Whatsupp?

Funny that.  Just a couple of weeks ago, I wrote:

The spy in your ‘puter or ‘phone … Some of that is P2P communications software like Microsoft’s skype or Facebook’s whatsapp, that should be prime vehicles for Aussie-style targeted espionage.

Suppose you’re a government spy agency that has leaned on whatsapp to introduce your spyware.  You want to get everyone to update to a version with the spyware.  How do you go about it?  How about an announcement of a serious security flaw in earlier versions to persuade everyone who might have something to hide to make the upgrade?

As reported, the whatsapp flaw was already at a much deeper level than just spying on whatsapp traffic (as per my earlier comment): it was used to install some of the world’s most sophisticated spyware called Pegasus, developed by an Israeli company NSO and sold to government agencies for total surveillance on dangerous elements such as dissidents and human rights lawyers.  The Reg article quotes a comment that kind-of summarises:

NSO Group has been bragging that it has no-click install capabilities for quite some time. The real story here is that WhatsApp found the damn thing.

— Eva (@evacide)

Indeed.  Pegasus wasn’t new, and was thought to have been distributed by more conventional means (and no doubt was, to less-than-paranoid users).  How did they make the connection between it and a critical whatsapp bug?  One might speculate there was more to this story than is being told!

A good day to bury other security/spyware news?  Golly, what a coincidence that Thrangrycat was also just announced.  The perfect way to bury something more than the official lawful intercept (wiretapping as required of them by the US Government) malware into Cisco routers, switches and firewalls, so deeply that future upgrades won’t affect it.

Wicked speculation: could it be the amount of work they’ve had to devote to supporting US Government spying requirements that caused Cisco to fall behind an unencumbered Huawei?

Advertisements

A World of Pain

Whither Firefox?

It’s a long time since I experienced the Web without ad-blocking, without noscript.  Individual sites may have changed for better or worse, but overall it remains a whole world of pain.

I don’t even mind adverts.  What I need to block is crap that moves: animations, tickers, slideshows, etc, including those that aren’t adverts at all but are just some deezyner’s wet dream.  And it turns out there’s a lesser nuisance alongside those: sites that put up a huge great dialogue box where I have to agree T&Cs, and usually telling me about their cookies, before viewing the page.

Goodbye, Firefox.  Hello Chromium.  Probably won’t look back (at least for general browsing) until and unless I start getting grief with the latter.

Quis Custodiet Ipsos Custodes?

With the controversy over the US and its allies adopting Huawei kit generating more heat than light, I think perhaps it’s time to don my mathematician’s hat and take a look at what could and couldn’t really be at stake here.  Who could be spying on us, and how?

Much of the commentary on this is on the level of legislating the value of pi.  That is to say, a fundamental conflict with basic laws of nature.  At the heart of this is Trump’s ranting about China spying on us: the idea that a 5g router (or any other infrastructure component) could spy on his intelligence services’ communications is on the level of worrying about catching cold from reading my blog because I sneezed while writing it.

At least, a router acting on its own.  A router in collaboration with other agents could plausibly be a different story, but more on that later.

To set the scene, I can recommend Sky’s historical perspective: Huawei’s 5G network could be used for spying – while the West is asleep at the wheel.  This looks back to the era of British domination of the world’s communications infrastructure, and how we successfully used that to eavesdrop German wartime communications.  It also traces the British company involved, which was bought by Vodafone in 2012.

Taking his lesson from history, Sky’s correspondent concludes that if the Brits and the Americans could do it (the latter a longstanding conspiracy theory more recently supported by the Snowden leaks[1]), then so could the Chinese.  Of Huawei (a private company), he says:

[founder] Ren Zhengfei … has said his firm does not spy for China, and that he would not help China spy on someone even if required by Chinese law.

Personally, I’m inclined to believe him.

But it may also be a promise he is unable to keep, even if he wants to. The state comes before everything.

which might just be plausible, with the proviso that it would risk destroying China’s world-leading company and a powerhouse of its economy.

But the historical analogy misses one crucial difference in the modern world.  Modern encryption.  Maths that emerged (despite the US government’s strenuous efforts to suppress it) around the 1980s, and continues to evolve, while also being routinely used online, ensures that traffic passing through Huawei-supplied infrastructure carries exactly zero information of the kind historically used to decrypt cyphers, such as (famously) the Enigma.  Encryption absolutely defeats the prospect of China doing what Britain and America did.  And – particularly since Snowden[1] – encryption is increasingly widely deployed, even for data whose security is of very little concern, such as a blog at wordpress.org.

Unless of course the encryption is compromised elsewhere.  The spy in your ‘puter or ‘phone.  Or the fake certificate that enables an imposter to impersonate a trusted website or correspondent.  These are real dangers, but none of them is under Huawei’s (let alone the Chinese government’s) control or influence.

Looking at it another way, there’s a very good reason your online banking uses HTTPS – the encrypted version of HTTP.  It’s what protects you from criminals listening in and stealing your data, and gaining access to your account.  The provenance of the network infrastructure is irrelevant: the risk you need to protect against is that there is any compromised component between you and your bank.  Which is exactly what encryption does.

So why is the US government attacking Huawei so vigorously, not merely banning its use there but also threatening its allies with sanctions?  I can see two plausible explanations:

  1. Pure protectionism.  Against the first major Chinese technology company to be not merely competitive with but significantly ahead of its Western competitors in a field.  And against the competitive threat of 5G rollout giving Europe and Asia a big edge over the US.
  2. The US intelligence agencies’ own spying on us.

OK, having mooted (2), it’s time to return to my earlier remark about the possibility of a router collaborating with another agent in spying with us.  The spy in your ‘puter or ‘phone.  There’s nothing new about malware (viruses, etc) that spy on you: for example, they might seek to log keypresses to steal your passwords (this is why financial institutions routinely make you enter some part of your credentials using mouse and menus rather than from the keyboard – it makes it much harder for malware to capture them).  Or alternatively, an application (like a mailer, web browser, video/audio communication software, etc) encrypts but inserts the spy’s key alongside the legitimate users’ keys: this is essentially what the Australian government legislated for to spy on its own citizens.

But such malware, even when installed successfully and without your knowledge, has a problem of its own.  How to “phone home” its information without being detected?  If it makes an IP connection to a machine controlled by the attacker, that becomes obviously suspicious to a range of tools in a techie’s toolkit.  Or for non-techie users, your antivirus software (unless that is itself a spy).  So it’ll have a pretty limited lifetime before it gets busted.  Alternatively, if it ‘phones home’ low-level data without IP information (that’ll look like random line noise to IP tools if they notice it at all), the network’s routers have nowhere to send it, and will just drop it.

This smuggling of illicit or compromised data to a clandestine listener is where a malicious router might conceivably play a role.  But for that to happen, the attacker needs a primary agent: that spy in your ‘puter or ‘phone.  If anyone’s intelligence service has spyware from a hostile power, they have an altogether more serious problem than a router that’ll carry or even clone its data.

And who could install that spy?  Answer: the producers of your hardware or software.  Companies like Microsoft, Apple, Google and Facebook have software installed on most ‘puters and ‘phones.  Some of that is P2P communications software like Microsoft’s skype or Facebook’s whatsapp, that should be prime vehicles for Aussie-style targeted espionage.  If anyone is in a position to spy on us and could benefit from the cooperation of routers to remain undetected, it’s the government who could lean on those companies to do its bidding.  I’m sure the companies aren’t happy about it, but as the Sky journalist said of Huawei, it may also be a promise he is unable to keep, even if he wants to. The state comes before everything”.

China’s presence in any of those markets is a tiny fraction of what the US has.  Could it be that the NSA made Huawei an offer they couldn’t refuse, but they did refuse and the US reaction is the penalty for that?  It’s not totally far-fetched: there’s precedent with the US government’s treatment of Kaspersky.

And it would certainly be consistent with the US government’s high-pressure bullying of its allies.  The alternative explanation to pure protectionism is that they don’t want us to install equipment without NSA spyware!  The current disinformation campaign reminds me of nothing so much as Bush&Blair’s efforts to discredit Hans Blix’s team ahead of the Iraq invasion.

[1] I’m inclined to believe the Snowden leaks.  But I’m well aware that anything that looks like Intelligence information might also be disinformation, and my inclination to believe it would then hint at disinformation targeted at people like me.  So I’ll avoid rash assumptions one way or t’other.  Snowden’s leaks support a conspiracy theory, but don’t prove it.

Passion

Time to mention our next concert: one of the greatest of all Easter works.  Bach’s St Matthew Passion, at the Guildhall, Plymouth, a week today (Sunday April 14th).

This work should need no introduction, and I have no hesitation recommending it to readers within evening-out distance of Plymouth.  I’m looking forward to it.

Just one downside.  As with our performance of the St John’s Passion three years ago, this is a “new” Novello translation.  I think if I’d come to these (translations) in reverse order my criticisms might have been a little different, but the underlying point remains: these are about money.  A rentier publisher contemptuously saying screw the art.  And I can now answer the question I posed then: with ISIS no longer having the earthly power to destroy more great heritage, Novello score a clear victory in the cultural vandalism stakes.

Placing the Blame

When David Cameron resigned, I said here that his successor would come in for a lot of blame.  And indeed, it has come to pass: Mrs May is getting the greater part of the blame for the mess brexit inevitably became.  Much of her party wants her to resign, and she’s indicated she may do so – albeit as a form of bribe to her party.

But who would want her job now?  There’s still a lot of blame to come, and our next prime minister won’t be popular for long either, no matter what he or she may do.  There might be someone among the more swivel-eyed loons with delusions, but the Party Establishment can surely see them off.

There’s one obvious candidate.  He’s in a position somewhat akin to May in 2016: of an age where if he doesn’t get the job now, he’ll be too old to be considered for it.  And every party in parliament – including his own – would just love to see him fall flat on his face, and take the major share of the blame for brexit fallout.  He is of course opposition leader Jeremy Corbyn.

And he’s also in a corner.  Give him an election and, unlike the tories, he really can’t afford not to fight it to win.

So the question is, how to engineer it, and leave him (and the country) the most poisonous legacy possible.  Well, they’re doing that by demonstrating that the tory party is just too dysfunctional and cannot govern.  That’s three-birds-with-one-stone: it leads us by default to the worst possible brexit to poison the future; it helps precipitate an election, and it helps avoid winning that election.  Genius!

Ultima Thule

NASA appear to be showing a profound lack of ambition.  They’ve gone to the end of the world, and will never go further.

For there is no destination more remote than Thule, the semi-mythical far northern land of tales of the ancient world.  A mythical character that leaves it open to being identified with a range of different northern isles known to modern man, but always the end of the earth.

Iceland is by far the biggest candidate on the modern map, and tales of a land of fire and ice like Weelkes’s Period[1] of Cosmography (from around 1600) support that.  And if Thule is Iceland, Ultima Thule could be either even-more-inaccessible Greenland or merely inflationary language.  But only because Renaissance Europe’s exploration had gone further than the Odyssey in the 2000+ years since ancient Thule.

Now NASA has gone to Ultima Thule.  The end of the world.  By their own choice of nomenclature, they can go no further.

[1]Period as in punctuation: the ultimate end of the world!

The Humbug that stole Christmas travel

The bizarre story of the Gatwick Drone(s) seems to have gone quiet, and some of what’s been reported appears to indicate the possibility that responsible authorities may have egg on their face.  Very likely the Police: they’re a regular scapegoat for idiocy on the part of politicians, civil servants, and the judiciary, as well as their own cockups.

The jokes have done nicely on it: a fat bloke on a sleigh, or Liliputian tourists, for example.  And when a senior policeman suggested the possibility there was never actually a drone, only to be “corrected” the following day, how could conspiracy theories fail to follow?  Quite apart from the obvious kneejerk reactions and the added complication of the sale of Gatwick airport itself in the middle of the crisis!  Someone has something to hide, but what?  Do even TPTB know?

My non-conspiracy theory: it was christmas lights.  There seem to be a fair few coloured lasers around: could some of them have interacted to produce an accidental holographic display?  The first reported sightings being at night and in the rain (unlikely flying conditions for a drone), it was presumably just lights that someone actually saw.  And after it had been reported, I should imagine only the merest ghost of a hologram would be needed to convince the brain it had seen a drone!

Would TPTB ever admit such a thing?  No suggestion of malicious intent, just too embarrassing for someone.  And lots of people no doubt wanting compensation, and lawyers circling around delayed travellers!  Mind you, it would be rather satisfying if the whole thing were indeed down to humbuggery!

The Dream of Gerontius

For our next concert, the Plymouth Philharmonic Choir and Plymouth Symphony Orchestra join forces for a performance of Elgar’s Dream of Gerontius, one of the biggest and most complex works in the concert repertoire.  We will be under the baton of the orchestra’s conductor Anne Kimber, and I’m much looking forward to it.

The performance is next Sunday, November 25th, at the Guildhall, Plymouth.  I think the work is sufficiently well known to need no introduction for music lovers, and I have no hesitation recommending it to readers in the area.

Great War Symphony

Our next concert[1] features a new work, written for the centenary of the Armistice of November 1918.  We will be performing Patrick Hawes’s Great War Symphony at St Andrews Church, Plymouth, on November the 3rd.  This is a symphony in a conventional four movements, for two soloists, chorus and orchestra, and is just under an hour (half a full concert programme).

The texts are primarily poetry from the Great War, encompassing big names of the era such as Siegfried Sassoon, Wilfred Owen, Edward Thomas, Rupert Brooke, and other scribes who don’t spring to mind just now but probably should.  Also featured are the soldier’s oath of allegiance, the Last Post, and the latin Dies Irae.

A major new work on this subject inevitably suggests comparisons.  This is not a work to threaten the War Requiem’s crown as the towering masterpiece of war commemoration, but in any other comparison I’d say it holds up pretty creditably.  I’ve enjoyed learning it and look forward to the performance, which I expect will also be well worth attending for readers local to the area.

For readers not in the area, performances are also taking place elsewhere.  The premiere was a couple of weeks ago at the Royal Albert Hall.  Another big-name venue is Carnegie Hall where it’ll be performed on November 11th, with some of my fellow-performers flying to New York to take part in that too.

[1] Or rather, the next concert I’m performing in.  “Our” doesn’t really fit when it’s a group I’ve joined for the first time for this concert, being a sucker for opportunities to perform in a major new work.

Stalemate?

“Michel Barnier has said Britain would get a better brexit deal if he were negotiating with himself”

— attributed to comedian Henning Wehn.

The sad thing is, the quip is probably true!  The real problems lie not between the UK and EU, nor even between political parties here, but within the governing Tory party.

I’ve been meaning to write most of this post – less the above joke – for a long time.  I think since last December, when they announced the ‘backstop’ agreement to the Irish border issue.  An agreement that was never going to be acceptable to the hardliners, and looked set up as vehicle for pushing blame onto the EU when the UK started to mess with it.  But if so, that looks to be failing, as it seems the hardliners eschew such a “double-cross them later” fudge and reject it now.

So what is standing in the way of an agreement?  At the core of it are two red lines:

EU red line: the integrity of the rules and regulations that protect our people and other things we care about.
Brexiteer red line: we must not be bound by EU rules: they stand in the way of trade agreements.

OK, that’s a bit abstract.  There’s exactly one trade agreement that’s at issue here, and (so far as I’m aware) just one set of EU rules that’s really relevant.  The trade agreement is of course with the US, and the rules in question are food safety.  Because the US red line that has prevented a big US-EU trade agreement over many years is their freedom to export to us a range of foods that are banned here.  I don’t have the expertise to say who is right or wrong when it comes to America’s wide range of genetically modified foods, chlorinated chicken, or beef pumped full of growth hormone (though I’d want to avoid the latter myself if I ate meat in the first place), but we’ll have to accept them if we want that US trade agreement[1].

So that’s the UK importing all those foods, now legally. And the US exporting them in bulk.  And with consequential issues: the US will want to prevent backdoor restraint of trade, so a US importer should have a clear case in law against a British supermarket that uses a labelling scheme (like red tractor) prejudicial to the imports.  And that’s a problem for British farmers: how are they to compete if we hold them to higher standards?  What happens to the countryside if we lower our own standards to help them compete?

The EU wants to keep them out.  It knows there will be smuggling (as with illegal drugs), but we must at least seek to minimise it: confine it to the margins.  In the absence of proper border checks, the only limit on smuggling is the capacity of transport links between Belfast and Dublin.  Hence the problem over that Irish border.

And it seems the EU really are insisting on the open border if we’re to have agreement.  They made concessions in aid of that at the outset: notably the declaration that the Irish border is a unique case, thus avoiding problems like the Spanish feeling the need to veto an agreement that would be unacceptable to them on the Gibraltar border.

Looks like stalemate.  Who will blink?

Mrs May has tried to deal with that by preserving regulatory alignment on goods – including of course food standards.  But the US lobbyists in her own party won’t stand for that.  So unless she can beat them, probably with help from other parties in parliament, that’s going nowhere.  And her compromise-attempt was wrapped in a package so convoluted as to present problems to more than just the hard-brexiteers.

Still looks like stalemate.  Who will blink?

What about the brexiteer proposal that technology can be a solution?  The only real question there is, why do our mainstream media allow such disingenuous distraction to stand?  Technology might serve to implement a solution, but that can only happen if and when there’s a political solution to implement!  Claiming it as a solution in itself is about as useful to that as supplying bikes to fish: its only purpose is to confuse the issue and throw a spanner in negotiations.  I consider the failure to debunk it comprehensively to be Gross Negligence on the part of the mainstream media.

[1] I wonder if that even need have been true if our politicians hadn’t made such a big issue of the standards?  If we could have honestly said to the US “our hands are tied”, might a maverick like Trump have moved his red lines (with, no doubt, some give-and-take elsewhere) in the interests of showing the world “look, we can have a trade agreement”?