Yahoo says my password is too weak

May 14, 2013

A lot of visitors searching for data on a Yahoo ‘password too weak’ issue end up on my own Password is too weak… page.

My own issue was with BT – but since there is a close relationship between BT and Yahoo, it may well be exactly the same problem. The answer lies within the comments on my earlier page. Put simply, the BT password rules exclude certain characters that get generated by password managers (such as vertical bars), and cap the length at 16 characters.

If you go over 16 characters or include vertical bars then you get a ‘password too weak’ error when actually your password is being rejected because it is too strong: it breaks the length cap and the character rules, not any strength rule.

I don’t use Yahoo so cannot confirm whether this is the same issue. However, if Yahoo is continually rejecting your password as ‘too weak’ it would be worth checking the small print; and perhaps limiting your password to 16 characters – and no vertical bars.
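To make the point concrete, here is an added example (my own code, not BT’s or Yahoo’s) of a validator that reports the rule that actually fired instead of a blanket ‘too weak’, alongside a rough measure of what the two rules cost in entropy. The policy is assumed from the description above (16-character cap, vertical bar banned); the minimum length and the 94-symbol alphabet are assumptions.

```python
import math

# Policy as described in the post, not taken from BT's own documentation:
# at most 16 characters and no vertical bar. MIN_LEN is an assumption.
MAX_LEN = 16
MIN_LEN = 8
DISALLOWED = frozenset("|")
PRINTABLE = 94          # printable ASCII minus space: what most managers draw from


def check_password(pw):
    """Return the list of reasons a password is rejected; [] means accepted.

    Each reason names the rule that fired, so 'too long' and 'banned
    character' are never reported as the misleading 'too weak'."""
    reasons = []
    if len(pw) > MAX_LEN:
        reasons.append("too long (%d > %d)" % (len(pw), MAX_LEN))
    if len(pw) < MIN_LEN:
        reasons.append("too weak (shorter than %d)" % MIN_LEN)
    banned = sorted(DISALLOWED & set(pw))
    if banned:
        reasons.append("disallowed characters: " + "".join(banned))
    return reasons


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random password of `length` symbols from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def fit_to_policy(pw):
    """Adapt a manager-generated password the way the post suggests:
    drop the banned characters, then cut it down to MAX_LEN."""
    kept = "".join(c for c in pw if c not in DISALLOWED)
    return kept[:MAX_LEN]


def policy_cost(generated_len, alphabet=PRINTABLE):
    """Entropy in bits of a generated password before and after the policy.

    Banning '|' shrinks the alphabet by one symbol (a fraction of a bit);
    the 16-character cap is what really hurts."""
    before = entropy_bits(generated_len, alphabet)
    after = entropy_bits(min(generated_len, MAX_LEN), alphabet - len(DISALLOWED))
    return round(before, 1), round(after, 1)


if __name__ == "__main__":
    # Constructed sample: a 22-character manager-style password containing '|'.
    sample = "abc|defghijklmnopqrstu"
    print(check_password(sample))        # names both rules, not 'too weak'
    print(fit_to_policy(sample))         # what the user has to fall back to
    print(policy_cost(24))               # bits before vs after: (157.3, 104.6)
```

Running it shows the asymmetry: a 24-character password from a 94-symbol alphabet carries about 157 bits; after the cap and the ban it carries about 105. Almost all of that loss comes from the length cap, which is the rule the ‘too weak’ message hides.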

Categories: All, Security Issues

Silly, childish lies from companies that should know better

May 13, 2013

I subscribe to a number of paper.li dailies. I use them to aggregate news stories for me that I probably wouldn’t find on the BBC – Anonymous, civil liberties, censorship etcetera.

So I was a little perturbed when I couldn’t access them yesterday. I got the emails with the links alright, but the links didn’t work. Rather than my selected Daily, I got this:

Silly lies from BT/Yahoo

My first thought, naturally, was that some sinister, subtle censorship was underway – perhaps one of the dailies included a proxy for The Pirate Bay and BT felt it necessary to ‘block’ it. Far-fetched, maybe – but the society we now have makes such thoughts inevitable. It turned out not to be censorship, but (or so I understand) ‘DNS issues’ at paper.li.

But I’m still concerned. Look at the page that BT/Yahoo sent me to. Did I mean ‘gap.co.uk’? Now by what stretch of the imagination does mis-typing ‘paper.li’ end up with ‘gap.co.uk’?

Gap Inc, says Gap, “is a leading global specialty retailer offering clothing, accessories, and personal care products for men, women, children, and babies under the Gap, Banana Republic, Old Navy, Piperlime, and Athleta brands.” Yeah, well, I guess that can easily be confused with an off-the-wall news aggregator.

Then there’s the ‘related searches’. Now, how can there be a related search when I haven’t made a search?

The simple fact is that these are all paid-for adverts. I don’t actually mind that. But what I seriously object to is BT/Yahoo trying to pretend that they’re providing me with a service when they’re simply accepting money from advertisers. It’s this low-level petty deceit that I find both disturbing and frankly pathetic.
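What happened here looks like a resolver substituting its own address for a name that does not exist, which is exactly the behaviour a practitioner would want to check for. The following is an added example (my own code, not anything from BT, Yahoo or paper.li) and it assumes, rather than knows, that the ‘did you mean’ page was served because the ISP resolver answered a failed lookup with the address of its search page. It resolves random names that cannot exist; an honest resolver returns nothing for them, while one that hands back an address is rewriting NXDOMAIN. The two resolvers at the bottom are constructed stand-ins so the script runs offline; the addresses are documentation ranges, not real ones.

```python
import secrets
import socket


def random_nonexistent_names(count=3, suffixes=("example.com", "example.net", "example.org")):
    """Names that cannot legitimately exist: a fresh random label under each suffix.
    The example.* domains are reserved and answer NXDOMAIN for unknown labels."""
    return ["nx-%s.%s" % (secrets.token_hex(6), suffixes[i % len(suffixes)])
            for i in range(count)]


def system_resolve(name):
    """Ask the OS resolver; [] means no address (gethostbyname_ex raises on NXDOMAIN)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def detect_nxdomain_hijack(resolve=system_resolve, count=3):
    """Return {name: [addresses]} for every non-existent name that still got an answer.

    A non-empty result means the resolver substitutes its own address
    (typically a search or advert page) for NXDOMAIN."""
    hits = {}
    for name in random_nonexistent_names(count):
        addrs = resolve(name)
        if addrs:
            hits[name] = addrs
    return hits


def is_redirected(name, resolve=system_resolve):
    """True if `name` resolves only to addresses the resolver also hands out for
    names that do not exist: the answer is a redirect, not a real record."""
    hijack_addrs = {a for addrs in detect_nxdomain_hijack(resolve).values() for a in addrs}
    answer = set(resolve(name))
    return bool(answer) and answer <= hijack_addrs


# Constructed resolvers for offline demonstration (assumed behaviour, not BT/Yahoo's).
ZONE = {"paper.li": ["203.0.113.10"]}   # TEST-NET-3 address, constructed
AD_SERVER = "198.51.100.7"              # TEST-NET-2 address, constructed


def honest_resolver(name):
    return ZONE.get(name, [])


def hijacking_resolver(name):
    # Every name that does not exist gets the advert server instead of NXDOMAIN.
    return ZONE.get(name, [AD_SERVER])


if __name__ == "__main__":
    print("honest   :", detect_nxdomain_hijack(honest_resolver))
    print("hijacking:", detect_nxdomain_hijack(hijacking_resolver))
    # paper.li has a real record, so it is not a redirect even on the hijacking resolver;
    # a name that is missing during an outage is.
    print("paper.li redirected?      ", is_redirected("paper.li", hijacking_resolver))
    print("daily.paper.li redirected?", is_redirected("daily.paper.li", hijacking_resolver))
```

To test your own connection, call `detect_nxdomain_hijack()` with no arguments so it uses the system resolver; an empty dictionary means your resolver is honest about names that do not exist.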

Categories: All, General Rants

Aethelred versus the Vikings – a neverending story

May 10, 2013

My peers may remember playing Saxons and Normans on the beach as small children (it was before black and white television and the rise of cowboys and indians and cops and robbers). The alternative was Saxons and Vikings; but suffered because apart from Harold we only knew two Saxons: Alfred and Aethelred. Aethelred was the short straw, because he was never ready – or more accurately, he was ill-advised and accepted bad or no counsel.

Vikings embarking on a denial of service attack – source Wikipedia

Well Aethelred and the Vikings are making a comeback. Aethelred is business and the Vikings are hackers; and it doesn’t seem to matter what good advice is given, Aethelred ignores it and the hackers come back – again, and again and again.

Good counsel: encrypt, but Aethelred does not. Use and enforce strong passwords, but he doesn’t. Undertake staff awareness training on a continuous basis, but he doesn’t bother. The list goes on and on.

But the absolute perfect proof that the spirit of Aethelred yet lives and breathes can be seen in a comment from Ashley Stephenson, CEO of Corero Network Security. He was talking about the DDoS attack on Battlefield 3, “yet another in a long line of attacks aimed at disrupting gamers.”

Sometimes such attacks come from the competition; other times it’s just for the lulz. But, he adds, “Another motive our clients in gaming and across other sectors continue to experience is cyber extortion. Malicious users specifically threaten gaming and other sites, demanding to be paid a ransom or be the victim of a Distributed Denial of Service attack. More often than not these blackmail threats go unreported as some companies opt to pay the ransom rather than go public with the attack in the hope that this will satisfy the hackers, though this is rarely the case and may lead to the site continually being targeted.”

Aethelred, a long-standing Anglo-Saxon tradition that believes we can yet get peace in our time, lives on. Looks like the Vikings are winning again.

Categories: All, Security Issues

The law is an ass

May 5, 2013

It’s worth repeating. The law is an ass. 

A fundamental purpose of law is to protect the individual. Sadly, this purpose has long since been appropriated by big business – the purpose of the law is now to pander for business at the expense of the citizen through the collusion of politicians.

The result is that the law has become ridiculous.

In the past it used to be an unwritten rule in the UK that parliament would not pass unenforceable laws. The reason is that a law that cannot be enforced makes the law look an ass. Worse, it makes parliament look as big an ass as the law that cannot be enforced.

Here’s an example. Parliament has created the laws that made the courts attempt to block The Pirate Bay (TPB) at the behest of the music industry (and film and video and video gaming etcetera). Parliament has become the pimp of the music industry (ironic, really, since neither prostitution nor the employment of prostitutes is illegal – because it is unenforceable – but pimping is illegal).

But back to The Pirate Bay. The courts have been forced by the alliance of parliament and the music industry to order the ISPs to block TPB. But blocking TPB is so unenforceable it is absurd; confirming that the law and parliament have become a collective ass.

The easiest way to get round the block is to use a proxy service. You go to a site in a country that doesn’t operate a block, and that website redirects you to TPB. A quick search on Google turned up at least 150 TPB proxies.

But you don’t even need to look for them. There’s a Chrome add-on and an Android app that will do it for you automatically.

If you don’t use Chrome and don’t have Android you could use Tor, which will both provide anonymity and bypass the block. Or use a VPN. Both of these require some effort and a little knowledge.

Or you could simply switch to the Opera browser and turn on Turbo mode. Turbo mode is designed for users with slow connections. It speeds things up by fetching pages via Opera’s own servers. But since your ISP only sees a connection to Opera rather than to TPB, the block never sees a request for TPB, and you are not blocked when you go through Opera Turbo to get there.

The Pirate Bay, via Turbo Opera, from the UK

This is TPB via Opera Turbo from the UK today. Note that although I asked for thepiratebay.se (Sweden), I automatically got redirected to TPB’s latest home at dotSX. TPB moved from Sweden to “Sint Maarten, a tiny island in the northeast Caribbean located 190 miles east of Puerto Rico,” a few days ago (TorrentFreak). This follows the latest court case in Sweden against TPB by the music industry. Incidentally, TPB also has an Icelandic domain. The music industry case in Sweden is trying to get the Icelandic domain closed because it is registered to a man of Swedish nationality. I salute Marius Olafsson of Iceland’s domain registry ISNIC, who told TorrentFreak: “ISNIC will legally fight attempts to use the domain name registry system to police/censor the net. We believe that to be ineffective, wrong and dangerous to the stability of the DNS as a whole.”

Or you could simply use the Google cache. Chrome direct:

The Pirate Bay direct – as blocked by UK ISPs

Google’s cache:

The Pirate Bay via Google cache from the UK

The long and the short of it is that the UK blockade of The Pirate Bay (or any other website) is unenforceable.

Only about 30% of the UK electorate bothered to vote in last Thursday’s local elections. Pompous political spinners try to tell us that it’s mid-term and people are more concerned with national rather than local issues. I give them an alternative – the people are totally disillusioned with politics and politicians and the whole political process because the law and parliament have become an ass in the pocket of big business.

And that’s a tragedy.

Categories: All, Politics, Security Issues

Feds: Kansas City here we come; Kansas: not in our back yard you don’t

May 5, 2013

I wish it related to something other than the right to bear arms, but I wholeheartedly support and applaud the stance being taken by Kansas. “The Obama Administration,” wrote Kris Kobach, Kansas Secretary of State, to US Attorney General Eric Holder, “has repeatedly violated the United States Constitution for the past four-and-a-half years. That abuse cannot continue. The State of Kansas is determined to restore the Constitution.”

Background
On 4 April the Kansas legislature passed SB102: The Second Amendment Protection Act. The Second Amendment is a difficult one, with academic debate on whether it provides a right to bear arms, or restricts Congress from preventing citizens from carrying arms, or whether it relates to individuals or a collective militia. It is, however, generally considered the right to bear arms.

There is a current debate in the US on whether this right should be restricted. Obama wants it restricted. Kansas does not. Its new law states:

Any act, law, treaty, order, rule or regulation of the government of the United States which violates the second amendment to the constitution of the United States is null, void and unenforceable in the state of Kansas.

It goes further in authorizing Kansas law enforcement to arrest and prosecute any federal agents seeking to enforce unconstitutional laws within Kansas.

Attorney General Eric Holder is not amused. He wrote to Governor Brownback in no uncertain terms:

I am writing to inform you that federal law enforcement agencies… will continue to execute their duties to enforce all federal firearms laws and regulations. Moreover, the United States will take all appropriate action, including litigation if necessary, to prevent the State of Kansas from interfering with the activities of federal officials enforcing federal law.

He claims in the letter that SB102 “directly conflicts with federal law and is therefore unconstitutional.” That is, the Feds trump the States every time.

Not so, responds Kobach (a former professor of constitutional law); not every time:

It was drafted with the intent to assert Kansas’s authority as a co-equal sovereign under the United States Constitution to regulate a subject matter that is outside of Congress’s jurisdiction under the Interstate Commerce Clause of Article 1, Section 8.

That is, the Feds cannot interfere with commerce inside and confined to an individual State; and this law refers to “a firearm that is assembled in Kansas, that is stamped ‘Made in Kansas’, and that never leaves the State of Kansas.”

Conclusion
If you want to bear arms regardless of anything that Obama might say or do, get thee to Kansas and buy a Kansas gun. Not sure if you can buy a Russian or Israeli flat-pack and assemble it in Kansas, but it will be tested by someone sooner or later.

Proposal
That more US States take a similarly pro-active stance to protect the US Constitution whenever the Obama (or any other) Administration arbitrarily acts against it; because once freedom and liberty has gone from the United States, there will be little to prevent other Western governments doing the same.

Categories: All, Politics

Protect your local ISP

May 4, 2013

Lisa Vaas, a journalist I respect, has an interesting post on NakedSecurity. It discusses the problem of revenge porn sites, and the distress and harm they can cause.

In particular, it highlights the cases of Holly Jacobs and a separate class action by 17 women against one particular site, and GoDaddy for hosting the site. Lisa is right in that something must be done about revenge porn – nobody has the right to inflict pain on any other person. But what to do is the problem.

Lisa supports the action against GoDaddy:

The notion of GoDaddy being taken to task hardly seems confused. It seems appropriate, the hosting provider being an accessory to the alleged crimes and having profited off them, to boot.

This is an understandable but dangerous reaction. ISPs and hosting companies must not become tasked with censoring what they host unless it is clearly and plainly illegal (and even then the alleged criminal site should have clear legal recourse to appeal and be reinstated if it is not illegal).

If GoDaddy is found liable for the content of the websites it hosts, where will it stop? There’s a conceptually similar case in Belgium, where the music rights group SABAM is suing ISPs for lost revenue through illegal music downloads, and also demanding a general 3.4% tax levy on users to pay for illegal downloads.

If cases like these succeed, then ISPs will become afraid of legal action against them whenever a hosted site publishes material that might offend or upset powerful vested interests: ISPs will err on the side of bland to protect their revenue, and freedom and liberty will take a serious hit. ISPs must be protected conduits, like snail mail, and not be responsible for what they carry.

Lisa is right that something needs to be done about revenge porn sites – but the target must be the people who post the material, not the sites themselves and most certainly not the ISPs and hosting companies.

Categories: All, Politics, Security Issues

Data-centric is so yesterday!

May 3, 2013

Dr Guy Bunker, Clearswift

I was talking to Dr Guy Bunker, SVP products at Clearswift, about BYOD and his content-aware gateways for web and email. So, I said, you’re effectively saying that since users will always get around traditional security, the best solution is to protect the content rather than simply attempt to restrict the user. “Essentially,” he answered, “that’s correct.”

Then, I suggested, we can place you squarely in the data-centric school of security thought?

Not really, he said. I prefer to think of us as information-centric. “Data-centric,” he said, “would indicate… well, it’s basically a blob of data, and there’s no understanding of the information that’s contained within that blob of data.”

Data is just bits and bytes. Knowledge, however, comes from understanding the information contained in those bits and bytes.

I’ll give you a simple example, he said. “If somebody sends your company an order, and in that order is a list of things they want to buy, and also information around their credit card details; well, as a lump of data it’s an order (which is good). But you might decide that some of that order will be fulfilled by third parties, so you send it out.

“But not understanding all of the information in it could then put you afoul of something like PCI DSS where you are not allowed to send credit card information out to those third parties. So if you were to do traditional (data-centric) DLP then you can detect the credit card information and block the communication. That,” he said, “is taking a very data centric approach to security.”

It’s not good enough, because in blocking a very small amount of dangerous data you prevent the circulation of a larger amount of beneficial information: OK for security; not OK for business.

However, “if you go to the next level of granularity, and become information-centric, then you can start to be a bit smarter. You know that you’re not allowed to send credit card information out, but in fact all the other information is good. Why not, then, simply redact the credit card information and allow the rest?” You can only do that if you understand the information held within the data.

But he doesn’t stop there. “We’re not merely information centric, we’re information-in-context-centric. So if you’re sitting in-house behind all of your perimeter defences then your access to the information contained in the data will be at one level; but if you’re outside the perimeter sitting in a cyber cafe with an untrusted terminal on public WiFi, then the information that you should be presented with should be far more limited. It might be that you get to see the email including the credit card data when you’re in-house; but when you’re outside you get to see the email, but not the credit card. It’s all about becoming information-centric rather than just being data-centric – you need that extra level of granularity in order to maximise control of how much company information can be accessed by which users in what locations and contexts.”
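To show the difference between the three approaches Bunker describes, here is an added example in Python. It is my own illustration, not Clearswift’s code, and the order text, the card number (a well-known test number) and the ‘internal’/‘external’ contexts are all constructed for the demonstration. The data-centric version blocks the whole order if it contains a card number; the information-centric version redacts only the number; the information-in-context version releases the full order inside the perimeter and the redacted one outside. Candidate numbers are checked with the Luhn algorithm so that an order or tracking number of similar length is not mistaken for a card.

```python
import re

# A candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed sample order: a 7-digit order number, a 13-digit tracking number
# that is not a card, and one genuine (test) card number.
SAMPLE_ORDER = ("Order 7788123: 2 x widget, 1 x gadget. Ship via tracking 1234567890123. "
                "Pay by card 4111 1111 1111 1111 exp 12/26.")


def luhn_ok(digits):
    """Luhn check digit test, which every real card number passes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return (start, end, digits) for each Luhn-valid card number in the text.
    Digit runs that fail Luhn (order or tracking numbers) are left alone."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append((m.start(), m.end(), digits))
    return hits


def block_if_pan(text):
    """Data-centric DLP: the whole message is blocked if any card number is present."""
    return None if find_pans(text) else text


def redact_pans(text):
    """Information-centric DLP: mask each card number (keep the last four) and
    let everything else through."""
    out, last = [], 0
    for start, end, digits in find_pans(text):
        out.append(text[last:start])
        out.append("*" * (len(digits) - 4) + digits[-4:])
        last = end
    out.append(text[last:])
    return "".join(out)


def release(text, context):
    """Information-in-context: full content for a trusted in-house context,
    the redacted form for an untrusted one (cafe, public WiFi)."""
    return text if context == "internal" else redact_pans(text)


if __name__ == "__main__":
    print("data-centric   :", block_if_pan(SAMPLE_ORDER))      # None: order lost
    print("information    :", redact_pans(SAMPLE_ORDER))       # order kept, PAN masked
    print("internal view  :", release(SAMPLE_ORDER, "internal"))
    print("external view  :", release(SAMPLE_ORDER, "external"))
```

The Luhn check is the caveat a practitioner would add: without it, the 13-digit tracking number in the sample would be redacted too, which is the false-positive cost that makes blanket blocking unacceptable to the business in the first place.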

That is being information-centric. Data-centric is so yesterday.

Categories: All, Security Issues