Friday, 22 April 2016

Is Amazon marketing to bike thieves?

I'm interested in cycling and I'm interested in lock picking.  I've searched for paraphernalia related to both on Amazon and consequently my recommendations include items related to each.

Recommendations are sometimes categorised in a weird way.  Practice locks (locks mounted in clear plastic for learning lock picking) are listed under the cycling category, when they'd seem to have nothing to do with cycling.

At first I assumed that this was due to a generalised algorithm not taking into account subtleties of classification, meaning that their ontology sucks.

But then I started to wonder if Amazon had actually got it right.  I'm not a bike thief but an interest in bikes and lock picking might suggest that I am.  So perhaps Amazon is marketing to the niche Gentleman Bike thief crowd.

I'm not sure which I prefer.

Friday, 15 April 2016

European parliament votes in big shake-up of data protection laws

The data protection regulation's stated aim is to give citizens back control of their personal data as well as simplifying the regulatory environment.
It could mean huge fines for companies that breach the law and offer some complex problems about how they store, delete and return data to citizens.
There's no incentive for companies to protect customer data unless the cost of breaching the rules, weighted by the risk of getting caught, greatly outweighs the profit from misusing it.  Currently this is not the case, especially for large companies with a lot of customers.  User data is valuable to companies and misuse of that data can be hugely problematic for the users.  Fines and powers of investigation must reflect this.

Let's not forget, though, that governments must also be accountable for internet users' data.  They must recognise that it is our data, be transparent about how they use it and about how that usage may change.

The biggest change is an increase to the fines that can be issued to non-compliant companies - up to 4% of their global turnover or 20m euros, whichever is bigger.  Regulators will be able to inspect companies, which must show that they have appropriate systems in place for compliance, including a mandatory data protection officer for large companies.

It's difficult to see how regulators could properly inspect companies or whether they'll have the resources to do so.

There'll also be provision aimed at making it easier for users to transfer data and accounts to other providers, but once again this could prove difficult in practice:
Or, in the case of someone wanting to transfer their data from one utility or insurance provider to another or even to many, to ensure they get the best deal, "your name and address is probably data you provided, but companies could argue that your gas usage is something that they have collected directly", says Ms Boardman.

Online abuse law needs shakeup

Conservative MP Maria Miller, chair of the Commons Women and Equalities committee, urges a review on the "significantly increasing" problem of online abuse, here reported by the BBC.
[...] Ms Miller [...] said police found it "incredibly difficult" to make current laws work.
She added it was time to get tough on social media networks too, which treat online space as the "Wild West". 
The national digital policing lead said responses to victims were inconsistent.
Chief Constable Stephen Kavanagh points out that police are working with 30 different pieces of legislation, including the Computer Misuse Act, which is 26 years old.  Laws of that vintage were not designed with modern offences in mind and are no longer fit for purpose.

The UK government is far too concerned with policing the internet in general, but even free speech has to have limits.  The article relates the all-too-familiar story of Nicola Brooks:
My ordeal started in 2011. I was singled out for commenting on a Facebook page for an X Factor contestant. The abuse escalated very, very quickly, which included a fake paedophile profile made of me. They spread and shared my profile photo and name all over Facebook pages, saying I was a prostitute, a drug dealer, a paedophile. Obviously the other users were reacting to this. 
The report system to Facebook did not work. My family, friends and I constantly were reporting escalating abuse to Facebook. After about four days, I realised I needed expert help so I contacted the police and a law firm. I was told to print out all the screenshots, which I did. 
I took over 200 screenshots into my local police. It was awful. I was in there less than 15 minutes. They would not look at the evidence. They said because it happened on Facebook, it was not a police matter, no crime had been committed. And they told me to close down my Facebook account.
Tactics of this sort are common among people who want to silence others.  The victims are usually women who are guilty of nothing more than having an opinion while female.  This is why the common response that victims should just stay off the internet is inappropriate.  The internet is a public space like any other and companies and law enforcement agencies need to take some responsibility for users' safety.

Tuesday, 5 April 2016

Do you have the brains for cybersecurity?

If the question annoys you - and it should - the BBC article ought to register a code green.

For starters, it's not remotely about cybersecurity.  For seconds, it contains sentences like this:
From ancient times to the present day, security, codes and puzzles have been intertwined, as have the people who have tried to crack those codes to read messages they were never meant to see.
and this:
This time there is no key to help decipher this short string of numbers, so it is a bit harder. However, here is a hint - once deciphered the string will reveal the name of a famous maths code that uses numbers.
A....famous...maths...code....that...uses...numbers....?  Who wrote this? (the 'code' is the Fibonacci Sequence, as the picture of the sunflower hints.)

They are all trivial apart from number six.  Obviously 6.1 is hex-encoded, but it's not simply ASCII encoded as hex. Presumably some arbitrary typographical manipulation is needed to reveal the plaintext. The clue suggests that it's a quote from Alice in Wonderland.  I'd start by writing a script to look for quotes of that length in the text of the book, rather than trying to figure out the arbitrary transformation.
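The brute-force side of that plan, as an added example that is not part of the original post: the puzzle string itself is not reproduced here, so the hex below is constructed by applying an arbitrary byte transform (XOR with a constant) to a known quote, and the "book" is a few constructed sample sentences rather than the full text. The search uses nothing but the decoded byte count, which assumes the manipulation maps one character to one byte; the candidates it returns still need a human to pick the right one.

```python
import re

# Constructed sample text standing in for the book: a few sentences in the
# style of the source, NOT the full text of Alice in Wonderland.
SAMPLE_TEXT = (
    "'Curiouser and curiouser!' cried Alice. "
    "'Oh, you can't help that,' said the Cat: 'we're all mad here.' "
    "'Off with her head!' the Queen shouted."
)

SENTENCE_END = ".!?"


def make_constructed_puzzle(quote="Curiouser and curiouser!", mask=0x5A):
    """Build a stand-in for puzzle 6.1 (the real string is not on the page).
    An arbitrary byte transform (XOR with a constant) is applied before hex
    encoding, so the result is hex that is NOT plain ASCII, as the post says."""
    return bytes(b ^ mask for b in quote.encode("ascii")).hex()


def decode_hex(hex_str):
    """Strip whitespace and decode a hex string to raw bytes."""
    return bytes.fromhex(re.sub(r"\s+", "", hex_str))


def is_plain_ascii(data):
    """True if every byte is printable ASCII, i.e. the hex was 'just ASCII'."""
    return all(0x20 <= b < 0x7F for b in data)


def candidate_quotes(text, length):
    """Every distinct window of exactly `length` characters that starts on a
    word and ends on sentence punctuation.  No knowledge of the transform is
    needed: the byte count alone constrains the search."""
    found = []
    for i in range(len(text) - length + 1):
        window = text[i:i + length]
        starts_word = window[0].isalpha() and (i == 0 or not text[i - 1].isalpha())
        if starts_word and window[-1] in SENTENCE_END and window not in found:
            found.append(window)
    return found


def solve(hex_str, text):
    """Decode, check whether the bytes are already readable, and if not list
    every quote-shaped window of the right length in the text."""
    data = decode_hex(hex_str)
    return {
        "length": len(data),
        "plain_ascii": is_plain_ascii(data),
        "candidates": candidate_quotes(text, len(data)),
    }


if __name__ == "__main__":
    result = solve(make_constructed_puzzle(), SAMPLE_TEXT)
    print(f"{result['length']} bytes, plain ASCII: {result['plain_ascii']}")
    for c in result["candidates"]:
        print("candidate:", c)
```

Against the constructed text this yields two windows of 24 characters, one of which is the planted quote; on a whole book the list is longer but still far shorter than the space of possible transformations.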

6.2 looks harder.  I'm guessing that you have to work around the wheel to generate a sequence of numbers which will act as some kind of key.  My guess is that you pick a starting point on the wheel and step round it clockwise or anti-clockwise to generate a number of the same length as the one below, then perform some operation with the two numbers.  The other clue is that there's a computer science theme, so I'd start with logical operations.

I'm not sure about the third one, but I'd start with Morse code.  If it isn't Morse, then the message is very densely packed.  I expect the trick is to find a route around the chess board that reveals a message in Morse.

But anyway, that's not what I really wanted to write about.  The problems are either trivial on the face of it (1 through 5) or (unless I'm missing something obvious) require a lot of tedious trial and error of trivial operations (6).

This has nothing to do with cybersecurity.  It's actively harmful to the goal of cybersecurity because it suggests that an ability to solve codes and ciphers is somehow related to security practice. Here's how the BBC puts it:
In the modern day, the ability to work through a problem and decipher it is essential to anyone who works in cybersecurity, partly because a lot of what they do involves working out what is going on with less than perfect knowledge.
That's not even coherent but that's OK because it's also completely wrong.  Here's what you need to work successfully in cybersecurity:

  1. An understanding of how systems work. Technical systems, human systems, the interface between them... 3 of the 4 wifi networks I can see from here have routers that use the default password.  They all have the default security configuration, too, which is shit and would be vulnerable even if they weren't using the default password.  If you want to protect people, this is your starting point - knowing about this kind of thing - not whether you can solve arbitrary puzzles.
  2. An ability to abstract, to be creative. I wouldn't seriously try to solve the 6.x puzzles on paper because I can see the shape of the puzzles and it'd be so much easier to write code to solve them for me.  Creative people solve puzzles by looking at them in a way that makes them easier to solve.

Fuck you, Mark Ward of the BBC, for insinuating that cybersecurity is scary. YOU are part of the problem.