Saturday, 28 January 2012

On International Data Privacy Day

Europe to Google

Really, Google? You're getting rid of over 60 different privacy policies and replacing them with one that's a lot shorter and easier to read? Gee, thanks for doing that! I do have trouble with anything requiring an adult's attention span. What's that, your new policy covers multiple products and features, reflecting your desire to create one beautifully simple and intuitive experience? Terrific! You believe this stuff matters? Well that's great, just great.

First of all: why oh why, in the name of all that's hairy (and private); why did you ever send this notification to my Sky Mail account? I know you provide their service; but you know, that only makes them, not me, your customer. My contract is with Sky. They carry a privacy policy, to which I've agreed. Your opinions were neither sought nor welcome, and your policy (or policies) has (or have) no dominion over me there.

Secondly: do you never learn? You killed the much over-hyped Google Buzz in 2010 by deliberately implementing and obscuring such default privacy settings as would shame Facebook. You just killed off any last chance of social network success, by enforcing your account naming policy in Google+ (latest feeble "concessions" notwithstanding). Now you impose, without an opt-out, this unification of accounts across all Google services. What makes you think that I will continue to want to entrust any of my business correspondence, private letters, other documents and messages, contact lists, calendars, photographs, videos, even this blog, to such a capricious company? To you, who might delete everything I own at any time, on a whim and without appeal, simply because you suddenly decide you don't like my name?

Thirdly and finally: shut up, sit down, and pay attention. European citizens will not have privacy policies dictated to them by their service providers. Europe shall determine the privacy policy to be applied to, and by, its service providers. That, or else providers will no longer be providers to Europeans.

Sufficient Unto The Day

And the same applies across the pond. Facebook Live, in conjunction with the National Cyber Security Counsel, streamed last Thursday's NCSA event anticipating International Data Privacy Day (which is today). This included the keynote opening speech by Federal Trade Commissioner Julie Brill, but if Zuckerberg and co thought their coverage would smooth the ride, then it's safe to say she surprised them. The full text of her remarks can be read here:

But here are a few samples.
Our enforcement actions in the privacy area are also a call to industry to put important privacy principles into practice. Facebook and Google learned this the hard way.

The Commission’s complaint against Facebook alleges a number of deceptive and unfair practices [...] These include the 2009 changes made by Facebook so that information users had designated private became public.

We also addressed Facebook’s inaccurate and misleading disclosures relating to how much information about users apps operating on the site can access [...] that the company misrepresented its compliance with the U.S.-EU Safe Harbor. And we called Facebook out for promises it made but did not keep: It told users it wouldn’t share information with advertisers, and then it did; and it agreed to take down photos and videos of users who had deleted their accounts, and then it did not.
Google received similar coverage of the FTC's complaint against them in the Buzz era. Both companies settled their respective complaints, and have been left embarrassingly subject to a decades-long regime of shame, rehabilitation, audit and assessment. Yet both seem determined to keep testing and risking their parole.

Facebook and Google: sufficiently evil, unto the day.

Wednesday, 25 January 2012

EU Data Protection Reform 2012

Europe Sets the Standard

The European Commission today proposed a comprehensive reform of the EU's 1995 data protection rules, to strengthen online privacy rights and boost Europe's digital economy. The text of the proposals (pdf) comprises a hefty 91 articles and supporting material, spread over 120 pages. Here, summarised in the form of annotated bullet points, are eight of the most important and/or controversial aspects from an initial reading of today's proposals.
  • One Rule for All
The intention is to introduce a single regulation (law) across all 27 member countries. This contrasts with the 1995 directive, which specified only the desired results. While these results were themselves binding, they were left to the individual states to implement, using their own chosen methods and mechanisms. Nobody seriously considers the outcome of that process, predictably enough a patchwork of 27 variegated rule sets, to have been a resounding success.
  • No Geographical Boundaries
Article 3 declares the scope of the new regulation, which would extend to anyone, anywhere in the world (yes you too, America!), involved in the processing of any personal information, relating to any EU citizen. And by personal information is meant not only names, dates, and places, but also technical data such as IP or Mac addresses; (explicitly) information of a genetic, biometric, or health nature; and so on. Service providers like Facebook or Google must accept these obligations in full, or else deny their services to EU citizens.
  • The Right to Erasure
Article 17 guarantees EU citizens the right to "extended erasure" of their personal data. Not only will the organization that processes personal data have to erase it on demand, but the they will also have to "take all reasonable steps, including technical measures" to get any copy, link, or replication on the Internet removed. Now, although in practice search engine data removal can mostly be automated, data removal from e.g. sites repeating CC-licensed Wikipedia content could be problematic.
  • Data Portability
Article 18 introduces the right to data portability - that is, to obtain a complete copy of stored or active data in a structured format. For example, this will allow users to switch between web mail systems with all their data intact.
  • Mandatory Assessments
Article 30 binds organizations to systematic security risk evaluations; unlawful forms of processing, unauthorized disclosure, dissemination or access, or alteration of personal data must be prevented. Here, the commission reserves the right to define: what constitutes the state of the art, for specific sectors and in specific data processing situations, in particular taking account of developments in technology and solutions for privacy by design and data protection by default.
  • Mandatory Notifications
Article 31, already being dubbed the Playstation Clause, requires organizations to disclose to their supervisory authority, effectively immediately, and in any case within a maximum of 24 hours, any personal data security breach. Sony famously waited one full week before telling their SEVENTY MILLION customers their personal data might have been compromised. This provision has of course come in for immediate and heavy criticism; 24 hours is not a lot of time for the kind of investigations that might be needed to avoid many false alarms. It might also be too short an interval to prepare measures to ensnare hackers, and serve only to warn them their attacks have been noticed and actioned.
  • Enforcement: Data Protection Officers
Article 36 provides for data protection officers, designated in regard to their knowledge on data protection laws, who will be independent, and will receive no instructions pertaining to the exercise of their function. These officers will be mandatory in three prescribed cases, namely:
  1. for any public authority or body;
  2. for any company permanently employing more than 250 persons; and
  3. for any company whose core activity consists of monitoring data subjects [qv].
One important corollary is the end of general notifications to local agencies, which measure alone should simplify the regulatory environment and save an expected 130 million € per annum.
  • Enforcement: Enormous Fines
Article 79 aims to give the legislation the necessary "teeth" to enforce these rules. This it does by providing individual national data privacy agencies with huge administrative sanctions. Various levels are countenanced, depending upon the particular violation, but the headline figures are: up to one million €, and up to 2% of an enterprise's annual worldwide turnover. Just to put that in context, to Microsoft in 2008, that would have come to 1.2 billion € plus tips.


It's a bold proposal, obviously designed to take the lead in the international areas of user privacy, data ownership, and data security. Certain of its provisions appear superficially to be quite "heavy" in their commercial import; some rather impractical, and maybe idealistic, although given the technological representation present and the consultancy that has taken place over the last 17 years, certainly not as naive as recent American proposals in adjacent fields (SOPA, ProtectIP). The Commission has clearly decided to take a stand against the piecemeal, partial, and largely failed implementations of its earlier directive. It will be very interesting to see how and where this extensive new structure flexes under the opposing pressures of commerce and politics in coming months.

Picture: Berlaymont building of the European Commission (Wikipedia).

Friday, 20 January 2012

Alabaster Jones - Glasgow 20/1/12

Pimp My Funk

Last time I set foot in the Classic Grand, Jamaica Street, was in the mid 1970s. My friend Spike and I went to see an X-certificate (18 - yes, we were both underage) porno flick French film of self-discovery called La Vallée. At that time, the small Glasgow movie theatre was renowned for its X-cert fare. So much so, the locals used to call it the Classic Gland, and joke that the clientele all wore plastic macs. However, we weren't there - we told ourselves - to ogle and drool at the pretend humping. The big attraction was actually the film's soundtrack: the Pink Floyd album, Obscured By Clouds. Written and recorded during the Dark Side of the Moon sessions, it does contain a few rather great songs...

Tonight I returned with my wife to the now-converted rock club & live music venue that is the repurposed Classic Grand. As before, the motivation was music. We arrived, as seems usual for us nowadays, just as the last band of this YRock-organised evening took to the stage at 9:30 :-(so we missed all of Picnic Railway, Erin Todd, Rosie Bans, and Motion Play)-:

Named for the King of the Hill Oklahoma City pimp voiced by Snoop Dogg, Alabaster Jones are a band with a solid direction, and that direction is funk. Unwavering, uncompromising, and unadulterated, even though alternative. Now, maybe they will develop an appetite for greater variety one day, when they're free to play longer sets than tonight's (the very, very best part of an hour). That should be quite a day. For who would dare to predict what musical dissertations a band, who number among their influences Prince, Hendrix, and The Mars Volta, might end up writing? But until then, they're playing a winning formula with this relentlessly dirty, alt-funk groove odyssey which they do so well.

Front and centre on keys and main vocals is Paul Loughran, who after the opening one-two salvo of Too Late and Pure Gold, complains about being hit in the back of the legs by the bass drum. The quality keeps rolling out with Brand New Day and the hugely original and catchy Superkrunk! - Andy Mushet's slap happy bass melds satisfyingly with tight syncopation from Liam Cutkelvin's drumwork, turning all of us into dancing fools. Paul answers a certain heckler shouting "Get a haircut!" with "I can't believe I've just been told to get a haircut by my dad!"

What's that intro sound? Wailing and noodling like... is it Pink Floyd again? Dire Straits? Nah, it's Funkatron! A sad story maybe ("That's why I'm mean..."), but in seconds we're back in that familiar warm and funky groove again.

New Song

Down In The Mud is a new song they're premiering at tonight's gig, but I've already downloaded and learned it from Soundcloud, so I'm singing along as Paul gives his humongous keyboard a rest, cavorting and vocalising instead like some over-animated Jay Kay. There's some particularly lovely guitar sketches by maestro Adam Millar in this performance tonight. Next, Funkatron part 2: where the party is at gives all three front men a good workout in vocal harmonies, to great effect. And Grease The Wheels (bring me the butter) provides a fitting Zappaesque finale, reaffirming the band's quirky sense of humour, and sending us off still dancing.

Tonight's gig was filmed. Professionally, with two cameras an' everything! Unfortunately that meant that we couldn't really stroll up to the front to get any action photos of our own, not without spoiling the video project. Second downer of the night: the bar shuts at 10, in order to let the venue reopen as a club at 11. This meant some people had to be happy with one drink, when the ideal number would obviously have been something more in the region of two.

Great gig though. Huge fun. Setlist (with Soundcloud links where available):
  1. Too Late
  2. Pure Gold
  3. Brand New Day
  4. Superkrunk!
  5. Funkatron
  6. Down In The Mud
  7. Funkatron part 2: where the party is at
  8. Grease The Wheels (bring me the butter)
Disclosure: keys and vocals funkmeister Paul is a working colleague of my wife, who insists he is not only a keen and diligent worker, but also one of the nicest blokes you could ever hope to meet. It'll be a sad day for her company when Alabaster Jones get the rewards and recognition they deserve!

Thursday, 12 January 2012

Happy 10th Birthday SDL

Many Happy Returns

Or successful continuations, if that's your programming paradigm of choice. They're busily blowing out candles and popping the fizz over at Microsoft Security Development Lifecycle Group. It's exactly ten years to the day since William Henry "Bill" Gates III,
[...] in response to customer feedback, grabbed his dilemma by the horns, and issued a back-me-or-sack-you directive known lovingly as Trustworthy Computing. Company-wide memos like this were rare. This one went into every department, as company-wide memos are wont to do, and demanded sweeping improvements in the "four pillars" on which the customer experience is based: security, privacy, reliability, and business integrity.
(from my Security 101: Part 2 a couple of years ago).

The Microsoft SDL Blog is itself celebrating with an appropriately crusty reminiscence, Trustworthy Computing’s 10 Year Milestone – Reflecting on Humble Beginnings, by Steve Lipner, Senior Director of Security Engineering Strategy, on behalf of the rest of the Trustworthy Computing team; frankly outdone by Principal Cybersecurity Architect Michael Howard's comprehensive memoir What a Journey It Has Been, and noted in turn by David Burt at the Microsoft Privacy & Safety TechNet blog among countless other well- (and ill-!) wishers.

[As an aside, while you're checking out those accounts, the new SDL post Compiler Security Enhancements in Visual Studio 11 by Tim Burrell (MSEC security science) gives a rare preview of the new /sdl and updated /GS switches.]

Let's join in wishing the Microsoft SDL another ten years of security enhancement and threat mitigation!

Picture of His Billness courtesy of Wikipedia.

Tuesday, 10 January 2012


Just Don't Go There

I've numfuscated the name of this domain, just to try to ensure that you won't end up going there accidentally. But Li1up0phi1up0p reached a significant milestone last week. In an ecosystem of low to medium spread, low to medium profile SQL Injection attacks, many quite serious and mitigated only by these low numbers, this one has over the span of six or more weeks, achieved in excess of one million infected URLs. I've been watching it grow...

Mark Hofman of Shearwater reported on December 1 last year, several websites becoming infected with a SQL Injection script containing the string

"></title> < script src="hXXp://"> < /script>

(or, as I said, something quite like it :-). Checking Google, he found the number of infections at that time to be about 80, covering all versions of MSSQL. Next day, similar checks revealed about 200 infections in the morning, a thousand by lunchtime, and over four thousand that afternoon. One week and 160,000 infected websites into the event, it had become clear the attack was spreading rapidly via several and various automated sources. The most affected single region was .uk, followed by .de and then .com.

Mark's log at the SANS Internet Storm Center blog ISC Diary contains details of database "probing" occurring some time prior to the actual commencement of the attack, and some detailed information about its motive (it's attached to a fake AV scam), while at Kaspersky's ThreatPost, Dennis Fisher reveals something of its modus operandi as it works through various IIS, ASP and Microsoft SQL Server vulnerabilities.

A very similar attack with the moniker lizamoon also achieved a million infections earlier in 2011.

Thursday, 5 January 2012

Scattered Along the River of Heaven

A Happy New Year to everyone who's currently using the same calendar as me.

Here's a great short to kindle your new year, new found, interest in Science Fiction. Aliette de Bodard is an American born, Franco-Vietnamese author and defence video analyst who lives in Paris. She has a strong interest in ancient Aztec, Vietnamese and Chinese cultures. This piece, based on four original poems in ancient Chinese (Qing and Tang) styles, is one of those stories you start re-reading immediately upon finishing it: