On Twitter: @JamesFirth and @s_r_o_c (post feed)


Tuesday, 30 April 2013

Life in Waverley, Surrey

Depressing reading, for anyone wanting to buy property in my locality.

Mortgage companies are currently offering around 3.5 times basic salary in home loans, and requiring around 20% deposit to access the bulk of their deals, meaning one needs to earn around £70,000 per annum and have £60k equity in their existing property or tucked away in order to afford the average semi.

Even the average flat requires a £40k salary plus a £40k deposit.


[Figure: Average house price (source: BBC, data date: Oct-Dec 2012)]

Compared to my birthplace the difference is stark...


[Figure: Average house price]

Still, things could be worse.  I could be based in a London borough such as Hammersmith...

[Figure: Hammersmith and Fulham, average house price]


Thursday, 25 April 2013

What the Letzgo Hunting vigilantes can teach the Home Office

One of my many criticisms of this and recent governments' obsession with online snooping is that it diverts resources away from other policing methods.

Governments are obsessed with creating (or restoring, depending on who you talk to) a power imbalance they say is necessary to maintain order and prevent serious crime and terrorism.

I and many other technologists argue to the contrary - that blanket surveillance will have little long-term impact on seriously organised criminal and terrorist activity as perpetrators will adapt quickly to evade today's proposed imperfect monitoring systems as technology continues to evolve quickly.

At most such technology will trap mid and low-level criminals, giving a short-term advantage that will soon be lost as even petty thieves learn how to hide their online trail more efficiently.

Whilst reducing crime of any description is undoubtedly a good thing, this must be balanced against the cost and risk to all non-criminals in society who face having even more of their secrets held by state agencies and other third parties without their consent.

Additionally, such monitoring carries a significant cost.

Not just the monetary cost in siphoning off, storing, filtering and retrieving large quantities of data - but a cost to technological progress.  Internet service providers may shun network upgrades because of the added complexity of accommodating the surveillance regime, denying customers increased bandwidth and other benefits of the latest technology.

Additionally - or so a network engineer at a very large mobile phone network once told me - network changes required to meet today's data retention laws made the system, in his opinion at least, more vulnerable to failure because all transactions had to be routed through one of a few data collection points.

Police in the UK still don't carry guns on routine patrols - why? Because the risk outweighs the benefits.  Society is generally better off with a softer balance of power - consensus policing - and not carrying a firearm is a powerful reminder to the public.

The benefit of a more consensual approach to policing is that the public are more likely to do their bit to help the police in their duty; contrasted with more militaristic approaches, which pit the public - even the law abiding public - against the police, whom they often live in fear of.

I believe analogies can be drawn with policing the internet.  I'm afraid of snoopers taking a snippet of my data out of context or misidentifying someone else's transaction as originating from me.  I'm afraid of a large mountain of my personal data leaking, leaving me vulnerable to identity theft.

I'm afraid of police creeping around in bushes watching ordinary citizens go about their lives - because this, quite frankly, just freaks me out.

Of course the state must be involved in some way; a free-for-all leaves the weak unprotected.

But the level and manner of involvement I have in mind usually contrasts strongly with what governments around the world are pushing for.

I believe the internet should be policed to a large extent via the front door, not by creeping around the back or hiding in bushes with the digital equivalent of a long-lens camera and parabolic microphone.

The Home Office often cites the hunt for dangerous paedophiles as justification for blanket surveillance, playing to the public's fears.

A group of vigilantes recently showed us all that progress in the fight against paedophiles can be made without snooping around behind the scenery planting bugs in the very fabric of the network.

Police condemned the action of vigilantes as potentially illegal itself, but this perhaps says more about police wanting to maintain an illusion of control, or says something about the contradictory state of current privacy laws which are seen by some as limiting police operationally whilst allowing the state to watch us all via our mobile phone activity, etc.

If we could find some way for police to use the internet via the front door, connecting via an ISP to inhabit the places people hang out online - in a similar way to the mix of visible and plain clothes patrols inhabiting the streets; then this surely will be more proportionate and more sustainable than relying on blanket surveillance.


Wednesday, 24 April 2013

Hell, yeah! Let's flood our public spaces with lots of "clean", porn-free WiFi...

I have no idealistic or moral objection to the Prime Minister wanting to appear to be doing the good and proper thing to appease campaigning children's charities and electors with kids.

But technically what the Prime Minister wants (and this smells like another shambolic policy emanating from the general direction of "Minister for the Internets" Ed Vaizey) - porn-free WiFi in open spaces, is both unworkable and misguided.

Misguided because it sends the message that pornography is the biggest danger kids face on the internet.

Not even close.  I haven't got references to hand but I've read studies showing the effects on children of exposure to sexualised imagery are minimal in most cases.

Bar a minority who have a tendency to become obsessive, most children can adapt to effectively "block out" sexual imagery and it loses its effect.

Yes it can normalise abnormal behaviour (such as sexual violence) but even here the jury's out and the debate is along similar lines to violent films and video games: is a society which does little to discourage the availability of violent imagery more violent than one that discourages it?

My premise is that the biggest danger children face on the internet is physiological.  Just one example: interacting with others online in text-based formats with the absence of non-verbal cues (such as facial expressions) seems to lead to some extremes of behaviour (eg flame wars) and passionately entrenched arguments can become an obsession.

Also in that department there's bullying (again exacerbated by the shielding the internet brings, ie being unable to see the effect bullying has on the bullied), mob behaviour, and other extremes that can sometimes lead to illegal activity such as harassment or hacking in order to get a greater hold over a perceived opponent.

And unworkable for two reasons.

On the legislative front it will be very hard to impose what amounts to state-mandated decency rules on all "public" WiFi.  The risk of being fined for allowing a bare nipple to slip through your modesty filter will merely discourage businesses from providing WiFi.

So instead I'm hearing what the Prime Minister wants - "clean, porn-free WiFi" - won't be enforced by legislation.  It will instead be secured by a classic fudge that I've heard Ed Vaizey mutter tens of times: an industry code of conduct.  The threat being if the industry doesn't enforce the rules, legislation will follow.

But which industry? The cafe industry? Or the hotel industry? Or the ISP industry? If the latter, then will ISPs providing a service to a cafe have to block porn at source? And if so, how will the cafe owner get his daily fix of flesh if he or she requires, behind closed doors, of course?

And on the technical front it's a running battle to filter all porn.  A battle the filtering companies aren't winning and probably will never win - particularly in regards to over-blocking of 'legitimate' sites.

Plus there's the tricky issue of "dual-use" mainstream websites such as Flickr.

Flickr wasn't blocked when I tested a multitude of content filtering systems 18 months ago whilst with Open Digital.

But if you're over 18, not easily offended, in a private space and not using a work internet connection, you might try this:
  • Sign up to the 74th (according to Alexa at time of writing) most popular website in the world
  • Type your favourite sex words* into the search box
  • In the results, click on Advanced Search and change the SafeSearch setting to "SafeSearch off"  

It's not hard to find flesh.  From there you can even get a list of users who have favourited such images, and from there find other similar images favourited by that user. Or so my research assistant tells me!

So I assume Flickr will have to be blocked in internet cafes across the country.

Now imagine the following scenario: a tourist visiting London, uploading their day's photos to one of the world's most popular photo-sharing websites...

David Cameron's wish for clean public WiFi - noble, but utterly unworkable.

What we should be telling all parents is that they must work with their children on what is the digital equivalent of the green cross code re internet safety.  Be aware of the dangers, mitigate the risks, and be careful choosing the devices you allow your children to use - consider devices with built-in locks on internet use for younger children, allowing only supervised access.


Wednesday, 10 April 2013

What's the real reason for Amazon resetting customer passwords?

I got an email this morning from Amazon.  A legit email, DKIM signed by Amazon's email server.

Amazon have reset my password because they say I 'may have been subject to a phishing scam'.

But why now? Running my own mail servers and a string of public email addresses I'm subject to Amazon phishing scams on an almost daily basis, as I am with many other companies.

And why did Amazon suspect I've been subjected to a phishing scam?  Have they read the phishing emails on my private mail servers?...

No, of course they haven't.  Phishing Amazon customers is an activity that only involves Amazon infrastructure when the scammers use credentials phished from me to perform illegal transactions on my account.

And since I'm pretty certain my credentials haven't been phished from me  - as a professional involved in this area I'm on high alert for odd emails - the only reason I can think of for Amazon to suspect I'm at increased risk of phishing is if my email and perhaps other personal details have somehow leaked from Amazon.

I don't mind my password being reset as a security precaution.

But I do mind the tone of the email they sent, which makes it sound like it's my fault for being at increased risk of phishing, along with handy links to protect myself.

When I reset my account I will take the precaution of removing all my credit card details. Much as it is a pain to re-enter whenever I buy music I suspect there is more going on here.

Here's the email in full (my bold - I'm curious why they don't want me to use my previous password if I know I haven't been subject to a phishing attack...):

Hello J * Firth,
This is an important message from Amazon.co.uk 
As a precaution, we've reset your Amazon.co.uk password because you may have been subject to a "phishing" scam. 
Here's how phishing works: 
A scam artist sends an e-mail, which is designed to look like it came from a reputable company such as a bank, financial institution, or retailer like Amazon.co.uk, but is in fact a forgery. These e-mails direct you to a website that looks remarkably similar to the reputable company's website, where you are asked to provide account information such as your e-mail address and password. Since that website is actually controlled by the phisher, they get the information you entered. 
Go to amazon.co.uk/phish to read more about ways to protect yourself from phishing. 
To regain access to your Amazon customer account: 
1. Go to Amazon.co.uk and click the "Your Account" link at the top of our website. 
2. Under Account Settings, click the link that says "Forgotten your password?" 
3. Follow the instructions to set a new password for your account. 
Please choose a new password and do not use the same password you used with us previously. If you have used the same password for your email account as on your Amazon.co.uk account, you should also change your email account password to prevent phishers from reading and/or stealing your emails. 
I hope this helps. 
We look forward to seeing you again soon at Amazon.co.uk 
Please note: this e-mail was sent from an address that cannot accept incoming e-mail. To contact us about an unrelated issue, please visit the Help section of our website.
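
The post treats the message as legitimate because it was DKIM signed by Amazon's mail server. The following is an added example, not part of the original post, of how a recipient running their own mail server could check that from the Authentication-Results header. The authserv-id `mx.example.net`, the names `dkim_verdict` and `sample`, and the three sample messages are constructed assumptions, and alignment is strict (exact domain match) rather than DMARC's relaxed form.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the authserv-id your own receiving MTA stamps on inbound mail.
TRUSTED_AUTHSERV = "mx.example.net"


def dkim_verdict(raw, trusted=TRUSTED_AUTHSERV):
    """Classify one raw message as 'aligned', 'unaligned' or 'unverified'."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    verdict = "unverified"
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, results = value.partition(";")
        token = authserv.split()
        # Skip results stamped by any server but our own: the sender controls
        # every header that was already on the message before delivery.
        if not token or token[0].lower() != trusted:
            continue
        for res in results.split(";"):
            if not re.match(r"\s*dkim\s*=\s*pass\b", res, re.I):
                continue
            d = re.search(r"\bheader\.d\s*=\s*([\w.-]+)", res, re.I)
            # Strict alignment: the signing domain must equal the From domain.
            if d and from_domain and d.group(1).lower().rstrip(".") == from_domain:
                return "aligned"
            verdict = "unaligned"  # a valid signature, but for another domain
    return verdict


def sample(authserv, signer):
    """Build a constructed message; every value here is made up for the demo."""
    return (
        f"Authentication-Results: {authserv};\n"
        f" dkim=pass header.d={signer} header.s=sel1\n"
        'From: "Amazon.co.uk" <account-update@amazon.co.uk>\n'
        "Subject: Important message\n\nbody\n"
    )


GENUINE = sample("mx.example.net", "amazon.co.uk")
OTHER_SIGNER = sample("mx.example.net", "bulk-mailer.example")
FORGED_HEADER = sample("mail.sender.example", "amazon.co.uk")

if __name__ == "__main__":
    for name in ("GENUINE", "OTHER_SIGNER", "FORGED_HEADER"):
        print(name, dkim_verdict(globals()[name]))
```

The trust check only holds if the receiving server strips any inbound Authentication-Results header that already carries its own authserv-id.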