This evening I went to a well attended informal meet-up in Islington of #GamerGate supporters. This proved to be very interesting indeed, hearing what by any reasonably definition were ‘libertarian’ views about tolerance and objective truth being widely trumpeted, but being agreed on by people from a broad section of the political spectrum. I listened to a thoughtful self-described left-winger deliver an angry critique of the Guardian, not just their contra-evidence based reporting of #GamerGate, but also the deeply intolerant culture being propagated there. It appears such folks are not just shocked by what they see, they are serious pissed off by the ‘Social Justice Warriors’ doing it. The very rationally argued animus was palpable.
It seems clear to me that over the eight months #GamerGate has been going on, it is now leading diverse people to re-evaluate long standing social and political views and alliances. An articulate young lady I spoke with said she has lost friends over this, and now saw certain people very differently. Even if #GamerGate was over tomorrow (fat chance), there has clearly been a tectonic social event, and the aftershock is going to be felt for quite some time. New and very spontaneous networks are forming and it will be interesting to see where this leads.
As the world is ever more wired together, so too are the threats. So if Russian security companies like Kaspersky cannot be trusted when it comes to Russian state spying, and US companies like CrowdStrike and FireEye cannot be trusted when it comes to US state spying, seems to me that companies based in places like Finland, Switzerland or India might actually be able to parley that into a meaningful competitive advantage.
I anticipated something along those lines for quite some time myself.
The Internet is working well, so it’s not obvious that the FCC needs to help it. American companies own 10 of the world’s 15 largest websites (Google, Amazon, and Facebook to name an obvious few); the United States has greater access to advanced cable and fiber networks than any large country except Japan; it was the first to deploy advanced 4G/LTE mobile networks; it has more smartphones than anywhere else in the world; and it exports more digital goods per capita than any other nation.
These facts are indisputable, so they’re simply disregarded by the Internet regulation advocates campaigning for net neutrality. Among the arguments they use to make their case are that some foreign cities and small nations have built extremely speedy residential networks; many of these offer Internet services for a fraction of U.S. prices; rural American communities have slower and less reliable networks than cities do; and many older people have no interest in venturing onto the Internet at any price.
A core problem with these arguments is that they are, in truth, unrelated to net neutrality.
The FCC says it’s not passing new rules in hopes of improving the Internet but to preserve it as it is with “light touch regulations.” The agency is taking action because courts have voided all but a sliver of its three previous sets of rules. And President Obama raised the stakes by publicly urging the FCC to impose the “strongest possible rules” on the Internet to fill the regulatory vacuum.
– Richard Bennett
“Oh cool, lets drag this fascinating item of modern art inside our gates!
After all, we are technically savvy guys and not credulous fools.
What could possibly go wrong?”
It appears the government in Hungary wants to ensure than there is essentially no significant IT sector within their borders, with all the knock on joys to a modern economy that will bring.
Hungary’s government plans to levy a new tax on Internet data transfers, according to the draft 2015 tax bill submitted to parliament late on Tuesday, which could hit Internet providers and the country’s telecommunications companies.
The draft tax code contains a provision for Internet providers to pay 150 forints (60 US cents) in tax per gigabyte of data traffic, but would also allow companies to offset corporate income tax against the Internet tax.
To tax data is like subsidising idiocy by taxing insight. All states do amazingly stupid things but this one is a real doozy.
In a comment on my previous post, Mastiff wrote, “It is easier for me to buy stock in Microsoft than it is for me to buy equity in my friend’s clothing design business down the street, thanks to the state of securities law. So which will I tend to do?”
Which is a very good point indeed, and something I had not really considered that now seems obvious. It is just another way that large incumbents can use the state to stifle competition.
However, I have not read the Financial Conduct Authority’s policy statement on crowd funding, but there do seem to be some interesting ways of investing in small companies. Have a look at Abundance Generation, Seedrs, Bank To The Future and Crowdcube.
In the USA, there was the Jumpstart Our Business Startups Act, and Rock The Post offer startup investing.
Is this the start of something world-changing, or is it set to be stifled by too much regulation?
The Heartbleed bug is one of the more serious computer security vulnerabilities I have seen. It was discovered yesterday and is just starting to hit mainstream media now, so I will summarise my understanding of it.
It affects some web sites that use HTTPS secure connections. The purpose of HTTPS is, among other things, to encrypt data sent between your computer and the web server, so that anyone who sees the data in transit across the internet cannot read it. So it is used whenever you log in to a web site or enter personal information. You know you are using it when your web browser displays a little padlock icon somewhere.
The bug is in a software library that implements HTTPS, called OpenSSL. Not all web sites use this library, but many do. The bug affects certain versions of the library. Importantly, though, the bug has been in the library since December 2011, and has only recently been detected and fixed.
During this time, an attacker who knew about the bug could send a request to a web server, and get back some random information from the server’s memory that should not be public. This information could be almost anything known by the web server software. It is a lucky dip: the attacker can not choose what information he will get. Importantly, though, it can include server certificates, and user names and passwords of the web site’s users.
Having obtained a certificate, an attacker could spy on data transferred from the user to the web site, including passwords and any information entered. This is not trivial, but can be quite easy in certain circumstances. For example, anyone can sit in a coffee shop and intercept WiFi traffic of other customers using WiFi in the shop, but they will only get information about the other coffee shop customers. On the other hand, the NSA can presumably spy on all data sent to any web site. There will be attackers with levels of sophistication between these extremes. Normally a web browser will shout warnings at you if a HTTPS connection has been intercepted. Having a web site’s certificate enables an attacker to silence such warnings.
User names and passwords can also be obtained directly using the Heartbleed bug. This only happens on certain web sites, and the details retrieved are random. It is not possible to quickly obtain all details of all users. Rather, every time the attack is made, one or two users’ details might be revealed. That said, the attack can be repeated, and in two years it can be repeated a lot. So a determined attacker could gather details of many people in this time. This is real. Users on Reddit were claiming to have seen Yahoo Mail passwords as recently as a few hours ago. Right now, Yahoo Mail is fixed.
So what can you do? Realise that you are affected, but don’t panic. There is a very good chance none of your details have leaked. You can not be certain, but you already were not certain. There are likely many more security holes that are not yet common knowledge. However, on services that you have particularly sensitive information, it would be wise to first check that the bug has been fixed, and then change your password.
You can check if the bug currently affects a given service with an online tool. If the service is at all high profile, it is a fairly safe bet that it is already fixed. But you can not tell if your details or a service’s certificate have been leaked in the past. Unless a service takes action, credentials and certificates obtained in the last two years can still be used by attackers to log in or spy on communications. Hopefully web administrators will communicate whether they have been affected and whether they have changed their certificates, so watch for announcements.
When you change your passwords, now is a good time to stop using the same password for every service you use. Start using a password manager such as LastPass, 1Password or Password Safe. All of these are acceptably safe in my opinion, but there is some interesting discussion on this topic. The great thing is that a password manager will generate a different, random, impossible to guess password for each site you use, meaning that if someone does find out your password to one service, the damage is limited to that service.
If a service offers two factor authentication, where you use a smartphone app which generates an ever-changing code, use that, because it means knowing your password alone is useless to an attacker.
If you run a web server that uses HTTPS and handles users’ information, educate yourself, upgrade, and inform your users.
More generally, if you can possibly arrange to live your life under the assumption that everything you have ever done on the internet could become public knowledge tomorrow, you could save yourself a lot of trouble. Keeping secrets is hard.
The government lost the crypto-wars. Crypto is now freely available, but in a sense they won because there are so many ways at people’s data that bypass the cryptography. What we’re learning from the Snowden documents is not that the NSA and GCHQ can break cryptography but that they can very often render it irrelevant… They exploit bad implementations, bugs in hardware and software, default keys, weak keys, or they go in and break systems and steal data.
– Bruce Schneier
There is an interesting article in the Guardian titled US and UK spy agencies defeat privacy and security on the internet:
- NSA and GCHQ unlock encryption used to protect emails, banking and medical records
- $250m-a-year US program works covertly with tech companies to insert weaknesses into products
- Security experts say programs ‘undermine the fabric of the internet’
The second point is to me the most interesting as it suggest that open source is really the only way to fight back against this and as a result, I fully expect Open Source to eventually become illegal in the more panoptic parts of the world.
The first point however will be the driver of effective and widespread counter measures. The internet is simply too important to too many economic interests to allow the US and UK governments to have the ability to embed what will be catastrophic weaknesses in its underpinning architecture
The spooks are not stupid. There are two ways they can respond to this in a manner consistent with their current objectives. They can try to shut down the press — a distinct possibility within the UK, but still incredibly dangerous — or they can shut down the open internet, in order to stop the information leakage over that channel and, more ambitiously, to stop the public reading undesirable news.
I think they’re going for the latter option, although I doubt they can make it stick. Let me walk you through the early stages of what I think is going to happen.
In the UK it’s fairly obvious what the mechanism will be. Prime Minister David Cameron has thrown his weight behind mandatory opt-out porn filtering at an ISP level, to protect our children from a torrent of filth on the internet. (He’s turned to Chinese corporation Huawei for the tool in question.) All new domestic ISP customer accounts in the UK will be filtered by default, unless the owner opts out. There’s also the already-extant UK-wide child pornography filter operated by the Internet Watch Foundation, although its remit is limited to items that are probably illegal to possess (“probably” because that’s a determination for a court of law to make). And an existing mechanism — the Official Secrets Act — makes it an offense to possess, distribute, or publish state secrets. Traditionally newspapers were warned off certain state secrets by a process known as a Defense Advisory Notice, warning that publication would result in prosecution. It doesn’t take a huge leap of the imagination to foresee the creation of a law allowing for items subject to a DA-Notice to be filtered out of the internet via a national-level porn filter to protect the precious eyeballs of the citizenry from secrets that might trouble their little heads.
On the other hand, the UK may not have a First Amendment but it does have a strong tradition of press freedom, and there are signs that the government has already overreached itself. We’ll know things are really going to hell in a handbasket when The Guardian moves its editorial offices to Brazil …
– Charlie Stross
A comment piece over at the Guardian has compelled me to write my first post on this fair blog. I have been mulling over the idea about writing something about rent seeking and fixed lined broadband rollout in the UK for some time, but BT’s great broadband scam has pushed me over the edge finally.
The Guardian writer blames the market, competition and Margaret Thatcher for the fact that BT has won all of the government contracts to build fixed line broadband in the UK.Though most Guardian writers blame this triumvirate for most things, this writer makes a tenuous link between BT and competition ultimately calling for the renationalisation of broadband in this country. (He sounds much like Susan Crawford over in the US, but that is a post for another time) But what he gets so very wrong about blaming competition for the inability for the government to rollout broadband is that it is BT’s rent seeking behaviour coupled with a centrally planned project that has contributed to the so far unsuccessful UK broadband rollout project called BDUK.
There are so many reasons that BDUK has not succeeded that it hard to know where to begin. But for the purpose of this post it is important to understand that the broadband targets and rules for entering into procurement as a provider changed over the course of the last three years. Initially, the project was to provide next generation access (NGA) to 100% of the UK by 2015 and now it may only succeed in delivering 90% by 2017. Fibre to the home (FTTH) was the initial target and eventually fibre to the cabinet (FTTC) became the final and less optimal solution. The regional areas that divide up the entire BDUK project into smaller, sub-project areas were far too small to achieve economies of scale. The list goes on, but changeable rules against which companies and consortia were to pitch to be on the ‘approved’ list meant only risk and uncertainty for those businesses. In the end only BT survived and thus BT became the monopolist provider.
But if I ran BT I would make sure that I was the only procurer on that list through whatever means possible, including rent seeking. And that is precisely what they did. OFCOM, the telecoms regulator, DCMS, the department responsible for BDUK and BT have a cosy relationship with advisors and consultants making the rounds in contracts and positions among all three. But BT has a massive incentive to ensure that their fixed line broadband network became the only networked used to rollout new broadband services. If other vendors were chosen for BDUK then this old network, made up of traditional copper lines and some fibre, would be completely bypassed thereby rendering the network useless. Quite high stakes if you are that behemoth BT. Even an outsider’s attempt to petition DCMS to include wireless in its definition of ‘next generation access’ failed because it would mean using a new and probably non-BT network. Not allowing wireless as one of many ways to achieve rural broadband access is essentially absurd in this day in age. But the BDUK project stipulated only fixed line Internet access at delivery.
So while we do indeed have competition in urban areas and many rural areas for broadband access services (as most services like TalkTalk rent BT lines at wholesale prices) we have very little competition in broadband infrastructure and that is an important difference. BT has played their cards well in a centrally planned system created by civil servants who have made policy in order to achieve the delivery of fixed line broadband Internet access. No one person is to blame, but through bad policy making, EU regulations, rent seeking by BT, and no comprehensive oversight, we have a project that will be delivered well over time and budget and paid for by the taxpayer. True competition in services, diversified Internet access types, and infrastructure would have delivered far richer choices. Currently BDUK remains Hayek’s worst nightmare.
A new story from The Guardian, barely twelve hours after the last set of revelations: “NSA loophole allows warrantless search for US citizens’ emails and phone calls”.
Yes, this one is indeed far worse than the previous ones, unbelievable as that might seem.
Explaining why to those not following in detail is almost not worth it any longer, however.
A friend of mine long ago coined the term “Outrage Fatigue”, the condition in which so many awful actions by a set of State actors have been revealed that one can no longer hope to track the entire list of their offenses and crimes in one’s head.
I have long since passed that point for the Obama administration in general. Imprisonment without charge, war crimes, coverups, the silencing of whistleblowers and dozens of other acts have become so numerous that I cannot hope to remember them all.
However, I have now passed the point where, even as a putative subject matter expert, I could hope to remember even everything that has been revealed about just this one scandal.
It is painfully clear that the contempt of the Obama Administration and its minions for the rule of law is near total, that their contempt for the truth is near total, and that one’s confidence in anything they say in public whatsoever should be precisely zero.