IT is not magic pixie dust

Instajustice

Bloody Lawyers, Dutch politics, IT is not magic pixie dust
Published on

The Dutch minister of justice wants to block credit cards which were used to buy child porn (link in dutch). And he wants to do this as soon as the police notices that a particular credit card was used to buy child porn, without involving the courts. It sounds though and decisive, everything a minister in a bit of trouble (due to the Gregorius Nekschot case) needs to bolster his image. Very likely nothing will come of this of course, due to all those nastly little practical details that always derail bright ideas like this. Like, if the police knows somebody has used a credit card to buy child porn, why don’t they arrest them for it, rather than just blocking that credit card? How will the police get this transaction data anyway, and how will the credit card companies be sure it’s the police telling them to block a card and not J. Random Person with a grudge against the person whose card is blocked?

But most importantly, how will the police determine that said card hadn’t had its details stolen for use in some internet scam or other? You might think this a theoretical danger, were it not for what happened in the UK back when their police went fishing for child porn buyers, in Operation Ore. The Yorkshire Ranter has the details:

The killer fact? Many of the credit cards presented for payment don’t correspond to the server log – to put it more brutally, a mysteriously large number of people were paying up in advance but not taking delivery of their smut. In fact, quite a lot of the websites that used Landslide contained no porn, nor anything else, existing purely for fraudulent purposes. The M.O. was to get hold of a list of cards – a black market exists – set up an account, and then run a script that would charge small amounts (say £25) to each, hoping that the payments would go unnoticed.

This is why we have courts, because even when the police is correctly representing the facts as they know them they may very well be wrong about what’s going on. If you go through the courts, you have the chance to test if the police is right in their assumptions; if you don’t, you run a much greater risk of harming innocents, branding people as pedophiles because their stolen credit card data got used for dodgy data. Instajustice sounds great in a soundbyte, but in reality it doesn’t work.


Crossposted from Wis[s]e Words.

Back to the red pencil

'08/12 Election, Dutch politics, Election Skullduggery, IT is not magic pixie dust
Published on

Not every political campaign can boast that it only took two years for their goals to be reached, but that’s exactly what the Dutch campaign against voting computers can do. Of course to a certain extent they were swimming with the political tide, so to speak. The election disasters in Florida in 2000 and Ohio in 2004 had shown the dangers of relying on voting computers and how easy they could be manipulated by people with malign intents, and when that theoretical danger turned out to be not so theorethical as both types of voting computer in use in the Netherlands turned out to be easily hackable, things came to a head. Already the most vulnerable machine had to be withdrawn just before the last elections and last year a parliamentary commission to investigate voting systems came with their proposal for a safer voting computer, but even this turned out to have problems. So last week the ministry of home affairs bit the bullet and decided to go back to the red pencil.

Now if only the US followed suit. (Hattip: Avedon.)

The traffic cam works for Uncle Sam

IT is not magic pixie dust, Policing, UK politics, War on Terror
Published on

If there’s one group that’s done well out of “9/11” is the collective security and intelligence services of the United States and Europe, who have been able to justify ever increasing demands for data collecting and sharing and the accompanying invasions of privacy in the name of fighting terror. You’re already fair game if you’re flying to (or even near) the US, or if you make an international bank payment, not to mention that on both sides of the Atlantic your internet and telephone traffic is monitored as well. But now it seems that even car journeys will be monitored by the CIA, as it seems that enforcement agencies in the US and elsewhere have access to British traffic camera data:

The certificate specifically sets out the level of data that can be sent to enforcement authorities outside the European Economic Area (the EU plus Iceland, Liechtenstein and Norway) by anti-terrorist officers from the Metropolitan Police. It says:

“The certificate relates to the processing of the images taken by the camera, personal data derived from the images, including vehicle registration mark, date, time and camera location.”

A spokesman for Richard Thomas, the information commissioner, confirmed that the certificate had been worded so that the images of private cars, as well as registration numbers, could be sent outside to countries such as the USA.

Officers from the Metropolitan Police have been given the right to view in “real time” any CCTV images from cameras that are meant to be enforcing the congestion charge.

Sources said that officers would access the cameras on behalf of overseas authorities if they were informed about a terrorism threat in the UK or elsewhere. They would then share the images, which can be held for five years before being destroyed, if necessary.

I can’t imagine anything useful will ever come out of this or what the reasoning behind this granting of access is, other than doing it just because it’s possible. Even having local police have access to traffic camera data is questionable, as unless they have a pretty good idea who they’re looking, it isn’t going to help them catch terrorists or other bad guys, except by accident.

When greed and cluelessness combine

Internet, IT is not magic pixie dust, Life under Capitalism
Published on

Do you know what Phorm is? If you think it’s just a particularly bad misspelling of prom, you’re not alone; this is one of those stories that has largely remained hidden in geek circles. What Phorm does is enable your ISP to serve you adverts without your consent by hacking your internet traffic. Everytime you do anything on the internet you need to sent a traffic request through your ISP’s servers, at which time it stores the request in some database, which Phorm uses to built up a profile of you and your interests. This information is then used by subscribing websites to put up adverts which are targeted at those interests. It works a bit like Google adwords, but Google adapts its ads to the website they appear on, but not to its visitors. Google assume that if you visit a knitting website, you’ll like ads about knitting. Phorm reckons that if you visit a knitting website, but spent most of last week looking at AffordableKittens.com that you would like to see ads about affordable kittens.

Sounds benign? Not quite, as all your internet traffic is stored and analysed which Phorm says is done anonymously, but we all know that doesn’t work that way in real life. Especially since it depends on your ISP to work, because only by installing the Phorm server there can they capture all your internet traffic –including e-mail. And of course, your ISP knows what IP address you use, who are, where you live, etc. The temptation to use all that juicy data to bring you offers you can’t refuse to your doorstep –well, do you trust advertisers to resist it? If you don’t, you might want to avoid BT, Virgin or Talk-Talk as your internet provider… Luckily this “service” is only being used in the UK so far.

All of this is bad enough, but then Alex discovered something much more alarming about Phorm: it doesn’t just snoop, it adds its own little snippets of code to your URL requests, which means bad guys can use it to hijack your browsing and, well, let Alex explain it to you:

OK. So not only were they snooping, but Phorm actually injects not just data – like a cookie – but code into your URL requests, so their customer websites react differently as a result. It’s especially worrying that what they are adding is JavaScript; it’s not just data, it’s program logic. It does things. And, as any user of modern Web 2.0 services should realise, you can do all kinds of things with it – for example, you can call other web servers from within a web page without reloading. There is no way for you – the person whose BT, Virgin or Carphone Warehouse billing record stands behind the IP address that stands behind the identifier Phorm assigned – to know what such code does until after the fact.

Now, consider this; the good people of F-Secure unpicking the latest trend in security threats, the iFrame injection. It works like this – a lot of websites catch the search requests they receive and cache them, either to speed up the search process or to provide suggestions with the search results. This means that the search string…appears in a web page on their servers. So, if you fire enough popular search terms (which you can get from their website…) in, and append your attack code, there’s a chance it’ll get cached. And then, a visitor who uses the same search terms will get a page that contains the attack code; JavaScript is executed in the client side – i.e on the visitor’s computer – so you’re in.

So, let’s put them together; if you’re a Phorm customer, you can get the interests and web habits (and billing data?) of everyone in the UK delivered to your dodgy website in real time, and then you can reload anything you damn well like in their browser based on that information. Suddenly – let’s back off here. It’ll be someone unpopular. At first. So bnp.co.uk or alghuraabah.co.uk sends you to www.sweeticklekiddiesandtentacles.203vggngh65t7.biz.cn; and there’s fuck all you can do about it, except try to explain the concepts of “deep packet inspection”, “iFRAME SEO injection”, and the like to a court of law.

Oops.

Have Expat Democrats’ Primary Votes Counted? Who Knows?

'08/12 Election, Election Skullduggery, IT is not magic pixie dust, US politics
Published on

If you are a left-leaning US expat in Europe, whoever you voted for in the primary – if you voted – I bet it felt fantastic to finally be able to do something politically positive for once.

Though not all the results are in yet, Clinton is ahead and Obama has pledged to take it all the way to the convention. The margins are narrow and small numbers could make a difference.

But did your overseas vote even count?

According to The Register and an American academic at the University of Bath whoever you preferred, Clinton or Obama, your vote may not have counted and there’s no way to tell:

Joanna Bryson, an American citizen living in the UK, used the system to cast her ballot on Tuesday, and the experience has left the computer science lecturer at the University of Bath questioning how anyone could possibly verify its accuracy, should it ever come to that.

Upon casting her ballot, Bryson says she got a message encouraging her to print out a receipt of her vote. That’s a common enough technique in elections that’s designed to aid poll workers in the event of an audit. What was unusual in this case is that the receipt contained only one piece of information: the candidate she voted for. There was no bar code, serial number or other mark to distinguish her receipt from thousands of others that might be printed out by other American expatriates.

Typically, receipts contain additional information that provides a unique identifier while still preserving a voter’s anonymity. In the event fraud is suspected, auditors check a small sample of the receipts against the recorded results and look for irregularities. It’s unclear what the benefit is of a receipt that records nothing other than the chosen candidate.

“Either they’re incompetent or it’s an empty gesture,” Bryson says.

More...

Doubts have been expressed already about the reliability of primary voting technology. Our old friends Diebold and optical scanning are still in use and as unreliable and easily subvertable as ever. Add to that a new online voting system shown to be unverifiable and you’ve got a trust problem.

A canny candidate could use such a situation to their advantage – after all, how did Bush get elected not once, but twice?

I name no names and make no accusations but the Clinton campaign, for example, has shown itself quite ready to go as far as to challenge the right to cast a ballot in order to gain immediate political advantage. Not many scruples there.

It’s funny, Bush the Elder was all about the process too – I wonder if Bill learned something while they swanned about the globe together on their bipartisan world tour & photop mission of mercy post-Aceh?

More on the reliability or otherwise of Democrats Abroad’s primary voting process here.