Not sure if "joint responsibility" is a good start. In practice that could just mean that each party involved points fingers at the other.
293 posts • joined 5 Jan 2010
Nine million logs of Brits' road journeys spill onto the internet from password-less number-plate camera dashboard
No wonder cops are so keen on Ring – they can slurp your doorbell footage with few limits, US senators complain
Re: Better not put a Ring on it then
Are you holding out Amazon, ..., as some kind of privacy champion??
Certainly not. It was not my intention to make them look like saints. You could argue that they have been less evil than some other global players, especially those in corporate America, but that debate would lead nowhere, since we only see what they've been called out on. Best to assume that they're all after our private data, the more the merrier.
Better not put a Ring on it then
(the door that is)
More seriously though, I'm not really shocked any more that privacy is trampled over. Happens everywhere all the time, sadly. But to see the scale of disregard in this case, from an Amazon-owned company no less, is a bit baffling. They are clever people. I'm assuming that someone has come to the conclusion that the free (albeit negative) coverage they get for this will be worth it.
Things won't change until (deliberate) privacy violations become crimes, where a person (not a business) can be held accountable and ultimately end up behind bars.
I've been dropping Dropbox slowly over the last couple of months. Going to switch it off by the end of this month now. I use Syncthing instead. N-way filesystem sync between PC, laptop, home backup and remote virtual server, all of which use different encrypted file systems and three different OSes between them. Has been working like a charm. Oh, and the transfer off-site goes via an OpenVPN link between home router and virtual server. Not that I have reason to believe that Syncthing's in-transit encryption of traffic isn't good enough, but I trust OpenVPN to be better tested and scrutinised.
Re: Hmm, If I was working at a secret agency
[...] it greatly benefits certain agencies
Exactly that. Especially given that Intel and AMD are American, and ARM is British, but their chips are used globally. From an agency and gov point of view: What's not to like? I bet they are more upset that this has come to light than they ever were about the existence of those flaws.
I'd also be inclined to wager that there are more flaws like this in CPUs and other chips/hardware. It's no secret after all that the 5 Eyes would like to see backdoors and reversible encryption everywhere.
Lock them away...
...and conveniently lose the paper trail and the jail door key. Let's see how quickly the database is fixed and/or a previously unheard-of backup found.
The mere fact that a law allows assets to be snatched because somebody (a police officer) thinks they might be connected to a crime sounds very Wild West. Sad that these laws actually exist.
EU data protection?
Customers of these companies might therefore be affected by the attack despite not having signed up for Equifax's services. The US agency holds the personal details of 44 million UK citizens
I'd be curious on which legal basis they hold the data in the US. And I'd be even more curious how they are going to inform all non-customers about the data they kept and failed to secure. 44 million UK citizens, for Christ's sake. That's almost all of the adult population.
Absolutely spot on!
I'd only like to add one thing: You don't need to ponder "smart" control of resources, while hundreds of tons of water are wasted in London every year due to mains pipes that leak. Don't know about other countries, but this one has to get the basics sorted first. In the meantime I'll keep the little privacy I've got left, thank you very much.
Re: @John Smith ... NSA"Last year we proved <redacted> really did kill 20 US citizens at <redacted>
"You have the issue of bad guys wanting to kill you because you don't believe in the exact same things that they do. They think of you as the evil incarnate."
I've got a few issues with this statement. First and foremost it's the moral high ground which the U.S. and many of its citizens are still claiming. The number of civilian casualties in the Middle East caused by the U.S. and their allies is likely a lot higher than the number of terrorism victims on U.S. soil in the same time frame. You don't even need to go as far as including the Gulf wars, which were based on the evidently false claim that WMD existed in Iraq. (That claim was known to be false before the war, not after returning empty-handed.)
Moral high ground and fear mongering together are the biggest threats to our society. They're both used for political and economical gain, not to make us safer.
Besides, a lot more people have died in car accidents, drug misuse, gun accidents and crimes; each of these categories individually has produced more fatalities. And they are domestic. Now why do you think that not a lot is happening to tackle those? Because there's nothing to gain for big arms dealers, intelligence agencies and politicians; all of them desperately need fear and threats to further their agendas, inside the country and abroad.
Every time we give a piece of privacy away, the terrorists have actually won another battle.
Unless the US social media companies are actually supporters of terrorism?
You don't have to go far back in time to find plenty of cases where the US, UK and others have made a sizeable amount of money by selling war machinery into countries which are now "evil" and supporting/hosting terrorists. In some cases you don't have to go back in time at all. The Saudis are the UK's biggest importer of weapons currently, for example, and as long as they keep fighting Yemen, they'll need more gear.
So if our governments (via arms manufacturers' lobbying and tax collection) have no interest in having an entirely peaceful world, why would companies in such countries care much about it?
Two things they want
1. They want to be seen to be doing something, anything.
2. They want more control over what we can and cannot see. Even if it's done with the best intentions (I doubt that), there's no way anybody can effectively control which website should or shouldn't be visible. No pattern is perfect: Country of origin? (Hey there Donald!) Keywords? (let's ban everything about cars or knives?)
The UK Gov's wish (and that's all it is) answers to the demands of rags like the Daily Fail and their readers. But it's a futile attempt at best, and it's a very slippery slope.
Also, unless UK Gov somehow manage a world-wide ban of certain sites on Google (and all other search engines), people with enough criminal energy will easily be able to work around it. So it achieves nothing. Meanwhile, all the false positives will affect law-abiding citizens. Another win for the "terrorists" (in quotes, because we use that word way too lightly and sometimes inappropriately).
'First ever' SHA-1 hash collision calculated. All it took were five clever brains... and 6,610 years of processor time
Re: Stop using PDFs ?
That's a very good point you're making there, JimmyPage.
Since false certificates were part of this discussion, I'd like to see that too. A cert is nothing but an ASCII text document of a very specific format. That should be a lot harder to pull off than using binary blob formats like PDF, which would allow you to hide a lot of stuff quite easily to tweak the hash to your liking.
Having said that, I'm not defending SHA-1. It was already known that its days are numbered.
Also, let's not use the term "calculate" when we refer to this stunt Google pulled off. Anything that uses 6500 years of compute time sounds a lot more like trial & error to me... or trial, verify, dismiss, repeat. Not quite a straightforward calculation. So SHA-1 is not really broken; it's just too weak as compute power becomes cheaper.
EDIT TO ADD, even if wandering off on a tangent: There are better ways to break SSL encryption, regardless of the hash used. How many of the Certificate Authorities that your OS & browser know, do YOU know? How many of them do you personally TRUST? SSL is fundamentally broken by design; unfortunately with no feasible alternative as yet.
If big companies who earn money with comms and networking (in the broadest sense) struggle to keep their stuff secure (TalkTalk, I'm looking at you, but not only at you), how on earth can anybody think that some random company from far far away can and will keep their cheaply produced IoT stuff secure? Even if it was secure at the time of purchase, who is going to update their daughter's doll? I mean seriously.
They did the right thing in Germany; the ban won't help much, but it raises awareness of the risks. It's a start, and goes quite in the opposite direction of what's happening here in the UK (as pointed out by someone else before).
This whole Internet of Trash is going to blow up in all our faces, if it hasn't already (depending on what gadget you have bought or intend to buy, or what is forced on you).
Gesture to appease Joe Public
Expelling known spies is and has always been just a gesture to show Joe Public, "Look, we're doing something about it." Just political bullshitting, to be honest.
Much harder to expel spies the US doesn't know are spies. Even more difficult to expel those who have an American passport. And those are the ones to worry about.
On a side note, I don't buy this RU interference nonsense. It's a desperate attempt to depict Trump as an illicit successor in the White House. (Disclaimer: I think he is a shite candidate. But so was Clinton. Choosing the lesser of two evils was particularly hard this time around.)
Re: And there's also the Snooper's Charter
We're going to lose a lot of data business, I think, just by creating yet-another-jurisdiction to deal with
Exactly. New, currently undefined, red tape and uncertainty about what and when and how are poison.
Also, the giant holes in the left and right foot? They are called Snoopers' Charter Crater and Digital Economy Abyss. Neither of them is going to help attract business, to say the least.
Re: I'm wondering
Who replies to text messages from numbers they don't recognise or people who won't identify themselves?
The same people who click on links in spam and phishing emails, and hand over credentials to third parties. We wouldn't see any of those "attacks", if there weren't enough stupid "customers".
EDF keep trying
to force one of those smart meters on me. And boy are they persistent. But so am I.
It might be the case that energy companies are supposed to roll that shit out by 2020. That doesn't mean that I'm obliged to help them with that. There's neither a law that requires house owners to have those snoop smart meters, nor is there any law that allows energy companies to deny supply based on what meters are installed. So service will commence as usual, for the time being.
I don't care how old EDF think my meter is. It counts kWh just fine. They will not convince me otherwise, unless my leccy bill is suddenly much lower than it used to be (meter stopped working).
Dormant networks, unvalidated contacts
Surely ARIN itself could do the crims' job much easier, repossess orphaned and dormant address ranges and therefore delay the inevitable depletion of available IPv4 space a little bit further?
It's of course not a solution to the problem (slow IPv6 uptake), but would buy some time and remove a market for criminal extortion schemes.
You couldn't make this sh** up
They knew within two hours after the fact what went wrong. Hear, hear! Everybody who does not need a beating with a cluebat first would have known *before* the fact how many visitors can be expected and what capacity might be needed (plus buffer and/or ability to scale).
And here's another piece of common sense: Things *always* get busier as a deadline comes closer. Some basic analytics and monitoring would have shown an alarming trend (for the un-initiated) and they could have spent those two hours to sort things out before seeing the service fail.
It was a spectacularly epic fail, not a success by any means. Politicians!
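The trend check described in the post above, as an added example that is not the commenter's code nor anything from GDS: it fits a straight line to a short window of per-minute request-rate samples and projects when the load will cross an assumed serving capacity, so an on-call person gets an alert while there is still time to act. The sample rates, the capacity figure and the one-minute sampling interval are all constructed for illustration.

```python
"""
Project request-rate growth against a fixed capacity and decide whether to
alert. Samples are per-minute request rates (oldest first); the capacity
figure and the samples themselves are constructed for this example.
"""
from typing import List, Optional, Tuple

# Assumed serving capacity in requests/second (hypothetical value).
CAPACITY_RPS = 500.0

# Constructed monitoring samples: one reading per minute, oldest first.
RAMP_SAMPLES = [100.0, 120.0, 140.0, 160.0, 180.0, 200.0]
FLAT_SAMPLES = [100.0, 100.0, 100.0, 100.0, 100.0, 100.0]


def linear_fit(points: List[Tuple[float, float]]) -> Optional[Tuple[float, float]]:
    """Ordinary least-squares line y = slope * x + intercept.

    Returns None when fewer than two points or all x values coincide, so the
    caller never divides by zero on degenerate input.
    """
    n = len(points)
    if n < 2:
        return None
    sx = sum(x for x, _ in points)
    sy = sum(y for _, y in points)
    sxx = sum(x * x for x, _ in points)
    sxy = sum(x * y for x, y in points)
    denom = n * sxx - sx * sx
    if denom == 0:
        return None
    slope = (n * sxy - sx * sy) / denom
    intercept = (sy - slope * sx) / n
    return slope, intercept


def minutes_until_capacity(samples: List[float], capacity: float) -> Optional[float]:
    """Minutes from the latest sample until the projected load reaches capacity.

    Returns None when the trend is flat or falling (no crossing ahead) or when
    no trend can be fitted. Returns 0.0 when capacity is already exceeded.
    """
    fit = linear_fit([(float(i), rps) for i, rps in enumerate(samples)])
    if fit is None:
        return None
    slope, intercept = fit
    if slope <= 0:
        return None
    last_x = float(len(samples) - 1)
    crossing_x = (capacity - intercept) / slope
    return max(0.0, crossing_x - last_x)


def should_alert(samples: List[float], capacity: float, lead_minutes: float) -> bool:
    """True when capacity will be reached within the operator's lead time.

    The lead time is how long it takes to add capacity (scale out, shed load),
    so an alert that fires later than this is too late to be useful.
    """
    eta = minutes_until_capacity(samples, capacity)
    return eta is not None and eta <= lead_minutes


if __name__ == "__main__":
    for name, samples in (("ramp", RAMP_SAMPLES), ("flat", FLAT_SAMPLES)):
        eta = minutes_until_capacity(samples, CAPACITY_RPS)
        alert = should_alert(samples, CAPACITY_RPS, lead_minutes=30.0)
        print(f"{name}: eta={eta} minutes, alert={alert}")
```

With the constructed ramp (rising 20 requests/second every minute from 100) the projection reaches the 500 requests/second capacity 15 minutes after the last sample, which is inside a 30-minute lead window and so alerts; the flat series never crosses and stays quiet. A real deployment would feed this from the monitoring system and widen the window as the deadline approaches, since the growth towards a hard deadline is rarely linear.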
@Scunner - Re: Certificate Authority buys enterprise grade SSL decryption biz? What could go wrong?
How about this then? http://www.theregister.co.uk/2016/05/27/blue_coat_ca_certs/
Their gear is already being used in non-consensual ways. Just not by our own governments yet (to our knowledge).
Also, there's a new ElReg article highlighting the same issue, quoting concern in the security community about the acquisition: http://www.theregister.co.uk/2016/06/14/symantec_blue_coat_analysis/
The thing is that for enterprise-level security, backed by clear consent (via employment contract, code of conduct etc), there's no need to have a proper cert on the Blue Coat appliances. The Blue Coat cert will just be added to trusted lists on all clients and you're good to go.
Having an already widely trusted cert just enables much easier misuse of decryption, without any added security benefit for the normal enterprise customer.
Wasn't too long ago that Symantec was threatened to be "untrusted" by Google as well, because of other blunders:
Five years ago I would have agreed with your analogy to cars. However, nowadays every citizen is presumed guilty and subjected to extreme surveillance, further extended by IPB & Co, which is a hard to grasp concept already. To add insult to injury we see privacy not only infringed by government agencies, but also by lots of big enterprises; and Symantec/Blue Coat would make it so much easier for everybody, that I find it difficult to give them the benefit of the doubt and assume all the best intentions. Complacency and ignorance are what got us into this state of surveillance, and we're only at the beginning of it. Forgive me if I cannot just look at Symantec/Blue Coat and assume best intentions. For the protection of a local network with Blue Coat, a proper CA signed cert isn't needed; for transparent decryption in other places on the other hand, it is.
My original argument was that Symantec can no longer be trusted as a CA because their cert on Blue Coat appliances used by others will enable transparent decryption.
I stand by that. Trust, for me, is not only defined as to whether I think an entity is doing the right thing and has good intentions, but also if whatever they provide can be misused by others. An analogy to that would be a trusted network vs a DMZ. You control servers in the DMZ, and should be able to trust them, but they can potentially cause harm due to the fact that others may compromise (gain access, misuse) them, hence you keep them away from the crown jewels.
Certificate Authority buys enterprise grade SSL decryption biz? What could go wrong?
See title. Symantec needs to have its status as Certificate Authority revoked and removed from all browsers and SSL clients RIGHT NOW. Otherwise all clients will trust the certs that Blue Coat uses, and will not question or even flag the MITM nasties that Blue Coat has built a business on.
(Fine if used in a company and policies and employment contracts are clear about private use; But really bad if we see this kit popping up at ISPs and hosting companies, in line with bills like IPB)
With the IPB coming, EU membership is less important to consider
Rather than waiting until 24th June, I'd wait until a final decision on the Investigatory Powers Bill is made, if I were a non-European company looking for a place to host. It looks very much incompatible with EU data protection laws, puts logging and data hoarding burdens on service providers and hosting companies that are not yet clearly defined, and may well render the EU membership question moot in comparison.
A non-European company's best bets for hosting are Ireland (if English-speaking country and low corporation tax rates preferred), Netherlands (AMS-IX) or Germany (DE-CIX) if best possible connectivity within Europe is needed. As an added benefit they get a location inside the EU.
All these options are a lot cheaper for hosting than anything near LINX as well.
If Britain decides to leave the EU *and* introduce the IPB, it will no longer be attractive for anybody to host things here, including domestic companies.
Re: The man's an incorrigible optimist
Evidently he's not got much experience of the British government
I think he's well aware of it, not least because he used to be employed by the BBC. (And the British gov is not the only stupid one in the world.)
But you don't go on stage at a major security conference and call out the government for what they are. It closes all doors for any sort of communication in the future. So you keep your reasoning along the lines of "haven't lost all hope just yet". Who knows, being the renowned security guy he is, he might be hoping to get an advisor role with a government?
This is due to unprecedented demand.
You don't say. Of course there's no precedent for a Brexit referendum, because there's never been one.
That said, how hard can it be to make an educated guess about the capacity needed? (EDIT: and/or design it properly so that it scales?)
Can anybody please name any GDS project that hasn't failed spectacularly (or is about to)?
Register going BBC style reporting?
How can news about such important legislation only appear in those tiny news nibbles, which rotate all the way through in no time? IPB will take away overnight the little privacy we had left, and turn all of us into subjects of surveillance, presumed guilty, while giving access to the information to a broad range of institutions and people with insufficient oversight and sign-off procedures. Several committees and experts alike had doubts, which makes it even more outrageous and important, since you've got to wonder how it can receive such an overwhelming majority in the House of Commons.
This should be kept in the headlines indefinitely, not be disappearing with other FYI-style bites.
Re: Optional indeed...
Exactly what I thought, too. A lot of if, would, might, could, likely, unlikely etc etc
In essence the article supports what the "fear mongers" (remain camp) are saying: We do NOT know what's going to happen when Britain leaves, or when. A lot of things will have to be re-negotiated, which takes time and causes uncertainty - and that's always bad news for business.
On the pro side, if Britain left the EU, the next 1-2 governments here will have a very hard time blaming any shit on the EU or migrants.