igb's posthaven

HTTP/2.0 and so on

2017-03-28T09:18:32Z

More nerdery, I'm afraid.

As I've got my fingers in certificates and web servers, and as I have the vague justification that it's never cool when students point out some new security wrinkle I don't have on batten.eu.org, I had another trip around the update everything houses.

I've now added DNS CAA records, which specify which CAs should issue my certificates. The idea is that if someone manages to convince another issuer to issue a batten.eu.org certificate, there's a chance that either they'll notice they shouldn't, or that a third party will notice the mis-match.

I've also, after some thrashing around, brought up HTTPv2 support on my servers (required recompiling OpenSSL in all cases, as to do it properly needs >= 1.0.2 and most OSes still ship with 1.0.1).

And hah! https://www.ssllabs.com/ssltest/analyze.html?d=www.batten.eu.org&latest A+ across the board.

The only warnings are that some elderly machines with modern browsers (ie, old crypto libraries, but new browsers that do HTTPv2) regard the cipher suite they end up negotiating as deprecated: all the Cipher Block Chaining ciphers are blacklisted in HTTPv2 in favour of Galois Counter Mode (or Counter Mode, more generally). I'm not going to fix this: people should not (H/T @gbrightn) use ancient operating systems, and anyway the cipher wouldn't be marked as blacklisted were it not for the presence of HTTPv2, so HTTP/1.1 would be perfectly happy using it.

The World. Grim.

2017-01-31T21:06:43Z

I've remarked in various places that the Labour Party is currently in such disarray that if Theresa May kicked off a general election campaign with an hour of drowning kittens on live television she'd still win by 100 seats, or words to that effect. It's basically Leo in The West Wing:

"To sweep all fifty states, the President would only need to do two things-- blow the Sultan's brains out in Times Square, then walk across the street to Nathan's and buy a hot dog."

Which is all good knockabout politics, although I don't hear anyone, _anyone_, whether in the pub or in a CLP meeting, who takes Labour winning in 2020 are requiring anything less than a multi-dimensional miracle.

Unfortunately it does bring up one grim thought to depress me (and I've stopped listening to Today, that's how bad it is). At the moment, there is little the Tories need fear with regard to losing an election, and on the current trajectory with an increased majority, too. Abolish all free education past the age of 11? Fifty quid to see a GP? Declare war on Switzerland and make the eating of Toblerone an act of treason? Whatever: they still win in 2020. There is almost no policy, no matter how toxic, that the Tories could enact which gets the current Labour front bench into office. All the Tories have to do is kick back, chill their beans, and weigh the ballot papers. Labour need a manifesto which challenges UKIP to the right in the north and the SNP to the left in Scotland without alienating London, and even were the party functional and led by an proven election winner that is almost impossible. The more likely dogs' breakfast in the manner of 1983 just means a massive defeat followed by a generation of in-fighting while the Tories celebrate by roasting poor people over an open fire.

Suppose, just suppose, that instead of seeking the glory of a 150 seat landslide, May decided to double down and run on a manifesto which wins by 50 seats but makes her the Thatcherites' eternal heroine by giving party faithful as much as they can possibly have, consistent with winning an election. Not just the Human Rights Act, but tear up PACE, Freedom of Information and the Data Protection Act ("red tape", "stopping the police doing their job"). Not just index linking of university fees, but uncapped, and while we're at it not only grammar schools in every city but post-16 education chargeable via loans. And just for shits and giggles criminalise abortion, bring back workhouses and repeal the Discrimination Act. Whatever: a scorched earth, salted fields, roll the country back to before the Great Reform Act extinction burst of atavism.

With a manifesto like that coming from the Tories, what would Labour do? Lose by fifty seats, that's what. Grim, isn't it?

Fwd: UK Citizens (etc): Please Register to Vote in the Referendum

2016-06-01T07:12:27Z

http://www.aboutmyvote.co.uk

If you are a UK Citizen or otherwise entitled to vote in this month’s referendum, please do so.

http://www.aboutmyvote.co.uk

My generation (born in the mid 1960s) are the single largest cohort in our society, and we vote at high rates. We’re the peak of the post-war boom, and we still go to polling stations.

We’re why you can’t buy houses; my wife and I bought a house, with a 100% mortgage, 11 months after we graduated, and we were hardly unusual: how many of you will be doing that?

http://www.aboutmyvote.co.uk

We’re why your pensions are likely to be grim: we paid a few quid into schemes that were clearly insolvent the moment our parents stopped smoking, but many of us can retire on secure incomes in our early to mid sixties.

And for the university educated amongst us, we got it free, too.

http://www.aboutmyvote.co.uk

Governments pander to us, because we win and lose elections; unlike the cohort older than us, we switch our votes from election to election and are susceptible to retail politics (“what’s in it for me?”). We are why inheritance tax is a major political issue: IHT isn’t about old people, it’s about their avaricious middle-aged children, like me. And we are why crazy rising house prices are a popular thing; the houses we don’t own, our parents own.

We are why education policy is a minor footnote, because most of our children are coming towards the end of, if they haven’t already finished, their educations.

http://www.aboutmyvote.co.uk

The referendum’s outcome could change your lives. Mine, not so much.    But my generation will be flocking to polling stations to vote, and our issues are radically different to yours. You don’t trust your parents' opinion on Kanye West (808s and Heartbreak is my favourite, my children disagree) so why would you trust their views on anything else?

http://www.aboutmyvote.co.uk

We’ve now seen two general elections which have been decided by an if not grey at least greying vote, while policies that affect you have been put through without any attention to what you think. Sadly you (or at least people your age) just don’t vote in sufficient quantities to be interesting to politicians. Change that. Please.

http://www.aboutmyvote.co.uk

I don’t think anyone over 45 should be allowed to vote in the referendum, and I shall be voting strictly on the advice of my children.   But people like me, and indeed my parents (ie, your grandparents) could decide the outcome of this referendum. Please don’t let us be the only voices that are heard.

http://www.aboutmyvote.co.uk

ian

(That was a referendum broadcast on behalf of the “For God’s Sake Ian, shut up” party).

VPN Key Exchange Enhancements in iOS 9.3, OS X 10.11.4 and Server 5.1 - Apple Support

2016-04-15T10:50:55Z

On 15 Apr 2016, at 01:00, Ian Batten wrote:

If anyone is keen enough to be running their own VPN server for Apple clients

More detailed examination with coffee in my hand (hey, I teach two lectures on IPSec and IKE, so this is _real_ _work_) reveals that on the down-low, Apple have re-written the entire opening phase of their VPN software and released it on two platforms over the past couple of weeks.

Historically, the Apple L2TP-over-IPSec implementation was as brittle as thin glass. The recommended deployment was talking to an Apple “Server” on OSX, but if you wanted to roll your own, it was very difficult to end up with an IKE configuration which would work with the Apple clients and also work with anything else. In essence, you had to configure the server with exactly the algorithms used at each phase by Apple, and none others: if you so much as mentioned an algorithm the clients didn’t support, the whole thing collapsed. I don’t have anything other than Apple kit in my mobile VPN estate so this didn’t matter to me, but I gather from former colleagues that using the Apple VPN client and the Microsoft VPN client into the same server is the best tool in your Cisco’s salesman’s box to convince you to just buy the end-to-end Cisco solution. Which Apple kind-of admitted by shipping the Cisco VPN client, branded, as a standard part of iOS (I think I’m right in saying that it’s the only piece of iOS as installed on a new device which has anyone else’s branding on).

The new stuff is completely different. You can turn on all the algorithms you like, and the Apple clients (a) in main mode, negotiate a sensible mutual combination of algorithms and use those for the rest of the exchange and (b) more impressively, in aggressive mode (where the two ends need to know in advance what algorithms are in use, as there’s no “what has and encryption do you fancy?” phase) it steps through a sequence of proposals to try to find one that works: that’s not fast, but at least it works. So you can turn on the offer of algorithms that Apple don’t support yet (large DH groups, EC crypto, SHA512, that sort of thing) and leave them there waiting for the clients to catch up, and for use by more capable clients.

There’s some other changes which aren’t as easy to analyse. The negotiation of PFS has definitely changed: it used to be that if you asked for it on the server, the client dropped the connection, now you can have it enabled with a group selected. But it’s not obvious whether it’s actually respected: since you can ask for crazy groups (6144 bits) or for things that don’t appear to be supported anywhere else in the Apple client (EC) and it still “works”, the implication is that the client is just doing a better (or worse, depending on your view) job of negotiation and is not using PFS even though it’s offered. I’m not sure how to check this. The packet sequence is the same, and although the contents are different they are encrypted: I’d need to find a way to get hold of the Phase 1 keys and use them to decrypt the Phase 2 packets in order to check. My gut feel is that Apple haven’t added PFS, they’ve just fixed the negotiation so it’s rejected cleanly.

It’s interesting that there’s a paper which raises concerns about widely deployed IPSec configurations, and within six months Apple are fielding a complete suite (they’ve made the same changes to the server, but I’m not using that code) of changes to close the whole issue down. They are playing hardball with the US government.

ian

VPN Key Exchange Enhancements in iOS 9.3, OS X 10.11.4 and Server 5.1 - Apple Support

2016-04-15T10:50:28Z

If anyone is keen enough to be running their own VPN server for Apple clients, it’s worth noting

that as of the latest bits (10.11.4 OSX, 9.3 iOS) you can now use larger DH groups and more

modern hash and encryption algorithms for IKE Phase 1:

https://support.apple.com/en-gb/HT206154

You were previously restricted to DH Group 2 (1024 bits), with SHA1 or MD5, and 3DES. This was a

matter of some concern following the publication of "Imperfect Forward Secrecy: How Diffie-Hellman

Fails in Practice” [1], which implied that brute-force attacks on the 1024 bit group were realistic,

plus the usual annoyance of 3DES being slow on general-purpose hardware.

There’s not been the same changes in Phase 2, so you are still restricted to using SHA1 for packet

authentication rather than SHA256 (or at least, that appears to be the case talking to my router, a

Mikrotik running 6.34.2).

I didn’t see any announcement of this, and I only stumbled over the Apple support document while

looking for something else. It does seem that Apple are closing off weaknesses that require

a state actor as your opponent.

I’ve tested this with iOS 9.3.1 and OSX 10.11.4. There doesn’t appear to be a performance penalty,

and there’s a substantial security benefit in using a larger DH group for Phase 1 (if you think your

opponent is a state-level actor, that is).

ian

[1] https://weakdh.org/imperfect-forward-secrecy-ccs15.pdf

The myth of operational security

2015-11-16T12:04:51Z

One day, I am going to get around to writing my magnum opus on the mistaken beliefs that some security people have about threat actors. But today, I’m going to consider one of them: the terrorist with perfect operational security.

There are a whole range of arguments which assume that there is no point is society adopting mechanisms to attempt to defend itself, because our enemies have perfect operational security. There is no point in intercepting communications because they all use encryption, both effective algorithms and with flawless security around key management (a feat few national agencies have managed). There is no point trying even traffic analysis because they all use TOR with flawless, error-free precision (even though there is ample reason to believe this is very difficult). There is no point using ANPR because all criminals drive stolen cars with false plates (although this weekend’s Paris attacks used hire cars). And so on.

There are good reasons to be wary of security service claims as to the efficacy of their boxes of tricks, and certainly we need to balance civil liberties and security agendas. We need to do this all the more in the aftermath of appalling events as happened in Paris this weekend. But we need good arguments. Arguments which presume that terrorists are criminal masterminds with not only access to, but the skills and discipline to use effectively, top-quality crypto and therefore interception is pointless are just wrong. Terrorists have many things to be doing while planning an outrage, and they clearly are not communicating using perfectly-used one time pads.

The Gang That Couldn't Shoot Straight

2015-07-21T08:39:23Z

The most important thing that Labour can do in 2015 is get elected in 2020. As my constituency secretary says, it’s going to be hard. It’s going to be a challenge. It’s going to involve discipline, focus and political skill.

So what the hell happened last night? Not only did George Osborne set a trap for Labour, he actually wrote an article about the trap, clearly and unambiguously, and published it in the Guardian the previous morning:

http://www.theguardian.com/commentisfree/2015/jul/19/george-osborne-progressive-reform-welfare-benefits-system

Not just some doublespeak “Don ’t throw me in the briar patch, Brer Rabbit” coded message, which the naive or deluded might struggle to understand, but in words of if not one at most two syllables. He pretty much spelt out what amounts to a plan to either leave Labour split into two parties, or internally divided to the point of irrelevance, between what one might term (to take the language of German green politics, themselves no strangers to futile opposition) “realo” and “fundi” strands. He’s encouraging Labour MPs, perhaps MPs who see politics as government, rather than a Sealed Knot Society re-enactment of the Winter of Discontent, to look up “Limehouse” in their A to Z. This is not the subtle dark arts that we provincials can neither know nor understand, this is stuff so obvious that there are West Wing episodes about it. A “realo” Labour offshoot, or indeed the “realo” phoenix emerging from the smoking ruins of a divided party, might be able to win in 2030, but Osborne doesn’t care: he’s looking straight at getting into office in 2020 and doesn’t much care what happens after he wins a second term in 2025. And by God he’s doing a good job. You can admire the execution even if you despise the intentions.

Harriet Harman, because she’s clever and has been around parliament long enough to know how things work, saw the trap and did the only thing she could do in that situation, which is to order abstention. Vote for the budget and Labour are Tories attacking the poor, vote against the budget and the next five years are a re-run of 2010-15, all talk of Labour’s mismanagement of the economy, excessive spending and building of a client state. Cameron’s speeches almost write themselves, to the point that he’d have a big key on his computer marked “Greece” and another marked “Syrzia” to avoid having to type them in full each time. “Banks closed, pensioners unable to buy food: this is what happens when welfare outstrips revenue”. It would be nonsense, of course, but it would be politically devastating, putting Labour back to 2011 but now out of office for longer, having to fight on the economy and being unable to be heard on anything else. Cameron would be able to give Neil Kinnock’s “scurrying around in Taxis” speech, with minor modifications, every week.

This was such obvious politics from the Tories that even Tom Watson, rarely a man to pass up on an opportunity to get on the telly being contrary, saw it for what it was and abstained. The choice is between harmful gesture and galling but ultimately harmless abstention: the point of being an MP, rather than a ranty bloke in a meeting, is knowing when to shoot, and when to keep one’s powder dry.

So what did the self-indulgent, ill-disciplined, suicidal 48 do? For the sake of a moment’s futile self-righteousness, they made Labour look split, incompetent and incoherent. They made it clear to Harman, and by extension any future Labour leader, that they reserved the right to be disloyal at the drop of a hat, to make gestures that will have no effect beyond showing the willingness to look like a rabble for the sake of two minutes of glory in front of their own supporters. Abstaining has no political cost: if challenged in twelve months time, “I was following the line of the then leader for the sake of avoiding a damaging split right after a bruising election” satisfies all but the most irreconcilable headbangers. Not a single child will be fed, not a single family will have their benefits restored, as a result of last night. But as a free gift to the Tories, it makes a Labour government in 2020 that little bit less likely, and that Labour government in 2020 is the only effective help that those in poverty can look forward to.

Some Tory said last night that it’s impressive to have a leadership crisis when you don’t have a leader. They did not mean this kindly. When Pierre Bosquet wrote of the Charge of the Light Brigade that "C'est magnifique, mais ce n'est pas la guerre: c'est de la folie" he was at least admiring of the bravery and sacrifice of the men; this is beyond that. This is the sort of stuff that the Tories dream of: a majority, a divided opposition and a leaderless Labour Party ripping itself to pieces. They could ram through legislation criminalising the consumption of coffee and declaring war on Sunderland and no-one would notice.

If this is what the next five years are going to be like, Frances Osborne should nip next door right now and start measuring up for curtains. What sort of smoking ruin of a party is the next leader, and worse the next leader but one, going to inherit?

A Labour Government in 2020. Surely to God that’s the main objective? Please?

ian

"The Imitation Game"

2014-11-17T09:59:28Z

In case anyone is taken with an urge to go to the cinema to see Benedict Cumberbatch giving us his Alan Turing, I would suggest that those with a knowledge of his life either suspend their disbelief or don’t go. As a film in its own terms it’s not bad; crypto hardware nerds will appreciate the appearance of Bletchley’s bombe rebuild as a prop and an (unremarked) set of Zygalski Sheets [1] being used, there aren’t too many anachronisms to set your teeth on edge (although I’m pretty certain that senior military officers born in 1881 didn’t go around saying “you’re fired” to people) and both Benedict Cumberbatch and Keira Knightly are more than competent.

But the distortions of the events are very substantial, both in terms of how Enigma was broken (unsurprisingly, as this isn’t a documentary) and in terms of the biographical details of his and other’s lives (which is slightly more surprising). Some of it’s just sub-McKee [2] “story arc” stuff. Joan Clark, played by Knightly, and others are shown as being recruited via some gambit involving crossword puzzles, when in fact Clark and most of the other later arrivals were simply recommended by their tutors and supervisors; she’d been taught by Gordon Welchman (who is completely written out of the story, oddly). Some of it is rather more substantial, and rather odd: there is a strange sub-plot which implies that the security services knew about John Cairncross (“The Fifth Man” in the Burgess-Maclean-Philby-Blunt ring) and used him as a back-channel to Stalin; to describe that as unlikely and unsupported is to be generous.

Were I a relative of Alistair Denniston I’d be upset, as he is shown as a petty martinet and vindictive incompetent, which (so far as one can tell from published sources) was not the case. Peter Hilton (later Mason Professor of Pure Mathematics at Birmingham, I see) is shown working on Enigma prior to the development of the bombe; the first bombe went into use in late 1940 and Hilton, only 18, didn’t arrive at Bletchley until 1942. Similarly, Jack Good didn’t arrive until mid-1941, long after the bombe’s development.

Andwere I Polish I’d be very upset indeed, as their massive contribution to Enigma is completely bypassed.

[1] https://en.wikipedia.org/wiki/Zygalski_sheets

[2] https://en.wikipedia.org/wiki/Robert_McKee

GNU emacs on OSX 10.9: fix for runaway CPU

2014-08-29T09:13:17Z

There's a fairly well documented, and rather annoying, bug in Emacs 24.3 on OSX 10.9. Under some circumstances it either consumes a lot of memory and CPU and starts to run very slowly, or it causes distnoted to do likewise. It happens particularly after sleep and wake-up, and if distnoted is the victim it's usually enough to get the fans to come on and stay on. It happens to me roughly once a week. The bug is present in the binaries available from http://emacsformacosx.com.

There is a patch:

It's apparently incorporated in the 24.4 pre-tests and nightlies, if you like to live dangerously.

I've applied the patch to a set of clean 24.3 sources and compiled it on 10.9.4 with the latest version of XCode, to get the fix without any other changes.

If anyone needs the binaries:

http://www.batten.eu.org/~igb/emacs-24.3-leakpatch-mavericks.tar.xz

SHA256 hash [1] is f94c2f9dbf40ff42dd8ee41ce7fab4e1f5208c2178aa99ab8a8344560e49d41c

Just untar it and move the resulting Emacs.app directory to /Applications or wherever you keep such things. The OSX tar command now automagically handles .xz.

Aficionados of the ludicrous bloat of modern software will have their prejudices confirmed upon learning that using a good compression algorithm, the installation kit (ie a tar of /Applications/Emacs.app) is 100MB.

ian

[1] openssl dgst -sha256 -hex < emacs-24.3-leakpatch-mavericks.tar.xz

A Horrible Battery Warning

2014-07-09T19:41:54Z

A colleague of mine started talking about having resurrected an old Olympus OM-10 which his father had abandoned in the 1990s. Sparked by that, I decided to check what state my OM1n and OM2 were in. I'd last used them regularly in about 1994, and I was pretty certain that the batteries hadn't been changed since then.

The OM2 was fine. The battery compartment opened up, and a pair of spare silver oxide batteries that I had in the case turned out to be perfectly sound. The camera fired straight up. I'd had it serviced shortly before it stopped being used, so the batteries in the camera and the spares probably dated back about 20 years. That the fresh ones still worked was pretty miraculous (and I've ordered a new pair to be sure), but the ones in the camera hadn't come to too much harm.

Luckily, the seepage was into the interface between the two batteries, rather than into the camera itself. With new batteries the metering is at least internally consistent and appears to give sensible readings, and dry-firing the camera shows that slow shutter speeds are slower than fast shutter speeds. The auto seems to open for longer the less light there is. Overall, it looks like the camera's sound (given it was made in 1978 this is rather nice).

The OM1n, however, is a bit more serious. The battery that uses is a 1.35V mercury cell which is now unobtainable, but more seriously the battery hatch is jammed solid.

Gingerly I removed the base of the camera

By the time I took this photograph I had cleaned the battery compartment, but the original state of the battery was pretty grim.

The rectangle in the first picture is the impression left by the contact strip. Given it's a mercury battery and mercuric oxides are nasty stuff I washed my hands very carefully after handling it. Unfortunately, the gunk from the battery has gone into the threads of the battery hatch, which is still jammed. People on t'internet recommend all sorts of caustic options, but initially I'm just soaking it in some penetrating oil to see if it will free off. In the picture below the oil has already cleaned off the worst on the inner face of the hatch, but the threads are still resolutely jammed.

Update: an hour of soaking and it could be opened, with the threads not looking in too bad a state.

Update update: with the help of the Small Battery Company, I now have a Wein MRB625, which is a weird Zinc-Air replacement for the banned mercury 625 1.35V battery. It's not a long-term solution as apparently it only lasts a few months; Zinc Air batteries use oxygen from the air to provide a lot of power for hearing aids, which is fine, so long as you want the power to be continuously developed. However, SBC also stock a converter to allow a modern 1.55V 386 battery to be stepped down to 1.35V, while fitting into a 625 formfactor. Assuming the first few films through the OM1 check out OK, I'll get one of those.

Nick Robinson Misses the Point

2014-06-04T07:49:23Z

Home Secretary letter to Michael Gove on extremism in schools - News stories - GOV.UK

Nick Robinson had the 10 past, and outlined what had happened.

Gove and May had been at a meeting of the "Extremism Task Force" where Gove had lost the argument over whether you should wait, or not, for people to actually threaten violence before you try to de-radicalise them. The context was discussion of voluntary code of practice for "supplementary schools", which is code for after-hours Madrassas.

I think, as a free-speech advocate, that it's perfectly reasonable to say that not only should it be legal to advance unpopular ideas, but that in general arguing for violence should not be illegal. After all, plenty of vanguard parties of the hard left argue for non-democratic revolution, and they are not proscribed organisations, nor should they be. However, even if you think it should be legal to call for the execution of the Prime Minister, that doesn't make it wrong for the state to attempt to argue you out of it: there's a massive, massive gulf between the state locking people up for advancing vanguard ideas and the state putting "how democracy permits you to change the government without an AK" lessons into schools.

Whatever, it turns out that Gove believes that the Home Office has been reluctant to tackle extremism, and argued for the threshold for action being lower, while May went for the current "there has to be evidence of plausibly threatened violence" threshold. Gove apparently lost the argument. So far, I'd incline towards Gove's position as outlined: waiting until people are actually radicalised before intervening seems a high risk strategy, and even if you do manage to catch the people with AKs, you're left with a lot of people who aren't actually dangerous, but form an ecosystem within which those who are dangerous go unchallenged.

However, Gove then went to Cameron, having lost, and attempted to re-open the debate. May found out, was unhappy, and went nuclear. She writes:

The allegations relating to schools in Birmingham raise serious questions about the quality of school governance and oversight arrangements in the maintained sector, not just the supplementary schools that would be signatories to this Code of Practice. How did it come to pass, for example, that one of the governors at Park View was the chairman of the education committee of the Muslim Council of Britain? Is it true that Birmingham City Council was warned about these allegations in 2008? Is it true that the Department for Education was warned in 2010? If so, why did nobody act?

The first question is inane: the MCB's a legal organisation, and there is absolutely no reason why someone should not be a school governor and a member of a pressure group. If you want to proscribe the MCB, say so, but retrospectively arguing that membership makes you unfit to be appointed as a governor is simply silly. But the rest is toxic, and for those that don't follow Birmingham education, the intervention of the head of Queensbridge is a massive thing, because Tim Boyes is one of the most respected heads in the area, and will have some of the primaries involved as feeders. He has cast-iron evidence that he presented the issues in 2010, which sounds about right, and that leaves the DfE in a very exposed position. It's less clear that BCC were warned in 2008, but problems at Moseley around then were common knowledge; it went into special measures for other reasons, but it seems unlikely that under the governance arrangements of the time the IEB didn't know what had been going on.

Robinson went on with some gossip about Charles Farr, who has the counter-extremism brief in the Home Office, having had an affair with May's SPAD who's now leaking about him, which is vaguely amusing. But he appeared to completely miss the real story: the two key candidates for the Tory leadership if they lose next year, having a massive, public row which boils down accusing each other of being soft on terrorism.

"Soft on immigration" would be toxic enough, but "soft on terrorism?" I love it when the Tories tear themselves apart.

Apache Password Storage

2014-04-18T15:51:40Z

Updating my password on an SVN server, I happened to forget the parameters to htpasswd

and actually looked at the usage message. It contains this rather interesting line buried at the

bottom (Solaris 11.1, derived from Apache 2.22):

The SHA algorithm does not use a salt and is less secure than the MD5 algorithm.

Obviously, by "X algorithm" they mean "the overall process of taking password and using our password hashing procedure which incorporates hash algorithm X".

Indeed, it's true: there's no salt. Generate an apache password file entry for user myUser, password myPassword:

igb@mail:~$ htpasswd -nbs myName myPassword

myName:{SHA}VBPuJHI7uixaa6LQGWx4s+5GKNE=

and repeat the same task using simple hashing:

igb@mail:~$ echo -n myPassword | openssl dgst -sha1 -binary | openssl enc -base64

VBPuJHI7uixaa6LQGWx4s+5GKNE=

to see that they're the same. I wonder how many sites quickly thought "MD5 is a bit broken, SHA1 is better"? When in fact, dictionary searching given a file of 1000 SHA1 hashes is at least 1000 times easier (unsalted).

It's actually documented http://httpd.apache.org/docs/2.2/misc/password_encryptions.html

The iterated MD5 that is used if you select that option is here:

http://svn.apache.org/viewvc/apr/apr-util/branches/1.3.x/crypto/apr_md5.c?view=co

It does have good salting, and is clearly the better option. It at least generates different outputs each time it is called with the same input!

igb@mail:~$ for i in 1 2 3 4; do htpasswd -nbm myName myPassword | head -1; done

myName:$apr1$8wUtj8FR$m2OfIoNqjJVkNYjAhwZ25.

myName:$apr1$3qS0CJOD$ONOeHyqTIUPgnMBKH9XCW0

myName:$apr1$g4igyO/H$XJIx4OHNIDxDD4m3Q5vNj1

myName:$apr1$95GXXu0V$wPM3zi/BLMVgpGJI4KNAC/

igb@mail:~$

However, that too makes one wonder. It uses sort-of iterated MD5: it doesn't repeat the whole algorithm, complete with finalisation, rather it iterates repeatedly with the password, the salt and some fixed strings, calling the hash update function each time. Unless I'm missing something, the way the code is written means that running apr_md5_update repeatedly is equivalent to building a buffer containing the catenation of the successive strings and calling it once: that is ripe for hardware acceleration.

It's not parameterised (by contrast, see the SHA256 and SHA512 based hashes now used for the password file on recent Linuxes and Solarises here http://pythonhosted.org/passlib/lib/passlib.hash.sha256_crypt.html - they have a parameter for how many iterations to use, allowing scaling over time). The comment in the code shows how old the decisions are:

     * And now, just to make sure things don't run too fast..
     * On a 60 Mhz Pentium this takes 34 msec, so you would
     * need 30 seconds to build a 1000 entry dictionary...
     */

My laptop (three year old Air with an i5 processor) can compute 240000 such hashes in 30s without even going to the effort of writing dedicated code:

ians-macbook-air:~ igb$ time (for i in 1 2 3 4; do head -60000 /usr/share/dict/words | openssl passwd -apr1 -salt ayS1/GqV -stdin > /dev/null & done; wait)

real 0m28.363s

user 1m46.752s

sys 0m0.227s

ians-macbook-air:~ igb$

and a more modern i7 Air is can do about 400000. Being able to perform hashes 400x faster using a very naive approach, with presumably much more performance available via GPUs and other hardware tweaks, makes the loss of a password hash pretty serious. ~10k/sec means that you could could run the top 10000 entries from the roku database (say) again 86400 users in a day using a laptop, which would be a pretty devastating attack against a large stolen hash file.

Fwd: "Evil Twin" WiFi

2014-03-07T09:29:05Z

Today programme at the moment (so you can pull it from iPlayer later today, starting 1h20 in) is talking about security of public WiFi, with the usual claim that using an untrusted WiFi network is risky for, specifically, accessing banking. And that people should not access banking websites from public locations.

I'm very sceptical about this claim. OK, we have recently had a case in which a major browser had a flaw which permitted the use of fake certificates, but only under specific circumstances and there's no suggestion I've seen that it had been exploited on a long-term or wide-spread basis. And there is a roughly plausible mechanism that can be used:

* Hi-jack insecure connections to Google

* Look for searches for BankCo UK Banking

* Inject a fake URL pointing to https://BankC0.co.uk

* Look for DNS lookups for BankC0.co.uk, and return IP number of attacker's system

* Present a certificate for BankC0.co.uk, rather than BankCo.co.uk.

Alternatively, you can hijack requests destined for http://BankCo.co.uk and redirect them to https://BankC0.co.uk, possibly with the help

of fiddling with Google.

This attack would work even in the face of certificate pinning and, arguably, certificate transparency. Transparency would allow BankCo to patrol the logs looking for "similar" names being issued, but if the claim is users don't check URLs then the attacker could pass back an arbitrary string as the URL and hope the victim doesn't notice.

But is this actually happening? Yes, in principle we should worry about capability and potential rather than execution, but looking at the attacks that are actually "in the wild" helps us prioritise. Wikipedia's entry for "Evil Twin" networks is old and has very little hard information about actual exploitation. The pages that come up towards the top of the Google search are getting on for ten years old. The line between the good guys and the bad guys is blurred and the tools used by the bad guys rarely remain secret for long; it defies belief that "Evil Twin" attacks could have been happening for ten years and yet no example of code or hardware has emerged.

So why do I think the risk is overstated?

Firstly, the attack is quite narrow. If you have a bookmark for your online banking, it doesn't work. If your web browser's search bar uses https to access Google, as is increasingly common, it's narrower still (you'd have to hope that users bookmarked the http:// version on their banks website, and use a redirect). Alternatively, you'd have to hope that people override the many warnings of fake certificates while no-one in the location complains to the owners.

Secondly, the attack doesn't yield money. Unlike skimming PINs and card details, which you can monetise immediately, all you get from this attack is a set of login credentials. If the bank uses one of those funky card machines or some other second factor, then you will not be able to login afterwards. If the bank uses "select letters 2 and 5" type authentication you might be able to guess, but even the banks that do that require a phone call in order to set up a new payment. And even if you intend to make transactions within the login session the user has established, rather than afterwards, you will again hit the problem that setting up a new recipient requires out-of-band authentication. There is far more advantage in having credit card number, CV2 and address than in having online banking details, and far easier ways to obtain them.

Thirdly, the attack leaves virtual fingerprints everywhere. Ross Anderson has written that the massive step forward in credit card fraud was the realisation by attackers that if they didn't put through the transaction that was hijacked by the skimmer, the banks couldn't cross-match accounts that had been the victim of fraud in order to find out where it had happened. But here, the attacker doesn't control other payments, so if the victim has paid by debit card (it's a reasonable bet in Starbucks, a near-certainly in hotels) there will be common transactions between victims. The attacker is probably able to avoid just using a single IP number for the transactions, but given the detail of the logs that are kept it's likely that there will be timing or format similarities between attacked sessions that allow the man-in-the-middle to be retrospectively identified. And, of course, because there is no way to obtain cash from this attack, you have the problem of money laundering: you have to have a destination where you can transfer the money to, where you can subsequently draw it out, without getting caught. Even if you manage this, the account(s) will be again an obvious common factor between the victims.

Fourthly, the attack leaves actual fingerprints. You're going to have to carry the equipment into the building, or nearby. The equipment has a history. If you abandon the equipment, it will be found, and the police will have your software to analyse and the hardware to match for fingerprints and DNA. If you stay near the equipment, you risk observation by CCTV. There's a reason why ATM skimming is done in petrol station forecourts and out of the way street corners, and that is for an attack which can immediately be converted into cash, rather than requiring laundering.

And finally, the bandwidth of the attack is very low. You might be able to obtain login details for bank accounts, but the subset of those where you can set up a payment to a new destination will be vanishingly small. What can you do with access to a bank account where you can't transfer money?

If you were going to conduct these sorts of attacks on on-line banking, you would do so at far lower risk by malware infection, installing keyloggers on victim machines. There's little evidence that in the UK at least, key loggers are today a significant risk for online banking either; the phone call to setup new recipients is the key defence. If you want GMail account details (or similar) then Malware is an infinitely more effective attack, and that clearly is circulating in the wild. And if you want to steal money and goods, credit card details are the best thing to have, which again doesn't require an elaborate attack on WiFi.

So I think this is another of the cyber-crime industry's bogie-men: an attack which is theoretically possible, but only actually works against a tiny, possibly null, subset of potential victims, at high risk and expense to the attacker.

ian

Why Gaol Doesn't Work, and an alternative

2014-03-02T10:46:34Z

One of the common threads in discussions about Caredata and other large databases is the idea that there should be gaol terms for those that transgress. See, for example, Ben Goldacre's two columns on the topic in the Guardian.

I don't think that this can work, and I don't think it's an effective penalty. Worse, I think it's a distraction.

In the aftermath of the Herald of Free Enterprise disaster, there was a massive call for the introduction of an effective charge of Corporate Manslaughter. Such legislation has now been on the books for seven years. There have been very few prosecutions, even fewer convictions, and I believe (I would welcome correction) no gaol terms.

The problem is that the threshold to get over for showing that the company either sanctioned, or was reckless about, the behaviour that led to the death is extremely difficult. Courts are ill-placed to determine who said what to whom in corridors and meeting rooms, and the threshold of "beyond a reasonable doubt" means that lack of evidence is lack of conviction.

And at least in the case of health and safety (the main area where corporate manslaughter is likely to arise) there is widespread public awareness of the legislation, and the endpoint --- a corpse --- is fairly unambiguous.

That's not remotely the case in data protection. Firstly, the legislation surrounding data protection is not remotely unambiguous and there is very little case law. Actually demonstrating that an individual in senior management grossly breached, or was reckless as to the breach, will be virtually impossible. Consider Caredata today: ministers and senior directors are unable to agree on what was released, under what provisions, and what the law actually says. This would not even get over civil standards of proof, never mind criminal. Courts require a very high threshold to gaol people for acts committed as officers of companies, and this would not get close that level.

Secondly, if the claim were that it would deter individuals from misusing data they have access to, it would be even less effective. Courts will be very reluctant to support the contention that employees have a wide-ranging obligation to check the orders they are given by their employer for lawfulness except when the act is so manifestly unlawful as to fail the "reasonable man" test, or when the employee is a qualified professional being asked to knowingly breach their professional obligations (for example, an accountant being asked to file misleading accounts). Actually pinning down someone in the chain involved in releasing data who can be reasonably expected to realise that the act they were asked to commit was part of any unlawful scheme would be very difficult in a civil case; again, it is fanciful to think it would pass a "beyond a reasonable doubt" test. In the case of the release of HES information to the IFoA, assume for one moment that it actually is, in terms, illegal: where would you place the responsibility, and whom would you propose to prosecute?

It is possible that the threat might be useful against individuals who, of their own volition, access, release or otherwise mis-use data they are not entitled to handle in this way. However, that is where the "distraction" argument comes in. Data controllers should put in place controls and processes such that individuals cannot release data they are not entitled to. By having "oh, but they'll go to gaol" lying around as a rusty blunderbuss, a data controller can put in place inadequate controls and defend them with the argument that the staff are incentivised to behave by the threat of gaol. But that's true of frauds carried out by staff against either their employer or their employer's customers: it's straightforwardly illegal, and you can go to gaol. People still do it, because they (accurately) regard the risk of detection as low, the risk of prosecution as even lower (employers are very reluctant to admit to fraud in their operation) and the risk of serious sanction almost infinitesimal.

And in any event, none of this consoles the victims. If your medical record is leaked, that someone went to gaol does not get your privacy back. And until a significant number of people have been gaoled pour encourager les autres (ie, a significant number of offences have been committed) the threat is hollow anyway. So in the meantime, data controllers will deploy inadequate controls backed by implausible threats, and everything will go on much as it already does.

For sanctions to be effective, they have to be usable and deterring. Data protection failures are unlikely, other than in the most egregious cases, to leave a detailed enough trail to sustain a criminal prosecution, still less one ending in gaol time for individuals. It's a hollow threat, which makes the threatener look weak.

No, far more effective is a civil regime as follows:

As a data controller, you are responsible for the data you handle. If it leaks, you have have broken that responsibility. We do not care why it happened: you are responsible for implementing controls sufficient for the material at hand. After one leak of government-supplied data you will be subject to a one year suspension from the processing of any government-supplied data for any purpose, including existing contracts. This will probably bankrupt you. A second offence will result in a ten year ban, which will bankrupt you. If you have any doubts about your data protection regime, please seek advice from the ICO or CESG, who will be only too happy to help. Board, hear this: just as you are still liable to repay money to your customers that was stolen by rogue staff, yes, we are making you responsible for your staff. We are not joking.

This would also incentivise other staff to keep an eye on their colleagues: knowledge that everyone will lose their jobs in the event of a failure will focus everyone's minds wonderfully. The fear of this will put a massive premium on the willingness of private sector companies to take on risky contracts, which will make government much more careful about issuing them. Everyone wins.

Caredata Governance

2014-03-01T22:34:40Z

Part of the reason why Caredata has become such a hot topic is the revelation that patient-level data was sold to actuaries, for a study into which factors are meaningful when assessing premiums. And that when this was revealed, no-one appears quite clear who approved it, and under what rules. There is now some significant debate as to whether this sale was wrong, whether it was permissible under the rules at the time, whether it would be permissible now (ie, under the Caredata rules as planned for the now-delayed spring 2014 launch) and whether it will be permissible under the hypothetical rules Jeremy Hunt is proposing in the aftermath of Friday's announcement of new legislation.

The problem seems to be a governance structure that is so complex that actual responsibility and accountability has been diffused to the point of invisibility. There is a complex mesh of advisor groups, boards and executives --- has anyone seen a diagram? --- but, when an actual case is challenged, no-one appears able to point to who took the decision, and under what rules. Even if the people who agreed the release of the IFoA can be identified, it's not at all clear what rules they were operating under and whether those rules were followed. The failure of the HSCIC to produce a code of practice exacerbates this.

The governance should have three clear components.

First, there should be a set of rules setting down the purposes for which data can be released, and in what form. The rules are owned by a group of people, with a named chairman, who sign off successive releases of the document. If the rules are found to be inadequate, either because they do not cover some case or because public opinion challenges the contents, that group of people are tasked with re-writing it. Those people are appointed by a minister who is democratically accountable to parliament (or, more probably, a select committee); it is likely that the process and policy for these appointments would be the subject of secondary legislation or the schedule to primary legislation. This is strategy.

Secondly, there should be another group of people who consider requests for access and evaluate them in the context of the rules. These decisions should be uncontentious, and if there is disagreement between reasonably informed people then that is more likely to reflect a problem with the rules than anything else. These people will probably need to be employees of the agency handing the data as the decisions will need to be made relatively quickly, but as they wield relatively little power this is not of itself dangerous. This is tactics.

And finally, there needs to be oversight that the decisions are being made correctly and that the process is fit for purpose. This could be done by a select committee directly, is more commonly done by appointing a retired judge or similar to act as a regulator. This person does not make decisions or policy, but confirms that the process is being followed, samples decisions to check in detail, and reports annually. This is audit. For all the fact that the legislation has many problems and there has been a lot of dispute, the role of the Interception of Communications Commissioner is a good model.

One committee, named and appointed by a minister who is democratically accountable, sets detailed policy. A second committee executes it. A commissioner checks the process is being followed.

That way, when things go wrong, people can be held to account. Democratically.

Opting Out Is Always Rational

2014-02-28T14:36:57Z

One of the most common memes used in support of mass health data projects is that the data supports important research. Whether it is disease causation, effective treatment, epidemiology, drug side-effects, researchers need large amounts of data, so your data matters.

But from the perspective of a patient, ie you, your data doesn't matter.

Your data would only matter if a study which looked at the whole dataset would have a different outcome with or without your participation. But in a dataset covering 47m people (the size of the Hospital Episode Statistics database) or around 53m people (the number of people registered with general practitioners in England, assuming everyone is), the chances of your individual record being anything other than statistical noise are infinitesimal. In order for that to be the case, you would have to be very unlike the rest of the dataset, but mass population studies rarely identify things that affect only one person. So there always be sufficient people who look like you to fill your place in the analysis. And of course, the chances of a medical breakthrough hinging on your personal data, _and_ being related to a condition you have, _and_ producing a change in treatment quickly enough to benefit you are similarly small. An infinitesimal chance of a very small benefit has a net present value of zero, for practical purposes.

On the other hand, the risk of the data being leaked, re-identified or otherwise mis-used is greater than zero. We don't know how much greater, and without a code of practice we can't calculate it. But if, for example, your health record in which you talk to your GP about your depression were leaked to your ex-spouse in a contested custody battle, the effect would be immediately harmful. That's an immediate risk: a small chance times a very large disbenefiit has a net present value considerable greater than zero.

Now the problem with this, of course, is that if everyone thinks like this, there is no data. But of course, they won't; Germany's scheme is opt-in, and yet has reasonable numbers of participants. But shouting yet more loudly about potential benefits doesn't work, because that has already been written down to zero. What needs to happen is calm, rational discussion about why people are over-estimating the potential harm such a project can cause. And without transparent, accountable organisations handling the data, that will never happen.

ian

Why joining against Experian Mosaic is easy

2014-02-27T22:32:55Z

One issue that has arisen in the debate about the release by either the HSCIC or its predecessor NHSIC is the joining of the HES hospital data against Mosaic demographic data.

This would have been done by NHSIC. And once they had made the basic decision to release the data in the first place (a separate discussion) this was the _right_ thing to do, and it would be the correct way to do a similar task for a less controversial research project.

Mosaic data maps very small areas to demographic tags. Let's assume that the data goes down to full postcode level (I believe that in some cases it's slightly less granular than that).

The Mosaic data would look like this:

X12 3YZ Demographic Description 1

X12 3YY Demographic Description 2

X12 3YX Demographic Description 1

X12 3YW Demographic Description 1

There are a lot of full postcodes in the country (I'm guessing, but around 2m --- 20 million houses, ten per code). There are a few hundred Mosaic descriptions, if that.

So the process will have been something like this:

IFoA take the Mosaic data and, with Experian's agreement, pass it to the NHSIC for this specific purpose (this is a standard thing to do with this sort of data).

NHSIC join the HES data against the Mosaic data using the postcode as the key, so that each HES record is extended by a demographic description.

NHSIC then truncate the postcodes to the agreed length (probably just the initial letters like "B" or "SW" would be enough) and hand over the records. All that IFoA see against each patient is therefore a very low resolution postcode, which will match an entire city or county, plus a demographic tag, which will be shared amongst tens of thousands of postcodes.

The basic agreement to release data to the IFoA is something that there is a lot of dispute about, and I think it was a very, very bad thing. But once you've made the decision to do it, what was done with Mosaic tags was the right thing: the IFoA got the data they could use, and the level of resolution in it was appropriately reduced.

ian

When Hubris Meets Over-Promotion

2014-02-26T06:29:35Z

Yesterday, the Health Select Committee met to discuss the Caredata project. It was a shocking thing to watch.

You can see the entire car crash here.

The first part was interesting but unexciting. Phil Booth (Medconfidential, ex-No2ID) and Nick Pickles (Big Brother Watch) outlined the concerns about the identifiability of data when combined with other data sets, issues of consent and issues of safe processing and transparent policies around release. Sharmila Nebhrajani (AMRC) and Peter Weissberg (BHF) made a strong case for the benefits of processing data for public health while admitting that the execution of this project left a lot to be desired. Chand Nagpaul for the RCGP presented the issues confronting GPs, particular confidentiality with patients and responsibilities as data controllers, while again making it clear that the project has a whole has massive potential benefits.

There were attempts to get Phil and Nick to condemn the processing of the data in any circumstances, which was rightly seen as the straw man it was, but in general terms there was nothing to surprise those familiar with the saga. The Committee showed impatience with presentations of benefits as though those of themselves negated risks, but in general proceedings showed a broad agreement.

This was not true of the second part. Daniel Poulter (undersecretary of state for health), Tim Kelsey (NHS England, Director for Patients and Information) and Max Jones (Director, HSCIC) were under-briefed and unimpressive. The committee drew harsh inferences from the fact that they had not attended the first part, and Poulter, in particular, was clearly not on top of his brief. All three appeared to assume that the committee would roll over in the face of a presentation of benefits, and at several points Kelsey seemed to think that the meeting was a platform for him to set the agenda, rather than answer questions. Jones relied on the defence that the HSCIC was a new body and therefore the actions of its predecessors were neither relevant nor knowable, which is an extraordinary legal theory.

A massive backlog of points to be confirmed in writing later built up, as Jones blustered and repeatedly claimed not to know about the key operations of the body he is director of: for example, the code of practice for the HSCIC's processing of Caredata assets has yet to be written, but he could not provide a timescale for its production. Sarah Woolaston and Charlotte Leslie, who clearly _were_ on top of their briefs, picked away at the inconsistencies, and got very little hard information for their pains. The threat hangs in the air of the HSC summoning the staff of of HSCIC's predecessor bodies: I don't have Erskine May by heart, but I would have thought that the summoning of Mark Thompson in his guise as former DG of the BBC sets a precedent.

What did we learn? Firstly, we learnt that the NHS has a habit of promoting middle-managers to leadership roles without getting leaders: Kelsey and, particularly, Jones looked under-prepared, under-briefed and under-rehearsed. Their endless recourse to "we don't know, we'll write to you" was completely unacceptable for senior managers of major NHS functions: they should know, or have it in their briefing pack in front of them. Secondly, we learnt that treating a select committee with contempt, by assuming that an invitation to appear in front of them is a platform to make statements, goes down very badly. Thirdly, we saw how shallow the talent pool in the Tory party is, given Poulter's hesitant, blustering and uncertain performance: his civil servants will be very cross, I suspect.

But to my mind, the most shocking revelation was that the HSCIC is collecting data, and releasing it to consumers, without having a code of practice in place. Everything I've ever done in information governance --- I've run an ISO 27001 accredited operation --- says that this is insane. Coupled with the HSCIC's claim that it does not hold the records of its predecessors (a claim I intend to test with some FoI requests) and you are left with the obvious conclusion that information governance in the NHS is a Potemkin village, thin sheets of painted board concealing a swamp of poor practice.

It's to be hoped that the HSC follow through. If they do not, Jones and Kelsey will be able to get away with not knowing and not telling. But if these are the best people the NHS can put up to make their case, and the best arguments, then Caredata is dead in the water, either because the HSC will stop it, or because the rate of opt-out will render the scheme useless.

And Dan Poulter? I think he can forgot his ambitions, to be honest.

ian

NHS Email

2014-02-24T07:45:34Z

Begin forwarded message:

From: MAILER-DAEMON@nhs-pd1e-esg001.ad1.nhs.net (Mail Delivery System)

Subject: Undelivered Mail Returned to Sender

Date: Mon 24 Feb 2014 07:34:54 GMT

To: igb@batten.eu.org

This is the mail system at host nhs-pd1e-esg001.ad1.nhs.net.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

The mail system

<england.cdo@nhs.uk>: mail for nhs.uk loops back to myself
Reporting-MTA: dns; nhs-pd1e-esg001.ad1.nhs.net
X-Postfix-Queue-ID: 8195544916D
X-Postfix-Sender: rfc822; igb@batten.eu.org
Arrival-Date: Mon, 24 Feb 2014 07:34:53 +0000 (GMT)

Final-Recipient: rfc822; england.cdo@nhs.uk
Original-Recipient: rfc822;england.cdo@nhs.uk
Action: failed
Status: 5.4.6
Diagnostic-Code: X-Postfix; mail for nhs.uk loops back to myself

From: Ian Batten <igb@batten.eu.org>

Subject: F.A.O. Information Governance Compliance Team

Date: Mon 24 Feb 2014 07:34:50 GMT

To: enquiries@hscic.gov.uk

Cc: england.cdo@nhs.uk

The Staple Inn Actuarial Society processed a large volume of Hospital Episode Statistics, which they also joined to Experian credit reference data.

Please supply:

* The submission made by SIAS in support of obtaining this data. This may take the form of a Privacy Impact Assessment, a Research Proposal, or some other document.

* The minutes of meetings at which this proposal was discussed.

* Details of the financial settlement between HSCIC and SIAS.

* Details of any agreement between HSCIC and SIAS which permits the combining of HES data with Experian data

It has been clearly stated by Geraint Lewis, NHS Chief Data Officer, that insurance companies are not able to purchase HSCIC data for commercial use, and that HSCIC does not sell data on a commercial basis, it only recovers costs. I therefore give you advance notice that any refusal on the basis of "commercial confidence" will be the immediate subject of an appeal to the ICO.

Ian Batten
XXX
Birmingham
XXX

Why I am opting out of #caredata

2014-02-23T16:18:09Z

Today, I sent a letter to my GP confirming that I am opting out of the Caredata scheme, and do not want my data uploaded in any form to either the secondary uses databases (codes 9Nu0, 9Nu4), or to other record systems. I am already opted out of the Summary Care Record Scheme (code 93C3); I have pre-emptively also added 93C1 to opt out of upload to local record keeping systems.

I opted out of the SCR scheme because, for me, the risks were entirely disproportionate to any benefits. I am not allergic to anything, I am not taking long-term medication, there is no particular information in the SCR extract that would assist a doctor in the extremely implausible scenario where I am unable to communicate but my identity can be established with sufficient certainty as to make use of my records without further confirmation safe and good practice. As there is no benefit to me, no risk, no matter how small, is worth taking, and my general objection to large government databases applies: data leaks, data is repurposed, data is wrong.

I am opting out of the nascent Midland Care Records scheme as it appears to be run by people outside the NHS. There is a website, but such contact details as it contains refers to "powered by Central Midlands Commissioning Support Unit". The link takes you to www.experiencecounts.org.uk which purports to be in some way affiliated with the NHS, but provides no evidence for it. Even its domain name is outside the NHS domain, and therefore it presumably operates outside the NHS information governance framework. It looks like a commercial operation, and therefore not a safe place for my records.

However, the Caredata scheme opens up a different moral conundrum: I am asked to provide my records not for my own benefit, but for the common good. Although I might benefit directly in some rather unlikely circumstances, it is far more likely that the benefit will be more diffuse; drug research, epidemiology, treatment standards on a national basis. I am broadly receptive to these aims, even to the point of overcoming my needle fear to have samples taken for the Biobank project. I have participated in several followup questionnaires and even worn an activity monitor for a week for them.

However, Biobank is a model of ethnics and information governance. I was approached, sent information, gave consent after exploring their objectives and structure, and was at all times in control of the process of providing data. Contrast Caredata: after a lengthy period in which the project was veiled in secrecy, the NHS rather reluctantly agreed to a minimum cost information campaign involving using the Post Office junk mail channel. I didn't receive the leaflet, and I don't know anyone who did. As it happens, I am not opted out from receiving unaddressed mail, but it is interesting to contrast Daniel Poulter MP's statement to parliament that it was delivered to those people who have opted out with the NHS's flat contradiction. Misleading parliament is usually seen as a bad thing, but apparently not when it's done to mislead people about NHS projects.

Had I received the leaflet, it is not clear I would have been any the wiser. The leaflet is deeply misleading; as well as only mentioning the name of the project in the URL at the foot of the last page, it is vague to the point of obfuscation about what data will be uploaded, and for what purposes. Couple that with the NHS's decision to use a bizarre interpretation of "selling" in their assurances that the data will not be sold while publishing a price list and Tim Kelsey's bland claim that data re-identification is not possible, or if it's possible it's very difficult, or if you do it it's illegal (although it's not clear under what legislation) and you are left in a position of not really knowing what the project is actually going to do.

Finally, Gerait Lewis published a blog which, although not answering the question as to whether a blog is an official statement of NHS policy, did remove some mystery from the proceedings. But not terribly reassuringly. For example, having defined red data as data which is straightforwardly personally identifiable, he writes it may be released if there is "legal approval [from] the Secretary of State for Health or the Health Research Authority following independent advice from the Confidentiality Advisory Group (CAG).". So that boils down to "the NHS can't release your personal data without telling you unless the NHS decides to release your personal data without telling you". Recent minutes of the CAG show them agreeing to the release of identifiable data in the absence of consent or opt-out for a project, risk stratification, they have reservations about the value of, so they are hardly a fierce guardian of privacy, and in any event "advice" is not a veto, so the Secretary of State can ignore them anyway.

As to the benefits, well, obviously insurance companies can benefit from this sort of data. The NHS again is totally confused as to whether insurance companies will be prevented from buying it, or will be able to buy it but will be given a stiff telling off if they do the wrong things with it, or what. Similarly drug companies: research, marketing, what is permitted? In an outbreak of black farce, the original timescale was for the uploads to start before the committee met to agree the permitted purposes; in any event, the purposes can be changed at any time, so provide little solace.

There is now a six month pause while the NHS tells us why we are wrong; already there have been outbreaks of "you little people don't understand, and we doctors know best" from Clare Gerada, which is a priceless demonstration of why doctors should keep off the telly. Sorry, Clare, but speaking slowly and being patronising doesn't convince when you're so obviously contradicting yourself: "commercial entities can't have access, unless they can have access".

So I'm opted out. If the NHS can make a case, I'll change my mind. But something better than this car-crash of a publicity programme has to convince me.

The illusion of spelling reform

2013-12-18T16:34:37Z

Over the years, many people have thrown themselves at the issue of spelling reform. Concerned about the irregularity and non-phonetic nature of English spelling, clever people have devoted imense amounts of effort to the cause. But over the last two hundred years, the results have been negligible. The last successful attempt to impose new spellings by fiat was American Noah Webster's speller of 1785: he managed, in a febrile political climate which was very receptive to the idea of change in general and change to things inherited from England in particular, to impose some minor changes to words like colour/color and theatre/theater. Since then, all efforts have come to naught. And they will continue to come to naught.

Leave aside the inability of reformers to agree amongst themselves about the reform they want. Leave aside doubt about the claim that phonetic spelling is actually necessary. Instead, let us assume that the basic premise of the reformers, that there should be a consistent relationship between sound and spelling, is true, and that they have such a reformed orthography complete ready for adoption. It will fail. Whatever the proposal, it will fail.

Regional Division

Firstly, the proposal will inevitably involve the concept of some form of standard accent that the reformed spelling relates to. In any significantly sized country which speaks English, there is a variety of regional accents. Not only will these have different pronunciations for the same words, but words which are homophones in one accent may not be in another. Londoners might pronounce poor and pour alike; Scotsmen will not; some or all of duel, dual and jewel may be homophones depending upon who is talking. Any spelling reform will tend to privilege one particular accent, usually something close to "RP", and will become almost as arbitrary as existing orthography the further from that accent one moves. This will make the reform unacceptable to many, including parts of the English speaking world which have distinctive accents and already have separatist tendencies (Scotland, Quebec). Separatist politicians will denounce the new spellings as an attempt to impose a national accent; the argument will be very hard to refute while still providing a coherent argument for the reform. If the spelling is to be national and to be phonetic, there must be a national accent. If regional accents are to be preserved, the spelling cannot be phonetic.

Age and Class Division

Secondly, even if the reform could be "sold" throughout a country, the only plausible way to introduce it would be via schools. Many schools would simply refuse to accept such a change, and these schools would tend be those which are already privileged. They would tell parents that the reform constituted "dumbing down" and that, even if it succeeds, the new spelling will be seen as low status. In addition, literate parents would not welcome such a reform, as it would exclude them from helping their children, and they would work actively to undermine it. It is hard to see how the result would not be a two-tier English, with children of affluent, educated parents retaining old spellings while the new spellings become the hallmark of deprivation. Newspapers and other publishers would not change, as the market for new spelling would be tiny in comparison with that for the existing orthography, and the new spelling would not achieve critical mass.

International Division

Thirdly, unlike in 1785 when international communication was by sailing ships, and books were published locally on local presses with local spelling, English is now an international language. There is no central body which manages English, and there is no plausible way that such a body could be set up. Therefore, any country which altered its "official" spelling (even accepting that it could impose such a thing on its own population) would be cutting itself off from the rest of the English speaking world. Much of English's value lies in its role as a lingua franca, and complicating that by adding a new set of spelling rules (which would, of course, not be phonetic in the heavily accented English spoken in countries where it is the second or third language) would damage this.

Objections to these Arguments

Reformers point to successful, or at least partially successful reforms, in other languages. The German reforms of 1996 would be the most relevant, but do not answer my objections. Firstly, the reforms aimed at increasing phonetic correspondence were minor, so the issue of accent does not arise (or, at least, arises no more than in any other spelling system for German). The changes do not seek to impose a standard accent, and the spellings which were altered were brought into closer correspondence with almost all native speakers' accents. Secondly, the changes were small, of a scale akin to Webster's of 1785 rather than the extensive changes proposed by reformers of English, and do not create a very obvious before and after language. Thirdly, German is dominated by one country, Germany, which has a particularly centralised education system with a very strong degree of control, so the issues both of refusal by some schools and of international division do not arise.

Conclusion

Spelling reform of English will not happen, no matter how excellent the arguments or how polished the proposal. It would not be acceptable to people who do not speak RP, it would not be possible to mandate its use on any large scale, and it would not gain any traction outside the first country to adopt it. It is a waste of intellectual effort to work on reforms without answering these objections.

Spot the difference

2013-11-07T11:48:11Z

Ofsted inspection in November 2012:

Year on year, students’ test marks get better and better. By the time they leave school, they are ahead of students in other schools and are well prepared for their next stage of education, employment or training.

Ofsted inspection of the same school, under the same head, without any significant changes to demographic, funding or other external events, in September 2013:

Too many students fail to make the progress expected of them in English and mathematics across Key Stage 3. When they begin their GCSE studies, they have too much ground to make up and, as a result, GCSE results for the last two years have been much lower than expected, given the students’ starting points.

November 2012:

Teaching is mostly good or outstanding which is why students make such good progress.

September 2013:

Too much teaching is ineffective and not enough is good, leading to students’ inadequate achievement.

November 2012:

The headteacher and senior staff know what the issues are for the school and quickly sort them out.

September 2013:

Leadership and management are inadequate because the school is not improving quickly enough. There has not been a sufficiently cohesive drive by leaders and staff to raise standards. Leaders have an overly positive view of the quality of teaching and the school’s performance. They do not analyse the performance of key groups of students sharply enough to help them plan effectively for improvement.

November 2012:

Behaviour is good in lessons and around the school. Students have good manners and respect adults. They enjoy and feel safe at school and their attendance has improved.

September 2013:

• Some students do not feel safe around the school grounds.

November 2012:

Students with a visual or hearing impairment or those who have other special educational needs also make good progress in The Hub, due to the high quality of support they receive from teachers and specialist support workers.

September 2013:

• Disabled students and those who have special educational needs, including students in the Hub, make insufficient progress. Although teachers clearly identify these pupils and receive good information about their circumstances, not all teachers adjust their teaching to meet their needs. The large majority of disabled pupils and those who have special educational needs in Year 7 last year, made little progress or went backwards in English.

November 2012:

• The governing body is aware of the quality of teaching and the strategies the school is using to improve its quality. Governors are aware of how well students are doing, including in comparison with students nationally. They regularly ask questions about teaching and attend some of the staff training sessions. As a result, they are aware of which staff are performing well and how performance management is being used to reward staff when they have made a difference to students’ outcomes. Governors themselves are well-trained through a planned programme and hold the headteacher to account for the performance of the school. They have ensured that the pupil premium is used effectively to help potentially disadvantaged students to do better.

September 2013:

• The governing body has not questioned the school’s leaders robustly enough about students’ achievement; the decline in performance has not been investigated and they have not checked on how well groups of students are doing. They have simply accepted information given to them by senior leaders and, as a result, they do not hold an accurate picture of the school’s effectiveness. They do not have a deep enough understanding about the quality of teaching across the school. Governors have not held school leaders to account for their actions and, as a result, have not sufficiently challenged them about needed improvements.

Visiting Universities

2013-02-13T09:16:00Z

A colleague and I have an on-going conversation about how universities in the Russell Group are going to be affected by the 20% drop in the number of 18 year olds over the next ten years. Simplifying what has been a long-running debate, he essentially argues that any fall in numbers applying at the upper end of the current spectrum of institutions will be back-filled by people who might otherwise have applied to less selective institutions, while I argue that there are practical, cultural, academic and other reasons why people will continue to apply to post-94 universities (particularly urban ones) even if there are places going spare in the Russell Group, even if they go on to get A Levels which would get them a place in the RG institution. Time will tell, I suspect, but universities whose recruitment is entirely predicated on people living away from home --- most of the post-Robbins universities --- are going to feel the chill more than the traditional metropolitan Redbricks with a large "home" source of students.

However, it's interesting to look over the ocean and see how the high-end US universities are recruiting. They also face a ten year period of decline in the number of people turning 18 in their country, but with cultural factors that make the situation probably worse than it is for equivalent institutions here. The Ivy League is at least as middle-class as Oxbridge, and it's the white middle classes where the birthrate is dropping most savagely. So to get the best students, the Ivy League has both to reach out to new groups and compete amongst themselves for the best from the traditional recruiting grounds.

It's a whole other world.

The British universities, other than the "tourist destination" old Oxford and Cambridge colleges which offer daily tours of the buildings, have a few open days per year. In practice, you can usually just turn up, but in principle they need booking. They are marketed to schools, rather than to parents and prospective students. Although the middle classes (who are in very short supply, as their birth rate is low and falling) plan campaigns of open days for their children as though they are contemplating an amphibious invasion of France, large portions of the potential student population only make ad hoc visits to a local university, organised by schools on the basis of distance as much as anything else. Aside from anything else, cost is a major factor: visiting four or five universities, even if like me you regard parents going with their children as a lamentable development, could easily cost 250 quid. Packing those into the small window of time during which they all happen is very difficult.

The Ivy League and their competitors have campus tours, on a turn-up basis, every day apart from high days and holidays, both in and out of term (all from the first hit of google "visit X", except for Berkeley, where it's the second hit as the first hit is the district rather than the university).

http://admissions.yale.edu/visit-and-connect

http://www.harvard.edu/visitors

http://www.princeton.edu/admission/visitprinceton/

http://www.stanford.edu/dept/visitorinfo/

http://visitors.berkeley.edu

Welcoming, yes?

Contrast with the first paragraph of the result of searching for "Visit [Russell Group] University" (and it's the same for all of them, plus or minus, so it would be invidious to identify it).

Reading through a prospectus is not the same as coming to visit the University in person. ‘Invitation only’ applicant visit days are held from November to April when students who have applied to study at [RG] are invited to a VIP day where you can meet current

Other examples are available from

http://www2.warwick.ac.uk/study/undergraduate/visits/

http://www.bris.ac.uk/university/visit/prospective-tours.html

http://www.sheffield.ac.uk/undergraduate/opendays

There are special days, which you have to book for, but otherwise the university's doors are closed to you.

The US tours are up to a point aimed at prospective students, but they're also more general to raise awareness amongst passing tourists. Those tours also include a chance to talk to admissions people and student ambassadors, every day. So if you're near a university for some other reason, you can visit and get a sense of what that universities, and universities in general, are like.

And if you and your parents don't have a background in university education, for Yale you can sit in on _any_ class on campus as a visitor, something explicitly aimed at explaining why universities are A Good Thing:

You are welcome to drop in on a class – just search for classes that you might enjoy. Or, thanks to Open Yale Courses, you can try out a Yale class online at anytime

This doesn't appear to be a hollow offer --- my elder looked up what lectures were happening on the day we intend to visit Yale, mailed the lecturer and within 35 minutes got an enthusiastic response, finishing

Have a safe trip, and I look forward to meeting you next week.

So a holiday in New York can include a side-trip to New Haven, a campus tour and sitting in on a class. That's a pretty compelling piece of marketing.

Now, suppose a student who happened to be in a city fancied a look at a Russell Group University, or more specifically at a department in such a university. They're told it's invitation only, and those invitations are only available to applicants. How likely are they to think better of the university?

ian

How sensible policies conflict with each other

2013-01-26T11:14:00Z

[[ Not theory, not technical, but if you're interested in policy... ]]

It's a sensible idea to provide a renewal schedule for photographic ID, to account for changes in appearance and to "time out" tokens which might have weak physical security. So passports, for example, force renewal every five years for children and young adults and every ten years for old adults. The photographs are reasonably up-to-date (although five year old children can travel on photographs of them as a baby, which might not be good news in custody disputes) and passports only have to withstand a maximum of ten years of attempted forgeries. For example, recent EU passports have the passport number perforated through each page, presumably to defeat the swapping in of pages with visas, or swapping out of exclusion stamps. Older ones don't, but within ten years of the introduction of that security measure, all passports will have it. Attackers might choose to forge or modify an older passport, but they can't choose to manipulate a 1994 Blue British Passport with handwritten details and a photograph glued in, because even if they were able to modify the expiration date, the physical design itself has expired as well.

So when photographic driving licenses were introduced, there was a lot of noise about the photocard portion having a ten year renewal schedule, the same as passports. This way, the photograph would always be relatively recent, and at least no worse than a passport photograph. However, it was a lot of work issuing photographic driving licenses, as it required photographs to be endorsed and validated and scanned. Once the passport office started scanning photographs and signatures and printing them in passports, rather than physically attaching a real photograph and sending them out for the bearer to sign, the solution was obvious: link driving licenses to passports, so that the same photograph was used for both. Provided you have a passport, you can apply for a driving license in the same name with the same photograph, modulo other proofs of shared identity. And you can do this irrespective of when the passport was issued.

Can you see the problem?

I've just received my first photographic driving license, applied for using the "linked to a passport" process. My passport was issued in 2003. So my new driving license, valid until January 2023 (when I will be 58), features a photograph taken in 2003 (which I was 38). I can drive, perfectly legally, in 2023 with a _twenty_ year old photograph on my driving license. So, why do we need to renew them every ten years? OK, the anti-forgery aspect of it is an issue. But most uses of driving licenses as driving licenses, rather than as ID cards, are checked online with the DVLC. Because you can't have driving license until you're sixteen, the ability to forge an older, weaker driving license isn't of much use for the main use case of posing as being old enough to buy alcohol, and I seriously doubt that even the Level 1 Security features in the license [1] are in reality checked by publicans. ian

[1] UK Driving License Security Features

Lance Armstrong

2013-01-18T08:37:44Z

Well, I'm not sure that was worth getting up for. By which I mean that by the end we knew more, but none of it was really worth knowing. We learnt that Armstrong doped to win races, but we all pretty much knew that already. Even the deniers knew it in their hearts. We learnt that he denies doping since 2005 which is, conveniently, the point at which the US Statute of Limitations on perjury kicks in to cover his his denials. I doubt even he believes that, but that's a matter for the courts. And nastiest, we had learnt what we also already knew: that Armstrong's a sociopathic, narcissistic bully with the morals of the gutter.

It's not about the bike: it's about him. He dismissed his vile abuse of Betsy Andreu (someone I would want in my corner in a fight) and Emma O'Reily (who did nothing wrong other than be honest and true). In the latter case, he pretended to not even remember what he'd done. In each case, his self-obsession meant that he believed that his mere apology made things right, and he implied that they were unreasonable for not accepting that at face value. It was like some hideous 12-step nonsense (he'd talked about "process" at the outset); under the guise of "making amends" narcissists make hollow apologies, and then blame their victims for not accepting them. It's a manipulative technique at the heart of 12 steps: it's not my fault that they hate me for what I've done, haven't I apologised?

He also tried to blame it on his "flaws". He was flawed, and therefore lacked moral agency, so didn't have any choice. Sophocles unpicks that in his plays, and Shakespeare gives it no credence, so it's as though Armstrong hasn't read a play written in the past two and a half thousand years. Yes, he was flawed, but that doesn't mean he didn't make choices. It's as though his desire to "win" excused, and excuses, any excess, any abuse, any assault on others.

Winfrey has the journalistic credibility of Hello magazine, and the whole thing was obviously staged. Armstrong had clearly been given the questions in advance, and given the way in which some topics weren't followed up had presumably had final cut on the interview. Confused, self-contradictory stories (especially about Betsy Andreu's testimony but also whatever happened in Switzerland) weren't followed up, and the contradictions weren't challenged. This was Frost-Nixon as Nixon envisaged it, not as Frost managed it: soft questions, poor followup, heavy editing, final cut. But what came over, unintentionally, was what an appalling man Armstrong is, and how he clearly lives in a house with no mirrors.

In his mind, all he did was what he had to do. We should move on, shouldn't we?

ian

Oh Tempora, Oh Mores

2013-01-07T17:22:00Z

In 1986, you could bring up a network of half a dozen Sun workstations, each running a perfectly capable 4.3bsd-derived Unix which most people today would be perfectly happy to use in terms of functionality (the 15MHz 68020 might not be such fun) off a single 327MByte Fujitsu Super Eagle disk [1], with plenty of room left to do real work.

Today, the installation image for a Raspberry Pi is 1.8GBytes.

ians-macbook-air:Downloads igb$ ls -lh 2012-12-16-wheezy-raspbian.img
-rw-r--r--@ 1 igb staff 1.8G 16 Dec 18:52 2012-12-16-wheezy-raspbian.img
ians-macbook-air:Downloads igb$

And the update kit looks like about another 475MBytes, too.

 remote: Counting objects: 21472, done.  
remote: Compressing objects: 100% (7381/7381), done.  
Receiving objects:  70% (14868/21219), 331.89 MiB | 32 KiB/s

[1] I found the securing straps from the pallet it was delivered on recently: I'd been using them to tue things down in the boot of one of the cars.

Government putting key documents on AWS: what could go wrong?

2013-01-07T15:04:06Z

Politics junkies seeking a copy of the Coalition's "mid-term review" will be amused to note that it's being served from the snappily-named "assets.cabinetoffice.gov.uk.s3-external-3.amazonaws.com". Anyone might think that the UK government didn't have any data centres.

Font junkies will be pleased that, rather than recent DfE publications which have the hideous combination of Helvetica logos and Arial body, it is at least in Helvetica Neue throughout.

ian

Look on my works, etc

2013-01-07T14:14:00Z

Having been watching the demolition of Bournville College, I hadn't noticed that Shenley Court was being demolished as well. I hadn't been past it in daylight for a few months, so by the time I noticed yesterday it was pretty far gone.

Police and Thieves

2012-12-24T23:38:00Z

Well, it looks like the Tories have been taken over by student Trots. Never mind putting the disestablishment pistol to the CofE's head over women bishops, and then just shrugging their shoulders and telling the churches to get stuffed over same-sex marriage: that could be principle, or could just be lugging some soft ones to the Lib Dems in the knowledge it's going to be a bloodbath in the Lords'. But the last week has seen:

* Osborne announcing that the government's going to donate the VAT on the Hillsborough single back to the "Justice for the 96" campaign (contrast Thatcher and Band Aid, although I believe that was sorted out in the end), Cameron announcing that the government is going to fund the legal representation of all the families of the 96 and Grieve announcing new inquests for all of the 96;

* Cameron announcing a fresh inquiry into the Battle of Orgreave

* No backing down over police pension, pay and conditions

* Assorted Tories getting ready to take the Met on, unambiguously, over Mitchell.

Time was that Tory policy on the police was to pay them off and grant them immunity in exchange for bashing in the heads of union members. Now it looks like the Tories are seeing that the police (via both ACPO and the Fed) have been behaving like a private army and not one that the Tories either control or need, so are planning a front and centre assault on them. Labour didn't dare, for fear of being seen as "soft on crime", so allowed a culture of impunity to develop in which the police believed that they could write the law as they want it. I guess that perjury in support of an attempt to bring down a minister is taking that a bit far. But it is like the SWP are running Tory relations with the police. Fun times.

Merry Christmas one and all.

ian

Victory for the Mail! Children WILL be protected from online porn after Cameron orders sites to be blocked automatically | Mail Online

2012-12-20T09:56:18Z

Yes, I know, reading the Daily Mail rots the brain, although in my defence I only saw this story because it was on the front page that Paxman showed at the end of last night's Newsnight. David Cameron is trying to square the circle of the Mail's howling about online pornography and the resounding results of the recent consultation exercise:

David Cameron writes:

Want to restrict access to Facebook after 8pm? Decide to allow younger children to view fewer sites than their older siblings? Or want to stop access to certain sites altogether? Now you will be shown how to do it.

Read more: http://www.dailymail.co.uk/news/article-2250809/Victory-Mail-Children-WILL-protected-online-porn-Cameron-orders-sites-blocked-automatically.html#ixzz2FaHpxWqU
Follow us: @MailOnline on Twitter | DailyMail on Facebook

So, for those of us in the security community, it appears Dave is going to solve the problem of home users sharing computers and/or sharing accounts at a stroke. All the issues associated with people using one login (or, more commonly, no logins) will be gone. And, better, devices which don't have the concept of multiple users (such as those iPads which so few people have bought, and which have been so unpopular since their damp-squib launch) will now be locked to a single user and won't be shared around in households. Excellent! That's a major security issue solved at a stroke!

ian