From igb at batten.eu.org Sun Aug 1 07:58:43 2010
From: igb at batten.eu.org (Ian Batten)
Date: Sun, 01 Aug 2010 06:58:43 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To: <4C542A2C.5010706@pelicancrossing.net>
References: <4C54293C.1000901@iosis.co.uk> <4C542A2C.5010706@pelicancrossing.net>
Message-ID: <7ACD6A7F-2551-4669-AAE2-50A7B1EBAB18@batten.eu.org>

I got the impression at the time that the logic was that anything that tripped an IDS was an intrusion, and the harm lay in the fact that the operators had to analyse the logs, which is total madness.

ian (mobile, sorry for typos)

On 31 Jul 2010, at 14:50, "Wendy M. Grossman" wrote:

> Peter Tomlinson wrote:
>> Mary Hawking wrote:
>>> In message , ukcrypto-request at chiark.greenend.org.uk writes
>>>
>>>> On Fri, 30 Jul 2010, Peter Fairbrother wrote:
>>>>
>>>> | I don't get it.
>>>> |
>>>> | If I want to find out whether a site allows directory traversal - some sites
>>>> | do, some don't - how else am I going to find out other than adding a "/.." ?
>>>>
>>>> And it seems the tsunami hacker didn't even add "/.."
>>>>
>>>> - he simply truncated the URL, to find a parent or root page.
>>>
>>> I'm not sure I can get my head around the laws making this illegal - but I am sure that if truncating a URL to find a home page *is* illegal, the majority of ordinary internet users are criminals!
>>>
>>> I do it all the time - and it is often the *only* way to find the home page if you have been sent the URL for a document on a website, rather than the website itself.
>>>
>> I find it unbelievable that it's illegal, if only because it is so easy to do by mistake - so I do not even support the conditional discharge, because the prosecution should never have been brought.
>> I suppose that the physical world analogue is that you are tampering with a locked door if you send that message - but really you are just trying a doorknob, and thus the prosecutor should have to provide evidence that you have malicious intent. So you need to find an internet police person and report that somebody is tampering with your internet access - fat chance.
>
> It's not even trying a doorknob. It's more like finding two pages stuck together in a magazine and separating them, or finding a public street blocked and taking a detour to get to the street you're trying to get to.
>
> wg
>

From peter at pmsommer.com Sun Aug 1 08:17:16 2010
From: peter at pmsommer.com (Peter Sommer)
Date: Sun, 01 Aug 2010 07:17:16 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI,butis it interception?)
Message-ID: <16664076.427600.1280647030580.JavaMail.servlet@pustefix160.kundenserver.de>

You got the wrong impression. The judge's reasoning was that in the circumstances the directory traversal was an unauthorised access. Cuthbert was "authorised" to type in a valid URL and to move around the website via links, but not to re-form a URL for the purposes of exploring the contents of the web-server.

But, as I said, what set the police and the judge against him was his initial lack of candour and the attempt to suggest that the actions recorded by the IDS were the result of proxy server activity.

And can I repeat - this case sets no precedents: the judge decided on the day on the facts in front of him. All the points made in this thread why he could have decided otherwise were made by counsel and in my own evidence.

Peter Sommer

>I got the impression at the time that the logic was that anything that tripped
>an IDS was an intrusion, and the harm lay in the fact that the operators had
>to analyse the logs, which is total madness.
>
>ian
>

From james2 at jfirth.net Sun Aug 1 11:10:33 2010
From: james2 at jfirth.net (James Firth)
Date: Sun, 01 Aug 2010 10:10:33 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To: <4C54293C.1000901@iosis.co.uk>
References: <4C54293C.1000901@iosis.co.uk>
Message-ID: <003001cb3161$c42d8f60$4c88ae20$@net>

Peter Tomlinson wrote:
> Recently I was at an IAAC Working Group about being safe on the
> internet, and there the nature of the internet (wild and woolly) was
> discussed, and whether it could be made tame. Having thought about it
> both then and later, I'm of the opinion that the protection should be
> in both web server and user system, and that it should be routinely
> installed and configured in both, and be ubiquitous in its operation.
> So protection against inadvertent illegality needs to be there in the
> protection software in the user system, and the web server's system
> should protect against a user doing the illegal thing.

It already is and it's called protocols/standards/RFCs.

The server, as in a dedicated host offering professional services should protect itself against anything the "internet" throws against it, with the exception possibly of denial-of-service type attacks, which require some level of network protection.

Up list the mention of "anything else is unauthorised access": not under the CMA, unless it could be proved the attacker knew the consequences of his/her actions could prove denial of service, loss of data etc.

"anything else is..." perhaps a breach of contract depending on the Ts & Cs (and how enforceable those Ts & Cs are) of the website being visited (eg robots.txt etc).

The internet is doing a remarkable job protecting itself without government interference, considering the potential for harm and the likely rewards from certain large-scale attacks.

I wish the police would be as proactive in investigating fraud using the internet as they were in this case.
From basic auction seller fraud to phishing and in particular the hacking of home PCs.

Large corporations like BT can afford to and should be responsible for their own server resilience. The police simply should never have been involved.

In fact the payment industry gets very little truck from the police in investigating e.g. credit card fraud, as I found out from my personal experience when I tried to get the police to take further action in prosecuting the gang they uncovered in relation to my own losses. Too complex to track across national borders, they said. (All within the EU).

However the "little guy" whose home PC comes under daily bombardment from vulnerability probes and phishing emails gets very little help from law enforcement, even when they attempt to make a complaint(*)

James Firth

From Andrew.Cormack at ja.net Sun Aug 1 14:03:52 2010
From: Andrew.Cormack at ja.net (Andrew Cormack)
Date: Sun, 01 Aug 2010 13:03:52 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI,butis it interception?)
In-Reply-To: <16664076.427600.1280647030580.JavaMail.servlet@pustefix160.kundenserver.de>
References: <16664076.427600.1280647030580.JavaMail.servlet@pustefix160.kundenserver.de>
Message-ID: <24863A0F31158440B4B9417A02BCA4C0048BB8@EXC001.atlas.ukerna.ac.uk>

Also worth re-reading the definition of the offence in the CMA: there's no requirement for harm to be caused. From http://www.opsi.gov.uk/acts/acts1990/ukpga_19900018_en_1#pb1-l1g1

"1 Unauthorised access to computer material
(1) A person is guilty of an offence if -
(a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer;
(b) the access he intends to secure is unauthorised; and
(c) he knows at the time when he causes the computer to perform the function that that is the case."

There is some assistance in interpretation provided by sections 1(2) and 17, but those don't change the requirements for the offence.
As I read the judgment, the judge went through each of 1(1)(a), (b) & (c), concluded that all of them were true, and therefore the offence had been committed.

Incidentally there are plenty of other offences that don't require harm to have occurred: driving past a red traffic light is a crime whether or not you run into anyone.

Andrew

--
Andrew Cormack, Chief Regulatory Adviser
JANET(UK), Lumen House, Library Avenue, Harwell Science and Innovation Campus, Didcot, OX11 0SG, UK
Phone: +44 (0) 1235 822302
Fax: +44 (0) 1235 822399

JANET, the UK's education and research network

JANET(UK) is a trading name of The JNT Association, a company limited by guarantee which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Science and Innovation Campus, Didcot, Oxfordshire. OX11 0SG

> -----Original Message-----
> From: ukcrypto-bounces at chiark.greenend.org.uk [mailto:ukcrypto-bounces at chiark.greenend.org.uk] On Behalf Of Peter Sommer
> Sent: 01 August 2010 08:17
> To: ukcrypto at chiark.greenend.org.uk
> Subject: Re: Being safe on the internet (was Re: Here we go again - ISP DPI,butis it interception?)
>
> You got the wrong impression. The judge's reasoning was that in the
> circumstances the directory traversal was an unauthorised access.
> Cuthbert was "authorised" to type in a valid URL and to move around the
> website via links, but not to re-form a URL for the purposes of
> exploring the contents of the web-server.
>
> But, as I said, what set the police and the judge against him was his
> initial lack of candour and the attempt to suggest that the actions
> recorded by the IDS were the result of proxy server activity.
>
> And can I repeat - this case sets no precedents: the judge decided on
> the day on the facts in front of him. All the points made in this
> thread why he could have decided otherwise were made by counsel and in
> my own evidence.
>
> Peter Sommer
>
>
>
> >I got the impression at the time that the logic was that anything that tripped
> >an IDS was an intrusion, and the harm lay in the fact that the operators had
> >to analyse the logs, which is total madness.
> >
> >ian
>

From igb at batten.eu.org Sun Aug 1 21:40:30 2010
From: igb at batten.eu.org (Ian Batten)
Date: Sun, 01 Aug 2010 20:40:30 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To: <003001cb3161$c42d8f60$4c88ae20$@net>
References: <4C54293C.1000901@iosis.co.uk> <003001cb3161$c42d8f60$4c88ae20$@net>
Message-ID:

> > The server, as in a dedicated host offering professional services
> > should protect itself against anything the "internet" throws against it,

Except that's both contrary to the law in every other field, and incredibly elitist. Either it's an argument that the only people who should publish content on the Internet have to be elite security ninjas, or that the severity of the crime is inversely proportional to the presumed competence of the victim.

Banks should be expected to protect their branches, but shoving a shotgun into the face of the cashier is nonetheless a crime. I suspect James Firth's front door isn't JCB-proof, but I assume he'd regard someone who used a bulldozer to break into his house as a potential criminal.

ian

From pwt at iosis.co.uk Sun Aug 1 21:40:44 2010
From: pwt at iosis.co.uk (Peter Tomlinson)
Date: Sun, 01 Aug 2010 20:40:44 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To: <003001cb3161$c42d8f60$4c88ae20$@net>
References: <4C54293C.1000901@iosis.co.uk> <003001cb3161$c42d8f60$4c88ae20$@net>
Message-ID: <4C55DBC5.5060808@iosis.co.uk>

James Firth wrote:
> Peter Tomlinson wrote:
>
>> Recently I was at an IAAC Working Group about being safe on the
>> internet, and there the nature of the internet (wild and woolly) was
>> discussed, and whether it could be made tame. Having thought about it
>> both then and later, I'm of the opinion that the protection should be
>> in both web server and user system, and that it should be routinely
>> installed and configured in both, and be ubiquitous in its operation.
>> So protection against inadvertent illegality needs to be there in the
>> protection software in the user system, and the web server's system
>> should protect against a user doing the illegal thing.
>>
>
> It already is and it's called protocols/standards/RFCs.
>
> The server, as in a dedicated host offering professional services should
> protect itself against anything the "internet" throws against it, with the
> exception possibly of denial-of-service type attacks, which require some
> level of network protection.
>
> Up list the mention of "anything else is unauthorised access": not under the
> CMA, unless it could be proved the attacker knew the consequences of his/her
> actions could prove denial of service, loss of data etc.
>
> "anything else is..." perhaps a breach of contract depending on the Ts & Cs
> (and how enforceable those Ts & Cs are) of the website being visited (eg
> robots.txt etc).
>
> The internet is doing a remarkable job protecting itself without government
> interference, considering the potential for harm and the likely rewards from
> certain large-scale attacks.
>
> I wish the police would be as proactive in investigating fraud using the
> internet as they were in this case. From basic auction seller fraud to
> phishing and in particular the hacking of home PCs.
>
> Large corporations like BT can afford to and should be responsible for their
> own server resilience. The police simply should never have been involved.
>
> In fact the payment industry gets very little truck from the police in
> investigating e.g. credit card fraud, as I found out from my personal
> experience when I tried to get the police to take further action in
> prosecuting the gang they uncovered in relation to my own losses. Too
> complex to track across national borders, they said. (All within the EU).
>
> However the "little guy" whose home PC comes under daily bombardment from
> vulnerability probes and phishing emails gets very little help from law
> enforcement, even when they attempt to make a complaint(*)
>
> James Firth

James, you well illustrate the position that our discussion got to (although not everyone agreed). The line that I took is that the specifications and tools and internet best practice are there, so we should use them. Then you get to the point that was the starting assumption for the discussion: the problem for the little guy - so we need to ensure that it's routine to deploy the tools at millions of end points, and do so at low cost.

After discussing this with a couple of people not part of the IAAC discussion, I'm trying to write a paper suggesting a way forward. This is expected to be published on a web site operated by one of those other two.

Peter

From james2 at jfirth.net Sun Aug 1 23:27:05 2010
From: james2 at jfirth.net (James Firth)
Date: Sun, 01 Aug 2010 22:27:05 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To:
References: <4C54293C.1000901@iosis.co.uk> <003001cb3161$c42d8f60$4c88ae20$@net>
Message-ID: <54456.78.86.197.160.1280701624.squirrel@drop.daltonfirth.co.uk>

>>
>> The server, as in a dedicated host offering professional services
>> should protect itself against anything the "internet" throws against it,
>
> Except that's both contrary to the law in every other field, and
> incredibly elitist.

Did you read my whole post? And previous messages? I've been questioning why BT should be able to get police action in this case yet many smaller companies and private individuals are unable to get police action for these crimes.

In fact I'd say the tone of my messages was more socialist than elitist, yet if you'd suggested this it would have been equally insulting.

Thanks also for the selective quoting. Let's fill the gaps a bit:

> The server, as in a dedicated host offering professional services should
> protect itself against anything the "internet" throws against it, with the
> exception possibly of denial-of-service type attacks, which require some
> level of network protection.

- The exception of DDoS is my get out of jail free card for the JCB attack on my front door.

> I wish the police would be as proactive in investigating fraud using the
> internet as they were in this case. From basic auction seller fraud to
> phishing and in particular the hacking of home PCs.

- Elitist how?

> Large corporations like BT can afford to and should be responsible for their
> own server resilience. The police simply should never have been involved.

Large corporations shouldn't need to involve the police for minor questionable transgressions. Again, how is this elitist?

> However the "little guy" whose home PC comes under daily bombardment from
> vulnerability probes and phishing emails gets very little help from law
> enforcement, even when they attempt to make a complaint(*)

So I'm raising concerns that those who can't afford security are vulnerable.
I'm sorry but I really have to take issue with how my views can be seen as elitist simply because I suggest that most professional uses of the internet - especially involving organisations as large as BT - only have themselves to blame if their servers are vulnerable to common attack vectors of the kind hinted at in the case under discussion.

James Firth

From igb at batten.eu.org Mon Aug 2 07:43:08 2010
From: igb at batten.eu.org (Ian Batten)
Date: Mon, 02 Aug 2010 06:43:08 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To: <54456.78.86.197.160.1280701624.squirrel@drop.daltonfirth.co.uk>
References: <4C54293C.1000901@iosis.co.uk> <003001cb3161$c42d8f60$4c88ae20$@net> <54456.78.86.197.160.1280701624.squirrel@drop.daltonfirth.co.uk>
Message-ID: <3EDE2FD8-1D5C-4B38-A48B-B3DAE2155CC3@batten.eu.org>

On 1 Aug 2010, at 23:27, James Firth wrote:

>>>
>>> The server, as in a dedicated host offering professional services
>>> should protect itself against anything the "internet" throws against it,
>>
>> Except that's both contrary to the law in every other field, and
>> incredibly elitist.
>
> Did you read my whole post? And previous messages? I've been questioning
> why BT should be able to get police action in this case yet many smaller
> companies and private individuals are unable to get police action for
> these crimes.

Do you know that to be true? And even accepting, arguendo, that it is, why would the two be mutually exclusive? A more likely proposition would be that BT are in a position to frame actions as crimes, have people who understand both the law and evidence collection, have people who can give credible testimony in court and are unlikely to have been using compromised systems to store porn, warez and pirated films so are therefore willing to permit forensic examination. They are therefore able to work with the police effectively to bring a prosecution in a way individuals rarely can.
Moreover, as a large part of Internet crime --- including the attacks on the little man you mention --- equally besets large companies, isn't helping bring a prosecution against a miscreant also helping the people who cannot bring prosecutions? When Microsoft used the law to deal with a major spam operation last year, did you argue that they should just have used technical precautions because they are well able to deal with the problem, or did you applaud their showing solidarity with smaller operators upon whom the burden falls more heavily? I know I did the latter.

[[ Note that the precise details of the crime that raised this issue are irrelevant: you're arguing that BT should not be able to use the law to enforce much of anything outside major DDoS ]]

> I'm sorry but I really have to take issue with how my views can be seen as
> elitist simply because I suggest that most professional uses of the
> internet - especially involving organisations as large as BT - only have
> themselves to blame if their servers are vulnerable to common attack
> vectors of the kind hinted at in the case under discussion.

No, the people to blame for crimes are the criminals. As to whether a crime was committed in the instant case, well, the magistrate held there had been (and Peter Sommer is saying that the accused was not transparent about the events). Blaming the victim is rarely acceptable (theft from unlocked cars is still theft). If you wave an unconvincing imitation firearm in a bank and then run off as the bandit screens descend, your professional target (the bank) has been able to defend itself against a common attack vector (incompetent stick-ups). You'll still get five years.

ian
From maryhawking at tigers.demon.co.uk Mon Aug 2 08:45:34 2010
From: maryhawking at tigers.demon.co.uk (Mary Hawking)
Date: Mon, 02 Aug 2010 07:45:34 -0000
Subject: Blackberries, encryption and other mobile phones
Message-ID:

According to Radio 4 Today this morning, the UAE is banning some functions of Blackberries because they are encrypted, the servers are outside the UAE and Blackberry has refused to allow access to the encrypted messages and calls, and regard this as a security threat.
The piece also said that they are not banning iPhones and, by implication, other mobiles: does this mean that the traffic on these is available to the UAE security forces, at any rate, when used within their territory?

I'm about to change from an ancient Nokia and have been considering Blackberry, iPhone and Android (not necessarily in that order): what are the security models of each, and do they depend on the handset or the network?
I.e. if I continue with O2 and get a Blackberry, does the handling of the messages depend on the device (Blackberry) or the network supplier (O2), and would it be different if I got an iPhone (or one of the Android phones) but still stayed with O2?

Confused.

Mary Hawking
non-techie GP
--
Mary Hawking

From pwt at iosis.co.uk Mon Aug 2 09:11:46 2010
From: pwt at iosis.co.uk (Peter Tomlinson)
Date: Mon, 02 Aug 2010 08:11:46 -0000
Subject: Blackberries, encryption and other mobile phones
In-Reply-To:
References:
Message-ID: <4C567D98.5060806@iosis.co.uk>

This topic rattled around on R4 Today programme, and seemed to settle on:
- Blackberry emails are encrypted (nothing mentioned about any network provider effects)
- not just UAE but also Abu Dhabi have announced bans, with different dates for implementing
- India was also concerned but appears to have come to some arrangement with Blackberry

So maybe UAE and AD are posturing, and want the same deal that India has got. I know nothing about the activities of national security organisations...
Peter

Mary Hawking wrote:
> According to Radio 4 Today this morning, the UAE is banning some
> functions of Blackberries because they are encrypted, the servers are
> outside the UAE and Blackberry has refused to allow access to the
> encrypted messages and calls and regard this as a security threat.
> The piece also said that they are not banning iPhones and, by
> implication, other mobiles: does this mean that the traffic on these
> is available to the UAE security forces, at any rate, when used within
> their territory?
>
> I'm about to change from an ancient Nokia and have been considering
> Blackberry, iPhone and Android (not necessarily in that order): what
> are the security models of each, and do they depend on the handset or
> the network?
> I.e. if I continue with O2 and get a Blackberry, does the handling of
> the messages depend on the device (Blackberry) or the network supplier
> (O2), and would it be different if I got an iPhone (or one of the
> Android phones) but still stayed with O2?
>
> Confused.
>
> Mary Hawking
> non-techie GP

From james2 at jfirth.net Mon Aug 2 09:34:46 2010
From: james2 at jfirth.net (James Firth)
Date: Mon, 02 Aug 2010 08:34:46 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To: <3EDE2FD8-1D5C-4B38-A48B-B3DAE2155CC3@batten.eu.org>
References: <4C54293C.1000901@iosis.co.uk> <003001cb3161$c42d8f60$4c88ae20$@net> <54456.78.86.197.160.1280701624.squirrel@drop.daltonfirth.co.uk> <3EDE2FD8-1D5C-4B38-A48B-B3DAE2155CC3@batten.eu.org>
Message-ID: <50854.78.86.197.160.1280738084.squirrel@drop.daltonfirth.co.uk>

Ian Batten wrote:
> A more likely proposition would be that BT are in a position to frame
> actions as crimes,

I don't accept your analogies to imitation firearms or even thefts from cars, locked or unlocked. As you succinctly put it "BT are in a position to *frame* actions as crimes".

It is this which I object to.
A Tesco employee is (was at least) given comprehensive training on how to deal with shoplifters.

Merely acting suspiciously, even taking products and hiding them under coats, nests of bags or even one's hat should not be acted upon - even though I suspect this could be shown as conspiracy to commit theft. The employee is trained to gather any available evidence and wait until the point at which a crime is committed - the items are removed from the shop.

It is my view that BT are a large organisation and should therefore be in a position to understand the CMA and take proportionate action, only involving the police where necessary.

Unless the actions a.) did cause harm (cf. goods have been taken from the shop) or b.) there is clear and overwhelming evidence of a substantial attack which if left unchecked could cause damage (cf. clear evidence of a conspiracy to commit theft) large operators should know full well that sending correctly-formed protocol requests is not sufficient evidence to bother wasting the police or court time.

This is the gist of my clearly elitist argument.

James Firth

From pwt at iosis.co.uk Mon Aug 2 10:09:56 2010
From: pwt at iosis.co.uk (Peter Tomlinson)
Date: Mon, 02 Aug 2010 09:09:56 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To: <50854.78.86.197.160.1280738084.squirrel@drop.daltonfirth.co.uk>
References: <4C54293C.1000901@iosis.co.uk> <003001cb3161$c42d8f60$4c88ae20$@net> <54456.78.86.197.160.1280701624.squirrel@drop.daltonfirth.co.uk> <3EDE2FD8-1D5C-4B38-A48B-B3DAE2155CC3@batten.eu.org> <50854.78.86.197.160.1280738084.squirrel@drop.daltonfirth.co.uk>
Message-ID: <4C568B59.1030500@iosis.co.uk>

James Firth wrote:
> Ian Batten wrote:
>
>> A more likely proposition would be that BT are in a position to frame
>> actions as crimes,
>>
> I don't accept your analogies to imitation firearms or even thefts from
> cars, locked or unlocked.
> As you succinctly put it "BT are in a position
> to *frame* actions as crimes".
>
> It is this which I object to. A Tesco employee is (was at least) given
> comprehensive training on how to deal with shoplifters.
>
> Merely acting suspiciously, even taking products and hiding them under
> coats, nests of bags or even one's hat should not be acted upon - even
> though I suspect this could be shown as conspiracy to commit theft. The
> employee is trained to gather any available evidence and wait until the
> point at which a crime is committed - the items are removed from the shop.
>
> It is my view that BT are a large organisation and should therefore be in
> a position to understand the CMA and take proportionate action, only
> involving the police where necessary.
>
> Unless the actions a.) did cause harm (cf. goods have been taken from the
> shop) or b.) there is clear and overwhelming evidence of a substantial
> attack which if left unchecked could cause damage (cf. clear evidence of a
> conspiracy to commit theft) large operators should know full well that
> sending correctly-formed protocol requests is not sufficient evidence to
> bother wasting the police or court time.
>
> This is the gist of my clearly elitist argument.
>

And my argument is that protective measures for the user should be ubiquitous, free of charge for the core protection service, routinely installed and automatic in operation [1]. Thus not elitist. This is because the physical world analogies don't really have force in cyberspace.

Whether, in the light of the current Blackberry fuss about encrypted email (UAE, Abu Dhabi, India - according to R4 Today), one's email service should routinely turn you on to encrypted email, is a discussion topic.
Peter

[1] I wish that Firefox would get its act together on certificate checking (either fix it or tell me clearly if I can configure it differently) - after getting a strong warning that the IAAC web site's https certificate provider was not known, I contacted the organisation and was told that they have a bona fide certificate from a bona fide CA (was given the basic details).

From matthew at pemble.net Mon Aug 2 11:35:22 2010
From: matthew at pemble.net (Matthew Pemble)
Date: Mon, 02 Aug 2010 10:35:22 -0000
Subject: Blackberries, encryption and other mobile phones
In-Reply-To: <4C567D98.5060806@iosis.co.uk>
References: <4C567D98.5060806@iosis.co.uk>
Message-ID:

Folks,

On 2 August 2010 09:11, Peter Tomlinson wrote:
>
> - not just UAE but also Abu Dhabi have announced bans, with different dates
> for implementing
>

I didn't listen to Today - but surely Abu Dhabi is the largest of the UA Emirates? The BBC News page (http://www.bbc.co.uk/news/world-middle-east-10830485) mentions Saudi instead.

Mary Hawking wrote:
>
>> I'm about to change from an ancient Nokia and have been considering
>> Blackberry, iPhone and Android (not necessarily in that order): what are the
>> security models of each, and do they depend on the handset or the network?
>>

Both - and the precise way you implement (or purchase) them.

>> I.e. if I continue with O2 and get a Blackberry, does the handling of the
>> messages depend on the device (Blackberry) or the network supplier (O2), and
>> would it be different if I got an iPhone (or one of the Android phones) but
>> still stayed with O2?
>>

It rather depends (unfortunately, for the non-techies amongst us). If you run your own email server and pick mail up via HTTPS or, with a Blackberry, you run your own Blackberry Enterprise Server (I don't know what happens with the free "BES Express" package), your email is protected from snooping over the mobile connection.
Obviously, if you use a service provider email account (including consumer Blackberry packages) or a non-encrypted connection, then your mail can be snooped by the provider (obviously) and, potentially, by people with radio intercept capabilities.

Of course, if the email comes to you clear-text, it can be snooped (the non-triviality of fishing your particular email out of the millions notwithstanding) before it gets into your protected environment. There is a general, albeit low-scale still, move towards encrypting mail server to mail server comms (now using the STARTTLS SMTP extension, rather than GPG/PGPing sensitive things up like the more paranoid of us have for some time.)

M.

--
Matthew Pemble

From james2 at jfirth.net Mon Aug 2 11:51:33 2010
From: james2 at jfirth.net (James Firth)
Date: Mon, 02 Aug 2010 10:51:33 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To: <4C568B59.1030500@iosis.co.uk>
References: <4C54293C.1000901@iosis.co.uk> <003001cb3161$c42d8f60$4c88ae20$@net> <54456.78.86.197.160.1280701624.squirrel@drop.daltonfirth.co.uk> <3EDE2FD8-1D5C-4B38-A48B-B3DAE2155CC3@batten.eu.org> <50854.78.86.197.160.1280738084.squirrel@drop.daltonfirth.co.uk> <4C568B59.1030500@iosis.co.uk>
Message-ID: <139101cb3230$a8de21a0$fa9a64e0$@net>

Peter Tomlinson wrote:
> And my argument is that protective measures for the user should be
> ubiquitous, free of charge for the core protection service, routinely
> installed and automatic in operation [1]. Thus not elitist.

Elitism was an aside thrown in by Ian but with such systems I would tend to look for any civil liberties issues associated with ubiquitous facilities attached to networked public communications systems. Obviously I can't comment without further details and look forward to reading your paper when completed.
James Firth

From jon+ukcrypto at unequivocal.co.uk Mon Aug 2 12:00:24 2010
From: jon+ukcrypto at unequivocal.co.uk (Jon Ribbens)
Date: Mon, 02 Aug 2010 11:00:24 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To: <4C568B59.1030500@iosis.co.uk>
References: <4C54293C.1000901@iosis.co.uk> <003001cb3161$c42d8f60$4c88ae20$@net> <54456.78.86.197.160.1280701624.squirrel@drop.daltonfirth.co.uk> <3EDE2FD8-1D5C-4B38-A48B-B3DAE2155CC3@batten.eu.org> <50854.78.86.197.160.1280738084.squirrel@drop.daltonfirth.co.uk> <4C568B59.1030500@iosis.co.uk>
Message-ID: <20100802110024.GR29810@snowy.squish.net>

On Mon, Aug 02, 2010 at 10:09:45AM +0100, Peter Tomlinson wrote:
> [1] I wish that Firefox would get its act together on certificate checking (either fix it or tell me clearly if I can configure it differently) - after getting a strong warning that the IAAC web site's https certificate provider was not known, I contacted the organisation and was told that they have a bona fide certificate from a bona fide CA (was given the basic details).

Could you give an example URL? Personally I would not trust a CA if Firefox doesn't know it. I wouldn't necessarily trust a CA if Firefox *does* know it, for that matter, but we don't get much choice.

From lists at barnfather.net Mon Aug 2 12:27:22 2010
From: lists at barnfather.net (Paul Barnfather)
Date: Mon, 02 Aug 2010 11:27:22 -0000
Subject: Blackberries, encryption and other mobile phones
In-Reply-To:
References:
Message-ID:

On 2 August 2010 08:44, Mary Hawking wrote:
> would it be different if I got an iPhone (or one of the Android phones) but still stayed with O2?

On my Android phone, the email client is set (by default) to send and receive mail via Google using SSL-encrypted protocols. Intercepting the (email) communication on this device would presumably present a similar challenge to the UAE authorities.
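Matthew Pemble's remark about STARTTLS, Paul Barnfather's about SSL-protected mail and Jon Ribbens' about not trusting a CA the browser does not know all come down to one client-side decision: encryption only helps if the client insists on it and verifies who it is talking to. The Python below is an added example, not code from the thread or from any product it mentions. It parses an SMTP EHLO reply, applies a fail-closed policy when STARTTLS is not advertised (the case an opportunistic client silently accepts), and builds the verifying TLS context that would be handed to `smtplib`. The EHLO replies and host names are constructed sample data; `open_secured_session` is a hypothetical wrapper for a real server and is not exercised offline.

```python
"""Fail-closed STARTTLS handling for a mail client (added example, not
code from the ukcrypto thread or any product named in it).  The EHLO
replies below are constructed samples, not captured from a real server."""
import smtplib
import ssl

# Constructed sample: a server that offers STARTTLS.
EHLO_WITH_STARTTLS = (
    "250-mail.example.net Hello client.example.org\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250-ENHANCEDSTATUSCODES\r\n"
    "250 PIPELINING\r\n"
)

# Constructed sample: the same server as seen over a path on which the
# STARTTLS keyword has been removed or overwritten.  An opportunistic
# client cannot tell this from a server that never supported TLS.
EHLO_DOWNGRADED = (
    "250-mail.example.net Hello client.example.org\r\n"
    "250-SIZE 52428800\r\n"
    "250-XXXXXXXX\r\n"
    "250-ENHANCEDSTATUSCODES\r\n"
    "250 PIPELINING\r\n"
)


class StartTlsNotOffered(Exception):
    """Policy requires TLS but the server did not advertise STARTTLS."""


def parse_ehlo(reply):
    """Return {KEYWORD: [params]} from a multi-line EHLO reply.

    Per RFC 5321 every line but the last reads "250-text" and the last
    "250 text"; the first line carries the server's domain and greeting,
    not a keyword.  A non-250 reply means EHLO failed: no capabilities.
    """
    lines = reply.splitlines()
    if not lines or not lines[0].startswith("250"):
        return {}
    caps = {}
    for line in lines[1:]:
        if len(line) < 4 or not line.startswith("250") or line[3] not in "- ":
            raise ValueError("malformed EHLO reply line: %r" % line)
        body = line[4:].strip()
        if not body:
            continue
        keyword, *params = body.split()
        caps[keyword.upper()] = params
    return caps


def tls_decision(reply, require_tls=True):
    """What the client does after EHLO: 'starttls' if it was advertised,
    'plaintext' only in opportunistic mode, otherwise fail closed."""
    if "STARTTLS" in parse_ehlo(reply):
        return "starttls"
    if require_tls:
        raise StartTlsNotOffered("STARTTLS not advertised; refusing cleartext")
    return "plaintext"


def client_tls_context():
    """Context for the upgrade: chain verified against the trust store and
    host name checked, so a certificate from an unknown CA fails the
    handshake instead of producing a warning the user can click past."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def describe_context(ctx):
    """Policy settings of a context as plain values (for checking)."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "minimum_version": ctx.minimum_version.name,
    }


def open_secured_session(host, port=587):
    """Hypothetical wrapper: connect, EHLO, upgrade or refuse.  Not run
    offline; host and port are whatever the caller supplies."""
    smtp = smtplib.SMTP(host, port)
    try:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise StartTlsNotOffered("STARTTLS not advertised; refusing cleartext")
        smtp.starttls(context=client_tls_context())
        smtp.ehlo()  # capabilities must be re-read after the upgrade
        return smtp
    except Exception:
        smtp.close()
        raise
```

The point of the `EHLO_DOWNGRADED` sample is that with `require_tls=False` (the opportunistic mode most server-to-server mail still runs in) the client carries on in clear without any error, whereas the fail-closed policy raises and nothing is sent.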
From tugwilson at gmail.com Mon Aug 2 13:02:36 2010
From: tugwilson at gmail.com (John Wilson)
Date: Mon, 02 Aug 2010 12:02:36 -0000
Subject: Blackberries, encryption and other mobile phones
In-Reply-To:
References:
Message-ID:

On 2 August 2010 08:44, Mary Hawking wrote:
> According to Radio 4 Today this morning, the UAE is banning some functions of Blackberries because they are encrypted, the servers are outside the UAE and Blackberry has refused to allow access to the encrypted messages and calls and regard this as a security threat.
> The piece also said that they are not banning iPhones and, by implication, other mobiles: does this mean that the traffic on these is available to the UAE security forces, at any rate, when used within their territory?

As I understand it Blackberry uses a proprietary protocol for email (and, I think, IM). This is always encrypted (see http://na.blackberry.com/eng/ataglance/security/). The UAE blocks quite a few sites and seems to stop SSL access to some sites (see http://stuffmideast.com/2010/05/25/11864/google-gets-around-uae-web-ban/). I'm guessing that they will block SSL access to Google mail but allow non-SSL access; they don't have that option with the Blackberry as there's no non-encrypted version of the protocol.

> I'm about to change from an ancient Nokia and have been considering Blackberry, iPhone and Android (not necessarily in that order): what are the security models of each, and do they depend on the handset or the network?
> I.e. if I continue with O2 and get a Blackberry, does the handling of the messages depend on the device (Blackberry) or the network supplier (O2), and would it be different if I got an iPhone (or one of the Android phones) but still stayed with O2?

There's some interesting work going on to produce secure Android phones.
See http://guardianproject.info/

John Wilson

From tony.naggs at googlemail.com Mon Aug 2 13:17:45 2010
From: tony.naggs at googlemail.com (Tony Naggs)
Date: Mon, 02 Aug 2010 12:17:45 -0000
Subject: Blackberries, encryption and other mobile phones
In-Reply-To:
References:
Message-ID:

Hi

Well that is quite a few questions bundled together, so I will try to unpick them a little...

RIM (Research in Motion) Blackberry email uses a proprietary system to "push" notifications of new email to phones.

Larger businesses using RIM will typically license and run their own Blackberry Enterprise Server email service, sitting on a computer next to their mail servers. (Or possibly on the same computer these days?) The business manages its own security configuration, such as whether encryption is used, pays RIM handsomely and is responsible for conforming to local laws such as responding to search warrants. (E.g. where an employee is suspected of doing something illegal, such as drug dealing, where the police believe there may be evidence in the employee's emails.)

Smaller businesses pay RIM to use their regional servers. For their Blackberry users they forward emails to RIM, and the email arrival & content is notified to the user over an encrypted connection. Like any other communications provider RIM must conform to local rules on providing law enforcement access to the content of the communications. As UAE, India and Saudi Arabia appear unhappy with the kind of cooperation RIM must surely be giving in other territories, the inference is that these countries actually want blanket access to all email. (They would most likely say that this is justified by the local threat of terrorism.)

I am not sure how email works on the newer Blackberry devices being sold to consumers; I thought they use the standard Internet protocols that other phones use.
These are very often not encrypted, but the actual security will depend on combinations of configuration of the device and the remote access email service offered by your ISP.

I hope that clarifies things somewhat.

Cheers,
Tony

On 2 August 2010 08:44, Mary Hawking wrote:
> According to Radio 4 Today this morning, the UAE is banning some functions of Blackberries because they are encrypted, the servers are outside the UAE and Blackberry has refused to allow access to the encrypted messages and calls and regard this as a security threat.
> The piece also said that they are not banning iPhones and, by implication, other mobiles: does this mean that the traffic on these is available to the UAE security forces, at any rate, when used within their territory?
>
> I'm about to change from an ancient Nokia and have been considering Blackberry, iPhone and Android (not necessarily in that order): what are the security models of each, and do they depend on the handset or the network?
> I.e. if I continue with O2 and get a Blackberry, does the handling of the messages depend on the device (Blackberry) or the network supplier (O2), and would it be different if I got an iPhone (or one of the Android phones) but still stayed with O2?
>
> Confused.
>
> Mary Hawking
> non-techie GP
> --
> Mary Hawking

From adrianhayter at gmail.com Mon Aug 2 13:37:24 2010
From: adrianhayter at gmail.com (Adrian Hayter)
Date: Mon, 02 Aug 2010 12:37:24 -0000
Subject: Blackberries, encryption and other mobile phones
In-Reply-To:
References:
Message-ID:

In terms of email, it would depend on the protocol used, and the configuration of the protocol. For instance, I have an Android phone that is synced to my Google account, and Google Email uses SSL to encrypt mail both ways (sending & receiving). This is the case regardless of whether you use POP3 or IMAP.
However, encryption isn't a requirement for the POP3 and IMAP protocols to work, so it would depend on the email provider in that case.

-Adrian

On 2 Aug 2010, at 08:44, Mary Hawking wrote:
> According to Radio 4 Today this morning, the UAE is banning some functions of Blackberries because they are encrypted, the servers are outside the UAE and Blackberry has refused to allow access to the encrypted messages and calls and regard this as a security threat.
> The piece also said that they are not banning iPhones and, by implication, other mobiles: does this mean that the traffic on these is available to the UAE security forces, at any rate, when used within their territory?
>
> I'm about to change from an ancient Nokia and have been considering Blackberry, iPhone and Android (not necessarily in that order): what are the security models of each, and do they depend on the handset or the network?
> I.e. if I continue with O2 and get a Blackberry, does the handling of the messages depend on the device (Blackberry) or the network supplier (O2), and would it be different if I got an iPhone (or one of the Android phones) but still stayed with O2?
>
> Confused.
>
> Mary Hawking
> non-techie GP
> --
> Mary Hawking

From igb at batten.eu.org Mon Aug 2 14:13:26 2010
From: igb at batten.eu.org (Ian Batten)
Date: Mon, 02 Aug 2010 13:13:26 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To: <50854.78.86.197.160.1280738084.squirrel@drop.daltonfirth.co.uk>
References: <4C54293C.1000901@iosis.co.uk> <003001cb3161$c42d8f60$4c88ae20$@net> <54456.78.86.197.160.1280701624.squirrel@drop.daltonfirth.co.uk> <3EDE2FD8-1D5C-4B38-A48B-B3DAE2155CC3@batten.eu.org> <50854.78.86.197.160.1280738084.squirrel@drop.daltonfirth.co.uk>
Message-ID: <8DD401C9-BBD1-44A5-9132-63FD41F6C33A@batten.eu.org>

On 2 Aug 2010, at 09:34, James Firth wrote:
> It is this which I object to.
> A Tesco employee is (was at least) given comprehensive training on how to deal with shoplifters.
>
> Merely acting suspiciously, even taking products and hiding them under coats, nests of bags or even one's hat should not be acted upon - even though I suspect this could be shown as conspiracy to commit theft. The employee is trained to gather any available evidence and wait until the point at which a crime is committed - the items are removed from the shop.

I don't follow the argument. Tescos have a policy of always prosecuting shoplifting, as theft. Theft requires that the goods have left the shop. However, there are plenty of ways in which Tesco could reduce theft by customers to zero: mostly, they could put all the goods on one side of a wall, all the customers on the other, and only pass goods through a swing-bin in return for immediate payment. They don't: they put the stuff out on shelves, just asking to be stolen, and rely on the force of the law to deal with people that do so. There is an externality to their tempting array of goods, and they use the law to reduce some of that.

> It is my view that BT are a large organisation and should therefore be in a position to understand the CMA and take proportionate action, only involving the police where necessary.

Neither you nor I were in the court to judge "proportionate" and "necessary".

> Unless the actions a.) did cause harm (cf. goods have been taken from the shop) or b.) there is clear and overwhelming evidence of a substantial attack which if left unchecked could cause damage (cf. clear evidence of a conspiracy to commit theft) large operators should know full well that sending correctly-formed protocol requests is not sufficient evidence to bother wasting the police or court time.

The police and the CPS can, and often do, refuse to prosecute on the grounds of it not being worthwhile. On this occasion they took the prosecution to court.
Had they thought it was a waste of time, they have the absolute right to say so and send BT away with a flea in their ear.

ian

From clive at davros.org Mon Aug 2 14:22:50 2010
From: clive at davros.org (Clive D.W. Feather)
Date: Mon, 02 Aug 2010 13:22:50 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To: <8DD401C9-BBD1-44A5-9132-63FD41F6C33A@batten.eu.org>
References: <4C54293C.1000901@iosis.co.uk> <003001cb3161$c42d8f60$4c88ae20$@net> <54456.78.86.197.160.1280701624.squirrel@drop.daltonfirth.co.uk> <3EDE2FD8-1D5C-4B38-A48B-B3DAE2155CC3@batten.eu.org> <50854.78.86.197.160.1280738084.squirrel@drop.daltonfirth.co.uk> <8DD401C9-BBD1-44A5-9132-63FD41F6C33A@batten.eu.org>
Message-ID: <20100802132248.GF10354@davros.org>

Ian Batten said:
> I don't follow the argument. Tescos have a policy of always prosecuting shoplifting, as theft. Theft requires that the goods have left the shop.

Nitpick: theft requires that there be an intent to permanently deprive. It is a lot easier to convince a jury that said intent exists if the person is stopped after leaving the shop, but the offence is committed as soon as they put the item in their bag without the intent of paying.

For example, if someone takes a swimming costume into the changing room, puts it on under their clothes, and then continues shopping, the elements of the offence are all there even if they haven't left the shop, and you could probably get a conviction in practice.

-- 
Clive D.W. Feather | If you lie to the compiler,
Email: clive at davros.org | it will get its revenge.
Web: http://www.davros.org | - Henry Spencer
Mobile: +44 7973 377646

From clive at davros.org Mon Aug 2 14:25:47 2010
From: clive at davros.org (Clive D.W. Feather)
Date: Mon, 02 Aug 2010 13:25:47 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To:
References: <4C54293C.1000901@iosis.co.uk> <003001cb3161$c42d8f60$4c88ae20$@net>
Message-ID: <20100802132545.GG10354@davros.org>

Ian Batten said:
>> The server, as in a dedicated host offering professional services should protect itself against anything the "internet" throws against it,
> Except that's both contrary to the law in every other field, and incredibly elitist.

I disagree with you and agree with the intent of the statement.

A URL is a string of (to a first approximation) printable characters. A web server should be able to handle any string of printable characters in the URL field of the GET request and do something sensible with it. This might be a 403 or a 404, but it shouldn't be accessing files that it's not supposed to return to the user and it shouldn't do anything unauthorized.

-- 
Clive D.W. Feather | If you lie to the compiler,
Email: clive at davros.org | it will get its revenge.
Web: http://www.davros.org | - Henry Spencer
Mobile: +44 7973 377646

From james2 at jfirth.net Mon Aug 2 14:37:13 2010
From: james2 at jfirth.net (James Firth)
Date: Mon, 02 Aug 2010 13:37:13 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To: <20100802132248.GF10354@davros.org>
References: <4C54293C.1000901@iosis.co.uk> <003001cb3161$c42d8f60$4c88ae20$@net> <54456.78.86.197.160.1280701624.squirrel@drop.daltonfirth.co.uk> <3EDE2FD8-1D5C-4B38-A48B-B3DAE2155CC3@batten.eu.org> <50854.78.86.197.160.1280738084.squirrel@drop.daltonfirth.co.uk> <8DD401C9-BBD1-44A5-9132-63FD41F6C33A@batten.eu.org> <20100802132248.GF10354@davros.org>
Message-ID: <13d501cb3247$cd597590$680c60b0$@net>

Clive D.W. Feather wrote:
> Ian Batten said:
> > I don't follow the argument. Tescos have a policy of always prosecuting shoplifting, as theft. Theft requires that the goods have left the shop.
>
> Nitpick: theft requires that there be an intent to permanently deprive.
> It is a lot easier to convince a jury that said intent exists if the person is stopped after leaving the shop, but the offence is committed as soon as they put the item in their bag without the intent of paying.

Thank you, this is my point. That even though technically an offence *could* have been committed at the stage the item is taken and hidden from view, it is clearly in everyone's interest not to involve the police at this stage.

I for example am absent-minded and have on several occasions picked up a small product, such as a battery, and continued to walk around the store. A few times I've found myself without forethought placing the item in my pocket, only to recover and purchase the item. I have never to this date proceeded to leave the store.

I don't think it's in the public interest to involve the police at the first sign of anything that *might* be a crime. The smart thing for any company to do would be to monitor the situation; to wait and see, using my analogy, whether the intent translates into a clear crime as the shoplifter leaves the store.

James Firth

From igb at batten.eu.org Mon Aug 2 14:40:24 2010
From: igb at batten.eu.org (Ian Batten)
Date: Mon, 02 Aug 2010 13:40:24 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To: <20100802132545.GG10354@davros.org>
References: <4C54293C.1000901@iosis.co.uk> <003001cb3161$c42d8f60$4c88ae20$@net> <20100802132545.GG10354@davros.org>
Message-ID: <116FC0E0-B077-4A96-95D8-5D44FF32F42E@batten.eu.org>

On 2 Aug 2010, at 14:25, Clive D.W. Feather wrote:
> Ian Batten said:
>>> The server, as in a dedicated host offering professional services should protect itself against anything the "internet" throws against it,
>> Except that's both contrary to the law in every other field, and incredibly elitist.
>
> I disagree with you and agree with the intent of the statement.
>
> A URL is a string of (to a first approximation) printable characters. A web server should be able to handle any string of printable characters in the URL field of the GET request and do something sensible with it. This might be a 403 or a 404, but it shouldn't be accessing files that it's not supposed to return to the user and it shouldn't do anything unauthorized.

Sure, and as an engineer I agree with you. And my immediate reaction was that the Cuthbert case was an over-reaction, and I think the precise details of the case make for a tangential discussion. I'm very, very nervous about the idea that somehow attempting to break into computer systems should have a defence of (in essence) "had they wanted to secure it they should have done a better job" when that is not the case with any analogous crime. It smacks of blame the victim.

A door lock should be able to cope with any key being inserted and only open when the correct one is used, but wandering around with a set of lock picks is liable to get you prosecuted for "going equipped", and attempting to actually use them would be a further crime. If I lock my front door with a hypothetical one-lever lock that can be picked in a second while wearing boxing gloves, that might cause people to be less sympathetic when my house gets broken into and might lead to an interesting conversation with my insurance company if I tried to claim; it would not, however, be a defence for the burglar to say that it was my fault for not fitting a better lock.

Similarly bike locks, car alarms, etc: if I want to prevent the thing being stolen, it behoves me to use security measures suitable for the job, because having your stuff stolen is a pain. If I want my insurance to compensate me, they will set a minimum level of protection they expect me to use, and will potentially give me a discount for having more (my car has a magic-string-of-letters accredited immobiliser, and that's worth a few quid off the insurance).
However, whether I take those precautions or not is not at issue when someone is prosecuted - it's not a bigger offence to steal a bike secured with a bloody great big Kryptonite chain than it is to steal a bike secured with a lock from Poundland.

ian

From james2 at jfirth.net Mon Aug 2 14:41:22 2010
From: james2 at jfirth.net (James Firth)
Date: Mon, 02 Aug 2010 13:41:22 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To: <20100802132545.GG10354@davros.org>
References: <4C54293C.1000901@iosis.co.uk> <003001cb3161$c42d8f60$4c88ae20$@net> <20100802132545.GG10354@davros.org>
Message-ID: <13d801cb3248$61d1bac0$25753040$@net>

Clive D.W. Feather wrote:
> Ian Batten said:
> >> The server, as in a dedicated host offering professional services should protect itself against anything the "internet" throws against it,
> > Except that's both contrary to the law in every other field, and incredibly elitist.

Thank you for banking home your point but I have to respectfully disagree. I argue it's a pragmatic approach and in no way elitist.

> I disagree with you and agree with the intent of the statement.
>
> A URL is a string of (to a first approximation) printable characters. A web server should be able to handle any string of printable characters in the URL field of the GET request and do something sensible with it. This might be a 403 or a 404, but it shouldn't be accessing files that it's not supposed to return to the user and it shouldn't do anything unauthorized.

Also springs to mind the oft-used example of a person attempting to transport an open and unprotected case of gold coins through a crowded market. Is it criminal intent if otherwise law-abiding townsfolk attempt to grab a handful of coins?
James Firth

From igb at batten.eu.org Mon Aug 2 14:48:47 2010
From: igb at batten.eu.org (Ian Batten)
Date: Mon, 02 Aug 2010 13:48:47 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To: <13d801cb3248$61d1bac0$25753040$@net>
References: <4C54293C.1000901@iosis.co.uk> <003001cb3161$c42d8f60$4c88ae20$@net> <20100802132545.GG10354@davros.org> <13d801cb3248$61d1bac0$25753040$@net>
Message-ID:

> Also springs to mind the oft-used example of a person attempting to transport an open and unprotected case of gold coins through a crowded market. Is it criminal intent if otherwise law-abiding townsfolk attempt to grab a handful of coins?

Yes. Is this supposed to be something that requires deep thought?

ian

From james2 at jfirth.net Mon Aug 2 15:03:53 2010
From: james2 at jfirth.net (James Firth)
Date: Mon, 02 Aug 2010 14:03:53 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To:
References: <4C54293C.1000901@iosis.co.uk> <003001cb3161$c42d8f60$4c88ae20$@net> <20100802132545.GG10354@davros.org> <13d801cb3248$61d1bac0$25753040$@net>
Message-ID: <13de01cb324b$86d122e0$947368a0$@net>

> Yes. Is this supposed to be something that requires deep thought?

Clearly so. I'm a believer in small state - I don't think the state needs to be involved as a first resort in so many areas of life. Society is surprisingly capable, to a degree, of organising its own affairs with an excellent degree of fairness and democracy, given a robust legislative framework and judicial backstop.

This has proved to be the case to date with the internet. Structures outside of government with very few real powers have emerged to deal with the organisational issues of managing the global network across jurisdictions.

Cyber crime happens because it's currently easy. It would happen far less if it were less so.
The best way to prevent hacking is to build reliable systems, not a police state.

But many thanks for your own thoughts on police involvement as a first resort. I look forward to the day when the UK has enough dedicated police resources to deal with every CMA transgression and the necessary safeguards in place to protect against misuse of this vast army of cyber police by the incumbent government for its own ends.

James Firth

From adam at doublegeek.com Mon Aug 2 15:24:10 2010
From: adam at doublegeek.com (Adam Bradley)
Date: Mon, 02 Aug 2010 14:24:10 -0000
Subject: Blackberries, encryption and other mobile phones
In-Reply-To:
References:
Message-ID:

On Mon, Aug 2, 2010 at 12:12 PM, Tony Naggs wrote:
> I am not sure how email works on the newer Blackberry devices being sold to consumers, I thought they use the standard Internet protocols that other phones use. These are very often not encrypted, but the actual security will depend on combinations of configuration of the device and the remote access email service offered by your ISP.

As I understand it, the consumer devices use the same encrypted protocols to talk to RIM, and RIM (or possibly the network provider running some of RIM's software) then talks via standard POP/IMAP to the email server. Even when you run your own Blackberry Enterprise Server on site, communication is via RIM's infrastructure rather than direct from the device to the BES, though messages are encrypted at the BES so that even RIM cannot intercept them.

It's not clear from the stories I've read whether UAE is blocking the use of the servers or the devices - the latter could perhaps impact visitors with Blackberries.

Adam

From otcbn at callnetuk.com Mon Aug 2 16:31:29 2010
From: otcbn at callnetuk.com (Peter Mitchell)
Date: Mon, 02 Aug 2010 15:31:29 -0000
Subject: Here we go again - ISP DPI, but is it interception?
In-Reply-To: <20100730115101.00007a9e@surtees.fenrir.org.uk>
References: <58600.78.86.197.160.1280179559.squirrel@drop.daltonfirth.co.uk> <4C4E16F5.10400@zen.co.uk> <4C4E314E.7000609@zen.co.uk> <20100730101500.GC46989@davros.org> <4C52ABC6.5080908@ernest.net> <20100730115101.00007a9e@surtees.fenrir.org.uk>
Message-ID: <4C56E53B.2090209@callnetuk.com>

Brian Morrison wrote on 30-07-10 11:51:
> On Fri, 30 Jul 2010 11:39:02 +0100 Nicholas Bohm wrote:
>>> No they aren't. You may recall that, a couple of years ago, someone was convicted of computer misuse because he probed a site for malware - to be precise, he put "/.." on an URL.
>> Useful point: do you have a reference?
>
> Dan Cuthbert. He was trying to make a donation to a Tsunami relief charity web site and noted that the site was very slow and thought perhaps he might be being phished, so he truncated the URL back to just the host name. He was prosecuted for purely that action, possibly because as an IT professional the police thought he should realise that such an action would be unauthorised.

Which prompts three questions. How was it proved that such an action was indeed unauthorised? Why would Cuthbert think (a priori) that it was unauthorised? Why did the police think that Cuthbert would think that it was unauthorised?

A preposterous conviction and an even more preposterous prosecution.

-- 
Pete Mitchell

From bdm at fenrir.org.uk Mon Aug 2 16:46:58 2010
From: bdm at fenrir.org.uk (Brian Morrison)
Date: Mon, 02 Aug 2010 15:46:58 -0000
Subject: Here we go again - ISP DPI, but is it interception?
In-Reply-To: <4C56E53B.2090209@callnetuk.com>
References: <58600.78.86.197.160.1280179559.squirrel@drop.daltonfirth.co.uk> <4C4E16F5.10400@zen.co.uk> <4C4E314E.7000609@zen.co.uk> <20100730101500.GC46989@davros.org> <4C52ABC6.5080908@ernest.net> <20100730115101.00007a9e@surtees.fenrir.org.uk> <4C56E53B.2090209@callnetuk.com>
Message-ID: <20100802164651.00003dee@surtees.fenrir.org.uk>

On Mon, 02 Aug 2010 16:33:15 +0100 Peter Mitchell wrote:
> Brian Morrison wrote on 30-07-10 11:51:
> > On Fri, 30 Jul 2010 11:39:02 +0100 Nicholas Bohm wrote:
> >>> No they aren't. You may recall that, a couple of years ago, someone was convicted of computer misuse because he probed a site for malware - to be precise, he put "/.." on an URL.
> >> Useful point: do you have a reference?
> >
> > Dan Cuthbert. He was trying to make a donation to a Tsunami relief charity web site and noted that the site was very slow and thought perhaps he might be being phished, so he truncated the URL back to just the host name. He was prosecuted for purely that action, possibly because as an IT professional the police thought he should realise that such an action would be unauthorised.
>
> Which prompts three questions. How was it proved that such an action was indeed unauthorised? Why would Cuthbert think (a priori) that it was unauthorised? Why did the police think that Cuthbert would think that it was unauthorised?
>
> A preposterous conviction and an even more preposterous prosecution.

I think it's crazy too, even in the light of Cuthbert's change of line when interviewed.
-- 
Brian Morrison

From cryptome at earthlink.net Mon Aug 2 17:18:19 2010
From: cryptome at earthlink.net (John Young)
Date: Mon, 02 Aug 2010 16:18:19 -0000
Subject: Blackberries, encryption and other mobile phones
In-Reply-To:
References: <4C567D98.5060806@iosis.co.uk>
Message-ID:

The laws of a country determine security of communications, no matter the promises of the service provider and its technical profferings. Arrangements with countries are never truthful by arrangement, indeed by law and in most cases by secret law. This is conventional wisdom of comsec experts, not a few of whom are complicit, indeed, love the indeeds, few of whom are not complicit and those are in jail, dead broke, soon to be dead, or dead.

One dog whistle to recognize a die-hard comsec collaborator with governments is to have alluring claims of public interest and opposition to government surveillance loudly shouted, lectured about, advertised, long-resumed, most cited by the trusting gullible, and correlatively admired, envied, copied and collaborated with by those aspiring to the same booty.

These comsec charlatans, they call themselves falsely immodestly bragging of double-crossing nefaria essential to the industry, compete with one another by fierce attacks to expose one another's vulnerabilities, some openly via scam openness, with the ostensible public interest of revealing what some want desperately to hide, all the while aiming to hide what is not to be revealed except to those willing to pay very well for access.

A few countries publish almost credible accounts of law governing these matters. What is lacking in all cases is what the wizards writing the law know about misleading the public for what else, very good pay to keep the secrets among themselves, more or less.
The scoundrels do not trust one another for they know what lies within their scheming breasts: fear, uncertainty and doubt about the other schemers exceptionally eager to demolish the very best protection and lay the blame on the target. The very characteristics of public servants, professionals the vilest.

I am an unpaid amateur wishing to be of help thus a snitch.

From pwt at iosis.co.uk Tue Aug 3 07:32:07 2010
From: pwt at iosis.co.uk (Peter Tomlinson)
Date: Tue, 03 Aug 2010 06:32:07 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To: <20100802110024.GR29810@snowy.squish.net>
References: <4C54293C.1000901@iosis.co.uk> <003001cb3161$c42d8f60$4c88ae20$@net> <54456.78.86.197.160.1280701624.squirrel@drop.daltonfirth.co.uk> <3EDE2FD8-1D5C-4B38-A48B-B3DAE2155CC3@batten.eu.org> <50854.78.86.197.160.1280738084.squirrel@drop.daltonfirth.co.uk> <4C568B59.1030500@iosis.co.uk> <20100802110024.GR29810@snowy.squish.net>
Message-ID: <4C57B7D9.2040403@iosis.co.uk>

Jon Ribbens wrote:
> On Mon, Aug 02, 2010 at 10:09:45AM +0100, Peter Tomlinson wrote:
>> [1] I wish that Firefox would get its act together on certificate checking (either fix it or tell me clearly if I can configure it differently) - after getting a strong warning that the IAAC web site's https certificate provider was not known, I contacted the organisation and was told that they have a bona fide certificate from a bona fide CA (was given the basic details).
>
> Could you give an example URL? Personally I would not trust a CA if Firefox doesn't know it. I wouldn't necessarily trust a CA if Firefox *does* know it, for that matter, but we don't get much choice.
https://cybersecuritychallenge.org.uk/

Peter

From colinthomson1 at o2.co.uk Tue Aug 3 14:48:05 2010
From: colinthomson1 at o2.co.uk (Tom Thomson)
Date: Tue, 03 Aug 2010 13:48:05 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To: <4C57B7D9.2040403@iosis.co.uk>
References: <4C54293C.1000901@iosis.co.uk> <003001cb3161$c42d8f60$4c88ae20$@net> <54456.78.86.197.160.1280701624.squirrel@drop.daltonfirth.co.uk> <3EDE2FD8-1D5C-4B38-A48B-B3DAE2155CC3@batten.eu.org> <50854.78.86.197.160.1280738084.squirrel@drop.daltonfirth.co.uk> <4C568B59.1030500@iosis.co.uk> <20100802110024.GR29810@snowy.squish.net> <4C57B7D9.2040403@iosis.co.uk>
Message-ID:

Peter Tomlinson wrote:
> Jon Ribbens wrote:
> > On Mon, Aug 02, 2010 at 10:09:45AM +0100, Peter Tomlinson wrote:
> >> [1] I wish that Firefox would get its act together on certificate checking (either fix it or tell me clearly if I can configure it differently) - after getting a strong warning that the IAAC web site's https certificate provider was not known, I contacted the organisation and was told that they have a bona fide certificate from a bona fide CA (was given the basic details).
> >
> > Could you give an example URL? Personally I would not trust a CA if Firefox doesn't know it. I wouldn't necessarily trust a CA if Firefox *does* know it, for that matter, but we don't get much choice.
> https://cybersecuritychallenge.org.uk/
>
> Peter

Firefox doesn't have any problems with that site's certificate when I try it.

M.

From k.brown at bbk.ac.uk Tue Aug 3 15:05:35 2010
From: k.brown at bbk.ac.uk (ken)
Date: Tue, 03 Aug 2010 14:05:35 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To: <116FC0E0-B077-4A96-95D8-5D44FF32F42E@batten.eu.org> References: <4C54293C.1000901@iosis.co.uk> <003001cb3161$c42d8f60$4c88ae20$@net> <20100802132545.GG10354@davros.org> <116FC0E0-B077-4A96-95D8-5D44FF32F42E@batten.eu.org> Message-ID: <4C582229.3070908@bbk.ac.uk> On 30/07/2010 12:31, Wendy M. Grossman wrote: > How did they find out? I think we've > all often done that kind of thing. So is it as if, faced with a URL like: //jrandomserver.com/~user/directory/interestingdocument.html he then tried to browse: //jrandomserver.com/~user/directory/ //jrandomserver.com/~user/ //jrandomserver.com/ ? Because as Wendy says, we all do that. It's a normal way to use the Internet. It's probably my default action if I read an interesting post on a blog I haven't read before, or see a useful paper on something on an academic site. And sometimes looking for music files or images. I might not do it every day of my life, but I probably do it a number of times a week and have been for going on twenty years. On 02/08/2010 14:40, Ian Batten wrote: > I'm very, very > nervous about the idea that somehow attempting to break into computer > systems should have a defence of (in essence) "had they wanted to secure > it they should have done a better job" when that is not the case with > any analogous crime. It smacks of blame the victim. Yes, but if Cuthbert just moved up the tree to look at directory roots as in my example then that isn't obviously non-authorised. Some website owners want you to do that and provide a helpful menu or index for you. Some website owners don't want you to do that. The way to tell which is which is by trying. From lists at internetpolicyagency.com Tue Aug 3 15:33:26 2010 From: lists at internetpolicyagency.com (Roland Perry) Date: Tue, 03 Aug 2010 14:33:26 -0000 Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?) 
In-Reply-To: References: <4C54293C.1000901@iosis.co.uk> <003001cb3161$c42d8f60$4c88ae20$@net> <54456.78.86.197.160.1280701624.squirrel@drop.daltonfirth.co.uk> <3EDE2FD8-1D5C-4B38-A48B-B3DAE2155CC3@batten.eu.org> <50854.78.86.197.160.1280738084.squirrel@drop.daltonfirth.co.uk> <4C568B59.1030500@iosis.co.uk> <20100802110024.GR29810@snowy.squish.net> <4C57B7D9.2040403@iosis.co.uk> Message-ID: In article , Tom Thomson writes >> https://cybersecuritychallenge.org.uk/ >Firefox doesn't have any problems with that site's certificate when I try it. OK here as well (v3.6.7 for PC). -- Roland Perry From james2 at jfirth.net Tue Aug 3 15:35:21 2010 From: james2 at jfirth.net (James Firth) Date: Tue, 03 Aug 2010 14:35:21 -0000 Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?) In-Reply-To: References: <4C54293C.1000901@iosis.co.uk> <003001cb3161$c42d8f60$4c88ae20$@net> <54456.78.86.197.160.1280701624.squirrel@drop.daltonfirth.co.uk> <3EDE2FD8-1D5C-4B38-A48B-B3DAE2155CC3@batten.eu.org> <50854.78.86.197.160.1280738084.squirrel@drop.daltonfirth.co.uk> <4C568B59.1030500@iosis.co.uk> <20100802110024.GR29810@snowy.squish.net> <4C57B7D9.2040403@iosis.co.uk> Message-ID: <142201cb3319$124fa6c0$36eef440$@net> > In article , Tom > Thomson writes > > >> https://cybersecuritychallenge.org.uk/ > > >Firefox doesn't have any problems with that site's certificate when I > try it. > > OK here as well (v3.6.7 for PC). OK here too. Can you post the fingerprint you're getting from the certificate? There's 2 options: MitM (unlikely) or certificate missing from your client (likely) James Firth From igb at batten.eu.org Tue Aug 3 16:27:38 2010 From: igb at batten.eu.org (Ian Batten) Date: Tue, 03 Aug 2010 15:27:38 -0000 Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?) 
In-Reply-To: References: <4C54293C.1000901@iosis.co.uk> <003001cb3161$c42d8f60$4c88ae20$@net> <54456.78.86.197.160.1280701624.squirrel@drop.daltonfirth.co.uk> <3EDE2FD8-1D5C-4B38-A48B-B3DAE2155CC3@batten.eu.org> <50854.78.86.197.160.1280738084.squirrel@drop.daltonfirth.co.uk> <4C568B59.1030500@iosis.co.uk><20100802110024.GR29810@snowy.squish.net> <4C57B7D9.2040403@iosis.co.uk> Message-ID: >>> >> https://cybersecuritychallenge.org.uk/ >> >> Peter >> > Firefox doesn't have any problems with that site's certificate when > I try it. Fine on Safari 5 on OSX, too. ian From igb at batten.eu.org Tue Aug 3 16:28:55 2010 From: igb at batten.eu.org (Ian Batten) Date: Tue, 03 Aug 2010 15:28:55 -0000 Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?) In-Reply-To: <4C582229.3070908@bbk.ac.uk> References: <4C54293C.1000901@iosis.co.uk> <003001cb3161$c42d8f60$4c88ae20$@net> <20100802132545.GG10354@davros.org> <116FC0E0-B077-4A96-95D8-5D44FF32F42E@batten.eu.org> <4C582229.3070908@bbk.ac.uk> Message-ID: <84A18D9E-6744-4CBE-B1C2-FA7065DA4CD8@batten.eu.org> > > Yes, but if Cuthbert just moved up the tree to look at directory > roots as in my example then that isn't obviously non-authorised. > Some website owners want you to do that and provide a helpful menu > or index for you. Some website owners don't want you to do that. The > way to tell which is which is by trying. Peter Sommer said that rather than say what he'd done, he instead presented some story about proxy activity. That does rather complicate the story. ian From nbohm at ernest.net Tue Aug 3 16:29:07 2010 From: nbohm at ernest.net (Nicholas Bohm) Date: Tue, 03 Aug 2010 15:29:07 -0000 Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?) 
In-Reply-To: <4C582229.3070908@bbk.ac.uk> References: <4C54293C.1000901@iosis.co.uk> <003001cb3161$c42d8f60$4c88ae20$@net> <20100802132545.GG10354@davros.org> <116FC0E0-B077-4A96-95D8-5D44FF32F42E@batten.eu.org> <4C582229.3070908@bbk.ac.uk> Message-ID: <4C5835C0.9020803@ernest.net> An HTML attachment was scrubbed... URL: From pwt at iosis.co.uk Tue Aug 3 16:34:50 2010 From: pwt at iosis.co.uk (Peter Tomlinson) Date: Tue, 03 Aug 2010 15:34:50 -0000 Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?) In-Reply-To: <142201cb3319$124fa6c0$36eef440$@net> References: <4C54293C.1000901@iosis.co.uk> <003001cb3161$c42d8f60$4c88ae20$@net> <54456.78.86.197.160.1280701624.squirrel@drop.daltonfirth.co.uk> <3EDE2FD8-1D5C-4B38-A48B-B3DAE2155CC3@batten.eu.org> <50854.78.86.197.160.1280738084.squirrel@drop.daltonfirth.co.uk> <4C568B59.1030500@iosis.co.uk> <20100802110024.GR29810@snowy.squish.net> <4C57B7D9.2040403@iosis.co.uk> <142201cb3319$124fa6c0$36eef440$@net> Message-ID: <4C58370C.3030006@iosis.co.uk> James Firth wrote: >> In article , Tom >> Thomson writes >> >> >>>> https://cybersecuritychallenge.org.uk/ >>>> >>> Firefox doesn't have any problems with that site's certificate when I >>> >> try it. >> >> OK here as well (v3.6.7 for PC). >> > > OK here too. Can you post the fingerprint you're getting from the > certificate? There's 2 options: MitM (unlikely) or certificate missing from > your client (likely) > > James Firth Thanks all for the help. When I had the problems with several sites (which wasn't with v3.6.7 but with a slightly earlier version of FF), I created an exception for each of them - that put each cert in my list of certs accepted as exceptions, and indeed cybersec went in there. So now I have deleted the cybersec cert from the exceptions list and tried again - and now FF doesn't complain. So it looks like something in FF got altered/updated in the transition from v3.6.x (whatever it was that I had) to v3.6.7. 
As I think I noted earlier, I haven't had the shower of complaints from FF about certs since I upgraded. Peter From ukcrypto at philipkatz.eu Tue Aug 3 17:58:27 2010 From: ukcrypto at philipkatz.eu (ukcrypto at philipkatz.eu) Date: Tue, 03 Aug 2010 16:58:27 -0000 Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?) In-Reply-To: <4C58370C.3030006@iosis.co.uk> References: <4C54293C.1000901@iosis.co.uk> <003001cb3161$c42d8f60$4c88ae20$@net> <54456.78.86.197.160.1280701624.squirrel@drop.daltonfirth.co.uk> <3EDE2FD8-1D5C-4B38-A48B-B3DAE2155CC3@batten.eu.org> <50854.78.86.197.160.1280738084.squirrel@drop.daltonfirth.co.uk> <4C568B59.1030500@iosis.co.uk> <20100802110024.GR29810@snowy.squish.net> <4C57B7D9.2040403@iosis.co.uk> <142201cb3319$124fa6c0$36eef440$@net> <4C58370C.3030006@iosis.co.uk> Message-ID: <000901cb3324$b2b61df0$182259d0$@philipkatz.eu> > -----Original Message----- > From: ukcrypto-bounces at chiark.greenend.org.uk [mailto:ukcrypto- > bounces at chiark.greenend.org.uk] On Behalf Of Peter Tomlinson > So now I have deleted the cybersec cert from the exceptions list and > tried again - and now FF doesn't complain. So it looks like something in > FF got altered/updated in the transition from v3.6.x (whatever it was > that I had) to v3.6.7. As I think I noted earlier, I haven't had the > shower of complaints from FF about certs since I upgraded. I am surprised that so many people here are still using Firefox 3.6.7, when 3.6.8 has been out for a while ... When I try to view https://cybersecuritychallenge.org.uk/, Firefox displays the page, but I do get a warning (Red exclamation mark in the status bar) which warns me that "This page does not supply ownership information" and also that (despite the HTTPS) "Parts of the page you are viewing were not encrypted before being transmitted over the Internet". 
-- Philip From lists at internetpolicyagency.com Tue Aug 3 18:08:06 2010 From: lists at internetpolicyagency.com (Roland Perry) Date: Tue, 03 Aug 2010 17:08:06 -0000 Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?) In-Reply-To: <4C5835C0.9020803@ernest.net> References: <4C54293C.1000901@iosis.co.uk> <003001cb3161$c42d8f60$4c88ae20$@net> <20100802132545.GG10354@davros.org> <116FC0E0-B077-4A96-95D8-5D44FF32F42E@batten.eu.org> <4C582229.3070908@bbk.ac.uk> <4C5835C0.9020803@ernest.net> Message-ID: In article <4C5835C0.9020803 at ernest.net>, Nicholas Bohm writes >If the CMA makes it an offence to do the unauthorised (knowingly), and >we now know that the only things that give us authority is the use of >links provided by the webhost, then the CMA is producing a most >unsatisfactory result. The problem is its inbuilt assumption that >there is some easily ascertained distinction between what is authorised >and what is not, whereas in many cases it is hard to be sure My common sense says that if I am unauthorised to view a web page, then it will return some kind of error which demonstrates that I have not presented valid credentials. Although I am aware that this falls foul of the Law Enforcement model that if you stumble over an unlocked door, that doesn't mean you are allowed to open it and go inside. Although I might characterise it more as looking through a window where someone has failed to draw the curtains. I'm sure that risk (passers-by seeing what is on a computer screen) is one of those which businesses are advised to pay attention to, by the ICO, in their advice about complying with the seventh Data Protection principle. I'm also reminded of those council snoopers who are sent round to peer inside a house to see if it's really unoccupied (when the owner claims an exemption). Or are such expeditions authorised as RIPA surveillance these days? 
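
An added worked example, not from any message in this thread, of the two technical points just discussed: ken's walk up the URL tree (dropping the last path segment of //jrandomserver.com/~user/directory/interestingdocument.html step by step) and Roland Perry's expectation that a page one is not authorised to see answers with an explicit error rather than content. The Python below simulates a server policy: it normalises the request path the way a server does (so a "/.." sequence and a truncated URL land on the same resource, and ".." cannot climb above the document root), refuses directory listings with 403 unless listing is switched on, and demands HTTP Basic credentials for one folder with 401. The site layout, the /private/ folder and the user:secret credential are constructed for the example; the policy is an illustration, not any real server's configuration.

```python
# Added example (not from the thread): what a server sees when a visitor
# truncates a URL, and how an explicit policy turns each step into a status.
import base64
import posixpath
from urllib.parse import urlsplit, urlunsplit

# Constructed site layout for the example: path -> kind of resource.
SITE = {
    "/": "index",                                         # home page
    "/~user/": "listing",                                 # directory without an index page
    "/~user/directory/": "listing",                       # directory without an index page
    "/~user/directory/interestingdocument.html": "file",  # the document that was linked
    "/private/": "protected",                             # requires credentials
    "/private/report.html": "protected",
}
PROTECTED_PREFIX = "/private/"


def basic_credential(username, password):
    """Build the Authorization header value a browser sends for HTTP Basic."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return "Basic " + token


# Constructed credential for the example's protected folder.
VALID_AUTHORIZATION = basic_credential("user", "secret")


def normalize_path(path):
    """Resolve '.' and '..' as a server does before mapping a request path
    to a resource: '/~user/directory/../../' and '/' name the same thing,
    and '..' segments cannot climb above the document root."""
    if not path.startswith("/"):
        path = "/" + path
    norm = posixpath.normpath(path)
    # normpath drops a trailing slash; keep it so a directory stays distinct
    # from a file of the same name.
    if path.endswith("/") and not norm.endswith("/"):
        norm += "/"
    return norm


def parent_urls(url):
    """Yield the successive parents of a URL: the sequence a reader gets by
    deleting the last path segment in the address bar, one step at a time."""
    parts = urlsplit(url)
    path = normalize_path(parts.path)
    while path != "/":
        path = path.rstrip("/")
        path = path[: path.rfind("/") + 1]
        yield urlunsplit((parts.scheme, parts.netloc, path, "", ""))


def respond(request_path, authorization=None, autoindex=False):
    """Return the HTTP status this policy gives a request.

    autoindex=False is the conservative setting: a directory with no index
    page answers 403 instead of listing its contents. The protected folder
    answers 401 until valid Basic credentials are presented."""
    path = normalize_path(request_path)
    kind = SITE.get(path)
    if kind is None:
        return 404
    if path.startswith(PROTECTED_PREFIX) and authorization != VALID_AUTHORIZATION:
        return 401  # sent together with WWW-Authenticate: Basic realm="..."
    if kind == "listing" and not autoindex:
        return 403  # the directory exists, but listing it is refused
    return 200


def walk_up(url, authorization=None, autoindex=False):
    """Pair each parent URL with the status the policy returns for it."""
    return [(u, respond(urlsplit(u).path, authorization, autoindex))
            for u in parent_urls(url)]


if __name__ == "__main__":
    start = "http://jrandomserver.com/~user/directory/interestingdocument.html"
    for u, status in walk_up(start):
        print(status, u)
    print(respond("/~user/directory/../../"))  # same resource as "/"
```

With listing disabled the walk answers 403, 403, 200: the two intermediate directories are refused outright and only the home page is served, which is the explicit denial Roland describes. With autoindex=True the same walk is 200 throughout, which is the "helpful menu or index" ken mentions; the owner's choice of setting, not the visitor's typing, decides which of the two the visitor sees.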
-- Roland Perry From lists at internetpolicyagency.com Tue Aug 3 18:12:46 2010 From: lists at internetpolicyagency.com (Roland Perry) Date: Tue, 03 Aug 2010 17:12:46 -0000 Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?) In-Reply-To: <000901cb3324$b2b61df0$182259d0$@philipkatz.eu> References: <4C54293C.1000901@iosis.co.uk> <003001cb3161$c42d8f60$4c88ae20$@net> <54456.78.86.197.160.1280701624.squirrel@drop.daltonfirth.co.uk> <3EDE2FD8-1D5C-4B38-A48B-B3DAE2155CC3@batten.eu.org> <50854.78.86.197.160.1280738084.squirrel@drop.daltonfirth.co.uk> <4C568B59.1030500@iosis.co.uk> <20100802110024.GR29810@snowy.squish.net> <4C57B7D9.2040403@iosis.co.uk> <142201cb3319$124fa6c0$36eef440$@net> <4C58370C.3030006@iosis.co.uk> <000901cb3324$b2b61df0$182259d0$@philipkatz.eu> Message-ID: <+b3IJFf22EWMFANs@perry.co.uk> In article <000901cb3324$b2b61df0$182259d0$@philipkatz.eu>, ukcrypto at philipkatz.eu writes >I am surprised that so many people here are still using Firefox 3.6.7, when >3.6.8 has been out for a while ... I'm surprised too... because Firefox nags me almost daily to download one kind of patch or another; yet hasn't told me about that update yet. My PC is less than a month old, and I installed whatever was the claimed latest version when setting it up. This churn of application versions is becoming a serious irritant. -- Roland Perry From nbohm at ernest.net Tue Aug 3 18:53:31 2010 From: nbohm at ernest.net (Nicholas Bohm) Date: Tue, 03 Aug 2010 17:53:31 -0000 Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?) 
In-Reply-To: References: <4C54293C.1000901@iosis.co.uk> <003001cb3161$c42d8f60$4c88ae20$@net> <20100802132545.GG10354@davros.org> <116FC0E0-B077-4A96-95D8-5D44FF32F42E@batten.eu.org> <4C582229.3070908@bbk.ac.uk> <4C5835C0.9020803@ernest.net> Message-ID: <4C58579A.40208@ernest.net> Roland Perry wrote: > In article <4C5835C0.9020803 at ernest.net>, Nicholas Bohm > writes >> If the CMA makes it an offence to do the unauthorised (knowingly), >> and we now know that the only things that give us authority is the >> use of links provided by the webhost, then the CMA is producing a >> most unsatisfactory result. The problem is its inbuilt assumption >> that there is some easily ascertained distinction between what is >> authorised and what is not, whereas in many cases it is hard to be sure > > My common sense says that if I am unauthorised to view a web page, > then it will return some kind of error which demonstrates that I have > not presented valid credentials. That occurred to me too, after I wrote previously. It happens from time to time that I'm told I'm not authorised to see a page. Although I don't know the procedure for protecting a page or folder in this way, I imagine it's trivial to find out and apply it when wanted. It seems arguable that it isn't unauthorised to access a page unless an attempt at access is met with a notice to that effect. > Although I am aware that this falls foul of the Law Enforcement model > that if you stumble over an unlocked door, that doesn't mean you are > allowed to open it and go inside. Although I might characterise it > more as looking through a window where someone has failed to draw the > curtains. This does rather illustrate the limitations of analogies. But it's at least worth noting that entering a house through an unlocked door isn't "breaking and entering", precisely because no breaking was involved. 
> I'm sure that risk (passers-by seeing what is on a computer screen) is > one of those which businesses are advised to pay attention to, by the > ICO, in their advice about complying with the seventh Data Protection > principle. > > I'm also reminded of those council snoopers who are sent round to peer > inside a house to see if it's really unoccupied (when the owner claims > an exemption). Or are such expeditions authorised as RIPA surveillance > these days? I suspect they're "directed surveillance" and an appropriate authorisation is required. (Where Poole messed up was that no surveillance to find out where someone was currently living could be proportionate where the issue was where they had been living at some earlier qualifying date. Against stupidity the gods themselves etc.) Nicholas -- Contact and PGP key here From bdm at fenrir.org.uk Tue Aug 3 18:59:44 2010 From: bdm at fenrir.org.uk (Brian Morrison) Date: Tue, 03 Aug 2010 17:59:44 -0000 Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?) In-Reply-To: <+b3IJFf22EWMFANs@perry.co.uk> References: <4C54293C.1000901@iosis.co.uk> <003001cb3161$c42d8f60$4c88ae20$@net> <54456.78.86.197.160.1280701624.squirrel@drop.daltonfirth.co.uk> <3EDE2FD8-1D5C-4B38-A48B-B3DAE2155CC3@batten.eu.org> <50854.78.86.197.160.1280738084.squirrel@drop.daltonfirth.co.uk> <4C568B59.1030500@iosis.co.uk> <20100802110024.GR29810@snowy.squish.net> <4C57B7D9.2040403@iosis.co.uk> <142201cb3319$124fa6c0$36eef440$@net> <4C58370C.3030006@iosis.co.uk> <000901cb3324$b2b61df0$182259d0$@philipkatz.eu> <+b3IJFf22EWMFANs@perry.co.uk> Message-ID: <20100803185937.00007a49@surtees.fenrir.org.uk> On Tue, 3 Aug 2010 18:11:18 +0100 Roland Perry wrote: > This churn of application versions is becoming a serious irritant. Just as well that it only takes a minute or two to update and restart then. 
I find the MS updates far more annoying, and even my Linux boxes need rebooting due to the spread of dbus message passing when updates are made. -- Brian Morrison From james2 at jfirth.net Tue Aug 3 20:11:07 2010 From: james2 at jfirth.net (James Firth) Date: Tue, 03 Aug 2010 19:11:07 -0000 Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?) In-Reply-To: <4C58579A.40208@ernest.net> References: <4C54293C.1000901@iosis.co.uk> <003001cb3161$c42d8f60$4c88ae20$@net> <20100802132545.GG10354@davros.org> <116FC0E0-B077-4A96-95D8-5D44FF32F42E@batten.eu.org> <4C582229.3070908@bbk.ac.uk> <4C5835C0.9020803@ernest.net> <4C58579A.40208@ernest.net> Message-ID: <144901cb333f$978d57d0$c6a80770$@net> > > > > My common sense says that if I am unauthorised to view a web page, > > then it will return some kind of error which demonstrates that I have > > not presented valid credentials. > > That occurred to me too, after I wrote previously. It happens from > time > to time that I'm told I'm not authorised to see a page. Although I > don't know the procedure for protecting a page or folder in this way, I > imagine it's trivial to find out and apply it when wanted. > This thinking formed the basis of my original assertion that a.) most if not all attempts to use protocols, standards and RFCs should be exempt from "unauthorised use" prosecution since systems should protect themselves, with two key exemptions and one clarification: i.) the entry of username, password, credentials or any field used to uniquely identify a user or account, when it can be shown that a systematic attempt has been made to enter multiple differing combinations of username and password that could not otherwise be explained eg. by absent mindedness or use of wrong credentials ii.) bombardment of packets, correctly formed or otherwise, in an attempt to cause denial of service iii.) 
(clarification) the sending of malformed protocol packets with an attempt to circumvent security measures. - Upon further thinking I still cannot see any truck in running with the locked/unlocked door analogies. There are too many differences between the real and virtual world. Any attempt to regulate use via established protocols, eg spidering a site which does not want to be spidered, should be dealt with in the civil courts as a breach of terms, not a criminal offence under the CMA. James Firth From brian at thejohnsons.co.uk Tue Aug 3 20:13:49 2010 From: brian at thejohnsons.co.uk (Brian L Johnson) Date: Tue, 03 Aug 2010 19:13:49 -0000 Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?) In-Reply-To: <000901cb3324$b2b61df0$182259d0$@philipkatz.eu> References: <4C54293C.1000901@iosis.co.uk> <003001cb3161$c42d8f60$4c88ae20$@net> <54456.78.86.197.160.1280701624.squirrel@drop.daltonfirth.co.uk> <3EDE2FD8-1D5C-4B38-A48B-B3DAE2155CC3@batten.eu.org> <50854.78.86.197.160.1280738084.squirrel@drop.daltonfirth.co.uk> <4C568B59.1030500@iosis.co.uk> <20100802110024.GR29810@snowy.squish.net> <4C57B7D9.2040403@iosis.co.uk> <142201cb3319$124fa6c0$36eef440$@net> <4C58370C.3030006@iosis.co.uk> <000901cb3324$b2b61df0$182259d0$@philipkatz.eu> Message-ID: Philip wrote: >> -----Original Message----- >> From: ukcrypto-bounces at chiark.greenend.org.uk [mailto:ukcrypto- >> bounces at chiark.greenend.org.uk] On Behalf Of Peter Tomlinson >> So now I have deleted the cybersec cert from the exceptions list and >> tried again - and now FF doesn't complain. So it looks like something in >> FF got altered/updated in the transition from v3.6.x (whatever it was >> that I had) to v3.6.7. As I think I noted earlier, I haven't had the >> shower of complaints from FF about certs since I upgraded. > > I am surprised that so many people here are still using Firefox 3.6.7, > when 3.6.8 has been out for a while ... 
> > When I try to view https://cybersecuritychallenge.org.uk/, Firefox > displays > the page, but I do get a warning (Red exclamation mark in the status bar) > which warns me that "This page does not supply ownership information" and > also that (despite the HTTPS) "Parts of the page you are viewing were not > encrypted before being transmitted over the Internet". Interesting. I don't see any warnings from Firefox 3.6.8 nor do I get any warnings with Opera 10.61 b3476 or Chrome 5.0.375.125 No, the website's owners don't have extended validation (not a big deal for such a site) but none of my browsers reports a part-encrypted web page - and I know that Opera in particular is hot on that. I can't see how you got a red exclam. -- brianlj From pwt at iosis.co.uk Tue Aug 3 20:23:08 2010 From: pwt at iosis.co.uk (Peter Tomlinson) Date: Tue, 03 Aug 2010 19:23:08 -0000 Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?) In-Reply-To: <+b3IJFf22EWMFANs@perry.co.uk> References: <4C54293C.1000901@iosis.co.uk> <003001cb3161$c42d8f60$4c88ae20$@net> <54456.78.86.197.160.1280701624.squirrel@drop.daltonfirth.co.uk> <3EDE2FD8-1D5C-4B38-A48B-B3DAE2155CC3@batten.eu.org> <50854.78.86.197.160.1280738084.squirrel@drop.daltonfirth.co.uk> <4C568B59.1030500@iosis.co.uk> <20100802110024.GR29810@snowy.squish.net> <4C57B7D9.2040403@iosis.co.uk> <142201cb3319$124fa6c0$36eef440$@net> <4C58370C.3030006@iosis.co.uk> <000901cb3324$b2b61df0$182259d0$@philipkatz.eu> <+b3IJFf22EWMFANs@perry.co.uk> Message-ID: <4C586C8D.5070601@iosis.co.uk> I had the same experience of not being reminded to download the update, and I was more than one update behind. Peter Roland Perry wrote: > In article <000901cb3324$b2b61df0$182259d0$@philipkatz.eu>, > ukcrypto at philipkatz.eu writes >> I am surprised that so many people here are still using Firefox >> 3.6.7, when >> 3.6.8 has been out for a while ... > > I'm surprised too... 
because Firefox nags me almost daily to download > one kind of patch or another; yet hasn't told me about that update yet. > > My PC is less than a month old, and I installed whatever was the > claimed latest version when setting it up. This churn of application > versions is becoming a serious irritant. From ukcrypto at originalthinktank.org.uk Tue Aug 3 20:47:37 2010 From: ukcrypto at originalthinktank.org.uk (Chris Salter) Date: Tue, 03 Aug 2010 19:47:37 -0000 Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?) In-Reply-To: <4C58370C.3030006@iosis.co.uk> References: <4C54293C.1000901@iosis.co.uk> <003001cb3161$c42d8f60$4c88ae20$@net> <54456.78.86.197.160.1280701624.squirrel@drop.daltonfirth.co.uk> <3EDE2FD8-1D5C-4B38-A48B-B3DAE2155CC3@batten.eu.org> <50854.78.86.197.160.1280738084.squirrel@drop.daltonfirth.co.uk> <4C568B59.1030500@iosis.co.uk> <20100802110024.GR29810@snowy.squish.net> <4C57B7D9.2040403@iosis.co.uk> <142201cb3319$124fa6c0$36eef440$@net> <4C58370C.3030006@iosis.co.uk> Message-ID: <347812177.20100803191627@originalthinktank.org.uk> Hello Peter and UKCrypto, Tuesday, August 3, 2010, 4:34:36 PM, you wrote: > James Firth wrote: >>> In article , Tom >>> Thomson writes >>> >>> >>>>> https://cybersecuritychallenge.org.uk/ >>>>> >>>> Firefox doesn't have any problems with that site's certificate when I >>>> >>> try it. >>> >>> OK here as well (v3.6.7 for PC). >>> >> >> OK here too. Can you post the fingerprint you're getting from the >> certificate? There's 2 options: MitM (unlikely) or certificate missing from >> your client (likely) >> >> James Firth > Thanks all for the help. > When I had the problems with several sites (which wasn't with v3.6.7 but > with a slightly earlier version of FF), I created an exception for each > of them - that put each cert in my list of certs accepted as exceptions, > and indeed cybersec went in there. 
> So now I have deleted the cybersec cert from the exceptions list and > tried again - and now FF doesn't complain. So it looks like something in > FF got altered/updated in the transition from v3.6.x (whatever it was > that I had) to v3.6.7. As I think I noted earlier, I haven't had the > shower of complaints from FF about certs since I upgraded. Just to muddy the water I accessed the site in question with Opera 10.60. It also passed the connection as secure but the security status window added the following qualifier: "The server does not support secure TLS renegotiation. The site owner should upgrade the server." My 'ill-informed' interpretation is that Opera is stating that the site is vulnerable to the 'TLS Renegotiation Attack'? http://www.entrust.net/advisories/tls-mitm.htm http://isc.sans.edu/diary.html?storyid=7534 I employ a basic phalanx of browsers (MSIE, Opera, Firefox, Chrome and Safari) with Chrome being my current default (it's the fastest of the bunch at the moment). However, I tend to revert to Opera where security issues are paramount. Regards to All, Chris -- Chris Salter mailto:ukcrypto at originalthinktank.org.uk Cornwall United Kingdom http://www.originalthinktank.org.uk/ From amidgley at gmail.com Tue Aug 3 21:53:06 2010 From: amidgley at gmail.com (Adrian Midgley (Gmail)) Date: Tue, 03 Aug 2010 20:53:06 -0000 Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?) In-Reply-To: References: <4C54293C.1000901@iosis.co.uk> <003001cb3161$c42d8f60$4c88ae20$@net> <20100802132545.GG10354@davros.org> <13d801cb3248$61d1bac0$25753040$@net> Message-ID: <1280868777.31073.114.camel@lyrae> On Mon, 2010-08-02 at 14:48 +0100, Ian Batten wrote: > > market. Is it criminal intent if otherwise law-abiding townsfolk > > attempt to > > grab a handful of coins? > > Yes. Is this supposed to be something that requires deep thought? 
OTOH, if you walk up and politely and from a distance - let us even say in a bank which is open, across their counter with their glass shields etc etc, "May I have some coins" I think this is not criminal. If you happen to be holding a weapon the appearance might change. -- A From colinthomson1 at o2.co.uk Tue Aug 3 23:56:28 2010 From: colinthomson1 at o2.co.uk (Tom Thomson) Date: Tue, 03 Aug 2010 22:56:28 -0000 Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?) In-Reply-To: <84A18D9E-6744-4CBE-B1C2-FA7065DA4CD8@batten.eu.org> References: <4C54293C.1000901@iosis.co.uk><003001cb3161$c42d8f60$4c88ae20$@net><20100802132545.GG10354@davros.org><116FC0E0-B077-4A96-95D8-5D44FF32F42E@batten.eu.org><4C582229.3070908@bbk.ac.uk> <84A18D9E-6744-4CBE-B1C2-FA7065DA4CD8@batten.eu.org> Message-ID: <2A1B5AB5488D43D4BBE3138C1A73BBCC@your41b8d18ede> > > Yes, but if Cuthbert just moved up the tree to look at directory > > roots as in my example then that isn't obviously non-authorised. > > Some website owners want you to do that and provide a helpful menu > > or index for you. Some website owners don't want you to do that. The > > way to tell which is which is by trying. > > Peter Sommer said that rather than say what he'd done, he instead > presented some story about proxy activity. That does rather > complicate the story. > I wonder if the dialogue went like this: Plod: But you attempted an unauthorised directory transfer. C: No - if anything like that happened it must have been something done by a proxy server, I didn't do it. Plod: But we can clearly see from the log on your PC that you were at http://someserver.org/things/this.html and then typed http://someserver.org/. C: Yes, of course I did that. That's the natural thing to do. 
Or something pretty close to that, adapted by Plod to look a little more incriminating (that sort of adaptation is what used to be known as a "verbal" - and for it to have a commonly used name it probably had to be a commonly occurring thing; and far worse things happen even today). M. From pwt at iosis.co.uk Wed Aug 4 07:13:12 2010 From: pwt at iosis.co.uk (Peter Tomlinson) Date: Wed, 04 Aug 2010 06:13:12 -0000 Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?) In-Reply-To: <2A1B5AB5488D43D4BBE3138C1A73BBCC@your41b8d18ede> References: <4C54293C.1000901@iosis.co.uk><003001cb3161$c42d8f60$4c88ae20$@net><20100802132545.GG10354@davros.org><116FC0E0-B077-4A96-95D8-5D44FF32F42E@batten.eu.org><4C582229.3070908@bbk.ac.uk> <84A18D9E-6744-4CBE-B1C2-FA7065DA4CD8@batten.eu.org> <2A1B5AB5488D43D4BBE3138C1A73BBCC@your41b8d18ede> Message-ID: <4C5904E9.7040102@iosis.co.uk> Tom Thomson wrote: >>> Yes, but if Cuthbert just moved up the tree to look at directory >>> roots as in my example then that isn't obviously non-authorised. >>> Some website owners want you to do that and provide a helpful menu >>> or index for you. Some website owners don't want you to do that. The >>> way to tell which is which is by trying. >>> >> Peter Sommer said that rather than say what he'd done, he instead >> presented some story about proxy activity. That does rather >> complicate the story. >> >> > I wonder if the dialogue went like this: > > Plod: But you attempted an unauthorised directory transfer. > C: No - if anything like that happened it must have been something done by a proxy server, I didn't do it. > Plod: But we can clearly see from the log on your PC that you were at http://someserver.org/things/this.html and then typed http://someserver.org/. > C: Yes, of course I did that. That's the natural thing to do. 
> > Or something pretty close to that, adapted by Plod to look a little more incriminating (that sort of adaptation is what used to be known as a "verbal" - and for it to have a commonly used name it probably had to be a commonly occurring thing; and far worse things happen even today). > > M. > I take the same line with this "unauthorised access" argument as I do with the problem of restrictions on the validity of off peak tickets on UK trains: if the restriction is not declared to me at the time of purchase of the ticket (and done so in writing in a form that I can conveniently carry with me), then the restriction is not valid. (No, I have not been caught out on a train, but was recently on a train at 0945 when the Train Manager accepted my valid after 0900 ticket but told a lady sitting two seats ahead of me that her ticket was not valid until after 1000 - and he made her pay a surcharge.) Peter From fjmd1a at gmail.com Wed Aug 4 08:15:19 2010 From: fjmd1a at gmail.com (Francis Davey) Date: Wed, 04 Aug 2010 07:15:19 -0000 Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?) In-Reply-To: <4C5904E9.7040102@iosis.co.uk> References: <4C54293C.1000901@iosis.co.uk> <003001cb3161$c42d8f60$4c88ae20$@net> <20100802132545.GG10354@davros.org> <116FC0E0-B077-4A96-95D8-5D44FF32F42E@batten.eu.org> <4C582229.3070908@bbk.ac.uk> <84A18D9E-6744-4CBE-B1C2-FA7065DA4CD8@batten.eu.org> <2A1B5AB5488D43D4BBE3138C1A73BBCC@your41b8d18ede> <4C5904E9.7040102@iosis.co.uk> Message-ID: On 4 August 2010 07:12, Peter Tomlinson wrote: > > I take the same line with this "unauthorised access" argument as I do with > the problem of restrictions on the validity of off peak tickets on UK > trains: if the restriction is not declared to me at the time of purchase of > the ticket (and done so in writing in a form that I can conveniently carry > with me), then the restriction is not valid. 
> I once approached the ticket office in Ealing Broadway, said "A ticket to XXXX please" and was handed a ticket in return for payment. I headed towards the barriers and the person who sold me the ticket yelled "Hey! You can't use that ticket yet." At the time I thought it was extraordinary that he had assumed I wanted anything other than to buy a ticket and get on a train. However, that's all beside the point. This thread seems to be wandering all over the place and this is partly because there's confusion between: * what people think might or might not be morally right in general concerning URL truncation * whether URL truncation constitutes unauthorized access within the meaning of section 1 of the Computer Misuse Act 1990 I think the first point is simply unarguable: if you run an HTTP server then it's up to you to cope with any reasonable HTTP request that is sent to you (i.e. I am not saying anything about malicious requests such as denial of service attacks). You don't have to answer a request at all (you don't have to run a server of course) or you can return a 404 or anything else you like. This has nothing to do with a victim's possible responsibility (or otherwise) for criminal activity - in the gold example for instance (curiously one of the examples given by the Anglo-Saxon Chronicle of the good that William I did was that one could safely traverse the country with gold in one's possession without fear). Analogies with real-world activities (tickets, houses etc) really don't help, since they are all quite different and do not take place in a protocol governed, voluntarily joined, organised structure like the internet. The second point is specific to the CMA. Analogies with other activities are unhelpful because they are covered by other statutes with very different requirements for mental involvement. For example theft requires not only that I intend to permanently deprive the owner of property belonging to them, but also that I do so dishonestly. 
"dishonesty" has a subjective/objective test (at least for criminal liability): that is did the defendant know that the act in question was objectively dishonest (i.e. that the generality of the population would consider it dishonest)? Another example: walking into someone's property through an open door is, of course, not by itself a criminal offence. It would almost always be a trespass to land - there is (unless otherwise specified) an implied license to pass from the highway to someone's front door for a lawful purpose, but there is not to do so into their premises and trespass is a civil wrong of strict liability so without a licence a mistaken belief as to right is no defence. NB: there is no crime of "breaking and entering", there is an offence of burglary, which may be committed by entering as a trespasser with intent to commit (for instance) theft or rape, Breaking would be criminal damage (which has a different species of mental involvement). Train tickets are, of course, regulated. The contractual situation would be (absent statute) that a company was entitled to publish all its terms and conditions in a book which you could pay for, but you would be bound by them if you bought a ticket stating it was subject to those conditions. I doubt this corresponds to many posters moral view of the situation but its a well established principle in English law having been hammered out in the "railway ticket" cases of the 19th century. Consumer law is an overlay and may alter the position, but private law aside, tickets are regulated by statute and so one can find oneself in unfair and unjust situations quite easily because the law is drafted to be generally unjust so as to be effective. There is no dishonesty requirement in the CDA. The requirement is that the defendant subjectively know that the access is objectively unauthorised. 
URL shortening on a site without any reason to believe that it is "unauthorised" could not, in my view, ever be a s1 offence because of the way in which the internet operates and is known by those involved to operate. Things would be different if a website (which you had read) had a disclaimer to the contrary, or you had read terms and conditions which told you not to do the very thing you did. You would not, as a defendant, have to prove that what you did was authorised, but rather the prosecution would have the burden of proving that you knew it wasn't. That strikes me as a difficult thing to do in the case of URL shortening. There are always mad decisions by judges. Some of them area appealed (against a magistrates conviction you have a statutory appeal as of right to the Crown Court which helps a bit), many of them are not because the loser gets fed up, doesn't have the energy for a further fight, or simply because they are badly advised. I often tell of a case where I convinced my opponent that I was right before the hearing (I was clearly right) but we were jointly unable to convince the judge that I was. My opponent was quite eloquent on my behalf as well. The judge's decision was appealable on its face but (for whatever reason) we made no appeal. Perhaps my client was fed up with the process. I certainly might have been. -- Francis Davey From lists at internetpolicyagency.com Wed Aug 4 08:54:49 2010 From: lists at internetpolicyagency.com (Roland Perry) Date: Wed, 04 Aug 2010 07:54:49 -0000 Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?) 
In-Reply-To: <20100803185937.00007a49@surtees.fenrir.org.uk>
References: <4C54293C.1000901@iosis.co.uk> <003001cb3161$c42d8f60$4c88ae20$@net> <54456.78.86.197.160.1280701624.squirrel@drop.daltonfirth.co.uk> <3EDE2FD8-1D5C-4B38-A48B-B3DAE2155CC3@batten.eu.org> <50854.78.86.197.160.1280738084.squirrel@drop.daltonfirth.co.uk> <4C568B59.1030500@iosis.co.uk> <20100802110024.GR29810@snowy.squish.net> <4C57B7D9.2040403@iosis.co.uk> <142201cb3319$124fa6c0$36eef440$@net> <4C58370C.3030006@iosis.co.uk> <000901cb3324$b2b61df0$182259d0$@philipkatz.eu> <+b3IJFf22EWMFANs@perry.co.uk> <20100803185937.00007a49@surtees.fenrir.org.uk>
Message-ID:

In article <20100803185937.00007a49 at surtees.fenrir.org.uk>, Brian Morrison writes
>> This churn of application versions is becoming a serious irritant.
>
>Just as well that it only takes a minute or two to update and restart
>then. I find the MS updates far more annoying

Firefox is by far the worst, because you can't postpone it. If you are on the phone talking to someone, and there's something to be looked up - you start Firefox and quite often it will say "hang on for a minute or two while I download and install an update".

This is the precise reason I now use Chrome for much of my less serious browsing!
--
Roland Perry

From matthew at pemble.net Wed Aug 4 08:57:35 2010
From: matthew at pemble.net (Matthew Pemble)
Date: Wed, 04 Aug 2010 07:57:35 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To:
References: <4C54293C.1000901@iosis.co.uk> <003001cb3161$c42d8f60$4c88ae20$@net> <20100802132545.GG10354@davros.org> <116FC0E0-B077-4A96-95D8-5D44FF32F42E@batten.eu.org> <4C582229.3070908@bbk.ac.uk> <84A18D9E-6744-4CBE-B1C2-FA7065DA4CD8@batten.eu.org> <2A1B5AB5488D43D4BBE3138C1A73BBCC@your41b8d18ede> <4C5904E9.7040102@iosis.co.uk>
Message-ID:

On 4 August 2010 08:15, Francis Davey wrote:
>
> However, that's all beside the point. This thread seems to be
> wandering all over the place and this is partly because there's
> confusion between:
>
> * what people think might or might not be morally right in general
> concerning URL truncation
> * whether URL truncation constitutes unauthorized access within the
> meaning of section 1 of the Computer Misuse Act 1990
>
>
Or is the point that people are becoming confused between URL truncation and a "Directory Traversal Attack", using the well-known '/../' syntax (just the same as, at the time, appending '.' to a .php URL often gave you the script source rather than the product)? Although Peter's pdf doesn't make it clear although other contemporaneous sources (http://www.samizdata.net/blog/archives/008118.html) do mention the method.

I would agree with the general comment here that URL truncation is a perfectly legitimate web browsing method (especially when you are following a link that gives you an error page.) I wouldn't agree that discussion of URL truncation in respect of the Cuthbert case (regardless of whether his conviction was sound either in law or in morality) is particularly relevant.

Matthew

--
Matthew Pemble

From fjmd1a at gmail.com Wed Aug 4 09:00:53 2010
From: fjmd1a at gmail.com (Francis Davey)
Date: Wed, 04 Aug 2010 08:00:53 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To:
References: <4C54293C.1000901@iosis.co.uk> <003001cb3161$c42d8f60$4c88ae20$@net> <20100802132545.GG10354@davros.org> <116FC0E0-B077-4A96-95D8-5D44FF32F42E@batten.eu.org> <4C582229.3070908@bbk.ac.uk> <84A18D9E-6744-4CBE-B1C2-FA7065DA4CD8@batten.eu.org> <2A1B5AB5488D43D4BBE3138C1A73BBCC@your41b8d18ede> <4C5904E9.7040102@iosis.co.uk>
Message-ID:

On 4 August 2010 08:57, Matthew Pemble wrote:
>
>
> Or is the point that people are becoming confused between URL truncation and
> a "Directory Traversal Attack", using the well-known '/../' syntax (just the
> same as, at the time, appending '.' to a .php URL often gave you the script
> source rather than the product)? Although Peter's pdf doesn't make it clear
> although other contemporaneous sources
> (http://www.samizdata.net/blog/archives/008118.html) do mention the method.
>
Could be. I was careful not to comment on that particular case because the details are so unclear. Peter's pdf is, as you say, short on detail. It's the kind of thing that's easy to misreport I suspect.

--
Francis Davey

From lists at internetpolicyagency.com Wed Aug 4 09:10:49 2010
From: lists at internetpolicyagency.com (Roland Perry)
Date: Wed, 04 Aug 2010 08:10:49 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To: <4C586C8D.5070601@iosis.co.uk>
References: <4C54293C.1000901@iosis.co.uk> <003001cb3161$c42d8f60$4c88ae20$@net> <54456.78.86.197.160.1280701624.squirrel@drop.daltonfirth.co.uk> <3EDE2FD8-1D5C-4B38-A48B-B3DAE2155CC3@batten.eu.org> <50854.78.86.197.160.1280738084.squirrel@drop.daltonfirth.co.uk> <4C568B59.1030500@iosis.co.uk> <20100802110024.GR29810@snowy.squish.net> <4C57B7D9.2040403@iosis.co.uk> <142201cb3319$124fa6c0$36eef440$@net> <4C58370C.3030006@iosis.co.uk> <000901cb3324$b2b61df0$182259d0$@philipkatz.eu> <+b3IJFf22EWMFANs@perry.co.uk> <4C586C8D.5070601@iosis.co.uk>
Message-ID: <8qRYlUAsASWMFAvy@perry.co.uk>

In article <4C586C8D.5070601 at iosis.co.uk>, Peter Tomlinson writes
>I had the same experience of not being reminded to download the update,
>and I was more than one update behind.

Looking around, I see that one of my other PCs is "stuck" on 3.6.2, and believe it or not, the other is right in the middle of downloading 3.6.8 all by itself!

>Roland Perry wrote:
>> In article <000901cb3324$b2b61df0$182259d0$@philipkatz.eu>,
>>ukcrypto at philipkatz.eu writes
>>> I am surprised that so many people here are still using Firefox
>>>3.6.7, when
>>> 3.6.8 has been out for a while ...
>>
>> I'm surprised too... because Firefox nags me almost daily to download
>>one kind of patch or another; yet hasn't told me about that update
>>yet.
>>
>> My PC is less than a month old, and I installed whatever was the
>>claimed latest version when setting it up. This churn of application
>>versions is becoming a serious irritant.
>
--
Roland Perry

From jon+ukcrypto at unequivocal.co.uk Wed Aug 4 09:18:25 2010
From: jon+ukcrypto at unequivocal.co.uk (Jon Ribbens)
Date: Wed, 04 Aug 2010 08:18:25 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To:
References: <20100802110024.GR29810@snowy.squish.net> <4C57B7D9.2040403@iosis.co.uk> <142201cb3319$124fa6c0$36eef440$@net> <4C58370C.3030006@iosis.co.uk> <000901cb3324$b2b61df0$182259d0$@philipkatz.eu> <+b3IJFf22EWMFANs@perry.co.uk> <20100803185937.00007a49@surtees.fenrir.org.uk>
Message-ID: <20100804081824.GU29810@snowy.squish.net>

On Wed, Aug 04, 2010 at 08:53:40AM +0100, Roland Perry wrote:
> Firefox is by far the worst, because you can't postpone it. If you are
> on the phone talking to someone, and there's something to be looked up -
> you start Firefox and quite often it will say "hang on for a minute or
> two while I download and install an update".

Tools->Options->Advanced->Update. You can tell it to ask you what to do, or to not check for updates at all.

From lists at internetpolicyagency.com Wed Aug 4 09:28:49 2010
From: lists at internetpolicyagency.com (Roland Perry)
Date: Wed, 04 Aug 2010 08:28:49 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To: <4C58579A.40208@ernest.net>
References: <4C54293C.1000901@iosis.co.uk> <003001cb3161$c42d8f60$4c88ae20$@net> <20100802132545.GG10354@davros.org> <116FC0E0-B077-4A96-95D8-5D44FF32F42E@batten.eu.org> <4C582229.3070908@bbk.ac.uk> <4C5835C0.9020803@ernest.net> <4C58579A.40208@ernest.net>
Message-ID:

In article <4C58579A.40208 at ernest.net>, Nicholas Bohm writes
>(Where Poole messed up was that no surveillance to find out where
>someone was currently living could be proportionate where the issue was
>where they had been living at some earlier qualifying date. Against
>stupidity the gods themselves etc.)

Straying a bit off topic, but my school solves the "Poole Problem" by putting the burden of proof [of residence at a specific address on the qualifying date - which is typically in October the *previous* year] onto the applicant. But proving actual residence, rather than simply the existence of a pied-à-terre, is realised to be difficult; so for rented accommodation the school now asks for sight of a "minimum 12 months tenancy" agreement. Which I have always felt to be an unusual animal, and something an innocent person moving to the area and getting housed, before approaching the school, might find caused some difficulty.

In my own case, for example, I moved to the town in June, then had two different six month rentals inside the catchment area, before buying a house just one street outside the catchment area. However, at the time, the tail end of the first six month rental was sufficient - had I been asked to produce some credentials - even though by the time my child entered the school we'd been living outside for three months (but because the area is oddly-shaped, actually closer to the school than other streets that are inside!)
--
Roland Perry

From lists at internetpolicyagency.com Wed Aug 4 09:36:51 2010
From: lists at internetpolicyagency.com (Roland Perry)
Date: Wed, 04 Aug 2010 08:36:51 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To: <20100804081824.GU29810@snowy.squish.net>
References: <20100802110024.GR29810@snowy.squish.net> <4C57B7D9.2040403@iosis.co.uk> <142201cb3319$124fa6c0$36eef440$@net> <4C58370C.3030006@iosis.co.uk> <000901cb3324$b2b61df0$182259d0$@philipkatz.eu> <+b3IJFf22EWMFANs@perry.co.uk> <20100803185937.00007a49@surtees.fenrir.org.uk> <20100804081824.GU29810@snowy.squish.net>
Message-ID:

In article <20100804081824.GU29810 at snowy.squish.net>, Jon Ribbens writes
>> Firefox is by far the worst, because you can't postpone it. If you are
>> on the phone talking to someone, and there's something to be looked up -
>> you start Firefox and quite often it will say "hang on for a minute or
>> two while I download and install an update".
>
>Tools->Options->Advanced->Update. You can tell it to ask you what to
>do, or to not check for updates at all.

Thanks for that - I'll tick immediately.

ps. The PC automatically downloading 3.6.8 this morning is doing it from a base of 3.6.6, so it's skipped a version. And I see from the 'Update History' that this is the 11th version it has installed in a little under a year!
--
Roland Perry

From lists at internetpolicyagency.com Wed Aug 4 09:55:32 2010
From: lists at internetpolicyagency.com (Roland Perry)
Date: Wed, 04 Aug 2010 08:55:32 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To:
References: <4C54293C.1000901@iosis.co.uk> <003001cb3161$c42d8f60$4c88ae20$@net> <20100802132545.GG10354@davros.org> <116FC0E0-B077-4A96-95D8-5D44FF32F42E@batten.eu.org> <4C582229.3070908@bbk.ac.uk> <84A18D9E-6744-4CBE-B1C2-FA7065DA4CD8@batten.eu.org> <2A1B5AB5488D43D4BBE3138C1A73BBCC@your41b8d18ede> <4C5904E9.7040102@iosis.co.uk>
Message-ID:

In article , Francis Davey writes
>There is no dishonesty requirement in the CDA. The requirement is that
>the defendant subjectively know that the access is objectively
>unauthorised. URL shortening on a site without any reason to believe
>that it is "unauthorised" could not, in my view, ever be a s1 offence
>because of the way in which the internet operates and is known by
>those involved to operate. Things would be different if a website
>(which you had read) had a disclaimer to the contrary, or you had read
>terms and conditions which told you not to do the very thing you did.

The hierarchical nature of most websites means that if you go up a layer you expect to find an index of some sort, although many modern content management systems don't work like that, and will give an error. Not so much because it's "unauthorised" but because on their website "that url makes no sense".

Where it becomes trickier is if you go fishing for urls. I'll give an example from my day-job, where one of my tasks is to monitor the process of governments giving advice to ICANN. At the end of every meeting they publish a communiqué, and its arrival is keenly awaited (if only because it might give some opportunity to discuss the contents before everyone on-site disperses). One day they'll get around to tweeting its publication, but we aren't there yet.

The last two have had urls of:

http://gac.icann.org/system/files/Nairobi_Communique.pdf
http://gac.icann.org/system/files/Brussels-communique.pdf

The next meeting is in Cartagena.
--
Roland Perry

From jon+ukcrypto at unequivocal.co.uk Wed Aug 4 10:14:43 2010
From: jon+ukcrypto at unequivocal.co.uk (Jon Ribbens)
Date: Wed, 04 Aug 2010 09:14:43 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To:
References: <142201cb3319$124fa6c0$36eef440$@net> <4C58370C.3030006@iosis.co.uk> <000901cb3324$b2b61df0$182259d0$@philipkatz.eu> <+b3IJFf22EWMFANs@perry.co.uk> <20100803185937.00007a49@surtees.fenrir.org.uk> <20100804081824.GU29810@snowy.squish.net>
Message-ID: <20100804091443.GV29810@snowy.squish.net>

On Wed, Aug 04, 2010 at 09:35:19AM +0100, Roland Perry wrote:
> ps. The PC automatically downloading 3.6.8 this morning is doing it from
> a base of 3.6.6, so it's skipped a version. And I see from the 'Update
> History' that this is the 11th version it has installed in a little
> under a year!

There were two updates in very quick succession recently, because of the BlackHat conference.

From David_Biggins at usermgmt.com Wed Aug 4 10:16:09 2010
From: David_Biggins at usermgmt.com (David Biggins)
Date: Wed, 04 Aug 2010 09:16:09 -0000
Subject: Here we go again - ISP DPI, but is it interception?
In-Reply-To: <005001cb2f22$b47633b0$1d629b10$@net>
References: <58600.78.86.197.160.1280179559.squirrel@drop.daltonfirth.co.uk> <4C4E16F5.10400@zen.co.uk> <4C4E314E.7000609@zen.co.uk> <4C50677C.60705@zen.co.uk> <018501cb2e7b$c0927570$41b76050$@net> <005001cb2f22$b47633b0$1d629b10$@net>
Message-ID:

> -----Original Message-----
> From: ukcrypto-bounces at chiark.greenend.org.uk [mailto:ukcrypto-
> bounces at chiark.greenend.org.uk] On Behalf Of James Firth
> Sent: 29 July 2010 14:34
> To: 'UK Cryptography Policy Discussion Group'
> Subject: RE: Here we go again - ISP DPI, but is it interception?
>
> David Biggins wrote:
> > Hmmmm.....
> >
> > The other week, I requested some data from a SOAP web service...
> >
> > The XML response arrived, interestingly, broken, with javascript
> > embedded in it.
> >
> > The client and server machines are both clean, and the server most
> > assuredly does not send script in its responses.
> >
> > Regrettably, I didn't keep the response - deadlines loomed, so I
> > repeated the request, which arrived clean.
> >
> > Virgin Media is my ISP, and the last time I saw something like this
> was
> > during the Phorm trials.
>
> The last 2 cases of this I investigated turned out to be down to Norton
> Internet Security running on the client machine. I assume you've
> already
> considered this and will keep my ear to the ground.
>
> James Firth
>
>
Hi James,

Specifically to avoid such issues, this was part of a dedicated test setup, with just the basic Vista 64 firewall, Avast AV (just the AV, no additional "security suite" tools), and no other resident anti-malware tools were running.

I guess it's possible that Avast's monitoring was somehow responsible. I would have expected the problem to have been likely to recur since, in such a case, but I'll keep an open mind.

Thanks for the feedback.

D.
From nbohm at ernest.net Wed Aug 4 10:44:16 2010
From: nbohm at ernest.net (Nicholas Bohm)
Date: Wed, 04 Aug 2010 09:44:16 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To:
References: <4C54293C.1000901@iosis.co.uk> <003001cb3161$c42d8f60$4c88ae20$@net> <20100802132545.GG10354@davros.org> <116FC0E0-B077-4A96-95D8-5D44FF32F42E@batten.eu.org> <4C582229.3070908@bbk.ac.uk> <84A18D9E-6744-4CBE-B1C2-FA7065DA4CD8@batten.eu.org> <2A1B5AB5488D43D4BBE3138C1A73BBCC@your41b8d18ede> <4C5904E9.7040102@iosis.co.uk>
Message-ID: <4C59366F.6050504@ernest.net>

Matthew Pemble wrote:
>
>
> On 4 August 2010 08:15, Francis Davey
> wrote:
>
>
> However, that's all beside the point. This thread seems to be
> wandering all over the place and this is partly because there's
> confusion between:
>
> * what people think might or might not be morally right in general
> concerning URL truncation
> * whether URL truncation constitutes unauthorized access within the
> meaning of section 1 of the Computer Misuse Act 1990
>
>
> Or is the point that people are becoming confused between URL
> truncation and a "Directory Traversal Attack", using the well-known
> '/../' syntax (just the same as, at the time, appending '.' to a .php
> URL often gave you the script source rather than the product)?
> Although Peter's pdf doesn't make it clear although other
> contemporaneous sources
> (http://www.samizdata.net/blog/archives/008118.html) do mention the
> method.

Yes, I certainly confused the two. What exactly does the "/../" syntax do, and why does it matter to the host? (The article you link isn't explicit enough for me to follow.)

Nicholas
--
Contact and PGP key here

From adrianhayter at gmail.com Wed Aug 4 11:41:45 2010
From: adrianhayter at gmail.com (Adrian Hayter)
Date: Wed, 04 Aug 2010 10:41:45 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To: <4C59366F.6050504@ernest.net>
References: <4C54293C.1000901@iosis.co.uk> <003001cb3161$c42d8f60$4c88ae20$@net> <20100802132545.GG10354@davros.org> <116FC0E0-B077-4A96-95D8-5D44FF32F42E@batten.eu.org> <4C582229.3070908@bbk.ac.uk> <84A18D9E-6744-4CBE-B1C2-FA7065DA4CD8@batten.eu.org> <2A1B5AB5488D43D4BBE3138C1A73BBCC@your41b8d18ede> <4C5904E9.7040102@iosis.co.uk> <4C59366F.6050504@ernest.net>
Message-ID: <2F795C58-60C2-48E7-92CA-FD45D97E568D@gmail.com>

> Yes, I certainly confused the two. What exactly does the "/../" syntax
> do, and why does it matter to the host? (The article you link isn't
> explicit enough for me to follow.)
>
> Nicholas
> --
> Contact and PGP key here
>
Consider that the url http://example.com/stuff/morestuff/ pointed to the location /var/www/example.com/public/stuff/morestuff/ on a server. Doing a directory traversal on the url (such as: http://example.com/stuff/morestuff/../../../ ) would (on some insecure servers) get the location /var/www/example.com/. Now we know from the previous location that the directory 'public' is contained here, but so could some other directories, such as 'logs' or even important private information.

As you can see, this would matter to the host, since a lot of webservers are configured to display the contents of directories when they do not come across a specified index file (such as index.html or index.php). If you have a folder that is meant to be publicly accessible, you do not want people to be able to traverse out of that directory and into one that contains private data.

-Adrian

From bdm at fenrir.org.uk Wed Aug 4 11:45:59 2010
From: bdm at fenrir.org.uk (Brian Morrison)
Date: Wed, 04 Aug 2010 10:45:59 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To:
References: <4C54293C.1000901@iosis.co.uk> <003001cb3161$c42d8f60$4c88ae20$@net> <54456.78.86.197.160.1280701624.squirrel@drop.daltonfirth.co.uk> <3EDE2FD8-1D5C-4B38-A48B-B3DAE2155CC3@batten.eu.org> <50854.78.86.197.160.1280738084.squirrel@drop.daltonfirth.co.uk> <4C568B59.1030500@iosis.co.uk> <20100802110024.GR29810@snowy.squish.net> <4C57B7D9.2040403@iosis.co.uk> <142201cb3319$124fa6c0$36eef440$@net> <4C58370C.3030006@iosis.co.uk> <000901cb3324$b2b61df0$182259d0$@philipkatz.eu> <+b3IJFf22EWMFANs@perry.co.uk> <20100803185937.00007a49@surtees.fenrir.org.uk>
Message-ID: <20100804114552.00002403@surtees.fenrir.org.uk>

On Wed, 4 Aug 2010 08:53:40 +0100
Roland Perry wrote:

> In article <20100803185937.00007a49 at surtees.fenrir.org.uk>, Brian
> Morrison writes
> >> This churn of application versions is becoming a serious irritant.
> >
> >Just as well that it only takes a minute or two to update and restart
> >then. I find the MS updates far more annoying
>
> Firefox is by far the worst, because you can't postpone it.

Really? I find that Firefox will usually download an update in the background but it does not force you to apply it until you're ready.

> If you
> are on the phone talking to someone, and there's something to be
> looked up - you start Firefox and quite often it will say "hang on
> for a minute or two while I download and install an update".

As I say above, I've never seen it do that, only offer to apply one already downloaded.

> This is
> the precise reason I now use Chrome for much of my less serious
> browsing!

It's fast, I'll give it that.

--
Brian Morrison

From bdm at fenrir.org.uk Wed Aug 4 11:47:08 2010
From: bdm at fenrir.org.uk (Brian Morrison)
Date: Wed, 04 Aug 2010 10:47:08 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To:
References: <20100802110024.GR29810@snowy.squish.net> <4C57B7D9.2040403@iosis.co.uk> <142201cb3319$124fa6c0$36eef440$@net> <4C58370C.3030006@iosis.co.uk> <000901cb3324$b2b61df0$182259d0$@philipkatz.eu> <+b3IJFf22EWMFANs@perry.co.uk> <20100803185937.00007a49@surtees.fenrir.org.uk> <20100804081824.GU29810@snowy.squish.net>
Message-ID: <20100804114701.00003c52@surtees.fenrir.org.uk>

On Wed, 4 Aug 2010 09:35:19 +0100
Roland Perry wrote:

> And I see from the 'Update
> History' that this is the 11th version it has installed in a little
> under a year!

You should be pleased that they fix the things they know about....

--
Brian Morrison

From nbohm at ernest.net Wed Aug 4 11:53:29 2010
From: nbohm at ernest.net (Nicholas Bohm)
Date: Wed, 04 Aug 2010 10:53:29 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To: <2F795C58-60C2-48E7-92CA-FD45D97E568D@gmail.com>
References: <4C54293C.1000901@iosis.co.uk> <003001cb3161$c42d8f60$4c88ae20$@net> <20100802132545.GG10354@davros.org> <116FC0E0-B077-4A96-95D8-5D44FF32F42E@batten.eu.org> <4C582229.3070908@bbk.ac.uk> <84A18D9E-6744-4CBE-B1C2-FA7065DA4CD8@batten.eu.org> <2A1B5AB5488D43D4BBE3138C1A73BBCC@your41b8d18ede> <4C5904E9.7040102@iosis.co.uk> <4C59366F.6050504@ernest.net> <2F795C58-60C2-48E7-92CA-FD45D97E568D@gmail.com>
Message-ID: <4C5946A8.5080604@ernest.net>

Adrian Hayter wrote:
>> Yes, I certainly confused the two. What exactly does the "/../" syntax
>> do, and why does it matter to the host? (The article you link isn't
>> explicit enough for me to follow.)
>>
>> Nicholas
>> --
>> Contact and PGP key here
>>
>
> Consider that the url http://example.com/stuff/morestuff/ pointed to
> the location /var/www/example.com/public/stuff/morestuff/ on a server.
> Doing a directory traversal on the url (such as:
> http://example.com/stuff/morestuff/../../../ ) would (on some insecure
> servers) get the location /var/www/example.com/. Now we know from the
> previous location that the directory 'public' is contained here, but
> so could some other directories, such as 'logs' or even important
> private information.
>
> As you can see, this would matter to the host, since a lot of
> webservers are configured to display the contents of directories when
> they do not come across a specified index file (such as index.html or
> index.php). If you have a folder that is meant to be publicly
> accessible, you do not want people to be able to traverse out of that
> directory and into one that contains private data.

Most helpful - thank you.

Taking the above example, could you explain the difference in effect between http://example.com/stuff/morestuff/../../../ and http://example.com/ ? Do they not lead to the same location on the server, namely /var/www/example.com/?

Nicholas
--
Contact and PGP key here

From matthew at pemble.net Wed Aug 4 11:53:30 2010
From: matthew at pemble.net (Matthew Pemble)
Date: Wed, 04 Aug 2010 10:53:30 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To: <4C59366F.6050504@ernest.net>
References: <4C54293C.1000901@iosis.co.uk> <003001cb3161$c42d8f60$4c88ae20$@net> <20100802132545.GG10354@davros.org> <116FC0E0-B077-4A96-95D8-5D44FF32F42E@batten.eu.org> <4C582229.3070908@bbk.ac.uk> <84A18D9E-6744-4CBE-B1C2-FA7065DA4CD8@batten.eu.org> <2A1B5AB5488D43D4BBE3138C1A73BBCC@your41b8d18ede> <4C5904E9.7040102@iosis.co.uk> <4C59366F.6050504@ernest.net>
Message-ID:

On 4 August 2010 10:44, Nicholas Bohm wrote:
> Matthew Pemble wrote:
> > Or is the point that people are becoming confused between URL
> > truncation and a "Directory Traversal Attack", using the well-known
> > '/../' syntax (just the same as, at the time, appending '.' to a .php
> > URL often gave you the script source rather than the product)?
> > Although Peter's pdf doesn't make it clear although other > > contemporaneous sources > > (http://www.samizdata.net/blog/archives/008118.html) do mention the > > method. > > Yes, I certainly confused the two. What exactly does the "/../" syntax > do, and why does it matter to the host? (The article you link isn't > explicit enough for me to follow.) > Apologies to those folks on-list for whom this is sucking on a "thousand year egg". "Directory Traversal" is a penetration testing technique where you attempt to gain access to parts of the server file system that are not supposed to be shared online - in this case ones outside of the context of the web-server files. ".." normally (i.e. in common Unix and Microsoft filesystems) means "parent directory" - so "cd .." should take you back up one level in the filesystem. However. a well-engineered (and configured) webserver should never provide information outside of the "webroot" - either returning an error (RFC compliant behaviour - I'd guess at a 403 error) or simply returning the default page (normal behaviour). However, IIS 4 and 5 had a number of problems that Microsoft classified variously as "File Permission Canonicalization" and "Web Server Folder Traversal" patched from Aug 2000 to Aug 2001 (although the first patch was against a completely different problem.) Essentially, if you encoded '/..' in Unicode and included it in a URL, you could would be returned files outside of the webroot, including critical system configuration files and you could also run programs on the local machine. At the time, a well known vulnerability and, I believe, exploited by the Nimda worm. -- Matthew Pemble -------------- next part -------------- An HTML attachment was scrubbed... URL: From nbohm at ernest.net Wed Aug 4 12:01:23 2010 From: nbohm at ernest.net (Nicholas Bohm) Date: Wed, 04 Aug 2010 11:01:23 -0000 Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?) 
In-Reply-To: References: <4C54293C.1000901@iosis.co.uk> <003001cb3161$c42d8f60$4c88ae20$@net> <20100802132545.GG10354@davros.org> <116FC0E0-B077-4A96-95D8-5D44FF32F42E@batten.eu.org> <4C582229.3070908@bbk.ac.uk> <84A18D9E-6744-4CBE-B1C2-FA7065DA4CD8@batten.eu.org> <2A1B5AB5488D43D4BBE3138C1A73BBCC@your41b8d18ede> <4C5904E9.7040102@iosis.co.uk> <4C59366F.6050504@ernest.net> Message-ID: <4C594882.7070200@ernest.net> Matthew Pemble wrote: > On 4 August 2010 10:44, Nicholas Bohm > wrote: > > Matthew Pemble wrote: > > Or is the point that people are becoming confused between URL > > truncation and a "Directory Traversal Attack", using the well-known > > '/../' syntax (just the same as, at the time, appending '.' to a > .php > > URL often gave you the script source rather than the product)? > > Although Peter's pdf doesn't make it clear although other > > contemporaneous sources > > (http://www.samizdata.net/blog/archives/008118.html) do mention the > > method. > > Yes, I certainly confused the two. What exactly does the "/../" > syntax > do, and why does it matter to the host? (The article you link isn't > explicit enough for me to follow.) > > > Apologies to those folks on-list for whom this is sucking on a > "thousand year egg". This is a policy list; I don't think you need apologise! > "Directory Traversal" is a penetration testing technique where you > attempt to gain access to parts of the server file system that are not > supposed to be shared online - in this case ones outside of the > context of the web-server files. > > ".." normally (i.e. in common Unix and Microsoft filesystems) means > "parent directory" - so "cd .." should take you back up one level in > the filesystem. However. a well-engineered (and configured) webserver > should never provide information outside of the "webroot" - either > returning an error (RFC compliant behaviour - I'd guess at a 403 > error) or simply returning the default page (normal behaviour). 
>
> However, IIS 4 and 5 had a number of problems that Microsoft
> classified variously as "File Permission Canonicalization" and "Web
> Server Folder Traversal" patched from Aug 2000 to Aug 2001 (although
> the first patch was against a completely different problem.)
> Essentially, if you encoded '/..' in Unicode and included it in a URL,
> you would be returned files outside of the webroot, including
> critical system configuration files and you could also run programs on
> the local machine.
>
> At the time, a well known vulnerability and, I believe, exploited by
> the Nimda worm.
>

That suggests to me that entering a URL designed to exploit a weakness in order to get "behind" the root of a server for a particular site is doing something very different from truncating a URL in order to explore a site. I can much more easily see why it might be concluded a particular user knew it was unauthorised.

Nicholas
--
Contact and PGP key here

From matthew at pemble.net Wed Aug 4 12:10:46 2010
From: matthew at pemble.net (Matthew Pemble)
Date: Wed, 04 Aug 2010 11:10:46 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To: <4C5946A8.5080604@ernest.net>
References: <4C54293C.1000901@iosis.co.uk> <003001cb3161$c42d8f60$4c88ae20$@net> <20100802132545.GG10354@davros.org> <116FC0E0-B077-4A96-95D8-5D44FF32F42E@batten.eu.org> <4C582229.3070908@bbk.ac.uk> <84A18D9E-6744-4CBE-B1C2-FA7065DA4CD8@batten.eu.org> <2A1B5AB5488D43D4BBE3138C1A73BBCC@your41b8d18ede> <4C5904E9.7040102@iosis.co.uk> <4C59366F.6050504@ernest.net> <2F795C58-60C2-48E7-92CA-FD45D97E568D@gmail.com> <4C5946A8.5080604@ernest.net>
Message-ID:

On 4 August 2010 11:53, Nicholas Bohm wrote:
>
> Taking the above example, could you explain the difference in effect
> between http://example.com/stuff/morestuff/../../../ and
> http://example.com/ ? Do they not
> lead to the same location on the server, namely /var/www/example.com/?
>

Not quite - the first has 3 'parents' - so should aim you at the parent directory above the defined webroot for example.com (which might be /var/www or, more usually, /var/www/example.com/) and lead you, swiftly, to an error page. The second should take you to the default file in the webroot directory defined below /var/www/example.com - e.g. /var/www/example.com/webroot/index.html.

I think? It always used to hurt my brain when doing this, especially once you unicoded everything, so I generally used 'cut and paste' from a pre-prepared attack script.

--
Matthew Pemble

From peter at pmsommer.com Wed Aug 4 12:18:34 2010
From: peter at pmsommer.com (Peter Sommer)
Date: Wed, 04 Aug 2010 11:18:34 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To: <4C5946A8.5080604@ernest.net>
References: <4C54293C.1000901@iosis.co.uk> <003001cb3161$c42d8f60$4c88ae20$@net> <20100802132545.GG10354@davros.org> <116FC0E0-B077-4A96-95D8-5D44FF32F42E@batten.eu.org> <4C582229.3070908@bbk.ac.uk> <84A18D9E-6744-4CBE-B1C2-FA7065DA4CD8@batten.eu.org> <2A1B5AB5488D43D4BBE3138C1A73BBCC@your41b8d18ede> <4C5904E9.7040102@iosis.co.uk> <4C59366F.6050504@ernest.net> <2F795C58-60C2-48E7-92CA-FD45D97E568D@gmail.com> <4C5946A8.5080604@ernest.net>
Message-ID: <4C594C83.4090704@pmsommer.com>

Gosh: What an astonishing level of interest in a case from 2005 that doesn't really set a precedent!

My PDF is of an article for "Computers and Law" and had to be of limited length.

Daniel Cuthbert's aim in executing the directory traversal was not simply to truncate the URL to explore the website (which would have been legitimate) but to explore the computer holding the webserver (which was not). The court decided that he must have known at the time he did it that this action was not authorised - thus s 1 CMA is satisfied.
Any appeal would have had to be on the basis either that the judge was wrong in law or that he reached a conclusion on the facts that no reasonable judge could have made.

(For the avoidance of doubt: I am simply reporting what the court decided)

Peter Sommer

On 04/08/2010 11:53, Nicholas Bohm wrote:
> Adrian Hayter wrote:
>
>>> Yes, I certainly confused the two. What exactly does the "/../" syntax
>>> do, and why does it matter to the host? (The article you link isn't
>>> explicit enough for me to follow.)
>>>
>>> Nicholas
>>>

From fjmd1a at gmail.com Wed Aug 4 12:30:23 2010
From: fjmd1a at gmail.com (Francis Davey)
Date: Wed, 04 Aug 2010 11:30:23 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To: <4C594C83.4090704@pmsommer.com>
References: <4C54293C.1000901@iosis.co.uk> <003001cb3161$c42d8f60$4c88ae20$@net> <20100802132545.GG10354@davros.org> <116FC0E0-B077-4A96-95D8-5D44FF32F42E@batten.eu.org> <4C582229.3070908@bbk.ac.uk> <84A18D9E-6744-4CBE-B1C2-FA7065DA4CD8@batten.eu.org> <2A1B5AB5488D43D4BBE3138C1A73BBCC@your41b8d18ede> <4C5904E9.7040102@iosis.co.uk> <4C59366F.6050504@ernest.net> <2F795C58-60C2-48E7-92CA-FD45D97E568D@gmail.com> <4C5946A8.5080604@ernest.net> <4C594C83.4090704@pmsommer.com>
Message-ID:

On 4 August 2010 12:18, Peter Sommer wrote:
[snip]
>
> Daniel Cuthbert's aim in executing the directory traversal was not simply to
> truncate the URL to explore the website (which would have been legitimate)
> but to explore the computer holding the webserver (which was not). The
> court decided that he must have known at the time he did it that this action
> was not authorised - thus s 1 CMA is satisfied.

Right. If he was doing directory traversal using ".." to see if the site had a security vulnerability then he must _ex hypothesi_ have known that such an access would not be authorised (otherwise it wouldn't be a vulnerability).

Moral: don't probe for exploits.
>
> Any appeal would have had to be on the basis either that the judge was wrong
> in law or that he reached a conclusion on the facts that no reasonable judge
> could have made.
>

Not in this case, no. An appeal under s.108 of the Magistrates' Courts Act 1980 results in a re-hearing of the case, i.e. a fresh trial in the Crown Court.

Trust me, I'm a lawyer 8-).

--
Francis Davey

From james2 at jfirth.net Wed Aug 4 12:36:04 2010
From: james2 at jfirth.net (James Firth)
Date: Wed, 04 Aug 2010 11:36:04 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To: <4C594882.7070200@ernest.net>
References: <4C54293C.1000901@iosis.co.uk> <003001cb3161$c42d8f60$4c88ae20$@net> <20100802132545.GG10354@davros.org> <116FC0E0-B077-4A96-95D8-5D44FF32F42E@batten.eu.org> <4C582229.3070908@bbk.ac.uk> <84A18D9E-6744-4CBE-B1C2-FA7065DA4CD8@batten.eu.org> <2A1B5AB5488D43D4BBE3138C1A73BBCC@your41b8d18ede> <4C5904E9.7040102@iosis.co.uk> <4C59366F.6050504@ernest.net> <4C594882.7070200@ernest.net>
Message-ID: <005d01cb33c9$34184540$9c48cfc0$@net>

Nicholas Bohm wrote:
> That suggests to me that entering a URL designed to exploit a weakness
> in order to get "behind" the root of a server for a particular site is
> doing something very different from truncating a URL in order to
> explore
> a site. I can much more easily see why it might be concluded a
> particular user knew it was unauthorised.
>

Not according to RFC 1738 it's not.

Just because there is a weakness there it doesn't necessarily mean anyone using the syntax should be prosecuted for attempting unauthorised access.

A url http://ejf.me/../../ is perfectly valid.

If the server does not intend to provide access above "document root" then the server must handle rejection.

If the server does provide access above "document root" then by the server's own admission through issuing a 200 OK response it is indicating that access is AUTHORISED.
It's not just an unlocked door, it's a shop with a sign outside saying "We accept all visitors who conform to RFC 1738 - feel free to walk through the door corresponding to your valid request".

If the server operator did not intend to provide access above server root, then they should have configured their server to provide an appropriate (4xx) denial.

In this case it's the victim who cannot claim ignorance of the protocol is a valid excuse for launching a prosecution for something which ultimately is their own fault.

It's NOT even due to a bug in the software the server is using. It's a failure to understand the services the server operator is willingly offering.

- As you can tell I have very strong views on this subject.

James Firth

From adrianhayter at gmail.com Wed Aug 4 13:01:20 2010
From: adrianhayter at gmail.com (Adrian Hayter)
Date: Wed, 04 Aug 2010 12:01:20 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To: <4C5946A8.5080604@ernest.net>
References: <4C54293C.1000901@iosis.co.uk> <003001cb3161$c42d8f60$4c88ae20$@net> <20100802132545.GG10354@davros.org> <116FC0E0-B077-4A96-95D8-5D44FF32F42E@batten.eu.org> <4C582229.3070908@bbk.ac.uk> <84A18D9E-6744-4CBE-B1C2-FA7065DA4CD8@batten.eu.org> <2A1B5AB5488D43D4BBE3138C1A73BBCC@your41b8d18ede> <4C5904E9.7040102@iosis.co.uk> <4C59366F.6050504@ernest.net> <2F795C58-60C2-48E7-92CA-FD45D97E568D@gmail.com> <4C5946A8.5080604@ernest.net>
Message-ID: <71FD4F01-3A88-4732-9FF9-47E917119956@gmail.com>

>> Consider that the url http://example.com/stuff/morestuff/ pointed to
>> the location /var/www/example.com/public/stuff/morestuff/ on a server.
>> Doing a directory traversal on the url (such as:
>> http://example.com/stuff/morestuff/../../../ ) would (on some insecure
>> servers) get the location /var/www/example.com/.
>> Now we know from the
>> previous location that the directory 'public' is contained here, but
>> so could some other directories, such as 'logs' or even important
>> private information.
>>
>> As you can see, this would matter to the host, since a lot of
>> webservers are configured to display the contents of directories when
>> they do not come across a specified index file (such as index.html or
>> index.php). If you have a folder that is meant to be publicly
>> accessible, you do not want people to be able to traverse out of that
>> directory and into one that contains private data.
>
> Most helpful - thank you.
>
> Taking the above example, could you explain the difference in effect
> between http://example.com/stuff/morestuff/../../../ and
> http://example.com/ ? Do they not
> lead to the same location on the server, namely /var/www/example.com/?
>
> Nicholas
> --
> Contact and PGP key here

Since ../ means "go up one directory in the tree", it is perhaps simpler to imagine that you are at the url http://example.com/stuff/morestuff/ and are applying these ../ 'commands' one by one. So we are at the url, and we are going to apply ../ three times. Currently we are in the directory 'morestuff', and so applying the first ../ will take us up one directory to 'stuff'. The second ../ will take us up another level to the root directory of example.com. The third ../ will then take us up a further directory, but this can't be represented as a url, because we are going above the url root as it were, and into the realm of the actual filesystem itself.
If the url http://example.com/ points to /var/www/example.com/, then the following is true (assuming the webserver is set up in a simple manner):

http://example.com/stuff/morestuff/ => /var/www/example.com/stuff/morestuff/
http://example.com/stuff/morestuff/../ => /var/www/example.com/stuff/
http://example.com/stuff/morestuff/../../ => /var/www/example.com/
http://example.com/stuff/morestuff/../../../ => /var/www/

So whilst http://example.com/stuff/morestuff/../../ points to the same thing as http://example.com/, three directory traversals will go up even further. On most webservers I've come across, there are systems in place to prevent this, and it doesn't matter how many times you add an extra ../, the furthest you can traverse is to the root of the actual URL (i.e. http://example.com).

As a matter of interest, I applied this to my own website, and if you visit this link: http://adrianhayter.com/documents/../../../../ you should get the homepage (i.e. http://adrianhayter.com). Adding extra ../ doesn't change this behaviour.

-Adrian

From fjmd1a at gmail.com Wed Aug 4 13:32:21 2010
From: fjmd1a at gmail.com (Francis Davey)
Date: Wed, 04 Aug 2010 12:32:21 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To: <005d01cb33c9$34184540$9c48cfc0$@net>
References: <4C54293C.1000901@iosis.co.uk> <003001cb3161$c42d8f60$4c88ae20$@net> <20100802132545.GG10354@davros.org> <116FC0E0-B077-4A96-95D8-5D44FF32F42E@batten.eu.org> <4C582229.3070908@bbk.ac.uk> <84A18D9E-6744-4CBE-B1C2-FA7065DA4CD8@batten.eu.org> <2A1B5AB5488D43D4BBE3138C1A73BBCC@your41b8d18ede> <4C5904E9.7040102@iosis.co.uk> <4C59366F.6050504@ernest.net> <4C594882.7070200@ernest.net> <005d01cb33c9$34184540$9c48cfc0$@net>
Message-ID:

On 4 August 2010 12:35, James Firth wrote:
>
> Not according to RFC 1738 it's not.

For reasons I'll explain, that may not be relevant.
>
> Just because there is a weakness there it doesn't necessarily mean anyone
> using the syntax should be prosecuted for attempting unauthorised access.

Agreed and I don't think anyone on this list disagrees. Note that you elide "should be prosecuted" with "is committing a criminal offence": the former is normative, the latter is not. I agree with you on both points because you qualify it with "necessarily". Of course.

>
> A url http://ejf.me/../../ is perfectly valid.
>
> If the server does not intend to provide access above "document root" then
> the server must handle rejection.
>
> If the server does provide access above "document root" then by the server's
> own admission through issuing a 200 OK response is indicating that access is
> AUTHORISED.

Not as the law understands it. Merely because something is possible doesn't mean that it is therefore permissible. Section 17(5) either defines or amplifies the definition of authorisation:

"(5) Access of any kind by any person to any program or data held in a computer is unauthorised if -
(a) he is not himself entitled to control access of the kind in question to the program or data; and
(b) he does not have consent to access by him of the kind in question to the program or data from any person who is so entitled."

If you happen to believe that a website has been compromised and "know" (which is a strong statement and will be hard for the prosecution to prove) that a particular URL (whether malformed or not) will permit you to gain access to a part of the website you should not - or better that it will give you access you should not have (since websites don't have parts) and you know also that you don't have consent to do it, then trying that URL to see if it works would constitute a s.1 offence.
It's irrelevant whether or not the owners of the website are at fault for permitting you to do so and irrelevant whether or not they have permitted (since you may still be guilty of the attempt even if the action is impossible).

So the moral is: don't supply a URL to a website where you know that success will give you access to data to which you are not entitled, for whatever reason.

>
> It's not just an unlocked door, it's a shop with a sign outside saying "We
> accept all visitors who conform to RFC 1738 - feel free to walk through the
> door corresponding to your valid request".

As I tried to say earlier, trying to use other world examples of situations when arguing about what the law actually says is misleading and unhelpful. The law won't proceed by analogy in that way, and if you tried it in any senior court, you'd get short shrift. The law on access to property is not the same as the law on computer misuse. It could have been drafted so it was, but it wasn't.

Morality is different: we could take the view (as the common law did in the past about fraud) that the criminal law won't help you out if people try to do things you don't want them to - i.e. it's up to you to protect yourself - but that is a different question.

>
> If the server operator did not intend to provide access above server root,
> then they should have configured their server to provide an appropriate
> (4xx) denial.

Do we know they did not? You commit an offence of attempt if you try to do this even if the server operator has indeed secured themselves against unauthorised access. What the web server does or does not do is not nearly as important as one might think because of the Criminal Attempts Act.

>
> In this case it's the victim who cannot claim ignorance of the protocol is a
> valid excuse for launching a prosecution for something which ultimately is
> their own fault.
>
> It's NOT even due to a bug in the software the server using.
> It's a failure
> to understand the services the server operator is willingly offering.

I'm not sure what "it" is in this context, but in order to succeed a prosecutor has to prove that the defendant _knows_ that their access is unauthorised. If you think your access is authorised you are quite safe.

--
Francis Davey

From lists at internetpolicyagency.com Wed Aug 4 14:21:19 2010
From: lists at internetpolicyagency.com (Roland Perry)
Date: Wed, 04 Aug 2010 13:21:19 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To: <20100804114701.00003c52@surtees.fenrir.org.uk>
References: <20100802110024.GR29810@snowy.squish.net> <4C57B7D9.2040403@iosis.co.uk> <142201cb3319$124fa6c0$36eef440$@net> <4C58370C.3030006@iosis.co.uk> <000901cb3324$b2b61df0$182259d0$@philipkatz.eu> <+b3IJFf22EWMFANs@perry.co.uk> <20100803185937.00007a49@surtees.fenrir.org.uk> <20100804081824.GU29810@snowy.squish.net> <20100804114701.00003c52@surtees.fenrir.org.uk>
Message-ID:

In article <20100804114701.00003c52 at surtees.fenrir.org.uk>, Brian Morrison writes
>> And I see from the 'Update History' that this is the 11th version it
>>has installed in a little under a year!
>
>You should be pleased that they fix the things they know about....

On the contrary, I'm displeased they have so many vulnerabilities in the base product.
--
Roland Perry

From jon+ukcrypto at unequivocal.co.uk Wed Aug 4 14:29:14 2010
From: jon+ukcrypto at unequivocal.co.uk (Jon Ribbens)
Date: Wed, 04 Aug 2010 13:29:14 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To:
References: <84A18D9E-6744-4CBE-B1C2-FA7065DA4CD8@batten.eu.org> <2A1B5AB5488D43D4BBE3138C1A73BBCC@your41b8d18ede> <4C5904E9.7040102@iosis.co.uk> <4C59366F.6050504@ernest.net> <4C594882.7070200@ernest.net> <005d01cb33c9$34184540$9c48cfc0$@net>
Message-ID: <20100804132914.GW29810@snowy.squish.net>

On Wed, Aug 04, 2010 at 01:32:14PM +0100, Francis Davey wrote:
> > If the server operator did not intend to provide access above server root,
> > then they should have configured their server to provide an appropriate
> > (4xx) denial.
>
> Do we know they did not? You commit an offence of attempt if you try
> to do this even if the server operator has indeed secured themselves
> against unauthorised access. What the web server does or does not do
> is not nearly as important as one might think because of the Criminal
> Attempts Act.

Personally, I think that (attempting to) access http://example.com/ or http://example.com/../ shows little-to-no evidence of knowingly attempting to access unauthorised data. If however, as is seen commonly, someone attempts to access something like http://example.com/../../../etc/passwd or http://example.com/index.php?include=http://1.2.3.4/hax0r.inc or similar, then the user is quite blatantly attempting unauthorised access and can most certainly be regarded as a criminal.

From lists at internetpolicyagency.com Wed Aug 4 14:29:22 2010
From: lists at internetpolicyagency.com (Roland Perry)
Date: Wed, 04 Aug 2010 13:29:22 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To: <4C594882.7070200@ernest.net>
References: <4C54293C.1000901@iosis.co.uk> <003001cb3161$c42d8f60$4c88ae20$@net> <20100802132545.GG10354@davros.org> <116FC0E0-B077-4A96-95D8-5D44FF32F42E@batten.eu.org> <4C582229.3070908@bbk.ac.uk> <84A18D9E-6744-4CBE-B1C2-FA7065DA4CD8@batten.eu.org> <2A1B5AB5488D43D4BBE3138C1A73BBCC@your41b8d18ede> <4C5904E9.7040102@iosis.co.uk> <4C59366F.6050504@ernest.net> <4C594882.7070200@ernest.net>
Message-ID: <+3xIiwmtrWWMFAPD@perry.co.uk>

In article <4C594882.7070200 at ernest.net>, Nicholas Bohm writes
>> ".." normally (i.e. in common Unix and Microsoft filesystems) means
>> "parent directory" - so "cd .." should take you back up one level in
>> the filesystem. However, a well-engineered (and configured) webserver
>> should never provide information outside of the "webroot" - either
>> returning an error (RFC compliant behaviour - I'd guess at a 403
>> error) or simply returning the default page (normal behaviour).

...

>That suggests to me that entering a URL designed to exploit a weakness
>in order to get "behind" the root of a server for a particular site is
>doing something very different from truncating a URL in order to explore
>a site. I can much more easily see why it might be concluded a
>particular user knew it was unauthorised.

I agree that these are very different activities. And will therefore fail to lose sleep when experimenting with truncated urls which are *below* (rather than *above*) the root of a server.
--
Roland Perry

From peter at pmsommer.com Wed Aug 4 14:30:01 2010
From: peter at pmsommer.com (Peter Sommer)
Date: Wed, 04 Aug 2010 13:30:01 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To:
References: <4C54293C.1000901@iosis.co.uk> <003001cb3161$c42d8f60$4c88ae20$@net> <20100802132545.GG10354@davros.org> <116FC0E0-B077-4A96-95D8-5D44FF32F42E@batten.eu.org> <4C582229.3070908@bbk.ac.uk> <84A18D9E-6744-4CBE-B1C2-FA7065DA4CD8@batten.eu.org> <2A1B5AB5488D43D4BBE3138C1A73BBCC@your41b8d18ede> <4C5904E9.7040102@iosis.co.uk> <4C59366F.6050504@ernest.net> <2F795C58-60C2-48E7-92CA-FD45D97E568D@gmail.com> <4C5946A8.5080604@ernest.net> <4C594C83.4090704@pmsommer.com>
Message-ID: <4C596B51.9040302@pmsommer.com>

On 04/08/2010 12:30, Francis Davey wrote:
> Not in this case, no. An appeal under s.108 of the Magistrates' Courts
> Act 1980 results in a re-hearing of the case, i.e. a fresh trial in
> the Crown Court.
>
> Trust me, I'm a lawyer 8-).
>

I stand corrected - very very few of my cases are in the magistrates' courts.

But I think you are referring to the procedure - surely there have to be threshold tests for an appeal to be allowed (other than that the defendant didn't like the initial outcome). And presumably they would have to be very similar to the ones I outlined - wrong in law or a bizarre finding of fact (though I have to say I can't see this immediately in the 1980 Act).

--
THE INFORMATION CONTAINED IN THIS E-MAIL IS CONFIDENTIAL AND LEGALLY PRIVILEGED. IT IS INTENDED ONLY FOR THE ADDRESSEE NAMED ABOVE. IF YOU ARE NOT THE ADDRESSEE ANY DISTRIBUTION, COPYING OR DISCLOSURE OF THIS E-MAIL IS STRICTLY PROHIBITED. IF YOU HAVE RECEIVED IT IN ERROR PLEASE NOTIFY THE SENDER BY E-MAIL IMMEDIATELY AND DESTROY THE ORIGINAL

From lists at internetpolicyagency.com Wed Aug 4 14:36:02 2010
From: lists at internetpolicyagency.com (Roland Perry)
Date: Wed, 04 Aug 2010 13:36:02 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To:
References: <4C54293C.1000901@iosis.co.uk> <003001cb3161$c42d8f60$4c88ae20$@net> <20100802132545.GG10354@davros.org> <116FC0E0-B077-4A96-95D8-5D44FF32F42E@batten.eu.org> <4C582229.3070908@bbk.ac.uk> <84A18D9E-6744-4CBE-B1C2-FA7065DA4CD8@batten.eu.org> <2A1B5AB5488D43D4BBE3138C1A73BBCC@your41b8d18ede> <4C5904E9.7040102@iosis.co.uk> <4C59366F.6050504@ernest.net> <4C594882.7070200@ernest.net> <005d01cb33c9$34184540$9c48cfc0$@net>
Message-ID: <3XiKa8njxWWMFAMy@perry.co.uk>

In article , Francis Davey writes
>So the moral is: don't supply a URL to a website where you know that
>success will give you access to data to which you are not entitled,
>for whatever reason.

As long as the url is pointing to something on the public side of the url's root, I may have no idea whether or not the content I will find is something the website considers me unauthorised to view. It may well be the case that a combination of sloth and incompetence has merely rendered that content inaccessible to visitors.
--
Roland Perry

From fjmd1a at gmail.com Wed Aug 4 14:39:59 2010
From: fjmd1a at gmail.com (Francis Davey)
Date: Wed, 04 Aug 2010 13:39:59 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To: <4C596B51.9040302@pmsommer.com>
References: <4C54293C.1000901@iosis.co.uk> <003001cb3161$c42d8f60$4c88ae20$@net> <20100802132545.GG10354@davros.org> <116FC0E0-B077-4A96-95D8-5D44FF32F42E@batten.eu.org> <4C582229.3070908@bbk.ac.uk> <84A18D9E-6744-4CBE-B1C2-FA7065DA4CD8@batten.eu.org> <2A1B5AB5488D43D4BBE3138C1A73BBCC@your41b8d18ede> <4C5904E9.7040102@iosis.co.uk> <4C59366F.6050504@ernest.net> <2F795C58-60C2-48E7-92CA-FD45D97E568D@gmail.com> <4C5946A8.5080604@ernest.net> <4C594C83.4090704@pmsommer.com> <4C596B51.9040302@pmsommer.com>
Message-ID:

On 4 August 2010 14:29, Peter Sommer wrote:
>
> I stand corrected - very very few of my cases are in the magistrates'
> courts.
>
> But I think you are referring to the procedure - surely there have to be
> threshold tests for an appeal to be allowed (other than that the defendant
> didn't like the initial outcome). And presumably they would have to be very
> similar to the ones I outlined - wrong in law or a bizarre finding of fact
> (though I have to say I can't see this immediately in the 1980 Act),

No, really, it's a complete re-hearing. If you look at part 63 of the criminal procedure rules, you will see that you don't have to give any *grounds* for appeal as you might have to do in most civil appeals. I always wonder why more aggrieved people don't do it.

--
Francis Davey

From fjmd1a at gmail.com Wed Aug 4 14:41:49 2010
From: fjmd1a at gmail.com (Francis Davey)
Date: Wed, 04 Aug 2010 13:41:49 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To: <3XiKa8njxWWMFAMy@perry.co.uk>
References: <4C54293C.1000901@iosis.co.uk> <003001cb3161$c42d8f60$4c88ae20$@net> <20100802132545.GG10354@davros.org> <116FC0E0-B077-4A96-95D8-5D44FF32F42E@batten.eu.org> <4C582229.3070908@bbk.ac.uk> <84A18D9E-6744-4CBE-B1C2-FA7065DA4CD8@batten.eu.org> <2A1B5AB5488D43D4BBE3138C1A73BBCC@your41b8d18ede> <4C5904E9.7040102@iosis.co.uk> <4C59366F.6050504@ernest.net> <4C594882.7070200@ernest.net> <005d01cb33c9$34184540$9c48cfc0$@net> <3XiKa8njxWWMFAMy@perry.co.uk>
Message-ID:

On 4 August 2010 14:34, Roland Perry wrote:
> In article ,
> Francis Davey writes
>>
>> So the moral is: don't supply a URL to a website where you know that
>> success will give you access to data to which you are not entitled,
>> for whatever reason.
>
> As long as the url is pointing to something on the public side of the url's
> root, I may have no idea whether or not the content I will find is something
> the website considers me unauthorised to view.
> It may well be the case that
> a combination of sloth and incompetence has merely rendered that content
> inaccessible to visitors.

Right, which is why it's a crime which requires you to "know" that access is unauthorised. If you have no idea, you aren't committing an offence (at least under s.1)

--
Francis Davey

From bdm at fenrir.org.uk Wed Aug 4 15:03:50 2010
From: bdm at fenrir.org.uk (Brian Morrison)
Date: Wed, 04 Aug 2010 14:03:50 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To:
References: <20100802110024.GR29810@snowy.squish.net> <4C57B7D9.2040403@iosis.co.uk> <142201cb3319$124fa6c0$36eef440$@net> <4C58370C.3030006@iosis.co.uk> <000901cb3324$b2b61df0$182259d0$@philipkatz.eu> <+b3IJFf22EWMFANs@perry.co.uk> <20100803185937.00007a49@surtees.fenrir.org.uk> <20100804081824.GU29810@snowy.squish.net> <20100804114701.00003c52@surtees.fenrir.org.uk>
Message-ID: <20100804150343.00007a3f@surtees.fenrir.org.uk>

On Wed, 4 Aug 2010 14:20:02 +0100
Roland Perry wrote:

> In article <20100804114701.00003c52 at surtees.fenrir.org.uk>, Brian
> Morrison writes
> >> And I see from the 'Update History' that this is the 11th version
> >> it
> >>has installed in a little under a year!
> >
> >You should be pleased that they fix the things they know about....
>
> On the contrary, I'm displeased they have so many vulnerabilities in
> the base product.

*Everybody* has many vulnerabilities in their products, so getting them fixed is better than not doing so. But like you, it does depress me the amount of updating I have to do. With 4 laptops running Windows at home it makes for a lot of work, at least my Linux machines update with effectively 1 click.
--
Brian Morrison

From lists at internetpolicyagency.com Wed Aug 4 15:09:23 2010
From: lists at internetpolicyagency.com (Roland Perry)
Date: Wed, 04 Aug 2010 14:09:23 -0000
Subject: Government monitoring requests rise for phone, email
In-Reply-To:
References:
Message-ID:

In article , David Biggins writes
>http://www.zdnet.co.uk/news/security-management/2010/07/29/government-monitoring-requests-rise-for-phone-email-40089682/
>
>The Interception of Communications Commissioner has revealed that
>police and other agencies made 21,000 more requests for citizens'
>communications data in 2009 than the previous year.
>Sir Paul Kennedy disclosed in his annual report that in 2009, public
>authorities made 525,130 data requests to ISPs to view people's phone
>and email records. That figure compares with a total of 504,073
>requests in 2008.

3.41 During the period covered by this report 131 local authorities notified me that they had made use of their powers to acquire communications data, and this is slightly more than last year. A total of 1,756 requests...

Which is about 0.3% of the total.

... were made for communications data and the vast majority were for basic subscriber information, although 24 Councils reported that they had acquired some service use data under Section 21(4)(b) of the Act.

It's good to see a reference to the different categories within 21(4), because they were introduced specifically to provide some graduation in the ability of public authorities to request data (and ultimately in the ability to report it).

I think (although Sir Paul clearly disagrees) that mentioning how many of the 525k are requests for simply "reverse DQ" would be a help in understanding the impact of the legislation. Although "reverse DQ" [type (c)] is admittedly classed as "comms data", it's not really "viewing phone and email records", as suggested by ZDnet.
And as Sir Paul points out later on, even the access to type (b) data is limited to *outgoing* phone bills (not incoming calls) and *no* IP related transactions at all, for the majority of public authorities.

And in other news... I see that RIPA is being misreported again, in the Poole school-snooping case, as an Act that gave councils powers. When in fact it's quite the reverse - as this Tribunal case shows, in fact it's regulating (and slapping on the wrists when misused) the surveillance activity which has always taken place.
--
Roland Perry

From chl at clerew.man.ac.uk Wed Aug 4 15:11:30 2010
From: chl at clerew.man.ac.uk (Charles Lindsey)
Date: Wed, 04 Aug 2010 14:11:30 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To:
References: <4C54293C.1000901@iosis.co.uk> <003001cb3161$c42d8f60$4c88ae20$@net> <20100802132545.GG10354@davros.org> <116FC0E0-B077-4A96-95D8-5D44FF32F42E@batten.eu.org> <4C582229.3070908@bbk.ac.uk> <4C5835C0.9020803@ernest.net>
Message-ID:

On Tue, 03 Aug 2010 18:06:36 +0100, Roland Perry wrote:

> My common sense says that if I am unauthorised to view a web page, then
> it will return some kind of error which demonstrates that I have not
> presented valid credentials.
>
> Although I am aware that this falls foul of the Law Enforcement model
> that if you stumble over an unlocked door, that doesn't mean you are
> allowed to open it and go inside. Although I might characterise it more
> as looking through a window where someone has failed to draw the
> curtains.

But where there is a well understood convention/understanding that unlocked doors in a particular street imply an invitation to enter, that would not apply.

In the case of the WWW, that convention is widely understood to apply.

--
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131
   Web: http://www.cs.man.ac.uk/~chl
Email: chl at clerew.man.ac.uk      Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9      Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5

From lists at internetpolicyagency.com Wed Aug 4 17:25:36 2010
From: lists at internetpolicyagency.com (Roland Perry)
Date: Wed, 04 Aug 2010 16:25:36 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To: <20100804150343.00007a3f@surtees.fenrir.org.uk>
References: <20100802110024.GR29810@snowy.squish.net> <4C57B7D9.2040403@iosis.co.uk> <142201cb3319$124fa6c0$36eef440$@net> <4C58370C.3030006@iosis.co.uk> <000901cb3324$b2b61df0$182259d0$@philipkatz.eu> <+b3IJFf22EWMFANs@perry.co.uk> <20100803185937.00007a49@surtees.fenrir.org.uk> <20100804081824.GU29810@snowy.squish.net> <20100804114701.00003c52@surtees.fenrir.org.uk> <20100804150343.00007a3f@surtees.fenrir.org.uk>
Message-ID:

In article <20100804150343.00007a3f at surtees.fenrir.org.uk>, Brian Morrison writes
>> >> And I see from the 'Update History' that this is the 11th version
>> >>it has installed in a little under a year!
>> >
>> >You should be pleased that they fix the things they know about....
>>
>> On the contrary, I'm displeased they have so many vulnerabilities in
>> the base product.
>
>*Everybody* has many vulnerabilities in their products, so getting them
>fixed is better than not doing so.

It seems to be worse than that... why are these products so susceptible to vulnerabilities? For example, one that used to occur over and over again was "buffer overflow". Surely there must be programming (or memory management) techniques that could eliminate them entirely?
-- 
Roland Perry

From lists at internetpolicyagency.com Wed Aug 4 17:31:36 2010
From: lists at internetpolicyagency.com (Roland Perry)
Date: Wed, 04 Aug 2010 16:31:36 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To:
References: <4C54293C.1000901@iosis.co.uk> <003001cb3161$c42d8f60$4c88ae20$@net> <20100802132545.GG10354@davros.org> <116FC0E0-B077-4A96-95D8-5D44FF32F42E@batten.eu.org> <4C582229.3070908@bbk.ac.uk> <4C5835C0.9020803@ernest.net>
Message-ID: <4PSJcc5iWZWMFAdf@perry.co.uk>

In article , Charles Lindsey writes
>> Although I am aware that this falls foul of the Law Enforcement model
>>that if you stumble over an unlocked door, that doesn't mean you are
>>allowed to open it and go inside. Although I might characterise it
>>more as looking through a window where someone has failed to draw
>>the curtains.
>
>But where there is a well understood convention/understanding that
>unlocked doors in a particular street imply an invitation to enter,
>that would not apply.
>
>In the case of the WWW, that convention is widely understood to apply.

As it is (or perhaps used to be - I'm showing my age) in Oxbridge college rooms. "Sporting the Oak" being the reverse.
-- 
Roland Perry

From colinthomson1 at o2.co.uk Wed Aug 4 19:59:40 2010
From: colinthomson1 at o2.co.uk (Tom Thomson)
Date: Wed, 04 Aug 2010 18:59:40 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISPDPI, but is it interception?)
In-Reply-To: <20100804132914.GW29810@snowy.squish.net>
References: <84A18D9E-6744-4CBE-B1C2-FA7065DA4CD8@batten.eu.org> <2A1B5AB5488D43D4BBE3138C1A73BBCC@your41b8d18ede> <4C5904E9.7040102@iosis.co.uk> <4C59366F.6050504@ernest.net> <4C594882.7070200@ernest.net> <005d01cb33c9$34184540$9c48cfc0$@net> <20100804132914.GW29810@snowy.squish.net>
Message-ID: <067893A219954873AF892D30E5941E0A@your41b8d18ede>

When I first come across a link to a website, say http://www.example.com/something/ it may give me a 404 error response (meaning that the directory something has no default file in it).
At that point I don't know whether access to http://www.example.com/ is authorised or not - and the advice most commonly given for dealing with 404 responses of this sort (and often contained in a custom 404 error page) is to go to the root: http://www.example.com/. That may deliver a 403 response - if it does, I now know that access to the root is not authorised - but that is in fact very unusual; it may deliver me another 404 response (quite common, bad website design), or it may put me on the website's default page (this is the norm and is actually good design). I think that no-one with any understanding of the web (and in their right mind) would suggest that I knew access was not authorised when I first tried access to that website root.

Now I'm at the root http://www.example.com/ and I have an unhelpful page of some sort, perhaps a 404 error page. I don't know whether http://www.example.com/../ is authorised or not. If it is, I may find a useful page there that is (or enables me to find) either the site's default page or the page I was originally directed to (through the link which delivered a 404 error, presumably either because the page had been moved since the link was created or because a typing error was made in creating the link). If it isn't, I may get a 403 error response to tell me that it isn't authorised. But in what sense could I be said to know that access to http://www.example.com/../ was unauthorised before I tried it to see?

A bit closer to the case in hand: suppose I have some reason to think that the site may have been compromised, and one likely way in which that could happen is that the site owner foolishly authorised access to http://www.example.com/../ as a directory listing with write access permitted. I don't know whether the owner has indeed granted this access, so I navigate to http://www.example.com/../ to see whether access is authorised and if so in what form it is authorised.
I may get a meaningful web page (which doesn't tell me access to this location is unauthorised, since (a) the web page may be in this location and (b) I may be allowed to access this location in order to get redirected to that page), I may get a 403 error telling me access is unauthorised (but I clearly couldn't know that before I got the error) or I may get a directory listing (which tells me directory access is authorised - whether intentionally or by mistake) and that listing may indicate that from here I have write access to file-store - in which case I will contact the site owners and advise them both of this access being authorised (in case it was authorised by mistake) and of my suspicions that the site has been compromised, and give them notice to remove all my personal data from their systems and cease processing it in any manner (I can't off-hand remember which section of the DPA this notice comes under).

Since I'm a computer professional with a good understanding of website security (amongst other things), if I did what is described in the last paragraph above, presumably a magistrate like the one in the case that has been discussed would find me guilty of a section 1 CMA offense, despite my not having any knowledge of the fact that access was unauthorised, just because at some point in the past some very bad tools made it easy for people to mistakenly permit access that they didn't want to permit, even though anyone using a more modern tool would have to go out of his way and jump through all sorts of hoops to allow this access, so that if it were permitted it would (almost) certainly be deliberately authorised.

M

From dfawcus+lists-ukcrypto at employees.org Wed Aug 4 20:58:56 2010
From: dfawcus+lists-ukcrypto at employees.org (Derek Fawcus)
Date: Wed, 04 Aug 2010 19:58:56 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To: <4C594882.7070200@ernest.net>
References: <116FC0E0-B077-4A96-95D8-5D44FF32F42E@batten.eu.org> <4C582229.3070908@bbk.ac.uk> <84A18D9E-6744-4CBE-B1C2-FA7065DA4CD8@batten.eu.org> <2A1B5AB5488D43D4BBE3138C1A73BBCC@your41b8d18ede> <4C5904E9.7040102@iosis.co.uk> <4C59366F.6050504@ernest.net> <4C594882.7070200@ernest.net>
Message-ID: <20100804162809.GA22482@willers.employees.org>

On Wed, Aug 04, 2010 at 12:01:22PM +0100, Nicholas Bohm wrote:
>
> That suggests to me that entering a URL designed to exploit a weakness
> in order to get "behind" the root of a server for a particular site is
> doing something very different from truncating a URL in order to explore
> a site. I can much more easily see why it might be concluded a
> particular user knew it was unauthorised.

But is it designed to exploit a weakness, or is it simply a convenient shortcut?

Depending upon browser, client OS, and server, going up the tree can be achieved by:

 1) Append '../'
 2) Use backspace/delete to remove the characters at the tail of the URL
 3) Use the mouse to sweep out (select) the tail of the URL, then press backspace/delete.
 4) Some combination of double/triple click on the last component to select it, then backspace/delete.

Of these, when available 4 is the easiest, followed by 1.

I can use 4 in firefox (or safari) on a mac, but the 'word' selected will only include alphanumeric chars. I have to use one of the other methods in firefox on Linux. Of those, 2 or 3 would be used to remove a terminal 'file' part, then one of 1-3 for each directory component, with method 1 being the easiest/fastest.

Then if one is appending a bunch of '../' strings, it would be easy to unintentionally ascend too high.

From uk-crypto at singularis.ltd.uk Thu Aug 5 01:02:28 2010
From: uk-crypto at singularis.ltd.uk (Ian Miller)
Date: Thu, 05 Aug 2010 00:02:28 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To: <20100804162809.GA22482@willers.employees.org>
References: <4C594882.7070200@ernest.net> <116FC0E0-B077-4A96-95D8-5D44FF32F42E@batten.eu.org> <4C582229.3070908@bbk.ac.uk> <84A18D9E-6744-4CBE-B1C2-FA7065DA4CD8@batten.eu.org> <2A1B5AB5488D43D4BBE3138C1A73BBCC@your41b8d18ede> <4C5904E9.7040102@iosis.co.uk> <4C59366F.6050504@ernest.net> <4C594882.7070200@ernest.net>
Message-ID:

At 17:28 +0100 4/8/10, Derek Fawcus wrote:
>Depending upon browser, client OS, and server, going up the tree
>can be achieved by:
>
> 1) Append '../'
> 2) Use backspace/delete to remove the characters at the tail of the URL
> 3) Use the mouse to sweep out (select) the tail of the URL,
>    then press backspace/delete.
> 4) Some combination of double/triple click on the last component to
>    select it, then backspace/delete.
>
>Of these, when available 4 is the easiest, followed by 1.

Actually there is (when available) an even easier method:-

 5) Click on the "Up" button.

Konqueror is the only browser that I know for sure has this, but there may well be other browsers that do. Browsers that, like Konqueror, are designed to work both as web and file-system browser are more likely to have such a facility.

With Konqueror I have on occasion truncated a URI by accidentally hitting the up-button. Being next to the back-button, and the same colour, it is very easy to do.

Ian

From colinthomson1 at o2.co.uk Thu Aug 5 01:59:55 2010
From: colinthomson1 at o2.co.uk (Tom Thomson)
Date: Thu, 05 Aug 2010 00:59:55 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To:
References: <20100802110024.GR29810@snowy.squish.net> <4C57B7D9.2040403@iosis.co.uk> <142201cb3319$124fa6c0$36eef440$@net> <4C58370C.3030006@iosis.co.uk> <000901cb3324$b2b61df0$182259d0$@philipkatz.eu> <+b3IJFf22EWMFANs@perry.co.uk> <20100803185937.00007a49@surtees.fenrir.org.uk> <20100804081824.GU29810@snowy.squish.net> <20100804114701.00003c52@surtees.fenrir.org.uk> <20100804150343.00007a3f@surtees.fenrir.org.uk>
Message-ID:

Roland Perry wrote:
> It seems to be worse than that... why are these products so susceptible
> to vulnerabilities? For example, one that used to occur over and over
> again was "buffer overflow". Surely there must be programming (or memory
> management) techniques that could eliminate them entirely?

There are indeed appropriate techniques, but these techniques involve either or both of using hardware which supports memory management (as implemented by old-fashioned mainframe providers and some old-fashioned mini-computer providers) and programming in languages whose operational semantics requires bounds checking and separation of code and data. Systems using the technologies developed in the late 1960s and the 1970s by companies such as Burroughs, ICL, and even CTL could not have suffered from most of the vulnerabilities that we see today.

However, all this sound practice was thrown away - following the "cheaper is better, regardless of safety and security, and theoretical soundness is undesirable because it costs more" philosophy which was illustrated by the invention of insecure (and indeed un-securable) languages like C, operating systems like Unix, and hardware that was designed to support only these minimal cost languages and operating systems. Even worse, the people who led this appalling rush towards unsoundness became (and still are) revered idols of the IT industry.
Over time the situation became worse - C++ was invented but the inventors chose to keep all the insecurity built into C, the MS Windows operating system was created when total disregard for security had become the norm with what one might expect to be the result, and many more idiocies were perpetrated.

The result is a bunch of excessively vulnerable software, which mostly can't rely on any useful security support from the underlying hardware, that we have to live with today.

M

From james2 at jfirth.net Thu Aug 5 08:08:21 2010
From: james2 at jfirth.net (James Firth)
Date: Thu, 05 Aug 2010 07:08:21 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To:
References: <4C54293C.1000901@iosis.co.uk> <003001cb3161$c42d8f60$4c88ae20$@net> <20100802132545.GG10354@davros.org> <116FC0E0-B077-4A96-95D8-5D44FF32F42E@batten.eu.org> <4C582229.3070908@bbk.ac.uk> <84A18D9E-6744-4CBE-B1C2-FA7065DA4CD8@batten.eu.org> <2A1B5AB5488D43D4BBE3138C1A73BBCC@your41b8d18ede> <4C5904E9.7040102@iosis.co.uk> <4C59366F.6050504@ernest.net> <4C594882.7070200@ernest.net> <005d01cb33c9$34184540$9c48cfc0$@net>
Message-ID: <001e01cb346c$f6664180$e332c480$@net>

Francis Davey wrote:
> Not as the law understands it. Merely because something is possible
> doesn't mean that it is therefore permissible.
>
> Section 17(5) either defines or amplifies the definition of
> authorisation:

Apologies I didn't make this clear. I was speaking from a "where I think the law should go" perspective. I'm all too well aware of the broad nature of the existing legislation.

James Firth

From james2 at jfirth.net Thu Aug 5 08:14:11 2010
From: james2 at jfirth.net (James Firth)
Date: Thu, 05 Aug 2010 07:14:11 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To: <20100804132914.GW29810@snowy.squish.net>
References: <84A18D9E-6744-4CBE-B1C2-FA7065DA4CD8@batten.eu.org> <2A1B5AB5488D43D4BBE3138C1A73BBCC@your41b8d18ede> <4C5904E9.7040102@iosis.co.uk> <4C59366F.6050504@ernest.net> <4C594882.7070200@ernest.net> <005d01cb33c9$34184540$9c48cfc0$@net> <20100804132914.GW29810@snowy.squish.net>
Message-ID: <002101cb346d$c75d9630$5618c290$@net>

Jon Ribbens wrote:
> Personally, I think that (attempting to) access http://example.com/
> or http://example.com/../ shows little-to-no evidence of knowingly
> attempting to access unauthorised data. If however, as is seen
> commonly, someone attempts to access something like
> http://example.com/../../../etc/passwd or
> http://example.com/index.php?include=http://1.2.3.4/hax0r.inc
> or similar, then the user is quite blatantly attempting unauthorised
> access and can most certainly be regarded as a criminal.

I see attacks on my servers on a daily basis - literally.

As you perhaps hinted the intent can best be shown through a sustained attack, and this in probably all cases is script driven.

So - a machine-driven attack containing hundreds and usually thousands of requests across various known vulnerabilities is a clear line. Unfortunately such attacks usually come from compromised machines, although I'm possibly in breach of the law even going back to the source IP to establish whether it's been compromised using any well-known method.

In my view attempting to exploit any one or more of the vulnerabilities "by hand" using mainstream commercial tools should not be actionable.

James Firth

From james2 at jfirth.net Thu Aug 5 08:23:49 2010
From: james2 at jfirth.net (James Firth)
Date: Thu, 05 Aug 2010 07:23:49 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To: <3XiKa8njxWWMFAMy@perry.co.uk>
References: <4C54293C.1000901@iosis.co.uk> <003001cb3161$c42d8f60$4c88ae20$@net> <20100802132545.GG10354@davros.org> <116FC0E0-B077-4A96-95D8-5D44FF32F42E@batten.eu.org> <4C582229.3070908@bbk.ac.uk> <84A18D9E-6744-4CBE-B1C2-FA7065DA4CD8@batten.eu.org> <2A1B5AB5488D43D4BBE3138C1A73BBCC@your41b8d18ede> <4C5904E9.7040102@iosis.co.uk> <4C59366F.6050504@ernest.net> <4C594882.7070200@ernest.net> <005d01cb33c9$34184540$9c48cfc0$@net> <3XiKa8njxWWMFAMy@perry.co.uk>
Message-ID: <002401cb346f$1fea3cd0$5fbeb670$@net>

> As long as the url is pointing to something on the public side of the
> url's root, I may have no idea whether or not the content I will find
> is

Where are you getting the definition of "public side"?

If I choose to configure my web server to serve pages "below root" - perfectly valid by protocol - then anyone who accesses these pages is de facto authorised in doing so.

*** The ** only way ** one can establish whether a request is authorised is to send the actual request and look at the response. ***

This is a key fact applicable to request-response protocols.

Just look at a [non-exhaustive] selection of response codes for HTTP/1.1 in RFC2616

200 OK
201 Created
202 Accepted
203 Non-Authoritative Information (since HTTP/1.1)
204 No Content
...
300 Multiple Choices
301 Moved Permanently
302 Found
303 See Other (since HTTP/1.1)
...
400 Bad Request
401 Unauthorized (*)
402 Payment Required (*)
403 Forbidden (*)
404 Not Found
405 Method Not Allowed
406 Not Acceptable
407 Proxy Authentication Required
408 Request Timeout
409 Conflict
410 Gone

There is a definition 401 UNAUTHORIZED and one cannot establish that the request is unauthorized without sending the request.

Clearly applicable in such judgements.
James Firth

From jon+ukcrypto at unequivocal.co.uk Thu Aug 5 10:29:48 2010
From: jon+ukcrypto at unequivocal.co.uk (Jon Ribbens)
Date: Thu, 05 Aug 2010 09:29:48 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To: <002101cb346d$c75d9630$5618c290$@net>
References: <4C5904E9.7040102@iosis.co.uk> <4C59366F.6050504@ernest.net> <4C594882.7070200@ernest.net> <005d01cb33c9$34184540$9c48cfc0$@net> <20100804132914.GW29810@snowy.squish.net> <002101cb346d$c75d9630$5618c290$@net>
Message-ID: <20100805092947.GZ29810@snowy.squish.net>

On Thu, Aug 05, 2010 at 08:14:00AM +0100, James Firth wrote:
> Jon Ribbens wrote:
> > Personally, I think that (attempting to) access http://example.com/
> > or http://example.com/../ shows little-to-no evidence of knowingly
> > attempting to access unauthorised data. If however, as is seen
> > commonly, someone attempts to access something like
> > http://example.com/../../../etc/passwd or
> > http://example.com/index.php?include=http://1.2.3.4/hax0r.inc
> > or similar, then the user is quite blatantly attempting unauthorised
> > access and can most certainly be regarded as a criminal.
>
> I see attacks on my servers on a daily basis - literally.

Yes, this is what I meant by "seen commonly" ;-)

> As you perhaps hinted the intent can best be shown through a sustained
> attack, and this in probably all cases is script driven.

Yes, clearly the volume scattergun attacks are automated.

> So - a machine-driven attack containing hundreds and usually thousands of
> requests across various known vulnerabilities is a clear line.
> Unfortunately such attacks usually come from compromised machines, although
> I'm possibly in breach of the law even going back to the source IP to
> establish whether it's been compromised using any well-known method.

I would think you might be.
> In my view attempting to exploit any one or more of the vulnerabilities "by
> hand" using mainstream commercial tools should not be actionable.

Sorry, you think it should be illegal if automated but legal if done manually? How do you come to that conclusion? If the prosecution can show that a person deliberately attempted to fetch one of the latter two URLs I gave above, there can honestly be no reasonable doubt that they were attempting something they knew was unauthorised, and I don't see any particular reason that that should not be illegal.

From igb at batten.eu.org Thu Aug 5 10:39:49 2010
From: igb at batten.eu.org (Ian Batten)
Date: Thu, 05 Aug 2010 09:39:49 -0000
Subject: Ofcom Do Security
Message-ID: <09961A39-A259-4755-A3DE-877A6CE029F2@batten.eu.org>

When you register on the Ofcom site, you are forced to choose a complex password: mixed case, 7--12 characters, must contain digits.

Which is then mailed to you as plaintext for confirmation.

Hmm.

ian

From james2 at jfirth.net Thu Aug 5 11:17:12 2010
From: james2 at jfirth.net (James Firth)
Date: Thu, 05 Aug 2010 10:17:12 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To: <20100805092947.GZ29810@snowy.squish.net>
References: <4C5904E9.7040102@iosis.co.uk> <4C59366F.6050504@ernest.net> <4C594882.7070200@ernest.net> <005d01cb33c9$34184540$9c48cfc0$@net> <20100804132914.GW29810@snowy.squish.net> <002101cb346d$c75d9630$5618c290$@net> <20100805092947.GZ29810@snowy.squish.net>
Message-ID: <006701cb3487$59d0b330$0d721990$@net>

Jon Ribbens wrote:
> Sorry, you think it should be illegal if automated but legal if done
> manually?

Not quite. In the event security is not actually breached, ie probing attacks made but machine not compromised, I think in order to objectively show intent to gain unauthorised access it should be proved there was a repeated and systematic attempt.
Whether this was entered manually or by hand is irrelevant, but to get across a threshold for clear and systematic, realistically it would be script driven.

> How do you come to that conclusion? If the prosecution can
> show that a person deliberately attempted to fetch one of the latter
> two URLs I gave above, there can honestly be no reasonable doubt that
> they were attempting something they knew was unauthorised,

I see where you're coming from but I don't think anyone should risk prosecution for URLs typed into a web browser, even if it was driven by an attempt to gain unauthorised access.

To my mind the aim should be to catch criminals, not criminalise the curious.

If server owners don't secure their servers how is the law to establish whether some oddball actually wants to serve a file /etc/passwd ?

The protocol is clear - the requestor is able to establish whether any arbitrary URL is valid by sending a request. The response code indicates whether access is authorised.

As others have said there really is no real-world analogy. The law should reflect and respect the protocols.

I'm also reminded of crazy attempted prosecutions for those using unsecured WiFi. How else is one to differentiate between me offering free WiFi to my neighbours (no security) or me not offering free WiFi (security).

Yes we could start talking about elitism and protection of vulnerable tech users left in the lurch by the equipment providers' failure to make security default-on and easy to use. But surely this is a civil issue of manufacturers selling equipment "fit for purpose". And if these vulnerable users suffer material loss or damage as a result, then why not leave redress to the civil courts?

James Firth

From jon+ukcrypto at unequivocal.co.uk Thu Aug 5 11:51:18 2010
From: jon+ukcrypto at unequivocal.co.uk (Jon Ribbens)
Date: Thu, 05 Aug 2010 10:51:18 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To: <006701cb3487$59d0b330$0d721990$@net>
References: <4C59366F.6050504@ernest.net> <4C594882.7070200@ernest.net> <005d01cb33c9$34184540$9c48cfc0$@net> <20100804132914.GW29810@snowy.squish.net> <002101cb346d$c75d9630$5618c290$@net> <20100805092947.GZ29810@snowy.squish.net> <006701cb3487$59d0b330$0d721990$@net>
Message-ID: <20100805105117.GC29810@snowy.squish.net>

On Thu, Aug 05, 2010 at 11:17:03AM +0100, James Firth wrote:
> If server owners don't secure their servers how is the law to establish
> whether some oddball actually wants to serve a file /etc/passwd ?

Because it's blatantly obvious that any reasonable person must assume that the server operator does *not* want to serve /etc/passwd, unless they have specific information to the contrary.

> The protocol is clear - the requestor is able to establish whether
> any arbitrary URL is valid by sending a request. The response code
> indicates whether access is authorised.

You are assuming all security is perfect, and it obviously isn't. "Yes your honour, I did kick his door in, but if he had a proper door it wouldn't have broken when I kicked it" is not a defence.

> I'm also reminded of crazy attempted prosecutions for those using unsecured
> WiFi. How else is one to differentiate between me offering free WiFi to my
> neighbours (no security) or me not offering free WiFi (security).

That's completely different, because people very commonly do offer unencrypted WiFi that the public are expected to connect to.

> And if these vulnerable users suffer material loss or damage as a
> result, then why not leave redress to the civil courts?

You might as well say why not make burglary legal and the victims must sue in civil court for trespass and conversion.

From james2 at jfirth.net Thu Aug 5 12:05:53 2010
From: james2 at jfirth.net (James Firth)
Date: Thu, 05 Aug 2010 11:05:53 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To: <20100805105117.GC29810@snowy.squish.net>
References: <4C59366F.6050504@ernest.net> <4C594882.7070200@ernest.net> <005d01cb33c9$34184540$9c48cfc0$@net> <20100804132914.GW29810@snowy.squish.net> <002101cb346d$c75d9630$5618c290$@net> <20100805092947.GZ29810@snowy.squish.net> <006701cb3487$59d0b330$0d721990$@net> <20100805105117.GC29810@snowy.squish.net>
Message-ID: <008b01cb348e$26c3fd10$744bf730$@net>

Jon Ribbens wrote:
> You might as well say why not make burglary legal and the victims
> must sue in civil court for trespass and conversion.

No, I'm not. I'm saying that the virtual world in this respect is different from the real world.

Anyhow I'm not even sure that entering through an unlocked door in the physical world is illegal, isn't this just a case of civil trespass? It's certainly not B&E or burglary if nothing is taken.

As I said, the aim of the law should be to catch criminals, not criminalise the curious. In order to strike a fair balance I don't think we should be criminalising highly subjective actions.

James Firth

From brg at gladman.plus.com Thu Aug 5 12:26:48 2010
From: brg at gladman.plus.com (Brian Gladman)
Date: Thu, 05 Aug 2010 11:26:48 -0000
Subject: Ofcom Do Security
In-Reply-To: <09961A39-A259-4755-A3DE-877A6CE029F2@batten.eu.org>
References: <09961A39-A259-4755-A3DE-877A6CE029F2@batten.eu.org>
Message-ID:

--------------------------------------------------
From: "Ian Batten"
Sent: Thursday, August 05, 2010 10:39 AM
To: "UK Cryptography Policy Discussion Group"
Subject: Ofcom Do Security

> When you register on the Ofcom site, you are forced to choose a complex
> password: mixed case, 7--12 characters, must contain digits.

I REALLY loathe sites that enforce their own ideas on what should be in passwords.
I have a carefully worked out scheme for setting my passwords and I very often find that I cannot choose the password I want because it does not meet the 'house rules' even though it is far stronger than most passwords that would meet their rules.

If it is a commercial site I almost always go elsewhere but this is not always possible with public service organisations.

Brian

From adrianhayter at gmail.com Thu Aug 5 16:07:29 2010
From: adrianhayter at gmail.com (Adrian Hayter)
Date: Thu, 05 Aug 2010 15:07:29 -0000
Subject: Ofcom Do Security
In-Reply-To: <09961A39-A259-4755-A3DE-877A6CE029F2@batten.eu.org>
References: <09961A39-A259-4755-A3DE-877A6CE029F2@batten.eu.org>
Message-ID: <27128353-B823-40EB-9F5C-DE1B0C5DE517@gmail.com>

Usually you will find that the password that was emailed to you isn't actually stored on the server in plaintext, but is stored as a variable in the registration process, and then that variable is used in the confirmation email and scrapped afterwards. The password is still stored as a hash on the server.

Of course, emailing it as plaintext is a stupid thing to do, but I've come across several websites recently which send me emails every few days with my password in them, showing that the server performs no one-way hash function at all on this information.

-Adrian

On 5 Aug 2010, at 10:39, Ian Batten wrote:

> When you register on the Ofcom site, you are forced to choose a complex password: mixed case, 7--12 characters, must contain digits.
>
> Which is then mailed to you as plaintext for confirmation.
>
> Hmm.
>
> ian
>

From igb at batten.eu.org Fri Aug 6 08:00:35 2010
From: igb at batten.eu.org (Ian Batten)
Date: Fri, 06 Aug 2010 07:00:35 -0000
Subject: Ofcom Do Security
In-Reply-To:
References: <09961A39-A259-4755-A3DE-877A6CE029F2@batten.eu.org>
Message-ID:

On 5 Aug 2010, at 10:51, Brian Gladman wrote:
>
> I REALLY loathe sites that enforce their own ideas on what should be
> in passwords.
Birmingham Town Hall has a ticket booking system which enforces inappropriately strong passwords and, worse, a ten-password "cannot change to previous values" history. The former means that you forget your password because you can't use your usual way of deriving one, the latter means that when you perform a password reset you can't set it to anything sensible. The net result is that every time I buy a ticket I have to do a password reset.

I use Safari's password storage mechanism, but as clicking on the "reset" link in the reset mail also logs you in, I never actually log in using the new credentials and therefore am never offered the chance to save them. You can only log in as part of buying a ticket, so you can't easily immediately log in manually with the newly set password so as to get your browser to offer to save it. To get the password into the browser would involve buying a ticket, forcing a password reset, carrying it out, completing the sale, shutting down my browser, restarting and then going all the way through the purchase of another ticket up to the point of completion, and then cancelling right at the end.

The end result is that their elaborate password "security" is reduced to the password on my email account, which they cannot know the strength of, because I am resetting for every purchase. I've complained, but they haven't had the courtesy to do more than forward it to their developers. Guidelines for systems handling sensitive personal data or protectively marked material are I think less stringent. It's a classic case of letting the geeks play at security without actually thinking about usability issues.
ian

From fjmd1a at gmail.com Fri Aug 6 08:23:41 2010
From: fjmd1a at gmail.com (Francis Davey)
Date: Fri, 06 Aug 2010 07:23:41 -0000
Subject: Ofcom Do Security
In-Reply-To:
References: <09961A39-A259-4755-A3DE-877A6CE029F2@batten.eu.org>
Message-ID:

On 6 August 2010 08:00, Ian Batten wrote:
>
> The end result is that their elaborate password "security" is reduced to the
> password on my email account, which they cannot know the strength of,
> because I am resetting for every purchase. I've complained, but they
> haven't had the courtesy to do more than forward it to their developers.
> Guidelines for systems handling sensitive personal data or protectively
> marked material are I think less stringent. It's a classic case of letting
> the geeks play at security without actually thinking about usability issues.
>

This was (roughly) the casus belli that caused me to give up my career as a sysadmin.

A new boss had appeared in the firm - the "deployment manager" - but we weren't quite ready to deploy so he was bored and had nothing to do. He was given my team to manage and managed to do considerable damage in his short career.

One day he breezed in and said "right, we are going to have a password system that resets everyone's password on the first of each month and that will store all previous passwords and prevent you from re-using any". He absolutely could not see any problem with this. Anyone I'd hire as a sysadmin should see instinctively why this is almost certainly wrong (with exceptional rare cases perhaps).

Worse, we had a mixture of machines using NT style windows passwords and linux/solaris boxes. At the time there was no straightforward way of managing passwords for both sets of systems and so everyone resetting their passwords would have to do so twice and in about 50% of cases where they had no easy access to NT systems would have to ask me to do so (or ask a friend who did). Even this didn't persuade him at first.
Initially he tried a "and that's an order" (he literally used those words - amazing) on me. Eventually he conceded that it might not be our first priority. I was by that time convinced that I wanted to do a job that was (a) less stressful (b) less complicated and (c) where people would respect my expertise rather than ignore it. So I became a barrister. (he was dismissed from the company a relatively short time after I left, so there's a happy ending 8-). -- Francis Davey From jon+ukcrypto at unequivocal.co.uk Fri Aug 6 11:28:49 2010 From: jon+ukcrypto at unequivocal.co.uk (Jon Ribbens) Date: Fri, 06 Aug 2010 10:28:49 -0000 Subject: Ofcom Do Security In-Reply-To: References: <09961A39-A259-4755-A3DE-877A6CE029F2@batten.eu.org> Message-ID: <20100806102849.GL29810@snowy.squish.net> On Fri, Aug 06, 2010 at 08:23:13AM +0100, Francis Davey wrote: > On 6 August 2010 08:00, Ian Batten wrote: > > The end result is that their elaborate password "security" is reduced to the > > password on my email account, which they cannot know the strength of, > > because I am resetting for every purchase. I've complained, but they > > haven't had the courtesy to do more than forward it to their developers. > > Guidelines for systems handling sensitive personal data or protectively > > marked material are I think less stringent. It's a classic case of letting > > the geeks play at security without actually thinking about usability issues. > > This was (roughly) the casus belli that caused me to give up my career > as a sysadmin. > > A new boss had appeared in the firm - the "deployment manager" - but > we weren't quite ready to deploy so he was bored and had nothing to > do. He was given my team to manage and managed to do considerable > damage in his short career. 
> > One day he breezed in and said "right, we are going to have a password > system that resets everyone's password on the first of each month and > that will store all previous passwords and prevent you from re-using > any". He absolutely could not see any problem with this. Well this matches my suspicion, contrary to what Ian assumes above, that most of the time that such stupid anti-security policies exist they have come from management and not from the "geeks". From igb at batten.eu.org Fri Aug 6 13:46:36 2010 From: igb at batten.eu.org (Ian Batten) Date: Fri, 06 Aug 2010 12:46:36 -0000 Subject: Ofcom Do Security In-Reply-To: <20100806102849.GL29810@snowy.squish.net> References: <09961A39-A259-4755-A3DE-877A6CE029F2@batten.eu.org> <20100806102849.GL29810@snowy.squish.net> Message-ID: > > Well this matches my suspicion, contrary to what Ian assumes above, > that most of the time that such stupid anti-security policies exist > they have come from management and not from the "geeks". > The CEO is unlikely to care about password policy. The IT department, both hands on keyboards and management (I've been both), are all collectively geeks of greater and lesser natures. From colinthomson1 at o2.co.uk Fri Aug 6 15:19:54 2010 From: colinthomson1 at o2.co.uk (Tom Thomson) Date: Fri, 06 Aug 2010 14:19:54 -0000 Subject: Ofcom Do Security In-Reply-To: References: <09961A39-A259-4755-A3DE-877A6CE029F2@batten.eu.org><20100806102849.GL29810@snowy.squish.net> Message-ID: > The CEO is unlikely to care about password policy. The IT department, > both hands on keyboards and management (I've been both), are all > collectively geeks of greater and lesser natures. I've known managers in IT departments who were not the least bit geekish, and others who were thoroughly geekish, and the whole range in between. The ones who have caused (or tried to cause) the most damage (with idiotic password policies, for example) have been the non-geeks. 
Some of the geeks have not been good at management, but they didn't try to introduce technical insanities like monthly password resets (if you are going to require frequent resets, you do it on the basis of number of times the password is used, not on the basis of a short time period, since each use is a chance for a shoulder-surfer to watch finger movements or for the password to be intercepted by technical means). Now I am a bit of a geek, and I've been in senior management positions for a lot of my career, and only once have I imposed a password policy change: when the organisation was running not only its own servers but also its customer's servers with a database sysadmin account which (a) had a blank password and (b) provided OS level sysadmin privileged shell access. You can see why that had to be changed. So I agree with Francis - it's usually not the geeks who introduce idiotic rules that fly in the face of usability and best practice. M. From k.brown at bbk.ac.uk Fri Aug 6 15:34:26 2010 From: k.brown at bbk.ac.uk (ken) Date: Fri, 06 Aug 2010 14:34:26 -0000 Subject: Ofcom Do Security In-Reply-To: <20100806102849.GL29810@snowy.squish.net> References: <09961A39-A259-4755-A3DE-877A6CE029F2@batten.eu.org> <20100806102849.GL29810@snowy.squish.net> Message-ID: <4C5C1D6C.5080804@bbk.ac.uk> > On Fri, Aug 06, 2010 at 08:23:13AM +0100, Francis Davey wrote: > He was given my team to manage and managed to do considerable > damage in his short career. We had one of those last year. > One day he breezed in and said "right, we are going > to have a password system that resets everyone's password > on the first of each month and that will store all > previous passwords and prevent you from re-using > any". He absolutely could not see any problem with this. We got handed one of those systems that lets you change your forgotten password if you can answer certain questions. 
The questions the manager wanted to use included date and place of birth, school attended and so on, EVERY SINGLE ONE OF WHICH could be answered with information on the student database, available to almost all staff (we are a university) and easily guessable to anyone who knew the user personally. Or was reasonably skilled at using Google. And he didn't see the privacy problem with this. > Even this didn't persuade him at first. Initially he tried a > "and that's an order" (he literally used those words - > amazing) Our bloke tried that too (though not on me as he managed a different team). When it didn't work to his satisfaction he took to making changes himself and not telling anybody. He also ordered his staff not to talk to other groups in the department and not to attend any meeting he hadn't been invited to himself. Really. > Worse, we had a mixture of machines using NT style > windows passwords and linux/solaris boxes. At the > time there was no straightforward way of managing > passwords for both sets of systems Same. Except we did have a home-grown system for distributing encrypted passwords, and we could also use new features of Windows AD to do it by LDAP (this was only last year!) But instead got lumbered with a method that not only briefly stored the new password in a database but also showed in clear on the server console logs. Again, this manager (and some of his colleagues) simply didn't see why this might be a bad idea. On 06/08/2010 11:28, Jon Ribbens wrote: > Well this matches my suspicion, contrary to what Ian assumes above, > that most of the time that such stupid anti-security policies exist > they have come from management and not from the "geeks". More than "most". Damn near 100% I think. From David_Biggins at usermgmt.com Fri Aug 6 19:27:31 2010 From: David_Biggins at usermgmt.com (David Biggins) Date: Fri, 06 Aug 2010 18:27:31 -0000 Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?) 
In-Reply-To: References: <20100802110024.GR29810@snowy.squish.net><4C57B7D9.2040403@iosis.co.uk><142201cb3319$124fa6c0$36eef440$@net><4C58370C.3030006@iosis.co.uk><000901cb3324$b2b61df0$182259d0$@philipkatz.eu><+b3IJFf22EWMFANs@perry.co.uk><20100803185937.00007a49@surtees.fenrir.org.uk><20100804081824.GU29810@snowy.squish.net><20100804114701.00003c52@surtees.fenrir.org.uk><20100804150343.00007a3f@surtees.fenrir.org.uk> Message-ID: > -----Original Message----- > From: ukcrypto-bounces at chiark.greenend.org.uk [mailto:ukcrypto- > bounces at chiark.greenend.org.uk] On Behalf Of Tom Thomson > Sent: 05 August 2010 01:56 > To: 'UK Cryptography Policy Discussion Group' > Subject: RE: Being safe on the internet (was Re: Here we go again - ISP > DPI,but is it interception?) > > There are indeed appropriate techniques, but these techniques involve > either or both of using hardware which supports memory management <>snip<> > However, all this sound practice was thrown away - following the > "cheaper is better, regardless of safety and security, and theoretical > soundness is undesirable because it costs more" philosophy which was > illustrated by the invention of insecure (and indeed un-securable) > languages like C, operating systems like Unix, and hardware that was > designed to support only these minimal cost languages and operating > systems. <>snip<> > The result is a bunch of > excessively vulnerable software, which mostly can't rely on any useful > security support from the underlying hardware, that we have to live > with today. > Three such factors in particular formed an interesting collision of decisions by three separate groups, that combined to form a serious security problem. The first is the classic 'C' "null terminated string" in which there is no standard (or efficient) tracking in the language of either the current length of a string or the space allocated to it. 
For non-programmers here, that means that the standard library operations to copy or concatenate a string have no intrinsic way of knowing whether or not the space that a string is being copied to, is actually big enough to hold it. They just copy bytes until one of the bytes is a zero. So if you have a kilobyte of string before that zero, and there's only 256 bytes of space reserved where you're copying to, then tough. 768 bytes of whatever follows, are going to get trampled. It is perhaps a pity that a "strcpy() considered harmful" didn't appear before billions of lines of code were written using it. The second was adoption by Intel of the "top down" hardware stack. In this, the "base" of the stack is high in memory and the stack grows downwards as you push values, rather than starting at the bottom of memory and growing upwards. The nasty effect of this was that if you overflow the target buffer in a string copy as above, when the destination is a local variable on the stack, you don't just overwrite a few values then unused stack space - which would have been far harder to exploit. Instead, you can overwrite much of the existing stack. Which includes the place where the currently-executing subroutine's own return address is stored. Which means that provided the current subroutine does not crash as a result of the overwriting of the other values, when it comes to return, its return address will be whatever the values from the overflow were... which an attacker can choose. These are normally picked to point into another part of that same string data that caused the overflow, which lets the attacker effectively get the program running his/her own code. The third was Microsoft giving in to some unfortunate market pressure. 
For some time, Apple/Motorola proponents had ridiculed the segmented architecture of the Intel CPUs (particularly in the way that 16-bit code used it), in which memory was accessed by a segment address pointing to a segment descriptor, and an offset within the block that the segment descriptor described. The frequent criticism that "you can't address all the memory in one go" was rarely answered with any reasoned discussion, but mostly a sheepish "sure, well, maybe one day...". When 32-bit Windows 95 came out, one of the more trumpeted features of the day was that they had allowed this criticism to push them into using the "flat memory model", in which all the segment registers pointed to the same segment descriptor, and the single segment descriptor was set to cover the full range of memory. This of course meant that you could ignore the segment system, and memory appeared as a single linear block, just as critics had demanded. After that, of course, every other 32-bit x86 operating system maker, did the same thing; after all... "If MS do it"... It's just such a great pity that Intel hardware's read/write/execute permission settings were in the segment descriptor... Since the single descriptor was being used for all purposes, it had to be given all rights. So sadly, this move completely bypassed the hardware protection mechanisms that were actually in the CPU. This has given rise to the claim that there was no security support in the underlying hardware - that's not quite true, it's just that a single misguided marketing decision in the OS design did such a magnificent job of trashing it. Otherwise, even if an attacker had managed to get their own code onto the stack, it would not have been executable. 
The combination of these three made a "perfect storm" for buffer overflow - a widespread data copying mechanism that lacked overflow protection, a stack system that made overflows far more exploitable, and a design decision that effectively disabled the hardware protection. The vast majority of overflows use this combination. It wasn't until modern 64-bit CPUs that hardware protection mechanisms were added (again) into the memory management system - this time in the virtual memory page tables, so that they could be used in flat model systems. {I'll forestall one criticism if I may: It's been suggested that upward growing stacks are not part of the problem; a buffer overflow from a subroutine when copying back to parameters on a parent stack frame could still overwrite the current subroutine's return address. This is true, but such copies of a string back to a parent's stacked variables are very much rarer than string copies to local variables; while I agree the upward stack does not prevent such vulnerabilities, the downward stack most assuredly massively increases the number of exploitable opportunities} D. From pwt at iosis.co.uk Sat Aug 7 07:08:05 2010 From: pwt at iosis.co.uk (Peter Tomlinson) Date: Sat, 07 Aug 2010 06:08:05 -0000 Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?) In-Reply-To: References: <20100802110024.GR29810@snowy.squish.net><4C57B7D9.2040403@iosis.co.uk> <142201cb3319$124fa6c0$36eef440$@net><4C58370C.3030006@iosis.co.uk><000901cb3324$b2b61df0$182259d0$@philipkatz.eu><+b3IJFf22EWMFANs@perry.co.uk><20100803185937.00007a49@surtees.fenrir.org.uk><20100804081824.GU29810@snowy.squish.net><20100804114701.00003c52@surtees.fenrir.org.uk><20100804150343.00007a3f@surtees.fenrir.org.uk> Message-ID: <4C5CF83E.5000804@iosis.co.uk> Tom Thomson wrote: > Roland Perry wrote: > >> It seems to be worse than that... why are these products so susceptible >> to vulnerabilities? 
For example, one that used to occur over and over >> again was "buffer overflow". Surely there must be programming (or memory >> management) techniques that could eliminate them entirely? >> > There are indeed appropriate techniques, but these techniques involve either or both of using hardware which supports memory management (as implemented by old-fashioned mainframe providers and some old-fashioned mini-computer providers) and programming in languages whose operational semantics requires bound checking and separation of code and data. Systems using the technologies developed in the late 1960s and the 1970s by companies such as Burroughs, ICL, and even CTL could not have suffered from most of the vulnerabilities that we see today. > The memory stirs, taking me back to 1968 when I designed the very simple memory management hardware for the ICL 1904A (and in the process fixed an error in the 1906A's MMU). Took the software people another 2 years to get George 4 running. So that was old-fashioned, was it, Tom? It was state of the art then, in the commercial environment that soon after took a wrong turn... Peter From igb at batten.eu.org Sat Aug 7 10:45:12 2010 From: igb at batten.eu.org (Ian Batten) Date: Sat, 07 Aug 2010 09:45:12 -0000 Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?) In-Reply-To: <4C5CF83E.5000804@iosis.co.uk> References: <20100802110024.GR29810@snowy.squish.net><4C57B7D9.2040403@iosis.co.uk> <142201cb3319$124fa6c0$36eef440$@net><4C58370C.3030006@iosis.co.uk><000901cb3324$b2b61df0$182259d0$@philipkatz.eu><+b3IJFf22EWMFANs@perry.co.uk><20100803185937.00007a49@surtees.fenrir.org.uk><20100804081824.GU29810@snowy.squish.net><20100804114701.00003c52@surtees.fenrir.org.uk><20100804150343.00007a3f@surtees.fenrir.org.uk> <4C5CF83E.5000804@iosis.co.uk> Message-ID: <41BDD2E0-CDC3-44AF-BAA7-BA904C1E1C36@batten.eu.org> http://dreamsongs.com/WIB.html "Now I want to argue that worse-is-better is better. 
C is a programming language designed for writing Unix, and it was designed using the New Jersey approach. C is therefore a language for which it is easy to write a decent compiler, and it requires the programmer to write text that is easy for the compiler to interpret. Some have called C a fancy assembly language. Both early Unix and C compilers had simple structures, are easy to port, require few machine resources to run, and provide about 50%-80% of what you want from an operating system and programming language. Half the computers that exist at any point are worse than median (smaller or slower). Unix and C work fine on them. The worse-is-better philosophy means that implementation simplicity has highest priority, which means Unix and C are easy to port on such machines. Therefore, one expects that if the 50% functionality Unix and C support is satisfactory, they will start to appear everywhere. And they have, haven't they? Unix and C are the ultimate computer viruses. A further benefit of the worse-is-better philosophy is that the programmer is conditioned to sacrifice some safety, convenience, and hassle to get good performance and modest resource use. Programs written using the New Jersey approach will work well both in small machines and large ones, and the code will be portable because it is written on top of a virus. It is important to remember that the initial virus has to be basically good. If so, the viral spread is assured as long as it is portable. Once the virus has spread, there will be pressure to improve it, possibly by increasing its functionality closer to 90%, but users have already been conditioned to accept worse than the right thing. Therefore, the worse-is-better software first will gain acceptance, second will condition its users to expect less, and third will be improved to a point that is almost the right thing. 
In concrete terms, even though Lisp compilers in 1987 were about as good as C compilers, there are many more compiler experts who want to make C compilers better than want to make Lisp compilers better. The good news is that in 1995 we will have a good operating system and programming language; the bad news is that they will be Unix and C++." On 7 Aug 2010, at 07:07, Peter Tomlinson wrote: > Tom Thomson wrote: >> Roland Perry wrote: >> >>> It seems to be worse than that... why are these products so >>> susceptible >>> to vulnerabilities? For example, one that used to occur over and >>> over >>> again was "buffer overflow". Surely there must be programming (or >>> memory >>> management) techniques that could eliminate them entirely? >>> >> There are indeed appropriate techniques, but these techniques >> involve either or both of using hardware which supports memory >> management (as implemented by old-fashioned mainframe providers and >> some old-fashioned mini-computer providers) and programming in >> languages whose operational semantics requires bound checking and >> separation of code and data. Systems using the technologies >> developed in the late 1960s and the 1970s by companies such as >> Burroughs, ICL, and even CTL could not have suffered from most of >> the vulnerabilities that we see today. > The memory stirs, taking me back to 1968 when I designed the very > simple memory management hardware for the ICL 1904A (and in the > process fixed an error in the 1906A's MMU). Took the software people > another 2 years to get George 4 running. So that was old-fashioned, > was it, Tom? It was state of the art then, in the commercial > environment that soon after took a wrong turn... > > Peter > > From igb at batten.eu.org Sat Aug 7 10:47:26 2010 From: igb at batten.eu.org (Ian Batten) Date: Sat, 07 Aug 2010 09:47:26 -0000 Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?) 
In-Reply-To: <4C5CF83E.5000804@iosis.co.uk> References: <20100802110024.GR29810@snowy.squish.net><4C57B7D9.2040403@iosis.co.uk> <142201cb3319$124fa6c0$36eef440$@net><4C58370C.3030006@iosis.co.uk><000901cb3324$b2b61df0$182259d0$@philipkatz.eu><+b3IJFf22EWMFANs@perry.co.uk><20100803185937.00007a49@surtees.fenrir.org.uk><20100804081824.GU29810@snowy.squish.net><20100804114701.00003c52@surtees.fenrir.org.uk><20100804150343.00007a3f@surtees.fenrir.org.uk> <4C5CF83E.5000804@iosis.co.uk> Message-ID: So, if I'm three weeks from starting a PhD in which the production of a large slab of secure code (let us gloss over whether that's formally secure or pragmatically secure), what toolchain should I use? I'm guessing my favoured "first to reach for" tools at my advanced age of C and Perl aren't cool, C++ horrifies me aesthetically, Java is dull. I think it's time for a Lisp revival. ian On 7 Aug 2010, at 07:07, Peter Tomlinson wrote: > Tom Thomson wrote: >> Roland Perry wrote: >> >>> It seems to be worse than that... why are these products so >>> susceptible >>> to vulnerabilities? For example, one that used to occur over and >>> over >>> again was "buffer overflow". Surely there must be programming (or >>> memory >>> management) techniques that could eliminate them entirely? >>> >> There are indeed appropriate techniques, but these techniques >> involve either or both of using hardware which supports memory >> management (as implemented by old-fashioned mainframe providers and >> some old-fashioned mini-computer providers) and programming in >> languages whose operational semantics requires bound checking and >> separation of code and data. Systems using the technologies >> developed in the late 1960s and the 1970s by companies such as >> Burroughs, ICL, and even CTL could not have suffered from most of >> the vulnerabilities that we see today. 
> The memory stirs, taking me back to 1968 when I designed the very > simple memory management hardware for the ICL 1904A (and in the > process fixed an error in the 1906A's MMU). Took the software people > another 2 years to get George 4 running. So that was old-fashioned, > was it, Tom? It was state of the art then, in the commercial > environment that soon after took a wrong turn... > > Peter > > From tugwilson at gmail.com Sat Aug 7 11:05:11 2010 From: tugwilson at gmail.com (John Wilson) Date: Sat, 07 Aug 2010 10:05:11 -0000 Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?) In-Reply-To: References: <20100802110024.GR29810@snowy.squish.net> <4C57B7D9.2040403@iosis.co.uk> <142201cb3319$124fa6c0$36eef440$@net> <4C58370C.3030006@iosis.co.uk> <000901cb3324$b2b61df0$182259d0$@philipkatz.eu> <+b3IJFf22EWMFANs@perry.co.uk> <20100803185937.00007a49@surtees.fenrir.org.uk> <20100804081824.GU29810@snowy.squish.net> <20100804114701.00003c52@surtees.fenrir.org.uk> <20100804150343.00007a3f@surtees.fenrir.org.uk> <4C5CF83E.5000804@iosis.co.uk> Message-ID: On 7 August 2010 10:47, Ian Batten wrote: > So, if I'm three weeks from starting a PhD in which the production of a > large slab of secure code (let us gloss over whether that's formally secure > or pragmatically secure), what toolchain should I use? ?I'm guessing my > favoured "first to reach for" tools at my advanced age of C and Perl aren't > cool, C++ horrifies me aesthetically, Java is dull. > > I think it's time for a Lisp revival. Well there's Erlang which is having something of a revival. There's something to be said for the JVM if you wish to write secure code (all array access is bound checked, you can to a certain extent enforce tighter security than you get out of the box - disallowing introspection, for example). Class loaders can give you some Capability like behaviour. Garbage collection helps too. There are quite a few options for languages on the JVM. 
Not very interesting (implementations of existing languages) JRuby Jython More interesting (languages specifically designed to run on the JVM) Groovy Clojure Scala There are tons more but most of the rest are toys or dead (and Jython's looking a bit peaky at the moment) If you insist on trying to prove that Lisp is not dead then take a look at Clojure (it's a Lisp dialect). John Wilson From brg at gladman.plus.com Sat Aug 7 12:02:42 2010 From: brg at gladman.plus.com (PlusNet) Date: Sat, 07 Aug 2010 11:02:42 -0000 Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?) In-Reply-To: References: <20100802110024.GR29810@snowy.squish.net><4C57B7D9.2040403@iosis.co.uk> <142201cb3319$124fa6c0$36eef440$@net><4C58370C.3030006@iosis.co.uk><000901cb3324$b2b61df0$182259d0$@philipkatz.eu><+b3IJFf22EWMFANs@perry.co.uk><20100803185937.00007a49@surtees.fenrir.org.uk><20100804081824.GU29810@snowy.squish.net><20100804114701.00003c52@surtees.fenrir.org.uk><20100804150343.00007a3f@surtees.fenrir.org.uk> <4C5CF83E.5000804@iosis.co.uk> Message-ID: Sent from my iPad On 7 Aug 2010, at 10:47, Ian Batten wrote: > So, if I'm three weeks from starting a PhD in which the production of a large slab of secure code (let us gloss over whether that's formally secure or pragmatically secure), what toolchain should I use? I'm guessing my favoured "first to reach for" tools at my advanced age of C and Perl aren't cool, C++ horrifies me aesthetically, Java is dull. > > I think it's time for a Lisp revival. The implementation language would not be high up my list of issues at this stage but if you pushed me to make a choice and security was critical, Ada or SPARK. Brian Gladman > > ian > > > On 7 Aug 2010, at 07:07, Peter Tomlinson wrote: > >> Tom Thomson wrote: >>> Roland Perry wrote: >>> >>>> It seems to be worse than that... why are these products so susceptible >>>> to vulnerabilities? 
For example, one that used to occur over and over >>>> again was "buffer overflow". Surely there must be programming (or memory >>>> management) techniques that could eliminate them entirely? >>>> >>> There are indeed appropriate techniques, but these techniques involve either or both of using hardware which supports memory management (as implemented by old-fashioned mainframe providers and some old-fashioned mini-computer providers) and programming in languages whose operational semantics requires bound checking and separation of code and data. Systems using the technologies developed in the late 1960s and the 1970s by companies such as Burroughs, ICL, and even CTL could not have suffered from most of the vulnerabilities that we see today. >> The memory stirs, taking me back to 1968 when I designed the very simple memory management hardware for the ICL 1904A (and in the process fixed an error in the 1906A's MMU). Took the software people another 2 years to get George 4 running. So that was old-fashioned, was it, Tom? It was state of the art then, in the commercial environment that soon after took a wrong turn... >> >> Peter >> >> > > From mjdb at dorevale.demon.co.uk Sat Aug 7 16:12:22 2010 From: mjdb at dorevale.demon.co.uk (M J D Brown) Date: Sat, 07 Aug 2010 15:12:22 -0000 Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?) 
References: <20100802110024.GR29810@snowy.squish.net><4C57B7D9.2040403@iosis.co.uk> <142201cb3319$124fa6c0$36eef440$@net><4C58370C.3030006@iosis.co.uk><000901cb3324$b2b61df0$182259d0$@philipkatz.eu><+b3IJFf22EWMFANs@perry.co.uk><20100803185937.00007a49@surtees.fenrir.org.uk><20100804081824.GU29810@snowy.squish.net><20100804114701.00003c52@surtees.fenrir.org.uk><20100804150343.00007a3f@surtees.fenrir.org.uk> <4C5CF83E.5000804@iosis.co.uk> Message-ID: <36D03D97F98C4E89805E727D73958F8C@Powerstation> We could debate the difference between 'safe' and 'secure' code, but assuming that you will be working and researching in the open arena for a publishable PhD thesis, you might care to take a hard look at the functional safety domain covered by the IEC 61508 standard. The normative parts of that standard may not be relevant to your subject area, but I think you will find Part 7 of the Standard 'Overview of Techniques and Measures' of particular interest. One method that has its adherents is to employ a widely-used language and compiler (on the basis that compiler faults may well have been exposed in the course of widespread use), in conjunction with a pre-processor that detects and thus excludes defined dangerous language constructs. Annotated Verifiable ADA (AVA), for example, employs the 'significant comment' concept to provide semantic instruction of the programmer's intentions. Mike. ----- Original Message ----- From: "Ian Batten" To: "UK Cryptography Policy Discussion Group" Sent: Saturday, August 07, 2010 10:47 AM Subject: Re: Being safe on the internet (was Re: Here we go again - ISP DPI,but is it interception?) > So, if I'm three weeks from starting a PhD in which the production of > a large slab of secure code (let us gloss over whether that's formally > secure or pragmatically secure), what toolchain should I use? I'm > guessing my favoured "first to reach for" tools at my advanced age of > C and Perl aren't cool, C++ horrifies me aesthetically, Java is dull. 
> > I think it's time for a Lisp revival. -- From DaveHowe at gmx.co.uk Sat Aug 7 20:11:25 2010 From: DaveHowe at gmx.co.uk (Dave Howe) Date: Sat, 07 Aug 2010 19:11:25 -0000 Subject: Ofcom Do Security In-Reply-To: References: <09961A39-A259-4755-A3DE-877A6CE029F2@batten.eu.org> Message-ID: <4C5D9E1C.7070503@gmx.co.uk> Brian Gladman wrote: > I REALLY loathe sites that enforce their own ideas on what should be in > passwords. I find the ones that enforce rules on recovery password answers even more annoying. "wife's maiden name" - I have seen it complain it doesn't like a character (it has a - in it) or is too short/too long. WTF? should she have retroactively had a different maiden name so that their site validation rules can be obeyed? From ukcrypto at sourcetagged.ian.co.uk Sat Aug 7 20:17:29 2010 From: ukcrypto at sourcetagged.ian.co.uk (Ian Mason) Date: Sat, 07 Aug 2010 19:17:29 -0000 Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?) In-Reply-To: <36D03D97F98C4E89805E727D73958F8C@Powerstation> References: <20100802110024.GR29810@snowy.squish.net><4C57B7D9.2040403@iosis.co.uk> <142201cb3319$124fa6c0$36eef440$@net><4C58370C.3030006@iosis.co.uk><000901cb3324$b2b61df0$182259d0$@philipkatz.eu><+b3IJFf22EWMFANs@perry.co.uk><20100803185937.00007a49@surtees.fenrir.org.uk><20100804081824.GU29810@snowy.squish.net><20100804114701.00003c52@surtees.fenrir.org.uk><20100804150343.00007a3f@surtees.fenrir.org.uk> <4C5CF83E.5000804@iosis.co.uk> <36D03D97F98C4E89805E727D73958F8C@Powerstation> Message-ID: <1B296629-F2EB-4A8D-8540-6912FC8E457F@sourcetagged.ian.co.uk> On 7 Aug 2010, at 14:50, M J D Brown wrote: > > One method that has its adherents is to employ a widely-used language > and compiler (on the basis that compiler faults may well have been > exposed in the course of widespread use), About 5 years ago I hit a bug in the gcc C compiler that mis-codes certain 64 bit arithmetic operations when compiling in 32 bit mode (i.e. 
'long long int' handling where 'long int' is 32 bits). When compiling the latest Asterisk beta the other day I hit it again. I can't think of a more widely distributed and used C compiler. Talking of safe languages no one has mentioned my old personal favourite Algol 68. It was even used as the systems programming language for a capability architecture processor and OS by Maurice Wilkes, the late Roger Needham, and others. Cue Dr. Gladman... From pwt at iosis.co.uk Sat Aug 7 20:47:16 2010 From: pwt at iosis.co.uk (Peter Tomlinson) Date: Sat, 07 Aug 2010 19:47:16 -0000 Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?) In-Reply-To: <1B296629-F2EB-4A8D-8540-6912FC8E457F@sourcetagged.ian.co.uk> References: <20100802110024.GR29810@snowy.squish.net><4C57B7D9.2040403@iosis.co.uk> <142201cb3319$124fa6c0$36eef440$@net><4C58370C.3030006@iosis.co.uk><000901cb3324$b2b61df0$182259d0$@philipkatz.eu><+b3IJFf22EWMFANs@perry.co.uk><20100803185937.00007a49@surtees.fenrir.org.uk><20100804081824.GU29810@snowy.squish.net><20100804114701.00003c52@surtees.fenrir.org.uk><20100804150343.00007a3f@surtees.fenrir.org.uk> <4C5CF83E.5000804@iosis.co.uk> <36D03D97F98C4E89805E727D73958F8C@Powerstation> <1B296629-F2EB-4A8D-8540-6912FC8E457F@sourcetagged.ian.co.uk> Message-ID: <4C5DB841.9090806@iosis.co.uk> Ian Mason wrote: > On 7 Aug 2010, at 14:50, M J D Brown wrote: >> One method that has its adherents is to employ a widely-used language >> and compiler (on the basis that compiler faults may well have been >> exposed in the course of widespread use), > About 5 years ago I hit a bug in the gcc C compiler that mis-codes > certain 64 bit arithmetic operations when compiling in 32 bit mode > (i.e. 'long long int' handling where 'long int' is 32 bits). When > compiling the latest Asterisk beta the other day I hit it again. I > can't think of a more widely distributed and used C compiler. 
>
> Talking of safe languages no one has mentioned my old personal
> favourite Algol 68. It was even used as the systems programming
> language for a capability architecture processor and OS by Maurice
> Wilkes, the late Roger Needham, and others. Cue Dr. Gladman...

What was that other one? AlgolW comes to mind. Perhaps it was just for teaching.

Peter

From brg at gladman.plus.com Sun Aug 8 09:27:02 2010
From: brg at gladman.plus.com (PlusNet)
Date: Sun, 08 Aug 2010 08:27:02 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To: <1B296629-F2EB-4A8D-8540-6912FC8E457F@sourcetagged.ian.co.uk>
References: <20100802110024.GR29810@snowy.squish.net> <4C57B7D9.2040403@iosis.co.uk> <142201cb3319$124fa6c0$36eef440$@net> <4C58370C.3030006@iosis.co.uk> <000901cb3324$b2b61df0$182259d0$@philipkatz.eu> <+b3IJFf22EWMFANs@perry.co.uk> <20100803185937.00007a49@surtees.fenrir.org.uk> <20100804081824.GU29810@snowy.squish.net> <20100804114701.00003c52@surtees.fenrir.org.uk> <20100804150343.00007a3f@surtees.fenrir.org.uk> <4C5CF83E.5000804@iosis.co.uk> <36D03D97F98C4E89805E727D73958F8C@Powerstation> <1B296629-F2EB-4A8D-8540-6912FC8E457F@sourcetagged.ian.co.uk>
Message-ID: <3E0971F6-68A0-43B1-8E22-5E3EDD9E32E6@gladman.plus.com>

Sent from my iPad

On 7 Aug 2010, at 17:15, Ian Mason wrote:
>
> On 7 Aug 2010, at 14:50, M J D Brown wrote:
>
>>
>> One method that has its adherents is to employ a widely-used language
>> and compiler (on the basis that compiler faults may well have been
>> exposed in the course of widespread use),
>
> About 5 years ago I hit a bug in the gcc C compiler that mis-codes certain 64 bit arithmetic operations when compiling in 32 bit mode (i.e. 'long long int' handling where 'long int' is 32 bits). When compiling the latest Asterisk beta the other day I hit it again. I can't think of a more widely distributed and used C compiler.
>
> Talking of safe languages no one has mentioned my old personal favourite Algol 68.
> It was even used as the systems programming language for a capability architecture processor and OS by Maurice Wilkes, the late Roger Needham, and others. Cue Dr. Gladman...
>

Charles Lindsey could say a lot more than I could about Algol 68. I did spend a fair amount of time while I was at the Royal Signals and Radar Establishment in trying to persuade Peter Gershon (when he was with ICL) to implement it on their then new range of machines. We also attempted to get the US Dept of Defense to adopt it but they decided that they needed a new language, which emerged as Ada.

Aesthetically I much prefer Algol 68 over Ada but it's not a practical choice these days. In contrast, although few realise it, Ada is still widely used where either safety or security are critical.

I have multiple precision libraries now written in C but I built them in Ada and then translated them into C. I trust them a great deal more for my crypto work than earlier ones that I wrote from scratch in C.

Brian
>

From dom at earth.li Sun Aug 8 10:01:42 2010
From: dom at earth.li (Dominic Hargreaves)
Date: Sun, 08 Aug 2010 09:01:42 -0000
Subject: Ofcom Do Security
In-Reply-To: <4C5D9E1C.7070503@gmx.co.uk>
References: <09961A39-A259-4755-A3DE-877A6CE029F2@batten.eu.org> <4C5D9E1C.7070503@gmx.co.uk>
Message-ID: <20100808090141.GQ547@urchin.earth.li>

On Sat, Aug 07, 2010 at 06:55:40PM +0100, Dave Howe wrote:
> Brian Gladman wrote:
> > I REALLY loathe sites that enforce their own ideas on what should be in
> > passwords.
>
> I find the ones that enforce rules on recovery password answers even
> more annoying.
>
> "wife's maiden name" - I have seen it complain it doesn't like a
> character (it has a - in it) or is too short/too long.

Since password recovery phrases only serve to diminish the security of the overall account, if I'm forced to use them I'll just pick a random string rather than a piece of information which is, in principle at least, a matter of public record.
I then store my made up answer in a trusted secrets store, of course.

You do get all sorts of bizarre combinations on web sites though.

Dominic.

--
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)

From tugwilson at gmail.com Sun Aug 8 10:26:35 2010
From: tugwilson at gmail.com (John Wilson)
Date: Sun, 08 Aug 2010 09:26:35 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To: <3E0971F6-68A0-43B1-8E22-5E3EDD9E32E6@gladman.plus.com>
References: <20100802110024.GR29810@snowy.squish.net> <4C57B7D9.2040403@iosis.co.uk> <142201cb3319$124fa6c0$36eef440$@net> <4C58370C.3030006@iosis.co.uk> <000901cb3324$b2b61df0$182259d0$@philipkatz.eu> <+b3IJFf22EWMFANs@perry.co.uk> <20100803185937.00007a49@surtees.fenrir.org.uk> <20100804081824.GU29810@snowy.squish.net> <20100804114701.00003c52@surtees.fenrir.org.uk> <20100804150343.00007a3f@surtees.fenrir.org.uk> <4C5CF83E.5000804@iosis.co.uk> <36D03D97F98C4E89805E727D73958F8C@Powerstation> <1B296629-F2EB-4A8D-8540-6912FC8E457F@sourcetagged.ian.co.uk> <3E0971F6-68A0-43B1-8E22-5E3EDD9E32E6@gladman.plus.com>
Message-ID:

On 8 August 2010 09:30, PlusNet wrote:
> Charles Lindsey could say a lot more than I could about Algol 68. I did spend a fair amount of time while I was at the Royal Signals and Radar Establishment in trying to persuade Peter Gershon (when he was with ICL) to implement it on their then new range of machines. We also attempted to get the US Dept of Defense to adopt it but they decided that they needed a new language, which emerged as Ada.

ICL had the S3 language which was highly influenced by Algol 68 and was used to implement the systems software for the "new range" mainframes - I worked on the first S3 compiler. There was some talk about doing a "proper" Algol 68 implementation but the suits wanted a PL/1 compiler so it was never funded.
Whilst Jean Ichbiah was the chief designer of Ada, John Barnes (designer of the very beautiful RTL/2 language) contributed quite a bit. Apparently Ichbiah was a little difficult to work with having quite a high opinion of himself and his abilities. Barnes took revenge by getting Ichbiah to give a public talk entitled "Ada's private parts" (referring to the visibility/access control mechanism in the language). The audience reaction was what you might expect. Apparently it took quite a long time before Ichbiah spoke to Barnes again.

John Wilson

From pwt at iosis.co.uk Sun Aug 8 11:46:12 2010
From: pwt at iosis.co.uk (Peter Tomlinson)
Date: Sun, 08 Aug 2010 10:46:12 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To:
References: <20100802110024.GR29810@snowy.squish.net> <4C57B7D9.2040403@iosis.co.uk> <142201cb3319$124fa6c0$36eef440$@net> <4C58370C.3030006@iosis.co.uk> <000901cb3324$b2b61df0$182259d0$@philipkatz.eu> <+b3IJFf22EWMFANs@perry.co.uk> <20100803185937.00007a49@surtees.fenrir.org.uk> <20100804081824.GU29810@snowy.squish.net> <20100804114701.00003c52@surtees.fenrir.org.uk> <20100804150343.00007a3f@surtees.fenrir.org.uk> <4C5CF83E.5000804@iosis.co.uk> <36D03D97F98C4E89805E727D73958F8C@Powerstation> <1B296629-F2EB-4A8D-8540-6912FC8E457F@sourcetagged.ian.co.uk> <3E0971F6-68A0-43B1-8E22-5E3EDD9E32E6@gladman.plus.com>
Message-ID: <4C5E8AEB.4020508@iosis.co.uk>

John Wilson wrote:
> ICL had the S3 language which was highly influenced by Algol 68 and
> was used to implement the systems software for the "new range"
> mainframes - I worked on the first S3 compiler. There was some talk
> about doing a "proper" Algol 68 implementation but the suits wanted a
> PL/1 compiler so it was never funded.
>

And Alan Chambers also worked on or with S3 I learned when later I encountered him at Bristol University - but he wasn't happy with changes made later, and left.
Peter

From maryhawking at tigers.demon.co.uk Mon Aug 9 08:40:07 2010
From: maryhawking at tigers.demon.co.uk (Mary Hawking)
Date: Mon, 09 Aug 2010 07:40:07 -0000
Subject: Civil Evidence Act 1995 and changing GP systems
Message-ID: <34FDBD09AF834939BF3B67393ACFABFD@MaryPC>

GPs were allowed to keep their patient records electronically by Statutory Instrument in 2000, and the law that allowed the electronic EPR in evidence was the Civil Evidence Act of 1995.

GP practices change systems over the years, sometimes several times, and patients move between practices: some systems only transfer the records of current patients - i.e. if a patient leaves the list the day before the data is downloaded for transfer to the new GP system, the only place that the record will be preserved is on that practice's old system (apart from any print-outs or GP2GP record transfers which lack audit trails).

How does the CEA deal with computer evidence when the organisation/individual concerned has changed systems - and does anyone have any references to cases which might be relevant to the GP situation?

The additional twist in GP records is that for an infant at birth, problems can be raised up to 3 years after the age of maturity - or indefinitely if the infant is sufficiently damaged to never reach mental competence.

Genuine enquiry - topic was raised regarding GP records and keeping a copy of the database in an old system: I don't think it has been decided in court - yet - so I wondered whether there was non-medical case law which might be applicable.

Mary Hawking
GP
From peter at pmsommer.com Mon Aug 9 10:27:00 2010
From: peter at pmsommer.com (Peter Sommer)
Date: Mon, 09 Aug 2010 09:27:00 -0000
Subject: Civil Evidence Act 1995 and changing GP systems
In-Reply-To: <34FDBD09AF834939BF3B67393ACFABFD@MaryPC>
References: <34FDBD09AF834939BF3B67393ACFABFD@MaryPC>
Message-ID: <4C5FC9DC.7090208@pmsommer.com>

The main purpose of the Civil Evidence Act 1995 was to admit hearsay evidence and to provide associated conditions. Section 7 made it possible to admit copies of documents and section 8 allowed for the admission of "records" of a business or public authority provided there was an affidavit / certificate that the records formed part of the regular business activity.

Thus, the law is about allowing such records to be admitted (whereas before much more complicated forms of proof were required). Once the evidence is admitted it is still open to challenge on the grounds of weight (eg that in some respect it is not accurate). However normally there will be a rebuttable presumption in favour of reliability.

The Civil Evidence Act does not prescribe standards by which records in electronic form should be kept. There are some applicable international standards: ISO 18492:2005 and 15801:2009. There are also some BSI documents: BS 10008:2008.

I don't know if elsewhere there are specific requirements for the maintenance of medical records.

Off the top of my head, I would guess that the obligation would be to keep old records in their original electronic format plus the software necessary to read them. And probably have more than one copy kept in more than one place for safety's sake. An audit trail in the form of a document saying when the archive was created and by whom would also seem to be a good plan.

Unless someone else here knows better?
On 09/08/2010 08:40, Mary Hawking wrote:
>
> GPs were allowed to keep their patient records electronically by
> Statutory Instrument in 2000, and the law that allowed the electronic
> EPR in evidence was the Civil Evidence Act of 1995.
>
> GP practices change systems over the years, sometimes several times,
> and patients move between practices: some systems only transfer the
> records of current patients -- i.e. if a patient leaves the list the
> day before the data is downloaded for transfer to the new GP system,
> the only place that the record will be preserved is on that practice's
> old system (apart from any print-outs or GP2GP record transfers which
> lack audit trails).
>
> How does the CEA deal with computer evidence when the
> organisation/individual concerned has changed systems -- and does
> anyone have any references to cases which might be relevant to the GP
> situation?
>
> The additional twist in GP records is that for an infant at birth,
> problems can be raised up to 3 years after the age of maturity -- or
> indefinitely if the infant is sufficiently damaged to never reach
> mental competence...
>
> Genuine enquiry -- topic was raised regarding GP records and keeping a
> copy of the database in an old system: I don't think it has been
> decided in court -- yet -- so I wondered whether there was non-medical
> case law which might be applicable.
>
> Mary Hawking
>
> GP
>
From nbohm at ernest.net Mon Aug 9 11:19:08 2010
From: nbohm at ernest.net (Nicholas Bohm)
Date: Mon, 09 Aug 2010 10:19:08 -0000
Subject: Civil Evidence Act 1995 and changing GP systems
In-Reply-To: <4C5FC9DC.7090208@pmsommer.com>
References: <34FDBD09AF834939BF3B67393ACFABFD@MaryPC> <4C5FC9DC.7090208@pmsommer.com>
Message-ID: <4C5FD61A.4000303@ernest.net>

On 09/08/2010 10:26, Peter Sommer wrote:
> The main purpose of the Civil Evidence Act 1995 was to admit hearsay
> evidence and to provide associated conditions. Section 7 made it
> possible to admit copies of documents and section 8 allowed for the
> admission of "records" of a business or public authority provided
> there was an affidavit / certificate that the records formed part of
> the regular business activity.
>
> Thus, the law is about allowing such records to be admitted (whereas
> before much more complicated forms of proof were required). Once the
> evidence is admitted it is still open to challenge on the grounds of
> weight (eg that in some respect it is not accurate). However normally
> there will be a rebuttable presumption in favour of reliability.
>
> The Civil Evidence Act does not prescribe standards by which records
> in electronic form should be kept. There are some applicable
> international standards: ISO 18492:2005 and 15801:2009. There are
> also some BSI documents: BS 10008:2008.
>
> I don't know if elsewhere there are specific requirements for the
> maintenance of medical records.
>
> Off the top of my head, I would guess that the obligation would be to
> keep old records in their original electronic format plus the software
> necessary to read them. And probably have more than one copy kept in
> more than one place for safety's sake. An audit trail in the form of
> a document saying when the archive was created and by whom would also
> seem to be a good plan.
>
> Unless someone else here knows better?
I don't know better; but I don't think it's a matter of obligation so much as incentivised by self-interest. The law, as Peter says, is about admissibility of what is there. Apart from tax-related obligations to keep some records, a GP practice that wants to be able to defend itself against clinical negligence claims needs to have its old records available, admissible and reliable. Compliance with standards must be a help. The ISO and BSI standards are probably elaborate, but I suspect they come down to very much what Peter describes.

Nicholas

--
Contact and PGP key here

From chl at clerew.man.ac.uk Mon Aug 9 11:29:29 2010
From: chl at clerew.man.ac.uk (Charles Lindsey)
Date: Mon, 09 Aug 2010 10:29:29 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To: <1B296629-F2EB-4A8D-8540-6912FC8E457F@sourcetagged.ian.co.uk>
References: <20100802110024.GR29810@snowy.squish.net> <4C57B7D9.2040403@iosis.co.uk> <142201cb3319$124fa6c0$36eef440$@net> <4C58370C.3030006@iosis.co.uk> <000901cb3324$b2b61df0$182259d0$@philipkatz.eu> <+b3IJFf22EWMFANs@perry.co.uk> <20100803185937.00007a49@surtees.fenrir.org.uk> <20100804081824.GU29810@snowy.squish.net> <20100804114701.00003c52@surtees.fenrir.org.uk> <20100804150343.00007a3f@surtees.fenrir.org.uk> <4C5CF83E.5000804@iosis.co.uk> <36D03D97F98C4E89805E727D73958F8C@Powerstation> <1B296629-F2EB-4A8D-8540-6912FC8E457F@sourcetagged.ian.co.uk>
Message-ID:

On Sat, 07 Aug 2010 17:15:05 +0100, Ian Mason wrote:
> Talking of safe languages no one has mentioned my old personal favourite
> Algol 68. It was even used as the systems programming language for a
> capability architecture processor and OS by Maurice Wilkes, the late
> Roger Needham, and others. Cue Dr. Gladman...

No, the safety in ALGOL 68 is too strong for systems programming work, where you have a definite requirement to "cheat" (i.e. to treat some bit pattern as being of different data types for different purposes - e.g.
how else can one construct machine code and expect to be able to obey it?). If you build in a few critical "cheating mechanisms", then what you have is S3 (actually, that opened up more holes than it need have done). And I expect that Roger Needham et al were using ALGOL 68C, which they were in a position to hack to provide such back doors as they found necessary. My own ALGOL 68 compiler uses a specially hacked version of Pascal, for exactly the same reason.

--
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131     Web: http://www.cs.man.ac.uk/~chl
Email: chl at clerew.man.ac.uk      Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9      Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5

From colinthomson1 at o2.co.uk Mon Aug 9 14:11:09 2010
From: colinthomson1 at o2.co.uk (Tom Thomson)
Date: Mon, 09 Aug 2010 13:11:09 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To: <4C5CF83E.5000804@iosis.co.uk>
References: <20100802110024.GR29810@snowy.squish.net> <4C57B7D9.2040403@iosis.co.uk> <142201cb3319$124fa6c0$36eef440$@net> <4C58370C.3030006@iosis.co.uk> <000901cb3324$b2b61df0$182259d0$@philipkatz.eu> <+b3IJFf22EWMFANs@perry.co.uk> <20100803185937.00007a49@surtees.fenrir.org.uk> <20100804081824.GU29810@snowy.squish.net> <20100804114701.00003c52@surtees.fenrir.org.uk> <20100804150343.00007a3f@surtees.fenrir.org.uk> <4C5CF83E.5000804@iosis.co.uk>
Message-ID:

Peter Tomlinson wrote:
> The memory stirs, taking me back to 1968 when I designed the very simple
> memory management hardware for the ICL 1904A (and in the process fixed
> an error in the 1906A's MMU). Took the software people another 2 years
> to get George 4 running. So that was old-fashioned, was it, Tom? It was
> state of the art then, in the commercial environment that soon after
> took a wrong turn...
No, I don't think the 1904A memory management system was old-fashioned in 1968, although machines with safe memory management had by then been around for at least 5 years, for example both versions of Atlas antedated it and were in some respects more advanced (as was the memory management on its contemporary English Electric 4-75) and at least some 360s that predated it had decently secure memory management. The disasters didn't happen until quite a few years later when the segmented memory and hard distinction between programme and data of early mini-processors (such as the CTL Modular 1) went out of fashion, and new fashions decreed that memory management systems like those were the province only of that unfashionable creature "the mainframe", ICL with its 1900, System 4, and 2900 ranges, Burroughs, IBM and so on were all makers of those unfashionable mainframes, academic projects like Multics and MU5 were not trendy because they insisted on trying to do verifiable security somewhere near right, and even Intel (quite a bit more later) with its segmented memory was undesirable (until MS decided to completely bypass the memory protection) compared to the fashionable exploitation of cheap hardware using cheap and sloppy programming standards.

Was it a commercial pressure that brought us to a wrong turn, or was it the flight of the crowd towards the fashionable? My feeling is the latter - I saw the pressures to follow fashion with good money being thrown after bad at doomed projects because they were thought to be fashionable, you must have seen that too.

M.

From colinthomson1 at o2.co.uk Mon Aug 9 14:21:09 2010
From: colinthomson1 at o2.co.uk (Tom Thomson)
Date: Mon, 09 Aug 2010 13:21:09 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To:
References: <20100802110024.GR29810@snowy.squish.net> <4C57B7D9.2040403@iosis.co.uk> <142201cb3319$124fa6c0$36eef440$@net> <4C58370C.3030006@iosis.co.uk> <000901cb3324$b2b61df0$182259d0$@philipkatz.eu> <+b3IJFf22EWMFANs@perry.co.uk> <20100803185937.00007a49@surtees.fenrir.org.uk> <20100804081824.GU29810@snowy.squish.net> <20100804114701.00003c52@surtees.fenrir.org.uk> <20100804150343.00007a3f@surtees.fenrir.org.uk> <4C5CF83E.5000804@iosis.co.uk>
Message-ID: <96C78C0A6E7347EC9D2EFC86702BF554@your41b8d18ede>

> On 7 Aug 2010, at 10:47, Ian Batten wrote:
>
> > So, if I'm three weeks from starting a PhD in which the production of a large slab of
> > secure code (let us gloss over whether that's formally secure or pragmatically secure),
> > what toolchain should I use? I'm guessing my favoured "first to reach for" tools at my
> > advanced age of C and Perl aren't cool, C++ horrifies me aesthetically, Java is dull.
> >
> > I think it's time for a Lisp revival.
>
> The implementation language would not be high up my list of issues at this stage but
> if you pushed me to make a choice and security was critical, Ada or SPARK.
>
> Brian Gladman
>
> > ian
> >

How about one of the ML dialects? Or Haskell?

Of course you can write secure stuff in any language - it's just that it's extremely difficult in things like C++ and others of that ilk (and you have to avoid use of some of its features)

M.

From igb at batten.eu.org Mon Aug 9 19:35:35 2010
From: igb at batten.eu.org (Ian Batten)
Date: Mon, 09 Aug 2010 18:35:35 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To: <96C78C0A6E7347EC9D2EFC86702BF554@your41b8d18ede>
References: <20100802110024.GR29810@snowy.squish.net> <4C57B7D9.2040403@iosis.co.uk> <142201cb3319$124fa6c0$36eef440$@net> <4C58370C.3030006@iosis.co.uk> <000901cb3324$b2b61df0$182259d0$@philipkatz.eu> <+b3IJFf22EWMFANs@perry.co.uk> <20100803185937.00007a49@surtees.fenrir.org.uk> <20100804081824.GU29810@snowy.squish.net> <20100804114701.00003c52@surtees.fenrir.org.uk> <20100804150343.00007a3f@surtees.fenrir.org.uk> <4C5CF83E.5000804@iosis.co.uk> <96C78C0A6E7347EC9D2EFC86702BF554@your41b8d18ede>
Message-ID: <8934B06A-5C6F-410B-9A82-EA8ADB0F8A65@batten.eu.org>

> Of course you can write secure stuff in any language - it's just that
> it's extremely difficult in things like C++ and others of that ilk
> (and you have to avoid use of some of its features)

And, by extension, you can write FORTRAN in anything, although I was impressed by this: http://queue.acm.org/detail.cfm?id=1039535

If there's anyone alive that hasn't read the original "real programmers" article, which opens

> The easiest way to tell a Real Programmer from the crowd is by the
> programming language he (or she) uses. Real Programmers use Fortran.
> Quiche Eaters use Pascal. Nicklaus Wirth, the designer of Pascal,
> gave a talk once at which he was asked, "How do you pronounce your
> name?". He replied, "You can either call me by name, pronouncing it
> 'Veert', or call me by value, 'Worth'." One can tell immediately by
> this comment that Nicklaus Wirth is a Quiche Eater. The only
> parameter passing mechanism endorsed by Real Programmers is call-by-
> value-return, as implemented in the IBM/370 Fortran G and H
> compilers. Real Programmers don't need all these abstract concepts
> to get their jobs done-- they are perfectly happy with a keypunch, a
> Fortran IV compiler, and a beer.
It's currently available at http://www.pbm.com/~lindahl/real.programmers.html

Although I notice one irony, after our friends in the US lost a probe through confusing imperial and metric units (and one is reminded of Benetton F1, who when they had US-designed Ford engines opted to replace all the external fasteners with custom-made ones with imperial threads and metric heads, so as to only need one set of spanners for fly-aways).

> The current plan for the Galileo spacecraft is to use a gravity
> assist trajectory past Mars on the way to Jupiter. This trajectory
> passes within 80 +/- 3 kilometers of the surface of Mars. Nobody is
> going to trust a Pascal program (or Pascal programmer) for
> navigation to these tolerances.
>

How did that work out later?

ian

From lists at internetpolicyagency.com Mon Aug 9 19:41:04 2010
From: lists at internetpolicyagency.com (Roland Perry)
Date: Mon, 09 Aug 2010 18:41:04 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To: <1B296629-F2EB-4A8D-8540-6912FC8E457F@sourcetagged.ian.co.uk>
References: <20100802110024.GR29810@snowy.squish.net> <4C57B7D9.2040403@iosis.co.uk> <142201cb3319$124fa6c0$36eef440$@net> <4C58370C.3030006@iosis.co.uk> <000901cb3324$b2b61df0$182259d0$@philipkatz.eu> <+b3IJFf22EWMFANs@perry.co.uk> <20100803185937.00007a49@surtees.fenrir.org.uk> <20100804081824.GU29810@snowy.squish.net> <20100804114701.00003c52@surtees.fenrir.org.uk> <20100804150343.00007a3f@surtees.fenrir.org.uk> <4C5CF83E.5000804@iosis.co.uk> <36D03D97F98C4E89805E727D73958F8C@Powerstation> <1B296629-F2EB-4A8D-8540-6912FC8E457F@sourcetagged.ian.co.uk>
Message-ID:

In article <1B296629-F2EB-4A8D-8540-6912FC8E457F at sourcetagged.ian.co.uk>, Ian Mason writes
>Talking of safe languages no one has mentioned my old personal
>favourite Algol 68.
>It was even used as the systems programming
>language for a capability architecture processor and OS by Maurice
>Wilkes, the late Roger Needham, and others.

I learnt most of my high level programming using Algol, in the late 60's (on an ICL 4100). I even started a project to write my own compiler for it. Hence my despair at the apparent inadequacies of C.

--
Roland Perry

From lists at internetpolicyagency.com Mon Aug 9 19:41:08 2010
From: lists at internetpolicyagency.com (Roland Perry)
Date: Mon, 09 Aug 2010 18:41:08 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To:
References: <20100802110024.GR29810@snowy.squish.net> <4C57B7D9.2040403@iosis.co.uk> <142201cb3319$124fa6c0$36eef440$@net> <4C58370C.3030006@iosis.co.uk> <000901cb3324$b2b61df0$182259d0$@philipkatz.eu> <+b3IJFf22EWMFANs@perry.co.uk> <20100803185937.00007a49@surtees.fenrir.org.uk> <20100804081824.GU29810@snowy.squish.net> <20100804114701.00003c52@surtees.fenrir.org.uk> <20100804150343.00007a3f@surtees.fenrir.org.uk>
Message-ID:

In article , David Biggins writes
>Three such factors in particular formed an interesting collision of
>decisions by three separate groups, that combined to form a serious
>security problem.
>
>The first is the classic 'C' "null terminated string" in which there is
>no standard (or efficient) tracking in the language of either the
>current length of a string or the space allocated to it.
>
>For non-programmers here, that means that the standard library
>operations to copy or concatenate a string have no intrinsic way of
>knowing whether or not the space that a string is being copied to, is
>actually big enough to hold it. They just copy bytes until one of the
>bytes is a zero. So if you have a kilobyte of string before that zero,
>and there's only 256 bytes of space reserved where you're copying to,
>then tough. 768 bytes of whatever follows, are going to get trampled.
>
>It is perhaps a pity that a "strcpy() considered harmful" didn't appear
>before billions of lines of code were written using it.

Would it not be possible to have an enhanced operation which you send, by way of a parameter, the maximum number of characters you are prepared to allow it to copy/concatenate. Cunningly, that might usefully be the remaining size of buffer that you've allocated.

Obviously(?) there must be a simple reason why not.

>The second was adoption by Intel of the "top down" hardware stack
>
>In this, the "base" of the stack is high in memory and the stack grows
>downwards as you push values, rather than starting at the bottom of
>memory and growing upwards.
>
>The nasty effect of this was that if you overflow the target buffer in
>a string copy as above, when the destination is a local variable on the
>stack, you don't just overwrite a few values then unused stack space -
>which would have been far harder to exploit.

Another naive question: Why not position the stack at the lower end of the memory map, so that nothing can rise up and bite it?

--
Roland Perry

From matthew at pemble.net Mon Aug 9 20:00:21 2010
From: matthew at pemble.net (Matthew Pemble)
Date: Mon, 09 Aug 2010 19:00:21 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To:
References: <20100802110024.GR29810@snowy.squish.net> <4C57B7D9.2040403@iosis.co.uk> <142201cb3319$124fa6c0$36eef440$@net> <4C58370C.3030006@iosis.co.uk> <000901cb3324$b2b61df0$182259d0$@philipkatz.eu> <+b3IJFf22EWMFANs@perry.co.uk> <20100803185937.00007a49@surtees.fenrir.org.uk> <20100804081824.GU29810@snowy.squish.net> <20100804114701.00003c52@surtees.fenrir.org.uk> <20100804150343.00007a3f@surtees.fenrir.org.uk>
Message-ID:

Folks,

> Would it not be possible to have an enhanced operation which you send, by
> way of a parameter, the maximum number of characters you are prepared to
> allow it to copy/concatenate.
> Cunningly, that might usefully be the
> remaining size of buffer that you've allocated.
>
> Obviously(?) there must be a simple reason why not.
>

Yes, they didn't think about it at the time. If they had, they would have. As 'they' have now.

So, you now have the option of using strcpy_s(var, maxlen, value), having malloced the var to give you the space.

Except most of the textbooks don't mention the newer, possibly secure, functions.

M.

--
Matthew Pemble

From paul at leyland.vispa.com Mon Aug 9 20:48:21 2010
From: paul at leyland.vispa.com (Paul Leyland)
Date: Mon, 09 Aug 2010 19:48:21 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To:
References: <20100802110024.GR29810@snowy.squish.net> <4C57B7D9.2040403@iosis.co.uk> <142201cb3319$124fa6c0$36eef440$@net> <4C58370C.3030006@iosis.co.uk> <000901cb3324$b2b61df0$182259d0$@philipkatz.eu> <+b3IJFf22EWMFANs@perry.co.uk> <20100803185937.00007a49@surtees.fenrir.org.uk> <20100804081824.GU29810@snowy.squish.net> <20100804114701.00003c52@surtees.fenrir.org.uk> <20100804150343.00007a3f@surtees.fenrir.org.uk> <4C5CF83E.5000804@iosis.co.uk>
Message-ID: <1281383286.1868.12.camel@imhotep.brnikat.com>

On Mon, 2010-08-09 at 14:10 +0100, Tom Thomson wrote:
> No, I don't think the 1904A memory management system was old-fashioned
> in 1968, although machines with safe memory management had by then
> been around for at least 5 years, for example both versions of Atlas
> antedated it and were in some respects more advanced (as was the
> memory management on its contemporary English Electric 4-75) and at
> least some 360s that predated it had decently secure memory
> management.
> The disasters didn't happen until quite a few years later
> when the segmented memory and hard distinction between programme and
> data of early mini-processors (such as the CTL Modular 1) went out of
> fashion, and new fashions decreed that memory management systems like

Now there's a blast from the past. I cut my programming teeth on a CTL Mod 1, in both BASIC and Algol68R. Although I used a 1906A with both FORTRAN4 and Algol60, it wasn't until the 2980 came along (to Oxford where I met those machines) that I did any serious work in Algol68.

I still think Algol68 is the nicest language I ever learned and I greatly regret that it never caught on in a big way. Perhaps an effort could be made to re-popularize it. If so, the IO library needs to be dragged out of the 1960's.

Paul

From paul at leyland.vispa.com Mon Aug 9 20:52:42 2010
From: paul at leyland.vispa.com (Paul Leyland)
Date: Mon, 09 Aug 2010 19:52:42 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To: <96C78C0A6E7347EC9D2EFC86702BF554@your41b8d18ede> References: <20100802110024.GR29810@snowy.squish.net> <4C57B7D9.2040403@iosis.co.uk> <142201cb3319$124fa6c0$36eef440$@net> <4C58370C.3030006@iosis.co.uk> <000901cb3324$b2b61df0$182259d0$@philipkatz.eu> <+b3IJFf22EWMFANs@perry.co.uk> <20100803185937.00007a49@surtees.fenrir.org.uk> <20100804081824.GU29810@snowy.squish.net> <20100804114701.00003c52@surtees.fenrir.org.uk> <20100804150343.00007a3f@surtees.fenrir.org.uk> <4C5CF83E.5000804@iosis.co.uk> <96C78C0A6E7347EC9D2EFC86702BF554@your41b8d18ede> Message-ID: <1281383549.1868.17.camel@imhotep.brnikat.com> On Mon, 2010-08-09 at 14:20 +0100, Tom Thomson wrote: > Of course you can write secure stuff I any language - it's just that > it's extremely difficult in things like C++ and others of that ilk > (and you have to avoid use of some of its features) As has been observed many times over the years, you can write FORTRAN in any language, and you can write anything in FORTRAN. In the same spirit and as you note, it is possible (I would say straightforward) to write secure code in most anything. All you need is knowledge, experience and discipline. Unfortunately, very few programmers possess all qualities at the same time. Paul From amidgley at gmail.com Tue Aug 10 00:44:50 2010 From: amidgley at gmail.com (Adrian Midgley (Gmail)) Date: Mon, 09 Aug 2010 23:44:50 -0000 Subject: Civil Evidence Act 1995 and changing GP systems In-Reply-To: <4C5FD61A.4000303@ernest.net> References: <34FDBD09AF834939BF3B67393ACFABFD@MaryPC> <4C5FC9DC.7090208@pmsommer.com> <4C5FD61A.4000303@ernest.net> Message-ID: <1281397481.4330.58.camel@lyrae> One of the selection criteria I had for the first clinical record system we installed was that I should be able to get all data out of it, myself. I satisfied that. We now have EMIS, which I can't get data out of. I retain the entire data files of the previous system and have open source-based tools to read them. 
The original software is encumbered by security features and being a very large DOS Clipper program I would not care to guarantee it will always be runnable on currently available hardware. I agree, a pragmatic interest compels keeping this. I think it is fairly stupid for conversions to only take across currently registered patients. People go away and come back. However, I'm not keen on conversions that make the notes appear as if they had been made in the new system in the first place. They should carry on looking as similar as reasonably possible to their original shape. -- A From igb at batten.eu.org Tue Aug 10 07:39:36 2010 From: igb at batten.eu.org (Ian Batten) Date: Tue, 10 Aug 2010 06:39:36 -0000 Subject: Secure Programming Practices (Was Re: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)) In-Reply-To: <1281383549.1868.17.camel@imhotep.brnikat.com> References: <20100802110024.GR29810@snowy.squish.net> <4C57B7D9.2040403@iosis.co.uk> <142201cb3319$124fa6c0$36eef440$@net> <4C58370C.3030006@iosis.co.uk> <000901cb3324$b2b61df0$182259d0$@philipkatz.eu> <+b3IJFf22EWMFANs@perry.co.uk> <20100803185937.00007a49@surtees.fenrir.org.uk> <20100804081824.GU29810@snowy.squish.net> <20100804114701.00003c52@surtees.fenrir.org.uk> <20100804150343.00007a3f@surtees.fenrir.org.uk> <4C5CF83E.5000804@iosis.co.uk> <96C78C0A6E7347EC9D2EFC86702BF554@your41b8d18ede> <1281383549.1868.17.camel@imhotep.brnikat.com> Message-ID: <65A9AD7E-3BE1-4471-9C1B-076592CB6B2D@batten.eu.org> > > In the same spirit and as you note, it is possible (I would say > straightforward) to write secure code in most anything. All you > need is > knowledge, experience and discipline. Unfortunately, very few > programmers possess all qualities at the same time. 
In part, I think, because a lot of secure practices rely on an infinite capacity for believing the worst of things, a cynicism that comes with age, and one of the things that tends to happen to experienced and competent coders is that they end up doing things one or more steps removed from the code face instead.

I guess we all acquire habits that help over the years. Personally, whatever language I'm working in I use a very poor man's version of programming by contract and throw assertions all over the place, on the assumption that calling conventions into every block will be abused. And slightly more unusually, for any code with non-trivial memory requirements I write my own allocate/de-allocate wrapper around the local mechanism in order to count creation and destruction, and write a structure walker that will count everything that's in use. This comes from doing my undergrad project on Multics, where each invocation of a program is a subroutine call rather than a Unix-style new process, and therefore where a long day's coding is made far more tedious by slowly leaking memory and having to create a new process, which takes ages.

From lists at internetpolicyagency.com Tue Aug 10 09:15:28 2010
From: lists at internetpolicyagency.com (Roland Perry)
Date: Tue, 10 Aug 2010 08:15:28 -0000
Subject: Ofcom Do Security
In-Reply-To: <4C5D9E1C.7070503@gmx.co.uk>
References: <09961A39-A259-4755-A3DE-877A6CE029F2@batten.eu.org> <4C5D9E1C.7070503@gmx.co.uk>
Message-ID:

In article <4C5D9E1C.7070503 at gmx.co.uk>, Dave Howe writes
> "wife's maiden name" - I have seen it complain it doesn't like a
> character (it has a - in it) or is too short/too long.

So it doesn't like double-barrelled maiden names, maybe the designers don't realise they exist? Which is a shame, because double-barrelled surnames inherently somewhat weaken the shared 'secret' of a mother's maiden name.
-- Roland Perry From David_Biggins at usermgmt.com Tue Aug 10 10:12:11 2010 From: David_Biggins at usermgmt.com (David Biggins) Date: Tue, 10 Aug 2010 09:12:11 -0000 Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?) In-Reply-To: References: <20100802110024.GR29810@snowy.squish.net><4C57B7D9.2040403@iosis.co.uk> <142201cb3319$124fa6c0$36eef440$@net><4C58370C.3030006@iosis.co.uk><000901cb3324$b2b61df0$182259d0$@philipkatz.eu><+b3IJFf22EWMFANs@perry.co.uk><20100803185937.00007a49@surtees.fenrir.org.uk><20100804081824.GU29810@snowy.squish.net><20100804114701.00003c52@surtees.fenrir.org.uk><20100804150343.00007a3f@surtees.fenrir.org.uk> Message-ID: > Would it not be possible to have an enhanced operation which you send, > by way of a parameter, the maximum number of characters you are > prepared > to allow it to copy/concatenate. Cunningly, that might usefully be the > remaining size of buffer that you've allocated. Oh certainly - and the enhanced operation has existed for some time, and modern languages don't just use zero-terminated strings and so on. Back in 'C', using the strncpy() function to copy with a size limit, there are a few minor problems - with not-so-minor impact. You have to set the parameter to the buffer size explicitly, everywhere it is used. One problem is that while you can work out how long a string is by counting the characters before the zero, you can't work out how long the buffer it's stored in, is - so you have to store it yourself, and pass it round as a parameter everywhere you pass the buffer to... Which was always good practice, but sadly ignored by many programmers when it was thought that it was only a crash risk, not a point of attack. Trivial to sort out when writing new code (and if you're writing new code, you'd use an intelligent class or a structure that avoided the problem), but a nightmare if it becomes necessary to refactor existing software. 
And that still doesn't solve the real problem, which remains in the millions of lines of code out there, in standard libraries and in the operating system, using the original version, and imposing the vulnerability on you, every time you call them...

> > The second was adoption by Intel of the "top down" hardware stack
> >
> Another naive question: Why not position the stack at the lower end of
> the memory map, so that nothing can rise up and bite it?

Ah - I see I haven't explained myself clearly enough.

The problem is not something below the stack rising to bite it. It's from something "newer" on the stack (i.e. low in memory) overflowing its reserved space on the stack to rise up and bite something "older" on the stack (i.e. higher in memory).

I agree with you that none of these issues are inherently that hard to solve. In an object-based language, you build a standard string object that wraps a string with its actual length and buffer length, and pass that, and so on.

Even then, the problem comes when your shiny new "secured" string object has to be passed to an operating system function or third-party library, that is just expecting the null-terminated string, so you pass it the address of the string part of your object...

D.

From David_Biggins at usermgmt.com Tue Aug 10 10:16:06 2010
From: David_Biggins at usermgmt.com (David Biggins)
Date: Tue, 10 Aug 2010 09:16:06 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
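The two habits discussed in this thread, David Biggins' string object that carries its actual length and its buffer length together, and Ian Batten's counting allocate/de-allocate wrapper from his earlier post, put together in C as an added example. This is not code from either post or from any list member; the names (`sstr`, `xalloc`, `demo`) and the 16-byte capacity are the example's own assumptions. It also shows the strncpy() pitfall that a size-limited copy still leaves behind: strncpy does not NUL-terminate when the source fills the destination.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Counting wrapper around the local allocator (hypothetical names).
 * Every allocation and release is tallied so a leak shows up as a
 * non-zero live count at the end of a run. */
static long g_live_allocs = 0;   /* allocations not yet freed */
static long g_total_allocs = 0;  /* allocations ever made */

static void *xalloc(size_t n) {
    void *p = malloc(n);
    if (p) { g_live_allocs++; g_total_allocs++; }
    return p;
}
static void xfree(void *p) {
    if (p) { free(p); g_live_allocs--; }
}
long live_allocs(void)  { return g_live_allocs; }
long total_allocs(void) { return g_total_allocs; }

/* A string that knows both its length and the size of its buffer,
 * so the capacity travels with the pointer instead of being re-derived
 * (or guessed) at every call site. */
typedef struct {
    char *buf;
    size_t len;   /* bytes in use, excluding the terminating NUL */
    size_t cap;   /* bytes allocated, including room for the NUL */
} sstr;

int sstr_init(sstr *s, size_t cap) {
    if (cap == 0) return -1;
    s->buf = xalloc(cap);
    if (!s->buf) return -1;
    s->buf[0] = '\0';
    s->len = 0;
    s->cap = cap;
    return 0;
}

/* Bounded append: refuses (returns -1, leaves s untouched) rather than
 * silently truncating or overrunning; buf always stays NUL-terminated. */
int sstr_append(sstr *s, const char *src) {
    size_t n = strlen(src);
    if (s->len >= s->cap || n > s->cap - 1 - s->len) return -1;
    memcpy(s->buf + s->len, src, n + 1);
    s->len += n;
    return 0;
}

void sstr_free(sstr *s) {
    xfree(s->buf);
    s->buf = NULL;
    s->len = s->cap = 0;
}

/* The strncpy pitfall: when the source fills the destination there is
 * no room for the NUL and strncpy does not add one.  Returns 1 if dst
 * was left unterminated. */
int strncpy_leaves_unterminated(void) {
    char dst[4];
    memset(dst, 'X', sizeof dst);
    strncpy(dst, "abcdef", sizeof dst);        /* copies "abcd", no NUL */
    return memchr(dst, '\0', sizeof dst) == NULL;
}

/* Worked run: build a 16-byte string, try to overfill it, free it.
 * Returns the number of refused appends, or -1 if setup failed. */
int demo(void) {
    sstr s;
    int rejected = 0;
    if (sstr_init(&s, 16) != 0) return -1;
    if (sstr_append(&s, "hello, ") != 0) rejected++;   /* 7 bytes: fits */
    if (sstr_append(&s, "world") != 0) rejected++;     /* 12 in use: fits */
    if (sstr_append(&s, "!!!!") != 0) rejected++;      /* needs 17 with NUL: refused */
    printf("%s (len %zu, cap %zu)\n", s.buf, s.len, s.cap);
    sstr_free(&s);
    return rejected;
}

int main(void) {
    int r = demo();
    printf("refused appends: %d, live allocations: %ld of %ld\n",
           r, live_allocs(), total_allocs());
    return 0;
}
```

The point of returning -1 from the append rather than truncating is that a silent truncation is the other half of the strncpy problem: the caller's data quietly changes shape, which is its own class of bug. The live-allocation count is the cheap end of Ian Batten's technique; the structure walker he describes would cross-check that count against what is actually reachable.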
In-Reply-To: References: <20100802110024.GR29810@snowy.squish.net><4C57B7D9.2040403@iosis.co.uk> <142201cb3319$124fa6c0$36eef440$@net><4C58370C.3030006@iosis.co.uk><000901cb3324$b2b61df0$182259d0$@philipkatz.eu><+b3IJFf22EWMFANs@perry.co.uk><20100803185937.00007a49@surtees.fenrir.org.uk><20100804081824.GU29810@snowy.squish.net><20100804114701.00003c52@surtees.fenrir.org.uk><20100804150343.00007a3f@surtees.fenrir.org.uk> Message-ID: Somehow I seem to have accidentally chopped that my last post was a reply to Roland's questions. My apologies. D. From lists at internetpolicyagency.com Tue Aug 10 11:05:41 2010 From: lists at internetpolicyagency.com (Roland Perry) Date: Tue, 10 Aug 2010 10:05:41 -0000 Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?) In-Reply-To: References: <20100802110024.GR29810@snowy.squish.net> <4C57B7D9.2040403@iosis.co.uk> <142201cb3319$124fa6c0$36eef440$@net> <4C58370C.3030006@iosis.co.uk> <000901cb3324$b2b61df0$182259d0$@philipkatz.eu> <+b3IJFf22EWMFANs@perry.co.uk> <20100803185937.00007a49@surtees.fenrir.org.uk> <20100804081824.GU29810@snowy.squish.net> <20100804114701.00003c52@surtees.fenrir.org.uk> <20100804150343.00007a3f@surtees.fenrir.org.uk> Message-ID: In article , David Biggins writes >And that still doesn't solve the real problem, which remains in the >millions of lines of code out there, in standard libraries and in the >operating system, using the original version, and imposing the >vulnerability on you, every time you call them... Time to re-write the operating system then. As it's well past the classic version 3, how about getting this right in version 6? Failing that, version 7 :) >> >The second was adoption by Intel of the "top down" hardware stack >> > >> Another naive question: Why not position the stack at the lower end of >> the memory map, so that nothing can rise up and bite it? > >Ah - I see I haven't explained myself clearly enough. 
>
> The problem is not something below the stack rising to bite it. It's
> from something "newer" on the stack (i.e. low in memory) overflowing its
> reserved space on the stack to rise up and bite something "older" on the
> stack (i.e. higher in memory).

But if stacks grow downwards, how can a newer item rise upwards?
--
Roland Perry

From mikie.simpson at gmail.com Tue Aug 10 12:47:42 2010
From: mikie.simpson at gmail.com (Michael Simpson)
Date: Tue, 10 Aug 2010 11:47:42 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To:
References: <20100802110024.GR29810@snowy.squish.net> <4C57B7D9.2040403@iosis.co.uk> <142201cb3319$124fa6c0$36eef440$@net> <4C58370C.3030006@iosis.co.uk> <000901cb3324$b2b61df0$182259d0$@philipkatz.eu> <+b3IJFf22EWMFANs@perry.co.uk> <20100803185937.00007a49@surtees.fenrir.org.uk> <20100804081824.GU29810@snowy.squish.net> <20100804114701.00003c52@surtees.fenrir.org.uk> <20100804150343.00007a3f@surtees.fenrir.org.uk>
Message-ID:

On 10 August 2010 11:04, Roland Perry wrote:
> In article ,
> David Biggins writes
>>
>> And that still doesn't solve the real problem, which remains in the
>> millions of lines of code out there, in standard libraries and in the
>> operating system, using the original version, and imposing the
>> vulnerability on you, every time you call them...
>
> Time to re-write the operating system then. As it's well past the classic
> version 3, how about getting this right in version 6? Failing that, version
> 7 :)
>
>>> >The second was adoption by Intel of the "top down" hardware stack
>>> >
>>> Another naive question: Why not position the stack at the lower end of
>>> the memory map, so that nothing can rise up and bite it?
>>
>> Ah - I see I haven't explained myself clearly enough.
>>
>> The problem is not something below the stack rising to bite it. It's
>> from something "newer" on the stack (i.e.
>> low in memory) overflowing its
>> reserved space on the stack to rise up and bite something "older" on the
>> stack (i.e. higher in memory).
>
> But if stacks grow downwards, how can a newer item rise upwards?
> --
> Roland Perry
>

Aleph One wrote an excellent paper on this a while ago that is worth a read
http://www.phrack.com/issues.html?issue=49&id=14
"smashing the stack for fun and profit"

It might fill out the also excellent "buffer overflow in a nutshell" that the list has been treated to in recent days.

mike

From jon+ukcrypto at unequivocal.co.uk Tue Aug 10 12:55:50 2010
From: jon+ukcrypto at unequivocal.co.uk (Jon Ribbens)
Date: Tue, 10 Aug 2010 11:55:50 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To:
References: <20100804114701.00003c52@surtees.fenrir.org.uk> <20100804150343.00007a3f@surtees.fenrir.org.uk>
Message-ID: <20100810115549.GG29810@snowy.squish.net>

On Tue, Aug 10, 2010 at 11:04:16AM +0100, Roland Perry wrote:
>> The problem is not something below the stack rising to bite it. It's
>> from something "newer" on the stack (i.e. low in memory) overflowing its
>> reserved space on the stack to rise up and bite something "older" on the
>> stack (i.e. higher in memory).
>
> But if stacks grow downwards, how can a newer item rise upwards?

The code thinks it's going to write, say, a string of 20 bytes, so the stack pointer is reduced by 20 bytes to provide this space. The code is then persuaded to write a string, started at the lowest address of that space and continuing upwards, of more than 20 bytes, thus overwriting the older/higher part of the stack.

From pwt at iosis.co.uk Tue Aug 10 13:12:03 2010
From: pwt at iosis.co.uk (Peter Tomlinson)
Date: Tue, 10 Aug 2010 12:12:03 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
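Jon Ribbens' explanation, together with Roland Perry's later observation that it is ordinary store operations rather than PUSH or CALL that fill the reserved space, modelled in C as an added example. This is not code from the thread: the "stack" is a plain array with an index as the stack pointer, and the layout, the marker byte standing in for the saved return address, and the function names are this example's assumptions, not any real ABI. The checked variant shows what passing the buffer size explicitly, as the thread recommends, changes.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define STACK_SIZE 128   /* size of the modelled stack region */
#define RET_SIZE   4     /* width of the modelled saved return address */
#define SAVED_RET  0xEE  /* marker byte standing in for that address */

/* A downward-growing stack: sp is the index of the lowest in-use byte. */
typedef struct {
    unsigned char mem[STACK_SIZE];
    size_t sp;
} model_stack;

void stack_init(model_stack *s) {
    memset(s->mem, 0, sizeof s->mem);
    s->sp = STACK_SIZE;             /* empty stack: pointer at the top */
}

/* PUSH/CALL-style write: sp moves DOWN, the item lands in the vacated
 * space.  Returns the item's lowest address (its index in mem). */
size_t push(model_stack *s, const unsigned char *data, size_t n) {
    s->sp -= n;
    memcpy(&s->mem[s->sp], data, n);
    return s->sp;
}

/* Reserve n bytes for a local buffer ("sub sp, n"); returns its lowest address. */
size_t reserve(model_stack *s, size_t n) {
    s->sp -= n;
    return s->sp;
}

/* An ordinary string store into the buffer: starts at the buffer's lowest
 * address and writes UPWARDS, towards the older frames.  Returns how many
 * bytes landed beyond the buffer (0 if it fitted). */
size_t store_unchecked(model_stack *s, size_t buf, size_t buf_size, const char *src) {
    size_t n = strlen(src) + 1;                      /* include the NUL */
    if (buf + n > STACK_SIZE) n = STACK_SIZE - buf;  /* keep the model itself in bounds */
    memcpy(&s->mem[buf], src, n);
    return n > buf_size ? n - buf_size : 0;
}

/* The same store with the buffer size passed explicitly: refuses rather
 * than writing past the buffer.  Returns 0 on success, -1 if refused. */
int store_checked(model_stack *s, size_t buf, size_t buf_size, const char *src) {
    size_t n = strlen(src) + 1;
    if (n > buf_size) return -1;
    memcpy(&s->mem[buf], src, n);
    return 0;
}

/* 1 if the saved-return marker at ret_addr is untouched, else 0. */
int ret_intact(const model_stack *s, size_t ret_addr) {
    for (size_t i = 0; i < RET_SIZE; i++)
        if (s->mem[ret_addr + i] != SAVED_RET) return 0;
    return 1;
}

/* Lay out caller locals, then the saved return, then a 20-byte local buffer
 * below both.  The return marker is "older" and sits at a HIGHER address. */
static size_t lay_out(model_stack *s, size_t *ret_addr) {
    unsigned char locals[16] = {0};
    unsigned char ret[RET_SIZE] = {SAVED_RET, SAVED_RET, SAVED_RET, SAVED_RET};
    stack_init(s);
    push(s, locals, sizeof locals);
    *ret_addr = push(s, ret, RET_SIZE);
    return reserve(s, 20);
}

/* Constructed input: 24 characters, 25 bytes with the NUL, into 20 bytes. */
static const char *too_long = "AAAAAAAAAAAAAAAAAAAAAAAA";

/* Returns 1 if the unchecked store clobbered the older return marker. */
int demo_overflow(void) {
    model_stack s; size_t ret_addr;
    size_t buf = lay_out(&s, &ret_addr);
    size_t over = store_unchecked(&s, buf, 20, too_long);
    printf("buffer at %zu, saved return at %zu, overrun %zu bytes, ret intact=%d\n",
           buf, ret_addr, over, ret_intact(&s, ret_addr));
    return !ret_intact(&s, ret_addr);
}

/* Returns 1 if the checked store refused the write and the marker survived. */
int demo_checked(void) {
    model_stack s; size_t ret_addr;
    size_t buf = lay_out(&s, &ret_addr);
    int rc = store_checked(&s, buf, 20, too_long);
    return rc == -1 && ret_intact(&s, ret_addr);
}

int main(void) {
    printf("unchecked clobbered return: %d\n", demo_overflow());
    printf("checked refused and return intact: %d\n", demo_checked());
    return 0;
}
```

The addresses printed make Roland Perry's question concrete: the buffer's lowest address is below the saved return marker, the stack pointer only ever moved down, and it is the byte-by-byte upward store, the thing strcpy and its relatives do, that crosses into the older frame.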
In-Reply-To: <20100810115549.GG29810@snowy.squish.net> References: <20100804114701.00003c52@surtees.fenrir.org.uk> <20100804150343.00007a3f@surtees.fenrir.org.uk> <20100810115549.GG29810@snowy.squish.net> Message-ID: <4C614207.2000908@iosis.co.uk> Jon Ribbens wrote: > On Tue, Aug 10, 2010 at 11:04:16AM +0100, Roland Perry wrote: > >>> The problem is not something below the stack rising to bite it. It's >>> from something "newer" on the stack (i.e. low in memory) overflowing its >>> reserved space on the stack to rise up and bite something "older" on the >>> stack (i.e. higher in memory). >>> >> But if stacks grow downwards, how can a newer item rise upwards? >> > The code thinks it's going to write, say, a string of 20 bytes, so the > stack pointer is reduced by 20 bytes to provide this space. The code > is then persuaded to write a string, started at the lowest address of > that space and continuing upwards, of more than 20 bytes, thus > overwriting the older/higher part of the stack. That is a method that is just asking for trouble... Peter From jon+ukcrypto at unequivocal.co.uk Tue Aug 10 13:16:16 2010 From: jon+ukcrypto at unequivocal.co.uk (Jon Ribbens) Date: Tue, 10 Aug 2010 12:16:16 -0000 Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?) In-Reply-To: <4C614207.2000908@iosis.co.uk> References: <20100804150343.00007a3f@surtees.fenrir.org.uk> <20100810115549.GG29810@snowy.squish.net> <4C614207.2000908@iosis.co.uk> Message-ID: <20100810121615.GH29810@snowy.squish.net> On Tue, Aug 10, 2010 at 01:11:51PM +0100, Peter Tomlinson wrote: >> The code thinks it's going to write, say, a string of 20 bytes, so the >> stack pointer is reduced by 20 bytes to provide this space. The code >> is then persuaded to write a string, started at the lowest address of >> that space and continuing upwards, of more than 20 bytes, thus >> overwriting the older/higher part of the stack. > That is a method that is just asking for trouble... 
Possibly true, but that's how it works. From lists at internetpolicyagency.com Tue Aug 10 13:27:52 2010 From: lists at internetpolicyagency.com (Roland Perry) Date: Tue, 10 Aug 2010 12:27:52 -0000 Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?) In-Reply-To: <20100810115549.GG29810@snowy.squish.net> References: <20100804114701.00003c52@surtees.fenrir.org.uk> <20100804150343.00007a3f@surtees.fenrir.org.uk> <20100810115549.GG29810@snowy.squish.net> Message-ID: In article <20100810115549.GG29810 at snowy.squish.net>, Jon Ribbens writes >>> The problem is not something below the stack rising to bite it. It's >>> from something "newer" on the stack (i.e. low in memory) overflowing its >>> reserved space on the stack to rise up and bite something "older" on the >>> stack (i.e. higher in memory). >> >> But if stacks grow downwards, how can a newer item rise upwards? > >The code thinks it's going to write, say, a string of 20 bytes, so the >stack pointer is reduced by 20 bytes to provide this space. The code >is then persuaded to write a string, started at the lowest address of >that space and continuing upwards, of more than 20 bytes, thus >overwriting the older/higher part of the stack. Ah, so you are using standard write operations to put stuff into the stack area. Not a PUSH or a CALL (both of which would automatically grow the stack downwards only). That explains it. -- Roland Perry From zenadsl6186 at zen.co.uk Tue Aug 10 17:03:53 2010 From: zenadsl6186 at zen.co.uk (Peter Fairbrother) Date: Tue, 10 Aug 2010 16:03:53 -0000 Subject: Experian and benefit fraud Message-ID: <4C617869.9040506@zen.co.uk> http://www.bbc.co.uk/news/uk-10922261 The Gubbmint plans to get credit rating firms to check benefit claimants. "One firm, Experian, said it was in talks over a deal which could see it get a "bounty" for cheats it uncovers." 
"Experian said it already had a contract to look into new housing benefit claimants, in a deal agreed by the previous government. It expects the annual saving to be £17m."

"Asked about civil liberty fears about the government using firms to look into benefit claimants' spending, [David Cameron] said: "I do not think people should be concerned."

"If you are entitled to welfare and can claim it then you should claim it but if you are not entitled to it you should not get and should not claim it."

Pity nobody asked him more directly about the privacy implications.

If Experian are to check benefits claimants, they will need to cross check the claimants with Experian's records. Which means that Experian will need to have access to a constantly updated list of all claimants, and how much they get ... wonder how much Experian are paying for *that* access?

--
Peter Fairbrother

From ukcrypto at sourcetagged.ian.co.uk Tue Aug 10 17:19:23 2010
From: ukcrypto at sourcetagged.ian.co.uk (Ian Mason)
Date: Tue, 10 Aug 2010 16:19:23 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To: <8934B06A-5C6F-410B-9A82-EA8ADB0F8A65@batten.eu.org>
References: <20100802110024.GR29810@snowy.squish.net> <4C57B7D9.2040403@iosis.co.uk> <142201cb3319$124fa6c0$36eef440$@net> <4C58370C.3030006@iosis.co.uk> <000901cb3324$b2b61df0$182259d0$@philipkatz.eu> <+b3IJFf22EWMFANs@perry.co.uk> <20100803185937.00007a49@surtees.fenrir.org.uk> <20100804081824.GU29810@snowy.squish.net> <20100804114701.00003c52@surtees.fenrir.org.uk> <20100804150343.00007a3f@surtees.fenrir.org.uk> <4C5CF83E.5000804@iosis.co.uk> <96C78C0A6E7347EC9D2EFC86702BF554@your41b8d18ede> <8934B06A-5C6F-410B-9A82-EA8ADB0F8A65@batten.eu.org>
Message-ID: <8A557A12-CB73-4343-AAF9-8BB57D722463@sourcetagged.ian.co.uk>

On 9 Aug 2010, at 19:35, Ian Batten wrote:
>
> If there's anyone alive that hasn't read the original "real
> programmers" article, which opens
>
>> The easiest way to tell a Real Programmer from the crowd is by the
>> programming language he (or she) [snip]
>> Programmers don't need all these abstract concepts to get their
>> jobs done-- they are perfectly happy with a keypunch, a Fortran IV
>> compiler, and a beer.
>
> It also contains the immortal line:
>
> Real Programmers do Artificial Intelligence programs in Fortran.

And once that was exactly what I was employed to do. Thus I feel that I have some justification to consider myself a cut above the rest. :-)

IanM

From pwt at iosis.co.uk Tue Aug 10 17:27:54 2010
From: pwt at iosis.co.uk (Peter Tomlinson)
Date: Tue, 10 Aug 2010 16:27:54 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To: References: <20100802110024.GR29810@snowy.squish.net><4C57B7D9.2040403@iosis.co.uk> <142201cb3319$124fa6c0$36eef440$@net><4C58370C.3030006@iosis.co.uk><000901cb3324$b2b61df0$182259d0$@philipkatz.eu><+b3IJFf22EWMFANs@perry.co.uk><20100803185937.00007a49@surtees.fenrir.org.uk><20100804081824.GU29810@snowy.squish.net><20100804114701.00003c52@surtees.fenrir.org.uk><20100804150343.00007a3f@surtees.fenrir.org.uk> <4C5CF83E.5000804@iosis.co.uk> Message-ID: <4C617DFC.4050705@iosis.co.uk> Tom Thomson wrote: > Peter Tomlinson wrote: > >> The memory stirs, taking me back to 1968 when I designed the very simple >> memory management hardware for the ICL 1904A (and in the process fixed >> an error in the 1906A's MMU). Took the software people another 2 years >> to get George 4 running. So that was old-fashioned, was it, Tom? It was >> state of the art then, in the commercial environment that soon after >> took a wrong turn... >> > No, I don't think the 1904A memory management system was old-fashioned in 1968, although machines with safe memory management had by then been around for at least 5 years, for example both versions of Atlas antedated it and were in some respects more advanced (as was the memory management on its contemporary English Electric 4-75) and at least some 360s that predated it had decently secure memory management. 
The disasters didn't happen until quite a few years later when the segmented memory and hard distinction between programme and data of early mini-processors (such as the CTL Modular 1) went out of fashion, and new fashions decreed that memory management systems like those were the province only of that unfashionable creature "the mainframe", ICL with its 1900, System 4, and 2900 ranges, Burroughs, IBM and so on were all makers of those unfashionable mainframes, academic projects like Multics and MU5 were not trendy because they insisted on trying to do verifiable security somewhere near right, and even Intel (quite a bit more later) with its segmented memory was undesirable (until MS decided to completely bypass the memory protection) compared to the fashionable exploitation of cheap hardware using cheap and sloppy programming standards. > Was it a commercial pressure that brought us to a wrong turn, or was it the flight of the crowd towards the fashionable? My feeling is the latter - I saw the pressures to follow fashion with good money being thrown after bad at doomed projects because they were thought to be fashionable, you must have seen that too. In my view it was first the merger creating ICL that caused a loss of the ICT determination to keep on forging ahead and succeeding financially. And, despite the problems of getting the 1906A finished, plus the delays to first George 3 and then 4, before the merger we were hearing of worse problems at Kidsgrove. Engineers who were supposed to be designing the 4-85 being diverted to 4-70 / 4-75... [1] But I left in autumn 68, although I spent the following summer doing a little work on NR ideas. NR should, in my view, have had a soft microcode, i.e. stored in rewriteable memory. Instead it seemed to plod on with hard coding (maybe someone can confirm or contradict my assumption). And then the engineering discipline that had dominated West Gorton failed in the combined company - that was the real commercial wrong turn. 
Eventually the Chinese Army syndrome set in. I remember visiting West Gorton when there was the first small batch of 2970s being commissioned - by chance Alan Chambers and I, in the area for a meeting at Daresbury, just walked in through the door, asked for Rob, and he said to come in - the shutters had only gone up that week [2]. He had worked under me in my last 6 months at West Gorton, and hinted at a certain amount of chaos as we gazed at a 2970 doing nothing. In 67/68 we built one 1904A prototype, made it work (very quickly), then it went to manufacture, but it seemed that NR went into pre-production before it was ready. Later I remember visiting the 2980 installed at Bath [3], seeing the Chinese Army in action, testing (sic) software that didn't work properly. Peter [1] Floating Point Unit was specifically mentioned (and later I heard that its error distribution was asymmetrical, causing problems with scientific libraries - it probably needed an extra bit or 2 in the FP unit). Curiously the FPU was the most problematic part of the 1904A, the small team working on that having deigned to use Charles Lindsey's Simbol simulation system running on the Manchester Atlas (as I have noted before, I wrote the CPU simulation model). [2] That we had been let in caused a certain amount of fluttering in a dovecote elsewhere, and led to a very interesting encounter some time later. [3] The South West Regional Centre - again management mistakes as well, with almost all of the Bath team recruited from outside rather than from the 5 client HE institutions who had been working closely together for several years. From colinthomson1 at o2.co.uk Tue Aug 10 17:48:36 2010 From: colinthomson1 at o2.co.uk (Tom Thomson) Date: Tue, 10 Aug 2010 16:48:36 -0000 Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?) 
In-Reply-To: <8934B06A-5C6F-410B-9A82-EA8ADB0F8A65@batten.eu.org>
References: <20100802110024.GR29810@snowy.squish.net> <4C57B7D9.2040403@iosis.co.uk> <142201cb3319$124fa6c0$36eef440$@net> <4C58370C.3030006@iosis.co.uk> <000901cb3324$b2b61df0$182259d0$@philipkatz.eu> <+b3IJFf22EWMFANs@perry.co.uk> <20100803185937.00007a49@surtees.fenrir.org.uk> <20100804081824.GU29810@snowy.squish.net> <20100804114701.00003c52@surtees.fenrir.org.uk> <20100804150343.00007a3f@surtees.fenrir.org.uk> <4C5CF83E.5000804@iosis.co.uk> <96C78C0A6E7347EC9D2EFC86702BF554@your41b8d18ede> <8934B06A-5C6F-410B-9A82-EA8ADB0F8A65@batten.eu.org>
Message-ID: <294181533FCB45449DDDAF2BDB1D2CB7@your41b8d18ede>

Ian Batten wrote:
>
> And, by extension, you can write FORTRAN in anything, although I was impressed by
> this: http://queue.acm.org/detail.cfm?id=1039535

Actually it's pretty hard to write Fortran in Pascal version 1. That's because Pascal 1 is a BAD thing, not because it provides useful extra protection. Pascal v1 did exclude some of the worst security errors, but it precluded use of a very large number of useful, safe and secure (and for an engineer, essential [note 1]) algorithms. Kernighan's critique is on the web at http://www.lysator.liu.se/c/bwk-on-pascal.html.

M.

[note 1] Something I have often had to have is a means of getting the inverse and/or the eigenvectors of a linear transformation. In Fortran I can easily write a subroutine that accepts an array, checks that it's 2 dimensional, square, and not degenerate, returns an error indication if it fails the check, and returns its (approximate because of rounding errors) inverse if it passes the check (or, often more usefully, returns its decomposition into primitive matrices: those representing operations of vector exchange within a matrix [note 2], scalar multiplication of a vector within a matrix, and vector addition within a matrix).
In Pascal you can't do that at all because it's impossible, for example, to write a routine that will accept both a 2-element vector and a 3-element vector as parameter (the stupidest type system ever invented actively prevents this) so to solve the general problem you need an unbounded number of programmes (one for 2X2 matrices, one for 3X3 matrices, one for 4X4 matrices, and so on ad infinitum). Pascal is the only language I know [note 3] in which this subroutine is impossible to write.

[note 2] Vector exchange is used in this subroutine only to minimise rounding errors caused by the use of finite precision arithmetic. If full precision is maintained throughout it isn't needed.

From colinthomson1 at o2.co.uk Tue Aug 10 18:27:43 2010
From: colinthomson1 at o2.co.uk (Tom Thomson)
Date: Tue, 10 Aug 2010 17:27:43 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To: <8A557A12-CB73-4343-AAF9-8BB57D722463@sourcetagged.ian.co.uk>
References: <20100802110024.GR29810@snowy.squish.net> <4C57B7D9.2040403@iosis.co.uk> <142201cb3319$124fa6c0$36eef440$@net> <4C58370C.3030006@iosis.co.uk> <000901cb3324$b2b61df0$182259d0$@philipkatz.eu> <+b3IJFf22EWMFANs@perry.co.uk> <20100803185937.00007a49@surtees.fenrir.org.uk> <20100804081824.GU29810@snowy.squish.net> <20100804114701.00003c52@surtees.fenrir.org.uk> <20100804150343.00007a3f@surtees.fenrir.org.uk> <4C5CF83E.5000804@iosis.co.uk> <96C78C0A6E7347EC9D2EFC86702BF554@your41b8d18ede> <8934B06A-5C6F-410B-9A82-EA8ADB0F8A65@batten.eu.org> <8A557A12-CB73-4343-AAF9-8BB57D722463@sourcetagged.ian.co.uk>
Message-ID: <83944DF7585743478D7A47F8BDE18D5C@your41b8d18ede>

> Programmers don't need all these abstract concepts to get their
> jobs done-- they are perfectly happy with a keypunch, a Fortran IV
> compiler, and a beer.

Fortran IV?!*%!??? Real Programmers hated it. The standards committee met and discussed what should be in the standard.
Manufacturer A didn't have Z in his compiler, so would make the committee sessions hell if Z were not excluded. Manufacturer B didn't have Y in his compiler, so would ... And so on. And so on. Ad nauseam. And lo and behold, the Fortran IV standard was published. And instead of consolidating those things that most manufacturers had done (no-one expected it to include things that most manufacturer's had not done) it threw away ALL the advances that had been made in the preceding years, and gave us a language that was hated by every Fortran programmer in the world, except those for whom Fortran IV was their first language. M. From tugwilson at gmail.com Tue Aug 10 18:29:12 2010 From: tugwilson at gmail.com (John Wilson) Date: Tue, 10 Aug 2010 17:29:12 -0000 Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?) In-Reply-To: <4C617DFC.4050705@iosis.co.uk> References: <20100802110024.GR29810@snowy.squish.net> <4C57B7D9.2040403@iosis.co.uk> <142201cb3319$124fa6c0$36eef440$@net> <4C58370C.3030006@iosis.co.uk> <000901cb3324$b2b61df0$182259d0$@philipkatz.eu> <+b3IJFf22EWMFANs@perry.co.uk> <20100803185937.00007a49@surtees.fenrir.org.uk> <20100804081824.GU29810@snowy.squish.net> <20100804114701.00003c52@surtees.fenrir.org.uk> <20100804150343.00007a3f@surtees.fenrir.org.uk> <4C5CF83E.5000804@iosis.co.uk> <4C617DFC.4050705@iosis.co.uk> Message-ID: On 10 August 2010 17:27, Peter Tomlinson wrote: > In my view it was first the merger creating ICL that caused a loss of the > ICT determination to keep on forging ahead and succeeding financially. And, > despite the problems of getting the 1906A finished, plus the delays to first > George 3 and then 4, before the merger we were hearing of worse problems at > Kidsgrove. Engineers who were supposed to be designing the 4-85 being > diverted to 4-70 / 4-75... 
[1] I wasn't in Kidsgrove then (joined in 1971) but if it was an FP accuracy problem then it was probably Amdahl's big mistake when designing the 360 FPU (the exponent was scaled giving "jitter" in precision - pretty much gave the scientific market to CDC and Cray for decades). I believe there were attempts to partially fix the problem by holding more bits in the registers - didn't really solve the problem, though. > > But I left in autumn 68, although I spent the following summer doing a > little work on NR ideas. > > NR should, in my view, have had a soft microcode, i.e. stored in rewriteable > memory. Instead it seemed to plod on with hard coding (maybe someone can > confirm or contradict my assumption). The 2980 was not microcoded but the 2970 and 2960 were. > And then the engineering discipline > that had dominated West Gorton failed in the combined company - that was the > real commercial wrong turn. Eventually the Chinese Army syndrome set in. I > remember visiting West Gorton when there was the first small batch of 2970s > being commissioned - by chance Alan Chambers and I, in the area for a > meeting at Daresbury, just walked in through the door, asked for Rob, and he > said to come in - the shutters had only gone up that week [2]. He had > worked under me in my last 6 months at West Gorton, and hinted at a certain > amount of chaos as we gazed at a 2970 doing nothing. In 67/68 we built one > 1904A prototype, made it work (very quickly), then it went to manufacture, > but it seemed that NR went into pre-production before it was ready. Later I > remember visiting the 2980 installed at Bath [3], seeing the Chinese Army in > action, testing (sic) software that didn't work properly. ICL kind of lost focus on the NR mainframes when they launched the 2903 (designed in Stevenage - a small business machine). It did extremely well for a while and may well have saved the company's bacon at the time. 
Most of the company's sales and marketing effort went into the 2903 and the senior management forgot about the mainframes for a while. My time at Kidsgrove was technically exciting but the senior management was sclerotic. The pettiness was amazing even in the early 1970's (you could only get a pencil from the stores if you took a suitably short pencil stub back - of course we sawed new pencils into 4 parts, sharpened them and rapidly emptied the stores of pencils). I remember the MD decreeing that you could only use lifts to go up "to save electricity". John Wilson From colinthomson1 at o2.co.uk Tue Aug 10 20:44:10 2010 From: colinthomson1 at o2.co.uk (Tom Thomson) Date: Tue, 10 Aug 2010 19:44:10 -0000 Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?) In-Reply-To: References: <20100802110024.GR29810@snowy.squish.net><4C57B7D9.2040403@iosis.co.uk><142201cb3319$124fa6c0$36eef440$@net><4C58370C.3030006@iosis.co.uk><000901cb3324$b2b61df0$182259d0$@philipkatz.eu><+b3IJFf22EWMFANs@perry.co.uk><20100803185937.00007a49@surtees.fenrir.org.uk><20100804081824.GU29810@snowy.squish.net><20100804114701.00003c52@surtees.fenrir.org.uk><20100804150343.00007a3f@surtees.fenrir.org.uk><4C5CF83E.5000804@iosis.co.uk><4C617DFC.4050705@iosis.co.uk> Message-ID: <8147C9A1F9354BE7B6894771FD5D83D9@your41b8d18ede> John Wilson wrote: or contradict my assumption). > > The 2980 was not microcoded but the 2970 and 2960 were. As were also the 2966 and 2956 (both soft microcoded). > ICL kind of lost focus on the NR mainframes when they launched the > 2903 (designed in Stevenage - a small business machine). It did > extremely well for a while and may well have saved the company's bacon > at the time. Most of the company's sales and marketing effort went > into the 2903 and the senior management forgot about the mainframes > for a while. 
That was partly a question of "what is fashionable" - at the time mini-computers were fashionable and mainframes were not. Of course the 2903 was tried and tested hardware - the microcode to emulate a 1900 series machine was new. We developed a 2905 - same hardware as 2903, emulating an NR machine - in Dalkeith, and the Bracknell ME29 team started a 2900 emulator on their new hardware (but their real aim was to do a 1900 emulator and kill the 2903, so they never completed their NR emulator although they managed to fake up some demonstrations). Our 2905 never got released (would have needed to add more store than the hardware could take so that it could run VME-B, or write a new 2900 OS; it did run VME-K - or VME-T if the name had changed by then, I can't remember which we ran - but to be useful it needed to run something sensible). > My time at Kidsgrove was technically exciting but the senior > management was sclerotic. The pettiness was amazing even in the early > 1970's (you could only get a pencil from the stores if you took a > suitably short pencil stub back - of course we sawed new pencils into > 4 parts, sharpened them and rapidly emptied the stores of pencils). I > remember the MD decreeing that you could only use lifts to go up "to > save electricity". I joined ICL (in Dalkeith) in late 1971 (having left English Electric about 3 years earlier; I was offered an ICL job on the GE takeover of English Electric, but had heard so much griping from people from both ICL parent companies about how awful the merger was doing - and the pay ICL offered wasn't really an incentive - so I tried other pastures for a while) and didn't see anything like the sort of petty stupidity you describe. I transferred officially to Kidsgrove four years later but spent the first 5 months of my "Kidsgrove" time in Bracknell. I ran into some nonsense in 1976, but it was more of a turf war than petty stinginess (and was quickly sorted out). 
The senior management I knew in the early and mid 70s were generally quite bright - people like Ed Mac, Syl Stefani, Mike Forest, Bruce Stuart - none of them Kidsgrove based, though. OK, Ed was almost blind but none of them seemed sclerotic (except a Technical Director whose name I can't remember who was fired by Geoff Cross). I don't recall any really senior management in Kidsgrove (I worked for Dave McElfresh when I first went there; for Clem Jones in Dalkeith; not sure how senior Brian Warboys was then, but he became Director of Methodology long before I moved from Kidsgrove to West Gorton, and we still worked together on joint ICL-MU projects after he became head of CS at MU; he was an exciting guy to be around, far from sclerotic). I never heard of the lifts decree - but we didn't have lifts in Dalkeith so it wasn't relevant. It wasn't in force in Kidsgrove in Nov 1975, as far as I can tell. M. From David_Biggins at usermgmt.com Tue Aug 10 20:45:10 2010 From: David_Biggins at usermgmt.com (David Biggins) Date: Tue, 10 Aug 2010 19:45:10 -0000 Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?) In-Reply-To: References: <20100802110024.GR29810@snowy.squish.net><4C57B7D9.2040403@iosis.co.uk> <142201cb3319$124fa6c0$36eef440$@net><4C58370C.3030006@iosis.co.uk><000901cb3324$b2b61df0$182259d0$@philipkatz.eu><+b3IJFf22EWMFANs@perry.co.uk><20100803185937.00007a49@surtees.fenrir.org.uk><20100804081824.GU29810@snowy.squish.net><20100804114701.00003c52@surtees.fenrir.org.uk><20100804150343.00007a3f@surtees.fenrir.org.uk> Message-ID: > -----Original Message----- > From: ukcrypto-bounces at chiark.greenend.org.uk [mailto:ukcrypto- > bounces at chiark.greenend.org.uk] On Behalf Of Roland Perry > Sent: 10 August 2010 11:04 > To: ukcrypto at chiark.greenend.org.uk > Subject: Re: Being safe on the internet (was Re: Here we go again - ISP > DPI,but is it interception?) > > Time to re-write the operating system then. 
> As it's well past the classic version 3, how about getting this right in version 6? Failing that, version 7 :)

Hi Roland,

Oh, yes. But it's not just the OS (and not just Windows). And if we're going to do that, we really ought to fix all the hardware, too....

> But if stacks grow downwards, how can a newer item rise upwards?

Stacks are not the idealised "just push/just pop" system. Say a function requires two local variables - a fixed string buffer of 256 bytes, and a four-byte integer. When the function is called, code in the caller, and standard header code at the function entry point, will push a "stack frame" containing the parameters to the function, the return address, and the current value of a register called BP. The header will then subtract 260 (the total size of your two local variables) from the current stack pointer and set the BP register equal to the stack pointer. Then [BP] (the area pointed to by BP), for 256 bytes upwards, is your local string, and [BP]+256 for four bytes is your integer.

+-------------------------------------+
+ Parameter 1                         +
+-------------------------------------+
+ Parameter 2                         +
+-------------------------------------+
+ Return address                      +
+-------------------------------------+
+ Old BP register                     +
+-------------------------------------+
+ Integer local variable              +
+-------------------------------------+
+                                     +
+                                     +
+ 256 bytes of string variable        +
+                                     +
+                                     +
+-------------------------------------+

So anything copying to that string buffer or writing to the integer will actually be writing to the stack. And if the string write writes more than 256 bytes, whoops, there goes your integer... and if it writes more than 260 bytes, there goes your subroutine return address.... and so on.

So the standard form of a buffer overflow attack is to find where a programme is likely to be writing to a local string, stored on the stack, and to try to fool the code into writing more than 256 bytes to the string... and by rigging the bytes that will overwrite the stack pointer so that when the subroutine returns, the return address points into your string, and starts executing it as code. Getting this return address right, and crafting the string so that the bytes perform some useful exploit is not quite that trivial.

The problem is not, incidentally, just confined to strings, though strcpy is probably on its own a very substantial proportion of such overflow attacks. I believe that some of the attacks we've had where "specially crafted images" in TIFF, GIF and JPEG files, have involved cases where say the sum of the specified lengths of several "child" blocks, add up to more than the specified length of a "parent". The code reserves a new block the same size as the parent specifies, and then copies each child in turn into it, using the child's stated length each time... which of course makes the copy overflow the reserved space.

Or... say a decompression routine which looks at the stated original size of a compressed block, reserves that, and then decompresses the compressed block - which has been rigged to decompress to something longer than the stated size.

The problem is that it requires a very much less trusting view of data, not just code, than has been traditional in much of the IT market, particularly the PC market.

The current main mitigations for this are:

"stack canaries" - values written to various locations on the stack; if they change, you have a problem. Various hardware debug mechanisms could be used to detect such changes without code overhead...

DEP - the ability to mark various parts of memory (once more) as not being allowed to be executed.

But I might even question whether or not it is safe to continue to use the same stack for code pointers and for data.

D. 
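The two unchecked-copy patterns described in the message above (strcpy into a fixed-size local buffer, and child blocks copied into a parent-sized reservation by their own stated lengths), shown beside checked versions that measure the untrusted length against the space actually available before copying. This is an added example and is not code from the original thread or from any of the image libraries mentioned; the `struct child` record layout, the function names and the sample inputs are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical container layout (an assumption for this example): a parent
 * block states its total length, and each child block states its own length.
 * Nothing in the file format forces the children to fit inside the parent. */
struct child {
    uint32_t len;          /* length as stated in the (untrusted) file */
    const uint8_t *data;
};

/* The pattern described in the post: reserve parent_len bytes, then copy each
 * child using the child's own stated length. Nothing checks that the children
 * fit, so a file whose child lengths sum to more than parent_len writes past
 * the end of `out`. Kept only for contrast; never call it on crafted input. */
static void copy_children_unchecked(uint8_t *out, size_t parent_len,
                                    const struct child *kids, size_t n)
{
    size_t off = 0;
    (void)parent_len;                          /* the bound is never consulted */
    for (size_t i = 0; i < n; i++) {
        memcpy(out + off, kids[i].data, kids[i].len);   /* BUG: unbounded */
        off += kids[i].len;
    }
}

/* Hardened form: compare each child's length against the space still free
 * before copying it. Tracking `remaining` by subtraction avoids the
 * wrap-around that `off + len > parent_len` can suffer with hostile lengths. */
static bool copy_children_checked(uint8_t *out, size_t parent_len,
                                  const struct child *kids, size_t n)
{
    size_t off = 0, remaining = parent_len;
    for (size_t i = 0; i < n; i++) {
        if (kids[i].len > remaining)
            return false;                      /* child would overflow the parent */
        memcpy(out + off, kids[i].data, kids[i].len);
        off += kids[i].len;
        remaining -= kids[i].len;
    }
    return true;
}

/* The strcpy case: a fixed-size local buffer. strcpy(dst, src) stops only at
 * src's NUL, so a longer src runs over whatever sits above dst on the stack.
 * This version measures src against the buffer first and refuses, rather than
 * silently truncating, when it does not fit (terminator included). */
static bool copy_name_checked(char *dst, size_t dst_len, const char *src)
{
    size_t n = 0;
    while (n < dst_len && src[n] != '\0')
        n++;
    if (n == dst_len)
        return false;                          /* no NUL within dst_len bytes */
    memcpy(dst, src, n + 1);                   /* includes the terminator */
    return true;
}

/* Constructed sample: a parent that declares 16 bytes with two children that
 * declare 12 bytes each (24 > 16). The checked copy must reject it. */
static bool demo_crafted_children(void)
{
    uint8_t a[12], b[12], out[16];
    memset(a, 'A', sizeof a);
    memset(b, 'B', sizeof b);
    struct child kids[2] = { { 12, a }, { 12, b } };
    return copy_children_checked(out, sizeof out, kids, 2);
}

/* Constructed sample: the same parent with two 8-byte children (16 == 16),
 * which must be accepted and copied in order. */
static bool demo_honest_children(void)
{
    uint8_t a[8], b[8], out[16];
    memset(a, 'A', sizeof a);
    memset(b, 'B', sizeof b);
    struct child kids[2] = { { 8, a }, { 8, b } };
    return copy_children_checked(out, sizeof out, kids, 2)
        && memcmp(out, "AAAAAAAABBBBBBBB", 16) == 0;
}

int main(void)
{
    char name[256];
    uint8_t a[8], b[8], out[16];
    memset(a, 'A', sizeof a);
    memset(b, 'B', sizeof b);
    struct child kids[2] = { { 8, a }, { 8, b } };

    copy_children_unchecked(out, sizeof out, kids, 2);  /* safe only because this input is honest */
    printf("crafted children rejected: %s\n", demo_crafted_children() ? "no" : "yes");
    printf("honest children accepted:  %s\n", demo_honest_children() ? "yes" : "no");
    printf("short name accepted:       %s\n",
           copy_name_checked(name, sizeof name, "roland") ? "yes" : "no");
    return 0;
}
```

The unchecked routine is never run on the crafted input, since doing so is undefined behaviour; the point of the pair is that the only difference is a comparison of the file's stated length against space the program itself knows it has. The same shape applies to the decompression case in the message: the stated original size is a reservation, and the decompressor's output must be bounded by it rather than by whatever the compressed stream produces.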
From David_Biggins at usermgmt.com Tue Aug 10 20:47:42 2010 From: David_Biggins at usermgmt.com (David Biggins) Date: Tue, 10 Aug 2010 19:47:42 -0000 Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?) In-Reply-To: References: <20100802110024.GR29810@snowy.squish.net><4C57B7D9.2040403@iosis.co.uk> <142201cb3319$124fa6c0$36eef440$@net><4C58370C.3030006@iosis.co.uk><000901cb3324$b2b61df0$182259d0$@philipkatz.eu><+b3IJFf22EWMFANs@perry.co.uk><20100803185937.00007a49@surtees.fenrir.org.uk><20100804081824.GU29810@snowy.squish.net><20100804114701.00003c52@surtees.fenrir.org.uk><20100804150343.00007a3f@surtees.fenrir.org.uk> Message-ID: I should have read on before replying, shouldn't I? Ah well... :-) D. From igb at batten.eu.org Tue Aug 10 22:43:55 2010 From: igb at batten.eu.org (Ian Batten) Date: Tue, 10 Aug 2010 21:43:55 -0000 Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?) In-Reply-To: <8147C9A1F9354BE7B6894771FD5D83D9@your41b8d18ede> References: <20100802110024.GR29810@snowy.squish.net><4C57B7D9.2040403@iosis.co.uk><142201cb3319$124fa6c0$36eef440$@net><4C58370C.3030006@iosis.co.uk><000901cb3324$b2b61df0$182259d0$@philipkatz.eu><+b3IJFf22EWMFANs@perry.co.uk><20100803185937.00007a49@surtees.fenrir.org.uk><20100804081824.GU29810@snowy.squish.net><20100804114701.00003c52@surtees.fenrir.org.uk><20100804150343.00007a3f@surtees.fenrir.org.uk><4C5CF83E.5000804@iosis.co.uk><4C617DFC.4050705@iosis.co.uk> <8147C9A1F9354BE7B6894771FD5D83D9@your41b8d18ede> Message-ID: <4EA4AF39-B514-4D60-A4E5-D8CA03010486@batten.eu.org> On 10 Aug 2010, at 20:43, Tom Thomson wrote: > Bracknell ... Kidsgrove ... West Gorton ... Dalkeith With the exception of the last, all of them part of the psycho- geography of Fujitsu (as inheritors of ICL) up until recently. Bracknell's still there, with the former machine room now a staging area for shipping equipment. 
Kidsgrove and West Gorton I think closed recently (I went to West Gorton in its dying days). I think you've also mentioned Stevenage, which is still there. My experience also was that if you wanted anything done in Fujitsu Services, a good place to start was an ex-ICL guy. Hindsight allows one to see the inevitability of the demise, but still, lots of good guys. ian From lists at internetpolicyagency.com Wed Aug 11 08:31:58 2010 From: lists at internetpolicyagency.com (Roland Perry) Date: Wed, 11 Aug 2010 07:31:58 -0000 Subject: Experian and benefit fraud In-Reply-To: <4C617869.9040506@zen.co.uk> References: <4C617869.9040506@zen.co.uk> Message-ID: <7qmZVRcLGlYMFAuG@perry.co.uk> In article <4C617869.9040506 at zen.co.uk>, Peter Fairbrother writes >http://www.bbc.co.uk/news/uk-10922261 > >The Gubbmint plans to get credit rating firms to check benefit claimants. > >"One firm, Experian, said it was in talks over a deal which could see >it get a "bounty" for cheats it uncovers." > >"Experian said it already had a contract to look into new housing >benefit claimants, in a deal agreed by the previous government. It >expects the annual saving to be £17m." > >"Asked about civil liberty fears about the government using firms to >look into benefit claimants' spending, [David Cameron] said: "I do not >think people should be concerned." > >"If you are entitled to welfare and can claim it then you should claim >it but if you are not entitled to it you should not get and should not >claim it." > >Pity nobody asked him more directly about the privacy implications. If >Experian are to check benefits claimants, they will need to cross check >the claimants with Experian's records. > >Which means that Experian will need to have access to a constantly >updated list of all claimants, and how much they get ... wonder how >much Experian are paying for *that* access? 
I'm not sure why you assume that the claimant data will be "pulled" off the local authority databases rather than (as happens today) the client (LA) pushing the data to Experian for them to run through their existing systems. It's not clear what Experian will be checking, perhaps just that the claimant really does exist, and lives where he says on the application form - although ironically many HB claimants won't have a particularly permanent address, nor one suspects very many of the sorts of credit account that would be populating the Experian database. There's a subtext that perhaps Experian will be reporting back on the "lifestyle/spending patterns" of the claimants, although there's two problems with that - it's only the fact they bought on *credit* from Experian's subscribing lenders (although that includes utility/phone bills), and new claims for HB may reflect that someone has recently fallen upon hard times, which could be disjoint from their previous lifestyle (indeed, the more they overspent before, the less they might be able to support themselves today). Other things that the Experian check may not resolve is the extent of a claimants savings, but there's a possibility that it could smoke out one of the other cheating modalities, which is people renting off a relative (which isn't allowed). -- Roland Perry From lists at internetpolicyagency.com Wed Aug 11 08:55:19 2010 From: lists at internetpolicyagency.com (Roland Perry) Date: Wed, 11 Aug 2010 07:55:19 -0000 Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?) 
In-Reply-To: <4EA4AF39-B514-4D60-A4E5-D8CA03010486@batten.eu.org> References: <20100802110024.GR29810@snowy.squish.net> <142201cb3319$124fa6c0$36eef440$@net> <4C58370C.3030006@iosis.co.uk> <000901cb3324$b2b61df0$182259d0$@philipkatz.eu> <+b3IJFf22EWMFANs@perry.co.uk> <20100803185937.00007a49@surtees.fenrir.org.uk> <20100804081824.GU29810@snowy.squish.net> <20100804114701.00003c52@surtees.fenrir.org.uk> <20100804150343.00007a3f@surtees.fenrir.org.uk> <4C5CF83E.5000804@iosis.co.uk> <4C617DFC.4050705@iosis.co.uk> <8147C9A1F9354BE7B6894771FD5D83D9@your41b8d18ede> <4EA4AF39-B514-4D60-A4E5-D8CA03010486@batten.eu.org> Message-ID: <6q0Z19dDclYMFAux@perry.co.uk> In article <4EA4AF39-B514-4D60-A4E5-D8CA03010486 at batten.eu.org>, Ian Batten writes >> Bracknell ... Kidsgrove ... West Gorton ... Dalkeith Different buildings used to be known internally by their street, not town. So until you got familiar with the mapping you would hear people referring to (eg) Cavendish Rd; and have no idea where it was. There was also an extensive internal phone system, which also tended to obfuscate peoples' location, as you never needed[1] to dial out on the public network. >With the exception of the last, all of them part of the psycho- >geography of Fujitsu (as inheritors of ICL) up until recently. >Bracknell's still there, with the former machine room now a staging >area for shipping equipment. Kidsgrove and West Gorton I think closed >recently (I went to West Gorton in its dying days). I think you've >also mentioned Stevenage, which is still there. There were also plants spread around Letchworth. I worked (as a 2980 systems specialist) at the Engineering Training Centre for a short period in 77/78. Last time I looked on Google Maps the site was a housing estate. And yes, lots of pettiness I'm afraid. [1] Nor was one allowed to without permission. No private calls during the day either, which is instrumental in why I campaign about such things even today. 
-- Roland Perry From bdm at fenrir.org.uk Wed Aug 11 09:10:15 2010 From: bdm at fenrir.org.uk (Brian Morrison) Date: Wed, 11 Aug 2010 08:10:15 -0000 Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?) In-Reply-To: <6q0Z19dDclYMFAux@perry.co.uk> References: <20100802110024.GR29810@snowy.squish.net> <142201cb3319$124fa6c0$36eef440$@net> <4C58370C.3030006@iosis.co.uk> <000901cb3324$b2b61df0$182259d0$@philipkatz.eu> <+b3IJFf22EWMFANs@perry.co.uk> <20100803185937.00007a49@surtees.fenrir.org.uk> <20100804081824.GU29810@snowy.squish.net> <20100804114701.00003c52@surtees.fenrir.org.uk> <20100804150343.00007a3f@surtees.fenrir.org.uk> <4C5CF83E.5000804@iosis.co.uk> <4C617DFC.4050705@iosis.co.uk> <8147C9A1F9354BE7B6894771FD5D83D9@your41b8d18ede> <4EA4AF39-B514-4D60-A4E5-D8CA03010486@batten.eu.org> <6q0Z19dDclYMFAux@perry.co.uk> Message-ID: <20100811090958.15af4629@peterson.fenrir.org.uk> On Wed, 11 Aug 2010 08:53:39 +0100 Roland Perry wrote: > No private calls during > the day either, which is instrumental in why I campaign about such > things even today. For or against? -- Brian Morrison bdm at fenrir dot org dot uk "Arguing with an engineer is like wrestling with a pig in the mud; after a while you realize you are muddy and the pig is enjoying it." GnuPG key ID DE32E5C5 - http://wwwkeys.uk.pgp.net/pgpnet/wwwkeys.html 
From lists at andros.org.uk Wed Aug 11 13:06:04 2010 From: lists at andros.org.uk (Andrew McLean) Date: Wed, 11 Aug 2010 12:06:04 -0000 Subject: Experian and benefit fraud In-Reply-To: <4C617869.9040506@zen.co.uk> References: <4C617869.9040506@zen.co.uk> Message-ID: <4C628114.2060206@andros.org.uk> On 10/08/2010 17:03, Peter Fairbrother wrote: > http://www.bbc.co.uk/news/uk-10922261 > > The Gubbmint plans to get credit rating firms to check benefit claimants. > > "One firm, Experian, said it was in talks over a deal which could see > it get a "bounty" for cheats it uncovers." > > "Experian said it already had a contract to look into new housing > benefit claimants, in a deal agreed by the previous government. It > expects the annual saving to be £17m." > > > > "Asked about civil liberty fears about the government using firms to > look into benefit claimants' spending, [David Cameron] said: "I do not > think people should be concerned." > > "If you are entitled to welfare and can claim it then you should claim > it but if you are not entitled to it you should not get and should not > claim it." > > > Pity nobody asked him more directly about the privacy implications. If > Experian are to check benefits claimants, they will need to cross > check the claimants with Experian's records. > > Which means that Experian will need to have access to a constantly > updated list of all claimants, and how much they get ... wonder how > much Experian are paying for *that* access? > > > -- Peter Fairbrother > This sort of thing is already happening on quite a large scale. The biggest example is probably the Audit Commission's National Fraud Initiative (NFI). 
The official line will be found here: http://www.audit-commission.gov.uk/nfi/Pages/default.aspx A quick web search will turn up a lot of additional information, including responses to FOI requests at www.whatdotheyknow.com One example of the NFI process involves the Council Tax (so called) Single Occupant Discount of 25%. The way the exercise works is that local councils are required by the Audit Commission to provide them with copies of both the (full) Electoral Register and the Council Tax Register. The Audit Commission then pay Experian to undertake a data matching exercise looking for properties in respect of with the 25% discount is claimed and where there is more than one person on the electoral register. A list of the "matches" is then provided to the relevant local authority to follow up. It should be noted that there are perfectly valid circumstances where there will be more than one person on the electoral register at an address and where the 25% "single occupant" discount can be claimed (e.g. where all but one of the occupants is a student). I think the Audit Commission take the view that the "matches" should be investigated because they have a higher risk of being fraudulent claims than non-matches. This seems plausible, although I haven't seen any evidence, not that I looked too hard. I'm also not clear whether Experian are bringing anything to Council Tax Discount exercise other than their expertise at matching this sort of data. Although, matching addresses from two different databases like this may sound straightforward, believe me, I've tried it, it isn't. In contrast, it seems that the proposed exercises looking for benefit fraud may involve Credit Reference Agencies exploiting other data they have access to. I think my main concern about the latest proposal is information leakage to the Credit Reference agencies. 
Even if they don't directly exploit the information they are provided in order to carry out this exercise, might they be able to exploit "derived data"? Andrew McLean From igb at batten.eu.org Wed Aug 11 14:13:44 2010 From: igb at batten.eu.org (Ian Batten) Date: Wed, 11 Aug 2010 13:13:44 -0000 Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?) In-Reply-To: <6q0Z19dDclYMFAux@perry.co.uk> References: <20100802110024.GR29810@snowy.squish.net> <142201cb3319$124fa6c0$36eef440$@net> <4C58370C.3030006@iosis.co.uk> <000901cb3324$b2b61df0$182259d0$@philipkatz.eu> <+b3IJFf22EWMFANs@perry.co.uk> <20100803185937.00007a49@surtees.fenrir.org.uk> <20100804081824.GU29810@snowy.squish.net> <20100804114701.00003c52@surtees.fenrir.org.uk> <20100804150343.00007a3f@surtees.fenrir.org.uk> <4C5CF83E.5000804@iosis.co.uk> <4C617DFC.4050705@iosis.co.uk> <8147C9A1F9354BE7B6894771FD5D83D9@your41b8d18ede> <4EA4AF39-B514-4D60-A4E5-D8CA03010486@batten.eu.org> <6q0Z19dDclYMFAux@perry.co.uk> Message-ID: <4D33AB46-D7AA-4685-8BE2-18550F311D50@batten.eu.org> > > [1] Nor was one allowed to without permission. No private calls > during the day either, which is instrumental in why I campaign about > such things even today. Although at 10p/min it's easy to see why it was an issue in those days, and the massive prevalence of mobile phones makes it much less of an issue than it used to be. Since I left Fujitsu I've been going around replacing "daytime contact" for things associated with the children to my mobile number, and I've found that I'd actually provided my mobile number for most of them anyway. 
ian From pwt at iosis.co.uk Wed Aug 11 14:25:17 2010 From: pwt at iosis.co.uk (Peter Tomlinson) Date: Wed, 11 Aug 2010 13:25:17 -0000 Subject: Experian and benefit fraud In-Reply-To: <4C628114.2060206@andros.org.uk> References: <4C617869.9040506@zen.co.uk> <4C628114.2060206@andros.org.uk> Message-ID: <4C62A4AF.3080006@iosis.co.uk> Andrew McLean wrote: > On 10/08/2010 17:03, Peter Fairbrother wrote: >> http://www.bbc.co.uk/news/uk-10922261 >> >> The Gubbmint plans to get credit rating firms to check benefit >> claimants. >> >> "One firm, Experian, said it was in talks over a deal which could see >> it get a "bounty" for cheats it uncovers." >> >> "Experian said it already had a contract to look into new housing >> benefit claimants, in a deal agreed by the previous government. It >> expects the annual saving to be £17m." >> >> "Asked about civil liberty fears about the government using firms to >> look into benefit claimants' spending, [David Cameron] said: "I do not >> think people should be concerned." >> >> "If you are entitled to welfare and can claim it then you should claim >> it but if you are not entitled to it you should not get and should not >> claim it." >> >> Pity nobody asked him more directly about the privacy implications. If >> Experian are to check benefits claimants, they will need to cross >> check the claimants with Experian's records. >> >> Which means that Experian will need to have access to a constantly >> updated list of all claimants, and how much they get ... wonder how >> much Experian are paying for *that* access? >> >> -- Peter Fairbrother >> > This sort of thing is already happening on quite a large scale. The > biggest example is probably the Audit Commission's National Fraud > Initiative (NFI). 
The official line will be found here: > > http://www.audit-commission.gov.uk/nfi/Pages/default.aspx > > A quick web search will turn up a lot of additional information, > including responses to FOI requests at www.whatdotheyknow.com > > One example of the NFI process involves the Council Tax (so called) > Single Occupant Discount of 25%. The way the exercise works is that > local councils are required by the Audit Commission to provide them > with copies of both the (full) Electoral Register and the Council Tax > Register. The Audit Commission then pay Experian to undertake a data > matching exercise looking for properties in respect of with the 25% > discount is claimed and where there is more than one person on the > electoral register. A list of the "matches" is then provided to the > relevant local authority to follow up. > > It should be noted that there are perfectly valid circumstances where > there will be more than one person on the electoral register at an > address and where the 25% "single occupant" discount can be claimed > (e.g. where all but one of the occupants is a student). I think the > Audit Commission take the view that the "matches" should be > investigated because they have a higher risk of being fraudulent > claims than non-matches. This seems plausible, although I haven't seen > any evidence, not that I looked too hard. > > I'm also not clear whether Experian are bringing anything to Council > Tax Discount exercise other than their expertise at matching this sort > of data. Although, matching addresses from two different databases > like this may sound straightforward, believe me, I've tried it, it > isn't. In contrast, it seems that the proposed exercises looking for > benefit fraud may involve Credit Reference Agencies exploiting other > data they have access to. I think my main concern about the latest > proposal is information leakage to the Credit Reference agencies. 
Even > if they don't directly exploit the information they are provided in > order to carry out this exercise, might they be able to exploit > "derived data"? > It is the lack of accountability of these private companies that is the real problem. I have just been reading in the Independent the story of the man who is credit blacklisted because some years ago he was studying in France and received regular funds transfer from relatives in the UK - he has a 'money laundering' flag against him. And the blog on the web site of Lynne Featherstone MP, Equalities Minister, has many complaints about the reassessment of disability benefit claimants - due process not followed, and, it seems, no independent auditor present at the assessments. All these contracts that potentially affect the lives of individuals need a visible and robust accountability process in place before they are actioned. Peter From igb at batten.eu.org Wed Aug 11 14:26:33 2010 From: igb at batten.eu.org (Ian Batten) Date: Wed, 11 Aug 2010 13:26:33 -0000 Subject: Experian and benefit fraud In-Reply-To: <4C628114.2060206@andros.org.uk> References: <4C617869.9040506@zen.co.uk> <4C628114.2060206@andros.org.uk> Message-ID: On 11 Aug 2010, at 11:53, Andrew McLean wrote: > It should be noted that there are perfectly valid circumstances > where there will be more than one person on the electoral register > at an address and where the 25% "single occupant" discount can be > claimed (e.g. where all but one of the occupants is a student). I was under the impression you also needed to be on benefit or somesuch to claim, but now I've looked you don't. So thanks for that reminder: we've just saved £315 a year! ian 
From lists at internetpolicyagency.com Wed Aug 11 17:25:30 2010 From: lists at internetpolicyagency.com (Roland Perry) Date: Wed, 11 Aug 2010 16:25:30 -0000 Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?) In-Reply-To: <20100811090958.15af4629@peterson.fenrir.org.uk> References: <20100802110024.GR29810@snowy.squish.net> <4C58370C.3030006@iosis.co.uk> <000901cb3324$b2b61df0$182259d0$@philipkatz.eu> <+b3IJFf22EWMFANs@perry.co.uk> <20100803185937.00007a49@surtees.fenrir.org.uk> <20100804081824.GU29810@snowy.squish.net> <20100804114701.00003c52@surtees.fenrir.org.uk> <20100804150343.00007a3f@surtees.fenrir.org.uk> <4C5CF83E.5000804@iosis.co.uk> <4C617DFC.4050705@iosis.co.uk> <8147C9A1F9354BE7B6894771FD5D83D9@your41b8d18ede> <4EA4AF39-B514-4D60-A4E5-D8CA03010486@batten.eu.org> <6q0Z19dDclYMFAux@perry.co.uk> <20100811090958.15af4629@peterson.fenrir.org.uk> Message-ID: In article <20100811090958.15af4629 at peterson.fenrir.org.uk>, Brian Morrison writes >> No private calls during the day either, which is instrumental in why >>I campaign about such things even today. > >For or against? For - the ability of employees to make private calls and have private email facilities - at work. -- Roland Perry From lists at internetpolicyagency.com Wed Aug 11 17:33:32 2010 From: lists at internetpolicyagency.com (Roland Perry) Date: Wed, 11 Aug 2010 16:33:32 -0000 Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?) 
In-Reply-To: <4D33AB46-D7AA-4685-8BE2-18550F311D50@batten.eu.org>
References: <20100802110024.GR29810@snowy.squish.net> <4C58370C.3030006@iosis.co.uk> <000901cb3324$b2b61df0$182259d0$@philipkatz.eu> <+b3IJFf22EWMFANs@perry.co.uk> <20100803185937.00007a49@surtees.fenrir.org.uk> <20100804081824.GU29810@snowy.squish.net> <20100804114701.00003c52@surtees.fenrir.org.uk> <20100804150343.00007a3f@surtees.fenrir.org.uk> <4C5CF83E.5000804@iosis.co.uk> <4C617DFC.4050705@iosis.co.uk> <8147C9A1F9354BE7B6894771FD5D83D9@your41b8d18ede> <4EA4AF39-B514-4D60-A4E5-D8CA03010486@batten.eu.org> <6q0Z19dDclYMFAux@perry.co.uk> <4D33AB46-D7AA-4685-8BE2-18550F311D50@batten.eu.org>
Message-ID:

In article <4D33AB46-D7AA-4685-8BE2-18550F311D50 at batten.eu.org>, Ian Batten writes

>> [1] Nor was one allowed to without permission. No private calls
>> during the day either, which is instrumental in why I campaign about
>> such things even today.
>
> Although at 10p/min

For local calls, weren't they like 2p for unlimited time then?

> it's easy to see why it was an issue in those days,

No incoming calls either... from estate agents who were trying to find me somewhere to live... so that ICL could stop having to pay me to stay somewhere at their expense... as part of the relocation package.

> and the massive prevalence of mobile phones makes it much less of an
> issue than it used to be. Since I left Fujitsu I've been going around
> replacing "daytime contact" for things associated with the children to
> my mobile number, and I've found that I'd actually provided my mobile
> number for most of them anyway.

I've used my mobile number for that since I first had an Orange phone (which for various reasons was a little before they launched). But that was 16 years after I left ICL!

-- 
Roland Perry

From lists at internetpolicyagency.com Wed Aug 11 17:39:31 2010
From: lists at internetpolicyagency.com (Roland Perry)
Date: Wed, 11 Aug 2010 16:39:31 -0000
Subject: Experian and benefit fraud
In-Reply-To: <4C628114.2060206@andros.org.uk>
References: <4C617869.9040506@zen.co.uk> <4C628114.2060206@andros.org.uk>
Message-ID: <0zTKDoYeHtYMFAPd@perry.co.uk>

In article <4C628114.2060206 at andros.org.uk>, Andrew McLean writes

> I think my main concern about the latest proposal is information
> leakage to the Credit Reference agencies. Even if they don't directly
> exploit the information they are provided in order to carry out this
> exercise, might they be able to exploit "derived data"?

If they were allowed to, it might be tempting for agencies to reveal to their lender-clients that a person had fallen on hard times. Arguably those persons ought to tell the lenders this anyway (in some sort of "utmost good faith" sense), but there are some transparency issues.

-- 
Roland Perry

From nbohm at ernest.net Wed Aug 11 17:53:20 2010
From: nbohm at ernest.net (Nicholas Bohm)
Date: Wed, 11 Aug 2010 16:53:20 -0000
Subject: Experian and benefit fraud
In-Reply-To: <0zTKDoYeHtYMFAPd@perry.co.uk>
References: <4C617869.9040506@zen.co.uk> <4C628114.2060206@andros.org.uk> <0zTKDoYeHtYMFAPd@perry.co.uk>
Message-ID: <4C62D57C.2070809@ernest.net>

On 11/08/2010 17:37, Roland Perry wrote:
> In article <4C628114.2060206 at andros.org.uk>, Andrew McLean
> writes
>> I think my main concern about the latest proposal is information
>> leakage to the Credit Reference agencies. Even if they don't directly
>> exploit the information they are provided in order to carry out this
>> exercise, might they be able to exploit "derived data"?
>
> If they were allowed to, it might be tempting for agencies to reveal
> to their lender-clients that a person had fallen on hard times.
> Arguably those persons ought to tell the lenders this anyway (in some
> sort of "utmost good faith" sense), but there are some transparency
> issues.

Borrowers don't have any general law disclosure obligation to their lenders (loan agreements, unlike insurance ones, are not "utmost good faith"); but some will have contractual duties under their loan agreements.

However, the fact that you may owe a contractual duty of disclosure to a lender is no justification in law for a third party breaking a duty of confidence owed to you for the purpose of making the disclosure you ought to make, since the third party is a stranger to the contract.

Nicholas
-- 
Contact and PGP key here

From tony.naggs at googlemail.com Wed Aug 11 18:18:59 2010
From: tony.naggs at googlemail.com (Tony Naggs)
Date: Wed, 11 Aug 2010 17:18:59 -0000
Subject: Experian and benefit fraud
In-Reply-To: <7qmZVRcLGlYMFAuG@perry.co.uk>
References: <4C617869.9040506@zen.co.uk> <7qmZVRcLGlYMFAuG@perry.co.uk>
Message-ID:

On 11 August 2010 08:30, Roland Perry wrote:
>
> It's not clear what Experian will be checking, perhaps just that the
> claimant really does exist, and lives where he says on the application form
> - although ironically many HB claimants won't have a particularly permanent
> address, nor one suspects very many of the sorts of credit account that
> would be populating the Experian database.

As a matter of practicality I would not expect the details of the checking methodology to be public.

I expect in the first place that reference to these agencies would be made as part of a benefits fraud investigation rather than pro forma for every claimant. E.g. to check whether the claimant has applied for credit cards or loans during the period of their benefits claim, perhaps giving an employer's address in the process! Or as part of an investigation into whether a claimant may be sharing a property with someone who is employed, which could invalidate their claim for Housing Benefit.

Cheers,
Tony

From igb at batten.eu.org Wed Aug 11 18:43:44 2010
From: igb at batten.eu.org (Ian Batten)
Date: Wed, 11 Aug 2010 17:43:44 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To:
References: <20100802110024.GR29810@snowy.squish.net> <4C58370C.3030006@iosis.co.uk> <000901cb3324$b2b61df0$182259d0$@philipkatz.eu> <+b3IJFf22EWMFANs@perry.co.uk> <20100803185937.00007a49@surtees.fenrir.org.uk> <20100804081824.GU29810@snowy.squish.net> <20100804114701.00003c52@surtees.fenrir.org.uk> <20100804150343.00007a3f@surtees.fenrir.org.uk> <4C5CF83E.5000804@iosis.co.uk> <4C617DFC.4050705@iosis.co.uk> <8147C9A1F9354BE7B6894771FD5D83D9@your41b8d18ede> <4EA4AF39-B514-4D60-A4E5-D8CA03010486@batten.eu.org> <6q0Z19dDclYMFAux@perry.co.uk> <4D33AB46-D7AA-4685-8BE2-18550F311D50@batten.eu.org>
Message-ID: <0BD2D72A-8B4C-4ED3-B263-1C4B857786BD@batten.eu.org>

On 11 Aug 2010, at 17:31, Roland Perry wrote:

> In article <4D33AB46-D7AA-4685-8BE2-18550F311D50 at batten.eu.org>, Ian
> Batten writes
>>> [1] Nor was one allowed to without permission. No private calls
>>> during the day either, which is instrumental in why I campaign
>>> about such things even today.
>>
>> Although at 10p/min
>
> For local calls, weren't they like 2p for unlimited time then?

I can't remember. They certainly weren't unlimited time: calls then were costed as minutes per unit.

>
>> it's easy to see why it was an issue in those days,
>
> No incoming calls either... from estate agents who were trying to
> find me somewhere to live... so that ICL could stop having to pay me
> to stay somewhere at their expense... as part of the relocation
> package.

Well, unless you were unusual and had DDI, incoming calls consumed operator time back then, so there's a thin argument. But as you imply, it's almost certainly mill-owner attitudes.

>
>> and the massive prevalence of mobile phones makes it much less of
>> an issue than it used to be.
>> Since I left Fujitsu I've been going
>> around replacing "daytime contact" for things associated with the
>> children to my mobile number, and I've found that I'd actually
>> provided my mobile number for most of them anyway.
>
> I've used my mobile number for that since I first had an Orange
> phone (which for various reasons was a little before they launched).
> But that was 16 years after I left ICL!

Quite, there were ludicrousnesses back then. But today, employee access to phones and email is something of a dead issue, as you have it in your pocket. And in environments where it would be reasonable to bar mobile phones, there would be deeper issues about PSTN and email as well.

ian

From clive at davros.org Wed Aug 11 19:14:38 2010
From: clive at davros.org (Clive D.W. Feather)
Date: Wed, 11 Aug 2010 18:14:38 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To: <0BD2D72A-8B4C-4ED3-B263-1C4B857786BD@batten.eu.org>
References: <4C5CF83E.5000804@iosis.co.uk> <4C617DFC.4050705@iosis.co.uk> <8147C9A1F9354BE7B6894771FD5D83D9@your41b8d18ede> <4EA4AF39-B514-4D60-A4E5-D8CA03010486@batten.eu.org> <6q0Z19dDclYMFAux@perry.co.uk> <4D33AB46-D7AA-4685-8BE2-18550F311D50@batten.eu.org> <0BD2D72A-8B4C-4ED3-B263-1C4B857786BD@batten.eu.org>
Message-ID: <20100811181436.GA77262@davros.org>

Ian Batten said:
>> For local calls, weren't they like 2p for unlimited time then?
> I can't remember. They certainly weren't unlimited time: calls then
> were costed as minutes per unit.

on exchanges without it.

-- 
Clive D.W. Feather          | If you lie to the compiler,
Email: clive at davros.org     | it will get its revenge.
Web: http://www.davros.org   | - Henry Spencer
Mobile: +44 7973 377646

From k.brown at bbk.ac.uk Wed Aug 11 19:39:11 2010
From: k.brown at bbk.ac.uk (ken)
Date: Wed, 11 Aug 2010 18:39:11 -0000
Subject: Experian and benefit fraud
In-Reply-To: <4C628114.2060206@andros.org.uk>
References: <4C617869.9040506@zen.co.uk> <4C628114.2060206@andros.org.uk>
Message-ID: <4C62EE49.4010901@bbk.ac.uk>

On 11/08/2010 11:53, Andrew McLean wrote:
> It should be noted that there are perfectly valid circumstances where
> there will be more than one person on the electoral register at an
> address and where the 25% "single occupant" discount can be claimed
> (e.g. where all but one of the occupants is a student).

This is totally off-topic, but does that mean that as a single parent living with a daughter who is now a full-time student I can claim a council tax discount?

Cos I'm pretty sure I never did before.

ukcrypto - the list that saves money...

From k.brown at bbk.ac.uk Wed Aug 11 19:52:36 2010
From: k.brown at bbk.ac.uk (ken)
Date: Wed, 11 Aug 2010 18:52:36 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To: <8A557A12-CB73-4343-AAF9-8BB57D722463@sourcetagged.ian.co.uk>
References: <20100802110024.GR29810@snowy.squish.net> <4C57B7D9.2040403@iosis.co.uk> <142201cb3319$124fa6c0$36eef440$@net> <4C58370C.3030006@iosis.co.uk> <000901cb3324$b2b61df0$182259d0$@philipkatz.eu> <+b3IJFf22EWMFANs@perry.co.uk> <20100803185937.00007a49@surtees.fenrir.org.uk> <20100804081824.GU29810@snowy.squish.net> <20100804114701.00003c52@surtees.fenrir.org.uk> <20100804150343.00007a3f@surtees.fenrir.org.uk> <4C5CF83E.5000804@iosis.co.uk> <96C78C0A6E7347EC9D2EFC86702BF554@your41b8d18ede> <8934B06A-5C6F-410B-9A82-EA8ADB0F8A65@batten.eu.org> <8A557A12-CB73-4343-AAF9-8BB57D722463@sourcetagged.ian.co.uk>
Message-ID: <4C62F16E.9080405@bbk.ac.uk>

On 10/08/2010 17:19, Ian Mason wrote:
> It also contains the immortal line:
>
>> Real Programmers do Artificial Intelligence programs in Fortran.
>
> And once that was exactly what I was employed to do. Thus I feel that
> I have some justification to consider myself a cut above the rest. :-)

Going by that standard I was at least a Great Programmer:

"No, your Real Programmer uses OS/370. A good programmer can find and understand the description of the IJK305I error he just got in his JCL manual. A great programmer can write JCL without referring to the manual at all. A truly outstanding programmer can find bugs buried in a 6 megabyte core dump without using a hex calculator. (I have actually seen this done.)"

Not that there is an IJK305I error, but I used to know at least a few dozen of those codes off by heart and knew where in the shelfloads of manuals to look for the rest. And I could certainly write JCL (and wrote programs to write JCL). I occasionally found errors in hex dumps without benefit of calculator as well, but only in VM (or occasionally MVS) control blocks and with the help of the data structure manuals.

A colleague of mine could both do hex arithmetic in his head and read 360/370 machine code from dumps, and at least once confused the people who took problem calls at IBM by telling them exactly what the programmers had done wrong in the source code of a program for which we didn't have the source code - the error was produced by an obvious typo in the assembler. Obvious to him, that is. Not me.

From paul at leyland.vispa.com Wed Aug 11 20:19:00 2010
From: paul at leyland.vispa.com (Paul Leyland)
Date: Wed, 11 Aug 2010 19:19:00 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To: <4C62F16E.9080405@bbk.ac.uk>
References: <20100802110024.GR29810@snowy.squish.net> <4C57B7D9.2040403@iosis.co.uk> <142201cb3319$124fa6c0$36eef440$@net> <4C58370C.3030006@iosis.co.uk> <000901cb3324$b2b61df0$182259d0$@philipkatz.eu> <+b3IJFf22EWMFANs@perry.co.uk> <20100803185937.00007a49@surtees.fenrir.org.uk> <20100804081824.GU29810@snowy.squish.net> <20100804114701.00003c52@surtees.fenrir.org.uk> <20100804150343.00007a3f@surtees.fenrir.org.uk> <4C5CF83E.5000804@iosis.co.uk> <96C78C0A6E7347EC9D2EFC86702BF554@your41b8d18ede> <8934B06A-5C6F-410B-9A82-EA8ADB0F8A65@batten.eu.org> <8A557A12-CB73-4343-AAF9-8BB57D722463@sourcetagged.ian.co.uk> <4C62F16E.9080405@bbk.ac.uk>
Message-ID: <1281554329.1868.35.camel@imhotep.brnikat.com>

On Wed, 2010-08-11 at 19:52 +0100, ken wrote:
> A colleague of mine could both do hex arithmetic in his head and

I can do hex addition, subtraction and simple multiplication in my head. I thought it was a relatively common skill...

> read 360/370 machine code from dumps and at least once confused
> the people who took problem calls at IBM by telling them exactly
> what the programmers had done wrong in the source code of a
> program for which we didn't have the source code - the error was
> produced by an obvious typo in the assembler. Obvious to him
> that is. Not me.
Reminds me when I was a sysadmin at Oxford and we had one of the first DEC Alpha systems in the country. The other sysadmin (Malcolm Beattie) and I told DEC support precisely what was wrong with part of the OS (I forget what it was called in those days. Alpha OSF/1 perhaps?) by looking at the hex dump and providing them with two snippets of C, one containing the error and another with a fix. We didn't have source so could only use the variable names which were present in the symbol table and had to invent the others.

It was after that episode that DEC started taking us seriously and let us talk directly to the dev teams instead of having to go through multiple layers of tech support.

Happy days, though also very stressful days...

Paul

From David_Biggins at usermgmt.com Wed Aug 11 21:59:20 2010
From: David_Biggins at usermgmt.com (David Biggins)
Date: Wed, 11 Aug 2010 20:59:20 -0000
Subject: HP researcher claims proof that P != NP
Message-ID:

http://www.hpl.hp.com/personal/Vinay_Deolalikar/Papers/pnp12pt.pdf

I understand that some mathematicians are already questioning it - which of course is right, whether the proof is correct or not. Mathematics and science are based on scepticism and on the requirement for claims of proof to be tested.

The math is somewhat over my head, I'm afraid. So here is my basic understanding of what this means.

Proving P != NP means that it can be proved that there are classes of problem for which no algorithm can solve them in polynomial time.

For the non-mathematicians among us, a vast over-simplification is that as the core number in a problem gets bigger, there is no possible solution where the number of steps needed to guarantee a result can be expressed as a polynomial of the number (n) of digits in that number.

E.g. a * n^3 + b * n^2 + c * n + d

But only in terms of a much faster-rising function like an exponential

E.g. a ^ (b * n)

Even more roughly, this might be interpreted to mean that the difficulty of solution has to relate to how many different values a number of that length could take, rather than of the length of the number. E.g., how many possible keys there could be, rather than the key length.

And in general, that means that there is no method of solution that is significantly faster than brute-force testing all the alternatives.

So if factoring a large number that is the product of two primes, to get back the factors, is a problem that is NP, and also P != NP, then there can be no solution that is any significant order of magnitude faster than dividing it by every prime less than its square root and testing the remainder.

The question of P = NP or P != NP arises because a 'P' problem that has a shorter algorithmic solution can of course still be solved by brute forcing. There are efficient ways of obtaining a square root, but you can still do it by dividing by squaring all numbers up to the square root and comparing.

So P problems have NP solutions (always?) but it's not previously been proved that there are NP problems that cannot have P solutions.

Which means that RSA users get to breathe a small sigh of relief, compared to the position if the author had proved P = NP.

I'm sure we have some real mathematicians here, so how am I doing so far?

So I get a couple of questions.

1) Has it actually been proven that such factorisation is actually NP? Or is this still a "most of us believe that... but haven't proved it yet" like P != NP has been for the last many years?

2) If so, then this does of course preclude there from being any algorithmic solution that can reliably factor any arbitrary product quickly. However, does it provably preclude probabilistic solutions that often (for some value of often) work but sometimes fail?

Perhaps for cases where one of the primes has other constraints, like being one of the Mersenne primes, or some other such case?

In other words, is P != NP a guaranteed strong mathematical safety net for RSA, or could it become a weak one?

D.

From chl at clerew.man.ac.uk Wed Aug 11 22:23:39 2010
From: chl at clerew.man.ac.uk (Charles Lindsey)
Date: Wed, 11 Aug 2010 21:23:39 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To:
References: <20100802110024.GR29810@snowy.squish.net> <4C57B7D9.2040403@iosis.co.uk> <142201cb3319$124fa6c0$36eef440$@net> <4C58370C.3030006@iosis.co.uk> <000901cb3324$b2b61df0$182259d0$@philipkatz.eu> <+b3IJFf22EWMFANs@perry.co.uk> <20100803185937.00007a49@surtees.fenrir.org.uk> <20100804081824.GU29810@snowy.squish.net> <20100804114701.00003c52@surtees.fenrir.org.uk> <20100804150343.00007a3f@surtees.fenrir.org.uk>
Message-ID:

On Tue, 10 Aug 2010 20:44:55 +0100, David Biggins wrote:

> DEP - the ability to mark various parts of memory (once more) as not
> being allowed to be executed.
>
> But I might even question whether or not it is safe to continue to use
> the same stack for code pointers and for data.

The real solution for buffer overflow attacks is to keep the executable code in read-only partitions, and to forbid execution of code in data partitions. AIUI, this is routine practice in Unix, subject to suitable provisions in the hardware (as certainly provided in SPARC and ARM - ASIUI). I believe it is also possible in i86*, but that Bill Gates has painted himself into a corner that prevents taking advantage of it. BICBW.

-- 
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131     Web: http://www.cs.man.ac.uk/~chl
Email: chl at clerew.man.ac.uk      Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9      Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5

From David_Biggins at usermgmt.com Wed Aug 11 22:48:28 2010
From: David_Biggins at usermgmt.com (David Biggins)
Date: Wed, 11 Aug 2010 21:48:28 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To:
References: <20100802110024.GR29810@snowy.squish.net> <4C57B7D9.2040403@iosis.co.uk> <142201cb3319$124fa6c0$36eef440$@net> <4C58370C.3030006@iosis.co.uk> <000901cb3324$b2b61df0$182259d0$@philipkatz.eu> <+b3IJFf22EWMFANs@perry.co.uk> <20100803185937.00007a49@surtees.fenrir.org.uk> <20100804081824.GU29810@snowy.squish.net> <20100804114701.00003c52@surtees.fenrir.org.uk> <20100804150343.00007a3f@surtees.fenrir.org.uk>
Message-ID:

> -----Original Message-----
> From: ukcrypto-bounces at chiark.greenend.org.uk [mailto:ukcrypto-
> bounces at chiark.greenend.org.uk] On Behalf Of Charles Lindsey
> Sent: 11 August 2010 22:24
> To: UK Cryptography Policy Discussion Group
> Subject: Re: Being safe on the internet (was Re: Here we go again - ISP
> DPI,but is it interception?)
>
> The real solution for buffer overflow attacks is to keep the executable
> code in read-only partitions, and to forbid execution of code in data
> partitions. AIUI, this is routine practice in Unix, subject to suitable
> provisions in the hardware (as certainly provided in SPARC and ARM -
> ASIUI). I believe it is also possible in i86*, but that Bill Gates has
> painted himself into a corner that prevents taking advantage of it.
> BICBW.
>

Hi Charles,

As I understand it, you're spot on.

That was the bit I was talking about earlier, where MS' marketing department allowed Motorola enthusiasts to take the high ground over the Intel segmented memory model, and so went for the flat memory model with Win95.

But this defeated the protections, because they were driven by the segment descriptors, and the flat model points all the segments at the same descriptor.

That has to be a decision that MS have long regretted.

These features are now available further in the modern memory manager on 64-bit CPUs without needing separate segment descriptors; as you say, I'm not sure how thoroughly they are used yet, beyond DEP which is such a mechanism that forbids execution in stack pages.

I'm not at all certain on this, but I believe that Intel-based Unix implementations have traditionally also been flat model. I have heard the suggestion that this would be in part because it would have meant some serious messing with the gcc code generation to make it handle the old segmentation. Whether or not this is still true is another question.

D.

From igb at batten.eu.org Wed Aug 11 22:51:42 2010
From: igb at batten.eu.org (Ian Batten)
Date: Wed, 11 Aug 2010 21:51:42 -0000
Subject: HP researcher claims proof that P != NP
In-Reply-To:
References:
Message-ID:

On 11 Aug 2010, at 21:59, David Biggins wrote:

> So if factoring a large number that is the product of two primes, to
> get back the factors, is a problem that is NP

Factorisation (or its decision equivalent, more precisely) is in NP and co-NP, but it's not known if it's in P. It almost certainly isn't NP-complete, which means that if tomorrow someone were to produce a P algorithm for factorization, it wouldn't say anything about P=NP, unless factorization were proved to be NP-complete, which seems unlikely.

But this is all slightly incidental, because just because something is in NP doesn't mean it's hard in a practical sense, rather than a theoretical sense. It's perfectly possible to have tractable solutions for practical sized problems in harder complexity classes than P whilst not having tractable solutions for equivalently sized P problems.

If you can verify in O(n) but only solve in O(n^100) it's still in P, but is probably very hard in reality; if you can verify in O(n) but solve in O((1+epsilon)^n) for a suitably small n we're in NP, but it may in practical terms be a lot easier to deal with.

There are bigger threats to factorization as the basis for security than the (highly unlikely) proof that P=NP, and even if P were to be found to equal NP that wouldn't actually provide P-time algorithms for factorization. Conversely, a very efficient factorization algorithm wouldn't say much about P=NP.

ian

From igb at batten.eu.org Wed Aug 11 22:52:37 2010
From: igb at batten.eu.org (Ian Batten)
Date: Wed, 11 Aug 2010 21:52:37 -0000
Subject: Experian and benefit fraud
In-Reply-To: <4C62EE49.4010901@bbk.ac.uk>
References: <4C617869.9040506@zen.co.uk> <4C628114.2060206@andros.org.uk> <4C62EE49.4010901@bbk.ac.uk>
Message-ID: <3A752294-B10F-4590-AEC2-631B60C23433@batten.eu.org>

On 11 Aug 2010, at 19:39, ken wrote:

> On 11/08/2010 11:53, Andrew McLean wrote:
>
>> It should be noted that there are perfectly valid circumstances where
>> there will be more than one person on the electoral register at an
>> address and where the 25% "single occupant" discount can be claimed
>> (e.g. where all but one of the occupants is a student).
>
> This is totally off-topic, but does that mean that as a single
> parent living with a daughter who is now a full-time student I can
> claim a council tax discount?
>
> Cos I'm pretty sure I never did before.
>
> ukcrypto - the list that saves money...
>

I believe that to be the case, based on this afternoon's looking at the situation for my wife working whilst I'm a PhD student.
ian

From David_Biggins at usermgmt.com Wed Aug 11 23:09:29 2010
From: David_Biggins at usermgmt.com (David Biggins)
Date: Wed, 11 Aug 2010 22:09:29 -0000
Subject: HP researcher claims proof that P != NP
In-Reply-To:
References:
Message-ID:

Sorry about the top-post reply, but Outlook is playing me up a bit...

Excellent, many thanks Ian.

So again to just push this for us non-mathematicians, the various articles appearing that are talking in terms of this having an impact on RSA-type crypto are wrong (as my post was) on two grounds:

1) It is not yet certain that crypto is not P.

2) It is not certain that even if it is not P, it is actually permanently "hard" as our understanding of the maths evolves.

Am I right still in thinking that even if it is permanently hard as a deterministic problem, this would not in any way preclude a probabilistic one?

D

From: ukcrypto-bounces at chiark.greenend.org.uk [mailto:ukcrypto-bounces at chiark.greenend.org.uk] On Behalf Of Ian Batten
Sent: 11 August 2010 22:52
To: UK Cryptography Policy Discussion Group
Subject: Re: HP researcher claims proof that P != NP

On 11 Aug 2010, at 21:59, David Biggins wrote:

So if factoring a large number that is the product of two primes, to get back the factors, is a problem that is NP

Factorisation (or its decision equivalent, more precisely) is in NP and co-NP, but it's not known if it's in P. It almost certainly isn't NP-complete, which means that if tomorrow someone were to produce a P algorithm for factorization, it wouldn't say anything about P=NP, unless factorization were proved to be NP-complete, which seems unlikely.

But this is all slightly incidental, because just because something is in NP doesn't mean it's hard in a practical sense, rather than a theoretical sense. It's perfectly possible to have tractable solutions for practical sized problems in harder complexity classes than P whilst not having tractable solutions for equivalently sized P problems.

If you can verify in O(n) but only solve in O(n^100) it's still in P, but is probably very hard in reality; if you can verify in O(n) but solve in O((1+epsilon)^n) for a suitably small n we're in NP, but it may in practical terms be a lot easier to deal with.

There are bigger threats to factorization as the basis for security than the (highly unlikely) proof that P=NP, and even if P were to be found to equal NP that wouldn't actually provide P-time algorithms for factorization. Conversely, a very efficient factorization algorithm wouldn't say much about P=NP.

ian

From tony.naggs at googlemail.com Wed Aug 11 23:29:15 2010
From: tony.naggs at googlemail.com (Tony Naggs)
Date: Wed, 11 Aug 2010 22:29:15 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To:
References: <20100802110024.GR29810@snowy.squish.net> <4C57B7D9.2040403@iosis.co.uk> <142201cb3319$124fa6c0$36eef440$@net> <4C58370C.3030006@iosis.co.uk> <000901cb3324$b2b61df0$182259d0$@philipkatz.eu> <+b3IJFf22EWMFANs@perry.co.uk> <20100803185937.00007a49@surtees.fenrir.org.uk> <20100804081824.GU29810@snowy.squish.net> <20100804114701.00003c52@surtees.fenrir.org.uk> <20100804150343.00007a3f@surtees.fenrir.org.uk>
Message-ID:

Hi

I have enjoyed reading all the reminiscing about ICL and its predecessors. Many of the stories predate my early encounters with computers, though as a precociously geeky child I did enjoy disassembling a decommissioned ICL terminal and studying how the logic boards worked. (Painted blue & gray and possibly used with a 1904.) I think the only part that I actually used was the isolating transformer - very reassuring when tinkering inside other electronic gadgets.

All that apart, I think the discussions of software security are rather odd for getting so hung-up on discussions of buffer overflows.

On 11 August 2010 22:23, Charles Lindsey wrote:
>
> The real solution for buffer overflow attacks is to keep the executable code
> in read-only partitions, and to forbid execution of code in data partitions.

Buffer overflows are only one class of security issue, and generally occur in legacy code or code written outside professional development environments.

Sadly thinking that "Read-Only" memory for code and read-write memory for data is a solution to buffer overflow security issues is akin to thinking an adhesive plaster will fix a broken leg! Often the buffer is in the stack; an overflow can be crafted to corrupt the return address or data used by other code in the call stack. For a notorious example check out "Return to libc" attacks, for example here:
http://en.wikipedia.org/wiki/Return-to-libc_attack

Most corporate coding environments have protections against direct buffer overflow attacks e.g. by having coding standards that outlaw functions such as strcpy(), using only String classes that have intrinsic length attributes, using static code analysis to find dodgy constructs, and using flags to the C compiler that prevent those outlawed functions being included.

Of course there is more that can be done, but at the end of the day it is economics that governs things: graduate C/C++ coders are fairly cheap and plentiful; the consequences of shipping insecure code are relatively mild ("everybody" clearly does it); bean counters think that if there were security issues in the last year the company is probably spending too much on security!

> AIUI, this is routine practice in Unix, subject to suitable provisions in
> the hardware (as certainly provided in SPARC and ARM - ASIUI). I believe it
> is also possible in i86*, but that Bill Gates has painted himself into a
> corner that prevents taking advantage of it. BICBW.

Intel's XD (Execute Disable) and AMD's EVP (Enhanced Virus Protection) have been used by MS Windows since mid/late autumn 2004.
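The coding-standard defences Tony Naggs lists above (outlawed copy functions, strings that carry their own length, compiler enforcement of the ban), shown as an added C example that is not part of his message or of any project mentioned in the thread; the "key=value;" record format, the field names and the sample inputs are constructed for the illustration, and `#pragma GCC poison` stands in for whatever compiler flag a given shop uses to block the banned functions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Enforce the "outlawed functions" rule at compile time: any later use of these
 * names is an error (GCC and clang both honour this pragma). */
#pragma GCC poison strcpy strcat sprintf

enum copy_result { COPY_OK, COPY_TOO_LONG, COPY_BAD_ARGS, COPY_NOT_FOUND };

struct bstr {          /* a length-aware string: buffer plus its capacity */
    char  *buf;
    size_t cap;        /* bytes available, including the terminating NUL */
};

/* Length of s, never reading beyond max bytes, so an unterminated s is safe. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Copy exactly len bytes of src into dst and terminate. Refuse outright when the
 * value does not fit: silent truncation just moves the bug to whoever trusts it. */
static enum copy_result bstr_set(struct bstr *dst, const char *src, size_t len)
{
    if (dst == NULL || dst->buf == NULL || dst->cap == 0 || src == NULL)
        return COPY_BAD_ARGS;
    if (len + 1 > dst->cap) {
        dst->buf[0] = '\0';   /* leave a valid (empty) string behind */
        return COPY_TOO_LONG;
    }
    memcpy(dst->buf, src, len);
    dst->buf[len] = '\0';
    return COPY_OK;
}

/* Find key=value in a ';'-separated record such as "user=alice;role=staff" (a
 * constructed format). rec_max bounds every read, so rec need not be NUL-terminated. */
enum copy_result extract_field(const char *rec, size_t rec_max,
                               const char *key, struct bstr *out)
{
    size_t rec_len, key_len, i = 0;
    if (rec == NULL || key == NULL || out == NULL)
        return COPY_BAD_ARGS;
    rec_len = bounded_len(rec, rec_max);
    key_len = bounded_len(key, rec_max);
    while (i < rec_len) {
        /* Does "key=" start at i? The length test keeps rec[i + key_len] in bounds. */
        if (rec_len - i > key_len && memcmp(rec + i, key, key_len) == 0
            && rec[i + key_len] == '=') {
            size_t start = i + key_len + 1, end = start;
            while (end < rec_len && rec[end] != ';')
                end++;
            return bstr_set(out, rec + start, end - start);
        }
        while (i < rec_len && rec[i] != ';')   /* skip to the next field */
            i++;
        if (i < rec_len)
            i++;
    }
    return COPY_NOT_FOUND;
}

/* Extract the "user" field into a caller-supplied buffer of value_cap bytes. */
int extract_user(const char *rec, size_t rec_max, char *value_out, size_t value_cap)
{
    struct bstr field = { value_out, value_cap };
    return (int)extract_field(rec, rec_max, "user", &field);
}

/* Constructed sample records (not taken from the page). */
static const char SAMPLE_OK[]   = "user=alice;role=staff";
static const char SAMPLE_LONG[] = "role=staff;user=a-name-far-too-long-for-the-buffer";

int demo_accepts_short_value(void)
{
    char name[16];
    return extract_user(SAMPLE_OK, sizeof SAMPLE_OK, name, sizeof name) == COPY_OK
        && strcmp(name, "alice") == 0;
}

int demo_rejects_long_value(void)
{
    char name[16];
    int rc = extract_user(SAMPLE_LONG, sizeof SAMPLE_LONG, name, sizeof name);
    return rc == COPY_TOO_LONG && name[0] == '\0';   /* rejected, buffer left empty */
}

int demo_handles_unterminated_input(void)
{
    char raw[8] = { 'u', 's', 'e', 'r', '=', 'b', 'o', 'b' };   /* no NUL at all */
    char name[16];
    return extract_user(raw, sizeof raw, name, sizeof name) == COPY_OK
        && strcmp(name, "bob") == 0;
}
```

Each demo returns 1 when the bounded copy behaves as intended; the third shows the parser staying inside its declared bound even when the input carries no terminator.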
(It was in Windows XP Service Pack 2, released in August 2004.) Refs: http://support.microsoft.com/kb/875352 Ref: http://en.wikipedia.org/wiki/NX_bit In environments that may run user scripts, Java or support scripting or run executable data (Silverlight or Flash) in a web browser fetched from untrusted locations there are plenty of other security issues to be worrying about. All without considering the failure of security systems, WEP or WPA encryption anyone? Cheers, Tony From clive at davros.org Wed Aug 11 23:33:04 2010 From: clive at davros.org (Clive D.W. Feather) Date: Wed, 11 Aug 2010 22:33:04 -0000 Subject: HP researcher claims proof that P != NP In-Reply-To: References: Message-ID: <20100811223302.GO40223@davros.org> David Biggins said: > So again to just push this for us non-mathematicians, the various > articles appearing that are talking in terms of this having an impact on > RSA-type crypto are wrong (as my post was) on two grounds: > > 1) It is not yet certain that crypto is not P. That's right. > 2) It is not certain that even if it is not P, it is actually > permanently "hard" as our understanding of the maths evolves. Roughly so. > Am I right still in thinking that even if it is permanently hard as a > deterministic problem, this would not in any way preclude a > probabilistic one? You are correct. To expand on this whole thing: There are a set of problems that are known to be P. That is, you can solve these problems in time A*N^B where N is the problem size (e.g. key length). This is called "polynomial time". There are other problems that are not known to be P but are known to be NP. That is, it is not known if there's a polynomial time solution but if you've found a possible solution you can check it in polynomial time. One such problem is the "travelling salesman" - given a set of towns and routes connecting them, find the shortest route that visits all the towns. 
Another way to think of NP is to imagine your computer has an additional instruction "guess the right choice out of this set". If the problem would be polynomial time on such a computer, it's NP. For travelling salesman, the NP algorithm is:

    Guess the right town to start at.
    While there are unvisited towns, guess the next town to visit.

Within the group NP, there are a set of problems called "NP-complete". If any of those actually have a polynomial time solution, then all NP problems have one and P = NP. Travelling salesman is NP-complete.

If P = NP, then any problem that can be checked in polynomial time can be solved in polynomial time. If P != NP, then some problems can be checked in polynomial time but not solved in it. These will include all the NP-complete problems.

Even if P != NP, just because a particular problem - other than an NP-complete one - doesn't have a known polynomial time solution, it doesn't mean that one might turn up later.

Some problems aren't NP either - they can't be checked in polynomial time.

-- 
Clive D.W. Feather          | If you lie to the compiler,
Email: clive at davros.org  | it will get its revenge.
Web: http://www.davros.org  |   - Henry Spencer
Mobile: +44 7973 377646


From lists at andros.org.uk Thu Aug 12 00:17:57 2010
From: lists at andros.org.uk (Andrew McLean)
Date: Wed, 11 Aug 2010 23:17:57 -0000
Subject: Experian and benefit fraud
In-Reply-To: <4C62EE49.4010901@bbk.ac.uk>
References: <4C617869.9040506@zen.co.uk> <4C628114.2060206@andros.org.uk> <4C62EE49.4010901@bbk.ac.uk>
Message-ID: <4C632FA2.4090309@andros.org.uk>

On 11/08/2010 19:39, ken wrote:
> On 11/08/2010 11:53, Andrew McLean wrote:
>
>> It should be noted that there are perfectly valid circumstances where
>> there will be more than one person on the electoral register at an
>> address and where the 25% "single occupant" discount can be claimed
>> (e.g. where all but one of the occupants is a student).
>
> This is totally off-topic, but does that mean that as a single parent
> living with a daughter who is now a full-time student I can claim a
> council tax discount?
>
> Cos I'm pretty sure I never did before.
>
> ukcrypto - the list that saves money...
>

Yes, as long as she meets the definition of full time student that you can find here:

http://www.direct.gov.uk/en/HomeAndCommunity/YourlocalcouncilandCouncilTax/CouncilTax/DG_10037422

I believe you can also claim the discount retrospectively:

http://www.nhs.uk/CarersDirect/moneyandlegal/finance/Pages/Counciltaxdiscounts.aspx

Andrew


From igb at batten.eu.org Thu Aug 12 08:12:10 2010
From: igb at batten.eu.org (Ian Batten)
Date: Thu, 12 Aug 2010 07:12:10 -0000
Subject: HP researcher claims proof that P != NP
In-Reply-To: <20100811223302.GO40223@davros.org>
References: <20100811223302.GO40223@davros.org>
Message-ID: <9075CFD5-647D-4FF8-9691-7D4B1641BDFC@batten.eu.org>

On 11 Aug 2010, at 23:33, Clive D.W. Feather wrote:

> David Biggins said:
>> So again to just push this for us non-mathematicians, the various
>> articles appearing that are talking in terms of this having an
>> impact on
>> RSA-type crypto are wrong (as my post was) on two grounds:
>>
>> 1) It is not yet certain that crypto is not P.
>
> That's right.

The current view is, I believe, that both factorization and discrete logarithms (ie DH) are NP-intermediate. They are NP, in that a solution can be checked in P but cannot (seemingly) be generated in P, but are not NP-complete, in that providing a solution in P would neither prove P=NP nor (equivalently) provide a solution to all other NP problems.
The difference between RSA and DH is that although DH is equivalent to discrete logarithms and therefore is strongly believed to be NP, RSA may have solutions that do not involve factorization: there may be attacks on other parts of the derivation of the public and private keys from the initial primes which either do not involve recovering the primes at all or which recover them other than by factorization.

> Within the group NP, there are a set of problems called "NP-
> complete". If
> any of those actually have a polynomial time solution, then all NP
> problems
> have one and P = NP. Travelling salesman is NP-complete.

The decision problem that is NP-complete is the weaker "is there a tour that is shorter than a given number". That's clearly much easier to check than the tour being the shortest. If I claim you can buy a ticket from Cambridge to London for no more than £X and show you a ticket for £X, that's the end of it. If I claim you can buy a ticket from Cambridge to London for no _less_ than £X, so X is a minimum, I can't simply show you a proof without a lengthy exercise in considering whether season tickets between arbitrary pairs of stations, such as Finsbury Park to Liverpool Street, may be involved :-)

ian


From clive at davros.org Thu Aug 12 08:19:35 2010
From: clive at davros.org (Clive D.W. Feather)
Date: Thu, 12 Aug 2010 07:19:35 -0000
Subject: HP researcher claims proof that P != NP
In-Reply-To: <9075CFD5-647D-4FF8-9691-7D4B1641BDFC@batten.eu.org>
References: <20100811223302.GO40223@davros.org> <9075CFD5-647D-4FF8-9691-7D4B1641BDFC@batten.eu.org>
Message-ID: <20100812071932.GA13469@davros.org>

Ian Batten said:
>> Within the group NP, there are a set of problems called "NP-
>> complete". If
>> any of those actually have a polynomial time solution, then all NP
>> problems
>> have one and P = NP. Travelling salesman is NP-complete.
>
> The decision problem that is NP-complete is the weaker "is there a
> tour that is shorter than a given number".
> That's clearly much
> easier to check than the tour being the shortest.

Indeed. But, as a corollary, travelling salesman is also NP-complete. There's an incomplete list at:

http://en.wikipedia.org/wiki/List_of_NP-complete_problems

> If I claim you can
> buy a ticket from Cambridge to London for no more than £X and show you
> a ticket for £X, that's the end of it. If I claim you can buy a
> ticket from Cambridge to London for no _less_ than £X, so X is a
> minimum, I can't simply show you a proof without a lengthy exercise in
> considering whether season tickets between arbitrary pairs of
> stations, such as Finsbury Park to Liverpool Street, may be involved :-)

Thus proving that WAGN management were not NP-complete. Though getting a point through to them might well be an NP-hard problem.

-- 
Clive D.W. Feather          | If you lie to the compiler,
Email: clive at davros.org  | it will get its revenge.
Web: http://www.davros.org  |   - Henry Spencer
Mobile: +44 7973 377646


From lists at internetpolicyagency.com Thu Aug 12 10:14:23 2010
From: lists at internetpolicyagency.com (Roland Perry)
Date: Thu, 12 Aug 2010 09:14:23 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To: <4C62F16E.9080405@bbk.ac.uk>
References: <20100802110024.GR29810@snowy.squish.net> <142201cb3319$124fa6c0$36eef440$@net> <4C58370C.3030006@iosis.co.uk> <000901cb3324$b2b61df0$182259d0$@philipkatz.eu> <+b3IJFf22EWMFANs@perry.co.uk> <20100803185937.00007a49@surtees.fenrir.org.uk> <20100804081824.GU29810@snowy.squish.net> <20100804114701.00003c52@surtees.fenrir.org.uk> <20100804150343.00007a3f@surtees.fenrir.org.uk> <4C5CF83E.5000804@iosis.co.uk> <96C78C0A6E7347EC9D2EFC86702BF554@your41b8d18ede> <8934B06A-5C6F-410B-9A82-EA8ADB0F8A65@batten.eu.org> <8A557A12-CB73-4343-AAF9-8BB57D722463@sourcetagged.ian.co.uk> <4C62F16E.9080405@bbk.ac.uk>
Message-ID:

In article <4C62F16E.9080405 at bbk.ac.uk>, ken writes
>A colleague of mine ...
>[told] the people who took problem calls at
>IBM ... exactly what the programmers had done wrong in the source code
>of a program for which we didn't have the source code - the error was
>produced by an obvious typo in the assembler. Obvious to him that is.
>Not me.

I did that a few times for DOS4! Although (as an OEM who wrote, with my own fair hand, a few customisations) I had the source code for several of the device drivers and utilities, I didn't for the main body of the product. The parts in question were written in Intel assembly code.

-- 
Roland Perry


From lists at internetpolicyagency.com Thu Aug 12 10:28:25 2010
From: lists at internetpolicyagency.com (Roland Perry)
Date: Thu, 12 Aug 2010 09:28:25 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To: <0BD2D72A-8B4C-4ED3-B263-1C4B857786BD@batten.eu.org>
References: <20100802110024.GR29810@snowy.squish.net> <+b3IJFf22EWMFANs@perry.co.uk> <20100803185937.00007a49@surtees.fenrir.org.uk> <20100804081824.GU29810@snowy.squish.net> <20100804114701.00003c52@surtees.fenrir.org.uk> <20100804150343.00007a3f@surtees.fenrir.org.uk> <4C5CF83E.5000804@iosis.co.uk> <4C617DFC.4050705@iosis.co.uk> <8147C9A1F9354BE7B6894771FD5D83D9@your41b8d18ede> <4EA4AF39-B514-4D60-A4E5-D8CA03010486@batten.eu.org> <6q0Z19dDclYMFAux@perry.co.uk> <4D33AB46-D7AA-4685-8BE2-18550F311D50@batten.eu.org> <0BD2D72A-8B4C-4ED3-B263-1C4B857786BD@batten.eu.org>
Message-ID:

In article <0BD2D72A-8B4C-4ED3-B263-1C4B857786BD at batten.eu.org>, Ian Batten writes
>> No incoming calls either... from estate agents who were trying to
>>find me somewhere to live... so that ICL could stop having to pay me
>>to stay somewhere at their expense... as part of the relocation package.
>
>Well, unless you were unusual and had DDI, incoming calls consumed
>operator time back then, so there's a thin argument.
The switchboard consumed a bit of time finding the recipient within the building complex, if they weren't at their desk (this would be for people allowed incoming calls). This was done almost exclusively by tannoy messages, which of course resulted in people making prank calls for eg "Mr Ivor Biggun" (which they'd read out if told the person was a visitor).

>But as you imply, it's almost certainly mill-owner attitudes.

Indeed. The Tannoy especially.

>today, employee access to phones and email is something of a dead
>issue, as you have it in your pocket.

Of course, Ms Antoinette ;)

-- 
Roland Perry


From igb at batten.eu.org Thu Aug 12 10:30:39 2010
From: igb at batten.eu.org (Ian Batten)
Date: Thu, 12 Aug 2010 09:30:39 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To:
References: <20100802110024.GR29810@snowy.squish.net> <142201cb3319$124fa6c0$36eef440$@net> <4C58370C.3030006@iosis.co.uk> <000901cb3324$b2b61df0$182259d0$@philipkatz.eu> <+b3IJFf22EWMFANs@perry.co.uk> <20100803185937.00007a49@surtees.fenrir.org.uk> <20100804081824.GU29810@snowy.squish.net> <20100804114701.00003c52@surtees.fenrir.org.uk> <20100804150343.00007a3f@surtees.fenrir.org.uk> <4C5CF83E.5000804@iosis.co.uk> <96C78C0A6E7347EC9D2EFC86702BF554@your41b8d18ede> <8934B06A-5C6F-410B-9A82-EA8ADB0F8A65@batten.eu.org> <8A557A12-CB73-4343-AAF9-8BB57D722463@sourcetagged.ian.co.uk> <4C62F16E.9080405@bbk.ac.uk>
Message-ID:

On 12 Aug 2010, at 10:12, Roland Perry wrote:

> In article <4C62F16E.9080405 at bbk.ac.uk>, ken
> writes
>
> >A colleague of mine ... [told] the people who took problem calls at
> >IBM ... exactly what the programmers had done wrong in the source
> code >of a program for which we didn't have the source code - the
> error was >produced by an obvious typo in the assembler. Obvious to
> him that is. >Not me.
>
> I did that a few times for DOS4!
> Although (as an OEM who wrote, with
> my own fair hand, a few customisations) I had the source code for
> several of the device drivers and utilities, I didn't for the main
> body of the product. The parts in question were written in Intel
> assembly code.

Compilers were a lot simpler, though. Fixing problems without the source was easier when compilers generated fairly stereotyped code and the object instruction sequence was closely related to the source program. It's a lot harder these days because the relationship between source and object is more complex, and the object code has to deal with the fact that modern architectures have moved a lot of things out of the hardware into the compiler --- a 1960s compiler had much less knowledge of instruction sequencing than one today, because the issues (ho ho) were different and the hardware designers had done a more complete job...

ian


From lists at internetpolicyagency.com Thu Aug 12 10:31:03 2010
From: lists at internetpolicyagency.com (Roland Perry)
Date: Thu, 12 Aug 2010 09:31:03 -0000
Subject: Experian and benefit fraud
In-Reply-To: <4C62D57C.2070809@ernest.net>
References: <4C617869.9040506@zen.co.uk> <4C628114.2060206@andros.org.uk> <0zTKDoYeHtYMFAPd@perry.co.uk> <4C62D57C.2070809@ernest.net>
Message-ID: <01bqCab$77YMFAvh@perry.co.uk>

In article <4C62D57C.2070809 at ernest.net>, Nicholas Bohm writes
>the fact that you may owe a contractual duty of disclosure to a
>lender is no justification in law for a third party breaking a duty of
>confidence owed to you for the purpose of making the disclosure you
>ought to make, since the third party is a stranger to the contract.

It's been suggested (on another list) that it's fraudulent to acquire loans that you wouldn't be entitled to if the lender knew your real circumstances, and as such might fall under the increasing web of anti-fraud provisions?
-- 
Roland Perry


From lists at internetpolicyagency.com Thu Aug 12 10:38:27 2010
From: lists at internetpolicyagency.com (Roland Perry)
Date: Thu, 12 Aug 2010 09:38:27 -0000
Subject: Experian and benefit fraud
In-Reply-To:
References: <4C617869.9040506@zen.co.uk> <7qmZVRcLGlYMFAuG@perry.co.uk>
Message-ID:

In article , Tony Naggs writes
>I expect in the first place that reference to these agencies would be
>made as part of a benefits fraud investigation rather than pro forma
>for every claimant.

I read it as more routine than that.

>E.g. to check whether the claimant has applied for credit cards or loans during
>the period of their benefits claim, perhaps giving an employer's address in the
>process!

You'd only find out the information on the application form by asking the lender, not Experian. But I suppose that if new credit card applications show up on Experian, it would be a place to start.

But being on benefits isn't supposed to be bankruptcy-lite. Plenty of people legitimately on benefits lead perfectly ordinary lives, which can include things like applying for storecards (which if used carefully can save money), and "interest free" and "no payments for 12 months" HP agreements on basic/essential household items like a fridge.

>Or as part of an investigation into whether a claimant may be sharing
>a property with someone who is employed, which could invalidate their claim for
>Housing Benefit.

That's a more fruitful area, although it requires looking up the employment status of someone other than the claimant, which sounds a bit dodgy. There's also a problem with records being out of date, so if a claimant moves into a house that's just been vacated by an employed person, you'll get a false positive.
-- 
Roland Perry


From lists at internetpolicyagency.com Thu Aug 12 10:43:46 2010
From: lists at internetpolicyagency.com (Roland Perry)
Date: Thu, 12 Aug 2010 09:43:46 -0000
Subject: Experian and benefit fraud
In-Reply-To: <4C632FA2.4090309@andros.org.uk>
References: <4C617869.9040506@zen.co.uk> <4C628114.2060206@andros.org.uk> <4C62EE49.4010901@bbk.ac.uk> <4C632FA2.4090309@andros.org.uk>
Message-ID:

In article <4C632FA2.4090309 at andros.org.uk>, Andrew McLean writes
>Yes, as long as she meets the definition of full time student that you
>can find here:
>
>http://www.direct.gov.uk/en/HomeAndCommunity/YourlocalcouncilandCouncilT
>ax/CouncilTax/DG_10037422

The difficulties seem to arise at the end of PhD courses, where someone is "writing up at home" in years 4+, and disputes often arise as to whether they are technically still a student or not.

-- 
Roland Perry


From igb at batten.eu.org Thu Aug 12 10:47:40 2010
From: igb at batten.eu.org (Ian Batten)
Date: Thu, 12 Aug 2010 09:47:40 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To:
References: <20100802110024.GR29810@snowy.squish.net> <+b3IJFf22EWMFANs@perry.co.uk> <20100803185937.00007a49@surtees.fenrir.org.uk> <20100804081824.GU29810@snowy.squish.net> <20100804114701.00003c52@surtees.fenrir.org.uk> <20100804150343.00007a3f@surtees.fenrir.org.uk> <4C5CF83E.5000804@iosis.co.uk> <4C617DFC.4050705@iosis.co.uk> <8147C9A1F9354BE7B6894771FD5D83D9@your41b8d18ede> <4EA4AF39-B514-4D60-A4E5-D8CA03010486@batten.eu.org> <6q0Z19dDclYMFAux@perry.co.uk> <4D33AB46-D7AA-4685-8BE2-18550F311D50@batten.eu.org> <0BD2D72A-8B4C-4ED3-B263-1C4B857786BD@batten.eu.org>
Message-ID:

>
> Indeed. The Tannoy especially.
>
>> today, employee access to phones and email is something of a dead
>> issue, as you have it in your pocket.
>
> Of course, Ms Antoinette ;)

But on this occasion, they really can all afford brioche.
I would take a lot of convincing that there is anyone in paid employment who doesn't have a mobile phone by dint of cost; these days, people have mobiles rather than fixed line phones because they're cheaper...

ian


From lists at internetpolicyagency.com Thu Aug 12 10:49:46 2010
From: lists at internetpolicyagency.com (Roland Perry)
Date: Thu, 12 Aug 2010 09:49:46 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To:
References: <20100802110024.GR29810@snowy.squish.net> <000901cb3324$b2b61df0$182259d0$@philipkatz.eu> <+b3IJFf22EWMFANs@perry.co.uk> <20100803185937.00007a49@surtees.fenrir.org.uk> <20100804081824.GU29810@snowy.squish.net> <20100804114701.00003c52@surtees.fenrir.org.uk> <20100804150343.00007a3f@surtees.fenrir.org.uk> <4C5CF83E.5000804@iosis.co.uk> <96C78C0A6E7347EC9D2EFC86702BF554@your41b8d18ede> <8934B06A-5C6F-410B-9A82-EA8ADB0F8A65@batten.eu.org> <8A557A12-CB73-4343-AAF9-8BB57D722463@sourcetagged.ian.co.uk> <4C62F16E.9080405@bbk.ac.uk>
Message-ID:

In article , Ian Batten writes
>> I did that a few times for DOS4! Although (as an OEM who wrote, with
>>my own fair hand, a few customisations) I had the source code for
>>several of the device drivers and utilities, I didn't for the main
>>body of the product. The parts in question were written in Intel
>>assembly code.
>
>Compilers were a lot simpler, though. Fixing problems without the
>source was easier when compilers generated fairly stereotyped code and
>the object instruction sequence was closely related to the source
>program.

But sticking assembly code through a disassembler (whether that's a formal one, or in one's head) is very closely related.

-- 
Roland Perry


From lists at internetpolicyagency.com Thu Aug 12 10:53:08 2010
From: lists at internetpolicyagency.com (Roland Perry)
Date: Thu, 12 Aug 2010 09:53:08 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To:
References: <20100802110024.GR29810@snowy.squish.net> <20100804081824.GU29810@snowy.squish.net> <20100804114701.00003c52@surtees.fenrir.org.uk> <20100804150343.00007a3f@surtees.fenrir.org.uk> <4C5CF83E.5000804@iosis.co.uk> <4C617DFC.4050705@iosis.co.uk> <8147C9A1F9354BE7B6894771FD5D83D9@your41b8d18ede> <4EA4AF39-B514-4D60-A4E5-D8CA03010486@batten.eu.org> <6q0Z19dDclYMFAux@perry.co.uk> <4D33AB46-D7AA-4685-8BE2-18550F311D50@batten.eu.org> <0BD2D72A-8B4C-4ED3-B263-1C4B857786BD@batten.eu.org>
Message-ID:

In article , Ian Batten writes
>>> today, employee access to phones and email is something of a dead
>>>issue, as you have it in your pocket.
>>
>> Of course, Ms Antoinette ;)
>
>But on this occasion, they really can all afford brioche. I would take
>a lot of convincing that there is anyone in paid employment who doesn't
>have a mobile phone by dint of cost; these days, people have mobiles
>rather than fixed line phones because they're cheaper...

For calls, I agree; but accessing email on a phone isn't nearly as easy and widespread as is sometimes assumed.

-- 
Roland Perry


From Ray.Bellis at nominet.org.uk Thu Aug 12 12:26:27 2010
From: Ray.Bellis at nominet.org.uk (Ray Bellis)
Date: Thu, 12 Aug 2010 11:26:27 -0000
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To: <1281554329.1868.35.camel@imhotep.brnikat.com>
References: <20100802110024.GR29810@snowy.squish.net> <4C57B7D9.2040403@iosis.co.uk> <142201cb3319$124fa6c0$36eef440$@net> <4C58370C.3030006@iosis.co.uk> <000901cb3324$b2b61df0$182259d0$@philipkatz.eu> <+b3IJFf22EWMFANs@perry.co.uk> <20100803185937.00007a49@surtees.fenrir.org.uk> <20100804081824.GU29810@snowy.squish.net> <20100804114701.00003c52@surtees.fenrir.org.uk> <20100804150343.00007a3f@surtees.fenrir.org.uk> <4C5CF83E.5000804@iosis.co.uk> <96C78C0A6E7347EC9D2EFC86702BF554@your41b8d18ede> <8934B06A-5C6F-410B-9A82-EA8ADB0F8A65@batten.eu.org> <8A557A12-CB73-4343-AAF9-8BB57D722463@sourcetagged.ian.co.uk> <4C62F16E.9080405@bbk.ac.uk> <1281554329.1868.35.camel@imhotep.brnikat.com>
Message-ID: <0444A511-B22F-4F98-8706-B2C8257C6129@nominet.org.uk>

> Reminds me when I was a sysadmin at Oxford and we had one of the first
> DEC Alpha systems in the country.

There must have been quite a few around before then - I was running several in the Dept. of Experimental Psychology a good year or so (Jan '93?) before OUCS got Sable. That's how I got on the procurement committee for it. ;-)

Our DEC 3000 Model 500 was the first OSF/1 DEC Alpha at Oxford, although ISTR rumours that someone may have got a VMS one slightly before us.

Ray


From pwt at iosis.co.uk Thu Aug 12 17:54:56 2010
From: pwt at iosis.co.uk (Peter Tomlinson)
Date: Thu, 12 Aug 2010 17:54:56 +0100
Subject: Upcoming news item re NHS Patient Records
Message-ID: <4C642760.8000405@iosis.co.uk>

The email taster for tonight's 7 pm Channel 4 TV News includes:

PATIENT RECORDS
Victoria MacDonald will be revealing chaos and confusion over plans to put patient records on a big central NHS computer system. A leaflet campaign informing people how to opt out if they have concerns about the gathering of such information has been halted because it is deemed ineffective. She'll be examining whether it should be replaced with an opt in system.
Peter


From David_Biggins at usermgmt.com Thu Aug 12 18:56:15 2010
From: David_Biggins at usermgmt.com (David Biggins)
Date: Thu, 12 Aug 2010 18:56:15 +0100
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To:
References: <20100802110024.GR29810@snowy.squish.net> <4C57B7D9.2040403@iosis.co.uk> <142201cb3319$124fa6c0$36eef440$@net> <4C58370C.3030006@iosis.co.uk> <000901cb3324$b2b61df0$182259d0$@philipkatz.eu> <+b3IJFf22EWMFANs@perry.co.uk> <20100803185937.00007a49@surtees.fenrir.org.uk> <20100804081824.GU29810@snowy.squish.net> <20100804114701.00003c52@surtees.fenrir.org.uk> <20100804150343.00007a3f@surtees.fenrir.org.uk>
Message-ID:

> -----Original Message-----
> From: ukcrypto-bounces at chiark.greenend.org.uk [mailto:ukcrypto-
> bounces at chiark.greenend.org.uk] On Behalf Of Tony Naggs
> Sent: 11 August 2010 23:29
> To: UK Cryptography Policy Discussion Group
> Subject: Re: Being safe on the internet (was Re: Here we go again - ISP
> DPI, but is it interception?)
>
> Hi
>
> All that apart, I think the discussions of software security are rather
> odd
> for getting so hung-up on discussions of buffer overflows.
>

Indeed, such was not my intention, and I apologise for dragging it on so long, though it did seem to cause some interest.

You are right that there are many other classes, though I would contend that the conventional stack attack has been one of the most common.

My original intention was merely to consider the way that three disconnected decisions by three separate bodies had come together to create a serious hole, which in hindsight seems obvious and while not perhaps avoidable, probably capable of significant mitigation without those decisions, but which clearly escaped everybody at the time.
D


From David_Biggins at usermgmt.com Thu Aug 12 19:02:20 2010
From: David_Biggins at usermgmt.com (David Biggins)
Date: Thu, 12 Aug 2010 19:02:20 +0100
Subject: HP researcher claims proof that P != NP
In-Reply-To: <20100811223302.GO40223@davros.org>
References: <20100811223302.GO40223@davros.org>
Message-ID:

> -----Original Message-----
> From: ukcrypto-bounces at chiark.greenend.org.uk [mailto:ukcrypto-
> bounces at chiark.greenend.org.uk] On Behalf Of Clive D.W. Feather
> Sent: 11 August 2010 23:33
> To: UK Cryptography Policy Discussion Group
> Subject: Re: HP researcher claims proof that P != NP
>

Excellent. Many thanks, Clive and Ian for the detail. I think I've got it now - or at least enough that I have the fingerholds to read up on the rest if I need to.

Thanks again.

D


From amidgley at gmail.com Thu Aug 12 23:14:34 2010
From: amidgley at gmail.com (Adrian Midgley (Gmail))
Date: Thu, 12 Aug 2010 23:14:34 +0100
Subject: Being safe on the internet (was Re: Here we go again - ISP DPI, but is it interception?)
In-Reply-To: <83944DF7585743478D7A47F8BDE18D5C@your41b8d18ede>
References: <20100802110024.GR29810@snowy.squish.net> <4C57B7D9.2040403@iosis.co.uk> <142201cb3319$124fa6c0$36eef440$@net> <4C58370C.3030006@iosis.co.uk> <000901cb3324$b2b61df0$182259d0$@philipkatz.eu> <+b3IJFf22EWMFANs@perry.co.uk> <20100803185937.00007a49@surtees.fenrir.org.uk> <20100804081824.GU29810@snowy.squish.net> <20100804114701.00003c52@surtees.fenrir.org.uk> <20100804150343.00007a3f@surtees.fenrir.org.uk> <4C5CF83E.5000804@iosis.co.uk> <96C78C0A6E7347EC9D2EFC86702BF554@your41b8d18ede> <8934B06A-5C6F-410B-9A82-EA8ADB0F8A65@batten.eu.org> <8A557A12-CB73-4343-AAF9-8BB57D722463@sourcetagged.ian.co.uk> <83944DF7585743478D7A47F8BDE18D5C@your41b8d18ede>
Message-ID: <1281651274.4330.80.camel@lyrae>

On Tue, 2010-08-10 at 18:27 +0100, Tom Thomson wrote:
> ... a language that was hated by every Fortran programmer in the world, except those for whom Fortran IV was their first language.
Fortran IV was my first language.

I certainly didn't /hate/ it.

-- 
A


From ukcrypto at sourcetagged.ian.co.uk Fri Aug 13 08:12:40 2010
From: ukcrypto at sourcetagged.ian.co.uk (Ian Mason)
Date: Fri, 13 Aug 2010 08:12:40 +0100
Subject: HP researcher claims proof that P != NP
In-Reply-To: <9075CFD5-647D-4FF8-9691-7D4B1641BDFC@batten.eu.org>
References: <20100811223302.GO40223@davros.org> <9075CFD5-647D-4FF8-9691-7D4B1641BDFC@batten.eu.org>
Message-ID: <544EA33F-BF19-42DA-A8C0-B0C0D434E06E@sourcetagged.ian.co.uk>

On 12 Aug 2010, at 08:12, Ian Batten wrote:

>
> The decision problem that is NP-complete is the weaker "is there a
> tour that is shorter than a given number". That's clearly much
> easier to check than the tour being the shortest. If I claim you
> can buy a ticket from Cambridge to London for no more than £X and
> show you a ticket for £X, that's the end of it. If I claim you can
> buy a ticket from Cambridge to London for no _less_ than £X, so X
> is a minimum, I can't simply show you a proof without a lengthy
> exercise in considering whether season tickets between arbitrary
> pairs of stations, such as Finsbury Park to Liverpool Street, may
> be involved :-)
>
> ian
>
>

Why does this make me think you've had long conversations with Mr. Feather before? :)

T'other Ian


From zenadsl6186 at zen.co.uk Fri Aug 13 19:40:10 2010
From: zenadsl6186 at zen.co.uk (Peter Fairbrother)
Date: Fri, 13 Aug 2010 19:40:10 +0100
Subject: Cost of traffic data access?
Message-ID: <4C65918A.70106@zen.co.uk>

If the Police want to get traffic to and from a server/IP address, how much does it cost them? I know the ISPs charge, but can anyone say how much?

For a more specific example, suppose they want a month's traffic data to and from a TOR node - quite a lot of data, size, time, IP addresses - but only one IP to watch. How much?
Thanks,

-- 
Peter Fairbrother


From lists at internetpolicyagency.com Fri Aug 13 21:34:39 2010
From: lists at internetpolicyagency.com (Roland Perry)
Date: Fri, 13 Aug 2010 21:34:39 +0100
Subject: Cost of traffic data access?
In-Reply-To: <4C65918A.70106@zen.co.uk>
References: <4C65918A.70106@zen.co.uk>
Message-ID:

In article <4C65918A.70106 at zen.co.uk>, Peter Fairbrother writes
>If the Police want to get traffic to and from a server/IP address, how
>much does it cost them? I know the ISPs charge, but can anyone say how
>much?

It used to vary a lot. Not sure if it's been standardised post-data-retention etc.

-- 
Roland Perry


From igb at batten.eu.org Sat Aug 14 09:12:47 2010
From: igb at batten.eu.org (Ian Batten)
Date: Sat, 14 Aug 2010 09:12:47 +0100
Subject: Cost of traffic data access?
In-Reply-To: <4C65918A.70106@zen.co.uk>
References: <4C65918A.70106@zen.co.uk>
Message-ID: <4B1EB3EE-4816-43CA-8A03-CFB000BD6471@batten.eu.org>

On 13 Aug 2010, at 19:40, Peter Fairbrother wrote:

> If the Police want to get traffic to and from a server/IP address,
> how much does it cost them? I know the ISPs charge, but can anyone
> say how much?
>
>
> For a more specific example, suppose they want a month's traffic
> data to and from a TOR node - quite a lot of data, size, time, IP
> addresses - but only one IP to watch. How much?

What do you mean by "traffic data" in this context? What logs would an ISP hold such that TOR traffic would be recorded in any form? Isn't this straight interception?

ian


From zenadsl6186 at zen.co.uk Sat Aug 14 11:25:02 2010
From: zenadsl6186 at zen.co.uk (Peter Fairbrother)
Date: Sat, 14 Aug 2010 11:25:02 +0100
Subject: Cost of traffic data access?
In-Reply-To: <4B1EB3EE-4816-43CA-8A03-CFB000BD6471@batten.eu.org>
References: <4C65918A.70106@zen.co.uk> <4B1EB3EE-4816-43CA-8A03-CFB000BD6471@batten.eu.org>
Message-ID: <4C666EFE.1010807@zen.co.uk>

Ian Batten wrote:
>
> On 13 Aug 2010, at 19:40, Peter Fairbrother wrote:
>
>> If the Police want to get traffic to and from a server/IP address,
>> how much does it cost them? I know the ISPs charge, but can anyone
>> say how much?
>>
>>
>> For a more specific example, suppose they want a month's traffic
>> data to and from a TOR node - quite a lot of data, size, time, IP
>> addresses - but only one IP to watch. How much?
>
> What do you mean by "traffic data" in this context?

Packet sizes, times, source and destination IPs.

> What logs would an ISP hold such that TOR traffic would be recorded
> in any form?

Logs of the above data - aren't ISPs required to record it for all users, and keep it for 6 months/two years/whatever? I thought they were anyway, isn't it some EU law?

> Isn't this straight interception?

No, there is no content involved, and therefore no interception. It comes under s.22(4) of Chapter 2 of Part 1 of RIPA, "Acquisition and disclosure of communications data", and lots of people can demand the data. Offhand I can't remember exactly who, it's in one of the SIs somewhere, but for the Police it's something like a Chief Inspector, and various equivalents in other forces/agencies.

-- 
Peter Fairbrother


From zenadsl6186 at zen.co.uk Sat Aug 14 11:38:09 2010
From: zenadsl6186 at zen.co.uk (Peter Fairbrother)
Date: Sat, 14 Aug 2010 11:38:09 +0100
Subject: Cost of traffic data access?
In-Reply-To: <4B1EB3EE-4816-43CA-8A03-CFB000BD6471@batten.eu.org>
References: <4C65918A.70106@zen.co.uk> <4B1EB3EE-4816-43CA-8A03-CFB000BD6471@batten.eu.org>
Message-ID: <4C667211.1080808@zen.co.uk>

Sorry, previous incomplete version sent by accident

Ian Batten wrote:
>
> On 13 Aug 2010, at 19:40, Peter Fairbrother wrote:
>
>> If the Police want to get traffic to and from a server/IP address, how
>> much does it cost them? I know the ISPs charge, but can anyone say how
>> much?
>>
>>
>> For a more specific example, suppose they want a month's traffic data
>> to and from a TOR node - quite a lot of data, size, time, IP addresses
>> - but only one IP to watch. How much?
>
> What do you mean by "traffic data" in this context?

Packet sizes, times, source and destination IPs.

> What logs would an ISP hold such that TOR traffic would be recorded in any form?

Logs of the above data - aren't ISPs required to record it for all users, and keep it for 6 months/two years/whatever? I thought they were anyway, isn't it some EU law?

In any case, if the ISP didn't keep logs of the above data, the person demanding the data could require them to collect and keep it, see RIPA s.22(4)(a).

> Isn't this straight interception?

No, there is no content involved, and therefore no interception. It comes under s.22(4) of Chapter 2 of Part 1 of RIPA, "Acquisition and disclosure of communications data", and lots of people can demand the data. Offhand I can't remember exactly who is on the list, it's in one of the SIs somewhere, but for the Police it's something like a Chief Inspector, and various equivalents in other forces/agencies.

They keep changing it, but it's the same list of people that at one time (in)famously included the egg marketing board inspectors.

-- 
Peter Fairbrother


From lists at internetpolicyagency.com Sat Aug 14 13:42:17 2010
From: lists at internetpolicyagency.com (Roland Perry)
Date: Sat, 14 Aug 2010 13:42:17 +0100
Subject: Cost of traffic data access?
In-Reply-To: <4C667211.1080808@zen.co.uk> References: <4C65918A.70106@zen.co.uk> <4B1EB3EE-4816-43CA-8A03-CFB000BD6471@batten.eu.org> <4C667211.1080808@zen.co.uk> Message-ID: In article <4C667211.1080808 at zen.co.uk>, Peter Fairbrother writes >They keep changing it, but it's the same list of people that at one >time (in)famously included the egg marketing board inspectors. No, they never were on the comms data list... but on the different list for Surveillance (Poole-style or otherwise). -- Roland Perry From zenadsl6186 at zen.co.uk Sat Aug 14 14:56:54 2010 From: zenadsl6186 at zen.co.uk (Peter Fairbrother) Date: Sat, 14 Aug 2010 14:56:54 +0100 Subject: Cost of traffic data access? In-Reply-To: References: <4C65918A.70106@zen.co.uk> <4B1EB3EE-4816-43CA-8A03-CFB000BD6471@batten.eu.org> <4C667211.1080808@zen.co.uk> Message-ID: <4C66A0A6.3030508@zen.co.uk> Roland Perry wrote: > In article <4C667211.1080808 at zen.co.uk>, Peter Fairbrother > writes >> They keep changing it, but it's the same list of people that at one >> time (in)famously included the egg marketing board inspectors. > > No, they never were on the comms data list... but on the different list > for Surveillance (Poole-style or otherwise). My bad, sorry, I'd confused lists - and it needs a signature from a Superintendent, not a Chief Inspector: http://www.opsi.gov.uk/si/si2010/uksi_20100480_en_2 Roland, do you have even a very rough range for the cost? Thanks, -- Peter Fairbrother From lists at internetpolicyagency.com Sat Aug 14 16:22:12 2010 From: lists at internetpolicyagency.com (Roland Perry) Date: Sat, 14 Aug 2010 16:22:12 +0100 Subject: Cost of traffic data access? 
In-Reply-To: <4C66A0A6.3030508@zen.co.uk> References: <4C65918A.70106@zen.co.uk> <4B1EB3EE-4816-43CA-8A03-CFB000BD6471@batten.eu.org> <4C667211.1080808@zen.co.uk> <4C66A0A6.3030508@zen.co.uk> Message-ID: <6Q857HNkSrZMFAFq@perry.co.uk>

In article <4C66A0A6.3030508 at zen.co.uk>, Peter Fairbrother writes >Roland, do you have even a very rough range for the cost? Thanks,

There are perhaps two extremes punted around long ago, where it's been alleged some reverse-DQ requests cost £100 each, versus some requesters only prepared to pay £15/hr for proven effort sorting out the answers. But where we are today, I don't know. -- Roland Perry

From ukcrypto at sourcetagged.ian.co.uk Sat Aug 14 22:10:02 2010 From: ukcrypto at sourcetagged.ian.co.uk (Ian Mason) Date: Sat, 14 Aug 2010 22:10:02 +0100 Subject: Cost of traffic data access? In-Reply-To: <6Q857HNkSrZMFAFq@perry.co.uk> References: <4C65918A.70106@zen.co.uk> <4B1EB3EE-4816-43CA-8A03-CFB000BD6471@batten.eu.org> <4C667211.1080808@zen.co.uk> <4C66A0A6.3030508@zen.co.uk> <6Q857HNkSrZMFAFq@perry.co.uk> Message-ID:

On 14 Aug 2010, at 16:22, Roland Perry wrote: > In article <4C66A0A6.3030508 at zen.co.uk>, Peter Fairbrother > writes > >> Roland, do you have even a very rough range for the cost? Thanks, > > There are perhaps two extremes punted around long ago, where it's > been alleged some reverse-DQ requests cost £100 each, versus some > requesters only prepared to pay £15/hr for proven effort sorting > out the answers. But where we are today, I don't know. > -- > Roland Perry >

£15 an hour wouldn't even represent cost recovery of salary, let alone overheads, for ANY engineer I've employed in the last 10 years. A realistic minimum charge would be in the order of £35/hour just on a cost recovery basis for low level engineering staff extending to £100/hour for senior staff on the same basis. As to the particular data Peter is asking about NO sane ISP keeps those records, I doubt any insane one does either. 
To do so, even as a one off, would incur significant engineering effort and involve setup costs in the thousands if the existing ISP network was suitably structured to make it a possibility. For many ISPs it might not be possible to do without network re-engineering across an entire network potentially involving effort in the six figure region. The nearest to what Peter's asking for that anybody routinely gathers is netflow data and that is analysed and discarded quite quickly. Also it is strictly statistical rather than accurate, in the sense that there is no guarantee that events have ALL been logged. Even when recorded, netflow data would usually be at a much coarser granularity than Peter's envisioning - e.g. destination AS number rather than destination address. Ian

From zenadsl6186 at zen.co.uk Sat Aug 14 23:01:39 2010 From: zenadsl6186 at zen.co.uk (Peter Fairbrother) Date: Sat, 14 Aug 2010 23:01:39 +0100 Subject: Cost of traffic data access? In-Reply-To: References: <4C65918A.70106@zen.co.uk> <4B1EB3EE-4816-43CA-8A03-CFB000BD6471@batten.eu.org> <4C667211.1080808@zen.co.uk> <4C66A0A6.3030508@zen.co.uk> <6Q857HNkSrZMFAFq@perry.co.uk> Message-ID: <4C671243.8080001@zen.co.uk>

Ian Mason wrote: > > On 14 Aug 2010, at 16:22, Roland Perry wrote: > >> In article <4C66A0A6.3030508 at zen.co.uk>, Peter Fairbrother >> writes >> >>> Roland, do you have even a very rough range for the cost? Thanks, >> >> There are perhaps two extremes punted around long ago, where it's been >> alleged some reverse-DQ requests cost £100 each, versus some >> requesters only prepared to pay £15/hr for proven effort sorting out >> the answers. But where we are today, I don't know. >> > > £15 an hour wouldn't even represent cost recovery of salary, let alone > overheads, for ANY engineer I've employed in the last 10 years. 
> A realistic minimum charge would be in the order of £35/hour just on a > cost recovery basis for low level engineering staff extending to > £100/hour for senior staff on the same basis. > > As to the particular data Peter is asking about NO sane ISP keeps those > records,

I thought that it was part of the voluntary data retention programme to keep that data for 4 days? It's also part of the EU directive which no-one seems to be implementing. But all that doesn't matter. Any one of several thousand designated persons (there are 1,715 designated Policemen alone, plus people from the army, navy, mi5, mi6, gchq etc) can serve an ISP a notice demanding the next month's data - the only question is cost. I agree £15 per hour is too low for the required geekery, but eg the ISP has to have interception equipment in place which could do that traffic data collection job, and it isn't exactly hard anyway. Raw netflow records contain all the needed data, for instance, and if an occasional one is missed out it doesn't really matter as far as breaking Tor anonymity goes. With access to the traffic data from about 20 selected exit nodes you can break most people's Tor anonymity. -- Peter Fairbrother

From lists at internetpolicyagency.com Mon Aug 16 10:20:22 2010 From: lists at internetpolicyagency.com (Roland Perry) Date: Mon, 16 Aug 2010 10:20:22 +0100 Subject: Cost of traffic data access? In-Reply-To: References: <4C65918A.70106@zen.co.uk> <4B1EB3EE-4816-43CA-8A03-CFB000BD6471@batten.eu.org> <4C667211.1080808@zen.co.uk> <4C66A0A6.3030508@zen.co.uk> <6Q857HNkSrZMFAFq@perry.co.uk> Message-ID:

In article , Ian Mason writes > >On 14 Aug 2010, at 16:22, Roland Perry wrote: > >> In article <4C66A0A6.3030508 at zen.co.uk>, Peter Fairbrother >> writes >> >>> Roland, do you have even a very rough range for the cost? 
Thanks, >> >> There are perhaps two extremes punted around long ago, where it's >>been alleged some reverse-DQ requests cost £100 each, versus some >>requesters only prepared to pay £15/hr for proven effort sorting out >>the answers. But where we are today, I don't know. > >£15 an hour wouldn't even represent cost recovery of salary, let alone >overheads, for ANY engineer I've employed in the last 10 years. A >realistic minimum charge would be in the order of £35/hour just on a >cost recovery basis for low level engineering staff extending to £100/ >hour for senior staff on the same basis.

The sort of people who respond to requests from law enforcement are not engineers (because they generally only have to extract information from existing systems, set up for the purpose - if anything they are more akin to para-legals because the requests need to be validated), but the rest of what you say mirrors the industry's reaction at the time: "I'll find if I have anyone I pay that little to and see how long it takes them to do it".

>As to the particular data Peter is asking about NO sane ISP keeps those >records, I doubt any insane one does either. To do so, even as a one >off, would incur significant engineering effort and involve setup >costs in the thousands if the existing ISP network was suitably >structured to make it a possibility. For many ISPs it might not be >possible to do without network re-engineering across an entire network >potentially involving effort in the six figure region.

And requests can only be for data that the ISP is "capable of obtaining" 22(4) and is "reasonably practicable for him to do" 22(7), which I'm confident (without actually examining the latest codes of practice, but it was a criterion when I last worked in this area) *excludes* engaging in brand new engineering projects simply to fulfil the request (let alone the proportionality and ban on fishing expeditions - 22(5)). 
-- Roland Perry

From lists at internetpolicyagency.com Mon Aug 16 11:03:42 2010 From: lists at internetpolicyagency.com (Roland Perry) Date: Mon, 16 Aug 2010 11:03:42 +0100 Subject: Cost of traffic data access? In-Reply-To: <4C671243.8080001@zen.co.uk> References: <4C65918A.70106@zen.co.uk> <4B1EB3EE-4816-43CA-8A03-CFB000BD6471@batten.eu.org> <4C667211.1080808@zen.co.uk> <4C66A0A6.3030508@zen.co.uk> <6Q857HNkSrZMFAFq@perry.co.uk> <4C671243.8080001@zen.co.uk> Message-ID:

In article <4C671243.8080001 at zen.co.uk>, Peter Fairbrother writes >>>> Roland, do you have even a very rough range for the cost? Thanks, >>> >>> There are perhaps two extremes punted around long ago, where it's >>>been alleged some reverse-DQ requests cost £100 each, versus some >>>requesters only prepared to pay £15/hr for proven effort sorting out >>>the answers. But where we are today, I don't know. >>> >> £15 an hour wouldn't even represent cost recovery of salary, let >>alone overheads, for ANY engineer I've employed in the last 10 years. >>A realistic minimum charge would be in the order of £35/hour just on >>a cost recovery basis for low level engineering staff extending to >>£100/hour for senior staff on the same basis. >> As to the particular data Peter is asking about NO sane ISP keeps >>those records, > >I thought that it was part of the voluntary data retention programme to >keep that data for 4 days?

That was entirely aimed at keeping data you already had - in particular the web proxy logs. 4 days was chosen as the compromise between speed of request by Law Enforcement (it allows long weekends plus one day) and the size of file.

>It's also part of the EU directive which no-one seems to be implementing. > >But all that doesn't matter. > >Any one of several thousand designated persons (there are 1,715 >designated Policemen alone, plus people from the army, navy, mi5, mi6, >gchq etc) can serve an ISP a notice demanding the next month's data - >the only question is cost. 
No, there are also tests of proportionality and "practicability"

>I agree £15 per hour is too low for the required geekery, but eg the >ISP has to have interception equipment in place which could do that >traffic data collection job, and it isn't exactly hard anyway.

I see another "what is interception" debate breaking out here. How many innocent subscribers are you allowed to intercept, to extract some traffic data for the one target under investigation? -- Roland Perry

From zenadsl6186 at zen.co.uk Mon Aug 16 16:43:37 2010 From: zenadsl6186 at zen.co.uk (Peter Fairbrother) Date: Mon, 16 Aug 2010 16:43:37 +0100 Subject: Cost of traffic data access? In-Reply-To: References: <4C65918A.70106@zen.co.uk> <4B1EB3EE-4816-43CA-8A03-CFB000BD6471@batten.eu.org> <4C667211.1080808@zen.co.uk> <4C66A0A6.3030508@zen.co.uk> <6Q857HNkSrZMFAFq@perry.co.uk> <4C671243.8080001@zen.co.uk> Message-ID: <4C695CA9.2010007@zen.co.uk>

Roland Perry wrote: > In article <4C671243.8080001 at zen.co.uk>, Peter Fairbrother >> But all that doesn't matter. >> >> Any one of several thousand designated persons (there are 1,715 >> designated Policemen alone, plus people from the army, navy, mi5, >> mi6, gchq etc) can serve an ISP a notice demanding the next month's >> data - the only question is cost. > > No, there are also tests of proportionality and "practicability"

Out of 2,000+ people, isn't at least one of them going to think that potentially catching 20 pedophiles or stopping a bombing is more important than collecting some traffic data from people who are trying to hide it? It's a common belief among coppers that they have the right to see comms data, and people who are trying to hide must be up to no good. As for practicability, I'm told "it would only take a couple of commands and a daily email if the ISP has IPFIX installed, which most do, as it's the industry standard." Replaced NetFlow apparently.

> I see another "what is interception" debate breaking out here.

Nope. It's not interception. 
Maybe it should be, but it isn't. -- Peter F

ps relevant bits from the CoP: http://tna.europarchive.org/20100419081706/http://security.homeoffice.gov.uk/ripa/publication-search/general-publications/ripa-cop/acquisition-disclosure-cop?view=Binary

I doubt this would stop many coppers, and especially not GCHQ etc.

2.5 The designated person must believe that the conduct required by any authorisation or notice is necessary. He or she must also believe that conduct to be proportionate to what is sought to be achieved by obtaining the specified communication data - that the conduct is no more than is required in the circumstances. This involves balancing the extent of the intrusiveness of the interference with an individual's right of respect for their private life against a specific benefit to the investigation or operation being undertaken by a relevant public authority in the public interest.

2.6 Consideration must also be given to any actual or potential infringement of the privacy of individuals who are not the subject of the investigation or operation. An application for the acquisition of communications data should draw attention to any circumstances which give rise to a meaningful degree of collateral intrusion.

2.7 Taking all these considerations into account in a particular case, an interference with the right to respect of individual privacy may still not be justified because the adverse impact on the privacy of an individual or group of individuals is too severe.

2.8 Any conduct that is excessive in the circumstances of both the interference and the aim of the investigation or operation, or is in any way arbitrary will not be proportionate. 
From pgut001.reflector at gmail.com Wed Aug 18 07:32:03 2010 From: pgut001.reflector at gmail.com (Peter Gutmann (alt)) Date: Wed, 18 Aug 2010 18:32:03 +1200 Subject: Civil Evidence Act 1995 and changing GP systems In-Reply-To: <4C5FC9DC.7090208@pmsommer.com> References: <34FDBD09AF834939BF3B67393ACFABFD@MaryPC> <4C5FC9DC.7090208@pmsommer.com> Message-ID: Peter Sommer writes: >The main purpose of the Civil Evidence Act 1995 was to admit hearsay evidence >and to provide associated conditions. Section 7 made it possible to admit >copies of documents and section 8 allowed for the admission of "records" of a >business or public authority provided there was an affidavit / certificate >that the records formed part of the regular business activity. This sounds exactly like the Business Records Exception for the US Federal Rules of Evidence, was there a deliberate attempt to emulate this? Australia has the same thing in Section 69 of its Evidence Act of 1995, I wonder if there was deliberate cross-pollination there or if it was just coincidence? Hmm, and the UK one seems to be in section 9, "Proof of records of business or public authority", not 8, if I'm reading it right. Peter. 
From nbohm at ernest.net Thu Aug 19 16:05:09 2010 From: nbohm at ernest.net (Nicholas Bohm) Date: Thu, 19 Aug 2010 16:05:09 +0100 Subject: Experian and benefit fraud In-Reply-To: <01bqCab$77YMFAvh@perry.co.uk> References: <4C617869.9040506@zen.co.uk> <4C628114.2060206@andros.org.uk> <0zTKDoYeHtYMFAPd@perry.co.uk> <4C62D57C.2070809@ernest.net> <01bqCab$77YMFAvh@perry.co.uk> Message-ID: <4C6D4825.1030502@ernest.net>

On 12/08/2010 10:29, Roland Perry wrote: > In article <4C62D57C.2070809 at ernest.net>, Nicholas Bohm > writes >> the fact that you may owe a contractual duty of disclosure to a >> lender is no justification in law for a third party breaking a duty of >> confidence owed to you for the purpose of making the disclosure you >> ought to make, since the third party is a stranger to the contract. > > It's been suggested (on another list) that it's fraudulent to acquire > loans that you wouldn't be entitled to if the lender knew your real > circumstances, and as such might fall under the increasing web of > anti-fraud provisions?

It's fraud to misrepresent facts, expressly or impliedly. It's only fraud to fail to disclose facts where you are under a legal duty to disclose them (contrast ss 2 and 3 of the Fraud Act 2006 - www.legislation.gov.uk/ukpga/2006/35/crossheading/fraud). So it probably becomes a question of whether applying for a loan aimed at people in particular circumstances when they do not apply to you amounts to a misrepresentation. Usually the application form would put the matter beyond doubt by requiring a representation about the relevant facts, so it's a bit of an edge case where that elementary precaution is omitted, and some red-faced bank is left trying to show an implied representation. (Sorry about late response.) 
Nicholas -- Contact and PGP key here

From maryhawking at tigers.demon.co.uk Sun Aug 22 08:33:45 2010 From: maryhawking at tigers.demon.co.uk (Mary Hawking) Date: Sun, 22 Aug 2010 08:33:45 +0100 Subject: Bank signatures - not crypto Message-ID: <35CF6DF4974B479A941D40F7FA873AC5@MaryPC>

Sorry to ask this here, but can anyone tell me how banks are supposed to acquire specimen signatures for cheques or point me to any relevant URLs? My bank refused to honour a cheque on the grounds that it did not match the mandated signature. With some difficulty, I got a sight of the said signature, obtained in 2002 and scanned in in 2004. The bank is unable to tell me where the signature came from: it could have been from something I signed or taken from a cheque. Surely there must be some regulations or at the least internal bank regulations on this? Seeing I've been with the same bank since 1961 and the same branch since 1979, it seems a bit odd to only get a signature in 2002! (and it has become more flamboyant compared to the signature they hold - so why have other, similarly large, cheques been honoured without problems?) Mary Hawking

From nbohm at ernest.net Sun Aug 22 10:50:29 2010 From: nbohm at ernest.net (Nicholas Bohm) Date: Sun, 22 Aug 2010 10:50:29 +0100 Subject: Bank signatures - not crypto In-Reply-To: <35CF6DF4974B479A941D40F7FA873AC5@MaryPC> References: <35CF6DF4974B479A941D40F7FA873AC5@MaryPC> Message-ID: <4C70F2E5.6060007@ernest.net>

On 22/08/2010 08:33, Mary Hawking wrote: > > Sorry to ask this here, but can anyone tell me how banks are supposed > to acquire specimen signatures for cheques or point me to any relevant > URLs? >

I think this is a matter of banking practice rather than law, and I doubt whether it is touched by regulations (except perhaps tangentially by anti-money-laundering rules about "identifying" customers). 
The place to look would be one of the professional bankers' educational books - I've long forgotten most of their titles (I remember "Byles on Bills", but it's probably irrelevant even if it could be found). course of an account-opening visit to the branch, during which they could check whatever credentials were flavour of the decade. It seems to me very odd indeed for a bank to rely on anything other than a signature expressly provided as a specimen for account management purposes - people often use different signatures for signing cheques from the ones they use for other purposes.

> My bank refused to honour a cheque on the grounds that it did not > match the mandated signature. > > With some difficulty, I got a sight of the said signature, obtained in > 2002 and scanned in in 2004. The bank is unable to tell me where the > signature came from: it could have been from something I signed or > taken from a cheque. > > Surely there must be some regulations or at the least internal bank > regulations on this? Seeing I've been with the same bank since 1961 > and the same branch since 1979, it seems a bit odd to only get a > signature in 2002! > > (and it has become more flamboyant compared to the signature they hold > - so why have other, similarly large, cheques been honoured without > problems?) >

Anybody's guess, unfortunately - just a more than usually careful bit of random scrutiny, perhaps. You should obviously give them a new specimen, but you may have to turn up at the branch to do it. 
Nicholas -- Contact and PGP key here From pwt at iosis.co.uk Sun Aug 22 11:33:15 2010 From: pwt at iosis.co.uk (Peter Tomlinson) Date: Sun, 22 Aug 2010 11:33:15 +0100 Subject: Bank signatures - not crypto In-Reply-To: <4C70F2E5.6060007@ernest.net> References: <35CF6DF4974B479A941D40F7FA873AC5@MaryPC> <4C70F2E5.6060007@ernest.net> Message-ID: <4C70FCEB.9030409@iosis.co.uk> Nicholas Bohm wrote: > On 22/08/2010 08:33, Mary Hawking wrote: > >> Sorry to ask this here, but can anyone tell me how banks are supposed >> to acquire specimen signatures for cheques or point me to any relevant >> URLs? >> > I think this is a matter of banking practice rather than law, and I > doubt whether it is touched by regulations (except perhaps tangentially > by anti-money-laundering rules about "identifying" customers). Recently I found out that my signature for my business account can now be brought up on the screen of a bank terminal, so it would have been scanned (probably quite recently) from my account application a good few years back (not as far back as my personal account opening, which was in 1962). My signature has deteriorated since then... I found out because I tried to contact the bank on their national contact number phone service, but could not because I don't have a permanent magic number for that account and the national phone line refused to let me speak to a real person unless I keyed in that number (yet I happily use their on-line service because they gave me a widget that generates a number, different every time, for me to enter). So I wrote them a letter which they rejected because my signature didn't match... By persisting at the branch where my account is held, I actually got to meet a real banking person and then to see my signature on the screen. My uncle will be turning in his grave - for many years (all his working life after he was demobbed in 47 as still a young man) he worked for that bank under its previous name. 
Peter

From peter at pmsommer.com Sun Aug 22 11:36:46 2010 From: peter at pmsommer.com (Peter Sommer) Date: Sun, 22 Aug 2010 11:36:46 +0100 Subject: Bank signatures - not crypto In-Reply-To: <35CF6DF4974B479A941D40F7FA873AC5@MaryPC> References: <35CF6DF4974B479A941D40F7FA873AC5@MaryPC> Message-ID: <4C70FDBE.3030300@pmsommer.com>

As Nicholas says, this appears to be a problem in banking practice rather than law. In the late 1990s most UK banks embarked on projects to examine the details and "best practice" of scanning print documents, including cheques, into electronic form. The Civil Evidence Act, 1995, meant that it was no longer essential for banks and others to maintain original hard copies - scanning has the virtues of saving space, being much easier to index and hence locate stuff when required, and also the e-versions can be backed up. Colleagues of mine at the LSE helped formulate what became BSI PD0008/0009, which are the applicable standards. (I played a rather minor part). The international, as opposed to the British, version is now ISO15489. Later one of the clearing banks asked us to do some consultancy specific to their implementation of it. Your bank is thus likely to have had many examples from which to obtain the "sample" signature they decided to compare with the one you offered. Peter Sommer

On 22/08/2010 08:33, Mary Hawking wrote: > > Sorry to ask this here, but can anyone tell me how banks are supposed > to acquire specimen signatures for cheques or point me to any relevant > URLs? > > My bank refused to honour a cheque on the grounds that it did not > match the mandated signature. > > With some difficulty, I got a sight of the said signature, obtained in > 2002 and scanned in in 2004. The bank is unable to tell me where the > signature came from: it could have been from something I signed or > taken from a cheque. > > Surely there must be some regulations or at the least internal bank > regulations on this? 
Seeing I've been with the same bank since 1961 > and the same branch since 1979, it seems a bit odd to only get a > signature in 2002! > > (and it has become more flamboyant compared to the signature they hold > -- so why have other, similarly large, cheques been honoured without > problems?) > > //Mary Hawking// > >