Moved

I moved house again yesterday (Friday).  I’m now finally a homeowner: no rent to pay, though lots of repairs and improvements to consume what would have been a rent budget.  Over the coming days (or more likely weeks, months, …) I’ll be unpacking, sorting, fixing things, getting up to speed in the new place.  As well as a couple of final visits to the old place, to clean up and leave it in a presentable state, and (weather permitting) gather some fruit from the garden.

The new place has, alas, no garden.  The only outdoor space is the balcony, which hangs over the river.  But that river is a huge attraction: both the living room and the main bedroom above it look out on the river, so I get to sit and relax, as well as sleep, to the immensely soothing sound of rushing water from the weir.

And that weir is itself part of the building’s history.  For this was originally a foundry, and drew its power from the river.  The building was converted to houses in the late 1990s, but retains thick stone walls, wooden beams, and cast iron fittings, all of which are utterly beautiful, as well as giving character to the house.  So while on one level it’s a humble two-up two-down plus attic (which becomes my office), on another it’s most unusual and indeed amazing!

The location also has much to commend it: under ten minutes walk from the town centre shops, market, and activities, but also scarcely more than that to open moorland.  On the downside, it’s on a busier road than I would choose, and the front rooms – the kitchen and the guest bedroom – will get traffic noise.  And due to a high bank and trees on the other side of the road, the house gets little sun, and the north (river-facing) side gets more light than the south!

It was the river above all else that drew me to this house.  I hope I shall enjoy many years in its company.

 

Advertisements

Mail Hiatus

I am likely to be subject to email hiatus in the immediate future.

On seeing a suddenly-filled default inbox folder (customarily where spam lands, as procmail sorts non-spam), I find an address for me has been used as “From” in what is evidently a big spam run.  The unexpected messages are mostly out-of-office auto-replies.  A handful are from mailinglists that have been spammed but need “me” to subscribe before “I” can post.  Happily my own spam filtering has caught most of the other big class: bounce messages from servers so misconfigured as to accept the spam before identifying it as spam and “returning” it to the victim – me.

After a bit of firefighting to reject the autoresponses and moderate the server load, I instead just deleted the address they’re targeting.  Since it’s an address that is publicly advertised, I can’t make that a permanent solution[1].  I shall keep an eye on the mail log and re-enable it when the flood abates.  Also to relieve the load on the server, I’ve turned off greylisting.  It appears to be OK now, but if necessary I may intervene further.

Interestingly the lists spammed include a lot of my current and former hangouts at w3.org and apache.org.  Happily the “from” address isn’t one I’ve used to subscribe to any of those lists, so nothing should’ve sneaked through there as “from” me.

[1] Or maybe I can.  But that’ll be as part of a general revamp of my mail addresses, and needs planning.

Summer Concert

A week today, Saturday July 6th, we’re performing Rossini’s Petite Messe Solennelle at Plymouth’s Catholic Cathedral.  A work that’s lots of fun and should be worth coming to if you’re in the area.  Though also one I’m feeling I’ve done rather too often in recent years, and I might even make this the third major work in the concert repertoire I’ve sung from memory without the score (after the Messiah and Carmina Burana).

This is a summer concert, with interval cheese-and-wine (or somesuch) included in the ticket price.

Whatsupp?

Funny that.  Just a couple of weeks ago, I wrote:

The spy in your ‘puter or ‘phone … Some of that is P2P communications software like Microsoft’s skype or Facebook’s whatsapp, that should be prime vehicles for Aussie-style targeted espionage.

Suppose you’re a government spy agency that has leaned on whatsapp to introduce your spyware.  You want to get everyone to update to a version with the spyware.  How do you go about it?  How about an announcement of a serious security flaw in earlier versions to persuade everyone who might have something to hide to make the upgrade?

As reported, the whatsapp flaw was already at a much deeper level than just spying on whatsapp traffic (as per my earlier comment): it was used to install some of the world’s most sophisticated spyware called Pegasus, developed by an Israeli company NSO and sold to government agencies for total surveillance on dangerous elements such as dissidents and human rights lawyers.  The Reg article quotes a comment that kind-of summarises:

NSO Group has been bragging that it has no-click install capabilities for quite some time. The real story here is that WhatsApp found the damn thing.

— Eva (@evacide)

Indeed.  Pegasus wasn’t new, and was thought to have been distributed by more conventional means (and no doubt was, to less-than-paranoid users).  How did they make the connection between it and a critical whatsapp bug?  One might speculate there was more to this story than is being told!

A good day to bury other security/spyware news?  Golly, what a coincidence that Thrangrycat was also just announced.  The perfect way to bury something more than the official lawful intercept (wiretapping as required of them by the US Government) malware into Cisco routers, switches and firewalls, so deeply that future upgrades won’t affect it.

Wicked speculation: could it be the amount of work they’ve had to devote to supporting US Government spying requirements that caused Cisco to fall behind an unencumbered Huawei?

A World of Pain

Whither Firefox?

It’s a long time since I experienced the Web without ad-blocking, without noscript.  Individual sites may have changed for better or worse, but overall it remains a whole world of pain.

I don’t even mind adverts.  What I need to block is crap that moves: animations, tickers, slideshows, etc, including those that aren’t adverts at all but are just some deezyner’s wet dream.  And it turns out there’s a lesser nuisance alongside those: sites that put up a huge great dialogue box where I have to agree T&Cs, and usually telling me about their cookies, before viewing the page.

Goodbye, Firefox.  Hello Chromium.  Probably won’t look back (at least for general browsing) until and unless I start getting grief with the latter.

Quis Custodiet Ipsos Custodes?

With the controversy over the US and its allies adopting Huawei kit generating more heat than light, I think perhaps it’s time to don my mathematician’s hat and take a look at what could and couldn’t really be at stake here.  Who could be spying on us, and how?

Much of the commentary on this is on the level of legislating the value of pi.  That is to say, a fundamental conflict with basic laws of nature.  At the heart of this is Trump’s ranting about China spying on us: the idea that a 5g router (or any other infrastructure component) could spy on his intelligence services’ communications is on the level of worrying about catching cold from reading my blog because I sneezed while writing it.

At least, a router acting on its own.  A router in collaboration with other agents could plausibly be a different story, but more on that later.

To set the scene, I can recommend Sky’s historical perspective: Huawei’s 5G network could be used for spying – while the West is asleep at the wheel.  This looks back to the era of British domination of the world’s communications infrastructure, and how we successfully used that to eavesdrop German wartime communications.  It also traces the British company involved, which was bought by Vodafone in 2012.

Taking his lesson from history, Sky’s correspondent concludes that if the Brits and the Americans could do it (the latter a longstanding conspiracy theory more recently supported by the Snowden leaks[1]), then so could the Chinese.  Of Huawei (a private company), he says:

[founder] Ren Zhengfei … has said his firm does not spy for China, and that he would not help China spy on someone even if required by Chinese law.

Personally, I’m inclined to believe him.

But it may also be a promise he is unable to keep, even if he wants to. The state comes before everything.

which might just be plausible, with the proviso that it would risk destroying China’s world-leading company and a powerhouse of its economy.

But the historical analogy misses one crucial difference in the modern world.  Modern encryption.  Maths that emerged (despite the US government’s strenuous efforts to suppress it) around the 1980s, and continues to evolve, while also being routinely used online, ensures that traffic passing through Huawei-supplied infrastructure carries exactly zero information of the kind historically used to decrypt cyphers, such as (famously) the Enigma.  Encryption absolutely defeats the prospect of China doing what Britain and America did.  And – particularly since Snowden[1] – encryption is increasingly widely deployed, even for data whose security is of very little concern, such as a blog at wordpress.org.

Unless of course the encryption is compromised elsewhere.  The spy in your ‘puter or ‘phone.  Or the fake certificate that enables an imposter to impersonate a trusted website or correspondent.  These are real dangers, but none of them is under Huawei’s (let alone the Chinese government’s) control or influence.

Looking at it another way, there’s a very good reason your online banking uses HTTPS – the encrypted version of HTTP.  It’s what protects you from criminals listening in and stealing your data, and gaining access to your account.  The provenance of the network infrastructure is irrelevant: the risk you need to protect against is that there is any compromised component between you and your bank.  Which is exactly what encryption does.

So why is the US government attacking Huawei so vigorously, not merely banning its use there but also threatening its allies with sanctions?  I can see two plausible explanations:

  1. Pure protectionism.  Against the first major Chinese technology company to be not merely competitive with but significantly ahead of its Western competitors in a field.  And against the competitive threat of 5G rollout giving Europe and Asia a big edge over the US.
  2. The US intelligence agencies’ own spying on us.

OK, having mooted (2), it’s time to return to my earlier remark about the possibility of a router collaborating with another agent in spying with us.  The spy in your ‘puter or ‘phone.  There’s nothing new about malware (viruses, etc) that spy on you: for example, they might seek to log keypresses to steal your passwords (this is why financial institutions routinely make you enter some part of your credentials using mouse and menus rather than from the keyboard – it makes it much harder for malware to capture them).  Or alternatively, an application (like a mailer, web browser, video/audio communication software, etc) encrypts but inserts the spy’s key alongside the legitimate users’ keys: this is essentially what the Australian government legislated for to spy on its own citizens.

But such malware, even when installed successfully and without your knowledge, has a problem of its own.  How to “phone home” its information without being detected?  If it makes an IP connection to a machine controlled by the attacker, that becomes obviously suspicious to a range of tools in a techie’s toolkit.  Or for non-techie users, your antivirus software (unless that is itself a spy).  So it’ll have a pretty limited lifetime before it gets busted.  Alternatively, if it ‘phones home’ low-level data without IP information (that’ll look like random line noise to IP tools if they notice it at all), the network’s routers have nowhere to send it, and will just drop it.

This smuggling of illicit or compromised data to a clandestine listener is where a malicious router might conceivably play a role.  But for that to happen, the attacker needs a primary agent: that spy in your ‘puter or ‘phone.  If anyone’s intelligence service has spyware from a hostile power, they have an altogether more serious problem than a router that’ll carry or even clone its data.

And who could install that spy?  Answer: the producers of your hardware or software.  Companies like Microsoft, Apple, Google and Facebook have software installed on most ‘puters and ‘phones.  Some of that is P2P communications software like Microsoft’s skype or Facebook’s whatsapp, that should be prime vehicles for Aussie-style targeted espionage.  If anyone is in a position to spy on us and could benefit from the cooperation of routers to remain undetected, it’s the government who could lean on those companies to do its bidding.  I’m sure the companies aren’t happy about it, but as the Sky journalist said of Huawei, it may also be a promise he is unable to keep, even if he wants to. The state comes before everything”.

China’s presence in any of those markets is a tiny fraction of what the US has.  Could it be that the NSA made Huawei an offer they couldn’t refuse, but they did refuse and the US reaction is the penalty for that?  It’s not totally far-fetched: there’s precedent with the US government’s treatment of Kaspersky.

And it would certainly be consistent with the US government’s high-pressure bullying of its allies.  The alternative explanation to pure protectionism is that they don’t want us to install equipment without NSA spyware!  The current disinformation campaign reminds me of nothing so much as Bush&Blair’s efforts to discredit Hans Blix’s team ahead of the Iraq invasion.

[1] I’m inclined to believe the Snowden leaks.  But I’m well aware that anything that looks like Intelligence information might also be disinformation, and my inclination to believe it would then hint at disinformation targeted at people like me.  So I’ll avoid rash assumptions one way or t’other.  Snowden’s leaks support a conspiracy theory, but don’t prove it.

Passion

Time to mention our next concert: one of the greatest of all Easter works.  Bach’s St Matthew Passion, at the Guildhall, Plymouth, a week today (Sunday April 14th).

This work should need no introduction, and I have no hesitation recommending it to readers within evening-out distance of Plymouth.  I’m looking forward to it.

Just one downside.  As with our performance of the St John’s Passion three years ago, this is a “new” Novello translation.  I think if I’d come to these (translations) in reverse order my criticisms might have been a little different, but the underlying point remains: these are about money.  A rentier publisher contemptuously saying screw the art.  And I can now answer the question I posed then: with ISIS no longer having the earthly power to destroy more great heritage, Novello score a clear victory in the cultural vandalism stakes.

Placing the Blame

When David Cameron resigned, I said here that his successor would come in for a lot of blame.  And indeed, it has come to pass: Mrs May is getting the greater part of the blame for the mess brexit inevitably became.  Much of her party wants her to resign, and she’s indicated she may do so – albeit as a form of bribe to her party.

But who would want her job now?  There’s still a lot of blame to come, and our next prime minister won’t be popular for long either, no matter what he or she may do.  There might be someone among the more swivel-eyed loons with delusions, but the Party Establishment can surely see them off.

There’s one obvious candidate.  He’s in a position somewhat akin to May in 2016: of an age where if he doesn’t get the job now, he’ll be too old to be considered for it.  And every party in parliament – including his own – would just love to see him fall flat on his face, and take the major share of the blame for brexit fallout.  He is of course opposition leader Jeremy Corbyn.

And he’s also in a corner.  Give him an election and, unlike the tories, he really can’t afford not to fight it to win.

So the question is, how to engineer it, and leave him (and the country) the most poisonous legacy possible.  Well, they’re doing that by demonstrating that the tory party is just too dysfunctional and cannot govern.  That’s three-birds-with-one-stone: it leads us by default to the worst possible brexit to poison the future; it helps precipitate an election, and it helps avoid winning that election.  Genius!

Ultima Thule

NASA appear to be showing a profound lack of ambition.  They’ve gone to the end of the world, and will never go further.

For there is no destination more remote than Thule, the semi-mythical far northern land of tales of the ancient world.  A mythical character that leaves it open to being identified with a range of different northern isles known to modern man, but always the end of the earth.

Iceland is by far the biggest candidate on the modern map, and tales of a land of fire and ice like Weelkes’s Period[1] of Cosmography (from around 1600) support that.  And if Thule is Iceland, Ultima Thule could be either even-more-inaccessible Greenland or merely inflationary language.  But only because Renaissance Europe’s exploration had gone further than the Odyssey in the 2000+ years since ancient Thule.

Now NASA has gone to Ultima Thule.  The end of the world.  By their own choice of nomenclature, they can go no further.

[1]Period as in punctuation: the ultimate end of the world!

The Humbug that stole Christmas travel

The bizarre story of the Gatwick Drone(s) seems to have gone quiet, and some of what’s been reported appears to indicate the possibility that responsible authorities may have egg on their face.  Very likely the Police: they’re a regular scapegoat for idiocy on the part of politicians, civil servants, and the judiciary, as well as their own cockups.

The jokes have done nicely on it: a fat bloke on a sleigh, or Liliputian tourists, for example.  And when a senior policeman suggested the possibility there was never actually a drone, only to be “corrected” the following day, how could conspiracy theories fail to follow?  Quite apart from the obvious kneejerk reactions and the added complication of the sale of Gatwick airport itself in the middle of the crisis!  Someone has something to hide, but what?  Do even TPTB know?

My non-conspiracy theory: it was christmas lights.  There seem to be a fair few coloured lasers around: could some of them have interacted to produce an accidental holographic display?  The first reported sightings being at night and in the rain (unlikely flying conditions for a drone), it was presumably just lights that someone actually saw.  And after it had been reported, I should imagine only the merest ghost of a hologram would be needed to convince the brain it had seen a drone!

Would TPTB ever admit such a thing?  No suggestion of malicious intent, just too embarrassing for someone.  And lots of people no doubt wanting compensation, and lawyers circling around delayed travellers!  Mind you, it would be rather satisfying if the whole thing were indeed down to humbuggery!