
Bletchley Park lands £4.6m restoration bonanza

Wartime codebreakers HQ Bletchley Park has won a grant of £4.6m from the Heritage Lottery Fund.

The much-needed funds will be used to build a visitor centre at the historic WWII number-crunching centre as well as carrying out restoration work on other buildings at the facility – once matched funding of £1.7m from private-sector donations has been raised.

Bletchley Park has launched an “Action This Day” campaign to raise the required private funding.

The codebreakers at Bletchley Park played a vital role in cracking the German wartime Enigma and Lorenz codes providing intelligence that was vital to the Battle of the Atlantic and the D-Day landings. Historians credit the work with shortening the war by up to two years.

After the conflict and while the work remained a top secret, many of the huts and blocks in which the code-breaking boffins toiled away quietly descended into near-dereliction. Over recent years the facility has been transformed into a museum that attracts 130,000 punters a year.

The grant will not only allow the conservation of the buildings but improve the educational offering and visitor experience at Bletchley Park. ®

Bootnote

The Action This Day campaign’s name was derived from Churchill’s reaction to requests for help from the codebreakers, starved of funding and resources at the time, in October 1941. Churchill immediately ordered, “Action this day! Make sure they have all they want on extreme priority and report to me that this had been done.”

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/05/bletchley_park_grant/

Mozilla to Firefox users: Ditch crashtastic McAfee plugin

Mozilla is advising Firefox users to disable a McAfee plugin that the open-source browser supplier blames for a high volume of crashes.

McAfee’s ScriptScan software causes “stability or security problems”, according to Firefox. Users of the software are confronted with a message stating the plugin has been “blocked for your protection”.

“Users are strongly encouraged to disable the problematic add-on or plugin, but may choose to continue using it if they accept the risks described,” the notice states.

“When Mozilla becomes aware of add-ons, plugins, or other third-party software that seriously compromises Firefox security, stability, or performance and meets certain criteria, the software may be blocked from general use. For more information, please read this support article,” it explains.

ScriptScan is a component that comes bundled with McAfee’s VirusScan security software. The technology is designed to scan websites for hostile code. Unfortunately ScriptScan does not play well with Firefox. Versions 14.4.0 and below reportedly cause all versions of Firefox, even the latest 7.x release, to crash.

The issue has generated a splattering of comments on McAfee’s support forums. The Intel security division is reportedly working with Mozilla in developing a fix. In the meantime, surfers have the choice to either re-enable ScriptScan; rely on McAfee SiteAdvisor or other tools to warn about bad sites; or choose a different browser. The problem appears to be restricted to Firefox.

Recent versions of Firefox, prior to the 7.0 release, were memory hogs that had a tendency to crash all on their own, so it may be that McAfee is only partially to blame for this problem. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/05/moz_mcafee_security_plugin_crash_warning/

Belgian telcos ordered to blockade Pirate Bay

The Belgian Anti-Piracy Federation (BAF) has urged all Belgian ISPs to block Swedish freetard site The Pirate Bay after a higher Antwerp court ordered Belgian cable company Telenet and telco Belgacom to make the site inaccessible to their subscribers.

The banning order comes after an Antwerp Commercial Court last year found such a measure “disproportionate”.

In 2010 BAF took Telenet and Belgacom to court after lengthy negotiations fell through. BAF believed that many Belgian films, TV shows and albums of Belgian artists were offered unlawfully for download online alongside international titles.

“It is the government’s responsibility to protect the legal economy and to enforce the law, also on the internet,” managing director Christophe Van Mechelen said in a statement.

“Our entertainment industry needs to be protected from incurring further losses caused by illegal downloading and sharing.”

The Antwerp Court of Appeal has now overruled the decision of the Commercial Court and ordered Belgacom and Telenet to initiate DNS blockades of at least 11 domains related to The Pirate Bay, the infamous bittorrent site. Telenet and Belgacom represent over 80 per cent of the Belgian broadband internet market.

Non-profit Belgian advocacy group NURPA was quoted as saying the decision sets a “dangerous precedent” for blocking of content by internet service providers in Belgium and abroad.

Until recently, only a district court in Hamburg had ordered a German ISP to unplug access to the site or see its staff face two years in prison or a $250,000 fine for each example of copyright infringement found.

However, in the Netherlands a lower court last year decided that cable operator Ziggo and KPN-owned ISP XS4ALL do not have to block The Pirate Bay as was requested by Dutch lobby group BREIN. The court believed blocking the entire site was “unjustified” since ISPs can’t be held liable for the actions of individual users. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/05/belgian_piratebay_ban/

Judge cracks down on Bayesian stats dodginess in court

Analysis A judge in a (sadly unnamed) British case has decided that Bayes’ Theorem – a formula used in court to calculate the odds of whodunnit – shouldn’t be used in criminal trials.

Or at least, it shouldn’t be relied upon as it has been in recent years: according to the judge, before any expert witness plugs data into the theorem to brief the jury on the likelihood that a defendant is guilty, the underlying statistics should be “firm” rather than rough estimates. The decision could affect things like the odds of matching drug traces, fibres from clothes and footprints to an alleged perp, although not DNA.

In a murder appeal case, brought after a man was convicted on the basis of his footwear almost matching a print linked to the crime, this precise point was made:

The data needed to run these kinds of calculations, though, isn’t always available. And this is where the expert in this case came under fire. The judge complained that he couldn’t say exactly how many of one particular type of Nike trainer there are in the country. National sales figures for sports shoes are just rough estimates.

Mathematically leaning Reg readers will be able to make much more sense of the details than I as a mere journo will be able to. But from a legal point of view this looks like a good ruling.

Yes, Bayes’ Theorem can indeed be used most usefully to make estimates, which give us a good idea of what is likely to have happened. However, that’s not quite the same as giving us the information leading to “beyond reasonable doubt” which is what we require before locking someone up.

More than that, the way that the statistics are presented can be more than a tad misleading. For a start, the jury is made up of the general population, not exactly a hotbed of sophisticated statistical reasoning, and being told by experts that there’s a one in a million chance leads to an all too common error.

A DNA match to one in a million does not mean that it’s a million to one against the bloke ‘aving done it, m’lud. Rather, it means that in a population of 65 million, 65 people, based purely on the DNA, could have done it. Our DNA tests thus mean that we now have to go and exclude those other 65, or at least regard them as the prime pool of suspects, not convict our man in the dock purely on the basis that one in a million is beyond that reasonable doubt. Yes, these sorts of mistakes are made in the chain of reasoning.

It can get worse, of course – mentioning no names, no pack drill as it’s still a case that gets people het up – the likelihood of any one child dying a cot death is 1 in 79,000 (entirely made up number for illustrative purposes). Two children from the same family dying of cot death is thus 1 in 79,000 x 79,000 which is 1 in 6,241,000,000. One in six billion, so, members of the jury, you know what to do: lock up the mum.

This was actually the logic used by one eminent expert witness: the appeal was eventually allowed, some years later, when it was pointed out that cot death might not actually be an independent event, that perhaps there is a genetic predisposition to it, perhaps the environment means that one cot death increases the chance of a second one. Given one cot death, the chance of a second might only be 1 in 1,000. Or 2,000 (again, made up numbers) which we most certainly wouldn’t want to use as the basis of “beyond all reasonable doubt”.
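The two arithmetic traps in the paragraphs above, the “one in a million” misreading and the cot-death independence assumption, worked through as an added example in Python (this is not code from the article). The one-in-a-million match rate, the 65 million population and the explicitly made-up cot-death figures are the article’s; the uniform prior and the assumption that the true source always matches the evidence are mine, introduced so that Bayes’ theorem can be applied.

```python
from fractions import Fraction

# Figures from the article: a one-in-a-million match rate, a population of
# 65 million, and the (explicitly made-up) cot-death numbers.
MATCH_PROBABILITY = Fraction(1, 1_000_000)   # chance an unrelated person matches
POPULATION = 65_000_000                      # people who could, in principle, have done it
COT_DEATH = Fraction(1, 79_000)              # illustrative figure from the article
COT_DEATH_GIVEN_ONE = Fraction(1, 1_000)     # illustrative conditional figure from the article


def expected_chance_matches(population, match_probability):
    """How many people in the population are expected to match by chance alone.
    These are the people who would have to be excluded before a match means much."""
    return population * match_probability


def posterior_probability(prior, match_probability):
    """Bayes' theorem: P(source | match).

    prior             -- P(this person is the source) before the match evidence
    match_probability -- P(match | not the source), the random-match rate
    Assumption (mine, not the article's): the true source always matches,
    so P(match | source) = 1.
    """
    p_match = prior + match_probability * (1 - prior)   # law of total probability
    return prior / p_match


def naive_odds_against(match_probability):
    """The prosecutor's-fallacy reading: 'one in a million' taken as million-to-one
    odds that the defendant is innocent. Returned for comparison only."""
    return 1 / match_probability


def two_events(p_first, p_second_given_first):
    """Probability of two events: multiply by the *conditional* probability of the
    second. Passing p_first again as the second argument is exactly the
    independence assumption the article's expert witness made."""
    return p_first * p_second_given_first


def summary():
    """Assemble the comparisons the article draws, as exact fractions."""
    # With no other evidence, everyone in the population is equally likely (uniform prior).
    uniform_prior = Fraction(1, POPULATION)
    return {
        "expected_matches": expected_chance_matches(POPULATION, MATCH_PROBABILITY),
        "naive_odds_against": naive_odds_against(MATCH_PROBABILITY),
        "posterior_with_uniform_prior": posterior_probability(uniform_prior, MATCH_PROBABILITY),
        "two_cot_deaths_if_independent": two_events(COT_DEATH, COT_DEATH),
        "two_cot_deaths_if_dependent": two_events(COT_DEATH, COT_DEATH_GIVEN_ONE),
    }


if __name__ == "__main__":
    for name, value in summary().items():
        print(f"{name}: {value} (~{float(value):.3g})")
```

With a uniform prior the match evidence lifts the defendant from one in 65 million to roughly one in 66: the 65 other expected chance matches plus the defendant. The naive reading would have put the odds of innocence at a million to one. Likewise the cot-death figures drop from one in 6.2 billion under the independence assumption to one in 79 million once the made-up conditional figure is used instead.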

Neither I, the judge, nor anyone else has any serious doubt about the usefulness of Bayesian reasoning in evaluating evidence in court cases. But the techniques have been so badly understood, even by experts, in recent years that a rethink, a stop and a reasoning through all of the implications, doesn’t sound like a bad idea. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/05/bayes_formula/

Security by obscurity not so bad after all, argues prof

Security by obscurity may not be so bad after all, according to a provocative new research paper that questions long-held security maxims.

Kerckhoffs’ Principle holds that withholding information on how a system works is no security defence. A second accepted principle is that a defender has to defend against all possible attack vectors, whereas the attacker only needs to find one overlooked flaw to be successful, the so-called fortification principle.

However a new research paper from Prof Dusko Pavlovic of Royal Holloway, University of London, applies game theory to the conflict between hackers and security defenders in suggesting system security can be improved by making it difficult for attackers to figure out how their mark works. For example, adding a layer of obfuscation to a software application can make it harder to reverse engineer.

Pavlovic compares security to a game in which each side has incomplete information. Far from being powerless against attacks, a defender ought to be able to gain an advantage (or at least level the playing field) by examining an attacker’s behaviour and algorithms while disguising defensive moves. At the same time defenders can benefit by giving away as few clues about their defensive posture as possible, an approach that the security by obscurity principle might suggest is futile.

Public key encryption works on the basis that keeping the algorithm used to derive a code secret is useless, and that codes, to be secure, need to be complex enough that they can’t be unpicked using a brute force attack. As computer power increases we therefore need to increase the length of an encryption key in order to outstrip the computational power an attacker might have at his disposal. This still holds true for cryptography, as Pavlovic acknowledges, but may not be the case in other scenarios.

Pavlovic argues that an attacker’s logic or programming capabilities, as well as the computing resources at their disposal, might also be limited, suggesting that potential shortcomings in this area can be turned to the advantage of system defenders.

The paper, which is likely to spawn a lively debate, Gaming security by obscurity, can be found here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/05/security_by_obscurity/

HTC to plug private data backdoor leak slurp vuln

HTC has admitted some of its Android handsets have a flaw which could allow malicious apps to read customer locations and account details, but a fix is on the way.

The flaw was spotted last week and HTC was alerted to it; now the mobe maker has admitted the problem exists and is working towards developing a fix that will be pushed out to handsets as soon as it’s properly tested.

The vulnerability stems from HTC’s decision to log user activity using an application which was, itself, unsecured. Applications that successfully asked for internet privileges could access the logging application and slurp details of user accounts and locations as well as various bits of system information.

The flaw was spotted by one Trevor Eckhart, who dropped HTC a line and gave the company five days to respond before taking the matter public, on the grounds of responsible disclosure, with a detailed breakdown of the vulnerability and some demonstration code.

HTC is keen to point out that it has no evidence of anyone exploiting the vulnerability, at least not yet, and that it is “working very diligently to quickly release a security update that will resolve the issue on affected devices”. That patch will be sent out over the air once it’s been given the green light by testers, so HTC users should expect to see it soon.

Until then they might like to hold off installing applications which ask for internet privileges, though that is most of them these days. HTC reckons customers should avoid “installing and updating applications from untrusted sources”, but given the security of Google’s Marketplace relies entirely on peer reporting it might be better to hold off installing any unknown brands until the fix is in. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/04/htc_security_fix/

Hospital data boob: Records left in bin room got binned

Bungling hospital staff accidentally destroyed patient data after a worker put 10,000 records in the wrong room, an investigation by the Information Commissioner’s Office [ICO] revealed today.

The lost records were boxed up and put in a ward waste disposal room because there wasn’t enough space in the proper storage room, the ICO probe found. It is believed that the records were then accidentally removed and destroyed between 28 and 31 December 2010.

Darent Valley Hospital, in Dartford, Kent, failed to clock that the information was missing for three months.

It’s unknown exactly how much personal information was in the 10,000 records but it is believed that they contained the addresses and contact details of some staff and former patients and a limited amount of medical information relating to the patients’ previous treatment. The majority of the records are believed to be several years old.

The Dartford and Gravesham NHS Trust has told the ICO that the loss of these records does not pose a clinical risk to the people affected.

Acting Head of Enforcement at the ICO, Sally Anne Poole, said: “Although the majority of information lost was several years old and only being kept for archiving purposes, there is no excuse for failing to keep it secure. The hospital should have ensured that the records were kept in a safe area.”

The ICO ruled that the trust had breached the Data Protection Act by accidentally destroying the archived records and has ordered it to take action to ensure that staff are aware of data protection policies.

Maybe they should get a bigger storage room, too. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/04/nhs_bins_patient_records/

Facebook: ‘We didn’t patent stalking logged-off users’

Facebook has rebuffed claims that a patent it was recently granted describes the ability to track logged-out users.

A company spokeswoman told The Register that the “Communicating Information in a Social Network System about Activities from Another Domain” patent, which was granted by the US Patent Trademark Office (USPTO) on 22 September, was about “creating a social experience”.

She said it wasn’t intended to track users as claimed by various bloggers over the weekend, adding: “That is my understanding, anyway.”

Facebook pointed at section 0099 in the patent document, in an effort to assure us that it wasn’t tracking anyone not logged into the network.

“Some people have suggested that this application is intended to patent tracking of logged out users. Nothing could be further from the truth,” retorted the company.

“Instead, a careful reading of the application shows that the patent is actually describing a fundamental part of Facebook Platform – creating social experiences across the web without logging into Facebook repeatedly or third-party sites at all.”

Facebook applied for the patent on 8 February this year, and the invention was granted by the USPTO last month. On the 23 September – the day after the patent was anointed – the company revised its data use policy.

But there isn’t actually a smoking gun in the document, even if it does mention the word “unicorn” by way of explaining how its “conversion tracking” works.

Conversion tracking – measuring how many people actually go on to buy or do something with a site after clicking through an advert – is a method long used by the likes of Google and Microsoft to grease their ad engines and ultimately generate more cash from marketing campaigns.

In fact, conversion tracking isn’t new to Facebook either. It seems the latest patent simply demonstrates how the company is trying to refine its tech to squeeze more revenue juice out of other websites that use its social plugins, and in turn help advertisers nail how effective their ads are.

Here’s more from the firm’s spokeswoman: “What is being described in section [0099] of the application is the fact that you don’t have to log into Facebook again at each third party site in order to see social plugin content. You just have to be currently logged in to Facebook when you visit the site.”

A unicorn shies away from an approaching patent lawyer

Put another way, if you’re running Facebook on the same browser as the one you use for all your surfing needs on the net, then expect the ubiquitous social network to track many of your online clicks via its huge, pulsating [horrid biztalk alert] partner ecosystem.

And it’s important to note that Facebook confirmed two years ago that it would soon be sharing much more user data with its ad pals.

“Most advertisers already do this [conversion tracking] in other places on the web. Should Facebook provide this, we’ll continue to respect your privacy by not sharing your information with advertisers, and we’ll anonymise any information we receive,” said the company in October 2009.

Now, ahead of going public next year, the “Communicating Information in a Social Network System about Activities from Another Domain” patent simply demonstrates that Facebook is serious about playing with the big boys when it comes to juicing data online.

For some time the Mark Zuckerberg-run outfit has been morphing into a platform. Its wonks insist, too, that they don’t really think of themselves as a social network.

All very true. Facebook is a company vying to be the world’s biggest ad broker by building its very own content silo with search powered by Microsoft’s Bing. Third parties are invited to enter Zuck’s ranch as long as they play by his rules. See the recent Spotify romance for reference.

Facebook might argue convincingly that it doesn’t need Google to achieve all of this. But the truth will out only after the company that is said to be worth more than UK retail giant Tesco drops its private tag and starts sharing its revenue secrets with the world. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/04/facebook_patent_conversion_tracking/

Look who’s talking … about your Facebook Page

Facebook has launched new ways to help its advertisers bank sackfuls of cash and no doubt cause privacy advocates to despair.

The social network has introduced Page Insights tools, due to go into the wild in the next week or so, which let Page owners see the number of friends of fans of a page, the total likes of the Page, the weekly total reach of a Page and the new ‘people talking about this’ metric.

Its emailed statement opined:

Facebook has enhanced Insights to show brands how to get more people talking about and sharing the things brands put on their Pages, which is key to getting a brand’s message out to more people. And research shows that word-of-mouth conversations among friends are the most influential for getting a brand’s message across.

The ‘people talking about this’ metric will count “stories” – meaning anything that is “eligible to appear in a user’s news feed”. According to Facebook, this will – deep breath – include:

  • Page likes
  • Posts on the Page’s wall
  • Liking, commenting or sharing Page posts, photos, videos, albums or any other type of content
  • Answering a question posted by a Page
  • RSVPing to an event
  • Merely mentioning a Page
  • Tagging a Page in a photo
  • Liking or sharing a check-in deal
  • Checking in at a Place.

So anytime anyone does any of that long list of things, it’ll be added to a public post of the number of times the brand has been talked about. The actual “story”, i.e. the post, like or whatever, will not be shown.

The metric will include numerical breakdowns, private to Page admins, that will show how much a certain topic the brand posted on its Page was talked about.

A Facebook spokesperson told The Register that “there will be a range of numerical insights designed to help brands understand which types of engagement are most effective – through figures for reach, engaged users, people talking about this and virality”.

Facebook is also introducing the ‘premium ad unit’, an ad for a product that combines Page posts about it with “social context” from your friends. In other words, you’ll see an ad for, let’s say Yummy Vulture Cola, that has a post from its Page and if any of your friends have liked the Page or commented on it, you’ll see that too.

Facebook said:

Social context in advertising makes ads more effective and persuasive. It leads to a 68 per cent increase in people recalling the ad. And better yet, people are 2 times more likely to remember the message of the ad and 4 times as likely to make a purchase.

Although the new Insights are anonymous because only the figures are given out, they’re likely to spark the ire of those already wound up about so-called social ads, who say that Facebook is daring to use people’s personal online activity for profit.

The Facebook spokesperson said that users were in a sense already opting in when they chose to like a brand’s Page or post on its wall, and when it came to social ads like the ‘premium ad unit’, people could choose to opt out through their settings.

They also emphasised that “Facebook only shares anonymous and aggregated data with brands”.

“No personally identifiable information is shared,” they added.

The social media firm is used to running afoul of privacy pushers, particularly as it has grown ever larger and more integrated with the rest of the web. Most recently, Facebook has been defending itself against claims that a patent it was recently granted describes the ability to track logged-out users. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/04/facebook_starts_counting_conversations/

McAfee, IBM gobble rival security-intelligence firms

McAfee and IBM have both bought into the expanding security intelligence market with the acquisition of start-ups NitroSecurity and Q1 Labs, respectively. Financial terms on both deals, announced Tuesday, were undisclosed.

Both NitroSecurity and Q1 Labs make software tools that allow enterprises to make sense of security logs collated from multiple sources (such as firewalls, anti-virus defences and IDS/IPS systems) in order to spot incoming hacking attacks and malware outbreaks. HP bought the most established vendor in the market segment, ArcSight, for $1.5bn last year.

IBM intends to add Q1 Labs to its newly established Security Systems division, which will integrate various security software, appliances, lab offerings and services under a single umbrella. Q1 Labs is the latest of 10 security acquisitions IBM has made over the last decade, and one of the most notable. The deal will help IBM to compete in the mainstream security technology products marketplace and not just in services and consultancy, its traditional sphere of expertise.

NitroSecurity and Q1 Labs competed in what some analysts refer to as the security information and event management (SIEM) market. The segment grew 15 per cent from $858m to $987m last year, according to Gartner.

Veteran analyst Clive Longbottom of Quocirca told El Reg that whether NitroSecurity and Q1 Labs continue to compete will depend on how the new owners position their respective technologies. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/04/mcafee_ibm_security_buys/