Posts by king_tut

59 publicly visible posts • joined 20 Feb 2012


'NSA, GCHQ-ransacked' SIM maker Gemalto takes a $500m stock hit

king_tut
Facepalm

Fundamental misunderstanding of telecoms

There seem to be some fundamental misunderstandings out there about how cellular comms actually work. The encryption keys which have been stolen were only ever used for the wireless link - i.e. between phone and cell tower, and even then could be circumvented via active attacks. Within the carrier networks the calls are in the clear.

Some carriers may encrypt some parts of their network - there is no guarantee though, and the carrier wouldn't necessarily tell you either way. So in short your comms were _already vulnerable_ if you relied on this encryption. That's why you use multiple layers of crypto, and use end-to-end encryption. Yes, having the keys makes passive interception and decryption easier, but if you were relying on it for your security then you were an idiot.

In the UK, these keys are in theory not much use anyway. That's because the exact same warrant would be required to use these keys within the UK as would be needed to order the carrier to do cell interception - in fact, this was confirmed in the recent trial which found that GCHQ had been breaking the law because they hadn't made this fact public. The keys could be misused, yes, but oversight in the UK is actually pretty good - again, the recent "GCHQ broke the law" was a pretty technical finding, not intimating willy-nilly interception of anyone they want.

The US is a different situation - the yanks have bugger all oversight over their intelligence services. They need to sort their act out, but I expect to see pigs flying first.

Where the keys are useful is intelligence in unfriendly locations, where the UK government cannot ask the carrier to do intercept direct, and cannot ask the local intelligence/police to help as they're not trusted. For example, it would be dangerous to ask the ISI to do cell intercept on the Pakistani Taliban, due to supporters within the ISI itself who would leak the fact that specific phones were being targeted.

All countries spy on each other. The only countries that don't, only don't because they cannot afford to.

The more iffy area is spying on employees of Gemalto and carriers, in order to gain access. The leaked documents highlight that only specific K, Ki, and IMSI info was being searched for. There was no mention of looking for personal information for blackmail etc, and furthermore these were all work email accounts - I didn't see any evidence of searching home accounts for embarrassing details etc.
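The layering point in the post above (the SIM key only protects the phone-to-tower hop, the carrier core carries the payload in clear, and only an end-to-end layer survives a key compromise) can be shown with a small model. This is an added example, not code from the post or from any carrier or SIM vendor: it replaces the real A3/A8 and A5 algorithms with HMAC-SHA256 stand-ins, uses constructed values for Ki, RAND, the frame nonce and the app key, and models no message authentication. The function names (`derive_link_key`, `phone_send`, `tower_receive`, `passive_intercept`, `simulate`) are all assumptions made for the demo.

```python
import hashlib
import hmac

# Constructed sample values for the demo; not real SIM or network data.
KI = bytes.fromhex("00112233445566778899aabbccddeeff")        # subscriber key held on the SIM and at the carrier
RAND = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")      # network's authentication challenge
NONCE = b"frame-0001"                                         # per-frame nonce for the air link
APP_KEY = hashlib.sha256(b"e2e session key agreed in-app, never on the SIM").digest()


def derive_link_key(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for the SIM's A8 step: SIM and carrier both turn (Ki, RAND) into a
    per-session link key. Real networks use COMP128/MILENAGE; HMAC-SHA256 here."""
    return hmac.new(ki, b"link-key" + rand, hashlib.sha256).digest()[:16]


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stand-in stream cipher (real air link: A5/x)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt; one operation for a stream cipher."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def phone_send(ki: bytes, rand: bytes, nonce: bytes, payload: bytes) -> bytes:
    """Phone side: derive the link key from the SIM and encrypt the frame for the air hop."""
    return xor_stream(derive_link_key(ki, rand), nonce, payload)


def tower_receive(ki_at_carrier: bytes, rand: bytes, nonce: bytes, air_ct: bytes) -> bytes:
    """Carrier side: the auth centre holds the same Ki, so it derives the same link key.
    What this returns is what travels in the clear inside the core network."""
    return xor_stream(derive_link_key(ki_at_carrier, rand), nonce, air_ct)


def passive_intercept(stolen_ki: bytes, rand: bytes, nonce: bytes, air_ct: bytes) -> bytes:
    """Whoever holds a subscriber's Ki plus the captured RAND and frame is, for the air
    hop, indistinguishable from the carrier: the link layer adds nothing for them."""
    return tower_receive(stolen_ki, rand, nonce, air_ct)


def e2e_encrypt(app_key: bytes, msg: bytes) -> bytes:
    """Application-layer encryption under a key the SIM and carrier never see."""
    return xor_stream(app_key, b"e2e", msg)


def e2e_decrypt(app_key: bytes, ct: bytes) -> bytes:
    return xor_stream(app_key, b"e2e", ct)


def simulate(plaintext: bytes, use_e2e: bool) -> dict:
    """Run one message through phone -> air -> tower -> core, with or without an
    end-to-end layer, and report what a holder of the stolen Ki can recover."""
    payload = e2e_encrypt(APP_KEY, plaintext) if use_e2e else plaintext
    air_ct = phone_send(KI, RAND, NONCE, payload)
    on_core = tower_receive(KI, RAND, NONCE, air_ct)
    recovered = passive_intercept(KI, RAND, NONCE, air_ct)
    return {
        "air_ciphertext": air_ct,
        "on_carrier_core": on_core,
        "recovered_with_stolen_ki": recovered,
        "plaintext_exposed": recovered == plaintext,
    }


if __name__ == "__main__":
    for e2e in (False, True):
        r = simulate(b"meet at 10", use_e2e=e2e)
        print(f"e2e={e2e}: core carries {r['on_carrier_core']!r}, "
              f"stolen-Ki holder gets {r['recovered_with_stolen_ki']!r}, "
              f"plaintext exposed: {r['plaintext_exposed']}")
```

Without the end-to-end layer the payload sits in clear on the carrier core and a stolen Ki recovers it from the air capture; with it, both the carrier and the Ki holder see only the inner ciphertext, which is the property the post is arguing for.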

Shy, retiring British spies come out as MEGA HACKERS

king_tut
Black Helicopters

Update of existing Code

As noted in the article, the Interception Code of Practice is an update and revision of the existing guidance. From a rough comparison, they've done the following:

- Incorporated the "external" bit of DRIPA

- Extended mention of privileged comms to include MPs and constituency affairs

- Taken on board a subset of the IOCCO recommendations from their recent investigation into police use of RIPA against journalists

- Made assorted other tweaks related to sensitive and privileged communications, e.g. journos etc

- Made a number of other tweaks, some good, some bad, e.g. the duration of initial warrants in para 3.17 has changed.

It seems that they've slackened some of the things they may have found to be an arse, while tightening rules that didn't really affect them anyway, but they should get some credit for paying at least lip service to the oversight bodies.

In the unlikely case anyone is interested in the full list of changes, I'll be putting them on my blog at kingtut666.wordpress.com later today.

king_tut

Re: It only takes the government 14 yrs to comply with their own laws.

There was already a code, it's just that this is the updated version. One thing I'm doing is a diff between them - to see if this (as I suspect) is just a reissue as a PR exercise.

Valve set for OpenGL BIG REVEAL at upcoming conference

king_tut
Trollface

Obligatory comment...

"We will present [...] live demos of real-world applications"...

So, Half-Life 3 demo then?

Snapchat jihadist-fearing peers return with LAST GASP Snoopers' Charter demand

king_tut

The UK parliament is vastly more restrictive on such matters than the US, where sneaking in pork is a major sport.

The Lords can't tack this onto any old bill - they self-police that any amendments must be relevant to the subject matter of the bill. See http://hansard.millbanksystems.com/lords/1968/feb/06/administration-of-justice-bill#column_1077 for when this came up in parliament. See also section 8.54 of http://www.publications.parliament.uk/pa/ld/ldcomp/compso2013/10.htm

In the Commons, there is also a requirement for relevance for amendments in committee (http://www.publications.parliament.uk/pa/cm201314/cmstords/900/body.htm#65), but I'm not sure about second reading.

king_tut
WTF?

Confused

I'm not sure what they're trying to get out of this. I can sort-of understand the inclusion of the amendments last week, as a way to restart discussion on the subject, and provide an opportunity for supporters to restate why they think such legislation is needed. Although why they didn't do it at second reading, I don't know, other than having the cover of Paris. However, that goal has surely been accomplished - Civil Liberties vs Interception and Retention is back on the radar of those who care.

So why re-introduce at report stage? There's no chance this will get through the Lords, especially being introduced so late in the bill's progress. In fact, I could imagine the tactics they're using actually causing some peers to vote against, who may previously have sat on the fence. Even if it gets through the Lords, there's no way it would get through the Commons, especially not with an election looming.

OK, so we paid a bill late, but did BT have to do this?

king_tut

RIPA and/or CMA?

Have they not just broken the law, under either RIPA or the Computer Misuse Act? IANAL but I've recently scanned through the legislation and they may have done so unless you gave them permission.

They appear to have intercepted your communications. Under RIPA (http://www.legislation.gov.uk/ukpga/2000/23/contents), section 2,

"(2) For the purposes of this Act, but subject to the following provisions of this section, a person intercepts a communication in the course of its transmission by means of a telecommunication system if, and only if, he—

(a) so modifies or interferes with the system, or its operation,"

From section 1(5), a user has lawful authority: "...if, and only if—

(a) it is authorised by or under section 3 or 4;

(b) it takes place in accordance with a warrant under section 5 (“an interception warrant”); or

(c) it is in exercise, in relation to any stored communication, of any statutory power that is exercised (apart from this section) for the purpose of obtaining information or of taking possession of any document or other property; and conduct (whether or not prohibited by this section) which has lawful authority for the purposes of this section by virtue of paragraph (a) or (b) shall also be taken to be lawful for all other purposes."

So unless you've given permission for them to do this (the reference to section 3), then that's a no-no.

Under the Computer Misuse Act, there's a specific offence to do with "acts with intent to impair" - see http://www.legislation.gov.uk/ukpga/1990/18/section/3. This also seems to apply. Section (1) may also apply - while the language talks about "caus[ing] a computer to perform any action with intent to secure access to any program with intent to secure access.." which doesn't seem applicable until you look at section 17(2), which defines "secures access" as "uses it" and this is further defined in 17(3). Arguably they caused your browser to perform a function (show the popup) which you did not give consent to.

Of course, there's no chance of the police actually doing anything. And all the language in RIPA and CMA talks about "a person" so I'm not sure how that applies to a corporation in the UK.

Compulsory coding in schools: The new Nerd Tourism

king_tut
Childcatcher

I disagree with the article...

Learning a bit of coding/programming is very valuable for everyone. Learning software engineering, and specific languages, would not be. Of course, the average IT curriculum, and quality of IT teaching, is very varied and generally poor - but that's a different question/point.

Firstly, by giving kids an opportunity to try the subject, they can find out whether they enjoy it or not. The ones who do can continue to learn. Those who do not can move on to other things, maybe with a bit of an appreciation of the complexity (and tedium sometimes) of the subject.

Secondly, as another reader commented, learning to code is more about learning to think. Learning to be logical and precise. Learning to ask awkward questions, test theories, push boundaries. And unlike most other classes, these lessons can be learnt in a reproducible way, with a minimum of other outside complexities to confuse the issues.

Finally, programming is one of few subjects, especially when you use pseudo-code, where there is very little to learn/memorise. Unlike many subjects at GCSE and A-level, you don't do well in programming by memorising answers - you do it by being able to think in a specific way. That difference in focus is very valuable. (Yes, I know the aim with GCSE etc is to move more towards thinking, and away from memorising, but just look at the average syllabus...)

LOHAN flashes fantastical flying truss

king_tut

Re: Horizontal

This was my concern as well.

In addition to the weight hanging in the middle (but suspended from the ends of the truss), how about rigging a pipe between the balloons? That way each balloon would have the same pressure inside, and in theory would be more likely to stay level (assuming each balloon has the same elasticity). The same pipe could also be used to fill both balloons at the same time.

I'd suggest some form of gyro, but the weight would be unacceptable.
