Snooper’s Charter – UK Passes Surveillance Law

This was always likely to happen given recent events: the ridiculous Snooper’s Charter, originally tabled in 2012 by the then home secretary Theresa May, has been approved and passed.


Over the years it’s been blocked and repealed with good cause; civil liberties groups have described it as the most extreme surveillance legislation ever passed in a democratic nation. It’s a huge blow to personal privacy, with the government basically having access to pretty much everything we do online.

Here are some standout points:

Internet Providers Forced to Log Web History for 12 Months

This is a great one: your ISP will be forced to record every single website you visit for 12 months. So just imagine this: Government departments will be able to generate a list of every single website you have visited for the last year. Sounds a bit Orwellian, a bit intrusive? We think so! Further imagine sitting down for an interview or an application with some Government official sitting across the desk from you with that list in hand.

Decrypt Data on Demand

The government will have the power to force any company or individual to decrypt data on demand. Obviously no one really has any idea how this will work or how it can be implemented, but this just means it can be made up to suit the situation. Is your VPN a protection? Who knows; if the law demands you hand over the key, perhaps not.

Intelligence Agencies can Hack into Our Devices and Computers

Great eh!  Not only do they get a list of every porn site you may have inadvertently clicked on over the last 12 months, but the Government can legitimately hack into your phone, TV or internet enabled toaster to pry just a little bit further.  The use of the word ‘devices’ means they have pretty much ‘carte blanche’ to break into every electronic device in your possession and create sinister, snoopy lists and databases.


There are many other provisions, and in the spirit of oppressive regimes everywhere lots of them are kept suitably vague and unclear. This is important because it allows the security agencies to do pretty much anything and claim it is covered under the legislation. Places like Iran, Turkey and China have been doing this for decades.

Is privacy a basic human right?  Many people think so, yet this legislation completely erodes that concept.   It’s been criticized from all quarters – privacy groups, United Nations representatives, lots of IT companies and even the parliamentary committee that was tasked with looking through the bill.

Nothing seemed to matter and the UK has now established a legal right to spy on its citizens like some second-rate, despotic regime.

IP Address Mapping Hell in Kansas

Is there such a thing as a ‘digital hell’? Although it sounds like some sort of melodramatic media headline, one couple in Kansas could arguably have been living there for several years.

Everything that is connected to the internet has an IP address: every computer, laptop, tablet or smartphone needs some sort of address in order to communicate on the world wide web. Tracking, mapping and filtering these addresses is big business and many companies have sprung up providing accurate information on the IP address attached to your device.

Obviously knowing the location is one major part of the puzzle and there are several services for looking up the physical location of an IP address. You can have a look here at where your IP address appears to be located – https://www.whatismyip.com/ – did it return your correct location? Sometimes these can be very accurate; the information sourced from companies like MaxMind has been built up over many years through a variety of methods. The information is used for a variety of reasons, from targeting advertising to the region locking and filtering used by companies like Netflix.

Sometimes, however, this information is not very accurate at all, but it is sufficient if you just want a specific country or region. When a company like MaxMind has no relevant data on an IP address, it will tend to resort to assigning a default location. For example, if they have no further information other than that the country is the USA, MaxMind will return a default location – the geographic center of the United States.


Sounds logical? It is until you realise that located in the geographical center of the US is a small farm in Kansas owned by James and Theresa Arnold. Furthermore there are quite a few IP addresses which are registered to this ‘default location’ – specifically just over 600 million addresses.

Now it might seem that this isn’t really a problem, but unfortunately this is not the case. These 600 million addresses are real and being used online all the time – and of course with such a huge volume some of these addresses are being used for all sorts of activities. Spammers, hackers, cyber crime, terrorists, pedophiles are all using these IP addresses online and when anyone tries to investigate their location – they are directed to this small rural farm in Kansas.

For years the couple have been subject to all sorts of accusations – they’ve had visits from law enforcement agencies, public officials and ordinary people who’ve been crime victims and have tracked the IP address back to the Arnolds’ home address. You can imagine the volume when even a small percentage of 600 million addresses are used for criminal purposes.

It’s not the only situation like this: there is a house located at the end of a cul-de-sac in Ashburn, Virginia which has similar problems. The town itself is home to several huge data centers and server farms, all with registered commercial IP addresses – the house was unfortunately given as the default location for millions more IP addresses with similar results – strange accusations and police raids being a common occurrence.

Fortunately there should be a happy ending for both these parties, as the ‘default locations’ for unknown IP addresses are being changed to non-residential addresses such as the middle of a lake! The Arnolds, though, are unsurprisingly also seeking some financial compensation for the distress and inconvenience over the years, and you can hardly blame them!
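For anyone who handles geolocation results during an investigation, the default-location behaviour described above can be spotted in the data before it is mistaken for a street address. The following is an added example, not code from MaxMind or from this post: the record layout, coordinates and function names are assumptions, and the sample records are constructed using documentation IPv4 ranges.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed lookup results: documentation IP ranges, made-up coordinates.
SAMPLE = [
    {"ip": "192.0.2.10",    "city": None,           "lat": 10.0, "lon": -20.0},
    {"ip": "198.51.100.7",  "city": None,           "lat": 10.0, "lon": -20.0},
    {"ip": "203.0.113.99",  "city": None,           "lat": 10.0, "lon": -20.0},
    {"ip": "192.0.2.200",   "city": "Exampleville", "lat": 11.5, "lon": -21.25},
    {"ip": "198.51.100.50", "city": None,           "lat": 12.0, "lon": -22.0},
]

def suspected_defaults(records, min_networks=3, prefix=24):
    """Return coordinates that look like a database fallback point.

    Heuristic (an assumption of this example): a coordinate pair is a
    fallback when lookups with no city resolve to it from at least
    `min_networks` unrelated IPv4 networks of size /`prefix`.
    """
    networks_at = defaultdict(set)
    for rec in records:
        if rec["city"] is None:
            net = ip_network(f'{rec["ip"]}/{prefix}', strict=False)
            networks_at[(rec["lat"], rec["lon"])].add(net)
    return {c for c, nets in networks_at.items() if len(nets) >= min_networks}

def annotate(records, **kwargs):
    """Label each IP with how much weight its coordinates deserve."""
    defaults = suspected_defaults(records, **kwargs)
    labels = {}
    for rec in records:
        if (rec["lat"], rec["lon"]) in defaults:
            labels[rec["ip"]] = "country-only (default point)"
        elif rec["city"] is None:
            labels[rec["ip"]] = "low precision"
        else:
            labels[rec["ip"]] = "city-level"
    return labels

if __name__ == "__main__":
    for ip, label in annotate(SAMPLE).items():
        print(f"{ip:15} {label}")
```

Results labelled as a default point say nothing more than the country and should never be turned into a physical address to visit.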

The Big Business Hackers

When you imagine a team of highly skilled hackers attempting to make money, most people will probably think of some criminal exercise of exploitation, cyber crime or extortion.   You certainly wouldn’t think of the stock market or investment firms profiting directly from this sort of enterprise – yet it seems this is exactly what is happening.

Hacking is going mainstream and it looks likely that there will be a lot more profit going legitimate than through the standard ransom or blackmailing routes.   Others will perhaps argue that these new methods are pretty much the same as the criminals use.

The story arises from the tactics of a company called MedSec, a cyber security firm which has recently started up. They investigated a range of hospitals and medical hardware for potential security issues and identified one medical devices company to be at particular risk – St Jude Medical Incorporated, more specifically the pacemakers and defibrillators they make.

At this point MedSec faced a classic, traditional ‘hacker’s dilemma’ – you find a serious vulnerability – what do you do? For the ethical hacker it often represented a difficult choice, particularly if a little digital trespassing was involved. Many individuals have found themselves behind bars after attempting to inform a company or organisation about a vulnerability in their software or network, while some have been praised and rewarded. The MedSec guys, though, have a plan to inform and profit at the same time, although the ethics seem fairly dubious to many.

They approached an investment firm run by Carson Block called Muddy Waters Capital LLC with their money-making initiative. The idea was unusual: the MedSec team would prepare all the evidence demonstrating the problems with the medical devices; however, before making this public, the investment company would take out a short position on the parent company of St Jude Medical. Basically they would both make money if the share price fell in response to the negative news.

Sounds like insider dealing? Perhaps, although it is assumed legal advice was taken before this unusual tactic  – here’s a MedSec representative justifying their tactics.

Convinced? Nope, me neither. I suspect they may be in trouble for using this tactic. Where will it end? The false concern about patients using these medical devices to try and justify their money-making scheme was particularly hard to believe. Currently the tactic seems to have paid off, though, with the share price falling significantly and presumably making the ‘short’ position profitable.