Archive for category Internet
Smut Filter: The answers
Posted by Zoe O'Connell in Internet on 12 October 2011
From multiple reports this morning, it seems the Big 4 ISPs are not too happy with Camerons announcement of his anti-porn initiative, and he’s made out it’s far more wide-reaching than it is really. But we do have a few answers, courtesy of Slightly Right of Centre (Who first reported on the ISP response), the Telegraph, the Guardian and of course El Reg.
Is it opt-in or opt-out? “Active choice” has been touted – customers will need to answer one way or another, without any default. However, reading between the lines it seems ISPs are (unsurprisingly) leaning towards a more opt-in model and it will not be switched on be default for existing customers.
Who decides what will be blocked? Will the block list be public? How do you appeal? Who can appeal? It’s wide ranging, which is worrying, as we’re told “as well as pornography, parents will be able to block access to gambling and other adult websites.” “Other adult websites” likely includes “things parents might or might not disagree with morally, such as sites to help LGBT youth”. It’s entirely possible that this initiative conflicts with Cameron’s recent focus on forced marriage. If web blocking becomes more widespread, with many options on what can be blocked and no central regulation, those who need help may well be unable to get it as easily.
But every ISP will apparently be using different technology, so it’s possible that there will not be any central block list but the possibility of some sites being blocked on one ISP and not on another with no clear route to resolve issues. With blocks on mobile devices, it is already very hard, if not impossible, to get an inaccurately listed site allowed as there is simply nobody to get in contact with about it. “ParentPort” (Which is a non-government collaboration between various media regulators) is repeatedly mentioned, but that may just be a clearing house for reports.
Who pays? No answer on this one, but it’s sounding like it’ll be the ISPs are going to be funding it – which means a slight increase in Broadband cost for everyone.
How is it going to work technically? According to the Telegraph, Cameron has been accused of “misunderstanding what is technically possible“. So it’s quite possible this hasn’t been figured out yet – more than likely, with secure sites and proxies, the blocks will only stop casual access. This is at least slightly mitigates other problems as anyone that needs help on a topic may be able to get around the filters.
Smut filter: The unanswered questions
Posted by Zoe O'Connell in Internet on 11 October 2011
“Confusion reigns” over the new proposal to filter internet access, because it has not been properly announced yet. Or, more likely, because it’s not been properly thought out. What we do know is that we know very little, but that’s OK because that well known technical expert, David Cameron, will be telling us all about it “later today”.
Is it opt-in or opt-out? Opt-out, i.e. switched on by default, is clearly a bad thing. The big four ISPs involved in this seem not to know themselves, but commercial pressures will tend towards it being opt-in only. Filtering costs money, and there are very small margins in the retail ISP industry.
Who decides what will be blocked? Someone has to make some policy decisions on what is acceptable – is what going to be the government or ISPs? Do we block just hard-core porn? What about page 3 images? Sites linked to terrorism? Sexual health sites? Sites accused of providing access to copyrighted material? Sites for dealing with LGBT issues, domestic violence, forced marriage… the list goes on. This is a big issue, because of the danger of further marginalising certain groups. What is acceptable content to one group is not acceptable to another.
Who pays? If it’s free, then you are effectively paying a tax on your unfiltered broadband service in order to subsidise those who do want filtering. Or will there be government money for this?
Will the block list be public? If a site ends up on the list without intending to, because of one image, will they be notified? This happened to Wikipedia with the IWF kiddy porn list, because of differences of opinion in what constituted child pornography, but the IWF list is not public.
How do you appeal? Who can appeal? Another messy area. Your site ends up on the block list, what now? Is there a presumption of removal until it’s shown it’s definitely infringing? For commercial sites, being blocked for even a few days could send them out of business. What if it’s a foreign site, does the site owner need to appeal or can anyone do it?
How is it going to work technically? We already have the IWF child porn block on many ISPs, but that is only intended to stop accidental, casual access. It’s trivial to bypass. If a site switches to secure connections (HTTPS) what then? Or connections on ports other than the default web port? Will whole sites be blocked or just the specific image or page that’s a problem? What about proxy sites? I’d expect well-advertised proxy sites and software to spring up the moment any filtering system goes live. “No dear, I’m not looking at porn online. How can I, we have a filtered connection!”
I don’t expect these to get answered today of course, because from the reactions of the big four ISPs it appears that this hasn’t been thought through.
Hi-tech policing during the riots
Posted by Zoe O'Connell in Internet on 17 August 2011
In an age where the police have powers to force telecommunications companies to hand over data and install interception equipment in their networks… where we spend vast amounts of money maintaining listening posts… on an operation where apparently even MI5 were involved…
Just how did the police crack the various BlackBerry Messenger groups used to coordinate the riots?
According to The Times: (£)
Scotland Yard said yesterday that it had picked up conversations on the BlackBerry Messenger (BBM) system after confiscating phones from arrested troublemakers. Police were then able to access the instant messaging network and respond to the more credible threats being circulated
Modern policing at it’s best. The best encryption available isn’t going to help if you have your collar felt by the old bill and they simply read what’s on your phone!
Updated Google privacy data: UK now “only” 2nd most snooped on
Posted by Zoe O'Connell in Internet, Liberty on 27 June 2011
A while ago, I produced a per-capita analysis of the Google privacy data showing that the UK, per citizen, is the most snooped on country – there were more requests per person in the UK to Google than any other country. More up to date data is now available, for July to December 2010, showing that the UK is no longer the most snooped on – we’ve dropped to second place. Singapore does not appear in the January to June data but no reason is indicated for this.
(Note: Previous positions in the table below are based on latest data from Google. Some countries did not have data available at the time the previous blog post was compiled, so those numbers do not match)
| Population | Previous position | Requests per Million (Jan-Jun) | Requests per Million (Jul-Dec) | |
| 1. Singapore | 5,076,700 | 5th | 20.9 | 23.2 |
| 2. United Kingdom | 62,008,049 | 1st | 40.5 | 18.7 |
| 3. France | 65,447,374 | 3rd | 28.5 | 15.6 |
| 4. Australia | 22,469,943 | 6th | 15.8 | 15.4 |
| 5. United States | 310,314,000 | 4th | 25.4 | 14.8 |
| 6. Italy | 60,402,499 | 6th | 19.9 | 13.9 |
| 7. Germany | 81,802,257 | 13th | 5.6 | 9.4 |
| 8. Brazil | 193,549,000 | 2nd | 31.5 | 9.3 |
| 9. Portugal | 10,636,888 | 10th | 6.9 | 8.6 |
| 10. Belgium | 10,839,905 | 11th | 6.5 | 7.8 |
And no real surprises in the removal requests category either as Lybia is still an order of magnitude ahead of every other country. The United States, home of free speech, drops out of the top 10 completely down to number 13 while the UK stays up at number six.
| Population | Previous position | Removals per Million (Jan-Jun) | Removals per Million (Jul-Dec) | |
| 1. Libya | 6,546,000 | 1st | 22.8 | 10.4 |
| 2. South Korea | 49,773,145 | 5th | 2.0 | 2.8 |
| 3. Germany | 81,802,257 | 2nd | 3.8 | 1.4 |
| 4. Brazil | 193,549,000 | 3rd | 3.6 | 1.4 |
| 5. Italy | 60,402,499 | 4th | 2.1 | 0.8 |
| 6. United Kingdom | 62,008,049 | 6th | 1.7 | 0.6 |
| 7. Argentina | 40,518,951 | 8th | 1.3 | 0.5 |
| 8. Switzerland | 7,866,500 | 13th | 0.6 | 0.5 |
| 9. France | 65,447,374 | 3rd | 0.5 | 0.4 |
| 10. Spain | 46,072,834 | 9th | 1.0 | 0.3 |
A refreshing change to copyright takedown notices
Posted by Zoe O'Connell in Internet on 27 June 2011
From time to time (OK, pretty much constantly – hundreds every month) we get copyright takedown notices from rights holders. We don’t do anything about them, we’re not their enforcement arm, but a handy little script automatically forwards them on to our customers via email. Most of them are of the form “WE’RE GOING TO SUE YOU UNLESS YOU STOP THIS RIGHT AWAY! Although, we may sue you anyway” wrapped up in some opaque legalese. So, it’s refreshing to have seen the following go past over the weekend:
Recently BayTSP detected an infringement of TV TOKYO Medianet Inc.’s copyright interests on your IP address. TV TOKYO Medianet Inc. appreciates that you enjoy their anime and hopes you can support them and the original creators directly by watching their programs at http://www.crunchyroll.com/watchbleach where they are making a strong effort to provide their content legally.
Supporting the content legally ensures that TV TOKYO Medianet can continue to broadcast more of the high quality anime which you crave. Crunchyroll.com gives anime fans access to the anime they want as soon as possible, allowing fans to watch episodes of their favorite series as they premiere in Japan. TV TOKYO Medianet urges you to show your support by going to the website below and watching content legally.
http://www.crunchyroll.com/watchbleach
TV TOKYO Medianet appreciates your interest in their anime and hopes you continue to be a fan.
Hopefully we’ll see more of the same in future, to my mind it’s a much more constructive approach than the usual one. (Oh, it then launches into the standard BayTSP WE’RE GOING TO SUE YOU UNTIL YOU BLEED legal language, but you can’t have everything. Most people probably don’t read that far down.)
Travelodge web site hack update
Posted by Zoe O'Connell in Internet on 23 June 2011
There’s been a few developments related to my earlier post about the possible Travelodge compromise. Firstly, it’s been covered by The Register so is attracting some interest. Travelodge themselves have also confirmed via Twitter that they haven’t sold any data, which makes it pretty clear they’ve been broken in to.
I’ve also had a reply from the CEO of Travelodge. It’s a bit light on content:
Thank you for your email regarding spam e-mail you have received. I am sorry you have had the need to write to me, but appreciate you bringing this to our attention.
Please be assured we are taking this matter most seriously. I attached a copy of a letter to our customers, for your information.
It’s not clear who the letter has or is being sent to, but it was included as a PDF and the text reads:
Our main priority is to ensure the security of our customers’ data, which is why I wanted to make you aware, that a small number of you; may have received a spam email via the email address you have registered with us.
Please be assured, we have not sold any customer data and no financial information has been compromised.
All financial data (including credit card information) is compliant with current best practice standards and is audited to PCI (Payment Card Industry) requirements.
The safety and security of your personal information is of the upmost importance to us and as a result we are currently conducting a comprehensive investigation into this issue.
If you receive an email similar to the one detailed below, please delete it as spam.
They’ve included a copy of the original spam – I’ll not reproduce it here. The letter closes:
If you have any questions regarding this matter please email: andrea@tra…dge.co.uk. A
further update will be given, when we have completed our investigation.
At least they’ve responded quickly to this as companies can often take days or weeks. The lack of any detail is understandable, given that it’s still early days and they probably don’t know what happened themselves yet – but then, how can they give us assurances that financial data is safe if they do not know what happened…? The mention of PCI is a little superfluous, given that PCI-DSS is the baseline standard required by banks before you’re allowed to handle any credit card information. It’s no guarantee of security.
@PogoWasRight is on the right track, asking Travelodge: “Do you handle email marketing in-house or do you outsource to an email service provider? If the latter, who?”. We’ve seen cases of email marketing providers getting themselves broken into recently and Travelodge may be another in a long list.
Travelodge UK compromised?
Posted by Zoe O'Connell in Internet on 23 June 2011
Yesterday I received a spam email. Not unusual, but note the destination email address:
Subject: Zoe OConnell
Date: Wed, 22 Jun 2011 10:58:33 -0400
From: Lorraine Ackerson @lt;lorraineackersonas113@hotmail.com>
To: <zoe-travelodge@****.co.uk>Greetings.
Don’t miss exciting business chance.
Reputable agency is looking for energetic worker in United Kingdom to help us expand our activity in the UK sector.Necessity:
- 18+ United Kingdom resident
- Only operational knowledge of Internet & computer.
- Free access to personal e-mail box
- 2-3 free hours per day
- Fast replies on our written tasks
- Excellent organizational skills.You can without problem combine our work with your primary work.
Great income potential. Free study possible.
Applicants must be honest and commerce motivated. Operate only few hours per day.
Everyone located in the United Kingdom can be our representative.
Our manager will e-mail you within few hours if you attracted.—————-
Top News: taylor honored for boosting antelope island.
Note that it’s zoe-travelodge@… (You can guess what the full email is but I don’t want to make life too easy for spammers to harvest addresses) My mail system ignores anything after the dash and just puts it all in my mailbox, so that I can filter mail by source more easily and also spot who has been selling email addresses.
The spammers also knew my full name. And I’m not the only one in this position as several other users on twitter have complained of the same thing. I’ve just emailed the Chief Executive of Travelodge, Guy Parsons, (Hat tip to @benjymous for finding his details) to ask exactly what was stolen:
Dear Mr.Parsons,
Yesterday, I received spam email to an email address that has only ever been used to register on the Travelodge site. This was clearly not just someone making up random addresses as the email was specifically to zoe-travelodge@****.co.uk and the spammer knew my full name. I am not the only one to have experienced this as since last night at least half a dozen other people who also use unique addresses for registering on web sites have complained about exactly the same situation on Twitter.
It would appear likely, unless Travelodge are in the habit of selling on personal details to unsavoury third parties, that your site has been compromised. I would be grateful if you could confirm that this is the case and also what other details were stolen so that those affected can take appropriate action – was this just names and email addresses or were payment details and postal addresses compromised too?
I shall let people know if I get a reply.
Update at 1315: Travelodge UK, via twitter, have stated: “Sorry for the spam email you may have received. We have NOT sold any data. We’re currently investigating this issue and will update you ASAP”
Free sex! (An SEO tip)
Posted by Zoe O'Connell in Internet on 27 May 2011
If you want lots of hits on your blog, try a blog post with “Free Sex” in the title, such as Free sex change and relationship breakup, thanks to the census. It does rather well getting hits from search engines, although perhaps not the kind of audience I usually get…
Mobile phone tracking (without an iPhone)
Posted by Zoe O'Connell in Internet on 21 April 2011
I’m sure many have seen the news that Apple tracks where you go. Actually, it’s not new and Apple aren’t tracking you – your iPhone knows where you are but doesn’t send out the data. A Bad Guy™ would still need to get their hands on your iPhone (Or PC/Mac, with a backup on) to get the data. And if they can gain access to either of those, well, they could just as easily install their own application that will track far more than just location – such as contacts, recent calls and SMSes.
Actually, it’s really not that hard to find out where someone is. If you’re worried about your location, put your phone in “Flight” mode, with the radios off. (This also disables the GPS, due to some slightly odd rules on running GPS receivers on flights)
When the mobile phone networks were built nobody really thought that hard about security. Rather than worrying about centralising everything, SMSes are sent directly from the sending mobile network’s SMS Centre direct to the Mobile Switching Centre (MSC) of the recipient – with one operators MSC typically covering an area the size of a city. This means an operator (In any country worldwide) has the ability to look up the MSC of a subscriber to send them the SMS. If you can figure out which MSC numbers serve which locations… Oops.
There are even companies which offer the lookups as a commercial service, as it can be useful for spammersmarketing departments to know which phone numbers are still valid. And some have gone as far as openly offering the location information as well.
Is that really Yahoo you’re logging in to?
Posted by Zoe O'Connell in Internet on 24 March 2011
A chain is only as strong as it’s weakest link.
That little padlock in the corner of your browser lost a little of it’s security yesterday. It shows that you’re talking to a web site via a secure, encrypted connection and that you’re really talking to who you think you are rather than someone nasty intercepting your username, password and credit card details.
Except that someone has broken in to a reseller account from certificate authority Comodo and generated certificates for several sites, including Google, Yahoo and Skype. And the fake Yahoo one has already been used on the internet, presumably to steal login credentials.
These aren’t fake certificates, so there is no way for your browser to know they don’t really belong to who they say they are. It’s akin to someone stealing the machine used to print money or driving licences and running off some fake ones. Luckily, in this case we know (Or hope we know) the serial numbers of the fake certificates so web browsers have already had patches released to keep an eye out for them, but it’s still illustrated a weakness in the system and it’s not clear how much data has yet been stolen as a result of this attack.
It’s possible the Certificate Authorities won’t be around for that much longer anyway, as a new technology (DNSSEC) could be used to give web site hosts a different way of ensuring their sites are secure and will mean we no longer have to pay a third party to prove to others – or fail to prove, in this case – who we are.
The attack came from Iran, although that doesn’t necessarily mean the attacker was in Iran – it could just as easily been a machine controlled by someone from Russia, North Korea or Peckham, London.
Zoe’s Feeds