Category Archives: Security

No, the “UK national firewall” doesn’t block Boing Boing, EFF and slashdot

Government-mandated web filtering is a really bad idea, for reasons which should be obvious to anyone who’s used the Internet for long. I’m against them: I think it should be up to adults to decide what they see, and for parents to decide what their children see.

However, in opposing them, it’s really important that we don’t go off the deep end and cry wolf about what ISPs are doing. That’s why I find Cory’s post at Boing Boing about how “UK’s new national firewall: O2′s “parental control” list blocks Slashdot, EFF, and Boing Boing” concerning. 

Cory’s post takes it’s lead from another post by Peter Hansteen, which points at o2′s URL checker, which lets you see whether an individual site is blocked by o2′s web filters. The third setting – “Parental Control” – appears to block pretty-much the whole internet.

However, I think this is misleading, and conflating two very different sets of filters. The site checker Peter linked to is, I believe, related to o2′s mobile service, not its broadband service (which is now part of Sky). In common with most mobile companies, o2 has a default blacklist, which can you opt out of easily. It also has a set of much stricter “Parental control” setting which allows parents to tightly lock-down what a child with a mobile can see. It’s this second “Parental control” setting that’s basically blocks everything on the internet, apart from a handful of “child-friendly” sites.

I don’t think this is anything to do with the government mandated porn block. It’s just the same mobile filtering that’s always been there, and that’s common across pretty-much every mobile company. I can’t imagine why anyone would change any child’s mobile to basically block the whole of the internet, but it’s opt-in, and it should be up to the parents.

Sky, which now owns o2′s former broadband service (not the mobile network), does have a system of DNS-based filtering called “Broadband Shield” which is compliant with the government-”requested” filtering system. Although I haven’t run through it, it seems to work like this: when you sign up to Sky as a new customer, you’re presented with filtering options. The default setting is on, but you can change it at this point. (More details in Sky’s response to ORG’s questions about it). The “PG” and “18″ level filtering is, of course, as much riddled with inconsistency as any other filtering system, but it’s not the “OMG BLOCK EVERYTHING” that o2′s mobile parental controls are.

UPDATE: And now this piece on the New Statesman is making the same error, conflating pre-existing filters on a mobile network with Cameron’s “porn blocking” plans. This is crying wolf. The two things are not the same. For the love of god, people, let’s have a grown up debate that actually deals with the facts, rather than sensationalising things.


Did the NSA pay RSA $10m to weaken encryption?

According to a story by Reuters, the NSA paid encryption company RSA $10m to deliberately weaken one of its products by using an encryption algorithm which, presumably, the NSA had already cracked.

Sounds plausible. After all, we know the NSA at least attempted to influence standard-setting bodies to adopt weaker levels of encryption.

But there’s something about this story which doesn’t add up. Once you begin to think about it, this kind of deal doesn’t make sense for either the NSA, or for RSA.

For RSA, doing something like this would be a brain-dead move. Yes, as the Reuters report says, $10m looks big in the context of the $27m made by the division of RSA which allegedly received it. But for the company as a whole, it amounts to less than 2% of its annual revenue of $525m in 2007. And a decision to accept that money would almost certainly have to have been board-level: so why would they have accepted it? Would they undermine their own product – and in a way which they must have known would almost certainly leak at some point? It just looks unlikely.

For the NSA, why bother when there are more effective and secretive ways of achieving the same goal? Why not simply plant an employee in RSA with access to the code? Why not quietly pay a very senior individual (or individuals) to buy their compliance? Why not hack into the company and plant your own back door? After all, this is an organisation capable of planting malware in top secret nuclear facilities of another country – breaking into a commercial organisation, by comparison, is trivial. And using methods like bribery, “human intelligence” or hacking gives you a level of plausible deniability that no direct deal with a company could.

Paying the company money – money which would have to be accounted for somehow “through the books” – is the least secure, most probable to leak and thus least-effective option. It seems pretty unlikely to me that an organisation like the NSA would choose to do that, rather than use one of the more covert (and effective) options at its disposal.

UPDATE: RSA has “categorically denied” it was paid to weaken its security. It’s worth reading this post in its entirety, because it includes some details about its decisions.

Computer security doesn’t have to be a binary state

Robert Atkins, on John Grubermissing the point” about the EFF’s “crystal prison” argument:

It’s a pity Richard Stallman is such a boor because he’s actually right about some things: if we aren’t vigilant, the general public will have its legal right to build and run arbitrary software on hardware they own eroded to the point where it’s impossible to do so legally.

What I think both John AND the EFF are missing is that this is not a black/white, either/or argument.

Chrome OS gets this right: you can’t install any executable on the machine at all, or tinker with the operating system in any way. It is, to all intents and purposes, arguably more locked down than iOS. Thanks to the inclusion of TPM, a Chromebook simply won’t run if so much as one byte of its OS code is changed.

But flip a hardware switch on the side, hidden behind a panel, and you have full access to everything. If you want to tinker, you can. But if you want a secure, safe machine you can have that, too.