As Theresa May moves from the Home Office to Number 10, it is perhaps timely to reflect on public attitudes to surveillance as evidenced in Liberty’s campaign film “Show me yours” in April of this year. In the film (shown below), comedian Olivia Lee pursues members of the public with the intention of taking details from their mobile phones of all their recent communications or browsing activity. The reactions of the people approached speak for themselves. Unfortunately, Liberty research suggests that 75% of adults in the UK had never heard of the impending legislation laid out in the Investigatory Powers Bill.
Jul 13 2016
Permanent link to this article: https://baldric.net/2016/07/13/show-me-yours/
May 02 2016
I have recently been building a new NAS box (of which, possibly, more later). In fact the build is really a rebuild because I initially built the server about three years ago in order to consolidate a bunch of services I was running on assorted separate servers into one place. That first build was a RAID 1 array of two 2 TB disks (to give me a mirrored setup with a total of 2 TB store). At the time that was sufficient to hold all my important data (backed up both to other networked devices and to standalone USB disks for safety). But I have just upgraded my main desktop machine to a nice shiny new core i7 Skylake box with 16 GB of DDR4 and a 3 TB disk. That disk is already two thirds full (my old machine had a rather full 2 TB disk). This meant that my NAS backup storage requirements exceeded the capacity of my RAID 1 setup. Adding disks wouldn’t help of course because all that would do is add mirror capability rather than capacity. So I decided to upgrade the NAS and bought a bunch of new 2 TB disks with the intention of setting up a RAID 5 array of 4 disks, thus giving a total storage capacity of 6 TB (8 TB minus 2 TB for parity). Furthermore I initially looked at using FreeNAS rather than my usual debian or ubuntu server with software RAID simply because it looked interesting and, with plugins, could probably meet most of my requirements. But I could not get the software to install properly and after three abortive attempts I gave up and decided that I didn’t really like freeBSD anyway….
So I opted to go back to mdadm on linux – at least I know that works. Better still I would be able to retain all my old setup from the old RAID 1 system without having to worry about finding plugins to handle my media streaming requirements, or owncloud installation, for example.
My previous build was on debian (which is by far my preferred server OS) but ubuntu server has recently been released in a LTS version at 16.04 and I thought it might be fun to try that instead. So I did. (For any readers who have not tried installing linux on a RAID system there are plenty of sites offering advice, but the official ubuntu pages are pretty good). During the build I hit what I initially thought was a snag because the installation seemed to get stuck at around the 83% level when it was apparently installing the linux kernel image and headers. Indeed I confess that on the first such installation I pulled the plug after about three hours of no apparent activity because I was beginning to think that there might be something wrong with my hardware (the earlier FreeNAS failures worried me). My on-line searches for assistance were initially not particularly helpful since none of the huge number of sites advising on software RAID installation bothered to mention that initial RAID 5 build (or rebuild) using large capacity disks takes a very long time because of the need to calculate the parity data. Incidentally, it is this parity data and its layout that gives RAID 5 its write performance penalty.
One useful outcome of my research about RAID 5 build times (which in my case eventually took just over 6 hours) was my discovery of the wintelguy’s site providing an on-line calculator (and much more besides) for RAID performance and capacity. There is even a very useful page allowing you to compare two separate configurations side by side – thoroughly recommended. More worrying, and thought provoking, is the reclaime.com calculator for RAID failure. That site suggests that the probability of successfully rebuilding a RAID 5 array of 4 * 2 TB disks after a failure is only 52.8%.
That is why you need to keep backups…….
Permanent link to this article: https://baldric.net/2016/05/02/raid-performance/
Mar 30 2016
For some time mow I have been increasingly fed up with the poor service offered by SMS on my mobile phone. I’m not a hugely prolific sender of text messages, and those I do send are primarily aimed at my wife and kids, but when I do send them, I expect them to get there, on time and reliably. I also expect to be able to send and receive images (by MMS) because that is what I have paid for in my contract. Oh, and I would also like to do this securely, and in privacy.
Guess what? I can’t.
My wife and kids want me to use Facebook’s messenger because that is what they use and they are happy with it. I have signally failed to convince them /not/ to use that application, largely because they already have it installed and use it to send messages to everyone else they know. But then I have also failed to get my kids to understand my concerns about wider Facebook usage. (“There Dad goes again, off on one about Facebook.”).
So, what to do? Answer, set up my own XMPP server and use that. XMPP is an open standard, there are plenty of good FOSS XMPP servers about (jabberd, ejabberd, prosody etc.) and there are also plenty of reasonable looking XMPP clients for both android and linux (the OS’s I care about). And better yet, it is perfectly possible (and relatively easy) to set up the server to accept only TLS encrypted connections so that conversations take place in private. Many clients also now support OTR or OMEMO encryption so the conversations can be made completely secure through end-to-end encryption. Yes, I am aware that OTR is a bit of a kludge, but it is infinitely preferable to clear text SMS over the mobile network. And I like my privacy. Better yet, unlike GPG which I use for email, OTR also provides forward secrecy, so even if my keys should be compromised, my conversations won’t be.
And yes I also know that Facebook messenger itself offers “security and pivacy”, but it also used to be capable of interacting with the open XMPP standard before Zuckerberg made it proprietary a few years ago. And I just don’t trust Facebook. For anything.
So for some time now I have been using my own XMPP server alongside my mail server. It works just fine, and I have even convinced my wife and kids to use it when they converse with me.
I may now move away from using GPG to using OTR in preference. Anyone wishing to contact me can now do so at my XMPP address and may also encrypt messages to me using my OTR key. My fingerprints are published here.
Permanent link to this article: https://baldric.net/2016/03/30/jibber-jabber/
Jan 24 2016
Last month Troy Hunt posted an interesting comment on his blog about the problems around the etiquette of allowing guests onto your home wifi network. In his post, Hunt notes that guests can be deeply offended at being refused access. This is understandable. If they are guests in your home then they are probably close friends or family. Refusing access can make it seem that you don’t trust them. However, as Hunt goes on to point out, it is not the guests per se you need to worry about. Anyone on your network can cause problems – usually completely unintentionally. In my case I have the particular problem that my kids assume that they can use the network when they are here. Worse, they assume that they may access the network through their (google infested) smart phones. Now try as I might, there is no way I can monitor or control the way my kids (or their partners) set up their phones. Nor should I want to.
Hunt asks how others handle this problem. Like him I don’t much trust the separation offered by “guest” networks on wifi routers. In my case I decided long ago to split my network in two. I have an outer network which connects directly to my ISP and a second, inner network, which connects through another router to my outer network. Both networks use NAT and each uses an address range drawn from RFC1918. Furthermore, the routers are from different manufacturers so, hopefully, any vulnerability in one /may/ not be present in the other. My inner network has all my domestic devices, including my NAS, music and video streaming systems, DNS server etc. attached. These devices are mostly hard wired through a switch to the inner router. I only use wifi where it is not possible to hard wire, or where it would make no sense to do so. For example, my Sonos speakers and the app controlling them on my android tablet must use wifi. However, there is no reason why my kids, who insist on using Facebook, need to have access to my internal systems. So I run a separate wifi network on the outer router and they only have access to that. The only systems on the external screened network is one of my VPN endpoints (useful for when I am out and about and want to appear to be accessing the wider world from my home), and my old slug based webcam. My policy stance on the inner network is to consider the screened outer network as almost as hostile as the wider internet. This has the further advantage that bloody google doesn’t get notification of my internal wifi settings through my kids leaving “backup and restore” active on their android phones.
Permanent link to this article: https://baldric.net/2016/01/24/guest-network/
Jan 11 2016
I am a paying member of both Amnesty International and the Open Rights Group. Both those organisations, along with many other Civil Rights organisations, technology companies and concerned individuals are signatories to an open letter to Governments across the world demanding that we retain the right to strong encryption in order to protect our privacy. That letter says:
- Governments should not ban or otherwise limit user access to encryption in any form or otherwise prohibit the implementation or use of encryption by grade or type;
- Governments should not mandate the design or implementation of “backdoors” or vulnerabilities into tools, technologies, or services;
- Governments should not require that tools, technologies, or services are designed or developed to allow for third-party access to unencrypted data or encryption keys;
- Governments should not seek to weaken or undermine encryption standards or intentionally influence the establishment of encryption standards except to promote a higher level of information security. No government should mandate insecure encryption algorithms, standards, tools, or technologies; and
- Governments should not, either by private or public agreement, compel or pressure an entity to engage in activity that is inconsistent with the above tenets.
I’ve signed. You should too.
Permanent link to this article: https://baldric.net/2016/01/11/sign-this-now/
Jan 07 2016
I don’t wish to comment on that evidence here, Adrian Kennard has already provided much useful comment on the failings of the Draft Bill. My purpose in this post to highlight the absurdity of the Parliamentary Committee’s request that the ISPA evidence be withdrawn from it’s Website. The Register article ends with this update:
ISPA contacted The Register after the publication of this story to inform us: “ISPA was requested to remove the written evidence it submitted to the Joint Committee on the Investigatory Powers Bill from the ISPA website by the Joint Committee. Their guidance states that submissions become the property of the Committee and should not be published elsewhere until the Committee has done so itself.”
As of now (14.30 on 7 January) that evidence is still on the ISPA Website. Even if removed, it will still, of course, be available from a huge range of sources such as search engine caches (apologies for the google reference, but it is the obvious one). Or you could get it here.
The point is, once such a document has been published electronically on the net, no-one, but no-one, can put the genie back in the bottle and unpublish it.
The officials supporting the Joint Parliamentary Committee should know that. And if they don’t then I would submit that they are not technically competent enough to be supporting the Committee.
Permanent link to this article: https://baldric.net/2016/01/07/idiotic/
Jan 01 2016
Sadly, I read today that Ian Murdock, the “Ian” in Debian, died on Monday, 28 December 2015. He was only 42 years old. Various reports indicate that he had been distressed for some time before his death. The tweets reportedly from Murdock’s twitter account shortly before his death are very disturbing.
Murdock’s contribution to the FLOSS community was immense. The operating system he created with “Deb”, Debra Lynn, his then girlfriend, is the foundation upon which much of today’s internet infrastructure is built. Ubuntu, one of the most popular desktop linux distros, is itself built upon debian. This blog, and all of my web, mail and other servers is built upon debian. His legacy will endure.
Murdock left a wife and two young children. He died much, much, too young.
Permanent link to this article: https://baldric.net/2016/01/01/a-bad-way-to-end-the-year/
Dec 24 2015
It’s trivia’s birthday again (9 years old today!), so I just have to post to wish my readers (both of you, you know who you are….) a Merry Christmas and a happy New Year. Much has happened over the last year or so which has distracted me from blogging (life gets in the way sometimes) but I feel my muse returning so I may write more in the new year. Meanwhile, take a look at Alan Woodward’s update to Scott Culp’s 2000 essay “10 Immutable Laws Of Security” which he posted on the BBC site. It is called
have yourself a merry cyber-safe Christmas.
I’ll drink to that.
Permanent link to this article: https://baldric.net/2015/12/24/merry-christmas-2015/
Dec 08 2015
On sunday, the motherboard intially reported that, in the wake of the Paris atrocities of November 13th, the French Government was proposing to ban Tor and free WiFi. As it turns out, this is not strictly accurate. The report was later corrected – thus:
Correction: The initial headline and copy of this article suggested that the proposals to block Tor and control free wifi were already part of a proposed law. These are in fact points that the French police and gendarmes would like to see included in the bill, according to the document seen by Le Monde. The headline and copy have been updated to clarify this; we apologise for the error.
Nevertheless, the actual story is still worrying. Governments of all shades seem to react badly when they feel that they must be seen to “do something”. We, in the UK, have already seen how the desire to “do something” results in unfortunate over reaction and ill-thought proposals for legislation. So it is sad to see the French (for whom I have much admiration) apparently reacting to Paris by opting to clamp down on civil liberties. I’d like to think that the reality is not as bad as the initial report suggested though. Certainly the motherboard post now makes clear that:
French law enforcement wants to have (my emphasis) several powers added to a proposed law, including the move to forbid and block the use of the Tor anonymity network, according to an internal document from the Ministry of Interior seen by French newspaper Le Monde.
French law enforcement wish to “Forbid free and shared wi-fi connections” during a state of emergency. This comes from a police opinion included in the document: the reason being that it is apparently difficult to track individuals who use public wi-fi networks.
Noting that China actively blocks connections to Tor, the article continues:
If the French really wanted to block Tor, they might have to consider a model similar to the Chinese regime’s. Naturally, that might be worrying for anyone that cares about free-speech, increasing surveillance, or, say, democracy.
Let’s just hope that sense prevails and Western democracies do not react to terrorism in a way which reduces the very freedoms we cherish so much.
Permanent link to this article: https://baldric.net/2015/12/08/knees-and-other-jerks/
Nov 28 2015
Permanent link to this article: https://baldric.net/2015/11/28/cameron-meets-corbyn/
Nov 23 2015
Like most people in the UK at this time of the year I’ve been doing some on-line shopping lately. Consequently I’m waiting for several deliveries. Some delivery companies (DHL are a good example) actually allow you to track your parcels on-line. In order to do this they usually send out text or email messages giving the tracking ID. Today I received an email purporting to come from UKMail. That email message said:
Your parcel has not been delivered to your address November 23, 2015, because nobody was at home.
Please view the information about your parcel, print it and go to the post office to receive your package.
UKMail expressly disclaims all conditions, guarantees and warranties, express or implied, in respect of the Service. Where the law prevents such exclusion and implies conditions and warranties into this contract, where legally permissible the liability of UKMail for breach of such condition,
guarantee or warranty is limited at the option of UKMail to either supplying the Service again or paying the cost of having the service supplied again. If you don’t receive a package within 30 working days UKMail will charge you for it’s keeping. You can find any information about the procedure and conditions of parcel keeping in the nearest post office.
I /very/ nearly opened the attached file. That is probably the closest I have come to reacting incorrectly to a phishing attack. Nice try guys. And a very good piece of social engineering given the time of year.
Virustotal suggests that the attached file is a malicious word macro container. Interestingly though, only 7 of the 55 AV products that Virustotal uses identified the attachment as malicious. And even they couldn’t agree on the identity of the malware. I suspect that it may be a relatively new piece of code.
Permanent link to this article: https://baldric.net/2015/11/23/christmas-present/
Nov 10 2015
Yesterday, Kenneth Freeman posted a note to the tor-relays list drawing attention to a new resource called TorFlow. TorFlow is a beautiful visualisation of Tor network traffic around the world. It enables you to see where traffic is concentrated (Europe) and where there is almost none (Australasia). Having the data overlaid on a world map gives a startling picture of the unfortunate concentration of Tor nodes in particular locations.
I recently moved my own relay from Amsterdam (190 relays) to London (133) but the network needs much more geo-diversity. Unfortunately, international bandwidth costs are lowest is the areas where relays are currently located. Given that the relays are all (well, nearly all…..) run by volunteers like me and funded out of their own pockets it is perhaps not surprising that this concentration should occur. But it is not healthy for the network.
There appears to be a particularly intriguing concentration of 16 relays on a tiny island in the Gulf of Guinea. Apparently this is an artifact though because those relays are all at (0, 0) which I am told GeoIP uses as a placeholder for “unknown” (in fact, GeoIP location is a somewhat imprecise art so there may be other anomalies in the data.)
Permanent link to this article: https://baldric.net/2015/11/10/torflow/
Oct 29 2015
This is simply depressing. Today I received a classic phishing attack email – the sort I normally bin without thought. According to virustotal, the attachment, which purported to be an MS Word document called “Invoice 7500005791.doc”, was a copy of W97M/Downloader, a word macro trojan which Symantec says is a downloader for additional malware. So far so annoying, but not unusual.
However, the email came from an address given as “@lancashire.pnn.police.uk” (so it looked as if it came from a Police National Network address allocated to Lancashire Police). Intriguingly, the “From:”, “Return-Path:” and “Return-Receipt-To:” headers all contained the same (legitimate looking) address at that domain. Only one header, “Disposition-Notification-To:” was slightly different. It gave the email address as “@lancashire.pnn.police.au”. Now that header is used to request a “Read Receipt” and most email clients will obey that and display a message of the form “This message asks for a return receipt” along with a “send” button. Had I pressed that button, a message /might/ have gone to the “police.au” domain address. I say “might” because there is no such domain, so this could simply be a mistake on the part of the attacker. All the “Received:” headers (i.e. the addresses of mail servers the message went through en route to me) were shown as network 77.75.88.xx – whois records this as belonging to an entity called “Farahnet” registered in Beirut. Unfortunately the whois record does not give an abuse, or admin contact email address.
Most phishing emails simply have a forged “From:” address and all other headers are obviously wrong. This one looked distinctly odd and a little more professional than most. I therefore decided it might be a good idea to tip off the Lancashire Police to the misuse and misrepresentation of their domain name. This is where it got depressing.
Nowhere could I find a simple email address or other electronic contact mechanism to enable me to say to Lancashire Police “Hi guys, see attached, you may have a problem”. The Lancs Police website has a “Contact Us” page giving pointers to various means of providing feedback – but no immediately obvious one for reporting email attacks. Here the banks are way ahead of the Police. All banks I have ever dealt with have an email address (usually of the form “firstname.lastname@example.org”) to which you can send details of the latest scam. However, the bottom of the contact page on the Lancs Police site shows a link to “online fraud” under the heading “popular pages”. This link takes you to their on-line safety advice page which then has a further link to “Action Fraud“, the National Fraud & Cyber Crime Reporting Centre, that site in turn does actually give you a means of reporting phishing attacks. But it takes too long. I had to click through four pages of feedback with Radio buttons asking what I wanted to report, how the attack arrived, where it purported to come from etc. before I was given a page with the email address NFIBPhishing@city-of-london.pnn.police.uk and an instruction to email them giving the details I should have been able to provide on the damned form I had just spent ages finding and filling in.
Having obtained this email adddress, I was given a “Fraud Report Summary” (see below) which is precisely useless for anything other than simple statistics. My guess is that this information is collated simply to be used to provide the sort of banal analysis beloved of senior management everywhere.
Not good enough guys, not nearly good enough.
But it gets worse. In my attempts to find what should be an obvious contact point, I plugged “lancashire police cyber crime” (I know, I know) as search terms into my search engine. The first likely entry listed in response (after rubbish like facebook pages or comments on non-existent fora such as cybercrimeops.com) was https://www.lancashire.police.uk/help-advice/online-safety/online-crime-fraud.aspx
(note the https). This is a supposedly secure link to the very same page I later found on the Lancs Police site. Try clicking that link. If you use Firefox, this is what you will get (chrome will give you something similar):
So – the site is not trusted because it uses an X509 certificate which is only valid for the commercial domains of the service on which the Police site is presumably hosted. Idiotic. If I got that sort of response from a bank I’d be deeply worried. As it is, I’m just depressed.
Permanent link to this article: https://baldric.net/2015/10/29/lancashire-police-fail/
Oct 15 2015
The amendments refer to the fact that I no longer use Counterize to collect run time statistics. I prefer instead to use Awstats which runs over my log file on a weekly basis. I have also deleted reference to personal information collected in my feedback form because I no longer use such a form.
Permanent link to this article: https://baldric.net/2015/10/15/update-to-privacy-policy/
Aug 20 2015
At the end of last month I noted that I had been receiving multiple emails to each of the proxy addresses listed for my newly registered “private” domains. Intriguingly, whilst I was receiving at least three or four such emails a week before I wrote about it, I have had precisely zero since.
Probably coincidence, but a conspiracy theorist would have a field day with that.
Permanent link to this article: https://baldric.net/2015/08/20/update-to-domain-privacy/
Aug 19 2015
Last month my wife and I shared a holiday with a couple of old friends. We have known this couple since before we got married, indeed, they attended our wedding. We consider them close friends and enjoy their company. One evening in a pub in Yorkshire, we got to discussing privacy, the Snowden revelations, and the implications of a global surveillance mechanism such as is used by both the UK and its Five Eyes partners (the US NSA in particular). To my complete surprise, Al expressed the view that he was fairly relaxed about the possibility that GCHQ should be capable of almost complete surveillance of his on-line activity since, in his view, “nothing I do can be of any interest to them, so why should I worry.”
I have met this view before, but oddly I had never heard Al express himself in quite this way in all the time I have known him. It bothers me that someone I love and trust, someone whose opinions I value, someone I consider to be intelligent and articulate and caring, should be so relaxed about so pernicious an activity as dragnet surveillance. It is not only the fact that Al himself is so relaxed that bothers me so much as the fact that if he does not care, then many, possibly most, people like him will not care either. That attitude plays into the hands of those, like Eric Schmidt, who purport to believe that “If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place.”
Back in October last year, Glenn Greenwald gave a TED talk on the topic, “Why privacy matters”. I recommended it to Al and I commend it to anyone who thinks, as he does, that dragnet surveillance doesn’t impact on them because they “are not doing anything wrong”.
Permanent link to this article: https://baldric.net/2015/08/19/why-privacy-matters/
Jul 30 2015
Dear Dave is at it again. Sometimes I worry about our PM’s priorities. Not content with his earlier insistence that UK ISPs must introduce “family friendly (read “porn”) filters”, our man in No 10 now wants to “see age restrictions put into place or these (i.e. “porn”) websites will face being shut down”.
El Reg today runs a nice article about Dave’s latest delusion. That article begins:
Prime Minister David Cameron has declared himself “determined to introduce age verification mechanisms to restrict under 18s’ access to pornographic websites” and he is “prepared to legislate to do so if the industry fails to self-regulate.”
It continues in classic El Reg style:
The government will hold a consultation in the autumn, meaning it will be standing on the proverbial street corner and soliciting views on how to stop 17-year-olds running a web search for the phrase “tits”.
and further notes that Baroness Shields (who is apparently our “Minister for internet safety and security”) said:
“Whilst great progress has been made, we remain acutely aware of the risks and dangers that young people face online. This is why we are committed to taking action to protect children from harmful content. Companies delivering adult content in the UK must take steps to make sure these sites are behind age verification controls.”
To which two members of the El Reg commentariat respond:
I give it 5 minutes after the “blockade” is put in place before someone puts a blog post up explaining how to bypass said blockade.
Re: 5 minutes
“I give it 5 minutes after the “blockade” is put in place before someone puts a blog post up explaining how to bypass said blockade.”
I can do that now & don’t need a blog.
Q: Are you over 18?
Someone, somewhere, in Government must be able to explain to this bunch of idiots how the internet works. Short of actually pulling the plug on the entire net, any attempt to block access to porn is doomed to failure. China has a well documented and massive censorship mechanism in place (the Great Firewall) in order to control what its populace can watch or read or listen to. That mechanism fails to prevent determined access to censored material. If a Marxist State cannot effectively block free access to the ‘net, then Dear Dave has no chance.
Unless of course he knows that, wants to fail, and plans his own Great Firewall in “reluctant” response.
Permanent link to this article: https://baldric.net/2015/07/30/get-your-porn-here/
Jul 28 2015
Over the past few months or so I have bought myself a bunch of new domain names (I collect ’em….). On some of those names I have chosen the option of “domain privacy” so that the whois record for the domain in question will show limited information to the world at large. I don’t often do this, for a couple of reasons. Firstly, I usually don’t much care whether or not the world at large knows that I own and manage a particular domain (I have over a dozen of these). Secondly, the privacy provided is largely illusory anyway. Law Enforcement Agencies, determined companies with pushy lawyers and network level adversaries will always be able to link any domain with the real owner should they so choose. In fact, faced with a simple DMCA request, some ISPs have in the past simply rolled over and exposed their customer’s details.
But, I get spam to all the email addresses I advertise in my whois records, and I also expose other personal details required by ICANN rules. I don’t much like that, but I put up with it as a necessary evil. However, for one or two of the new domains I don’t want the world and his dog attributing the name directly to me – at least not without some effort anyway.
Because the whois record must contain contact details, domain privacy systems tend to mask the genuine registrant email address with a proxy address of the form “email@example.com” which simply redirects to the genuine registrant email address. Here is one obvious flaw in the process because a network level adversary can simply post an email to the proxy address and then watch where it goes (so domain privacy is pointless if your adversary is GCHQ or NSA – but then if they are your adversaries you have a bigger problem than just maintaining privacy on your domain).
Interestingly, I have received multiple emails to each of the proxy addresses listed for my “private” domains purporting to come from marketing companies offering me the chance to sign up to various special offers. Each of those emails also offers me the chance to “unsubscribe” from their marketing list if I am not interested in their wares.
I’ll leave the task of spotting the obvious flaw in that as an exercise for the class.
Permanent link to this article: https://baldric.net/2015/07/28/domain-privacy/
Jun 05 2015
Yesterday’s Independent newspaper reports that HMG has let a contract with five companies to monitor social media such as twitter, facebook, and blogs for commentary on Goverment activity. The report says:
“Under the terms of the deal five companies have been approved to keep an eye on Facebook, Twitter and blogs and provide daily reports to Whitehall on what’s being said in “real time”.
Ministers, their advisers and officials will provide the firms with “keywords and topics” to monitor. They will also be able to opt in to an Orwellian-sounding Human-Driven Evaluation and Analysis system that will allow them to see “favourability of coverage” across old and new media.”
This seems to me to be a modern spin on the old press cuttings system which was in widespread use in HMG throughout my career. The article goes on to say:
“The Government has always paid for a clippings service which collated press coverage of departments and campaigns across the national, regional and specialist media. They have also monitored digital news on an ad hoc basis for several years. But this is believed to be the first time that the Government has signed up to a cross-Whitehall contract that includes “social” as a specific media for monitoring.”
Apart from the mainstream social media sites noted above, I’d be intrigued to know what criteria are to be applied for including blogs in the monitoring exercise. Some blogs (the “vox populi” types such as Guido Fawkes at order-order) will be obvious candidates. Others in the traditional media, such as journalistic or political blogs will also be included, but I wonder who chooses others, and by what yardsticks. Would trivia be included? And should I care?
According to the Independent, the Cabinet Office, which negotiated the deal, claims that even with the extended range of monitoring by bringing individual departmental contracts together it will be able to save £2.4m over four years whilst “maximising the quality of innovative work offered by suppliers”.
Now since the Cabinet Office is reportedly itself facing a budget cut of £13 million in this FY alone, it strikes me that it would have been much more cost effective to simply use GCHQ’s pre-existing monitoring system rather than paying a separate bunch of relative amateurs to search the same sources.
Just give GCHQ the “keywords” or “topics of interest”. Go on Dave, you know it makes sense.
Permanent link to this article: https://baldric.net/2015/06/05/why-pay-twice/
Jun 02 2015
Well, that didn’t last long.
When I decided to force SSL as the default connection to trivia I had forgotten that it is syndicated via RSS on sites like planet alug. And of course as Brett Parker helpfully pointed out to me, self-signed certificates don’t always go down too well with RSS readers. He also pointed out that some spiders (notably google) would barf on my certificate and thus leave the site unindexed.
So I have taken off the forced redirect to port 443. Nevertheless, I would encourage readers to connect to https://baldric.net in order to protect their browsing of this horribly seditious site.
You never know who is watching……..
Permanent link to this article: https://baldric.net/2015/06/02/de-encrypting-trivia/
Jun 01 2015
In my post of 8 May I said it was now time to encrypt much, much more of my everyday activity. One big, and obvious, hole in this policy decision was the fact that the public face of this blog itself has remained unencrypted since I first created it way back in 2006.
Back in September 2013 I mentioned that I had for some time protected all my own connections to trivia with an SSL connection. Given that my own access to trivia has always been encrypted, any of my readers could easily have used the same mechanism to connect (just by using the “https” prefix). However, my logs tell me that that very, very few connections other than my own come in over SSL. There are a couple of probable reasons for this, not least the fact that an unencrypted plain http connection is the obvious (default) way to connect. But another reason may be the fact that I use a self signed (and self generated) X509 certificate. I do this because, like Michael Orlitzky I see no reason why I should pay an extortionist organisation such as a CA good money to produce a certificate which says nothing about me or the trustworthiness of my blog when I can produce a perfectly good certificate of my own.
I particularly like Orlitzky’s description of CAs as “terrorists”. He says:
I oppose CA-signed certificates because it’s bad policy, in the long run, to negotiate with terrorists. I use that word literally — the CAs and browser vendors use fear to achieve their goal: to get your money. The CAs collect a ransom every year to ”renew“ your certificate (i.e. to disarm the time bomb that they set the previous year) and if you don’t pay up, they’ll scare away your customers. ‘Be a shame if sometin’ like that wos to happens to yous…
Unfortunately, however, web browsers get really upset when they encounter self-signed certificates and throw up all sorts of ludicrously overblown warnings. Firefox, for example, gives the error below when first connecting to trivia over SSL.
Any naive reader encountering that sort of error message is likely to press the “get me out of here” button and then bang goes my readership. But that is just daft. If you are happy to connect to my blog in clear, why should you be afraid to connect to it over an encrypted channel just because the browser says it can’t verify my identity? If I wanted to attack you, the reader, then I could just as easily do so over a plain http connection as over SSL. And in any event, I did not create my self signed certificate to provide identity verification, I created it to provide an encrypted channel to the blog. That encryption works, and, I would argue, it is better than the encryption provided by many commercially produced certificates because I have specifically chosen to use only the stronger cyphers available to me.
Encrypting the connection to trivia feels to me like the right thing to do. I personally always feel better about a web connection that is encrypted. Indeed, I use the “https everywhere” plugin as a matter of course. Given that I already have an SSL connection available to offer on trivia, and that I believe that everyone has the right to browse the web free from intrusive gratuitous snooping I think it is now way past time that I provided that protection to my readers. So, as of yesterday I have shifted the whole of trivia to an encrypted channel by default. Any connection to port 80 is now automatically redirected to the SSL protected connection on port 443.
Let’s see what happens to my readership.
Permanent link to this article: https://baldric.net/2015/06/01/encrypting-trivia/
May 14 2015
Yesterday the new Government published a press release about the forthcoming first meeting of the new National Security Council (NSC). That meeting was due to discuss the Tory administration’s plans for a new Counter-Extremism Bill. The press release includes the following extraordinary statement which is attributed to the Prime Minister:
“For too long, we have been a passively tolerant society, saying to our citizens: as long as you obey the law, we will leave you alone. “
Forgive me, but what exactly is wrong with that view? Personally I think it admirable that we live in a tolerant society (“passive” or not). Certainly I believe that tolerance of difference, tolerance of free speech, tolerance of the right to hold divergent opinion, and to voice that opinion, is to be cherished and lauded. And is it not right and proper that a Government should indeed “leave alone” any and all of its citizens who are obeying the law?
Clearly, however, our Prime Minister disagrees with me and believes that a tolerant society is not what we really need in the UK because the press release continues:
“This government will conclusively turn the page on this failed approach. “
If tolerance is a “failed approach”, what are we likely to see in its place?
Permanent link to this article: https://baldric.net/2015/05/14/what-is-wrong-with-this-sentence/
May 08 2015
Theresa May hasn’t wasted any time. The Independent reports today that Ms May (Home Secretary in the coalition administration) has said that the new Tory administration will bring the Draft Communications Data Bill, previously blocked by the Liberal Democrats, back to the House of Commons with the intention of getting it passed into law. As the Independent also reports, dear Dave, who is let us say, technically challenged, has in the past expressed the view that no form of communication should be unreadable by the Goverment. This implies severe restrictions on all forms of encryption.
Given that the Tories now have the majority they lacked in the last administration, it is clear that they will see themselves free to attack the kind of liberties I, and millions like me enjoy and cherish. The Open Rights Group maintain a wiki devoted to the relevant points of each political party’s manifesto relating to surveillance or other possible attacks on privacy. As they point out, the Tory party is committed to:
- introducing “new communications data legislation”;
- scrapping the Human Rights Act;
- requiring internet service providers to block (certain) sites;
- enabling employers to check whether an individual is an extremist;
- requiring age verification for access to all sites containing pornographic material.
There are, of course, huge practical and technical difficulties in implementing much of what the Tories wish to do (consider for example the idiocy of attempting to outlaw VPN technology) but that won’t stop them trying. Indeed, some of the technical difficulties may cause the new administration to bring in mechanisms to get around those problems. An obvious example would be the requirement for key escrow for anyone wishing to use encryption.
Excuse me if I find that unacceptable. Time to encrypt much, much more of my everyday activity from now on.
Permanent link to this article: https://baldric.net/2015/05/08/back-on-topic/
May 08 2015
The early results of yesterday’s poll are depressing beyond belief. It looks almost certain that the Tory party will have sufficient seats to form the next government.
I don’t often make party political points here (though my political leanings may sometimes be obvious) but I was reminded today of Neil Kinnock’s heart rending speech in Bridgend, Glamorgan, on Tuesday 7 June 1983, two days before the election in which Margaret Thatcher was returned as Prime Minister.
“If Margaret Thatcher wins on Thursday, I warn you not to be ordinary. I warn you not to be young. I warn you not to fall ill. I warn you not to get old.”
Those words resonate even more today than they did 32 years ago. I fear for the old, the poor, the disposessed, the weak, the young, the sick and yes, indeed, the ordinary people of this country. David Cameron and his cronies both inside and outside Government will now return to the task of dismantling all that is good and admirable about our society. A society should be judged on the way it treats its weakest and less able members. Cameron’s Tories are, at heart, brutal and uncaring. That frightens me.
Permanent link to this article: https://baldric.net/2015/05/08/do-not-be-ordinary/