A Moment of Blatant Self-Regard

Five years, one month and one day ago, A Fistful of Euros went live with its first posts.

Thanks to David, for getting the ball rolling and keeping it rolling; thanks to Tobias for keeping the back end running and the front end looking good; thanks to all of the writers; thanks to the commenters, for keeping us on our toes; thanks to the advertisers for keeping this little venture self-financing; thanks to the politicians and other public types for giving us such rich material to work with; and thanks to the readers; we hope you keep coming back for more.

The European Parliament: It’s Doing Democracy

Nobody likes the European Parliament, and that’s probably why everyone had such low expectations about the “telecoms package” it was meant to pass. There was all kinds of horrible gunk in there – the French government, for a start, had outsourced its policy to the owner of a chain of record shops, who decided that all ISPs should be required to cut off service to anyone they were told was downloading illegal music. Then, for some reason, British Conservative MEPs joined in; it looked like we were on our way to a continent-wide mandate for deep packet inspection, with various horrible lobbies getting access to the take.

Not any more. Hardly anyone’s bothered reporting this, but as heise.de was the first to report, it’s been successfully castrated, using a selection of targeted amendments. The “three strikes” proposal so dear to Nicolas Sarkozy and friends has been struck out, Malcolm Harbour’s attempt to pass everybody’s clickstream to the record industry killed off, and a guarantee that surveillance can only begin with the approval of a court inserted. There’s more (in French) here:

by virtue of the principle that no restriction on the fundamental rights and freedoms of end-users may be imposed without a prior decision of the judicial authority, in application in particular of Article 11 of the Charter of Fundamental Rights, except in the event of a threat to public security, where the judicial decision may be taken afterwards

So you can’t intrude on the rights of end-users without getting a court order, except in case of a threat to public safety, in which case the courts can strike down your decision retrospectively. Great. It’s a cracking piece of work all right, especially for the various tiny and unreported campaign groups who dragged it on deck and the various Green and Leftist MEPs involved. Like Danny Cohn-Bendit.

The package was supported by the EPP, the conservative group in the EP, and the worst things in it were their ideas. The EPP has a significant majority; it’s well worth pointing out that flipping a prestigious piece of legislation like this in the face of a working majority just doesn’t happen in the House of Commons, dominated as it is by the whipping system.

So who’s left to cry, other than monopoly-minded lobbyists and spooks? The blogosphere’s own Tim Worstall, it turns out. In a spectacularly idiotic piece published in The Register, he takes the expert advice on public international law of woman-hating nutbag UKIP MEP Godfrey Bloom and concludes that this statement means you’re not allowed to use Google.

“End-users are able to access and use services, including information society services, provided within the Community.”

His argument, if the word can be applied, is apparently that “Roman law” blah blah…but here’s the problem. It doesn’t say that you’re allowed to use them, does it? There is no value judgment in there. Strangely, nobody in the night-haunted tyrannies of the rest of Europe has ever found this a problem, either. For example, I’m able to stab the next man on the street; but Timmeh’s logic would imply that this makes it legal to stab the Prime Minister, as I haven’t…whatever. This is so stupid and intellectually dishonest it just makes me feel tired.

But you have to cut him some slack. After all, typing “Britney Spears sex tape” into his spam blog must get tiring. For the Register, well. I still remember when it was a reasonably useful news source; more recently it’s declined into publishing arsewit climate change denial bollocks and rehashed ECHR-bashing from the Sun.

The people who actually did the fight on this occasion, La Quadrature du Net, deserve your thanks, Tim. But that’s in French, by the way.

It’s All About Me

One of the consequences of Montenegro’s split from Serbia was the country’s need for its own top level domain, following its departure from .yu and .cs. In September 2007, ICANN settled for .me, potentially setting up another odd, little-country bonanza like .tv and .to.

Miquel Hudin Balsa relates his experience playing around to get a tasty .me name. The process looks like it’s set up as much to monetize the connection to the English-speaking world as to actually get people in Montenegro registered. As for the assignment itself, 21 of a possible 26 dot-m-whatever combinations were already taken; Macau, Malta and Mongolia had already claimed some of the likelier candidates.

There’s a second-level academic domain like the UK has. I sure hope that some wag will name servers on it after Warner Brothers cartoon characters.

For the misanthropes out there, bad news. (Is there any other kind for misanthropes?) The registrar says that the domain bite.me “is a premium domain and has not yet been scheduled for release.”

Just Foolish

There are a lot of bad things about the Georgia-Russia conflict, but this is just foolish: Nearly all Russia-based web sites seem to be blocked from Georgia, and by the Georgian side. Trying to surf to the Moscow Times gets me a domain-parking site, while Izvestiya.ru, just for example, yields a four-line message in Georgian. (Whatever Great Firewall of the Caucasus technology they’re using spills over in weird ways. Yesterday there were periods where I couldn’t get facebook (my productivity soared!) and couldn’t get Google.com but could get Google.de.)

C’mon guys, you’re the underdogs here. The free flow of information is your friend. Cut it out already.

Horrible European Surveillance Proposals

What fuckery is this? It looks like the French government, having failed to impose an awful record-industry inspired snooping act at home, is trying to policy-launder it through the European Union. The so-called “3 strikes” law foresaw that ISPs would be required to cut off service to anyone who was found downloading or distributing copyrighted material three times – which of course implied that the ISPs would be expected to filter all traffic by content, a wildly grandiose, authoritarian, and insecure idea. (Wonderfully, Nicolas Sarkozy outsourced his Internet policy to a committee led by the owner of a chain of record shops; a little like putting the manufacturers of candles in charge of street lighting.)

But the legislation failed in France; so here it is, coming straight back via the European Parliament. The odd bit, though, seeing as it’s a French idea chiefly backed by the EPP (=European Conservative group), is that it’s being pushed by the British Tories in Brussels – half of whom don’t believe there even should be a European Parliament. Specifically, according to Heise.de (German link), it’s the Tory MEPs Malcolm Harbour and Syed Kamall. Kamall is responsible for possibly the most egregious tagnut of a clause in the whole thing, which would permit essentially unrestricted telecoms surveillance for the (naturally undefined) “security of a public or private communications system”, and Harbour for the copyright/content-sniffing bit.

This raises some interesting questions. For a start, let’s get this out of the way: here are detailed instructions on who to phone and shout at. There are more at the bottom of the ORG post referenced above. You have until the 7th of July.

But since when has EU-sponsored mass telecoms snooping and censorship been the policy of the Conservative Party? Perhaps fortunately, they’ve been out of power since the Internet has been an issue, so this has never really been tested; David Cameron certainly didn’t say anything about this, the lying turdwit.

Privacy Chernobyl in Bonn

That gaggle of elite geeks who have been arguing against the horrible possibilities an internetworked world offers to fraudsters and state bullies for years have often said that one day, there’ll be a horrible crunch. A disastrous moment of truth. As Chernobyl finished the reputation of nuclear power for 20 years, the Privacy Chernobyl will kibosh all those monster database schemes for the foreseeable future. The subtext is perhaps that whatever the damage may be, it’s the collateral damage we have to accept to stop the bastards overrunning us.

What if, however, the first people to catch it were pompous German executives? Some would fear this wouldn’t draw any moral reaction from the public – who cares what happens to the bastards? Others might think it’s precisely their outrage that would finish the buggers quickest. It seems, though, that the Privacy Chernobyl might already have happened, in Germany. Scandal has been raging around Deutsche Telekom for a while; the monster telco, one-third state-owned, has been caught spying on members of its supervisory board, and much worse, journalists and trade union reps. Der Spiegel broke the story, interviewing the boss of a Berlin information security firm that was given the raw data from DTAG’s systems to analyse. He’s singing like a canary. DTAG promised that it was all over by the time the current CEO took over, but it turned out that the security firm was receiving money years later, money that came from the same cost-centre as the CEO’s office.

But this is far from the worst that might have happened. It wasn’t so much the content of the calls that was being spied upon, but rather their metadata. This is something one learns quickly on joining the telecoms industry – it’s the signalling that matters. The SS7 signalling traffic on a mobile network contains a treasure of information on who telephones, with whom, and from which geographic locations. Matching the dumps of data, they would have been able to trace the movements of the targets, their social networks, and who they met with.

It gets worse. Last week, Der Spiegel revealed that Lufthansa had also trawled its frequent flyer files in order to find out who a particular hack was getting information from. The real killer was, though, the suggestion that the two companies’ security departments might have swapped data – it turns out there is a strong old boys’ network between the security organisations German industry set up during the extreme-left terrorism of the 1970s, and something like a black market in database tables. Lufthansa’s frequent flyer programme offers benefits on all kinds of other stuff, including railway tickets and their own virtual mobile phone operator (MVNO), and a credit card – there’s a lot there already, but the kicker is that most big German companies outsource their expenses management to the same Lufthansa division that runs the loyalty scheme. And the journos were run through the same analysis.

Quite possibly, an entire corporate elite’s movements, communications, and tastes may be compromised. Everyone involved is already in the deep shit, as the rights to privacy and to freedom of the press are guaranteed by the German constitution, to say nothing of the ordinary law. If the radioactive smoke isn’t already billowing over the countryside, the containment vessel is bulging and glowing.

But there’s an odd detail here – T-Mobile USA, like Qwest and unlike every other US telco, refused to participate in illegal surveillance operations. I have always believed that the reason for this was that T-Mobile, alone among telcos, has on-network transatlantic roaming. Due to the fundamental principles of GSM, T-Mobile subscribers from Germany, Holland, the UK, or indeed any other T-Mobile network in Europe, would have been spied on in the US with the involvement of T-Mobile in their home country, because their Home Location Register (HLR) would have been queried for every network transaction that occurred in the US. (It’s the signalling, remember.) This would obviously have had very serious legal consequences back in Europe.

Can’t believe all you read in the media…

…I’m getting rather worried about the normally reliable B92. Doug M expertly dissected the organ-legging story a week or so ago; I’ve just come across this article from 26 March reporting on a UN document describing Kosovo as the “heart of [the] Balkan drug route”. Alarming stuff – essentially confirms the rumours and prejudices of many Balkan-watchers, sealing them with the official seal of UN approval.

Except that it is fictitious. The actual UNODC report contains precisely none of the statements reported by B92. Combing UNODC’s archives, I did find a relevant sentence in one of their reports from last year. The UN says (p. 83), “Some cases of cocaine shipments via the Black Sea to Romania and via the Adriatic Sea to Montenegro often organized by Albanian criminal groups, have already been observed.” This is ever so slightly different from B92’s report of what the UN said, which is “The Albanian mafia has recently begun taking over the control of ports in Romania, in addition to the already solid network existing in Albania and Montenegro”.

In fairness, it’s not B92’s original report, though most people will have seen it on their site; it originates from Tanjug, the Serbian state press agency, reporting from New York. But shame on B92 for not checking out Tanjug’s sources.

Russian Hide-and-Seek with Routers

So what exactly happened with the allegedly Russian-orchestrated DDoS attack on Estonian Internet interests? Some people have been talking about the first act of “cyberwar” against a sovereign state, others about a bizarre fuss about nothing. AFOE asked Gadi Evron, a world expert on botnets who runs Israel’s CERT and who took part in the international response effort, exactly what was going on.

1. How large was the DDoS attack on Estonian interests? How many different sites were targeted?

The DDoS attacks themselves were relatively small compared to some past attacks we have seen, such as those on the root servers, but it was significant for them and their infrastructure.

2. EE-CERT was presumably the first responder. How did other CERTs and agencies get involved, and what support did you/they provide?

There were 4 CERTs from Europe (Finland, Germany and Slovenia) who helped directly with the response outside of Estonia, serving as an escalation point for reporting attacking sources outside of Estonia. I was there to help in whatever was needed, and later was also asked to write a post-mortem of the attacks and defense for the Estonians, covering preparedness for the next time.

Inside the country what saved the day was close coordination between the CERT, ISPs, banks, etc. who all responded in semi real-time and helped each other out.

3. Did the attackers attempt to compromise network infrastructure, or just end hosts?

They mostly left the network infrastructure alone, however, one misconfigured router was attacked directly and another couldn’t take the stress.

4. How much disruption was actually caused?

Considering Estonia is more advanced than most of us (they even held the last elections online) the impact of the attack was significant with some down-time for the banks, government sites, etc. It could have been more serious, but while their Internet infrastructure as a quiet country was not prepared for such an attack, the response and mitigation worked for them. They stood the risk of losing their ability to buy gas, for example, and for a short time, they did.

5. How unusual were the mitigation techniques used – just BCP38 etc, or spookier?

The fascinating thing is that in Estonia BCP38 is considered best practice and implemented widely, which likely prevented some more mess. As to mitigation, it ranged from basics such as using mitigation devices to extremes such as blocking connections to certain networks from abroad. Nothing any of us haven’t done before ourselves, however mundane or extreme.

6. What fraction of the traffic came from within Russia? Or was it typical botnet activity, globally distributed?

The botnet traffic was distributed globally, with some of the botnets being bought. However, many of the attacks were not by a botnet, but rather by a mass of home users using commands such as ping to manually attack Estonian sites. As they coined in Estonia, this was a riot, and not just in the streets. Many different Russian-speaking forums and blogs (the Russian blogosphere?) encouraged people to attack Estonia using crude commands or simple tools. Others used more advanced techniques.

7. What was the role of ENISA?

“Who?”

8. Did the attack attempt to compromise/darkout other Internet-connected systems?

What other systems? Sorry, I don’t follow.

“Other systems” here was intended to mean such things as telco networks, embedded control systems, and the like.

Telcos were affected for sure, as they hosted or were transit. There was no attack on control systems that I know of, but the Internet is critical infrastructure enough. The civilian infrastructure proved to be more critical than any SCADA system.

Thanks!
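As an added illustration of the BCP38 point made in the interview (example code written for this page, not anything from the interview or from Estonia’s networks): a small Python model of an ISP customer edge that drops packets whose source address lies outside the prefix assigned to that interface, and then applies a per-source ICMP threshold to the traffic BCP38 cannot stop, the unspoofed “ping riot” from real home users. The interface names, prefixes, the 50-packet threshold and the flow records are all constructed for the example.

```python
"""BCP38 ingress filtering beside per-source rate limiting.

Added example; all prefixes, addresses and flow records are constructed
for illustration and do not describe any real network.
"""
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed: the source prefixes each customer-facing interface may emit.
# BCP38 says a customer port may only source packets from addresses we gave it.
CUSTOMER_PREFIXES = {
    "ge-0/0/1": [ip_network("198.51.100.0/24")],
    "ge-0/0/2": [ip_network("203.0.113.0/25")],
}

# Constructed: ICMP echo packets per source per one-second window before we
# treat a genuine (non-spoofed) host as flooding.
ICMP_PER_SOURCE_LIMIT = 50


def bcp38_permits(interface, src):
    """True if `src` is inside a prefix assigned to `interface` (unknown interface: deny)."""
    return any(ip_address(src) in net for net in CUSTOMER_PREFIXES.get(interface, []))


def filter_flows(flows):
    """Classify (interface, src, proto, packet_count) records for one window.

    Returns packet totals per outcome: 'forwarded', 'spoofed' (dropped by
    BCP38) and 'flooding' (passed BCP38 but exceeded the ICMP threshold).
    """
    result = Counter()
    for interface, src, proto, pkts in flows:
        if not bcp38_permits(interface, src):
            result["spoofed"] += pkts       # source is not ours: drop at the edge
        elif proto == "icmp" and pkts > ICMP_PER_SOURCE_LIMIT:
            result["flooding"] += pkts      # real customer host, but a ping flood
        else:
            result["forwarded"] += pkts
    return dict(result)


# Constructed one-second sample: normal traffic, a spoofed flood, a manual ping riot.
SAMPLE_FLOWS = [
    ("ge-0/0/1", "198.51.100.23", "tcp", 40),    # ordinary customer web traffic
    ("ge-0/0/1", "192.0.2.77", "udp", 5000),     # spoofed: not in 198.51.100.0/24
    ("ge-0/0/2", "203.0.113.9", "icmp", 800),    # real host hammering a target with ping
    ("ge-0/0/2", "203.0.113.200", "tcp", 10),    # .200 is outside the /25: spoofed
    ("ge-0/0/2", "203.0.113.10", "icmp", 3),     # a normal ping, forwarded
]

if __name__ == "__main__":
    print(filter_flows(SAMPLE_FLOWS))
```

The spoofed flood is stopped by the prefix check alone, while the 800-packet ping run from a legitimately addressed host is invisible to BCP38 and only caught by the rate threshold, which is why Estonia still needed the other mitigations the interview mentions.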

General Management

You may have noticed that the Satin Pajama Awards back in February. First my job got in the way, then my computer died, then I moved to a new city, and, well, I never got back on track, until now. They’ll be held on Tuesday May 15 22.

Nosemonkey’s doing his fourth euroblog roundup.

Still some time left for the reader survey. C’mon people, it’s not that long if you skip all those vodka questions.