security

  • 50 years on

    In October 1973, a large cohort of (mostly) young people aged 17-19 left their homes with varying levels of street wisdom under their belts and dampness behind the ears (not to mention essential life skills such as being able to manage money and cook. Ed.) to embark on something that was going to change their lives for ever – studying the BA Modern Languages course at Wolverhampton Polytechnic, now the University of Wolverhampton, a matter that was going to occupy us for the next four years, until the summer of 1977.

    Just shy of 50 years later, twenty-two alumni plus partners (including some who are also Wolverhampton veterans. Ed.), some travelling from as far away as New Zealand, and seven of our lecturers all assembled for a significant anniversary celebration back in the city that grew up around the site of an abbey dedicated to St Mary founded by Wulfhere of Mercia in 659 and in which they studied from 1973 to 1977.

    BA Modern Languages 1973-77 50th reunion group photo
    Alumni, lecturers and partners stand back from the bar. Photo courtesy of Paul, edited by photography wizard Tim.

    The hair may be greyer or diminished in luxuriance, the limbs less lissome, the waistlines somewhat stouter, but the same personalities still shine through the physical changes, and laughter and good times prevailed as they did all those decades ago, even though some of the party had not seen each other for over 45 years rather than the 5 years since the last reunion.

    This time your ‘umble scribe travelled up to Wolverhampton on Friday afternoon; and it proved to be worth the effort, allowing plenty of time to settle in and relax instead of the mad rush of arriving on the day and then scrabbling to get ready in time before sitting down to meat. After a meal and a couple of lemonades at nearby hostelries, it was back to the hotel where we kept the barman busy serving us brown beverages of various shades.

    Saturday dawned far too early, but any lack of sleep was cured by an excellent breakfast, assisted by the excellent company. At lunchtime, a small party gained access to the room where our revels were to take place, to decorate it, sort out the seating plan and ensure that the music and visuals worked properly.

    Two o’clock on a warm Saturday afternoon saw a large group of alumni assembled in front of the oldest part of the university – known as The Marble – for a campus tour led by David from the Alumni Office. Since our time, many of the university buildings that we remember have been demolished and replaced by more modern facilities. Long gone are the wooden huts and the perishing cold St Peter’s Hall (which the polytechnic shared with a vegetable wholesaler. Ed.). Part of the tour took in secure parts of the campus and for this we were joined by David from security, who’s worked for the university for nearly two decades. His tales of student high jinks revealed very little has changed over the decades/generations. Finally, any Wolverhampton Polytechnic/University of Wolverhampton alumni who have not provided their contact details to the Alumni Office or need to update them can do so here, whilst back copies of the alumni magazine can be accessed online too.
    Alumni on tour with Dave from security. Photo credit: David from the Alumni Office.

    The traditional Saturday night celebratory meal saw new directions and a new dimension. Firstly, the usual disco was dispensed with and replaced with Sheila’s Spotify playlist as background music. This meant there was no need to SHOUT TO HOLD A CONVERSATION. 😀

    Secondly, much mirth and merriment was occasioned by the presence of an inflatable Selfie Station photo booth complete with props – silly hats, inflatable musical instruments and the like.

    Last but not least, your ‘umble scribe had volunteered to compile a video slideshow. Comprising mostly photos from our student days, this 32-minute-long movie was played on loop throughout the meal until coffee was served and we reached the speeches slot. For the nerds, the slideshow was compiled with Imagination, “a lightweight and easy to use slide show maker” for the Linux and FreeBSD operating systems. Similar software is available for other, more common operating systems. Those whose photos were not used will be pleased to hear there is more than enough material for another slideshow for the 50th anniversary of our graduating in 2027.

    Feedback on the meal itself was most appreciative and it was possibly the best our gatherings have enjoyed to date.

    With coffee served, it was speech time, with former assistant head of department Alan on his hind legs for a few well-chosen and thought-provoking words. These ranged from the benefits of a period of residence abroad, including not only gains in maturity, but also finding common ground with one’s hosts, primitive hygiene arrangements in 1960s Spain, the difficult relationship of Britain with the rest of Europe and the continuing need to teach and study other languages in a world where English is the de facto lingua franca.

    Once the applause died away, MC Dave leapt up to respond and in amongst the anecdotes of student life during our mandatory year abroad, which featured broken sanitary fittings and a visiting England rugby league team, he found time to propose a heartfelt toast and tribute to absent friends – both staff and students – who had not survived to join our revels that weekend. Many remarked afterwards that Dave is a natural public speaker, so well done mate!

    Celebrations continued well into the small hours on that warm and sunny June evening with the moon and stars shining down before it was finally time for bed.

    All in all it was a brilliant weekend and my gratitude goes out to all my fellow attendees for their kindness, generosity and company. We now have a couple of years off until planning for the next event needs to start.

    Thanks to…

    Of course, events don’t happen of their own accord and a fair bit of time was spent planning in various Zoom sessions. Your correspondent would like to express particular thanks to the following:

    • Sheila, Paul & Gwenda for the bulk of the organising;
    • Sheila (again!) for the Saturday evening playlist;
    • Whoever arranged the flowers for Paul and Gwenda;
    • Dave for relieving Paul of master of ceremonies duties;
    • Alan for his speech;
    • Jill for her exhibition of course paperwork and photographs;
    • Jane for liaising with the alumni office and arranging the university tour; and last but not least
    • Anyone who bought me a drink! 😀

    Final bouquets and brickbats

    First the bouquets. Your ‘umble scribe is indebted to: the staff and management of The Mount Hotel for being so welcoming and accommodating (the food was excellent! Ed.); the Westacres for feeding nineteen of us on Friday evening; the Swan Inn for their splendid draught Banks’s Mild and idiosyncratic urinals; David of the Alumni Office and David of security for the university tour; the weather gods for their lack of wrath; and finally, the good folk of Wolverhampton for filling my ears with the music of the Black Country accent and dialect.

    Brickbats (so no links. Ed.) are awarded to: Cross Country Trains, First Great Western, London Northwestern Railway and Network Rail for making the British Railways Board of yore appear a model of efficiency and punctuality. Other attendees who endured railway hell are invited to add the names of the guilty parties in the comments below.

  • Facebook’s parent company fined €1.2 bn. for GDPR breach

    New logo as Facebook morphs into Meta

    Meta, the parent company of social media platform Facebook, has been fined a record €1.2 bn. by Ireland’s Data Protection Commission (DPC) in relation to breaches of the European Union’s General Data Protection Regulation (GDPR) in respect of user data transfers from the EU to the USA, Irish broadcaster RTE reports.

    The company has been given five months to implement changes to such data transfers.

    The DPC said Meta had infringed the GDPR by continuing to transfer EU user data to the US despite a ruling by the European court of justice requiring strong protection of such information, adding that the data transferred by Facebook under a measure called standard contractual clauses “did not address the risks to the fundamental rights and freedoms of data subjects that were identified by the [European Court of Justice] in its judgment”.

    Meta has said it will appeal the decision, as well as commenting that it was disappointed to have been singled out when using the same legal mechanisms as thousands of other companies providing services in Europe.

    The EU and the USA have agreed a new data transfer framework which is expected to be in place later this year.

    This is the largest ever fine levied in the EU for a privacy breach. The previous record penalty of €746 mn was imposed on Amazon in 2021.

  • Firefox Focus – first impressions

    Your ‘umble scribe is a great fan of the free and open source Firefox web browser and has been using the desktop version since version 0.x many years ago. One of its major attractions has been its emphasis on security and privacy.

    Until recently it was also the default browser on my smartphone, until I discovered Firefox Focus. Firefox Focus is a free and open-source privacy-focused mobile browser based on Firefox which is available for Android and iOS devices. First released in December 2015, it was initially a tracker-blocking application for mobile iOS devices, but was developed into a minimalistic web browser shortly afterwards.

    According to Mozilla, Firefox Focus is a dedicated privacy browser with automatic tracking protection, meaning web pages load faster and your data stays private. It’s also easy to delete history, passwords and cookies, so advertisers and other ne’er-do-wells don’t follow you around online. Just tap the erase button on the search field and all that data is gone. Tracking protection is also very strong. The browser blocks a wide range of common trackers by default, including social trackers and those sticky ones that come from things like Facebook ads.

    After using Firefox Focus for one week, I can say I’m impressed with the way it works. Although it required me to learn how to use tabbed browsing (hint: hold down a link in your search results and a menu appears, offering the option to open the link in a new tab. Ed.), once that was cracked, I was away. As for fast page loading, that’s not disappointing either, even on notoriously slow-loading sites, like that of Bristol City Council, which still seems to be powered by a horse turning a shaft in the basement of the Counts Louse (which some call City Hall. Ed.). 😉

    If you value your privacy and security, I’d recommend Firefox Focus on your mobile device.

  • Sunak and his low-carbon escort

    It’s not unusual for heads of government and state to have their motorcades accompanied by motorcycle escorts, as seen in the example below from 2009 of the then Chinese president Hu Jintao’s visit to Zagreb in Croatia.

    Hu Jintao motorcade Croatia 2009
    Image courtesy of Wikimedia Commons

    On Sunday – the day of the London marathon – a fleet of cars containing the alleged Prime Minister was spotted surrounded by two sets of police officers – one on bicycles and the other on foot.

    Sunak has in recent months been criticised for his disproportionate use of flying, both on private aircraft and on military ones, including one of a mere 25 minutes’ duration.

    The Telegraph has suggested the action was to thwart the attentions of environmental protesters from Extinction Rebellion.

    If that were not the case and Fishy Rishi was making a vain attempt to reduce his carbon footprint, your ‘umble scribe would like to introduce him to a new word to add to his vocabulary: greenwash.

  • French Customs censured for illegal retention of personal data

    French IT news site Le Monde Informatique reports that the French Customs authorities have been sent a formal notice by the CNIL, France’s data privacy regulator, in respect of an illegal data file containing the details of more than 45,000 people, including copies of identity documents and records of criminal offences.

    Businesses are not the only organisations with which the CNIL has found fault for holding illegal files containing personal data. Public sector organisations can also fall foul of the law.

    The French Customs authorities, which come under the control of the Ministry for the Economy, have been caught red-handed following a report in respect of a Customs file used for recording information about vessels and their crews, which is known as SIRENE. Intended to identify all the people checked at sea or in port in order to combat fraud, this system was in fact developed and implemented with no legal basis and not in accordance with the law, according to the CNIL.

    Checks were carried out by Customs’ Channel-North Sea-Atlantic coastguard service and inspections revealed that recourse to this system did not comply with France’s Data Protection Act. This data system actually lists information about the vessels checked and their passengers, including personal information such as marital status, address, occupation and copies of identity documents, as well as criminal convictions (drug trafficking, counterfeiting, off-the-books employment, failure to co-operate, sexual assault, possession of illegal weapons, intentional homicide and murder).

    6 months to comply or be fined

    All told, the details of 45,793 persons – including 392 minors – are included in the SIRENE file. “The creation and use of the SIRENE file are not provided for by any legislation (for example a law or a decree). In addition, the CNIL has not received a request for an opinion concerning its implementation, in violation of the Data Protection Act (articles 87 and 89)”, the CNIL explained. Other grievances have also been lodged against the Ministry for the Economy, such as the failure to send an impact assessment in respect of the protection of personal data, the lack of a clear distinction between the data of the different categories of persons concerned, and the fact that the latter were not made aware that their data had been included.

    Following the CNIL’s formal notice, the Ministry for the Economy and Customs have 6 months to comply otherwise a penalty could be issued.

  • Seriously

    The language used in official responses to news stories seems to have been rigid and formulaic in recent times, particularly amongst those organisations within or linked to the public sector.

    Today’s edition of The Register reports that ACRO, the UK’s Criminal Records Office, was taken offline due to a security breach. The site currently displays a holding page blaming ‘technical issues’, a fine example of misleading bureaucratic language.

    This is the site’s holding page as this post is published.

    Text reads: Thank you for your patience as we work through our technical issues. To obtain an application form for a POLICE CERTIFICATE, send the applicant name and date of birth to: Policecertificateapp@acro.police.uk. To obtain an application form for INTERNATIONAL CHILD PROTECTION CERTIFICATE, send the applicant name and date of birth to: icpcapplication@acro.police.uk. Please do not send an email to the above addresses if you have already submitted a form. Someone will contact you to take payment. For future updates on this matter please see our customer services Twitter account: https://twitter.com/ACRO_Police_CST

    El Reg notes that ACRO manages people’s criminal record information, running checks as needed on individuals for any convictions, cautions, or current prosecutions. It shares this data with British police and businesses, as well as exchanging it with other countries, particularly where people wish to move or emigrate to another country and a certificate of good behaviour is required from the British police. ACRO has access to data from the Police National Computer via an information sharing agreement with the Cabinet Office.

    The data typically handled by ACRO includes name and address history, extended family information, a new foreign address, legal representation, passport information, photo and data PIN cautions, reprimands, arrests, charges or convictions.

    Earlier this week, ACRO emailed users to inform them that it had “recently been made aware of a cyber security incident affecting the website between 17th January 2023 and 21 March 2023”, adding that “we have no conclusive evidence that personal data has been affected by the cyber security incident; however it is only right that we inform you of the situation. We are very sorry that because of your interaction with ACRO your data could have been affected, and we are working tirelessly to resolve this matter.”

    Anonymous generic hacker complete with hoodie

    The message went on to say that “robust measures” had been taken as soon as the breach was discovered. It won’t be the first time that pulling the plug on a website has been described by a public sector organisation spokesperson as “robust”. If your systems were truly “robust”, taking the site offline would not have been necessary.

    After intoning the “robust” mantra, ACRO then goes on to say: “We take data security very seriously and will ensure that the matter is fully investigated…”. Translating this into plain English, this means “Oh dear! We’ve been caught out!”

    The fact that ACRO had not taken data security “very seriously” is clearly highlighted by two facts:

    • Firstly, ACRO did not notice crooks were gaining access to its computer systems for more than two months; and
    • Secondly, it has now freely admitted that it is going to take steps to find out how the breach happened and prevent its recurrence. A clear case of that old adage of shutting the stable door after the horse has bolted.

    The public sector relies heavily on public trust to do its work. If it really does want to be taken seriously, tough measures need to be taken and implemented, not just for IT security, but in connection with a very ancient and fundamental idea: that of honesty.

  • Czech government using open source web analytics

    Joinup, the EU’s open source news site, reports that the Czech Republic is to begin using the Matomo open source web analytics tool on the Czech citizen portal and gov.cz websites, where it will replace Google Analytics.

    This change will ensure that the data collected by the sites will stay within the EU and, as the Czech administration will be using its own instance of Matomo, it will retain full control of the records.

    The change was triggered by an open letter sent by the Czech digital freedom watchdog Iuridicum Remedium after it noticed the Czech state vaccination system website was using Google Analytics during the COVID-19 crisis. The Czech Data Protection Authority and public sector strategic partner NAKIT then pursued the matter and replaced Google Analytics with Matomo on Czechia’s Ministry of Health website. This move later led to further action and the country will continue following this trend on public sector websites.

    Previously named Piwik, Matomo has been in development since 2007 and is presently deployed on 1.4 million websites, including those of NASA, the European Commission, the United Nations and Amnesty International.

    The Czech decision to choose Matomo follows those of other European countries seeking to keep control of their citizens’ data. Last year the French and Austrian data protection authorities determined that Google Analytics was not compliant with EU data privacy standards, in particular because Google’s data transfers to the United States are contrary to the EU’s General Data Protection Regulation (GDPR).

  • LibreOffice & Nextcloud for EU Institutions

    EU data protection authorities have negotiated a contract for the use of Nextcloud and LibreOffice Online in EU institutions. They are now testing the solutions, German IT news site heise reports.

    Data protection-friendly alternatives

    It was announced last Wednesday that the European Data Protection Supervisor Wojciech Wiewiórowski and his team have begun testing both solutions this month. In coming months they want to examine “how these tools can support EU day-to-day work”. This pilot phase is part of a larger IT reflection process that the EDPS already started last year, aimed at encouraging EUIs to consider alternatives to large-scale service providers to ensure better compliance with Regulation (EU) 2018/1725.

    By procuring the Open Source Software from one single entity in the EU, the use of sub-processors is avoided. In doing so, the EDPS avoids data transfers to non-EU countries such as the USA and allows for more effective control over the processing of personal data.

    According to Mr Wiewiórowski, “Open Source Software offers data protection-friendly alternatives to commonly used large-scale cloud service providers that often imply the transfer of individuals’ personal data to non-EU countries. Solutions like this may therefore minimise reliance on monopoly providers and detrimental vendor lock-in. By negotiating a contract with an EU-based provider of cloud services, the EDPS is delivering on its commitments, as set out in its 2020-2024 Strategy, to support EUIs in leading by example to safeguard digital rights and process data responsibly“.

    Microsoft Office in the sights

    Mr Wiewiórowski has already examined the contracts which EU institutions have with Microsoft and reached the conclusion in 2020 that the data processing purposes when using Windows or Microsoft Office had been defined far too openly. Processing contractors were not adequately audited and data could be transferred too easily by EU institutions to countries outside the Union. At the time, he demanded that Microsoft should only retain user information within the EU. The roles of all those involved, with all their rights and obligations, must be clearly regulated. Furthermore, users should look around for alternatives that “enable higher data protection standards”.

    The EDPS started further investigations into the use of Microsoft and Amazon cloud services by EU institutions. These entailed the use of Microsoft Office 365 by the EU Commission. According to Wiewiórowski, many contracts were concluded prior to the “Schrems II Judgment” and had to be examined in the light of the European Court of Justice case law.

  • Germany – photographing illegal parking is lawful

    German newspaper Die Welt (https://www.welt.de/regionales/bayern/article241937155/Urteil-Buerger-duerfen-Falschparker-fuer-Anzeige-fotografieren.html) states that it’s so obvious: people wanting to report an illegal parker just pull out their smartphone and then send the picture to the police. However, two men in Bavaria had trouble with the state’s data protection authorities. A court has now decided who acted correctly.

    A Ferrari parked on the footway being booked in Munich.
    Image courtesy of Wikimedia Commons

    Anyone who sends photos of illegal parkers as part of a report to the police does not normally violate data protection legislation. This emerged on Thursday from two landmark rulings published by the Ansbach Administrative Court. With these the court agreed with two men who corroborated their reports of parking infringements on footways and cycleways with photos. For this they received a warning and a fine of €100 each from the Bavarian State Data Protection Office (LDA). Both objected and went to court with the support of Deutsche Umwelthilfe e.V. (DUH).

    The administrative court combined the two procedures in a joint hearing because of the identical questions and ultimately ruled that the procedure involved lawful data processing. However, the actual statement of grounds is not yet available. The verdicts are of fundamental significance from the legal point of view, but are still not absolute.

    The DUH, which supported one of the two plaintiffs in a test case, welcomed the verdict. “Illegal parking is no trivial offence, but endangers people who are travelling by bike, wheeled walking frame, wheelchair or pram”, commented Jürgen Resch, its Federal director. “The authorities should not take action against civil society commitment, but rather take consistent measures against blocked footpaths and cycle paths, illegal parking in front of dropped kerbs or at junctions; and do so not just in Bavaria, but nationwide.”

    The crux of the proceedings was the question of whether digital transmission of the photos constituted lawful data processing within the meaning of the General Data Protection Regulation since there must be a legitimate interest in forwarding the image files. On the other hand, data transmission and processing must be necessary.

    Accordingly, the parties to the proceedings before the court argued about whether the plaintiffs had to be personally affected by the parking violations and whether a written or telephone description of the facts including the vehicle registration number, was not sufficient. In addition, the LDA pointed out that other data such as other cars with registration plates and people can often be seen in the pictures. In reply, the plaintiffs stressed that the police had asked them to document the parking situation as accurately as possible with photos as evidence.

    The LDA stated that once the judgment’s statement of grounds was available, it would examine whether the decision was an individual case or whether a reassessment of the use of photos in public places that was critical for data protection had been initiated. In addition, it wants to agree clear and uniform guidelines with the police regarding which information is required when reporting illegal parking and which communication channel should be used.

  • Chrome’s incognito mode is anything but – allegedly

    Google Chrome is a cross-platform web browser first introduced in 2008. Based largely on the open source Chromium browser, perhaps the best description for it is proprietary freeware.

    French IT news website Le Monde Informatique reports that a federal judge in California is examining complaints against Google alleging that the company is tricking users into believing that their private life is protected when using the browser’s incognito mode. The lawsuit, which was initiated before the North California District Court more than 2 years ago by 5 users, is now awaiting a more recent petition from these plaintiffs in a class action. One of the complaints concerns Chrome users with a Google account who accessed a non-Google website containing Google tracking or advertising code and who were browsing in incognito mode; a second covers all users of Safari, Edge and Internet Explorer with a Google account who accessed a non-Google website containing Google tracking or advertising code in private browsing mode. According to legal documents first disclosed by Bloomberg, Google employees joked about the browser’s incognito mode and the fact that it was not really private. They also took the company to task for not having done more to provide users with the privacy they thought they were enjoying.

    Judge Yvonne Gonzalez Rogers, who presides over the United States District Court for the Northern District of California, will decide whether the tens of thousands of users of Chrome’s incognito mode can be grouped together to seek statutory damages of $100 to $1,000 per violation, which could potentially increase the fine to over $5 bn. The definition of the word incognito is to disguise or conceal one’s identity. The confidentiality settings of web browsers are intended to delete local traces of sites visited by a user, as well as web searches and information provided when filling in online forms. Simply put, private modes such as incognito are not supposed to track and record data from web searches and sites visited by users. Google is also facing proceedings linked to user confidentiality from the justice ministers and public prosecutors of several federal states including Texas, the District of Columbia and Washington. Earlier this month Google settled a lawsuit filed by the attorney general of Arizona for $85 mn. Initially filed in June 2020, the class action was asking for at least $5 bn., accusing Google of surreptitiously collecting data on what people were viewing online and where they were browsing despite using private browsing mode. Lawyers for the plaintiffs say they have a large number of internal Google emails proving that managers have known for years that private browsing mode does not do what it claims. When a user chooses to use this incognito mode, Google’s browser is supposed to delete browsing history and cookies automatically at the end of a session.

    Data sold for advertising purposes in auctions

    The plaintiffs, who are Google Account holders, alleged that the search engine collected their data, distributed it and sold it for targeted advertising through a real-time bidding (RTB) auction system. The plaintiffs allege that even in incognito mode, Google can see what sites Chrome users are visiting and collect data by means which include Analytics, digital fingerprinting techniques, concurrent applications and processes on a user’s device and AdManager. The latter is a Google service enabling businesses to distribute and create web, mobile and video advertising reports for a company.

    According to one report, more than 70% of all websites use one or more of Google’s services. More specifically, the plaintiffs allege that every time a user with private browsing mode active visits a website running Analytics or AdManager, the search giant’s software scripts on the site surreptitiously order the user’s browser to send a secret separate message to its servers in California. “Google learns exactly what content the user’s browser software was asking the website to display, and it also passes a header containing the URL information of what the user viewed and requested online. Device IP address, geolocation data and user ID are all tracked and logged by Google”, according to one report in the lawsuit. “Once collected, this mountain of data is analyzed to build digital records on millions of consumers, in some cases identifying us by name, gender, age, and medical conditions and political issues we researched online”, the lawsuit claims.

    Truly private browsing results in loss of revenue

    In March 2021, a California judge denied 82 motions by Google’s attorneys to end the lawsuit and ruled against the company, allowing it to proceed. In July that year the company was sentenced to pay almost one million dollars in legal fees and expenses as a penalty for not having disclosed evidence concerning the lawsuit in a timely manner.

    This week a spokesperson for Google told the Washington Post it had been frank with users about what its incognito mode offers in terms of privacy and that the plaintiffs “deliberately misrepresented our statements”. Jack Gold, senior analyst at J. Gold Associates, said the company makes the majority of its revenue by tracking everyone and selling ad space. “If they’re really creating a completely private browsing experience, then the revenue stream is gone,” he said. “So, I suspect there is a ‘balancing act’ going on internally as to where the borders are around privacy vs. tracking. No company builds a free browser without being able to generate revenues somehow”. The plaintiffs in the case said they chose “private browsing mode” to prevent others from learning what they’re viewing on the internet. When it comes to using Google Chrome and other browsers, “let the user beware,” Gold said. “You have to trust the maker to take care of your privacy, but it’s not always in their best interest to do so”.