In spite of the Washington Post being chosen by Snowdon to publish his “revelations” (a circulation-grabbing but arguably cyclical move), and in spite of accepting a Pulitzer prize for this irresponsible journalism, the paper is now calling for him to be prosecuted. Unlike the liberal Guardian in the UK, the US paper, which profited by his betrayal are now seeing the situation for what it is.
Aussie Census takes a tumble
The Australian government bureaux of statistics had a census yesterday. Every aussie, wherever in the world they happened to be, and to fill in the on-line census form before midnight. For those living in London, they tried to do this late afternoon in order to meet the deadline. No luck! it’s down with a message saying “Sorry Mate, our servers are currently shagged. Please try later and we’ll forget about the fine this time.” Or words to that effect.
On trying again this morning, it was still out of action.
I wonder if all the Australians in the world decided to leave it to the last couple of hours of the day, and whoever designed the system didn’t consider what the peak load might be?
Please don’t click here to see for yourself, as their servers are overloaded enough already.
Update: 10-Aug-16 17:06
Apparently they’re now blaming it of foreign hackers or a DoS. There was some controversy about the security of an on-line census before the event; I see a “told you so” slanging match before long!
Five year old “new” malware discovered “by Kaspersky”
Yesterday Russian security company Kaspersky has released an analysis of what it claims is previously undiscovered malware, which has come to be known as Salron. Kaspersky’s analysis is incomplete, but contains more detail than was generally available in public beforehand. They admit it’s “probably” been around for five years, and this is true; but it’s not exactly unknown. The unknown group behind the attacks has become known as Strider, and they’re using a backdoor program called Remsec. Details of this were published by Symantec a week ago.
Kaspersky’s conclusion is that this is a “Nation State” level piece of malware. It’s possible, but other than being very competently produced, I have seen no conclusive evidence to back the claim at this stage, but there’s quite a bit that’s circumstantial. According to Symantic, it’s been used to target relatively few organisations – mostly in Russia, with a Chinese airline and an unspecified embassy located in Europe. In other words, that naughty Mr Putin is at it again. Or is it the Chinese attacking their neighbour?
Based on the public analysis, it was written by some very smart people and avoids the mistakes made in previous systems such as Stuxnet. Kaspersky points to it being a rung up the technology ladder as an indication it was another government-sponsored effort, although in practice, anyone could learn the same lessons and produce a new generation.
AV companies have been detecting this for over a week, and it hasn’t thrown up a large number of infections. This is intriguing. Also, the way it works to circumvent very specific and uncommon high-end security software indicates its in the APT category.
Microsoft, who’s operating systems it attacks, has yet to comment.
BBC plays the temperamental chef
Today the BBC hit back after being told to do its job. The white paper on its future told the public service broadcaster that it needed to produce public service output, rather than duplicating material ably produced by the commercial sector. The phrase used was “distinctive output”, and this was repeated ad nausium in its reporting of this morning’s story that it would be dropping its popular web recipe archive.
The reason given was that this was not “distinctive output”, and according to Radio 4’s Today programme, it was to save £15M/year from its on-line budget. Really? Anyone who knows anything about web publishing can tell you that publishing recipes is cheap, especially when you already have them. A quick look around the BBC more exotic on-line offerings will soon show where the money really goes.
So what are they up to? Politics, of course. The liberal elite running the BBC isn’t happy about being reminded how it is supposed to be spending our money, and is acting up in a disgraceful manner.
In its own on-line reporting of the matter, the BBC is linking this to the new requirement to publish details everyone having their celebrity lifestyle funded by more than 450K of our license money. This is going to be be awkward for the luvvies and the star-struck BBC executives fawning over them.
It’s about time the BBC started serving the people who pay for it. It’s hardly impartial when it comes to politics; it’s right in there playing politics itself – albeit the playground variety.
Apple is too cool for the CIA to touch
You can’t have missed the furore over Apple’s refusal to help the CIA get the data from a terrorist murderers iPhone. On the one side the CIA says that we need the data to protect the public, a line with the judiciary of the USA agrees with, and Apple should do everything possible to get it for them. On the other side there’s Apple’s PR engine trying (successfully) to spin the story and avoid complying with the court order.
In the mean time the Brazilians haven’t shown such deference to a cultural icon when it comes to Facebook owned WhatsApp refusing to hand over data concerning a major drugs trafficker, even after several court orders. The Brazilian authorities have arrested Diego Dzodan, Facebook’s hancho in Latin America, and thrown him in jail until such time as the company obeys the law.
Perhaps he Americans could try that with Tim Cook – you break the law, you go to jail.
Meanwhile, Apple might seem to be setting itself up as the criminals friend over this. In the land of the free where profit is king, I guess their money is as good as anyone else’s so perhaps we should be too judgemental. But in an outrageous spin, Apple has told the world that if they comply with the court order then all Apple handsets will have a backdoor and no longer be secure. This is disingenuous. The situation is this:
Apple encrypts the data stored on the phone. You have to enter a password to unlock it. If you enter ten wrong passwords it will wipe the data from the phone. The CIA has asked Apple to modify this handset to disable the data wiping feature, so the CIA can then just keep throwing passwords at it until it unlocks. Clearly, this is going to have no physical effect on any other handset anywhere else in the world. So what’s Apple’s problem?
If Apple helped the CIA break in to the handset, Apple can no longer claim that its handsets are invulnerable. Terrorists, fraudsters and anyone up to something will know that the authorities can get at Apple data even more easily than if it was stored on iCloud. Note well: the fact that Apple hasn’t produced the mod needed to do this (publicly), doesn’t mean that its not possible right now; and it may even be happening. But Apple wants to maintain the illusion that it can’t.
Put another way, it’s easy enough to bypass the locks on a front door. You just need a large enough sledge hammer. Doubt this? Look at the footage of a police raid taking place – a few burly coppers with a battering ram and it’s open in seconds. Apple is selling locks and trying to pretend there’s no such thing as a sledgehammer.
So why, might one ask, don’t the US authorities stop messing around and get the court order enforced? Are they really scared of Apple?
What’s really worrying about this situation is that “civil liberties campaigners” and some corporate America is rushing to put out statements in Apple’s defence. In other words, big business reckons it’s above the law made by the people using a democratically elected government.
Grant Shapps – need for speed?
People (e.g. the Guardian) are clearly out to get Grant Shapps MP, and given their bias you can see why. But he’s not helping with the publication of his recent report, which he and British Infrastructure Group of MPs have wittly titled “Broadbad” (PDF format).
It’s calling for Openreach to be made independent of the remainder of BT, in order for the public to get the “super-fast” broadband we need if we’re not to revert to the stone-age. They claim that BT has wasted 1.7Bn on rolling out this technological artery to rural areas, yet 5.7M household’s don’t have the “minimum required” speed of 10Mb.
I say wrong, wrong and wrong.
First off, Openreach hasn’t received 1.7Bn for the rural broadband project. It’s only received about a third of that, and it’s a project in progress.
Secondly, I’d dispute that 5.7M households have yet to be connected. This is based on an old Ofcom report using figures available before the project got under way.
Thirdly, the case for 10Mb+ Internet connections to homes h as not been met. It’s justified because the UK will “lag behind” countries like Japan and South Korea. So what?
The UK lags behind the USA in gun crime; should we therefore relax restrictions on firearms ownership? “Lagging behind” per se does not matter a jot. Their justification as to why we need higher speeds amounts to “Ofcom have shown that as consumers get better download speeds, they consume more data”. No sh*t, Sherlock!
So what is this data people are consuming? Basically Netflix. Only video has the “need” for high throughput Internet connection, and although this might help the bottom line of OTT media providers, it’s hard to see any other economic benefits to anyone.
According to the report, Spain also has faster connections than our unlucky punters; so if they’re trying to correlate domestic broadband speeds with economic virility, they’ve shot their fox.
As I’ve said before, the whole concept is insane. Streaming video requires about 2Mbps. How many streams does a household need?
Most other high-usage domestic customers are, basically, pirating media. They need fast upload speeds for that, which aren’t really mentioned in the report. Why should the public purse be subsidising either OTT operators or pirates?
A few weeks ago I tackled someone from the Home Office about this crazy idea, and the reasoning behind it was more cynical than I thought. It’s only one civil servant’s opinion, but my contact has a pretty good idea about how government really works.
Consider all the infrastructure projects we could be working on; things that would benefit the country. There’s road and rail networks (HS2 is a drop in the ocean), the national grid, water supply and sewers. How about a sustainable transport network, as it’s a certainty we’re going to need one. All these cost serious money, with the exchequer hasn’t got. But the government has to be seen to be investing in infrastructure. The cheap option is to roll out mad-speed Internet. They can claim it’s needed for business; voters have no idea what a megabit of data can actually be used for. And the public want it. They don’t need it, but that’s not the point. They want it.
If you tell Mondeo Man his broadband is lagging behind the Spaniards, he’ll want something done about it. (If you tell him to wire up the house properly instead of using WiFi, it’d be in one ear and out the other.)
So, by making a fuss about broadband speeds and then demanding action from BT, and throwing relatively little money about, the government can look like it’s dealing decisively with a pressing issue.
As for Mr Shapps, he claims to have been in the Internet business before becoming an MP. He should know better, but it turns out he had a web development company so probably doesn’t know the difference between a kilobit and a megabit either. If only he’d asked.
How people get around the Netflix and iPlayer proxy block
Earlier this month at CES, Netflix’s chief product officer Neil Hunt stated that his company’s policy on subscribers accessing content over a VPN remained unchanged. That’s to say that they ask customers not to do it, as it can bust licensing restrictions on content. Neflix is probably the largest provider of streamed TV programmes around the world, now operating in a claimed 190 countries.
I’m not a fan of Netflix – they’re big campaigners for “Net Neutrality”, meaning that all content must be treated the same and ISPs can’t charge more or slow down particular traffic. As their content is not for the public good, and yet accounts for about 40% of the world’s public Internet traffic, they would say that, wouldn’t they? As media organisations such as the BBC (iPlayer) are in the OTT game, the fact that this is a business model where the bulk of the costs are paid for by all Internet users whereas the profits go to the streaming service is not generally mentioned in the popular press. In other words, they profit from the ISP’s investment without contributing anything back. Amazon Prime is another good example.
Anyway, the content that Netflix streams is licensed from content producers, who have good reasons for licensing it on a geographic basis. A TV programme broadcast in one country becomes harder to sell to networks abroad if it’s already available via streaming, and upsetting the status quo won’t be good for content producers. This will leading to less investment in good programming. Netflix is “campaigning” to change this, as though the public, including its customers, have some kind of rights that are being denied. It would, of course, help Netflix’s commercial interests if regional licensing didn’t exist – at least short-term.
That aside, I was amused to see that Neflix’s latest pronouncement, in a company blog post by David Fullagar (VP of Content Delivery Architecture) a week after the CES announcement, that it would now be clamping down on its customers use of proxies or VPNs to smuggle streamed data across boarders. One might surmise that the content providers, many of whom are also local broadcasters, didn’t appreciate Neil Hunt’s complacent sounding comments. The status quo he was defending was basically an weakly enforced contractual prohibition on its customers streaming through a proxy. A actual enforced ban would result in a loss of revenue to Netflix, or if you’re less cynical, would go against the company’s stated aim of “all content free to all (subscribers)”.
But in spite of the soothing words to calm the outrage of its content suppliers, what can Netflix actually do about this? How do you block your customers using a VPN?
It seems to me that it’s impossible to tell whether you’re sending UDP packets to an IP address that’s actually a VPN. It can’t be done. There can be any number of endpoints behind one IP address (an asymmetric NAT LAN), and any number of VPN connections to who-knows-where. And they’ll all appear as one IP address, and the traffic will be indistinguishable.
So how do streaming companies block VPNs now? By having a list IP addresses used by published ones, and that generally means commercial ones. Okay, that might work for the public/commercial VPNs. I shan’t be shedding too many tears if they’re blocked, because they’re making money out of license-busting, which is wrong.
But consider this. Supposing you pay the BBC for a TV license but live abroad for part of the year. You have a moral right to view the content you’ve paid for, and could do so using iPlayer. The only problem is that iPlayer may detect you’re outside the UK by your IP address, and stop you. The solution? Put a proxy server on the network in your house in the UK and connect to it when you’re abroad. I have evidence that this happens a lot.
This can also be done immorally. People in one country with relatives living abroad can set up such a proxy for their friends and relatives to use, and Netflix will be none the wiser. Even if Netflix did suspect an IP address of having too much traffic, what could they possibly do about it? Contact the owner and investigate? How would they even find the owner?
Many ISPs use dynamic addresses in order to charge more for a static one to business customers, with the effect that you don’t know who’s using what IP address today. If you do find a suspected VPN, tomorrow it’s IP address will have changed to one of millions, all used by normal domestic customers.
Finding the many small, private VPNs is going to be impossible. One method might be to probe an IP address to see if a VPN port was open. This is no proof that it’s in use, and no proof that it’s not used for one of the many purposes that a VPN was designed for. And even if they were to try it, it’s simple to restrict access to the VPN ports to your friends abroad. And besides, probing an IP address for an open port without permission is illegal.
The only other method I can think of that would work is to examine the traffic to/from an IP address and see if there’s a correlation between outgoing packets and incoming data from one of Netflix’s servers. But Netflix can’t do that; only an ISP has the technical ability to examine traffic on a particular subscriber’s line. And those are the ISPs that Netflix is abusing by loading them with 40% of their traffic without contributing to the cost. Good luck with that.
The Force is Strong in George Osborne
George Osborne, Chancellor of the Exchequer, has an exit strategy from politics. Rather than being employed as a consultant in the city, his career will revolve around making appearances and selling autographs at sci-fi conferences.
How do I know this? Read the credits for “The Force Awakens”. He’s mentioned there, unambiguously, as “George Osborne, Chancellor of the Exchequer”. It probably only appears on the UK release though.
New Nominet Registrant terms
If you have a domain name ending in .uk it’s probably administered by Nominet (exceptions being .gov.uk etc). Nominet is a not-for-profit outfit set up in 1996 to manage UK domain names as the Internet expanded. Unlike certain other countries, our domain registration service as traditionally operated for the benefit of Internet users, which is as it should be.
Right now Nominet is holding a public consultation on changes to the terms and conditions for anyone registering a domain name. It’s mostly sensible stuff, like dropping the need for a fax number. But there are a couple of changes that do worry me.
First off, there is a provision in the old terms that if Nominet changed the T+C of the contract once it had started, the owner of the domain could cancel and get a refund. This is only fair; people registering direct with Nominet could be paying hundreds of pounds in advance and you can’t change the rules of the game once it’s started without consequences.
The plan is to drop this provision, with the apparent stated justification that they can’t remember anyone ever invoking it. Lack of use doesn’t mean the provision is wrong; it simply means that they haven’t upset anyone with a change in T+C enough to make invoking it necessary. One likely reason for this is the requirement for a public consultation before changing the T+C’s.
The second problem is that they want to drop the need for a public consultation before changing T+C. This is all in line with “industry practices”, apparently.
Hang on Nominet, what have industry practices got to do with you? You’re not an industry; you’re a service run for the benefit of, and paid for, by Internet users in the UK. Other countries have domain registration services run on commercial lines, for the benefit of shareholders, and the last thing you should do is follow suit on their sharp practices. So why ask for permission to do so?
Nominet has been a beacon of how the Internet should be run, setting the highest standards in fairness and transparency. It should continue this way by setting an example of the highest standard.
Eroding the power of the stakeholders may be convenient from an operational point of view, and doing things properly may cost money (not something Nominet is short of). Dropping these awkward provisions may seem like a good idea at first glance. But for the sake of the wider picture, eroding the rights of domain owners would hardly be their finest hour. Unless, of course, the public consultation tells them to back off!
Here’s a link to the consultation. If you’re in the UK, your views count.
Governments’ hacking fantasies
It’s silly season again.
Yesterday George Osborne warned that Islamists were tooling up and planning deadly cyber-attacks against the UK, targeting critical systems like ATC and hospitals, as he announced government spending on countermeasures would double from about £200M to £400M a year. Mr Osborne shown a rather tenuous grasp of technology in the past, and I fear he’s been watching too many Hollywood movies when forming his current opinion.
I know a bit about ATC, and the chances of a jihadi disrupting NAS over the internet are slight. Damaging aviation is much easier by more direct means.
Likewise, while I have little time for the design of NHS computers systems, even they’d be hard to seriously disrupt. So difficult that it really wouldn’t be worth the bother. If you want to knock out a hospital, blow up the generators and electricity feed – it’s obvious. About the only systemic damage you could do remotely would be to mess up central databases, but these seem to get messed up regularly anyway, and the world goes on.
But this seems positively sane and sensible compared to today’s report from the “US-China Economic and Security Review Commission”. They’re all exercised about those nasty Chinese guys pinching trade secrets by hacking in to US companies and their government agencies. I’m sceptical about the idea that the Chinese government is behind this, and the Commission has weakened the credibility of their claims with their suggested response to the activity:
Yes folks, their suggestion is that Americans hack in to the Chinese systems and steal back or delete the stolen data. How exactly does one steal back data? And do they really think it’s possible to locate, identify and delete stolen data found in a foreign country. Deleting all copies of data from a local system is hard enough, and if the IT department knows its stuff, it’s impossible as it won’t all be on-line.
Whilst there’s plenty of evidence that people in China, and possibly the military, are engaged in cyber-espionage, this idea reads like the plot of another Hollywood movie of the type George Osborne seems to have been watching. Everyone in the security world knows that the majority of criminal activity on the Internet actually comes from…. the USA. This doesn’t mean the US government is behind it – by the sound of the advice they’re getting, they wouldn’t know how.
People like me have been saying that cyber-crime is (going to be) a big problem for many years now, and I welcome governments waking up and taking it seriously at last. The private sector has done spectacularly badly, as the money is in the superficial stuff, and real security gets in the way of profits. It’s just a shame that governments have woken up and are groping groggily around in the dark.