UK has one CCTV camera per fourteen citizens according to a research paper released in 2002 and in the harsh financial climate now facing the world the local councils in Britain has started slashing the funding used to actually monitor the cameras.

From Daily Mail (via Schneier):

“Once, Britain was the most watched nation in the world, with more than 4 million CCTV cameras monitoring our every move.

But now in these difficult economic times, it seems that Big Brother isn’t actually watching, in fact no one is.

As cash-strapped police forces and councils around the UK are forced to tighten their belts in the recession, CCTV cameras around town centres are being left unmanned as they can’t afford to pay anyone to watch out for crime as it happens.

Instead, entire networks of surveillance cameras are being effectively put on auto-pilot, with police reviewing tapes only after a reported incident.”

Does it take a recession to make people realize that an annual expense of ~£50 million on CCTV is excessive? That it never was useful? That the cost is too high in relation to what you might gain (if any)? This just verifies that the presented image of CCTV as a tool for crime prevention is false.

An another citation from the same article as above:

While in Dorset, police resorted to advertising for unpaid civilian volunteers to monitor CCTV footage after claiming that it was not cost effective to pay trained professionals.

In June Dorset Police appealed for members of the public to watch live images from street security cameras in Wimborne, Blandford, Shaftesbury and Gillingham to help spot crimes and anti-social behaviour.

Civilian volunteers? Spot “anti-social behaviour”? Since when does an untrained civilian make an educated decision on when someone is acting anti-social? That’s like asking for false positives… deluxe version…

Read the full article…

My guess is that the United Kingdom is not that very far from that point and now would be the time to stand up against the madness going on on their island. Caught this little poster via BoingBoing (with creds to Shardcore):

*shrug*

I mean please. This single statement is an outright lie as it has been broken several times. They might provide a marginal level of increased security around the specific streets where they are, but in some cases just move the crimes to other streets in the vicinity. Not even this has been fully established though. Even Scotland Yard says CCTV monitoring do not prevent crime for crying out loud!

It feels like they’re trying to say it like a Japanese manga character or something, like “More CCTV!!! *big eyes* Means More Security For You!!!! *freakishly large smile* *happy* *happy*”… Maybe it’s just in my brain

Another thing I react to as a person working with security is that there can’t be a sound risk assessment in the bottom of the decisions to put up more camera’s and set up more monitoring stations. The risk of a crime does not motivate the cost of the “protection” so to speak. This is something that Bruce Schneier mentions in his article from which I stole all the links above.

Anyways, I think that the UK is setting a bad example for Europe and the risk for the rest of the countries in the region is that our governments point at them saying “It works over there!” even though it doesn’t and then we’re back were we are with the FRA-law, EU IPRED1 and the EU Data Retention.

Apparently the suggested surveillance and “corporate police” laws weren’t enough for Sony.

From TheLocal.se:

“Sony Pictures in Sweden has employed methods worthy of James Bond in an attempt to protect against the pirating of Quantum of Solace.

The film company is using special night vision goggles to keep an eye on moviegoers attending showings of the latest Bond film at 149 cinemas around Sweden, reports entertainment news agency TT-Spektra.”

Oh – my – god. That’s the words that best describes my immediate reaction.

If I were to be informed that someone would be lokoing at me with night vision goggles while I was enjoying a movie I had paid good money to see, I would probably sue them. Possibly just file a complaint with the police as that easily qualifies as harrasment (or is it OK to look at Sony employees in the dark with night vision goggles?).

Sick.

More here, here, here and here.

Apparently the swedish interpretion of IPRED1 has got the “Go ahead” from Lagrådet (those that check that everything is compatible with other legislation etc.).

Next step is that the Government gives the law to the parliament for voting. And if they vote yes, well, then we have the harshest IPRED1 implementation cemented in law here in Sweden.

So? One might ask. Well, the biggest problem is that we are giving private, commercially motivated organizations more power than our regular police. Second, we’ll be stepping into a world of hurt as all previous implementations have made those countries hellish.

In Denmark, for example, the citizens has been harassed and there has been one suicide because of the extortion attempts by these organizations. Seems harsh but I got the facts to back it up (sorry, just Swedish and Danish, try the translator.).

Anyways, I hope that our politicians see the absurd legislative situation as it is and do not grant anyone except our police the rights needed to fight real, commercially motived, piracy.

But as usual, we’ll see what happens…

The second day of Internetdagarna (22/10-08) was spent in the Security track as well, except for the last seminar where I switched to the society track.

The first seminar was “Pålitlig e-post / Anti-spam” which translates to “Reliable e-mail / Anti-spam”. The moderator for this seminar was Jörgen Eriksson from .SE.

First speaker out was Amar Andersson from TeliaSonera and he spoke about “Spam-protection that undermine their own goals”. I can honestly say that I did not follow this good enough as I was very tired this first seminar and I kind of regret it now. However, the main problem presented by him was the lack of coordination and standards in anti-spam prevention methods. He mentioned blacklisting in general and the DUL-blacklist in particular, hostname “naming” (reverse lookups which results in a name conatining either “static” or “dynamic”) and how to make sure your e-mails got delivered in this day and age where the requirements for delivery can vary quite much from server to server (correct HELO/EHLO messages, correct reverse lookups, SPF and other DNS related issues).

Next speaker up was Bengt Carlsson from Blekinge Tekniska Högskola that just announced a new project between .SE and BTH. The project name was “säker e-post hantering bland illsinnad programvara” which translates to “Secure e-mail management amongst bad software”.

After this Rickard Bondesson from Linköpings Universitet took the stage to present his research on DKIM, DKIM-milter and DNSSEC implementations. This was a quite long and very informative presentation which stepped through his research in a comprehensive way under the following bullets; Forged e-mail, Prevention of forged e-mail, DKIM, Reliability within DNS, Implementation, Tests, Statistics, Experiences.

After this there was a small moderated panel debate on the topic of Reliable e-mail.

The next seminar was “Parasitekonomin på Internet” which (roughly) translates to “The parasitic economy on the internet”. Stefan Görling from KTH moderated and had one presentation, and the other speakers were two representatives from Lavasoft (you know, the guys behind Ad-Aware) and Martin Boldt (IT-security researcher from BTH).

Görling started out by picking at affiliate systems and the easy of exploiting these services for profit and he worked out from a site that supposedly uses this format in a legit way. He did not go into the malware point-of-view very much but he touched the subject when talking about “mis-spelled domain names default pages” which contain only affiliate links.

The guys (they were two) from Lavasoft then held their presentation which more or less detailed the different types of spyware they had included during the year, and also gave a strange remark saying the TeliaSonera was gaining money from the malware circulating on the internet (as they’re an ISP, they supposedly make profit when having their bandwidth used… hrrm…). This little remark came back to bite them in the ass when a (quite upset) TeliaSonera security employee demanded that they would take that statement back during the Q & A at the end of the session.

Following this Martin Boldt from BTH that discussed reputation systems and automatic EULA analysis. He had researched these areas and they were at this moment involved in creating web browser plugins and applications to enable users to share their thoughts and score on specific applications (binary files). See their project website at www.softwareputation.com for more information. He also noted that this project is still in Alpha stage. The ideas they’re having kind of looks like Panda Security’s Collective Intelligence, except it is user generated not automatic.

When it came to EULA analyzing they’ve taken a harder route than SpywareGuide’s EULA analyzer and they used many different bayesian and similar algorithms in order to define if an EULA is “good” or “bad” with a high level of success. Ideas for the future was to make this automatically integrated into system so that any EULA boxes could be automatically read and scored.

After this there was a Q&A session and Lavasoft’s statements was quite heavily scrutinized both by the TeliaSonera employee and Netnod‘s CEO Kurt-Erik Lindqvist (I think it was him but I only heard the voice, so don’t quote me on this). It seems like Lavasoft’s statement was just illustrating and that they based their assumptions on an US ISP that had misbehaved and in some ways had profited on bad software.

Here I switched room and joined the “Infrastructure and society”-line of seminars. The one I was interested in was “Integritet och övervakning” which translates to “Integrity and surveillance”.

This seminar was moderated by Johan Hallsenius (editor for Computer Sweden) and the debate panel was only populated by pro-Integrity people as none of the invited politicians and FRA-people had turned up even though they were invited. The panel members was Oscar Swartz (debater, writer and blogger), Patrik Fältström (Cisco), Fredrik von Essen (Swedish IT and Telecom Industries) and Daniel Westman (Juridicum, Stockholms University)

The focus of the debate was of course the FRA-law but also dangerous EU-directives and other laws that affect impede personal integrity. It was an interesting debate, but as “the other side” was missing no hard questions could be discussed. I talked briefly to Oscar Swartz before the seminar and he described it as a “non-debate”, as there was only one point of view from all participants (with small diversions). He wrote a post on “Internetdagarna” on his blog in which he breifly mentions this debate.

It was also to hear what Fredrik von Essen from the Swedish IT and Telecom Industries had to say on this issue.

Unfortunately I had to leave before the Q&A session that followed, so I’m looking forward to the sound recording that are to be released here.

Some pictures from this day:

Integrity debate:


Martin Boldt (from BTH):

Power without oversight equals abuse!

From The NY Times – “Panel to Study Military Eavesdropping” (4-page article):

WASHINGTON — The chairman of the Senate Intelligence Committee, Senator John D. Rockefeller IV, said Thursday that the committee would investigate claims by two military eavesdroppers that they routinely listened in on private calls home from American military officers, aid workers and journalists stationed in Iraq.

Former intelligence officers were interviewed by ABC News and by James Bamford, above, who has written a book about the National Security Agency due to be published next week.

Mr. Rockefeller, Democrat of West Virginia, called the accusations “extremely disturbing.”

“Any time there is an allegation regarding abuse of the privacy and civil liberties of Americans it is a very serious matter,” he said.

More references:
ABC News – Exclusive: Inside Account of U.S. Eavesdropping on Americans
UPI.com – Spy agency accused of improper listening
Reuters.com – U.S. probes claims officials eavesdropped on calls

Apparently the US’s multi-billion surveillance system is used to wiretap personal calls, and joking around about them. Will our system be used in the same way? For sure, power without oversight equals abuse. This is worth repeating.

Found this news first on Bruce Schneier‘s blog.

Well, just don’t add them.

A-R-G-H-H-H.

Swartz used this as an illustration. It’s right on.

The situation is now like this;

The parliament has voted on the Telecoms package. As familiar, amendment 166 was voted into the package and thus providing european citizens with protection against arbitrary disconnection from the internet and privacy.

So far all good and here’s the voting results from EU-parliament so you can read for yourselves.

Now the matter moved on to the “WORKING PARTY ON TELECOMMUNICATIONS AND INFORMATION SOCIETY” whose job is to prepare the package for either a second hearing, or if everyone are still agreeing, for the ministers for OK’ing.

HOWEVER (always seem to be a however in my posts), what they are now doing is more or less editing away the amendments that were added and making it as they (the french, primarily) want it. Yep, that’s right, they are actually editing the democratic decision by the parliament to fit the lobbying organizations needs. A leaked document shows us this progress and the evidently left out “Article 32a” which would be the one containing amendment 166′s content.

We now need to make some noise! But not just the (crazy?) swedes, everyone! If you are from another European country please send e-mails to your MEP’s and/or call them and ask them to follow-up on and verify that their democratically voted decisions stands firm! Remind them that if this can be changed, so can their own main issues and that this should not go unnoticed through a democratic system!

I’m getting seriously tired of writing about politicians and others tricking and removing citizens rights.

Can’t any of them please break the trend so I can write something nice?

Others writing (mostly in Swedish, use the translator): Oscar Swartz, Opassande, Josef, scaber_nestor, farmorgun, Frihet-Fildelning&Feminism, satmaran, Jens. O, HAX.

Others posting this image to raise awareness of DRM-dangers (in Swedish) are Opassande, Dennis, Daniel. Probably a lot of others as well but these were the ones conveniently linked from Emma (Opassande) and I’m lazy today

And another comment in english on the suggested swedish IPRED1 implementation from paf (also posted the XKCD image).

Cheers,

Even though it doesn’t need to be… Here we go again… Not really sure I’ve got the energy for this lunacy…

First off, what’s the IPRED1 directive?

Intellectual Property Rights Enforcement Directive 1 (IPRED1) is a directive created by lobbyists and pushed through the EU by a woman married to a record company executive. The gist of the directive is to enable rightsholders to force counterfeiting middle-men to tell where they got the goods from. So in the beginning this was but this was about physical counterfeiting. Along the way it got a bit manhandled by the IP-lobbyists and record companies and finally was voted through in the form of a law that would allow private companies to demand ISPs to hand over their client data for a specific client, so that the rightsholder could sue.

However,

The EU IPRED1 directive is not forced upon any member state in the European Union as ruled by the European Court of Justice (source EFF). From the article:

In a much-anticipated decision, the European Court of Justice ruled yesterday that European Community law does not require EU Member States to impose an obligation on ISPs to divulge customer data in response to a request from a copyright holder who alleges that copyright infringement has taken place. The decision in Promusicae v. Telefonica involved a request made by a Spanish music rightsholder association (Promusicae) to Spain’s leading ISP (Telefonica) for personal data about Telefonica subscribers using particular dynamic IP addresses, which Promusicae alleged were engaged in filesharing.

The European Court of Justice was asked to interpret a mesh of overlapping EU Community laws and answer the question: does European community law require EU Member States that are implementing this suite of EU directives to impose an obligation on ISPs to divulge their customers’ personal data to rightsholders in a civil copyright lawsuit? The court ruled no, but with some qualifications. Thus, the Spanish law is valid and Telefonica will not be forced to divulge its customers’ data.

And what does the Swedish government, with the help of record company lobbyists do now?

They go ahead and suggest a Swedish implementation and law which would grant MORE power to the IP-holders, effectively creating a corporate police which can, without any real evidence, get the identity of the person owning a specific IP-adress.

The law that is now proposed actually grants these commercial interests more power than the Swedish police.

Actually, it is so over-implemented so it actually breaches the directive’s own regulations which states:

3. Paragraphs 1 and 2 shall apply without prejudice to other statutory provisions which:
(a) grant the rightholder rights to receive fuller information;
(b) govern the use in civil or criminal proceedings of the information communicated pursuant to
this Article;
(c) govern responsibility for misuse of the right of information; or
(d) afford an opportunity for refusing to provide information which would force the person
referred to in paragraph 1 to admit to his own participation or that of his close relatives in an
infringement of an intellectual property right; or
(e) govern the protection of confidentiality of information sources or the processing of personal
data.

I mean come on.. If I, an uneducated IT-nerd with a taste for bodybuilding can find, read, and understand this, then why can’t the people preparing our laws do the same?

So, the question remains;

WTF?

Yep. That’s really the question. What the f*ck?

This, if voted through in parliament, will create a situation like the one in the US where companies threaten with lawsuits that no one can afford to challenge, effectively forcing you to pay up even though you haven’t done anything wrong.

Next question is the use of IP-addresses as evidence. What value does an IP-address have in Sweden today where most ISPs ship unsecured wireless APs as the default router? Not much.

This also presents more questions, like “If downloading torrents in an internet café, is the café liable?” and “What are your rights if a neighbour uses your WLAN, willingly or without knowing it, and downloads pirated material? Are you liable?”.

And again, why does this law grant commercial interests powers that now even our police have? Where’s the logic? It’s so glaringly see-through, ordered and paid for, lobbyist crap that has been suggested as a law.

As I wrote in some of the first FRA-posts… Where will this end?

Other writing about this in Swedish (plz use Google translate): Rick Falkvinge (PP), Opassande, HAX, El Rubio.

And here’s the whole crapfest that our swedish, newly suggested, law claims to be born out of.