mailto: blog -at- heyrick -dot- eu

Navi: Previous entry Display calendar Next entry
Switch to desktop version

FYI! Last read at 18:59 on 2024/11/21.

But first a word from our sponsors...

This is a pseudo-political rant. If this sort of thing does not interest you, click here for pictures of Justin Bieber.

...

No idea who the hell Bieber is, I've seen the name crop up a few times. Looks like some tweeny trying too hard to be an imitation rapper. Whatever.

Failing that, click here for loveliness!

Still here? Okay, let's get on with the show!

 

France does it again

It seems France has a knack of voting in dubious legislation. One could be bitchy and ask how much this is for the good of the country, and how much this is for the good of the Sugar Daddy.

Anyway, the 1st of March saw the introduction of (ready?) "Décret n° 2011-219 du 25 février 2011 relatif à la conservation et à la communication des données permettant d'identifier toute personne ayant contribué à la création d'un contenu mis en ligne" (phew!).

Translation: Decree 2011-219 (of 25th Feb) relating to the preservation and communication of identifying information for everybody who puts content on-line.

Scary? Not really. For the most part this is just codifying in law that which has been kicking around for ages. Like if you're a big torrent seeder and you upload dozens of bluray rips, somebody is going to come looking for who you are based on a time and an IP address.
What we are effectively looking at is some legislation to put into place a measure of how to identify who posted specific content on-line.

Here are the requirements (from article 1):

Actually, some of the recording going on here (protocol, nature of the operation) reminds me a little of Phorm. I am thinking that more and more people ought to start to consider an encrypted VPN. Well, at least until that is defined as unlawful...

For subscribers they also want access to:

Translation: The password and the information needed to verify or change, in their latest updated version.

There isn't enough WTF in my head to wrap around that one.

No way in hell this should have passed into legislation. Given the government and the legal process is giving themselves the ability to walk in and snarf all your information, there is absolutely nothing you can say or truths you can spin that will justify the transmission of passwords (if in cleartext) or hashes (if not). It is like your bank asking you for your PIN, or your sysadmin asking you for your login password. You bank already has access to your account, PIN not required. Your sysadmin can manage your user account, login password not required. And likewise, under the provisions of this law, officials can access your ISP's account information, password not required.
This might have been a vote-in by technically illiterate people who were given a good sob story, it might have been a data grab that didn't get noticed. But in any case it is overstepping the mark to ask for passwords. This isn't the same as a police official demanding you provide encryption passwords for files on your computer, this might not even involve you. Which means if you are "suspected" of something, sufficient information can be released to stand a reasonable chance of impersonating your identity elsewhere. Do I trust the police and the government? Tell me why I should trust a government that voted this in in the first place?

It is, however, fundamentally flawed. For only very lame sites store passwords in the clear. These are the ones that helpfully email you a non-encrypted confirmation message which... includes your password.
Better sites perform a "hash". A (usually) one-way algorithm which converts your password into a unique identification code. A dead-simple idea could be a five-digit code like "8E4F1" which is comprised of the length of the password (the '8') followed by the 16 bit CRC of the password (0xE4F1). When you enter the password in the future, the same calculation is performed and if the result value matches you are granted access. Real-world systems are better, but you get the idea.
However... Hashes are weak in that when the hash code is known, it is wide open. To give an example, I have (somewhere, it is from fifteen years ago) a big text file which provides suitable passwords for every possible hash value of the ArcBBS login system. I don't actually need this, as being the SysOp I had access to the management tools, however if my login hash was 49A1, I could just look it up in the list and find a working alternative password. How was this possible? Simple - with the hash algorithm known, somebody just threw a few spellcheck dictionaries at it, and whenever a hash result was encountered that was not already known, that result was remembered. It took time, and a fair bit of processing. But the end result was a file that provided a working word to use for any hash value.
The way around this, in addition to tweaking the hash algorithm, is to use a salt value that is specific to that particular service. For example, in our CRC routine, we could fudge in starting from the value 0xDEAD instead of from zero. So identical logins (only with different salting) would give entirely different CRC values.
Which means, in essence, that there isn't a lot of point in trying to ask for hashed passwords unless you plan to legislate that service providers are obliged to release all of the details of their security management. And if that is considered, the Sarko government might find The Big Boys pack up shop and leave France. Security and encryption are worthless if you blab (or are forced to blab) to whoever (who probably does not have a rock-solid process to ensure this data is treated with the respect it requires).

It then carries on to include for subscription payments, the type of payment (direct debit? plastic? chocolate chip cookies?), the payment reference, the amount, and the time of the transaction.

This all should be preserved for one year (and in the case of contracts, for one year following the termination of the contract).

There is little I need to say in addition to this. In fact, there is little that can be said without having to pick my jaw up off the floor.

But remember - France is the country where the idea of three strikes is, supposedly, active. Where the process is weighted strongly in favour of the content owner (to the degree of sidestepping most of the tenets of "innocent until proven guilty"), and where it was not deemed necessary to inform you of what the supposed infringement was, and who is complaining. While, I should point out, the original levy on blank media continues.
I would hope that the next government (which is unlikely to be Sarko's rowdy mob) would look to sorting out some of the dodgy legislation, but I doubt it. Only if it becomes a big election point (like UK's Con-Dem and the widely detested ID cards) will anybody bother to do anything...

Read the full text of this legislation (in French... duh! ☺)

 

It is a difficult call. There is unlawful activity taking place on-line. I myself have been a party to it, every time I listen to a song on YouTube that I cannot easily obtain elsewhere. Technically it is unlawful. In reality it is a missed sales opportunity, but the content providers wouldn't see it that way.

In any case, it looks as if the mood of The Powers That Be has swung from targetting known suspects to just simply suspecting and monitoring everybody.
Hello France, 2011. Just like the Soviet Bloc, 1970. Perhaps it is time to learn how to spell (and say?) "Komitet gosudarstvennoy bezopasnosti"...

 

Your comments:

oje, 17th April 2011, 17:03
Very scary, what's next the mind control? 
It look looks like Orwel was right about our future.
Steve, 24th May 2011, 23:53
Yeah, it sucks. But it's been the same in the UK for ages, I think - RIP Act, c 2005? (We do lead the world in oppressive social monitoring.) Any idea which countries *don't* suck? I guess I need to know which language I should start learning ready to emigrate...

Add a comment (v0.11) [help?]
Your name:

 
Your email (optional):

 
Validation:
Please type 18012 backwards.

 
Your comment:

 

Navi: Previous entry Display calendar Next entry
Switch to desktop version

Search:

See the rest of HeyRick :-)