Tag Archives: Security

Register Your Club To Use My Face Value Free Of Charge

My Face Value is preparing for launch on 31st December 2017. To keep up to date with the latest news follow us on Facebook and Twitter

What Will My Face Value Do For Your Club?

My Face Value will make our platform available for use by your Club – free of charge – for:

  • Ticketing – Selling Tickets To Your Games
  • Posting Your Fixtures & Results
  • Promotions – Announcing Events & General News
  • Running Competitions & Fundraisers
  • Merchandising – Your Club Shop Online
  • Blogging – Allowing You To Keep Your Fans & Community Informed
  • Other – We will take suggestions for other services that Clubs would like us to consider providing

Why Are My Face Value Doing This?

The My Face Value mission is to remove touts (street level and corporate) from the ticket supply chain.

Touting and ticket price gouging will always exist in one form or another. In time, the positive disruptive activities of My Face Value will make touting far less prevalent and see far less wasted money from honest punters on counterfeit tickets or genuine fans being priced out of attending events.

We need the Clubs support to achieve our goals. Especially around a universally accepted process that governs the secondary ticket market that we want to see operate at Face Value ONLY with NO touting of any kind.

My Face Value is committed to introducing positive change. To demonstrate the My Face Value commitment to the grassroots and the development and promotion of football and fairness at all levels of the game we stated at the outset that we would allow qualifying Clubs access to our platform – free of charge.

By doing so we are giving qualifying Clubs access to world class marketing tools, technology and best practices to promote their Clubs and their Communities.

Who Can Register?

Registration is available to all clubs in England, Scotland, Wales, Northern Ireland and the Republic of Ireland who do NOT play in the following leagues:

  • English Premier League
  • English Football League Championship
  • English League One
  • English League Two
  • English National League
  • English National League North
  • English National League South
  • Scottish Premiership
  • Scottish Championship
  • Scottish League One
  • Scottish League Two
  • Welsh Premier League
  • NIFL Premiership
  • NIFL Championship
  • League of Ireland Premier Division
  • League of Ireland First Division

To register your interest please email AMAclubs@myfacevalue.co.uk

ENDS

Does anyone have experience of “KAYMERA MOBILE THREAT DEFENSE SUITE”

We are looking at this platform in parallel with the SaltDNA app which I previously posted about.

Kaymera has a pre-installed secured Android OS with integrated high-end security components to detect, prevent and protect against all mobile security threats without compromising on functionality or usability. A contextual, risk-based app uses a range of indicators to identify a risk in real-time and apply the right security measure so mitigation is performed only when needed and appropriate. Their Cyber Command Centre framework manages and enforces organization-specific permissions, security protocols and device policies. Monitors risk level, threat activities and security posture per device and deploys countermeasures.

Any thoughts welcome.

ENDS.

People That Like To Throw Grenades Into Your Privacy

For good or for bad I have a tattoo that reads “Fidarsi è bene non fidarsi è meglio” which literally translated is “To trust is good but to not trust is better.” or colloquially “Better safe than sorry”. At least that’s what Google translate told me. I have to trust it. But Veritas Language Solutions have previously reported on the perils of foreign language tats. Like the man who wanted the Chinese symbols for “Live and let live” on his arm but ended up with the Mandarin for “Sweet and Sour Chicken”. I like sweet and sour chicken.

Your “Mass Surveillance” Reality 

In case you have forgotten the reality of the world that you live in right now (in terms of your Privacy), here is a reminder, before it gets exponentially worse:

“The attitude of these politicians (Trump, May, Valls & Co.) and their intelligence organisations and the new “laws” – in the form of the revised Patriot Act and the Investigatory Powers Act – means that’s the vast majority of the worlds English speaking population now live under governments who can – legally – invade their privacy at will – whether at home, at work or at leisure – store the information and use it for any purpose, at any time, at any point in the future – for any reason.”

But that is not good enough. Now they want all of your encrypted data too. Just in case.

Pop Quiz

With that as a backdrop here is a pop quiz and my answers to same (Note: I am a paranoid git, and grumpy):

  1. Do I trust Theresa May? – No;
  2. Do I trust Malcolm Turnbull – No;
  3. Do I trust Donald Trump – F**k No;
  4. Do I trust the Five Eyes Intelligence Alliance – No;
  5. Do I trust the Nine Eyes, the Fourteen Eyes, NSA, GCHQ, MI6, ASD, GCSB, CIA, or CSEC – No;
  6. Do I trust the government of the country of my birth or their national security credentials – No;
  7. Do I think that politicians are concerned with striking an appropriate balance between the right to privacy, freedom of speech, and the preservation of civil liberties with the need to maintain the rule of law – No;
  8. Do I trust any bugger who asks me to trust them with the infinite power to snoop on my personal, professional, online, offline, awake, asleep life – Eh, No.

Do you?

ENDS

IBM Mainframe Ushers in New Era of Data Protection with Pervasive Encryption

Main take-outs in IBM Z Systems announcement:

  1. Pervasively encrypts data, all the time at any scale;
  2. Addresses global data breach epidemic;
  3. Helps automate compliance for EU General Data Protection Regulation, Federal Reserve and other emerging regulations;
  4. Encrypts data 18x faster than compared x86 platforms, at 5 percent of the cost (Source: “Pervasive Encryption: A New Paradigm for Protection,” K. R. E. Lind, Chief Systems Engineer, Solitaire Interglobal Ltd., June 30, 2017);
  5. Announces six IBM Cloud Blockchain data centers with IBM Z as encryption engine;
  6. Delivers groundbreaking Container Pricing for new solutions, such as instant payments.

The new data encryption capabilities are designed to address the global epidemic of data breaches, a major factor in the $8 trillion cybercrime impact on the global economy by 2022. Of the more than nine billion data records lost or stolen since 2013, only four percent were encrypted, making the vast majority of such data vulnerable to organized cybercrime rings, state actors and employees misusing access to sensitive information.

In the most significant re-positioning of mainframe technology in more than a decade, when the platform embraced Linux and open source software, IBM Z now dramatically expands the protective cryptographic umbrella of the world’s most advanced encryption technology and key protection. The system’s advanced cryptographic capability now extends across any data, networks, external devices or entire applications – such as the IBM Cloud Blockchain service – with no application changes and no impact on business service level agreements.

“The vast majority of stolen or leaked data today is in the open and easy to use because encryption has been very difficult and expensive to do at scale,” said Ross Mauri, General Manager, IBM Z. “We created a data protection engine for the cloud era to have a significant and immediate impact on global data security.”

ENDS

* From an article originally published on July 17 2017 on my Peerlyst blog

AI Voice Cloning & Perceived Reality – Fake News Has A New Friend

A Canadian startup called Lyrebird has announced that it has developed a platform capable of mimicking human voice with a fraction of the audio samples required by other platforms such as Google DeepMind and Adobe Project VoCo.

The Lyrebird synthesis software requires only 60 seconds of sample audio to produce it’s synthetic sample. VoCo needs about 20 minutes to do the same.

The quality of the voice reproductions that the software can make are mixed. Some are better than others.

The three founders state that they are addressing possible misuse concerns by making the software publicly available. That may be a little optimistic.

“By releasing our technology publicly and making it available to anyone, we want to ensure that there will be no such risks. We hope that everyone will soon be aware that such technology exists and that copying the voice of someone else is possible. More generally, we want to raise attention about the lack of evidence that audio recordings may represent in the near future.”

James Vincent at The Verge neatly summarizes the worrying outcomes of the combination of trick biometric software, 3D mapping and voice synthesizers.

“There are more troubling uses as well. We already know that synthetic voice generators can trick biometric software used to verify identity. And, given enough source material, AI programs can generate pretty convincing fake pictures and video of anyone you like. For example, this research from 2016 uses 3D mapping to turn videos of famous politicians, including George W. Bush and Vladimir Putin, into real-time “puppets” controlled by engineers. Combine this with a realistic voice synthesizer and you could have a Facebook video of Donald Trump announcing that the US is bombing North Korea going viral before you know it.” 

Fake news has a new friend.

ENDS

Is Moxie Still An Anarchist, Are Farcebook Deliberately Hobbling WhatsApp & Does SIGNAL Leak?

Recently I wrote in a blog post “When The Privacy Advocate Becomes An Apologist For The Opponent” about the main stream media sponsored spat that had @Moxie from @WhisperSystems siding with @WhatsApp and @Facebook in a face off against @Guardian and their contributor @tobiasboelter (Security and Crypto at UC Berkeley) in a “man in the middle” versus “design” versus “vulnerability” versus “backdoor” versus “privacy” versus “convenience” versus “user experience” tit for tat.

1. Is Moxie Still An Anarchist?

I said of Moxie Marlinspike that:

“When the advocates become apologists for the mainstream then they longer deserve to be called advocates in the purest sense of the word. And Moxie does consider himself “pure”. He is not. In July 2016 Wired wrote “Meet Moxie Marlinspike, the Anarchist Bringing Encryption to All of Us” but being an “anarchist” and an ally of Zuckerberg are incompatible ideological stances.”

The blog post drew some comment on Peerlyst and elsewhere that took the debate in a number of different directions that I think are worthy of note. My personal belief is that WhatsApp is a more inferior app than most people will accept and that Moxie’s stance also leads me to doubt the once unassailable position of Signal as a trustworthy option.

Peter Stone on Peerlyst commented that:

“Your assertion that Moxie‍ fundamentally is no longer an anarchist when he sides with Zuck holds. And you’re right it matters that they made this design choice, and yes it can be a threat if you have Governments in your threat model. I cannot argue with you at all. My only point, and thanks for the mention, was that it wasn’t, as such, a backdoor.”

Conclusion: Moxie is not an anarchist

2. Are Farcebook Deliberately Hobbling WhatsApp?

This comment led me to ask:

“I agree with you Peter and my post is only expressing my view from the lens of being one of those “crypto geeks” that you and Dave Howe were discussing on the original thread. I accept all of the points that you both make about barriers to entry / usage and cost factors for “average” users in adopting escalating levels of security. But would you agree with the statement that:

“WhatsApp have made a design choice that can be exploited as a backdoor – the rest is semantics”?

Any takers?”

Boelter in his articles laments the fact that Farcebook, after being notified of the weakness in the “design-choices” that they had made for WhatsApp, still refused to take action.

This to me betrays an unwillingness to properly secure the platform for whatever reason and while I accept that a legitimate interim position between releases of a product is to state “it is good enough – for now – but lets see if we can make it even better” that does not seem to be what the Farcebook approach is to ongoing WhatsApp app hardening.

I really liked what Dave Howe had to say in reply to my original comment:

“I can agree totally on the first part of that. WhatsApp have made a design choice that can be exploited as a backdoor.

In fact, I would go further; WhatsApp have made a series of poor design choices which impact severely the security of the solution.

The first is that mail will be retransmitted without an option to block if a new device is added.

The second is that a new device can be added and, by default, this will be silently accepted by the system, and

The third is that the account holder has no reliable way to know a new device was added unless WhatsApp notify them – which of course for a TLA “listening tap” will not happen.

However, “the rest is semantics” I disagree with.

The impact of these poor choices is severe, but the solution is still better than it was before the protocol was added, and more importantly, now WhatsApp is aware of the mistake, it is in a position to fix it.

The detail is therefore important, and while a lot of crypto purists would class anything not a provable success as an abject failure, a more pragmatic security enthusiast will take any improvement as an improvement, and work to build on that platform.

Similarly, to a purist, a system is broken if, given a compute cube the size of the moon, you could break a message on average every thousand years or so – while a pragmatist would say “it’s good enough – for now – but lets see if we can make it even better”

We need to push them to get better. If nothing else, this “backdoor” publicity put this in the public eye (only for Brexit and Trump to push it back under cover of course).

I have to wonder if there is some sort of instruction preventing them from doing so – I know they can insist on that in the UK now, but I wasn’t aware this was true in the US yet (See my blog post Silencing the Canary & The Key Powers & Reach of The IPA)

Solution is obvious though – increase user choice, and make it so they can turn that *off* if they want to, not off by default.

New device added? Have confirmation of new devices as an option.

Until confirmed, new messages will *not* be encoded to the new key, so you can email the old keyset asking if they really have added a new device.

Options can have “auto accept” “ask” and “deny” with the default set to “ask”.

Unacknowledged messages? Have that only resend if the new device is confirmed, and not until; that takes care of that problem too.

If users then choose to disable the “annoying popup” then that’s their choice, not something imposed on them by Farcebook.”

Aside from the poor “design choices” that are covered in “When The Privacy Advocate Becomes An Apologist For The Opponent” and above by Dave here are a few more “design choices” WhatsApp chose not to include from the SIGNAL protocol:

Ability To Password Protect The WhatsApp App

WhatsApp does not have any password system built into the app. WhatsApp say there are many apps in the Google Play store that provide that functionality so just tag on a third party app to make it even weaker

screen-shot-2017-02-01-at-20-41-45

“Disappearing Messages” Option in WhatsApp 

There is no “disappearing messages” option in WhatsApp.

Conclusion: Yes Farcebook are deliberately hobbling WhatsApp IMHO. Their reasons? I do not know but I do not accept “user experience” as a justification.

3. Does SIGNAL Leak? 

Would anyone care to comment on this statement regarding the signal app and “leakage”:

“Note that Open Whisper Systems, the makers of Signal, use other companies’ infrastructure to send its users alerts when they receive a new message. It uses Google on Android, and Apple on iPhone. That means information about who is receiving messages and when they were received may leak to these companies.”

Found at on a post on ELECTRONIC FRONTIER FOUNDATION Surveillance Self-Defense.

Conclusion: I don’t know

ENDS

Mass Surveillance & The Oxford Comma Analogy

Acknowledgments, Contributions & References: This blog post was written in collaboration with and using contributions from Mr. Dean Webb (find Dean’s profile on PeerLyst). The clever and insightful bits are all Dean, the space fillers and punctuation are mine – except the “Oxford Comma” analogy, which even though it is lifted from @Grammarly on Twitter, is mine – and I like it (a lot). Enjoy.

Who Do We Like, Who Do We Dislike (Today)

Wearable tech is on its way, for surveillance during times when one is away from the vidscreen. But we need this stuff in order to protect against Eurasia. We have always been at war with Eurasia. We will always be at war with Eurasia until 20 January, at noon. Then we will always have been at war with Eastasia. And then we will need all this stuff to protect against Eastasia.

On a more serious note, anonymity has been dead for quite some time. As an example, about 10 years ago Dean Webb was running a web forum for students involved in an academic competition.

He and other teachers had volunteered to be admins for the board. They had a student that began to harass others on the board and post some highly inappropriate material. They banned his account, and he would connect again with another account.

So, Dean took down the IP addresses he’d used for his accounts and did a quick lookup on their ownership. They were at a certain university, so he contacted that university with the information and the times of access and they were able to determine which student was involved.

He was told to stop posting, or face discipline at the university. That got him to stop.

Simple Methods, Complex Implications

The point is, that IP address and timestamp for most people is going to be what gets them in the end. They don’t know what a VPN is from a hole in the ground, let alone what a TOR node is.

At best, most of them will use a browser in anonymous / incognito mode, without realising that cookies are still retained and updated, credit card transactions remain on the record, and ISPs will still retain IP address information with timestamps.

It could be argued that a Layer 2 hijacking of someone else’s line is the way to go anonymously, but that involves a physical alteration of someone’s gear, and that means physical evidence, which is very difficult to erase completely.

Even if anonymity is not completely dead (mostly dead, perhaps?), it is certainly outside the reach of most people because they lack general IT knowledge about the basics of the Internet.

I (Graham) was met with the following comment when I posted a tweet some time before Xmas 2016 about Identity Theft:

“despite the hysteria the theft of most peoples personal information is / will be inconsequential”

The use of the word “inconsequential” by the commenter on my post reminded me of the hilarious Doctor Evil therapy session monologue in the Austin Powers movie when Doctor Evil stated, when asked about his life, that “the details of my life are quite inconsequential”. But 60 seconds of monologue later it was quite clear that they were far from “inconsequential” – it is a matter of perspective as to what is and what is not. That is the problem. And that is the potential worry.

Threat Awareness & Counter Measures

The vast majority of people and their browsing habits are innocuous. The point though that the comment misses and which is the point that Dean makes in his comments about the average John Q. Citizen’s awareness of the threats and the countermeasures available is that the public in general has moved their private communications on to a platform where they do not understand the implications of the ability of externals to eavesdrop or to store and reference data at a future point.

There was a blog post I (Graham) made some time ago about the risk of “profiling” and of “false positives” and the threat that they posed especially with respect to miscarriages of justice. (See “The Sword of Islam” story below)

The point is not whether “the theft of most peoples personal information is / will be inconsequential” or the storage of most peoples browsing history or contacts with other parties is / will be inconsequential or not – the point is that it can be made to look very different to what was actually happening originally.

Like a misquoted partial comment in a newspaper article – actions taken out of context can look very different.

The Oxford Comma Analogy

Recently I posted a tweet about the Oxford comma and it does indirectly inform the point that I am trying to make here:

Excerpt begins from Grammarly

“Unless you’re writing for a particular publication or drafting an essay for school, whether or not you use the Oxford comma is generally up to you. However, omitting it can sometimes cause some strange misunderstandings.

“I love my parents, Lady Gaga and Humpty Dumpty.”

Without the Oxford comma, the sentence above could be interpreted as stating that you love your parents, and your parents are Lady Gaga and Humpty Dumpty. Here’s the same sentence with the Oxford comma:

“I love my parents, Lady Gaga, and Humpty Dumpty.”

Those who oppose the Oxford comma argue that rephrasing an already unclear sentence can solve the same problems that using the Oxford comma does. For example:

“I love my parents, Lady Gaga and Humpty Dumpty.”

could be rewritten as:

“I love Lady Gaga, Humpty Dumpty and my parents.”

Excerpt Ends

The analogy serves to demonstrate one of the main concerns of mass surveillance and mass retention of user data. People are now being profiled and tracked and their behaviours stored and analysed and they do not know why or by whom or for what purpose – they barely understand how to use a browser.

In the wrong hands that potentially makes them cannon fodder. Accuse me of being alarmist and dramatic – fair enough – so did everyone four years ago when I wrote about mass immigration as a weapon, the rise of radical Islam and the dangers of the USA supporting a sectarian Shi’a government in Baghdad, the marginalisation of Sunnis and the Ba’ath party, the randomness of the Arab Spring, the threat of Libya turning into a terrorist haven and so on.

The point is people ignore these developments at their peril but you may as well be talking to a concrete block. You can make all the compelling philosophical points that you like to someone but if they do not have the capacity to understand them then you are wasting your time.

And most of our politicians fall into that category.

Mass Profiling, Mass Surveillance Will Be Inconsequential Until It Isn’t

Dean once met a man named Saifal Islam. He has a devil of a time getting on an airplane because a terror group has the same name – “Sword of Islam”.

He is constantly explaining that the man (him) isn’t the group (them) and that he’s had his name longer than they’ve had theirs. That, yes, the group (them) should be banned from getting on airplanes, but that, no, the man (him) should be allowed on the plane.

Hell of a false positive, and that’s not the only one. Mismatches on felon voting lists, warrants served to the wrong address for no-knock police invasions, people told that they can’t renew driver’s licenses because they’re dead, the list goes on.

Be happy in the knowledge though that your data is apparently “inconsequential” and this privacy debate and the growing intrusion on your personal life is all “hysterical” alarmism.

You can use that statement when you are in the dock defending your very own hysterical “false positive” – no charge.

The next post will be “KarmaWare & Thieves of Thoughts” again in collaboration with Mr. Dean Webb.

ENDS