@NCSC Hey Mat; your categorisation has issues at the very first hurdle - understandable considering that it comes from a perspective of attribution. In the private sector it's rarely about how godlike the attackers are, it's about how long they persist before, or if, they get bored.
@NCSC It's a concrete example of the old joke about "I don't have to outrun the bear, I just have to outrun you" - the private sector is not and should not be collectively responsible for each other's security. As such we strive amongst ourselves to be sufficiently secure for our own needs.
@NCSC Of course one of the benefits of an "elitism-based approach" to qualifying hacking risk is that it cements GCHQ's role as arbiter of how bad threats are; NCSC becomes a bit like the IOC, vetting the state of the hacker "athletic" field...
Clearly @schneierblog has forgotten ITAR, let alone the moves against PGP in the early 90s, HTTPS in the late 90s, Java crypto in the early 2000s, wire-speed crypto in the late 2000s, & E2E more recently. Sorry Bruce, you're wrong. nytimes.com/2018/10/11/opi…
The usual excuse at this juncture is "No, not _that_ regulation, of course; that was bad regulation, but this would be _good_ regulation"; regrettably there's a scope-creep associated with all regulation, and it rarely pans out that way.
Of course if you want to live in a world where not merely do you have to dismiss value-free "we collect cookies" popups to browse a site, but also where you have to individually check out software extensions if you want to do so securely, then go ahead and invite regulation:
If you want to know my opinion of how @timberners_lee's #Solid will impact "tech giants", watch this video (actually, x3) from 2010; the bullet points are:
- facebook killers, aren't
- there's plenty of room for alternatives
- first it must grow
The media loves zero-sum, david/goliath stories, and thereby often causes doom ("ello") & even tragically suicidal levels of stress ("diaspora*") to people who are foolish enough to pitch themselves/their platforms as the antithesis of "social media giantism"; so do please beware.
<pops open bonnet of car>
Mark: "There you go, there's the engine. 4 cylinder petrol engine" @CommonsCMS: "Where are the horses?"
CMS: "We heard it's a 100 Horsepower engine."
Mark: "That's just a metaphor…?"
.@CommonsCMS: "No, we know there are horses. That engine is a black box. You're not being transparent about where the horses are."
Mark: "But that's not how cars really work…"
CMS: "Everyone knows that cars are driven by horsepower. We want to see the horses." #algorithms
Author's Note: this may sound like whimsy, but it's only a few years since I had the following conversation with a member of a London-based "civil society" campaigning organisation:
While we're on the topic of scale: every so often I have the misfortune of having to listen to some politician or former civil servant* demanding that people "NEED TO LEARN THE VALUE OF THEIR PERSONAL DATA, GODDAMNIT!".
This one can be quite quick:
- About 2 Billion users
- Annual revenue 2017: $40.653 Billion
Regards #Article13, I wrote up a little command-line false-positive emulator; it tests 10 million events with a test (for copyrighted material, abusive material, whatever) that is 99.5% accurate, with a rate of 1-in-10,000 items actually being bad.
For that scenario - all of whose inputs are tuneable - you can see that we'd typically be making about 50,000 people very upset, by miscategorising them as copyright thieves or perpetrators of abuse:
But let's vary the stats: @neilturkewitz is pushing a 2017 post by very respected fellow geek and expert @paulvixie in which Paul speaks encouragingly about a 1-to-2% error rate; let's split the difference, use 1.5% errors, i.e. 98.5% accuracy: circleid.com/posts/20170420…
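The base-rate arithmetic behind both scenarios above (99.5% accuracy, then 98.5%), as an added example; this is not the author's own command-line emulator. It assumes a "99.5% accurate" test has the same 0.5% error rate on innocent items as on bad ones, and that the 1-in-10,000 figure is the fraction of items that are genuinely bad. Every input is a parameter, and the closed-form calculation is paired with a seeded Monte Carlo run so the two can be compared.

```python
"""False-positive emulator for a content filter (added example, not the
original tool). Assumes symmetric accuracy: the same error rate on good
and bad items."""
import random


def expected_outcomes(n_events, accuracy, base_rate):
    """Closed-form expected counts; no randomness, so it runs instantly."""
    bad = n_events * base_rate
    good = n_events - bad
    error = 1.0 - accuracy
    tp = bad * accuracy     # bad items correctly flagged
    fn = bad * error        # bad items missed
    fp = good * error       # innocent items wrongly flagged
    tn = good * accuracy    # innocent items left alone
    return {
        "true_positives": tp,
        "false_negatives": fn,
        "false_positives": fp,
        "true_negatives": tn,
        # Of everything the filter flags, what fraction is actually bad?
        "precision": tp / (tp + fp) if (tp + fp) else 0.0,
    }


def simulate(n_events, accuracy, base_rate, seed=0):
    """Monte Carlo version: draw each event and each classifier decision."""
    rng = random.Random(seed)
    counts = {"true_positives": 0, "false_negatives": 0,
              "false_positives": 0, "true_negatives": 0}
    for _ in range(n_events):
        is_bad = rng.random() < base_rate
        correct = rng.random() < accuracy
        flagged = is_bad if correct else not is_bad
        if is_bad and flagged:
            counts["true_positives"] += 1
        elif is_bad:
            counts["false_negatives"] += 1
        elif flagged:
            counts["false_positives"] += 1
        else:
            counts["true_negatives"] += 1
    flagged_total = counts["true_positives"] + counts["false_positives"]
    counts["precision"] = (counts["true_positives"] / flagged_total
                           if flagged_total else 0.0)
    return counts


def report(n_events, accuracy, base_rate):
    r = expected_outcomes(n_events, accuracy, base_rate)
    print(f"{n_events:,} events, accuracy {accuracy:.1%}, "
          f"base rate 1 in {round(1 / base_rate):,}")
    print(f"  innocent users wrongly flagged: {r['false_positives']:,.0f}")
    print(f"  bad items caught:               {r['true_positives']:,.0f}")
    print(f"  bad items missed:               {r['false_negatives']:,.0f}")
    print(f"  share of flags that are right:  {r['precision']:.1%}")


if __name__ == "__main__":
    import argparse
    ap = argparse.ArgumentParser()
    ap.add_argument("--events", type=int, default=10_000_000)
    ap.add_argument("--accuracy", type=float, default=0.995)
    ap.add_argument("--bad-rate", type=float, default=1 / 10_000)
    ap.add_argument("--simulate", action="store_true",
                    help="also run the (slower) Monte Carlo simulation")
    a = ap.parse_args()
    report(a.events, a.accuracy, a.bad_rate)
    report(a.events, 0.985, a.bad_rate)   # the 1.5% error-rate scenario
    if a.simulate:
        print(simulate(a.events, a.accuracy, a.bad_rate, seed=1))
```

With the defaults this gives roughly 49,995 innocent users flagged against 995 bad items caught at 99.5% accuracy, and roughly 149,985 against 985 at 98.5%; in both cases fewer than one in fifty of the people the filter flags actually did anything wrong, which is the precision figure the last line of the report prints.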
Today is a challenge - on and off for the next 12 hours, now that the GDPR dust is settling, I am going to try and Tweet about nothing but the #EUCopyrightDirective - BECAUSE, YE GODS, YOU NEED TO KNOW ABOUT THIS:
If you would like an authoritative voice regards why YOU need to act to get the EU to #DeleteArt13 - to avoid the Internet and Web being swamped with a "Link Tax", here is the perspective of German Euro-MP, Julia Reda: juliareda.eu/2018/05/censor…
Quote: «We have recently upgraded our link security infrastructure to include HSTS preloading, which automatically upgrades HTTP links to HTTPS for eligible websites. This will improve people's security and will also often improve the speed of navigation to sites from Facebook.»
It would be an interesting academic exercise to cross-reference this mechanism against the crowdsourced (and slightly hairy/flaky) HTTPS-Everywhere list from the likes of @EFF :-
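What an HSTS-preload-driven link upgrader of the kind quoted above has to do, as an added example; this is not Facebook's code, and the preload entries are constructed for the demo rather than taken from the real Chromium preload list. It also includes the eligibility check a site must pass to get onto that list (a max-age of at least one year, includeSubDomains, and the preload directive), since that is what decides whether a given http:// link is upgradeable at all.

```python
"""HSTS preload eligibility check and http->https link upgrader
(added example; preload entries below are made up for the demo)."""
from urllib.parse import urlsplit, urlunsplit

# Constructed sample of preload entries: host -> includeSubDomains flag.
PRELOADED = {
    "example.com": True,        # covers example.com and every subdomain
    "mail.example.net": False,  # covers exactly this host
}

ONE_YEAR = 31_536_000  # hstspreload.org requires max-age of at least a year


def parse_hsts(header):
    """Parse a Strict-Transport-Security header value into a dict.
    Valueless directives (includeSubDomains, preload) map to True."""
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = (
            value.strip().strip('"') if value else True)
    return directives


def preload_eligible(header):
    """Does the header meet the preload-list submission requirements?"""
    d = parse_hsts(header)
    try:
        max_age = int(d.get("max-age", 0))
    except (TypeError, ValueError):
        return False
    return (max_age >= ONE_YEAR
            and d.get("includesubdomains") is True
            and d.get("preload") is True)


def is_preloaded(host):
    """Walk from the full host up through its parents; a parent entry
    only counts if it was preloaded with includeSubDomains."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in PRELOADED:
            return i == 0 or PRELOADED[candidate]
    return False


def upgrade_link(url):
    """Rewrite http:// to https:// for preloaded hosts, as an outbound
    link rewriter would. An explicit :80 is dropped (becoming the https
    default); any other explicit port is preserved, as HSTS does."""
    p = urlsplit(url)
    if p.scheme != "http" or not p.hostname or not is_preloaded(p.hostname):
        return url
    netloc = p.netloc
    if p.port == 80:
        netloc = netloc.rsplit(":", 1)[0]
    return urlunsplit(("https", netloc, p.path, p.query, p.fragment))


if __name__ == "__main__":
    print(preload_eligible("max-age=31536000; includeSubDomains; preload"))
    for link in ("http://www.example.com/p?q=1", "http://sub.mail.example.net/",
                 "http://example.com:80/", "http://example.org/"):
        print(link, "->", upgrade_link(link))
```

The subdomain walk is the part worth noticing: a preload entry without includeSubDomains protects only the exact host, so sub.mail.example.net stays on http even though mail.example.net is preloaded. That is also where a crowdsourced ruleset such as HTTPS Everywhere and the preload list would most often disagree.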
The piece runs thusly (via Google Translate) - and it conflates the abuse-reporting mechanism with the "Franking" mechanism that "Secret Conversations" uses, and which (a) @matthew_d_green helped design and (b) is fully documented.
The Franking mechanism is designed to support abuse-reporting: if Alice receives abusive material (eg: unwanted dick-pics) then she may want to report them to Facebook... but (given the nature of E2E) how can we trust Alice not to make a bogus report to incriminate Bob?
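A simplified model of the franking idea described above, as an added example: it is not Facebook's code and not the exact published construction, just the mechanism in miniature. The sender commits to the plaintext with an HMAC under a fresh random key; the provider, which never sees plaintext or key, MACs that commitment together with sender/recipient/time context under its own secret; when Alice reports, she reveals plaintext and key, and the provider can recompute both MACs. The context fields and key sizes are this example's assumptions, and the end-to-end encryption layer is modelled away (plaintext and nonce would in reality travel inside the encrypted payload).

```python
"""Message-franking model for abuse reports over E2E messaging
(added example; simplified, not Facebook's implementation)."""
import hashlib
import hmac
import json
import os
import time


def mac_sha256(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


class Provider:
    """The messaging service. It only ever sees commitments, never plaintext."""

    def __init__(self):
        self.franking_key = os.urandom(32)   # provider-side secret (assumed size)

    def frank(self, sender, recipient, commitment):
        # Bind the commitment to who sent it, to whom, and when.
        ctx = json.dumps({"from": sender, "to": recipient,
                          "ts": int(time.time())}, sort_keys=True).encode()
        return {"ctx": ctx, "tag": mac_sha256(self.franking_key, commitment + ctx)}

    def verify_report(self, plaintext, nonce, commitment, franking):
        """A report reveals plaintext + nonce. Two checks: (1) they reproduce
        the commitment, (2) the provider really franked that commitment in
        that context. A bogus report fails one or the other."""
        if not hmac.compare_digest(mac_sha256(nonce, plaintext), commitment):
            return False
        expected = mac_sha256(self.franking_key, commitment + franking["ctx"])
        return hmac.compare_digest(expected, franking["tag"])


def send(provider, sender, recipient, plaintext):
    """Sender side (Bob). Only the commitment goes to the provider in the
    clear; plaintext and nonce are modelled here as if already decrypted."""
    nonce = os.urandom(32)
    commitment = mac_sha256(nonce, plaintext)
    franking = provider.frank(sender, recipient, commitment)
    return {"from": sender, "to": recipient, "plaintext": plaintext,
            "nonce": nonce, "commitment": commitment, "franking": franking}


def receive(msg):
    """Recipient side (Alice): after decrypting, check that the commitment
    matches what she got, so a later report cannot be disputed."""
    if not hmac.compare_digest(mac_sha256(msg["nonce"], msg["plaintext"]),
                               msg["commitment"]):
        raise ValueError("commitment does not match plaintext")
    return msg


def report(provider, msg, claimed_plaintext=None, claimed_nonce=None,
           claimed_franking=None):
    """Alice files a report, optionally with tampered fields so that the
    rejection of a bogus report can be exercised."""
    return provider.verify_report(
        msg["plaintext"] if claimed_plaintext is None else claimed_plaintext,
        msg["nonce"] if claimed_nonce is None else claimed_nonce,
        msg["commitment"],
        msg["franking"] if claimed_franking is None else claimed_franking)


if __name__ == "__main__":
    fb = Provider()
    m = receive(send(fb, "bob", "alice", b"unwanted picture"))
    print("genuine report:", report(fb, m))
    print("altered plaintext:", report(fb, m, claimed_plaintext=b"far worse"))
```

The point the scheme makes concrete: Alice cannot fabricate a message "from Bob" because any plaintext she invents needs a commitment the provider never franked for Bob, and she cannot alter the context (claim it was sent to someone else, or at another time) without invalidating the provider's tag.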
The more I read and understand about #GDPR, the more I feel it was drafted by lawyers whose concept of "data" is akin to "human tissue samples" - discrete, attributable to a single individual, identifiable, not prone to proliferate…
And they've never heard of Henrietta Lacks.
Before someone reads Wikipedia and plays the "Neither Henrietta Lacks nor her family gave her physicians permission to harvest her cells"—card, yes, but that's not what I am getting at.
What I am saying is that I sense a clash of models: tidy-minded political people who believe that data moves around like a <thing> in a bottle… rather than what actually happens, of leaving copies of itself behind, whenever it starts moving.