Monday, 3 August 2015

#CryptoWars - why back doors in iMessages are stupid

Obviously that is a tad convoluted, and you might expect the phone to be able to work out keys to use automatically, but it raises serious questions.

With end to end encryption any "back door" has to be added by the sender. This means that if, say, someone in China texts someone in America, the sending phone has to add the necessary "back door" keys at the start. Now, US may be able to bully Apple in to adding their keys, perhaps by making US laws, but what if Chinese made laws saying Apple was not allowed to do that when on Chinese soil?

Even if you changed it to be a server based solution, what country wants to entrust all message intercepts on such a popular platform to the control and whims of a foreign country - we need end to end encryption to protect us, and countries need to insist on it to protect their citizens.

As I also ask at the end of the video - is this only down to the country you are in, or is the sender's (and recipient's) nationality a factor too? How would Apple know that?

But then whose keys are included at the sending end, in what circumstances, and by what legal jurisdiction?

Friday, 31 July 2015

Crypto wars

Is the UK trying to ban iMessage, FaceTime, Whatsapp? Seems unclear - they make contradictory statements about encryption being important but also about needing access to communications. Let's try something simple - assume governments get some "back door keys" in there...

If a British citizen with an iPhone purchased in France and roaming in Germany iMessages a Chinese citizen roaming in Sweden using an iPhone purchased in Denmark, which government's keys need to be inserted in the iMessage communications by an American company (Apple) legally based in Luxembourg using servers hosted in Eire?

Baroness Howe at it again

Once again mentioned in The Lords, albeit more indirectly: "One of them even boasted of the fact that it deliberately did not filter". That pretty much has to be us, A&A.

Would she be so condescending to a phone company saying that they do not listen to, and filter, what you say on the phone, I wonder?

Once again, I say to the Baroness here:
  1. We already offer our customers an unavoidable choice regarding filtering when ordering.
  2. We already confirm customers are over 18, and are happy to link to any freely available external validation system that she wishes to put in place for that.
  3. We already provide help and advice for parents wishing to actually be parents and look after their children.
For those that do not know, the choice is like this :-

I have removed the comment about moving to North Korea if you want filtering. At this rate, their ISPs will be suggesting you come to the UK for censorship!

We already (as you see in that image) suggest we can set up alternative DNS (e.g. OpenDNS) that can avoid children accidentally accessing unsavoury parts of the Internet. This is about the best any ISP could actually do as anyone determined to access something can easily bypass the filters any ISPs include.

We also lack the actual evidence that access to porn is harmful anyway. I would be happy to stop my kids (when they were younger) accidentally finding smut on the Internet, but if my son accessed it when he was in his teens, that is not something I could have stopped even if I wanted to, and is there actual evidence that it is a problem? What we need is education so that young adults understand the context of porn - like any fiction on TV depicting unreal scenarios and not "how you do things in a real relationship".

Of course, we also have the fact that such filtering it likely to fall foul of EU wide net neutrality rules that are coming in to place.

We also have the fact that such filters are against mere conduit EU rules, and perhaps even against the Computer Misuse Act.

I assume her Bill will, again, fall flat on its face. If it does not, it seems we will have little problem complying and probably already do.

P.S. Sorry if not obviously, but if you pick the "Censored" option you cannot place your order and the message suggests you choose another ISP. That is a choice anyone can make.

Thursday, 30 July 2015

Nearly slamming

Well, we have found a case where clearly OFCOMs plan for transfers is not designed that well!

We have a customer leaving, moving out of his house, and ceasing service. Fine, no problem

We put a cease order in to BT, only to find that the new occupant has already ordered phone and broadband on the line.

Because their order went in before we put in the cease, the order has gone in as a migrate, causing a 10 working delay for the new customer, which I am sure is much to their annoyance.

Bear in mind, new occupier could have done the order 10 working days ago to align with the day they move in, or a week ago nor realising the 10 working day thing, so an extra week delay. It looks like that did it a couple of days ago. All of this is actually quite sensible for the person moving in, and as a migrate it saves them money...

The problem is we cannot now cease the line. We are stuck with it - in this case for 12 more days and stuck paying for it until then.

Now, this is not a lot of money, but it is more the principle of the matter. We have ceased!

What adds to the problem is our systems have been carefully coded to match the messages we get from BT. The cease being rejected has unset the cease date and billed the customer ongoing (and if left will charge up to the new migrate date) even though our customer asked for it to be ceased.

Obviously we are sorting the billing to our customer, but we have the same issue with BT now. We want it ceased and BT are rejecting that. I think we'll make a billing dispute of this one to highlight the problem to BT.

However, our customer is likely to be exercising his right to treat this as slamming and click the link in the email we sent him and cancel the migrate. He did not, after all, authorise it! This will allow our cease to go through (if we put it in quickly enough), and then new customer will have to order as a new provide and not as a migrate and it will cost them more.

This is a mess! Personally I think our cease should be accepted, stopping billing to us, and if the migrate order had a CRD (Customer Required Date) that was sooner than the 10 working days, move the migrate back to match. That way this scenario would work for us and our customer, and allow the new customer the cheaper "migrate in" option without the extra lead time.

It would also allow us to expedite an outgoing migrate at the request of our customer by submitting a cease after notified of the outgoing migrate. This could be very good for customer service generally.

I'll suggest to BT, but I doubt it will get fixed.

Friday, 24 July 2015

Holy cow - man cave may happen!

Well, the man cave, or garage, or perhaps "Binfield Engineering Centre" may actually come to pass, at last.

First off the boiler needs moving in to the utility room next to the garage, and that means also moving the sink, tiling the floor, new cabinet and cupboards. But that is actually starting with the boiler move on Wednesday. It really is happening!

The council confirmed, finally, that there was no requirement for planning permission as this sort of conversion is "permitted works". They have a pre-planning enquiry form on the web site which was something like £45, and they check if the work needs permission or not. I was able to upload photos and a diagram - the site actually worked quite well. Ironically, I did not have to move from my desk to sort a plan and photo as I just grabbed google earth / street view shots. That is the final hurdle before we actually get started - so the garage is finally going to happen.

Once the utility room is done, it looks like work can start on the garage in two weeks time. Raising/levelling the floor, blocking one tiny window, building wall with door way and windows where garage door was, and so on.

Then I have to really consider the internal fittings, work-top, "bar", shelving, cupboards, sofa, TV, loads of things to think of.

I'll have to start taking some proper pictures of all of this as work progresses.

Update: We have some MDF shelves we need removing ready to re-do the walls... Sandra wants them intact, else this would have been easy! They were not actually screwed to the wall, so should be simple, or so we thought.

  • Looked like jammed in on right/left to plaster board, so I managed to remove the plaster board and wood, and still did not move. I could get it to move away from the wall a bit on the left.
  • James tried - he could move it a bit, but managed to put feet through the plasterboard in the process! Good job we are re-doing the dry lining.
  • James then tried using a tow rope, no joy.
  • James then tried three claw hammers (why do we have three claw hammers?) and was wedging them in at the top and moving them right a bit at a time - no joy.
  • James then tried a car jack, and managed to punch a hole in the plaster instead of moving the shelves.
  • James tried again, car jacking against the brick wall behind, and managed to twist the whole shelving unit but no more.
  • James finally car jacked against the brick wall on the top right, and popped it out - it was simply wedged top to bottom, floor to lintel on the right.

Thursday, 23 July 2015

116000 more important than 999?

OFCOM GC20 is not that new, but I had not spotted it before (not good). Thanks to the couple of customers that asked about 116000, and we're routing 116 numbers now. However, reading it has opened a new can of worms.

Oddly it seems to provide some rather onerous and even impossible requirements on a lot of people, and even give OFCOM some powers that seem rather far reaching.

GC20.1 is not too bad as it has a caveat of "technically and economically feasible", and basically means allowing numbers in EU to be called.

GC20.2 is hard to parse, sorry. I'll update when I understand it.

GC20.3 seems to give OFCOM super powers. It allows them to require any telephone number to be blocked for fraud or misuse, but also allows any Public Electronic Communications Services to be blocked for fraud or misuse. Now, PECS covers a mess of definitions, but reading the comms act that covers quite a few things - it could, I think, cover email, for example. This means OFCOM could block email addresses or other things.

This sounds like OFCOM could block any broadband or phone line even as they can block a whole service if they like, for something as vaguely defined as "misuse". That is quite a power OFCOM have granted themselves!

GC20.4 covers international call pricing.

GC20.5 is an issue though: "The Communications Provider shall ensure that any End-User can access a hotline for missing children by using the number “116000”".

GC20.6 is a huge problem: "For the purposes of this Condition, “Communications Provider” means a person who provides an Electronic Communications Network or an Electronic Communications Service."

It is these last two that are the problem - the whole of GC20 only makes sense for public telephone service providers, but GC20.6 means it applies to anybody that provides electronic networks or services even if not to the public. It applies to all types of network and services, not just telephone.

Even the requirements for 999/112 calling only apply where someone provides telephone service that allows calls to numbers in the national dialling plan. i.e. a naked DSL does not have to do 999. An incoming calls only line with no dial tone does not have to allow 999. This seems to mean that access to 116000 is massively more important than access to 999/112 in OFCOMs eyes.

And to be honest I am not sure what the hell 116000 is meant to be for - if I had a missing child I'd call the police. Why the hell is a special number needed for this? Will there be a stolen bike helpline next? This is not even the equivalent of childline for kids to call, which might make sense as a special EU wide number. Why the hell is 116000 so special that it has to be callable even from lines and services that would not have to allow 999/112 calls?

This also means that broadband only lines are no longer valid - we have to allow 116000. It means SDSL, EFM, fibre Ethernet are not allowed as they all have to ensure access to 116000. It means BT's new single order GEA (FTTC without phone line) will not be allowed as it has to allow 116000. It means a wifi provider (even if not providing to the public) has to ensure access to 116000. Does your wifi at home (assuming you "provide" it to others in the house) ensure they can call 116000?

What the hell are OFCOM thinking this time???

We're all big fans of the IT Crowd at A&A :-)
Posted by AAISP on Thursday, 23 July 2015

Wednesday, 22 July 2015

Private mobile data networks

I read the story about Jeeps being hacked. Scary!

What is interesting is the total lack of security on the mobile side - it seems the manufacturer had SIMs on Sprint mobile network which simply operated on private IP addresses but still on Sprint's network. This allowed anyone with a Sprint SIM to access the cars systems.

One of my customers just commented on irc basically "Should've gone to A&A", in that we do private network data SIM cards for UK use where the SIM connects back to us, and can connect on to a private LNS on a corporate network allowing the IP traffic to be private to that network. It would, with a very simple set up, allow someone to run a completely private corporate mobile network from one SIM card upward for very low cost.

But this is "simple", in that it allows open, unencrypted, IP traffic to and from the mobile device and the corporate network relying entirely on the mobile and ISP networks to provide that security. It works well. It is great for things like iPads and the like that can "just work" out of the box and find themselves on the corporate LAN behind the corporate firewall without a complicated VPN set up.

Of course, doing this for cars would have the issue that you just get one of the SIMs from a car and have access to the car network. This, fortunately, is one line of firewall config on the LNS to stop car to car traffic (he he "traffic", and "cars", sorry, LOL).

Even so, and even though this is a solution we sell, this is far from the solution that should be used for access to a car! The link should use a secure and validated encrypted communications channel - essentially a VPN. This would allow the car to be sure that it is talking to the manufacturer, and would also allow the car to communicate safely via any IP connection to get there (WiFi or mobile) and so not tie the manufacturer to one SIM/mobile set up.

Hopefully they will learn! It sounds like there will be laws to make them learn!