From igb at batten.eu.org  Fri Oct  2 17:22:30 2009
From: igb at batten.eu.org (Ian Batten)
Date: Fri, 2 Oct 2009 17:22:30 +0100
Subject: =?ISO-8859-1?Q?Computer_expert_forged_rail_tickets_worth_=A312,4?=
	=?ISO-8859-1?Q?72_over_two_years_|_Technology_|_guardian.co.uk?=
Message-ID: <C82B220F-65C0-487C-9B70-07A5773073AB@batten.eu.org>


http://www.guardian.co.uk/technology/2009/oct/02/computer-expert-forged-rail-tickets

I wonder if he also forged the magnetic stripe, or if he avoided going  
through automatic gates?  Is the stripe signed in any way, or is it  
just an encoding of the front of the ticket?

ian

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.chiark.greenend.org.uk/pipermail/ukcrypto/attachments/20091002/6a8f6b09/attachment.htm>

From benjamin at py-soft.co.uk  Fri Oct  2 17:55:22 2009
From: benjamin at py-soft.co.uk (Benjamin Donnachie)
Date: Fri, 2 Oct 2009 17:55:22 +0100
Subject: =?ISO-8859-1?Q?Re=3A_Computer_expert_forged_rail_tickets_worth_=A312=2C4?=
	=?ISO-8859-1?Q?72_over_two_years_=7C_Technology_=7C_guardian=2Eco=2Euk?=
In-Reply-To: <C82B220F-65C0-487C-9B70-07A5773073AB@batten.eu.org>
References: <C82B220F-65C0-487C-9B70-07A5773073AB@batten.eu.org>
Message-ID: <732076a80910020955l324b302eo46b4a63a08314932@mail.gmail.com>

2009/10/2 Ian Batten <igb at batten.eu.org>:
> I wonder if he also forged the magnetic stripe, or if he avoided going
> through automatic gates? ?Is the stripe signed in any way, or is it just an
> encoding of the front of the ticket?

When I worked for BTP, it was typically just the front of the ticket
that was forged and the user would just wave it in a plastic season
ticket wallet at the gate-line staff.  It is remarkably effective
during peak periods and the main reason why the most gate-line staff
now insist that you take your ticket out and try the automated
barriers first.

Ben


From clive at davros.org  Fri Oct  2 17:59:32 2009
From: clive at davros.org (Clive D.W. Feather)
Date: Fri, 2 Oct 2009 17:59:32 +0100
Subject: Computer expert =?iso-8859-1?Q?forged_?=
	=?iso-8859-1?Q?rail_tickets_worth_=A312=2C47?=
	=?iso-8859-1?Q?2?= over two years | Technology | guardian.co.uk
In-Reply-To: <C82B220F-65C0-487C-9B70-07A5773073AB@batten.eu.org>
References: <C82B220F-65C0-487C-9B70-07A5773073AB@batten.eu.org>
Message-ID: <20091002165932.GC90759@davros.org>

Ian Batten said:
> http://www.guardian.co.uk/technology/2009/oct/02/computer-expert-forged-rail-tickets
> 
> I wonder if he also forged the magnetic stripe, or if he avoided going  
> through automatic gates?  Is the stripe signed in any way, or is it  
> just an encoding of the front of the ticket?

I'm fairly sure it's just an encoding. I have vague memories of reading
somewhere that it's only 140 bits or bytes (I forget which), about a third
of which belong to TfL and the rest to ATOC.

-- 
Clive D.W. Feather          | If you lie to the compiler,
Email: clive at davros.org     | it will get its revenge.
Web: http://www.davros.org  |   - Henry Spencer
Mobile: +44 7973 377646


From pwt at iosis.co.uk  Fri Oct  2 18:30:22 2009
From: pwt at iosis.co.uk (Peter Tomlinson)
Date: Fri, 02 Oct 2009 18:30:22 +0100
Subject: =?ISO-8859-1?Q?Re=3A_Computer_expert_forged_rail_ticke?=
	=?ISO-8859-1?Q?ts_worth_=A312=2C472_over_two_years_=7C_Tec?=
	=?ISO-8859-1?Q?hnology_=7C_guardian=2Eco=2Euk?=
In-Reply-To: <20091002165932.GC90759@davros.org>
References: <C82B220F-65C0-487C-9B70-07A5773073AB@batten.eu.org>
	<20091002165932.GC90759@davros.org>
Message-ID: <4AC638AE.2070104@iosis.co.uk>

Clive D.W. Feather wrote:
> Ian Batten said:
>   
>> http://www.guardian.co.uk/technology/2009/oct/02/computer-expert-forged-rail-tickets
>>
>> I wonder if he also forged the magnetic stripe, or if he avoided going  
>> through automatic gates?  Is the stripe signed in any way, or is it  
>> just an encoding of the front of the ticket?
>>     
> I'm fairly sure it's just an encoding. I have vague memories of reading
> somewhere that it's only 140 bits or bytes (I forget which), about a third
> of which belong to TfL and the rest to ATOC.
Sorry to put a dampener on the discussion, but uk.railway is suggesting 
the following ruse:

"Z[one]1-2 travelcard, Hove-Brighton season for the gate lines, and a forged
ticket for ticket inspections. "

And another contributor writes "a BR sandwich, nothing in the middle".

The ticket inspectors on trains have never checked the mag stripe, even 
though for years they had those big ticket machines, many of which had a 
mag stripe reader.

Peter




From tony.naggs at googlemail.com  Fri Oct  2 18:46:38 2009
From: tony.naggs at googlemail.com (Tony Naggs)
Date: Fri, 2 Oct 2009 18:46:38 +0100
Subject: =?ISO-8859-1?Q?Re=3A_Computer_expert_forged_rail_tickets_worth_=A312=2C4?=
	=?ISO-8859-1?Q?72_over_two_years_=7C_Technology_=7C_guardian=2Eco=2Euk?=
In-Reply-To: <4AC638AE.2070104@iosis.co.uk>
References: <C82B220F-65C0-487C-9B70-07A5773073AB@batten.eu.org>
	<20091002165932.GC90759@davros.org> <4AC638AE.2070104@iosis.co.uk>
Message-ID: <ffe0ebc90910021046v2d61749dwdb5ca59a96f74276@mail.gmail.com>

2009/10/2 Peter Tomlinson <pwt at iosis.co.uk>:
>
> Sorry to put a dampener on the discussion, but uk.railway is suggesting the
> following ruse:
>
> "Z[one]1-2 travelcard, Hove-Brighton season for the gate lines, and a forged
> ticket for ticket inspections. "
>
> And another contributor writes "a BR sandwich, nothing in the middle".

Those are 2 ways of saying the same thing, but I am not sure that he
need bother.

When I lived near Brighton quite a few small coastal stations were
effectively unmanned, and my occasional experience of Thameslink
central London stations is that the gates are often open before 9
o'clock. Changing between coastway and Thameslink (he was caught by
First Capital Connect staff) trains at Brighton is done behind the
gateline.

Cheers,
Tony


From clive at davros.org  Fri Oct  2 18:54:46 2009
From: clive at davros.org (Clive D.W. Feather)
Date: Fri, 2 Oct 2009 18:54:46 +0100
Subject: Computer expert =?iso-8859-1?Q?forged_?=
	=?iso-8859-1?Q?rail_tickets_worth_=A312=2C47?=
	=?iso-8859-1?Q?2?= over two years | Technology | guardian.co.uk
In-Reply-To: <4AC638AE.2070104@iosis.co.uk>
References: <C82B220F-65C0-487C-9B70-07A5773073AB@batten.eu.org>
	<20091002165932.GC90759@davros.org> <4AC638AE.2070104@iosis.co.uk>
Message-ID: <20091002175446.GD90759@davros.org>

Peter Tomlinson said:
> Sorry to put a dampener on the discussion, but uk.railway is suggesting 
> the following ruse:
> 
> "Z[one]1-2 travelcard, Hove-Brighton season for the gate lines, and a forged
> ticket for ticket inspections. "

Ah, a dumb-bell plus a forged ticket for the middle bit.

-- 
Clive D.W. Feather          | If you lie to the compiler,
Email: clive at davros.org     | it will get its revenge.
Web: http://www.davros.org  |   - Henry Spencer
Mobile: +44 7973 377646


From rich at annexia.org  Fri Oct  2 22:51:36 2009
From: rich at annexia.org (Richard Jones)
Date: Fri, 2 Oct 2009 22:51:36 +0100
Subject: Computer expert =?iso-8859-1?Q?forged_?=
	=?iso-8859-1?Q?rail_tickets_worth_=A312=2C47?=
	=?iso-8859-1?Q?2?= over two years | Technology | guardian.co.uk
In-Reply-To: <C82B220F-65C0-487C-9B70-07A5773073AB@batten.eu.org>
References: <C82B220F-65C0-487C-9B70-07A5773073AB@batten.eu.org>
Message-ID: <20091002215136.GA18896@annexia.org>

On Fri, Oct 02, 2009 at 05:22:30PM +0100, Ian Batten wrote:
> http://www.guardian.co.uk/technology/2009/oct/02/computer-expert-forged-rail-tickets
> 
> I wonder if he also forged the magnetic stripe, or if he avoided going  
> through automatic gates?  Is the stripe signed in any way, or is it  
> just an encoding of the front of the ticket?

My journey (Kings Langley to Euston on London Sh*tland) wouldn't need
one to use any automatic barriers.  There are none at the start, and
at the end you can flash your ticket to the inspectors, which is often
quicker than going through the barriers anyway.

Rich.

-- 
Richard Jones
Red Hat


From Ross.Anderson at cl.cam.ac.uk  Mon Oct  5 16:51:13 2009
From: Ross.Anderson at cl.cam.ac.uk (Ross Anderson)
Date: Mon, 05 Oct 2009 16:51:13 +0100
Subject: The Defence Manual of Security - leaked
Message-ID: <E1MupqD-0001Yc-00@mta2.cl.cam.ac.uk>

Some wicked person has put the Defence Manual of Security, vols 1-3, on
wikileaks:

 http://www.wikileaks.org/wiki/UK_MoD_Manual_of_Security_Volumes_1%2C_2_
and_3_Issue_2%2C_JSP-440%2C_RESTRICTED%2C_2389_pages%2C_2001

It's over 2000 pages and will take us some time to digest. But on 
rapid perusal it seems to be the bureaucratic equivalent of spaghetti
code - a hodgepodge of things written by people from different 
backgrounds, and with different degrees of clue, in different decades.
I'm sure we will find a few goodies in there, though, among all the
blether

Ross


From Ross.Anderson at cl.cam.ac.uk  Mon Oct 19 15:24:31 2009
From: Ross.Anderson at cl.cam.ac.uk (Ross Anderson)
Date: Mon, 19 Oct 2009 15:24:31 +0100
Subject: Health privacy again
Message-ID: <E1Mzt9z-0007UB-00@mta2.cl.cam.ac.uk>

List members who follow the debate on the privacy of health records
may be interested in two items. 

The first is a segment this evening at 1930 on the Tonight programme:

   http://www.itv.com/news/tonight/episodes/healthrecordsforsale/default.html

which I understand will star Helen Wilkinson. The second is a paper by
up-and-coming US legal scholar Paul Ohm on the ineffectiveness of
"de-identification" as a means of protecting patient privacy:

   http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1450006

Now we technies have known for thirty years that de-identification is
much harder than it looks, thanks to Dorothy Denning. You can even 
read all about it in my book. However, up till now the policy folks
have been in deep denial about this. A major paper by a respected 
scholar in the UCLA Law Review, though, will be harder for them to
ignore than the science is.

Ross


From tom.thomson at bcs.org.uk  Wed Oct 21 11:36:51 2009
From: tom.thomson at bcs.org.uk (Tom.Thomson)
Date: Wed, 21 Oct 2009 10:36:51 +0000 (GMT)
Subject: Health privacy again
Message-ID: <949864.27761.qm@web86711.mail.ird.yahoo.com>

While it is potentially useful that a respected lawyer should
understand that 
de-indentification is largely ineffective and
legislators must recognise that there is an 
issue and make hard
choices, it is frightening to consider what legislators might do in
response to this information.

Legislators have a great ability
to misunderstand and misinterpret technical issues 
and facts, and to
treat them as meaning wjhatever they want them to mean.? Their 
ability
to draw horribly incorrect conclusions from technical facts by wantonly
adding
ridiculous and obviously wrong premises to the argument is
equally stupendous.

The problem is illustrated by Ohm hiomself in the current draft when he writes

? ? When countervailing values are so important 
? ? that they outweigh even the risk of grave harm from reidentification, 
? ? surrender may be justifiable. In particular, when national security, 
? ? public safety, or public health are at risk, regulators may try to tailor 
? ? laws to allow reidentification to advance security and safety. I would 
? ? hope that these exceptions would be very narrowly drawn, exquisitely 
? ? justified, and well-targeted to advancing the countervailing value.

I too would hope as Ohm would, but I would have no expectation that the hope 
would be fulfilled.

Let's
consider what recent UK governments under Blair or Brown would make 
of
this. Surely part of the argument would go as follows:-

? ? National security includes of course the economic well-being 
? ? of the nation.? The nation's economic well-being requires that
? ? government be efficient and cost-effective.???We can improve 
? ? our efficiency and cost-effectiveness by allowing all government 
? ? departments to have all information; they needn't bother with 
? ? de-identification when doing so, because de-identification is 
? ? known to be ineffective.? Therefor all legislation requiring 
? ? data to be protected and deindentified withing government will
? ? be repealed and rerplaced by a law specifically allowing all 
? ? central government departments to require all other government 
? ? departs (inclusing local government departments and departments 
? ? controlled by devolved assemblies/parliaments) to provide them 
? ? with all their data in fully identifiable form.

Other similar arguments would be advanced for the selling of our data 
to private organisations.???It would naturally be in the national 
interest for all? NHS data to be for sale to any pharmaceutical company in 
the world.? And so on.

So maybe the appearance of this paper has its down side as well as its up side?

There also appears to be a lack of understanding of the EU directive on personal 
data.? Ohm appears to suggest (or perhaps he means to attribute the suggestion 
to Brin)? that wathcing the watches is a possible partial (and definitely inadequate) 
solution to the problem of complete deregulation of disclosure, where 
watching the watchers apparently means having everyone disclose the nature 
of all data they hold and the details of all processing they do.? This would be a 
very heavy burden indeed on those who hold and/or process data, far heavier than
the burden imposed by the EU directive even if the latter applied to all data, yet 
this burden is cited as a reason to abandon the directive but not as a reason to 
reject the .watch-the-watchers "solution".

So the current draft perhaps needs a bit more polishing before iot's reasy for release
and fit to be cited.

M.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.chiark.greenend.org.uk/pipermail/ukcrypto/attachments/20091021/c7af5396/attachment.htm>

From casparb at microsoft.com  Wed Oct 21 18:58:56 2009
From: casparb at microsoft.com (Caspar Bowden)
Date: Wed, 21 Oct 2009 17:58:56 +0000
Subject: Health privacy again
In-Reply-To: <949864.27761.qm@web86711.mail.ird.yahoo.com>
References: <949864.27761.qm@web86711.mail.ird.yahoo.com>
Message-ID: <87A6D89C0D9E3E4E94253D25B8F9B2E7110B6B@DB3EX14MBXC316.europe.corp.microsoft.com>

I would agree with most of Tom's remarks

- A good discussion of why this matters can be found here http://www.liberty-human-rights.org.uk/issues/3-privacy/pdfs/liberty-privacy-report.pdf pp. 120-121
("Concerns over the effectiveness of the DPA...")

- I think Ohm would be the first to acknowledge he is not an expert in EU DP law. I am afraid that the US and EU privacy legal literature are 99.9% disjoint (and likely to remain so for a number of reasons)

- it is mildly scandalous that nobody has written the full-blown equivalent of Ohm's paper for EU (I have many references to partial treatments if anyone wants). But in a nutshell the state of divergence of EU Member State transpositions and interpretations of the meaning of the identifiability of personal data has been the intramural pachyderm of EU DP since the ink was dry on the Directive, viz. the fact that it is defined in two paragraphs in EC95/46, but took Art.29 WP twenty-five pages to elaborate in WP 156 (and still evade certain crucial topics). 

- my theory is that (some) regulators and EU DP negotiators knew about this 20 years ago, but it has been under the carpet so long it has mostly been forgotten. If anyone has any leads about this, please ping me offline

--
Caspar Bowden


From: ukcrypto-bounces at chiark.greenend.org.uk [mailto:ukcrypto-bounces at chiark.greenend.org.uk] On Behalf Of Tom.Thomson
Sent: 21 October 2009 12:37
To: ukcrypto at chiark.greenend.org.uk
Subject: Re: Health privacy again

While it is potentially useful that a respected lawyer should understand that 
de-indentification is largely ineffective and legislators must recognise that there is an 
issue and make hard choices, it is frightening to consider what legislators might do in
response to this information.

Legislators have a great ability to misunderstand and misinterpret technical issues 
and facts, and to treat them as meaning wjhatever they want them to mean.? Their 
ability to draw horribly incorrect conclusions from technical facts by wantonly adding
ridiculous and obviously wrong premises to the argument is equally stupendous.

The problem is illustrated by Ohm hiomself in the current draft when he writes

? ? When countervailing values are so important 
? ? that they outweigh even the risk of grave harm from reidentification, 
? ? surrender may be justifiable. In particular, when national security, 
? ? public safety, or public health are at risk, regulators may try to tailor 
? ? laws to allow reidentification to advance security and safety. I would 
? ? hope that these exceptions would be very narrowly drawn, exquisitely 
? ? justified, and well-targeted to advancing the countervailing value.

I too would hope as Ohm would, but I would have no expectation that the hope 
would be fulfilled.

Let's consider what recent UK governments under Blair or Brown would make 
of this. Surely part of the argument would go as follows:-

? ? National security includes of course the economic well-being 
? ? of the nation.? The nation's economic well-being requires that
? ? government be efficient and cost-effective.???We can improve 
? ? our efficiency and cost-effectiveness by allowing all government 
? ? departments to have all information; they needn't bother with 
? ? de-identification when doing so, because de-identification is 
? ? known to be ineffective.? Therefor all legislation requiring 
? ? data to be protected and deindentified withing government will
? ? be repealed and rerplaced by a law specifically allowing all 
? ? central government departments to require all other government 
? ? departs (inclusing local government departments and departments 
? ? controlled by devolved assemblies/parliaments) to provide them 
? ? with all their data in fully identifiable form.

Other similar arguments would be advanced for the selling of our data 
to private organisations.???It would naturally be in the national 
interest for all? NHS data to be for sale to any pharmaceutical company in 
the world.? And so on.

So maybe the appearance of this paper has its down side as well as its up side?

There also appears to be a lack of understanding of the EU directive on personal 
data.? Ohm appears to suggest (or perhaps he means to attribute the suggestion 
to Brin)? that wathcing the watches is a possible partial (and definitely inadequate) 
solution to the problem of complete deregulation of disclosure, where 
watching the watchers apparently means having everyone disclose the nature 
of all data they hold and the details of all processing they do.? This would be a 
very heavy burden indeed on those who hold and/or process data, far heavier than
the burden imposed by the EU directive even if the latter applied to all data, yet 
this burden is cited as a reason to abandon the directive but not as a reason to 
reject the .watch-the-watchers "solution".

So the current draft perhaps needs a bit more polishing before iot's reasy for release
and fit to be cited.

M.



From Ross.Anderson at cl.cam.ac.uk  Tue Oct 27 12:34:19 2009
From: Ross.Anderson at cl.cam.ac.uk (Ross Anderson)
Date: Tue, 27 Oct 2009 12:34:19 +0000
Subject: Bank fraud programme
Message-ID: <E1N2lFk-0002i1-00@mta2.cl.cam.ac.uk>

There was a programme last night on BBC East with a segment on the Jane
Badger case - Jane was the lady who was prosecuted for attemtped fraud
after she complained about phantom withdrawals from her Egg card. Now 
it's in the past, people outside the region can get it via iPlayer:

  http://www.bbc.co.uk/iplayer/episode/b00nkwqw/Inside_Out_East_26_10_2009/

Trailer:

  http://news.bbc.co.uk/1/hi/england/cambridgeshire/8325477.stm

Ross


From steve at greenend.org.uk  Tue Oct 27 14:49:05 2009
From: steve at greenend.org.uk (Stephen Early)
Date: Tue, 27 Oct 2009 14:49:05 +0000
Subject: Administrivia: posts from non-subscribed addresses
Message-ID: <4AE70861.2020405@greenend.org.uk>

Summary: messages to ukcrypto at chiark.greenend.org.uk from addresses that 
are not subscribed to the list will no longer be held for moderation. 
They will be rejected, with a message to the sender explaining the reason.

For a long time it has been the case that the ukcrypto moderation queue 
has been >99% spam.  The <1% ham consists almost entirely of messages 
from subscribers who are accidentally posting using the wrong source 
address.  By the time I get around to looking at the moderation queue, 
these messages have almost all been resubmitted using the correct 
address.  It will therefore save me time, and prevent duplicate messages 
from being posted to the list, if all messages from non-subscribed 
addresses are rejected immediately.

If you regularly post from multiple addresses, but want to receive list 
traffic at only one address, you can subscribe all of your addresses and 
set the 'nomail' flag on all but one of them.

Stephen Early
UKcrypto mailing list administrator


From colinthomson1 at o2.co.uk  Wed Oct 28 01:44:27 2009
From: colinthomson1 at o2.co.uk (Tom Thomson)
Date: Wed, 28 Oct 2009 01:44:27 -0000
Subject: Bank fraud programme
In-Reply-To: <E1N2lFk-0002i1-00@mta2.cl.cam.ac.uk>
References: <E1N2lFk-0002i1-00@mta2.cl.cam.ac.uk>
Message-ID: <CFA39A71D77840739E33CBC90E80694A@your41b8d18ede>

Sorry, this is off topic.  But Ross's remark is so provocative (not his fault - blame the BBC) that I have to RANT.

No, most people outside the region still can't get it.  

I happen to be in Spain at the moment, so I can't get it.  

I couldn't get it in Beirut, either, or in Tamil Nadu, which are the two places I've spent a lot of time in recent years.  Or indeed anywhere else (and I've been in a few other places too).  

It's not true that people outside the "East" region are all in England, or all in GB.  

It pisses off those of us who pay UK TV license fees that we can't get this stuff because we happen to be, for a period, elsewhere, and when we get back it will probably be no longer available.  We who spend significant time working abroad are clearly second rate Brits.  

It pisses me off too that to get BBC Alba in England I have to buy FreeSat kit because the BBS can't be bothered to broadcast that material on FreeView - my British but not English culture clearly marks me as a second rate Brit, not a real Brit at all, so there's no reason to make stuff in Gaidhlig available on FreeView - even though in the opposite case 99% of Radio and TV content available in Bearnaraidh is in English, the first language of 0.5% of the local population.  

Why can't we be honest and call it the EBC instead of the BBC?  Or still more accurately the EBCfNT (the English Broadcasting Corporation for Non-Travellers)?

M.

-----Original Message-----
From: ukcrypto-bounces at chiark.greenend.org.uk [mailto:ukcrypto-bounces at chiark.greenend.org.uk] On Behalf Of Ross Anderson
Sent: 27 October 2009 12:34
To: ukcrypto at chiark.greenend.org.uk
Subject: Bank fraud programme

There was a programme last night on BBC East with a segment on the Jane
Badger case - Jane was the lady who was prosecuted for attemtped fraud
after she complained about phantom withdrawals from her Egg card. Now 
it's in the past, people outside the region can get it via iPlayer:

  http://www.bbc.co.uk/iplayer/episode/b00nkwqw/Inside_Out_East_26_10_2009/

Trailer:

  http://news.bbc.co.uk/1/hi/england/cambridgeshire/8325477.stm

Ross





From igb at batten.eu.org  Wed Oct 28 17:57:18 2009
From: igb at batten.eu.org (Ian Batten)
Date: Wed, 28 Oct 2009 18:57:18 +0100
Subject: Bank fraud programme
In-Reply-To: <CFA39A71D77840739E33CBC90E80694A@your41b8d18ede>
References: <E1N2lFk-0002i1-00@mta2.cl.cam.ac.uk>
	<CFA39A71D77840739E33CBC90E80694A@your41b8d18ede>
Message-ID: <DC7CBB7C-D7D1-4684-B0D8-E9DFB492DBDC@batten.eu.org>

1.  If you had to log on to iPlayer using personal credentials, a lot  
of people who subscribe to this list would be the first to complain  
about having their television usage tracked.

2.  If iPlayer were made available outside the UK without even the  
semblance of control, a large portion of the content would disappear,  
because the BBC don't hold the rights.  The obvious example is almost  
all sports coverage, but it would also apply to almost all non-UK drama.

3.  Before the advent of iPlayer, the situation you describe was  
universal.

4.  The solution is straight-forward anyway: ssh into your home  
network and port-forward to your home squid server.  Works for me.

ian

On 28 Oct 2009, at 02:44, Tom Thomson wrote:

> Sorry, this is off topic.  But Ross's remark is so provocative (not  
> his fault - blame the BBC) that I have to RANT.
>
> No, most people outside the region still can't get it.
>
> I happen to be in Spain at the moment, so I can't get it.
>
> I couldn't get it in Beirut, either, or in Tamil Nadu, which are the  
> two places I've spent a lot of time in recent years.  Or indeed  
> anywhere else (and I've been in a few other places too).
>
> It's not true that people outside the "East" region are all in  
> England, or all in GB.
>
> It pisses off those of us who pay UK TV license fees that we can't  
> get this stuff because we happen to be, for a period, elsewhere, and  
> when we get back it will probably be no longer available.  We who  
> spend significant time working abroad are clearly second rate Brits.
>
> It pisses me off too that to get BBC Alba in England I have to buy  
> FreeSat kit because the BBS can't be bothered to broadcast that  
> material on FreeView - my British but not English culture clearly  
> marks me as a second rate Brit, not a real Brit at all, so there's  
> no reason to make stuff in Gaidhlig available on FreeView - even  
> though in the opposite case 99% of Radio and TV content available in  
> Bearnaraidh is in English, the first language of 0.5% of the local  
> population.
>
> Why can't we be honest and call it the EBC instead of the BBC?  Or  
> still more accurately the EBCfNT (the English Broadcasting  
> Corporation for Non-Travellers)?
>
> M.
>
> -----Original Message-----
> From: ukcrypto-bounces at chiark.greenend.org.uk [mailto:ukcrypto-bounces at chiark.greenend.org.uk 
> ] On Behalf Of Ross Anderson
> Sent: 27 October 2009 12:34
> To: ukcrypto at chiark.greenend.org.uk
> Subject: Bank fraud programme
>
> There was a programme last night on BBC East with a segment on the  
> Jane
> Badger case - Jane was the lady who was prosecuted for attemtped fraud
> after she complained about phantom withdrawals from her Egg card. Now
> it's in the past, people outside the region can get it via iPlayer:
>
>  http://www.bbc.co.uk/iplayer/episode/b00nkwqw/Inside_Out_East_26_10_2009/
>
> Trailer:
>
>  http://news.bbc.co.uk/1/hi/england/cambridgeshire/8325477.stm
>
> Ross
>
>
>
>



From DaveHowe at gmx.co.uk  Wed Oct 28 20:04:57 2009
From: DaveHowe at gmx.co.uk (Dave Howe)
Date: Wed, 28 Oct 2009 20:04:57 +0000
Subject: Bank fraud programme
In-Reply-To: <DC7CBB7C-D7D1-4684-B0D8-E9DFB492DBDC@batten.eu.org>
References: <E1N2lFk-0002i1-00@mta2.cl.cam.ac.uk>	<CFA39A71D77840739E33CBC90E80694A@your41b8d18ede>
	<DC7CBB7C-D7D1-4684-B0D8-E9DFB492DBDC@batten.eu.org>
Message-ID: <4AE8A3E9.8020004@gmx.co.uk>

Ian Batten wrote:
> 1.  If you had to log on to iPlayer using personal credentials, a lot of
> people who subscribe to this list would be the first to complain about
> having their television usage tracked.
> 
> 2.  If iPlayer were made available outside the UK without even the
> semblance of control, a large portion of the content would disappear,
> because the BBC don't hold the rights.  The obvious example is almost
> all sports coverage, but it would also apply to almost all non-UK drama.
> 
> 3.  Before the advent of iPlayer, the situation you describe was universal.
> 
> 4.  The solution is straight-forward anyway: ssh into your home network
> and port-forward to your home squid server.  Works for me.

As an aside - note that the squid part isn't actually required; most
modern web browsers support a socks proxy in their settings, and ssh
natively supports this sort of tunnel (its the "dynamic" type; available
from command line or, if you are a windows user, puTTY)


From lee at nerds.org.uk  Wed Oct 28 21:08:31 2009
From: lee at nerds.org.uk (Lee Brotherston)
Date: Wed, 28 Oct 2009 21:08:31 +0000
Subject: Bank fraud programme
In-Reply-To: <4AE8A3E9.8020004@gmx.co.uk>
References: <E1N2lFk-0002i1-00@mta2.cl.cam.ac.uk>
	<CFA39A71D77840739E33CBC90E80694A@your41b8d18ede>
	<DC7CBB7C-D7D1-4684-B0D8-E9DFB492DBDC@batten.eu.org>
	<4AE8A3E9.8020004@gmx.co.uk>
Message-ID: <20091028210831.GX84856@nerds.org.uk>

On Wed, Oct 28, 2009 at 08:04:57PM +0000, Dave Howe wrote:
> As an aside - note that the squid part isn't actually required; most
> modern web browsers support a socks proxy in their settings, and ssh
> natively supports this sort of tunnel (its the "dynamic" type; available
> from command line or, if you are a windows user, puTTY)

And as an even further aside, you may wish to do this not only to
appear to be in the UK from a GeoIP perspective, but to encrypt/tunnel
your browsing away from the prying eyes of the government of your
current location.

  Lee

-- 
Lee Brotherston - <lee at nerds.org.uk>


From bdm at fenrir.org.uk  Wed Oct 28 22:43:48 2009
From: bdm at fenrir.org.uk (Brian Morrison)
Date: Wed, 28 Oct 2009 22:43:48 +0000
Subject: Bank fraud programme
In-Reply-To: <20091028210831.GX84856@nerds.org.uk>
References: <E1N2lFk-0002i1-00@mta2.cl.cam.ac.uk>
	<CFA39A71D77840739E33CBC90E80694A@your41b8d18ede>
	<DC7CBB7C-D7D1-4684-B0D8-E9DFB492DBDC@batten.eu.org>
	<4AE8A3E9.8020004@gmx.co.uk> <20091028210831.GX84856@nerds.org.uk>
Message-ID: <20091028224348.66ffa672@peterson.fenrir.org.uk>

On Wed, 28 Oct 2009 21:08:31 +0000
Lee Brotherston <lee at nerds.org.uk> wrote:

> but to encrypt/tunnel your browsing away from the prying eyes of the
> government of your current location.

Good for your home location too....

-- 

Brian Morrison

bdm at fenrir dot org dot uk

   "Arguing with an engineer is like wrestling with a pig in the mud;
    after a while you realize you are muddy and the pig is enjoying it."
    
GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 190 bytes
Desc: not available
URL: <http://www.chiark.greenend.org.uk/pipermail/ukcrypto/attachments/20091028/b5df6a87/attachment.pgp>

From igb at batten.eu.org  Thu Oct 29 08:51:35 2009
From: igb at batten.eu.org (Ian Batten)
Date: Thu, 29 Oct 2009 09:51:35 +0100
Subject: Bank fraud programme
In-Reply-To: <20091028224348.66ffa672@peterson.fenrir.org.uk>
References: <E1N2lFk-0002i1-00@mta2.cl.cam.ac.uk>
	<CFA39A71D77840739E33CBC90E80694A@your41b8d18ede>
	<DC7CBB7C-D7D1-4684-B0D8-E9DFB492DBDC@batten.eu.org>
	<4AE8A3E9.8020004@gmx.co.uk> <20091028210831.GX84856@nerds.org.uk>
	<20091028224348.66ffa672@peterson.fenrir.org.uk>
Message-ID: <D65A6685-F143-4A44-9DDC-CAECE8D12D6B@batten.eu.org>


On 28 Oct 2009, at 23:43, Brian Morrison wrote:

> On Wed, 28 Oct 2009 21:08:31 +0000
> Lee Brotherston <lee at nerds.org.uk> wrote:
>
>> but to encrypt/tunnel your browsing away from the prying eyes of the
>> government of your current location.
>
> Good for your home location too....

Encrypted tunnelling from one machine to another, both in the UK, and  
emerging unencrypted isn't much of a step forward, though.

ian




From lee at nerds.org.uk  Thu Oct 29 09:01:32 2009
From: lee at nerds.org.uk (Lee Brotherston)
Date: Thu, 29 Oct 2009 09:01:32 +0000
Subject: Bank fraud programme
In-Reply-To: <D65A6685-F143-4A44-9DDC-CAECE8D12D6B@batten.eu.org>
References: <E1N2lFk-0002i1-00@mta2.cl.cam.ac.uk>
	<CFA39A71D77840739E33CBC90E80694A@your41b8d18ede>
	<DC7CBB7C-D7D1-4684-B0D8-E9DFB492DBDC@batten.eu.org>
	<4AE8A3E9.8020004@gmx.co.uk> <20091028210831.GX84856@nerds.org.uk>
	<20091028224348.66ffa672@peterson.fenrir.org.uk>
	<D65A6685-F143-4A44-9DDC-CAECE8D12D6B@batten.eu.org>
Message-ID: <20091029090132.GZ84856@nerds.org.uk>

On Thu, Oct 29, 2009 at 09:51:35AM +0100, Ian Batten wrote:
> Encrypted tunnelling from one machine to another, both in the UK,
> and emerging unencrypted isn't much of a step forward, though.

Using tor would be closer, but that comes with it's own set of
problems (malicious exit nodes, poor bandwidth/latency, etc).

  Lee

-- 
Lee Brotherston - <lee at nerds.org.uk>


From james2 at jfirth.net  Thu Oct 29 11:29:44 2009
From: james2 at jfirth.net (James Firth)
Date: Thu, 29 Oct 2009 11:29:44 -0000
Subject: EC Infringement Proceedings Against UK Electronic Privacy Move to
	"Phase 2"
In-Reply-To: <20091029090132.GZ84856@nerds.org.uk>
References: <E1N2lFk-0002i1-00@mta2.cl.cam.ac.uk>	<CFA39A71D77840739E33CBC90E80694A@your41b8d18ede>	<DC7CBB7C-D7D1-4684-B0D8-E9DFB492DBDC@batten.eu.org>	<4AE8A3E9.8020004@gmx.co.uk>
	<20091028210831.GX84856@nerds.org.uk>	<20091028224348.66ffa672@peterson.fenrir.org.uk>	<D65A6685-F143-4A44-9DDC-CAECE8D12D6B@batten.eu.org>
	<20091029090132.GZ84856@nerds.org.uk>
Message-ID: <02e601ca588b$1de49ae0$59add0a0$@net>

The Commission today issued the following press release, copied below with
source link:

http://europa.eu/rapid/pressReleasesAction.do?reference=IP/09/1626&format=HT
ML&aged=0&language=EN&guiLanguage=en

IP/09/1626

Brussels, 29 October 2009

Telecoms: Commission steps up UK legal action over privacy and personal data
protection

The Commission today moved to the second phase of an infringement proceeding
over the UK to provide its citizens with the full protection of EU rules on
privacy and personal data protection when using electronic communications.
European laws state that EU countries must ensure the confidentiality of
people's electronic communications like email or internet browsing by
prohibiting their unlawful interception and surveillance without the user's
consent. As these rules have not been fully put in place in the national law
of the UK, the Commission today said that it will send the UK a reasoned
opinion.

" People's privacy and the integrity of their personal data in the digital
world is not only an important matter, it is a fundamental right, protected
by European law. That is why the Commission is vigilant in ensuring that EU
rules and rights are put in place," said EU Telecoms Commissioner Viviane
Reding. "Ensuring digital privacy is a key for building trust in the
internet. I therefore call on the UK authorities to change their national
laws to ensure that British citizens fully benefit from the safeguards set
out in EU law concerning confidentiality of electronic communications."

The Commission maintains its position that the UK is failing to comply with
EU rules protecting the confidentiality of electronic communications like
email or surfing the internet, which are provided in the ePrivacy Directive
2002/58/EC and the Data Protection Directive 95/46/EC . This follows a
thorough analysis of the UK authorities' response to the letter of formal
notice - the first phase in an infringement proceeding - sent to them by the
Commission on 14 April 2009 ( IP/09/570 ). The Commission launched this
legal action following its inquiry into the response given by the UK
authorities to UK citizens' complaints about the use of behavioural
advertising by internet service providers.

Specifically, the Commission has identified three gaps in the existing UK
rules governing the confidentiality of electronic communications:

    *

      There is no independent national authority to supervise interception
of communications, although the establishment of such authority is required
under the ePrivacy and Data Protection Directives, in particular to hear
complaints regarding interception of communications.
    *

      The current UK law - the Regulation of Investigatory Powers Act 2000
(RIPA) - authorises interception of communications not only where the
persons concerned have consented to interception but also when the person
intercepting the communications has 'reasonable grounds for believing' that
consent to do so has been given. These UK law provisions do not comply with
EU rules defining consent as freely given specific and informed indication
of a person's wishes.
    *

      The RIPA provisions prohibiting and providing sanctions in case of
unlawful interception are limited to 'intentional' interception only,
whereas the EU law requires Members States to prohibit and to ensure
sanctions against any unlawful interception regardless of whether committed
intentionally or not.

The UK has two months to reply to this second stage of the infringement
proceeding. If the Commission receives no reply, or if the response
presented by the UK is not satisfactory, the Commission may refer the case
to the European Court of Justice.

Background

The EU Directive on privacy and electronic communications requires EU Member
States to ensure confidentiality of the communications and related traffic
data by prohibiting unlawful interception and surveillance unless the users
concerned have consented to this (Article 5(1) of Directive 2002/58/EC ).
The EU Data Protection Directive specifies that user consent must be 'freely
given specific and informed' (Article 2(h) of Directive 95/46/EC ).
Moreover, Article 24 of the Data Protection Directive requires Member States
to establish appropriate sanctions in case of infringements and Article 28
says that independent authorities must be charged with supervising
implementation. These provisions of the Data Protection Directive also apply
in the area of confidentiality of communications.

A detailed overview of telecoms infringement proceedings is available at:

http://ec.europa.eu/information_society/policy/ecomm/implementation_enforcem
ent/infringement/



From casparb at microsoft.com  Thu Oct 29 19:03:24 2009
From: casparb at microsoft.com (Caspar Bowden)
Date: Thu, 29 Oct 2009 19:03:24 +0000
Subject: EC Infringement Proceedings Against UK Electronic Privacy Move
	to	"Phase 2"
In-Reply-To: <02e601ca588b$1de49ae0$59add0a0$@net>
References: <E1N2lFk-0002i1-00@mta2.cl.cam.ac.uk>
	<CFA39A71D77840739E33CBC90E80694A@your41b8d18ede>
	<DC7CBB7C-D7D1-4684-B0D8-E9DFB492DBDC@batten.eu.org>
	<4AE8A3E9.8020004@gmx.co.uk>	<20091028210831.GX84856@nerds.org.uk>
	<20091028224348.66ffa672@peterson.fenrir.org.uk>
	<D65A6685-F143-4A44-9DDC-CAECE8D12D6B@batten.eu.org>
	<20091029090132.GZ84856@nerds.org.uk>
	<02e601ca588b$1de49ae0$59add0a0$@net>
Message-ID: <87A6D89C0D9E3E4E94253D25B8F9B2E7113356@DB3EX14MBXC316.europe.corp.microsoft.com>

Just fancy that ;-)
...
>The RIPA provisions prohibiting and providing sanctions in case of unlawful >interception are limited to 'intentional' interception only, whereas the EU law >requires Members States to prohibit and to ensure sanctions against any unlawful >interception regardless of whether committed intentionally or not.

admin at chiark.greenend.org.uk] On Behalf Of Caspar Bowden
Sent: 16 April 2008 15:22
To: ukcrypto at chiark.greenend.org.uk
Subject: RE: EU says URLS and Search Terms _are_ PECR data

<<<Recital (21) Measures should be taken to prevent unauthorised access to communications in order to protect the confidentiality of communications, ***INCLUDING BOTH THE CONTENTS AND ANY DATA RELATED TO SUCH COMMUNICATIONS***, by means of public communications networks and publicly available electronic communications services. National legislation in some Member States only prohibits INTENTIONAL unauthorised access to communications.

Article 5 - Confidentiality of the communications

1. Member States shall ensure the confidentiality of communications and the related traffic data by means of a public communications network and publicly available electronic communications services, through national legislation. In particular, they shall prohibit listening, tapping, storage OR OTHER KINDS OF INTERCEPTION OR SURVEILLANCE OF COMMUNICATIONS AND THE RELATED TRAFFIC DATA BY PERSONS OTHER THAN USERS, WITHOUT THE CONSENT OF THE USERS CONCERNED, except when legally authorised to do so in accordance with Article 15(1). This paragraph shall not prevent technical storage which is necessary for the conveyance of a communication without prejudice to the principle of confidentiality>>>

So there's an interesting twist here: Recital 21 flags up that some member states only prohibit INTENTIONAL unauthorised access (with the implication that those Member States should fix their laws). And yea verily, S.1(1) of RIPA says

<<< Unlawful interception
1(1) It shall be an offence for a person intentionally and without lawful authority to intercept>>>

So

Q1. Was the end bit of Recital 21 having a dig at RIPA (amongst other national laws)?


From fw at deneb.enyo.de  Thu Oct 29 19:58:16 2009
From: fw at deneb.enyo.de (Florian Weimer)
Date: Thu, 29 Oct 2009 20:58:16 +0100
Subject: EC Infringement Proceedings Against UK Electronic Privacy Move to
	"Phase 2"
In-Reply-To: <02e601ca588b$1de49ae0$59add0a0$@net> (James Firth's message of
	"Thu, 29 Oct 2009 11:29:44 -0000")
References: <E1N2lFk-0002i1-00@mta2.cl.cam.ac.uk>
	<CFA39A71D77840739E33CBC90E80694A@your41b8d18ede>
	<DC7CBB7C-D7D1-4684-B0D8-E9DFB492DBDC@batten.eu.org>
	<4AE8A3E9.8020004@gmx.co.uk> <20091028210831.GX84856@nerds.org.uk>
	<20091028224348.66ffa672@peterson.fenrir.org.uk>
	<D65A6685-F143-4A44-9DDC-CAECE8D12D6B@batten.eu.org>
	<20091029090132.GZ84856@nerds.org.uk>
	<02e601ca588b$1de49ae0$59add0a0$@net>
Message-ID: <87y6mux99j.fsf@mid.deneb.enyo.de>

* James Firth:

> The RIPA provisions prohibiting and providing sanctions in case of
> unlawful interception are limited to 'intentional' interception
> only, whereas the EU law requires Members States to prohibit and to
> ensure sanctions against any unlawful interception regardless of
> whether committed intentionally or not.

WTF?  Really?  German law (?88 TKG, ?202a StGB, ?206 StGB) requires
intent as well, and for good reason, IMHO.  (The German criminal code
does not explicitly qualify intent, it is always required unless
stated otherwise.)


From joeldharrison at googlemail.com  Fri Oct 30 01:30:36 2009
From: joeldharrison at googlemail.com (Joel Harrison)
Date: Fri, 30 Oct 2009 01:30:36 +0000
Subject: EC Infringement Proceedings Against UK Electronic Privacy Move to
	"Phase 2"
In-Reply-To: <87A6D89C0D9E3E4E94253D25B8F9B2E7113356@DB3EX14MBXC316.europe.corp.microsoft.com>
References: <E1N2lFk-0002i1-00@mta2.cl.cam.ac.uk>
	<CFA39A71D77840739E33CBC90E80694A@your41b8d18ede>
	<DC7CBB7C-D7D1-4684-B0D8-E9DFB492DBDC@batten.eu.org>
	<4AE8A3E9.8020004@gmx.co.uk>	<20091028210831.GX84856@nerds.org.uk>
	<20091028224348.66ffa672@peterson.fenrir.org.uk>
	<D65A6685-F143-4A44-9DDC-CAECE8D12D6B@batten.eu.org>
	<20091029090132.GZ84856@nerds.org.uk>
	<02e601ca588b$1de49ae0$59add0a0$@net>
	<87A6D89C0D9E3E4E94253D25B8F9B2E7113356@DB3EX14MBXC316.europe.corp.microsoft.com>
Message-ID: <8799112C-9B21-4A29-9DE8-E83ACB33A9D2@googlemail.com>

The intent issue is a bit of a non-point as far as I'm concerned. Are  
cases of inadvertent or accidental interception really all that common?

A person might not realise that the acts he's performing amount to an  
interception. But as long as he intends to perform those acts, he has  
intentionally carried out an interception within the meaning of RIPA  
s1.  It doesn't matter whether he knows the legal definition of  
"interception".

Similarly, a person may believe, reasonably but wrongly, that he has  
lawful authority for carrying out an interception (e.g. he may  
mistakenly believe both sender and recipient have consented to the  
interception). But, again, the interception is intentional.

I really don't see that the communicating public in the UK is beseiged  
by interceptions that are unintentional and, for that reason, cannot  
be prosecuted.  The other issue - whether reasonable belief of consent  
should be sufficient to make an intentional interception lawful - is  
much more significant IMO.

Joel

On 29 Oct 2009, at 19:03, Caspar Bowden <casparb at microsoft.com> wrote:

> Just fancy that ;-)
> ...
>> The RIPA provisions prohibiting and providing sanctions in case of  
>> unlawful >interception are limited to 'intentional' interception  
>> only, whereas the EU law >requires Members States to prohibit and  
>> to ensure sanctions against any unlawful >interception regardless  
>> of whether committed intentionally or not.
>
> admin at chiark.greenend.org.uk] On Behalf Of Caspar Bowden
> Sent: 16 April 2008 15:22
> To: ukcrypto at chiark.greenend.org.uk
> Subject: RE: EU says URLS and Search Terms _are_ PECR data
>
> <<<Recital (21) Measures should be taken to prevent unauthorised  
> access to communications in order to protect the confidentiality of  
> communications, ***INCLUDING BOTH THE CONTENTS AND ANY DATA RELATED  
> TO SUCH COMMUNICATIONS***, by means of public communications  
> networks and publicly available electronic communications services.  
> National legislation in some Member States only prohibits  
> INTENTIONAL unauthorised access to communications.
>
> Article 5 - Confidentiality of the communications
>
> 1. Member States shall ensure the confidentiality of communications  
> and the related traffic data by means of a public communications  
> network and publicly available electronic communications services,  
> through national legislation. In particular, they shall prohibit  
> listening, tapping, storage OR OTHER KINDS OF INTERCEPTION OR  
> SURVEILLANCE OF COMMUNICATIONS AND THE RELATED TRAFFIC DATA BY  
> PERSONS OTHER THAN USERS, WITHOUT THE CONSENT OF THE USERS  
> CONCERNED, except when legally authorised to do so in accordance  
> with Article 15(1). This paragraph shall not prevent technical  
> storage which is necessary for the conveyance of a communication  
> without prejudice to the principle of confidentiality>>>
>
> So there's an interesting twist here: Recital 21 flags up that some  
> member states only prohibit INTENTIONAL unauthorised access (with  
> the implication that those Member States should fix their laws). And  
> yea verily, S.1(1) of RIPA says
>
> <<< Unlawful interception
> 1(1) It shall be an offence for a person intentionally and without  
> lawful authority to intercept>>>
>
> So
>
> Q1. Was the end bit of Recital 21 having a dig at RIPA (amongst  
> other national laws)?
>


From pwt at iosis.co.uk  Fri Oct 30 07:03:47 2009
From: pwt at iosis.co.uk (Peter Tomlinson)
Date: Fri, 30 Oct 2009 07:03:47 +0000
Subject: EC Infringement Proceedings Against UK Electronic Privacy Move
	to	"Phase 2"
In-Reply-To: <8799112C-9B21-4A29-9DE8-E83ACB33A9D2@googlemail.com>
References: <E1N2lFk-0002i1-00@mta2.cl.cam.ac.uk>	<CFA39A71D77840739E33CBC90E80694A@your41b8d18ede>	<DC7CBB7C-D7D1-4684-B0D8-E9DFB492DBDC@batten.eu.org>	<4AE8A3E9.8020004@gmx.co.uk>	<20091028210831.GX84856@nerds.org.uk>	<20091028224348.66ffa672@peterson.fenrir.org.uk>	<D65A6685-F143-4A44-9DDC-CAECE8D12D6B@batten.eu.org>	<20091029090132.GZ84856@nerds.org.uk>	<02e601ca588b$1de49ae0$59add0a0$@net>	<87A6D89C0D9E3E4E94253D25B8F9B2E7113356@DB3EX14MBXC316.europe.corp.microsoft.com>
	<8799112C-9B21-4A29-9DE8-E83ACB33A9D2@googlemail.com>
Message-ID: <4AEA8FD3.9040009@iosis.co.uk>

It seems that the problem is the word 'interception', which carries the 
connotation of intention. Could it be that they are really trying to 
make us tougher on accidental monitoring? Or even on exposure of the 
information to others?

(Virgin - the blueyonder part - has recently had some problems with 
corruption of emails: header of one email with body of another, header 
downloaded for preview but following in its wake a different email, 
header a repeat of a previous email but no body following. So far I have 
no evidence that an email has got lost, and also I have not detected my 
receipt of anyone else's email - but it might happen. There again, its 
not the ISP that I generally use for receiving serious stuff, so I might 
have not realised that I'm missing emails - but my sending gets routed 
through them, and I wonder if anything got screwed on the way out.)

Peter

Joel Harrison wrote:
> The intent issue is a bit of a non-point as far as I'm concerned. Are 
> cases of inadvertent or accidental interception really all that common?
>
> A person might not realise that the acts he's performing amount to an 
> interception. But as long as he intends to perform those acts, he has 
> intentionally carried out an interception within the meaning of RIPA 
> s1.  It doesn't matter whether he knows the legal definition of 
> "interception".
>
> Similarly, a person may believe, reasonably but wrongly, that he has 
> lawful authority for carrying out an interception (e.g. he may 
> mistakenly believe both sender and recipient have consented to the 
> interception). But, again, the interception is intentional.
>
> I really don't see that the communicating public in the UK is beseiged 
> by interceptions that are unintentional and, for that reason, cannot 
> be prosecuted.  The other issue - whether reasonable belief of consent 
> should be sufficient to make an intentional interception lawful - is 
> much more significant IMO.
>
> Joel
>
> On 29 Oct 2009, at 19:03, Caspar Bowden <casparb at microsoft.com> wrote:
>
>> Just fancy that ;-)
>> ...
>>> The RIPA provisions prohibiting and providing sanctions in case of 
>>> unlawful >interception are limited to 'intentional' interception 
>>> only, whereas the EU law >requires Members States to prohibit and to 
>>> ensure sanctions against any unlawful >interception regardless of 
>>> whether committed intentionally or not.
>>
>> admin at chiark.greenend.org.uk] On Behalf Of Caspar Bowden
>> Sent: 16 April 2008 15:22
>> To: ukcrypto at chiark.greenend.org.uk
>> Subject: RE: EU says URLS and Search Terms _are_ PECR data
>>
>> <<<Recital (21) Measures should be taken to prevent unauthorised 
>> access to communications in order to protect the confidentiality of 
>> communications, ***INCLUDING BOTH THE CONTENTS AND ANY DATA RELATED 
>> TO SUCH COMMUNICATIONS***, by means of public communications networks 
>> and publicly available electronic communications services. National 
>> legislation in some Member States only prohibits INTENTIONAL 
>> unauthorised access to communications.
>>
>> Article 5 - Confidentiality of the communications
>>
>> 1. Member States shall ensure the confidentiality of communications 
>> and the related traffic data by means of a public communications 
>> network and publicly available electronic communications services, 
>> through national legislation. In particular, they shall prohibit 
>> listening, tapping, storage OR OTHER KINDS OF INTERCEPTION OR 
>> SURVEILLANCE OF COMMUNICATIONS AND THE RELATED TRAFFIC DATA BY 
>> PERSONS OTHER THAN USERS, WITHOUT THE CONSENT OF THE USERS CONCERNED, 
>> except when legally authorised to do so in accordance with Article 
>> 15(1). This paragraph shall not prevent technical storage which is 
>> necessary for the conveyance of a communication without prejudice to 
>> the principle of confidentiality>>>
>>
>> So there's an interesting twist here: Recital 21 flags up that some 
>> member states only prohibit INTENTIONAL unauthorised access (with the 
>> implication that those Member States should fix their laws). And yea 
>> verily, S.1(1) of RIPA says
>>
>> <<< Unlawful interception
>> 1(1) It shall be an offence for a person intentionally and without 
>> lawful authority to intercept>>>
>>
>> So
>>
>> Q1. Was the end bit of Recital 21 having a dig at RIPA (amongst other 
>> national laws)?
>>
>
>



From joeldharrison at googlemail.com  Fri Oct 30 08:39:29 2009
From: joeldharrison at googlemail.com (Joel Harrison)
Date: Fri, 30 Oct 2009 08:39:29 +0000
Subject: EC Infringement Proceedings Against UK Electronic Privacy Move to
	"Phase 2"
In-Reply-To: <4AEA8FD3.9040009@iosis.co.uk>
References: <E1N2lFk-0002i1-00@mta2.cl.cam.ac.uk>
	<CFA39A71D77840739E33CBC90E80694A@your41b8d18ede>
	<DC7CBB7C-D7D1-4684-B0D8-E9DFB492DBDC@batten.eu.org>
	<4AE8A3E9.8020004@gmx.co.uk>	<20091028210831.GX84856@nerds.org.uk>
	<20091028224348.66ffa672@peterson.fenrir.org.uk>
	<D65A6685-F143-4A44-9DDC-CAECE8D12D6B@batten.eu.org>
	<20091029090132.GZ84856@nerds.org.uk>	<02e601ca588b$1de49ae0$59add0a0$@net>
	<87A6D89C0D9E3E4E94253D25B8F9B2E7113356@DB3EX14MBXC316.europe.corp.microsoft.com>
	<8799112C-9B21-4A29-9DE8-E83ACB33A9D2@googlemail.com>
	<4AEA8FD3.9040009@iosis.co.uk>
Message-ID: <455D42BE-26D4-43C9-883B-38E15C0E7D9F@googlemail.com>

Well, art 5 of the Directive requires prohibition of listening,  
tapping, storage "or other kinds of interception or surveillance", so  
there's no point in the Commission getting sniffy. I don't think  
surveillance is any less loaded a word than interception.

On 30 Oct 2009, at 07:03, Peter Tomlinson <pwt at iosis.co.uk> wrote:

> It seems that the problem is the word 'interception', which carries  
> the connotation of intention. Could it be that they are really  
> trying to make us tougher on accidental monitoring? Or even on  
> exposure of the information to others?
>
> (Virgin - the blueyonder part - has recently had some problems with  
> corruption of emails: header of one email with body of another,  
> header downloaded for preview but following in its wake a different  
> email, header a repeat of a previous email but no body following. So  
> far I have no evidence that an email has got lost, and also I have  
> not detected my receipt of anyone else's email - but it might  
> happen. There again, its not the ISP that I generally use for  
> receiving serious stuff, so I might have not realised that I'm  
> missing emails - but my sending gets routed through them, and I  
> wonder if anything got screwed on the way out.)
>
> Peter
>
> Joel Harrison wrote:
>> The intent issue is a bit of a non-point as far as I'm concerned.  
>> Are cases of inadvertent or accidental interception really all that  
>> common?
>>
>> A person might not realise that the acts he's performing amount to  
>> an interception. But as long as he intends to perform those acts,  
>> he has intentionally carried out an interception within the meaning  
>> of RIPA s1.  It doesn't matter whether he knows the legal  
>> definition of "interception".
>>
>> Similarly, a person may believe, reasonably but wrongly, that he  
>> has lawful authority for carrying out an interception (e.g. he may  
>> mistakenly believe both sender and recipient have consented to the  
>> interception). But, again, the interception is intentional.
>>
>> I really don't see that the communicating public in the UK is  
>> beseiged by interceptions that are unintentional and, for that  
>> reason, cannot be prosecuted.  The other issue - whether reasonable  
>> belief of consent should be sufficient to make an intentional  
>> interception lawful - is much more significant IMO.
>>
>> Joel
>>
>> On 29 Oct 2009, at 19:03, Caspar Bowden <casparb at microsoft.com>  
>> wrote:
>>
>>> Just fancy that ;-)
>>> ...
>>>> The RIPA provisions prohibiting and providing sanctions in case  
>>>> of unlawful >interception are limited to 'intentional'  
>>>> interception only, whereas the EU law >requires Members States to  
>>>> prohibit and to ensure sanctions against any unlawful  
>>>> >interception regardless of whether committed intentionally or not.
>>>
>>> admin at chiark.greenend.org.uk] On Behalf Of Caspar Bowden
>>> Sent: 16 April 2008 15:22
>>> To: ukcrypto at chiark.greenend.org.uk
>>> Subject: RE: EU says URLS and Search Terms _are_ PECR data
>>>
>>> <<<Recital (21) Measures should be taken to prevent unauthorised  
>>> access to communications in order to protect the confidentiality  
>>> of communications, ***INCLUDING BOTH THE CONTENTS AND ANY DATA  
>>> RELATED TO SUCH COMMUNICATIONS***, by means of public  
>>> communications networks and publicly available electronic  
>>> communications services. National legislation in some Member  
>>> States only prohibits INTENTIONAL unauthorised access to  
>>> communications.
>>>
>>> Article 5 - Confidentiality of the communications
>>>
>>> 1. Member States shall ensure the confidentiality of  
>>> communications and the related traffic data by means of a public  
>>> communications network and publicly available electronic  
>>> communications services, through national legislation. In  
>>> particular, they shall prohibit listening, tapping, storage OR  
>>> OTHER KINDS OF INTERCEPTION OR SURVEILLANCE OF COMMUNICATIONS AND  
>>> THE RELATED TRAFFIC DATA BY PERSONS OTHER THAN USERS, WITHOUT THE  
>>> CONSENT OF THE USERS CONCERNED, except when legally authorised to  
>>> do so in accordance with Article 15(1). This paragraph shall not  
>>> prevent technical storage which is necessary for the conveyance of  
>>> a communication without prejudice to the principle of  
>>> confidentiality>>>
>>>
>>> So there's an interesting twist here: Recital 21 flags up that  
>>> some member states only prohibit INTENTIONAL unauthorised access  
>>> (with the implication that those Member States should fix their  
>>> laws). And yea verily, S.1(1) of RIPA says
>>>
>>> <<< Unlawful interception
>>> 1(1) It shall be an offence for a person intentionally and without  
>>> lawful authority to intercept>>>
>>>
>>> So
>>>
>>> Q1. Was the end bit of Recital 21 having a dig at RIPA (amongst  
>>> other national laws)?
>>>
>>
>>
>
>


From james2 at jfirth.net  Fri Oct 30 08:51:29 2009
From: james2 at jfirth.net (James Firth)
Date: Fri, 30 Oct 2009 08:51:29 -0000
Subject: EC Infringement Proceedings Against UK Electronic Privacy
	Move	to	"Phase 2"
In-Reply-To: <4AEA8FD3.9040009@iosis.co.uk>
References: <E1N2lFk-0002i1-00@mta2.cl.cam.ac.uk>	<CFA39A71D77840739E33CBC90E80694A@your41b8d18ede>	<DC7CBB7C-D7D1-4684-B0D8-E9DFB492DBDC@batten.eu.org>	<4AE8A3E9.8020004@gmx.co.uk>	<20091028210831.GX84856@nerds.org.uk>	<20091028224348.66ffa672@peterson.fenrir.org.uk>	<D65A6685-F143-4A44-9DDC-CAECE8D12D6B@batten.eu.org>	<20091029090132.GZ84856@nerds.org.uk>	<02e601ca588b$1de49ae0$59add0a0$@net>	<87A6D89C0D9E3E4E94253D25B8F9B2E7113356@DB3EX14MBXC316.europe.corp.microsoft.com>	<8799112C-9B21-4A29-9DE8-E83ACB33A9D2@googlemail.com>
	<4AEA8FD3.9040009@iosis.co.uk>
Message-ID: <012f01ca593e$2c1a3580$844ea080$@net>

Peter Tomlinson
> 
> It seems that the problem is the word 'interception', which carries the
> connotation of intention. Could it be that they are really trying to
> make us tougher on accidental monitoring? Or even on exposure of the
> information to others?

The EC action was apparently triggered by the BT trials of Phorm and the
subsequent refusal of all the relevant bodies to act, the police reportedly
citing the bizarre reason of lack of "criminal intent" (ref:
http://www.theregister.co.uk/2009/04/14/eu_phorm_formal/)

I can see why the EC has jumped on this loophole but the issue of "criminal
intent" should definitely not be confused with wilful unlawful interception.

Did you intend to intercept this traffic? Yes

Was there reasonable grounds to believe this would be a legally contentious
area? Yes

Did you believe you were authorised by warrant or had the consent of BOTH
parties to the communication? No

Okay, so they thought actually they didn't need consent of either party
because of some bizarre "implied consent" argument for what was described as
analogous to published content.  So they intended to intercept but didn't
intend to commit a crime.

--

Also I wonder why no mention of PECR (EC Directive) Regulations 2003 in the
EC press release, since the ICO has taken no action and the EC seem
concerned that transgressions of law should be punished.





From chris-ukcrypto at lists.skipnote.org  Fri Oct 30 09:18:47 2009
From: chris-ukcrypto at lists.skipnote.org (Chris Edwards)
Date: Fri, 30 Oct 2009 09:18:47 +0000 (GMT)
Subject: Wifi hot spots - 'not secure'
Message-ID: <Pine.SOC.4.64.0910300916200.20354@bowling.cent.gla.ac.uk>

What attack do we recon is performed here ?

 http://news.bbc.co.uk/1/hi/sci/tech/8332689.stm

Initially expected to see an SSL middle-person attack used to sniff passwd, 
with user clicking past a "bad-certificate warning".  But on watching, I 
think they took advantage of webmail services that by default use https 
for the login, then plain http thereafter (e.g hotmail).  Sniffing an 
authentication cookie, as transmitted with every request after the initial 
login, is sufficient to hijack the webmail session.

In which case, the open letter referred to in Richard Clayton's blog 
discussed the issues well:

 http://www.lightbluetouchpaper.org/2009/06/16/open-letter-to-google/

Then again, the inability of the victim to log out suggests the scammers 
are in the path, somehow.


From Ian.Johnson at uwe.ac.uk  Fri Oct 30 11:22:13 2009
From: Ian.Johnson at uwe.ac.uk (Ian Johnson)
Date: Fri, 30 Oct 2009 11:22:13 +0000
Subject: Wifi hot spots - 'not secure'
In-Reply-To: <Pine.SOC.4.64.0910300916200.20354@bowling.cent.gla.ac.uk>
References: <Pine.SOC.4.64.0910300916200.20354@bowling.cent.gla.ac.uk>
Message-ID: <1256901733.13238.7.camel@emperor.cems.uwe.ac.uk>

On Fri, 2009-10-30 at 09:18 +0000, Chris Edwards wrote:
> Initially expected to see an SSL middle-person attack used to sniff passwd, 
> with user clicking past a "bad-certificate warning".  

Which is extremely common - people are trained to do this.  All of my
employers wi-fi authentication servers present bad certificates. I doubt
more than a couple of people have even examined them.

Ian



This email was independently scanned for viruses by McAfee anti-virus software and none were found