Jun 05 2018

As the subject says, this blog has been offline for just over a week because of a hardware failure. Just when I wanted to moan about all the GDPR hissy fits that people are throwing.

Noticed some websites are blocking you because of the GDPR?

That’s the hissy fit. It seems that some international web site operators who previously assumed that GDPR didn’t apply to them are suddenly realising that it does, which is an indication that they have been impersonating an ostrich for a couple of years now.

Smaller businesses get a free pass on that one, but any reasonably sized company should have been aware of GDPR by now. It was put in place and deliberately put on hold for two years to allow people to get started on complying with it. Anyone involved in the security business has been hearing “GDPR” for over two years now.

So there are those who claim they’ve not heard of it, and are now panicking and trying to catch up, making a mountain out of a molehill, and claiming that it’s a dumb law. Technically it isn’t actually a law but an EU regulation that member states are required to make law.

Anyway onto some of the biggest arguments against the GDPR …

The Whois Question

This is a great example of what happens when you ignore a situation and then panic.

When you register a domain (such as zonky.org) or a netblock (a set of IP addresses), you are expected to provide contact details for the individual(s) involved in the registration process – to allow for billing, and contact to be made in the event of operational issues.

Storing that information is perfectly reasonable.

Publishing that information is perfectly reasonable given informed consent.

Ideally the domain registration would offer a choice to the registrant – public listing of personal details, public listing of role contact information, or public listing of indirect contacts (i.e. keeping the contact details private).

There is a German court case decision saying that it isn’t necessary to have contact information for registering a domain; all I can say is that the German court obviously didn’t have the full facts.

GDPR’s “Right To Be Forgotten”

One of the misconceptions is that the “right to be forgotten” is an absolute human right; for a start it’s not a human right, but a right under the law. And it is not absolute; the text of the GDPR includes numerous exceptions to the right to be forgotten, such as :-

  • A legal or regulatory obligation to keep the personal information.
  • An overriding public interest.
  • Ongoing legitimate business processes still require that personal information.

The key is that if you are an ethical business (in particular don’t plan to sell personal information and/or keep spamming people) then the right to be forgotten isn’t anything to worry about.

GDPR: The Fines

The strange thing is that there is doubt over the level of fines that can be levied under the GDPR, which is remarkable as the language is quite clear – the lower level of breach can attract a fine of up to either €10 million or 2% of annual turnover.

Or to put it another way, for the lower level of breach, the maximum fine is whichever is greater of €10 million or 2% of annual turnover. The maximum.

Do you know how often the ICO has imposed the maximum level of fine under existing legislation? Never.

The Jurisdiction Issue

Now here there are some legitimate grounds for grievance; after all, whenever the US starts imposing its laws outside of the US, people outside the US start jumping up and down. And yes, the EU does expect non-EU companies to obey the GDPR regulation if they store data on EU citizens.

In practice, the EU isn’t going to try going after small companies outside the EU; particularly not small companies that are just ordinary business and not engaged in Cambridge Analytica type business.

The other way of looking at the global reach of the GDPR is whether it would be a good idea for there to be a world-wide law in relation to the protection of personal information. The Internet means that world-wide laws are necessary in this area, or those abusing personal information will merely move to the jurisdiction with the weakest protection of personal information.

Rusty Handrail

May 24 2018

A day or two ago, I bumped into someone online who used the phrase “elitist expert” in a negative context; either a troll or a spectacularly dumb person. He isn’t the only one; there are plenty of people who show a similar attitude.

Hell, the whole Trump government is riddled with that attitude.

There are two parts to this attitude – the notion that “elitist” is wrong, and the notion that “expert” is wrong. And I will attack those attitudes in reverse order.

An expert is simply someone who knows what they’re doing in one particular area – not necessarily just one. That could be an expert in economics, coal mining, carpentry, plumbing, etc. There is no reason why ordinary working people cannot be experts in what they do; in fact many of them are.

Imagine if you will that a plumber inspecting your pipework suggests that some of the pipes need replacing. If you totally ignore him, there is a word to describe you: “idiot”. Sure, if it costs lots of money, getting a second opinion from another plumber is a sensible precaution, but to totally ignore the advice of the expert? Surely that’s stupid.

So don’t ignore experts – by all means get advice from other experts too, but to ignore them is stupid. Of course if you consult 1,000 experts and 995 of them say the sky is blue and 5 say the sky is purple, you should probably side with the majority.

As to elitist, well, it is usually a bad thing – treating one person better than another for whatever reason is almost always wrong. But in at least one case, elitism is just common sense – my opinion on a plumbing problem is worth less than any plumber’s, much less that of a plumber that other plumbers go to for advice (“Man, that’s a tricky one; you’d better ask Jo.”).

Why do I use a plumber as an example rather than say a climate scientist?

Because there are two other factors in play :-

  1. The notion that “book learning” is inherently wrong.
  2. The notion that practical skills are worth less than intellectual skills.

A plumbing expert is just as useful to society as a climate scientist, and vice versa. Of course they are valuable at different time scales – if there is sewage spewing out of your toilet, you need a plumber right now, and the services of a climate scientist are rarely that urgent.

Follow The Path

May 04 2018

I had the pleasure of upgrading a server today which involved fixing a number of little niggles; one of which was that connecting to switches suddenly stopped working :-

✗ msm@${server}» ssh admin@${someswitch}
Unable to negotiate with ${ip} port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

This was relatively easily fixed :-

✗ msm@${server}» ssh -o KexAlgorithms=+diffie-hellman-group1-sha1 admin@${someswitch}
Password: 

Of course doing this command-by-command is a little tedious, so a more permanent solution is to re-enable all the supported key exchange algorithms. The relevant algorithms can be listed with ssh -Q kex, and they can be listed in the system-wide ssh client configuration in /etc/ssh/ssh_config :-

Host *
    KexAlgorithms ${comma-separated-list}
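Rather than re-enabling weak algorithms under Host * for every connection, the exception can be scoped to the devices that actually need it. The script below is an added example, not from the original post: it parses the negotiation error quoted above, picks out the offered algorithms treated as weak (the list here is an assumption: the method from the post plus the other SHA-1 group-exchange method), and emits an ssh_config stanza for just that host. The host name and IP address are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Parses the "Unable to negotiate"
# message ssh prints on stderr, flags the offered key-exchange algorithms that
# are treated as weak, and emits an ssh_config stanza scoped to the one host
# that needs them, rather than re-enabling them under "Host *".

# Key-exchange methods treated as weak here (assumed list: the SHA-1 based
# group1 method from the post plus the SHA-1 group-exchange method).
WEAK_KEX="diffie-hellman-group1-sha1 diffie-hellman-group-exchange-sha1"

# Print the algorithms listed after "Their offer:", one per line.
offered_kex() {
    printf '%s\n' "$1" | sed -n 's/.*Their offer: *//p' | tr ',' '\n'
}

# Print only the offered algorithms that appear in WEAK_KEX.
weak_offered() {
    for alg in $(offered_kex "$1"); do
        for weak in $WEAK_KEX; do
            if [ "$alg" = "$weak" ]; then
                printf '%s\n' "$alg"
            fi
        done
    done
}

# Emit a per-host ssh_config stanza that adds (with "+") exactly the weak
# methods this device offers.  $1 = host pattern, $2 = ssh error message.
# Returns 1 when nothing weak was offered, i.e. no override is needed.
legacy_host_block() {
    weak=$(weak_offered "$2" | tr '\n' ',' | sed 's/,$//')
    if [ -z "$weak" ]; then
        return 1
    fi
    printf 'Host %s\n    KexAlgorithms +%s\n' "$1" "$weak"
}

# Constructed sample of the message quoted in the post (the IP is a
# documentation address, not a real device).
SAMPLE_ERR='Unable to negotiate with 192.0.2.10 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1'

legacy_host_block 'oldswitch.example.net' "$SAMPLE_ERR"
```

The emitted stanza can be appended to ~/.ssh/config or /etc/ssh/ssh_config, keeping the default algorithm set intact for every other host.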

But Why?

According to the OpenSSH developers, the latest versions of ssh refuse to use certain key exchange algorithms (and other cryptographic ‘functions’) by default.

Their intention is perfectly reasonable – by default the software refuses to use known weak crypto. I’m fully behind the idea of discouraging the use of weak crypto.

But the effect of disabling weak crypto in the client is unfortunate – all of a sudden people are unable to connect to certain devices. The developers suggest that the best way of fixing the problem is to upgrade the server so that it supports strong cryptography.

I fully agree, but there are problems with that :-

  1. Some of the devices may very well be unsupported with no means to upgrade the ssh dæmon. Now in an ideal world, these devices wouldn’t be on the network, but in the real world there are such devices on the network.
  2. Some devices may not be capable of being upgraded because of processor or memory limitations. Network switches are notorious for having slow processors and tiny amounts of memory, and it is entirely possible that such a device would not be capable of running more exotic and modern crypto. Similarly lights out management processors are often severely limited.
  3. Even if a device is capable of being upgraded, there are the standard problems – the vendor may be slow at releasing updates, change control gets in the way, and lastly resourcing may be an issue – upgrading several hundred switches manually with just one or two people doing it is not going to be a quick job.

Lastly, whilst security is important, breaking things just to make a point is a little extreme. Whilst it is possible to fix the problem, it is something that isn’t immediately obvious to someone who doesn’t routinely configure ssh. And someone, somewhere has had this breakage occur just before they really need to fiddle with a switch Right Now.

There is a far better option available – leave the weak crypto enabled, but warn noisily about its use :-

WARNING!!!!! (2 second delay)
WARNING!!!!! (2 second delay)

The device you are connecting to only supports known weak crypto which means this connection
is subject to interception by an attacker.

You should look at upgrading the device as soon as possible.

Telling people what is wrong noisily and continuing to work is far better than simply breaking with a rather terse message.

Foggy Reflection

Apr 14 2018

In the USA, a considerable number of states (30 counting 16 years as “adult”) allow the marriage of underage children under certain constraints. And these marriages do happen; whilst proportionally they are a tiny minority, to those victims it is nothing less than state-sanctioned child sex abuse.

In terms of numbers, Unchained at Last (via Wikipedia) found that between 2000 and 2010 there were 167,000 children in marriages; 13% were boys (I mention boys because most articles start with the girls). But weren’t they all children marrying each other? Only in 14% of cases.

The USA government condones and supports child sex abuse.

Not just the overwhelming majority of the rest of the world, but even third-world countries, do better on the marriage loophole allowing child sex abuse. Trump: for the victims of those marriages, the USA is the “shit-hole”.

The Bench