted before the 1940s and the blitz....

Home Sec: Let us have Snoop Charter or PEOPLE WILL DIE

Peter Sommer
FAIL

Theresa May doesn't understand the law as it already is

IP addresses are held already for 12 months: http://www.legislation.gov.uk/ukdsi/2009/9780111473894/schedule. Item 13 in the Schedule.

If small ISPs are not holding on to that information it is not because of a defect in the current law but because the Home Office / Police haven't asked them to do so.

Similarly all mobile phone companies already hold one year's records not only all calls and SMSs you send but all your locations for so long as the phone is switched on.

These are powerful types of communications data that are already available to the police (and very important they are too) and which are very unlikely to be affected by any future technological change.

Large numbers of decisions currently being made by the Home Secretary, starting with reducing police budgets by 20%, are easy candidates for "putting lives at risk".

The aim of the Bill is to get ISPs to collect information from all of us for potential future use which is not necessary for their business and which is outside current definitions of "communications data". That includes web-based email, Facebook and other social networking, google searches, and skype-like services.

This, the Home Office says, will cost the tax-payer £1.8bn over 10 years, £180m a year. The police only get £28m in real new money out of the Cyber Security Strategy.

US Matrix-style Cyberwar firing range moves forward

Peter Sommer

What are the assumptions?

The value of a conventional war game depends heavily on the quality of the underlying assumptions - about weapons capability, terrain, supply lines - as well as the skill of the participants. For most wargames we have pretty good levels of knowledge which the game's organisers can use both in design and making judgements.

But we know almost nothing about the Internet "terrain" in terms of the capacity of elements to resist attack or to recover, and we know next to nothing about dependencies. And if we think we have knowledge today, it will be obsolete tomorrow, simply as a result of the natural process of innovation.

The easy temptation is to make all the targets weak and all the decision-making replicants stupid. That way the arms salesmen and soldiers can go back to the tax payer and say: "Our tests have shown how vulnerable we are. We need even more money."

The Cyber Range project is really no more than an extremely expensive version of an XBox game with "cheats" built in to produce particular outcomes.

Content 'made available' in jurisdiction where server is located

Peter Sommer

Criminal Law is different

In the case of Graham Waddon at Southwark Crown Court in 1999, which was about the publication of obscene material, HH Judge Hardy decided that the place of publication was the location from which material was uploaded (in that case, the UK) and not the location of the server (the US). This view was upheld on appeal. 2000 AllER (D) 502.

Selfridges punts £1,800 Spanish ham

Peter Sommer
Thumb Up

Jamon Iberico

I've had one-year-old ham made on the same basis - you can buy it in 100 gm slivers as opposed to a whole leg. And it really does have a wonderful taste; like fine wine you get an initial hit and then quite a long and different after-taste. You can buy affordable portions at good Spanish delis.

Bates: Cops to defy courts over return of indecent material

Peter Sommer

Possession of indecent images

I don't know the full facts of this tortuous saga though I have read the judgements - and heard the gossip. The immediate issue now is that possession of indecent images is a strict liability offence. In other words, the offence is made out once the fact of possession is proved, irrespective of intent. (s160 Criminal Justice Act, 1988). There are a limited number of defences, but these have to be proved by the accused on the balance of probabilities. s 46 Sexual Offences Act 2003 gives protection to, among others, defence experts, but only for the duration of their specific instruction, not for all time. After that the material should be securely deleted.

The problem for Avon & Somerset Police is that if they pass disks (or copies thereof) on in the belief that they are likely to contain sexual images of children they themselves run the risk of the offence of "distribution" under s 1 Protection of Children Act, 1978 - there is a clear conflict here with the Court Order to return the material to Bates. They also run a risk of a further charge of aiding and abetting Bates in the possession offence. Bates, as soon as he receives the disks, commits the possession offence - so he may be unwise to want them back.

All this is irrespective of the Court's earlier conclusion that the extended search of Bates' premises was beyond the scope of the warrant the police had actually asked for.

BBC goes live... over Wi-Fi

Peter Sommer
Thumb Down

Not working on Nokia E71!

Not working on Nokia E71!

Brit porn filter censors 13 years of net history

Peter Sommer

Available via BT Internet at the moment

Not the slightest problem here; I have just managed to view pages I created back in 1997...

Stob latest: It was a cunning trick, says Open University

Peter Sommer
IT Angle

Forensic Computing

Can I thank Dave Ashton for his kind remarks about OU M889, the Digital Investigations and Forensic Computing course?

I hope he will persist with the End of Course Assessment (ECA) despite his current view that it is bollocks. What he is asked to do is discuss the preparation of a Forensic Readiness Program (FRP) for a specific organisation. FRPs are first-cousins to traditional contingency plans but focus on the ability of an organisation to produce reliable evidence from its systems. FRPs are a requirement in HMG Infosec Standard No 2 because it is far better to have planned to be able to produce good evidence rather than hope that, during a panic-stricken event, some computer forensics wizard is going to find the goods - always supposing some amateur has not inadvertently destroyed the evidence anyway.

As he says, the course is on its first run and we hope to improve as we go on.

Can't comment on any other OU course, as Dave also says - I am not OU staff.

Sony PRS-505 Reader e-book

Peter Sommer

Mobireader + PRC out-of-copyright books

Get yourself a WinXP netbook, download the free Mobireader application, and search EBay for vendors offering out-of-copyright e-books in PRC format on DVD (PRC is an extremely compact format, Mobireader will let you display in any font you have on your computer and in any size).

Forget about in copyright e-books until book publishers find a more realistic charging system.

If your SSD sucks, blame Vista, says SSD vendor

Peter Sommer
Alert

It's not just the memory caching...

Vista's disk-activity issues extend well beyond simple swap files - there's Shadow Copy and background indexing also. As many others have already discovered, "optimised" Vista tends to mean XP.

PC World pips Asus to UK Atom sub-laptop premier

Peter Sommer
Alert

New Windows operating system?

According to the PC World website in its extended specification the Advent 4211 has a Windows Vista XP operating system on it. ...

Malware not man blamed in child abuse download case

Peter Sommer
Alert

Here's the defence expert's report

Some-one has very kindly posted the defence expert's report on to the web. I now look forward to Facebook videos showing hats being eaten...

http://blogs.csoonline.com/files/Forensic%20Report.pdf

MS supplies cops with DIY forensics tool

Peter Sommer

Don't think so...

First: You can't have a true forensic tool which is only available to law enforcement. The defence requires a means to test any evidence that is being produced.

Second: the first Principle of the current ACPO Good Practice Guidelines for Computer Evidence says: "No action taken by law enforcement agencies or their agents should change data held on a computer or storage media which may subsequently be relied upon in court." As soon as you put a USB stick into a Windows computer an entry is made into the USBSTOR part of the System Registry unless you know how to change the BIOS to boot from a USB device and the BIOS actually supports this function.

There is a problem in cases involving many seized computers of triage - determining at an early stage which computers are worth a more detailed look and which can be discarded. But, subject to a sight of the actual M$ USB product, most people will want to stick with bootable "forensic" CDs based on Linux (like Helix) as it is far easier reliably to change a PC's BIOS to boot from CD. Given that most PCs now have DVD-ROMs rather than simple CD-ROM drives, we can expect forensic bootable CDs to move on to the more expansive DVD format.

UK gov sets rules for hacker tool ban

Peter Sommer

Who interprets?

The problem is - the document is simply guidance to the CPS on the circumstances in which a prosecution should be brought. But each prosecutor makes up his/her own mind. Once the charges have been laid, the test for guilt will not be the CPS Guidance but how a trial judge interprets the wording of the statute when he instructs the jury about the law.

The hacking tools law was brought in, not because there is a wealth of cases where no other prosecutorial route was available but as a result of an obligation to provide a UK equivalent to a provision within the CoE CyberCrime Treaty. Almost certainly we could cover the position with incitement and "aiding and abetting" charges. But it was felt that a more visible form of Treaty conformance was required - although it has been clear to civil servants for a long time that there were considerable difficulties in finding words which differentiated between legitimate and malign motivations in deploying dual use tools.

Judge in tech trial says he 'doesn't know what a website is'

Peter Sommer

But some judges are pretty good...

The truth is judicial competence in IT matters is patchy, not wholly absent, and it is difficult to predict, from judge to judge, what will happen in trial.

But to redress the balance of this particular news item and based on my not infrequent appearances as expert witness:

* a judge in the relatively sleepy market town of Aylesbury was fully up-to-speed with how peer-to-peer file sharing works

* in the recent defamation case between WPP's Martin Sorrell and former Italian business partners, the judge was able to cope with blogs, onion-routing and other anonymising techniques and the contents of registries as found in Windows recovery points. (and his normal territory includes privacy squabbles involving celebrity magazines)

* the district judge in the "pen-tester hacked into charity web-site" case had to understand web-servers, intrusion detection system logs and directory traversal hacks in deciding whether the Computer Misuse Act had been broken.

* at least one member of the Judicial Committee of the House of Lords is an enthusiast of flight simulators on the PC

Usually the authorities assign appropriate judges to cases which involve computer-derived evidence, though obviously not in this case. But at least part of the resolution of the problem relies on the skills of lawyers and, erhem, expert witnesses.