<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	xmlns:georss="http://www.georss.org/georss" xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#" xmlns:media="http://search.yahoo.com/mrss/"
	>

<channel>
	<title>Kevin Townsend</title>
	<atom:link href="http://kevtownsend.wordpress.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://kevtownsend.wordpress.com</link>
	<description>Security centric issues, news and rants – and other things.</description>
	<lastBuildDate>Thu, 23 May 2013 22:56:44 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.com/</generator>
<cloud domain='kevtownsend.wordpress.com' port='80' path='/?rsscloud=notify' registerProcedure='' protocol='http-post' />
<image>
		<url>http://s2.wp.com/i/buttonw-com.png</url>
		<title>Kevin Townsend</title>
		<link>http://kevtownsend.wordpress.com</link>
	</image>
	<atom:link rel="search" type="application/opensearchdescription+xml" href="http://kevtownsend.wordpress.com/osd.xml" title="Kevin Townsend" />
	<atom:link rel='hub' href='http://kevtownsend.wordpress.com/?pushpress=hub'/>
		<item>
		<title>Yahoo says my password is too weak</title>
		<link>http://kevtownsend.wordpress.com/2013/05/14/yahoo-says-my-password-is-too-weak/</link>
		<comments>http://kevtownsend.wordpress.com/2013/05/14/yahoo-says-my-password-is-too-weak/#comments</comments>
		<pubDate>Tue, 14 May 2013 07:33:09 +0000</pubDate>
		<dc:creator>Kevin Townsend</dc:creator>
				<category><![CDATA[All]]></category>
		<category><![CDATA[Security Issues]]></category>
		<category><![CDATA[password]]></category>
		<category><![CDATA[weak]]></category>
		<category><![CDATA[Yahoo]]></category>

		<guid isPermaLink="false">http://kevtownsend.wordpress.com/?p=5226</guid>
		<description><![CDATA[A lot of visitors searching for data on a Yahoo ‘password too weak’ issue end up on my own Password is too weak… page. My own issue was with BT – but since there is a close relationship between BT and Yahoo, it may well be exactly the same problem. The answer lies within the [&#8230;]]]></description>
				<content:encoded><![CDATA[<p>A lot of visitors searching for data on a Yahoo ‘password too weak’ issue end up on my own <em><a href="http://kevtownsend.wordpress.com/2012/08/11/password-is-too-weak/" target="_blank">Password is too weak…</a></em> page.</p>
<p>My own issue was with BT – but since there is a close relationship between BT and Yahoo, it may well be exactly the same problem. The answer lies within the comments on my earlier page. Put simply, the BT password rules exclude certain characters that get generated by password managers (such as vertical bars), and are limited to 16 characters.</p>
<p>If you go over 16 characters and include vertical bars then you get a ‘password too weak’ error when actually your password is being rejected because it is too strong.</p>
<p>I don’t use Yahoo so cannot confirm whether this is the same issue. However, if Yahoo is continually rejecting your password as ‘too weak’ it would be worth checking the small print; and perhaps limiting your password to 16 characters – and no vertical bars.</p>
]]></content:encoded>
			<wfw:commentRss>http://kevtownsend.wordpress.com/2013/05/14/yahoo-says-my-password-is-too-weak/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/77cc02be4113d8d5cff2e437ac327d61?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">kevtownsend</media:title>
		</media:content>
	</item>
		<item>
		<title>Silly, childish lies from companies that should know better</title>
		<link>http://kevtownsend.wordpress.com/2013/05/13/silly-childish-lies-from-companies-that-should-know-better/</link>
		<comments>http://kevtownsend.wordpress.com/2013/05/13/silly-childish-lies-from-companies-that-should-know-better/#comments</comments>
		<pubDate>Mon, 13 May 2013 17:53:45 +0000</pubDate>
		<dc:creator>Kevin Townsend</dc:creator>
				<category><![CDATA[All]]></category>
		<category><![CDATA[General Rants]]></category>
		<category><![CDATA[advertising]]></category>
		<category><![CDATA[BT]]></category>
		<category><![CDATA[lies]]></category>
		<category><![CDATA[paper.li]]></category>
		<category><![CDATA[Yahoo]]></category>

		<guid isPermaLink="false">http://kevtownsend.wordpress.com/?p=5222</guid>
		<description><![CDATA[I subscribe to a number of paper.li dailies. I use them to aggregate news stories for me that I probably wouldn’t find on the BBC – Anonymous, civil liberties, censorship etcetera. So I was a little perturbed when I couldn’t access them yesterday. I got the emails with the links alright, but the links didn’t [&#8230;]]]></description>
				<content:encoded><![CDATA[<p>I subscribe to a number of paper.li dailies. I use them to aggregate news stories for me that I probably wouldn’t find on the BBC – Anonymous, civil liberties, censorship etcetera.</p>
<p>So I was a little perturbed when I couldn’t access them yesterday. I got the emails with the links alright, but the links didn’t work. Rather than my selected Daily, I got this:</p>
<div id="attachment_5223" class="wp-caption aligncenter" style="width: 605px"><a href="http://kevtownsend.files.wordpress.com/2013/05/bt-yahoo-unable-to-find-22paper-li22.png"><img class="size-large wp-image-5223" alt="Silly lies from BT/Yahoo" src="http://kevtownsend.files.wordpress.com/2013/05/bt-yahoo-unable-to-find-22paper-li22.png?w=595&#038;h=298" width="595" height="298" /></a><p class="wp-caption-text">Silly lies from BT/Yahoo</p></div>
<p>My first thought, naturally, was that some sinister, subtle censorship was underway – perhaps one of the dailies included a proxy for The Pirate Bay and BT felt it necessary to ‘block’ it. Far-fetched, maybe – but the society we now have makes such thoughts inevitable. It turned out not to be censorship, but (or so I understand) ‘DNS issues’ at paper.li.</p>
<p>But I’m still concerned. Look at the page that BT/Yahoo sent me to. Did I mean ‘gap.co.uk’? Now by what stretch of the imagination does mis-typing ‘paper.li’ end up with ‘gap.co.uk’?</p>
<p>Gap Inc, says Gap, “is a leading global specialty retailer offering clothing, accessories, and personal care products for men, women, children, and babies under the Gap, Banana Republic, Old Navy, Piperlime, and Athleta brands.” Yeah, well, I guess that can easily be confused with an off-the-wall news aggregator.</p>
<p>Then there’s the ‘related searches’. Now, how can there be a related search when I haven’t made a search?</p>
<p>The simple fact is that these are all paid-for adverts. I don’t actually mind that. But what I seriously object to is BT/Yahoo trying to pretend that they’re providing me with a service when they’re simply accepting money from advertisers. It’s this low-level petty deceit that I find both disturbing and frankly pathetic.</p>
]]></content:encoded>
			<wfw:commentRss>http://kevtownsend.wordpress.com/2013/05/13/silly-childish-lies-from-companies-that-should-know-better/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/77cc02be4113d8d5cff2e437ac327d61?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">kevtownsend</media:title>
		</media:content>

		<media:content url="http://kevtownsend.files.wordpress.com/2013/05/bt-yahoo-unable-to-find-22paper-li22.png?w=595" medium="image">
			<media:title type="html">Silly lies from BT/Yahoo</media:title>
		</media:content>

	</item>
		<item>
		<title>Aethelred versus the Vikings – a neverending story</title>
		<link>http://kevtownsend.wordpress.com/2013/05/10/aethelred-versus-the-vikings-a-neverending-story/</link>
		<comments>http://kevtownsend.wordpress.com/2013/05/10/aethelred-versus-the-vikings-a-neverending-story/#comments</comments>
		<pubDate>Fri, 10 May 2013 17:46:47 +0000</pubDate>
		<dc:creator>Kevin Townsend</dc:creator>
				<category><![CDATA[All]]></category>
		<category><![CDATA[Security Issues]]></category>
		<category><![CDATA[Aethelred]]></category>
		<category><![CDATA[Battlefield 3]]></category>
		<category><![CDATA[Corero]]></category>
		<category><![CDATA[DDoS]]></category>
		<category><![CDATA[hackers]]></category>
		<category><![CDATA[Vikings]]></category>

		<guid isPermaLink="false">http://kevtownsend.wordpress.com/?p=5218</guid>
		<description><![CDATA[My peers may remember playing Saxons and Normans on the beach as small children (it was before black and white television and the rise of cowboys and indians and cops and robbers). The alternative was Saxons and Vikings; but suffered because apart from Harold we only knew two Saxons: Alfred and Aethelred. Aethelred was the [&#8230;]]]></description>
				<content:encoded><![CDATA[<p>My peers may remember playing Saxons and Normans on the beach as small children (it was before black and white television and the rise of cowboys and indians and cops and robbers). The alternative was Saxons and Vikings; but suffered because apart from Harold we only knew two Saxons: Alfred and Aethelred. Aethelred was the short straw, because he was never ready – or more accurately, he was ill-advised and accepted bad or no counsel.</p>
<div id="attachment_5219" class="wp-caption alignright" style="width: 230px"><img class="size-full wp-image-5219" alt="Vikings embarking on a denial of service attack – source Wikipedia" src="http://kevtownsend.files.wordpress.com/2013/05/vikings.png?w=595"   /><p class="wp-caption-text">Vikings embarking on a denial of service attack – source Wikipedia</p></div>
<p>Well, Aethelred and the Vikings are making a comeback. Aethelred is business and the Vikings are hackers; and it doesn’t seem to matter what good advice is given, Aethelred ignores it and the hackers come back – again, and again, and again.</p>
<p>Good counsel: encrypt, but Aethelred does not. Use and enforce strong passwords, but he doesn’t. Undertake staff awareness training on a continuous basis, but he doesn’t bother. The list goes on and on.</p>
<p>But the absolute perfect proof that the spirit of Aethelred yet lives and breathes can be seen in a comment from Ashley Stephenson, CEO of <em><a href="http://www.coreroplc.com/" target="_blank">Corero Network Security</a></em>. He was talking about the DDoS attack on Battlefield 3, “yet another in a long line of attacks aimed at disrupting gamers.”</p>
<p>Sometimes such attacks come from the competition; other times it’s just for the lulz. But, he adds, “Another motive our clients in gaming and across other sectors continue to experience is cyber extortion. Malicious users specifically threaten gaming and other sites, demanding to be paid a ransom or be the victim of a Distributed Denial of Service attack. More often than not these blackmail threats go unreported as some companies opt to pay the ransom rather than go public with the attack in the hope that this will satisfy the hackers, though this is rarely the case and may lead to the site continually being targeted.”</p>
<p>Aethelred, a long-standing Anglo-Saxon tradition that believes we can yet get peace in our time, lives on. Looks like the Vikings are winning again.</p>
]]></content:encoded>
			<wfw:commentRss>http://kevtownsend.wordpress.com/2013/05/10/aethelred-versus-the-vikings-a-neverending-story/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/77cc02be4113d8d5cff2e437ac327d61?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">kevtownsend</media:title>
		</media:content>

		<media:content url="http://kevtownsend.files.wordpress.com/2013/05/vikings.png" medium="image">
			<media:title type="html">Vikings embarking on a denial of service attack – source Wikipedia</media:title>
		</media:content>
	</item>
		<item>
		<title>The law is an ass</title>
		<link>http://kevtownsend.wordpress.com/2013/05/05/the-law-is-an-ass/</link>
		<comments>http://kevtownsend.wordpress.com/2013/05/05/the-law-is-an-ass/#comments</comments>
		<pubDate>Sun, 05 May 2013 17:36:47 +0000</pubDate>
		<dc:creator>Kevin Townsend</dc:creator>
				<category><![CDATA[All]]></category>
		<category><![CDATA[Politics]]></category>
		<category><![CDATA[Security Issues]]></category>
		<category><![CDATA[ass]]></category>
		<category><![CDATA[big business]]></category>
		<category><![CDATA[blockade]]></category>
		<category><![CDATA[censorship]]></category>
		<category><![CDATA[law]]></category>
		<category><![CDATA[music industry]]></category>
		<category><![CDATA[Opera]]></category>
		<category><![CDATA[politicians]]></category>
		<category><![CDATA[proxy]]></category>
		<category><![CDATA[The Pirate Bay]]></category>
		<category><![CDATA[TPB]]></category>

		<guid isPermaLink="false">http://kevtownsend.wordpress.com/?p=5211</guid>
		<description><![CDATA[It&#8217;s worth repeating. The law is an ass. A fundamental purpose of law is to protect the individual. Sadly, this purpose has long since been appropriated by big business – the purpose of the law is now to pander for business at the expense of the citizen through the collusion of politicians. The result is that [&#8230;]]]></description>
				<content:encoded><![CDATA[<p>It&#8217;s worth repeating. The law is an ass.</p>
<p>A fundamental purpose of law is to protect the individual. Sadly, this purpose has long since been appropriated by big business – the purpose of the law is now to pander for business at the expense of the citizen through the collusion of politicians.</p>
<p>The result is that the law has become ridiculous.</p>
<p>In the past it used to be an unwritten rule in the UK that parliament would not pass unenforceable laws. The reason is that a law that cannot be enforced makes the law look an ass. Worse, it makes parliament look as big an ass as the law that cannot be enforced.</p>
<p>Here’s an example. Parliament has created the laws that made the courts attempt to block The Pirate Bay (TPB) at the behest of the music industry (and film and video and video gaming etcetera). Parliament has become the pimp of the music industry (ironic, really, since neither prostitution nor the employment of prostitutes is illegal – because it is unenforceable – but pimping <em><strong>is</strong></em> illegal).</p>
<p>But back to The Pirate Bay. The courts have been forced by the alliance of parliament and the music industry to order the ISPs to block TPB. But blocking TPB is so unenforceable it is absurd; confirming that the law and parliament has become a collective ass.</p>
<p>The easiest way to get round the block is to use a proxy service. You go to a site in a country that doesn’t operate a block, and that website redirects you to TPB. A quick search on Google turned up at least 150 TPB proxies.</p>
<p>But you don’t even need to look for them. There’s a Chrome add-on and an Android app that will do it for you automatically.</p>
<p>If you don’t use Chrome and don’t have Android you could use TOR, which will both provide anonymity and bypass the block. Or use a VPN. Both of these require some effort and a little knowledge.</p>
<p>So you could simply switch to the Opera browser and turn on Turbo mode. Turbo mode is designed for users with slow connections. It speeds things up by going via Opera’s own servers. But since you are going to Opera rather than TPB, you don’t get blocked when you go through Opera Turbo to get to TPB.</p>
<div id="attachment_5212" class="wp-caption aligncenter" style="width: 605px"><a href="http://kevtownsend.files.wordpress.com/2013/05/tpboperaturbo.png"><img class="size-large wp-image-5212" alt="The Pirate Bay, via Turbo Opera, from the UK" src="http://kevtownsend.files.wordpress.com/2013/05/tpboperaturbo.png?w=595&#038;h=566" width="595" height="566" /></a><p class="wp-caption-text">The Pirate Bay, via Turbo Opera, from the UK</p></div>
<p>This is TPB via Opera Turbo from the UK today. Note that although I asked for thepiratebay.se (Sweden), I automatically got redirected to TPB’s latest home at dotSX. TPB moved from Sweden to “Sint Maarten, a tiny island in the northeast Caribbean located 190 miles east of Puerto Rico,” a few days ago (<a href="http://torrentfreak.com/the-pirate-bay-moves-to-sx-as-prosecutor-files-motion-to-seize-domains-130430/" target="_blank">TorrentFreak</a>). This follows the latest court case in Sweden against TPB by the music industry. Incidentally, TPB also has an Icelandic domain. The music industry case in Sweden is trying to get the Icelandic domain closed because it is registered to a man of Swedish nationality. I salute Marius Olafsson of Iceland’s domain registry ISNIC, who told TorrentFreak: “ISNIC will legally fight attempts to use the domain name registry system to police/censor the net. We believe that to be ineffective, wrong and dangerous to the stability of the DNS as a whole.”</p>
<p>Or you could simply use the Google cache. Chrome direct:</p>
<div id="attachment_5213" class="wp-caption aligncenter" style="width: 415px"><a href="http://kevtownsend.files.wordpress.com/2013/05/tpbdirect.png"><img class="size-full wp-image-5213" alt="The Pirate Bay direct – as blocked by UK ISPs" src="http://kevtownsend.files.wordpress.com/2013/05/tpbdirect.png?w=595"   /></a><p class="wp-caption-text">The Pirate Bay direct – as blocked by UK ISPs</p></div>
<p>Google’s cache:</p>
<div id="attachment_5214" class="wp-caption aligncenter" style="width: 605px"><a href="http://kevtownsend.files.wordpress.com/2013/05/tpbgooglecache.png"><img class="size-large wp-image-5214" alt="The Pirate Bay via Google cache from the UK" src="http://kevtownsend.files.wordpress.com/2013/05/tpbgooglecache.png?w=595&#038;h=652" width="595" height="652" /></a><p class="wp-caption-text">The Pirate Bay via Google cache from the UK</p></div>
<p>The long and the short of it is that the UK blockade of The Pirate Bay (or any other website) is unenforceable.</p>
<p>Only about 30% of the UK electorate bothered to vote in last Thursday’s local elections. Pompous political spinners try to tell us that it’s mid-term and people are more concerned with national rather than local issues. I give them an alternative – the people are totally disillusioned with politics and politicians and the whole political process because the law and parliament has become an ass in the pocket of big business.</p>
<p>And that’s a tragedy.</p>
]]></content:encoded>
			<wfw:commentRss>http://kevtownsend.wordpress.com/2013/05/05/the-law-is-an-ass/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/77cc02be4113d8d5cff2e437ac327d61?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">kevtownsend</media:title>
		</media:content>

		<media:content url="http://kevtownsend.files.wordpress.com/2013/05/tpboperaturbo.png?w=595" medium="image">
			<media:title type="html">The Pirate Bay, via Turbo Opera, from the UK</media:title>
		</media:content>

		<media:content url="http://kevtownsend.files.wordpress.com/2013/05/tpbdirect.png" medium="image">
			<media:title type="html">The Pirate Bay direct – as blocked by UK ISPs</media:title>
		</media:content>

		<media:content url="http://kevtownsend.files.wordpress.com/2013/05/tpbgooglecache.png?w=595" medium="image">
			<media:title type="html">The Pirate Bay via Google cache from the UK</media:title>
		</media:content>

	</item>
		<item>
		<title>Feds: Kansas City here we come; Kansas: not in our back yard you don&#8217;t</title>
		<link>http://kevtownsend.wordpress.com/2013/05/05/feds-kansas-city-here-we-come-kansas-not-in-our-back-yard-you-dont/</link>
		<comments>http://kevtownsend.wordpress.com/2013/05/05/feds-kansas-city-here-we-come-kansas-not-in-our-back-yard-you-dont/#comments</comments>
		<pubDate>Sun, 05 May 2013 11:06:13 +0000</pubDate>
		<dc:creator>Kevin Townsend</dc:creator>
				<category><![CDATA[All]]></category>
		<category><![CDATA[Politics]]></category>
		<category><![CDATA[bear arms]]></category>
		<category><![CDATA[constitution]]></category>
		<category><![CDATA[firearms]]></category>
		<category><![CDATA[freedom]]></category>
		<category><![CDATA[Holder]]></category>
		<category><![CDATA[Kansas]]></category>
		<category><![CDATA[Kobach]]></category>
		<category><![CDATA[liberty]]></category>
		<category><![CDATA[Second amendment]]></category>

		<guid isPermaLink="false">http://kevtownsend.wordpress.com/?p=5207</guid>
		<description><![CDATA[I wish it related to something other than the right to bear arms, but I wholeheartedly support and applaud the stance being taken by Kansas. &#8220;The Obama Administration,&#8221; wrote Kris Kobach, Kansas Secretary of State, to US Attorney General Eric Holder, &#8220;has repeatedly violated the United States Constitution for the past four-and-a-half years. That abuse [&#8230;]]]></description>
				<content:encoded><![CDATA[<p>I wish it related to something other than the right to bear arms, but I wholeheartedly support and applaud the stance being taken by Kansas. &#8220;The Obama Administration,&#8221; wrote Kris Kobach, Kansas Secretary of State, to US Attorney General Eric Holder, &#8220;has repeatedly violated the United States Constitution for the past four-and-a-half years. That abuse cannot continue. The State of Kansas is determined to restore the Constitution.&#8221;</p>
<p><strong>Background</strong><br />
On 4 April the Kansas legislature passed SB102: The Second Amendment Protection Act. The Second Amendment is a difficult one, with academic debate on whether it provides a right to bear arms, or restricts Congress from preventing citizens from carrying arms, or whether it relates to individuals or a collective militia. It is, however, generally considered the right to bear arms.</p>
<p>There is a current debate in the US on whether this right should be restricted. Obama wants it restricted. Kansas does not. Its new law states:</p>
<blockquote><p>Any act, law, treaty, order, rule or regulation of the government of the United States which violates the second amendment to the constitution of the United States is null, void and unenforceable in the state of Kansas.</p></blockquote>
<p>It goes further in authorizing Kansas law enforcement to arrest and prosecute any federal agents seeking to enforce unconstitutional laws within Kansas.</p>
<p>Attorney General Eric Holder is not amused. He wrote to Governor Brownback in no uncertain terms:</p>
<blockquote><p>I am writing to inform you that federal law enforcement agencies&#8230; will continue to execute their duties to enforce all federal firearms laws and regulations. Moreover, the United States will take all appropriate action, including litigation if necessary, to prevent the State of Kansas from interfering with the activities of federal officials enforcing federal law.</p></blockquote>
<p>He claims in the letter that SB102 &#8220;directly conflicts with federal law and is therefore unconstitutional.&#8221; That is, the Feds trump the States every time.</p>
<p>Not so, responds Kobach (a former professor of constitutional law); not every time:</p>
<blockquote><p>It was drafted with the intent to assert Kansas&#8217;s authority as a co-equal sovereign under the United States Constitution to regulate a subject matter that is outside of Congress&#8217;s jurisdiction under the Interstate Commerce Clause of Article 1, Section 8.</p></blockquote>
<p>That is, the Feds cannot interfere with commerce inside and confined to an individual State; and this law refers to &#8220;a firearm that is assembled in Kansas, that is stamped &#8216;Made in Kansas&#8217;, and that never leaves the State of Kansas.&#8221;</p>
<p><strong>Conclusion</strong><br />
If you want to bear arms regardless of anything that Obama might say or do, get thee to Kansas and buy a Kansas gun. Not sure if you can buy a Russian or Israeli flat-pack and assemble it in Kansas, but it will be tested by someone sooner or later.</p>
<p><strong>Proposal</strong><br />
That more US States take a similarly pro-active stance to protect the US Constitution whenever the Obama (or any other) Administration arbitrarily acts against it; because once freedom and liberty has gone from the United States, there will be little to prevent other Western governments doing the same.</p>
]]></content:encoded>
			<wfw:commentRss>http://kevtownsend.wordpress.com/2013/05/05/feds-kansas-city-here-we-come-kansas-not-in-our-back-yard-you-dont/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/77cc02be4113d8d5cff2e437ac327d61?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">kevtownsend</media:title>
		</media:content>
	</item>
		<item>
		<title>Protect your local ISP</title>
		<link>http://kevtownsend.wordpress.com/2013/05/04/protect-your-local-isp/</link>
		<comments>http://kevtownsend.wordpress.com/2013/05/04/protect-your-local-isp/#comments</comments>
		<pubDate>Sat, 04 May 2013 07:48:54 +0000</pubDate>
		<dc:creator>Kevin Townsend</dc:creator>
				<category><![CDATA[All]]></category>
		<category><![CDATA[Politics]]></category>
		<category><![CDATA[Security Issues]]></category>
		<category><![CDATA[censorship]]></category>
		<category><![CDATA[GoDaddy]]></category>
		<category><![CDATA[Holly Jacobs]]></category>
		<category><![CDATA[ISPs]]></category>
		<category><![CDATA[Lisa Vaas]]></category>
		<category><![CDATA[NakedSecurity]]></category>
		<category><![CDATA[revenge porn]]></category>

		<guid isPermaLink="false">http://kevtownsend.wordpress.com/?p=5204</guid>
		<description><![CDATA[Lisa Vaas, a journalist I respect, has an interesting post on NakedSecurity. It discusses the problem of revenge porn sites, and the distress and harm they can cause. In particular, it highlights the cases of Holly Jacobs and a separate class action by 17 women against one particular site, and GoDaddy for hosting the site. [&#8230;]]]></description>
				<content:encoded><![CDATA[<p>Lisa Vaas, a journalist I respect, has an interesting post on <a href="http://nakedsecurity.sophos.com/2013/05/03/revenge-porn-website-victim-files-suit-against-ex-and-four-porn-sites/" target="_blank">NakedSecurity</a>. It discusses the problem of revenge porn sites, and the distress and harm they can cause.</p>
<p>In particular, it highlights the cases of Holly Jacobs and a separate class action by 17 women against one particular site, and GoDaddy for hosting the site. Lisa is right that something must be done about revenge porn &#8211; nobody has the right to inflict pain on any other person. But what to do is the problem.</p>
<p>Lisa supports the action against GoDaddy:</p>
<blockquote><p>The notion of GoDaddy being taken to task hardly seems confused. It seems appropriate, the hosting provider being an accessory to the alleged crimes and having profited off them, to boot.</p></blockquote>
<p>This is an understandable but dangerous reaction. ISPs and hosting companies <em><strong>must not</strong></em> become tasked with censoring what they host unless it is clearly and plainly illegal (and even then the alleged criminal site should have clear legal recourse to appeal and be reinstated if it is not illegal).</p>
<p>If GoDaddy is found liable for the content of the websites it hosts, where will it stop? There&#8217;s a conceptually <a href="http://torrentfreak.com/music-rights-group-sues-isps-over-pirate-tax-130501/" target="_blank">similar case</a> in Belgium, where the music rights group SABAM is suing ISPs for lost revenue through illegal music downloads, and also demanding a general 3.4% tax levy on users to pay for illegal downloads.</p>
<p>If cases like these succeed, then ISPs will become afraid of legal action against them whenever a hosted site publishes material that might offend or upset powerful vested interests: ISPs will err on the side of bland to protect their revenue, and freedom and liberty will take a serious hit. ISPs must be protected conduits, like snail mail, and not be responsible for what they carry.</p>
<p>Lisa is right that something needs to be done about revenge porn sites &#8211; but the target must be the people who post the material, not the sites themselves and most certainly not the ISPs and hosting companies.</p>
]]></content:encoded>
			<wfw:commentRss>http://kevtownsend.wordpress.com/2013/05/04/protect-your-local-isp/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/77cc02be4113d8d5cff2e437ac327d61?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">kevtownsend</media:title>
		</media:content>
	</item>
		<item>
		<title>Data-centric is so yesterday!</title>
		<link>http://kevtownsend.wordpress.com/2013/05/03/data-centric-is-so-yesterday/</link>
		<comments>http://kevtownsend.wordpress.com/2013/05/03/data-centric-is-so-yesterday/#comments</comments>
		<pubDate>Fri, 03 May 2013 16:25:08 +0000</pubDate>
		<dc:creator>Kevin Townsend</dc:creator>
				<category><![CDATA[All]]></category>
		<category><![CDATA[Security Issues]]></category>
		<category><![CDATA[Clearswift]]></category>
		<category><![CDATA[data-centric]]></category>
		<category><![CDATA[Guy Bunker]]></category>
		<category><![CDATA[information-centric]]></category>

		<guid isPermaLink="false">http://kevtownsend.wordpress.com/?p=5199</guid>
		<description><![CDATA[I was talking to Dr Guy Bunker, SVP products at Clearswift, about BYOD and his content-aware gateways for web and email. So, I said, you’re effectively saying that since users will always get around traditional security, the best solution is to protect the content rather than simply attempt to restrict the user. “Essentially,” he answered, [&#8230;]]]></description>
				<content:encoded><![CDATA[<div id="attachment_5200" class="wp-caption alignright" style="width: 209px"><a href="http://kevtownsend.files.wordpress.com/2013/05/guybunker.png"><img class="size-medium wp-image-5200" alt="Dr Guy Bunker, Clearswift" src="http://kevtownsend.files.wordpress.com/2013/05/guybunker.png?w=199&#038;h=300" width="199" height="300" /></a><p class="wp-caption-text">Dr Guy Bunker, Clearswift</p></div>
<p>I was talking to Dr Guy Bunker, SVP products at <a href="http://www.clearswift.com/" target="_blank">Clearswift</a>, about BYOD and his content-aware gateways for web and email. So, I said, you’re effectively saying that since users will always get around traditional security, the best solution is to protect the content rather than simply attempt to restrict the user. “Essentially,” he answered, “that’s correct.”</p>
<p>Then, I suggested, we can place you squarely in the data-centric school of security thought?</p>
<p>Not really, he said. I prefer to think of us as information-centric. “Data-centric,” he said, “would indicate&#8230; well, it’s basically a blob of data, and there’s no understanding of the information that’s contained within that blob of data.”</p>
<p>Data is just bits and bytes. Knowledge, however, comes from understanding the information contained in those bits and bytes.</p>
<p>I’ll give you a simple example, he said. “If somebody sends your company an order, and in that order is a list of things they want to buy, and also information around their credit card details; well, as a lump of data it’s an order (which is good). But you might decide that some of that order will be fulfilled by third parties, so you send it out.</p>
<p>&#8220;But not understanding all of the information in it could then put you foul of something like PCI DSS where you are not allowed to send credit card information out to those third parties. So if you were to do traditional (data-centric) DLP then you can detect the credit card information and block the communication. That,” he said, “is taking a very data centric approach to security.”</p>
<p>It’s not good enough, because in blocking a very small amount of dangerous data you prevent the circulation of a larger amount of beneficial information: OK for security; not OK for business.</p>
<p>However, “if you go to the next level of granularity, and become information-centric, then you can start to be a bit smarter. You know that you’re not allowed to send credit card information out, but in fact all the other information is good. Why not, then, simply redact the credit card information and allow the rest?” You can only do that if you understand the information held within the data.</p>
<p>But he doesn’t stop there. “We’re not merely information centric, we’re information-in-context-centric. So if you’re sitting in-house behind all of your perimeter defences then your access to the information contained in the data will be at one level; but if you’re outside the perimeter sitting in a cyber cafe with an untrusted terminal on public WiFi, then the information that you should be presented with should be far more limited. It might be that you get to see the email including the credit card data when you’re in-house; but when you’re outside you get to see the email, but not the credit card. It’s all about becoming information-centric rather than just being data-centric – you need that extra level of granularity in order to maximise control of how much company information can be accessed by which users in what locations and contexts.”</p>
<p>That is being information-centric. Data-centric is so yesterday.</p>
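<p>To make the three gateway behaviours Bunker describes concrete, here is an added Python example (not Clearswift&#8217;s code, and not part of the original post). It finds card numbers in an outbound order, using a Luhn check so that order numbers and part numbers are not mistaken for PANs, and then shows a data-centric gateway that blocks the whole message, an information-centric one that redacts only the card number and lets the rest through, and a context-aware one that releases the full text in-house but the redacted text to an untrusted location. The sample order, the context labels and the masking rule (keep only the last four digits) are constructed for the example.</p>

```python
"""Information-centric DLP on an outbound order: detect card numbers (PANs),
then block, redact, or release depending on the viewer's context.
Added example; not Clearswift code. Sample order and policy are constructed."""
import re

# 13 to 19 digits, optionally separated by single spaces or hyphens
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Constructed sample order: one real-format test PAN, one 13-digit order number
SAMPLE_ORDER = (
    "Order ORD-2013050300421 from Example Ltd\n"
    "Items: 2 x widget (part 7731), 1 x bracket (part 1002)\n"
    "Ship to: 12 High Street, Anytown\n"
    "Card: 4111 1111 1111 1111 exp 05/15\n"
)

TRUSTED_CONTEXTS = {"in-house"}  # constructed label for behind-the-perimeter access


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _is_pan(raw: str) -> bool:
    digits = re.sub(r"[ -]", "", raw)
    return 13 <= len(digits) <= 19 and luhn_ok(digits)


def find_pans(text: str) -> list:
    """Return every candidate that passes the Luhn check, as written in the text."""
    return [m.group() for m in PAN_CANDIDATE.finditer(text) if _is_pan(m.group())]


def redact(text: str) -> str:
    """Keep the message; mask each PAN except its last four digits."""
    def mask(m):
        raw = m.group()
        if not _is_pan(raw):
            return raw          # order number, phone number: leave untouched
        digits = re.sub(r"[ -]", "", raw)
        return "*" * (len(digits) - 4) + digits[-4:]
    return PAN_CANDIDATE.sub(mask, text)


def data_centric_gateway(text: str):
    """Data-centric DLP: the order is one blob; any PAN inside blocks all of it."""
    return ("BLOCKED", None) if find_pans(text) else ("ALLOWED", text)


def information_centric_gateway(text: str):
    """Information-centric DLP: the order goes through, only the PAN is masked."""
    return ("REDACTED", redact(text)) if find_pans(text) else ("ALLOWED", text)


def context_aware_gateway(text: str, context: str):
    """Information-in-context: full content in-house, redacted content anywhere else."""
    if context in TRUSTED_CONTEXTS:
        return ("ALLOWED", text)
    return information_centric_gateway(text)


if __name__ == "__main__":
    print(data_centric_gateway(SAMPLE_ORDER)[0])
    print(information_centric_gateway(SAMPLE_ORDER)[1])
    print(context_aware_gateway(SAMPLE_ORDER, "cyber-cafe")[1])
```

<p>The Luhn check is what keeps the redaction from eating the order number: both are 13 to 16 digit runs, but only the card number has a valid checksum. A production gateway would also need to understand attachments and encodings, which a regular expression over plain text does not.</p>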
]]></content:encoded>
			<wfw:commentRss>http://kevtownsend.wordpress.com/2013/05/03/data-centric-is-so-yesterday/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/77cc02be4113d8d5cff2e437ac327d61?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">kevtownsend</media:title>
		</media:content>

		<media:content url="http://kevtownsend.files.wordpress.com/2013/05/guybunker.png?w=199" medium="image">
			<media:title type="html">Dr Guy Bunker, Clearswift</media:title>
		</media:content>
	</item>
		<item>
		<title>The uncertainty principle has always seemed perfectly reasonable to me</title>
		<link>http://kevtownsend.wordpress.com/2013/05/02/the-uncertainty-principle-has-always-seemed-perfectly-reasonable-to-me/</link>
		<comments>http://kevtownsend.wordpress.com/2013/05/02/the-uncertainty-principle-has-always-seemed-perfectly-reasonable-to-me/#comments</comments>
		<pubDate>Thu, 02 May 2013 15:57:25 +0000</pubDate>
		<dc:creator>Kevin Townsend</dc:creator>
				<category><![CDATA[All]]></category>
		<category><![CDATA[dice]]></category>
		<category><![CDATA[Einstein]]></category>
		<category><![CDATA[quantum mechanics]]></category>
		<category><![CDATA[uncertainty]]></category>

		<guid isPermaLink="false">http://kevtownsend.wordpress.com/?p=5196</guid>
		<description><![CDATA[There&#8217;s an interesting article over at the New Scientist: Sorry Einstein, the universe needs quantum uncertainty. (It&#8217;s not new. I can remember being there, but I can&#8217;t remember how I got there.) The apology to Einstein is because he was never quite happy with uncertainty since God doesn&#8217;t play dice (but as soon as anyone [&#8230;]]]></description>
				<content:encoded><![CDATA[<p><span style="font-size:13px;line-height:19px;">There&#8217;s an interesting article over at the New Scientist: <a href="http://www.newscientist.com/article/mg21428702.100-sorry-einstein-the-universe-needs-quantum-uncertainty.html" target="_blank"><em>Sorry Einstein, the universe needs quantum uncertainty</em></a>. (It&#8217;s not new. I can remember being there, but I can&#8217;t remember how I got there.) The apology to Einstein is because he was never quite happy with uncertainty since God doesn&#8217;t play dice (but as soon as anyone mentions God, you can kiss goodbye to logic and start thinking about mystical unreality).</span></p>
<blockquote><p>Now Stephanie Wehner and Esther Hänggi at the National University of Singapore&#8217;s Centre for Quantum Technology have taken a new tack, recasting the uncertainty principle in the language of information theory.</p></blockquote>
<p>The upshot is that without uncertainty, a particle defies the second law &#8211; it effectively becomes a perpetual motion machine; ergo, the universe requires uncertainty to maintain this false sense of reality we call existence. If everything was in perpetual and perpetually increasing motion and commotion, we would be living in Pandaemonium. Don&#8217;t answer that.</p>
<p>Forgive the ramblings of a non-scientist, but where is the problem with uncertainty? Matter is simply a physical manifestation of energy. The smallest possible particle of matter is the manifestation of a very small amount of energy. The very small amount of energy in that very small particle is sufficient to display position or motion; but not both simultaneously. In order to display both, the matter would need to comprise more energy than the energy it takes to comprise the matter. Nevermind defiance of the second law of thermodynamics, this is a simple absurdity.</p>
<p>It’s just like when you find granddad – or me, for that matter – standing gormlessly at the larder door. He, or I, just about have enough energy to get there, but not enough energy to simultaneously know why we got there. That’s the uncertainty principle in practice; and it’s perfectly understandable.</p>
]]></content:encoded>
			<wfw:commentRss>http://kevtownsend.wordpress.com/2013/05/02/the-uncertainty-principle-has-always-seemed-perfectly-reasonable-to-me/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/77cc02be4113d8d5cff2e437ac327d61?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">kevtownsend</media:title>
		</media:content>
	</item>
		<item>
		<title>The idiom in some Nigerian scams is slightly wanting</title>
		<link>http://kevtownsend.wordpress.com/2013/05/02/the-idiom-in-some-nigerian-scams-is-slightly-wanting/</link>
		<comments>http://kevtownsend.wordpress.com/2013/05/02/the-idiom-in-some-nigerian-scams-is-slightly-wanting/#comments</comments>
		<pubDate>Thu, 02 May 2013 15:22:29 +0000</pubDate>
		<dc:creator>Kevin Townsend</dc:creator>
				<category><![CDATA[All]]></category>
		<category><![CDATA[Security Issues]]></category>
		<category><![CDATA[nigerian]]></category>
		<category><![CDATA[phishing scams]]></category>
		<category><![CDATA[scam]]></category>

		<guid isPermaLink="false">http://kevtownsend.wordpress.com/?p=5193</guid>
		<description><![CDATA[Sometimes Nigerian scammers just don’t quite get the idiom right. A headline screaming at me, Treat as Urgent For Christ Sake probably wasn’t meant to convey the attitude it does. Mrs Marie Smith actually wants to give me a lot of money, because we can “become good friends in the Lord” and do good deeds [&#8230;]]]></description>
				<content:encoded><![CDATA[<p>Sometimes Nigerian scammers just don’t quite get the idiom right. A headline screaming at me, <em><strong>Treat as Urgent For Christ Sake</strong></em> probably wasn’t meant to convey the attitude it does.</p>
<p>Mrs Marie Smith actually wants to give me a lot of money, because we can “become good friends in the Lord” and do good deeds together.</p>
<p>It is sad, though. She’s childless, 57 and only has two months to live; so probably can’t have any children of her own now. Her math is no better than her idiom.</p>
<p>So, Mrs marie_smith38 at AOL, you’ll need a better story than this, for chrissake!</p>
]]></content:encoded>
			<wfw:commentRss>http://kevtownsend.wordpress.com/2013/05/02/the-idiom-in-some-nigerian-scams-is-slightly-wanting/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/77cc02be4113d8d5cff2e437ac327d61?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">kevtownsend</media:title>
		</media:content>
	</item>
		<item>
		<title>LivingSocial got hacked; 50 million passwords stolen, but it still hasn’t learnt all the right lessons</title>
		<link>http://kevtownsend.wordpress.com/2013/04/30/livingsocial-got-hacked-50-million-passwords-stolen-but-it-still-hasnt-learnt-all-the-right-lessons/</link>
		<comments>http://kevtownsend.wordpress.com/2013/04/30/livingsocial-got-hacked-50-million-passwords-stolen-but-it-still-hasnt-learnt-all-the-right-lessons/#comments</comments>
		<pubDate>Tue, 30 Apr 2013 15:29:33 +0000</pubDate>
		<dc:creator>Kevin Townsend</dc:creator>
				<category><![CDATA[All]]></category>
		<category><![CDATA[Security Issues]]></category>
		<category><![CDATA[bcrypt]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[hash]]></category>
		<category><![CDATA[LivingSocial]]></category>
		<category><![CDATA[passwords]]></category>
		<category><![CDATA[salt]]></category>
		<category><![CDATA[SHA1]]></category>

		<guid isPermaLink="false">http://kevtownsend.wordpress.com/?p=5188</guid>
		<description><![CDATA[We learnt over the weekend that LivingSocial got hacked, and 50 million passwords were compromised (I reported on the story for Infosecurity Magazine here: 50 million LivingSocial passwords stolen). We know that the passwords were salted and hashed with SHA1. And we know that LivingSocial thinks that&#8217;s enough, because talking about the hack it said, [&#8230;]]]></description>
				<content:encoded><![CDATA[<p><span style="font-size:13px;line-height:19px;">We learnt over the weekend that LivingSocial got hacked, and 50 million passwords were compromised (I reported on the story for Infosecurity Magazine here: <em><a href="http://www.infosecurity-magazine.com/view/32087/50-million-livingsocial-passwords-stolen/" target="_blank">50  million LivingSocial passwords stolen</a></em>. We know that the passwords were salted and hashed with SHA1. And we know that LivingSocial thinks that&#8217;s enough, because talking about the hack it said, &#8220;The information accessed includes names, email addresses, date of birth for some users, and encrypted passwords – technically ‘hashed’ and ‘salted’ passwords. We never store passwords in plain text.&#8221;</span></p>
<p>It is, of course, far from enough. SHA1 hashed passwords will take only a few seconds to crack using standard rainbow tables. Salted SHA1 hashed passwords will take a little longer, but not much. The only &#8216;correct&#8217; thing LivingSocial has done has been a forced password reset for its users, and a subsequent shift to the more secure bcrypt hashing algorithm. But frankly that&#8217;s too late for any users that have had their passwords stolen if they&#8217;re re-used on other accounts (statistically highly probable).</p>
<p>LivingSocial has so far given no details on who perpetrated the hack, with what, or when. That last is important since all of the users’ other accounts using the same password have been vulnerable since the moment the hackers exfiltrated the data. Nor do we know if the hackers gained access to any salting scripts on the server – which would largely nullify any benefit from the salt process.</p>
<p>I don&#8217;t have a LivingSocial account, so I&#8217;m OK. But I decided to sign up after the hack. The sign-up page wanted an email address. I gave it &#8216;yougottabejoking&#8217;. It also wanted a password. I entered ‘12345678’. It accepted both, and gave me an account – this account:</p>
<div id="attachment_5189" class="wp-caption aligncenter" style="width: 590px"><img class="size-full wp-image-5189" alt="My LivingSocial Account – no prizes for guessing the password..." src="http://kevtownsend.files.wordpress.com/2013/04/lsaccount.png?w=595"   /><p class="wp-caption-text">My LivingSocial Account – no prizes for guessing the password&#8230;</p></div>
<p>Had I done this before the hack, said hackers would now be in possession of both my email address and my password – a password that even salted and hashed would not take long to crack. If I used the same password elsewhere – as many users do – then all of those other accounts would also be cracked.</p>
<p>My point is this. Salting and hashing is pretty useless if the password is weak. Salting and hashing (especially with bcrypt) is very good if the password is strong. So rather than allowing me to enter 12345678, LivingSocial should be imposing a password policy that rejects passwords like it: too short, all digits, and sitting near the top of every cracker&#8217;s wordlist.</p>
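<p>As an added illustration (not LivingSocial&#8217;s code, and not part of the original post), the Python below runs the same small dictionary attack against a salted SHA1 record and against a record made with a slow, tunable hash, then applies the kind of policy check the post asks for. Python&#8217;s standard library has no bcrypt, so PBKDF2-HMAC-SHA256 from hashlib stands in for it; the wordlist, the 12-character minimum and the 100,000-iteration count are constructed for the example.</p>

```python
"""Why salted SHA1 does not protect a weak password, and what would.
Added example, not LivingSocial's code. PBKDF2-HMAC-SHA256 (hashlib) stands in
for bcrypt, which is not in the standard library. Wordlist, record and policy
thresholds are constructed."""
import hashlib
import os
import time

# Constructed mini wordlist, in the order a cracker would try it.
WORDLIST = ["password", "123456", "12345678", "qwerty", "letmein", "iloveyou"]


def sha1_salted(password: str, salt: bytes) -> bytes:
    """Fast hash: one SHA1 over salt||password, the kind of scheme LivingSocial described."""
    return hashlib.sha1(salt + password.encode()).digest()


def pbkdf2_slow(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Slow hash: the cost is tunable, so each guess costs the attacker what it costs the site."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_record(password: str, hash_fn) -> dict:
    """Store the salt beside the hash: it is not a secret and leaks with the dump."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_fn(password, salt)}


def dictionary_attack(record: dict, hash_fn, wordlist=WORDLIST):
    """Try the wordlist against one record. Returns (password, guesses) or (None, guesses)."""
    for n, guess in enumerate(wordlist, start=1):
        if hash_fn(guess, record["salt"]) == record["hash"]:
            return guess, n
    return None, len(wordlist)


def seconds_per_guess(hash_fn, salt: bytes = b"x" * 16, samples: int = 20) -> float:
    """Rough cost of one guess; the ratio between the two hashes is the point."""
    start = time.perf_counter()
    for i in range(samples):
        hash_fn(f"guess{i}", salt)
    return (time.perf_counter() - start) / samples


def password_is_weak(password: str, min_len: int = 12, blocklist=WORDLIST) -> bool:
    """The policy the post asks for: a length floor, no all-digit strings, no known-cracked values."""
    if len(password) < min_len:
        return True
    if password.lower() in blocklist:
        return True
    if password.isdigit():
        return True
    return False


if __name__ == "__main__":
    rec = make_record("12345678", sha1_salted)
    print("salted SHA1 record cracked:", dictionary_attack(rec, sha1_salted))
    print("microseconds per SHA1 guess:", round(seconds_per_guess(sha1_salted) * 1e6, 2))
    print("milliseconds per PBKDF2 guess:", round(seconds_per_guess(pbkdf2_slow, samples=3) * 1e3, 1))
    print("12345678 weak?", password_is_weak("12345678"))
```

<p>The salt is recovered with the dump, so it does not slow the attacker down; what separates the two records is the cost of each guess, and a 100,000-iteration PBKDF2 makes every guess tens of thousands of times dearer than a single SHA1. Even that does not rescue 12345678, which is the third entry in the wordlist, which is why the policy check has to run at sign-up.</p>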
]]></content:encoded>
			<wfw:commentRss>http://kevtownsend.wordpress.com/2013/04/30/livingsocial-got-hacked-50-million-passwords-stolen-but-it-still-hasnt-learnt-all-the-right-lessons/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/77cc02be4113d8d5cff2e437ac327d61?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">kevtownsend</media:title>
		</media:content>


		<media:content url="http://kevtownsend.files.wordpress.com/2013/04/lsaccount.png" medium="image">
			<media:title type="html">My LivingSocial Account – no prizes for guessing the password...</media:title>
		</media:content>

	</item>
	</channel>
</rss>
