No talk from TalkTalk

Charles Dunston’s budget ISP TalkTalk has been hacked again. Yawn. This time it’s big news on TV; the headline story in fact. Their website has been KOed for a couple of days, but it’s back online with a front page showing a different news agenda. They get their feed from AOL (also part of the Carphone Warehouse family), who probably just missed the kerfuffle; there’s no celebrity connection after all. Not yet, anyway.

If you’re a TalkTalk retail customer (or possibly a business customer – who knows how their systems interrelate and what data’s been pilfered), and you’ve used the same password with TalkTalk as any other sites, change your password on those sites NOW. The popular media is full of speculation as to what’s been compromised but they’re not mentioning passwords, presumably because TalkTalk will have told them that any passwords would have been encrypted. But if the criminals have got hold of the hashes, which is likely, it’s only a matter of time before they crack them.

How worried should customers of other ISPs be? Pretty worried, as on the serious side of the business they’re known as Opal Telecom, a significant LLU operator providing the link between the last time and the data centre for a large number of Broadband providers.

I can, of course, only speculate as to why this keeps happening to them. One reason might be related to several conversations I’ve had with people from ISPs TalkTalk has taken over along the way. Apparently they really don’t like hard stuff like UNIX/Linux, and within months of a takeover they force a switch to Microsoft before making all the UNIX people redundant. Any fool can use Microsoft – low levels of technical understanding are required, meaning cheap engineers and lower costs. But do their Microsofties actually know what they’re doing? I dare say that some of them do, and some of them don’t. But the bar for a point-and-click Microsoft house going to be lower.

David Cameron on Google Porn

I’ve been watching with dismay David Cameron’s statements on the Andrew Marr show at the weekend; he’s attacked Google and other big companies for not blocking illegal pornography. Let’s be clear: Google et al, already do, as far as is possible. The Prime Minister is simply playing politics, and in doing so is exposing his complete lack of understanding about matters technological and social.

It’s not just the coalition government; Edward Miliband trumped him in stupidity by saying that the proposed plans “didn’t go far enough”, which is his usual unthinking response to anything announced by the government that’s might be popular.

Cameron’s latest announcement is to force ISPs to turn on “no porn” filters for all households (optionally removed, so it’s not State censorship). I’d be fascinated to hear him explain how such a filter could possibly work, but as my understanding of quantum mathematics isn’t that good it I may yet be convinced. Don’t hold your breath waiting.

The majority of the population won’t be able to understand why this is technical nonsense, so let’s look at it from the social point-of-view. People using the Internet to distribute child-abuse images do not put them on web sites indexed by Google. If Google finds any, they will remove them from search results and tell the police, as would everyone else. Paedophiles simply don’t operate in the open – why would they? They’re engaged in a criminal activity and don’t want to be caught, and therefore use hidden parts of the Internet to communicate, and not web sites found by Google!

Examining the illegal drugs trade is a useful model. It’s against the law, harmful and regarded as “a bad thing” by the overwhelming majority. The police and border security spend a lot of time and money tackling it, but the demand remains and criminal gangs are happy to supply that demand. So how successful has 100 years of prohibition been? Totally ineffective, by any metric. With 80% of the prison population on drugs IN PRISON it should be obvious that criminals will continue to supply drugs under any circumstances, if there’s a demand. If anything, proscribing drugs has made it more difficult to deal with the collateral effects by making the trade and users much more difficult to track.

So, if we can’t stop drugs (a physical item) getting in to prisons (presumably amongst most secure buildings in the country) , does anyone seriously think it’s possible to beat the criminals and prevent illegal porn being transmitted electronically to millions of homes across  the country? David Cameron’s advisors don’t appear to have been able get him to understand this point.

Another interesting question is whether I should opt to have the porn filter removed from my connection. The only way such a filter could possibly be effective is if it banned everything on its creation, and then only allowed what was proven safe through. There are generally considered to be over 500 million web sites out there, with 20,000 being added every month. That’s sites; not individual pages. The subset that can realistically be examined and monitored to make sure they are safe is going to be quite small, and as a security researcher, I need to retrieve everything. So am I going to have to ‘phone my ISP and say “yes please, want to look at porn”? Actually, that won’t be a problem for me because I am my own ISP. The government doesn’t even know I exist; there is no register of ISPs (or even a definition of the term). There are probably tens of thousands in the country. So I shall await a call from Mr Cameron’s office with a full technical explanation of this filtering  scheme with interest.

Fortunately for the Prime Minister, his live speech on the subject scheduled for 11am has been displaced by a load of royal reporters standing outside a hospital and Buckingham Palace saying “no news yet” on the supposed imminent arrival of the Duke and Duchess of Cambridge’s first child.