Wednesday, 30 December 2015

2016: Year of the Red Fire Monkey

2016 has some interesting features with a leap year, the summer olympics in Rio and the space craft Juno hopefully arriving on Jupiter.

In Chinese culture the New Year in February moves from the year of the sheep to the year of the red fire monkey. Much more exciting.

In the digital space I am going to make a few general predictions for review this time next year (hopefully broadly worded so that a degree of success can be claimed in any event).

1. Security of digital IP will move further up the agenda with large scale hacks continuing. Awareness will grow that increased resource needs to be applied to this sector and business models altered. Technology only solutions will be seen to be only one part of the puzzle.
2. The internet of things will accelerate even faster which feeds into point 1 above.
3. Automation via intelligent software will advance even more quickly, biting into certain job sectors and again feeding into point 1. Analog-only and human-heavy administrative models will be severely squeezed.
4. Governments will seek & secure much greater control over the internet via legislation and the sins of the past will weigh heavily on them in the freedom & privacy versus security debate.
5. A major consumer brand in the digital space will run out of cash due to an inability to monetize its user base.
6. The fastest revenue growth will be in automated software based models with worldwide application requiring minimal human input. Some stars will emerge in this area in 2016.
7. The digital single market will play a role in the debate over whether the UK should stay in the EU and David Cameron will secure enough concessions for the UK to vote to remain in. With France sniffing around the politics of Le Pen, Germany would be insane to let the UK leave.

To end on a high note, have a few laughs courtesy of Modern Family via YouTube...

Tuesday, 22 December 2015

Information control: individual trust in the state

2015 may be seen as the year in which the state started to try to regain control over the internet.

In the UK we have the Investigatory Powers Bill, in Europe the new Data Protection Act and in the US the Cyber Security Act.

Going the other way the United Nations chipped in with a Draft Resolution supporting freedom of the internet from state control and stressing the need for freedom of expression, privacy and right to peaceful assembly.

Arguably everything was going along quite nicely with massive levels of state surveillance going on undetected until Edward Snowden decided enough was enough in what are supposed to be liberal democracies. Hero or villain he certainly made an impact.

Quite clearly the internet should not be a free for all and the state should be able to check for illegal activity in a reasonable way to protect national security and be able to stop blatantly illegal activity quickly. Incidents in Paris and elsewhere in the world make an unanswerable case.

However, at the other end of the scale, petty and vindictive activities of the type described re Constable Savage below (Happy Xmas) are facilitated by mass surveillance and should be clearly ruled out. The odd bad apple who misuses state surveillance powers for their own ends needs to be dealt with as harshly as the journalists put through hell on phone hacking charges.

The elephant in the room is a question of trust by the individual in the state and the importance therefore that the state does not abuse the surveillance powers it is granting to itself.

Friday, 18 December 2015

The Force Awakens - but not on YouTube

The much anticipated new Star Wars movie "The Force Awakens" provides an opportunity to get a snapshot of how effective the various anti-piracy initiatives of the Hollywood Studios are at this point.

The movie opened simultaneously worldwide, which removes massive unmet demand spikes in delayed territories. The preview evening on Thursday night was reported to generate $50-55 million and the opening weekend looks to be on course to break the current revenue record of $208.8m held by Jurassic World.

A quick review of Google with a request for a free download of the new movie showed the following options on page one, suggesting that perhaps Darth Vader / Kylo Ren is not managing the anti-piracy initiatives on the Google search platform.

Some links look to have been removed using the Google DMCA process, but this is limited at this point to 8 against the identified search terms.

YouTube by contrast seems very much under control with very little in the way of rebel activity being tolerated.

So a very brief summary would conclude that the "legitimate" platforms such as YouTube are under control, the outer reaches of the web are clearly not and the movie is likely to break all box office records.

Just for fun, the best piece of Star Wars tribute video ever (IMO).

Thursday, 17 December 2015

The liability aspect of handling personal data - 4% of turnover

It seems that Europe has had enough of companies processing personal data without appropriate consideration and safeguards in place.

Earlier this week wording was agreed for new data protection legislation which is expected to come into force in 2 years.

Key wording is that personal data must be "processed in a way that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures".

The agreed wording identifies the types of issues that companies might consider to meet this threshold:

1. Pseudonymisation / encryption of personal data
2. Ability to ensure ongoing confidentiality, integrity, availability and resilience
3. Data restoration post breach
4. Regular testing

The bottom line is that the profitability of data processing will drop as the costs of maintaining a secure digital environment are material and most businesses will face additional compliance costs. As a minimum companies who process personal data will require either in house or as a contractor an individual who can assess digital security risks sensibly and address problems (a data protection officer).

Amusingly the governments have secured broad exceptions to these rules even though they tend to make the greatest howlers in this area - see Edward Snowden.

On that note, a clip from Catch 22...

Wednesday, 16 December 2015

EU starts to get to grips with the Digital Age - new data protection rules text agreed

Despite a lot of lobbying activity from "big data" the EU has managed to agree the text of a new data protection framework with new rules to come into force in 2018.

The previous directive was established in 1995, which is now a world away in terms of technology and data storage.

The key difference is that companies can be fined up to 4% of turnover for failing to comply and in particular for failing to keep personal data safe.

The chain of liability also extends beyond the data controller to any data processors and third parties involved. The significance of the latest hacks would be much greater and more financially punitive for those attacked and their suppliers if they had failed to adequately protect data.

Other elements are the right to be forgotten (or erasure), the need for a data protection officer, the requirement to report breaches, parental consent for 13-16 year olds to use social media, a single supervisory authority and some rights regarding portability of content.

No doubt much will be lost in translation into local legislation and if the UK votes to exit the EU this will be rather irrelevant.

However hats off to MEP Jan Philipp Albrecht for guiding this through the European Parliament. It is far from perfect but does seem a reasonable attempt to bring legislation up to date with the Digital Age and force companies who harvest our data to take reasonable steps to protect it.

Monday, 14 December 2015

Top Hack of 2015 ? Tesla Model S

In the past I have been referred to as a "bit of a hacker" but that was before Edward Snowden decided to be a hero / villain (delete as preferred) and change the landscape & narrative completely.

Some of the hacks of 2015 can be listed as worthy of mention - here goes - Ashley Madison, VTech, Vodafone, TalkTalk, JD Wetherspoon, Office of Personnel Management, Anthem, Premera, IRS, Slack, the FBI portal, Carphone Warehouse, Samsung and Hilton. This does not include the long running media company hacks of live feeds by sites such as CricFree.

Without a clear definition of "hack" it is very difficult to identify a winner. The OED defines hacker as below.

This leaves a lot of room for manoeuvre and does not necessarily suggest that hacking breaks the law.

With that latitude my favourite is the hack of the Tesla Model S by Marc Rogers and Kevin Mahaffey - watch the video below.

Wednesday, 9 December 2015

Spear phishing cyber attacks successful 17-35% of the time

In mythology mermaids would lure sailors onto the rocks with the beauty of their singing.

Today spear phishers target companies and individuals with custom made malware that provides full system access. This is delivered mostly via email which appears legitimate and entices the receiver to click on a link of some kind in return for information or reward.

Once clicked systems can be completely taken over and valuable IP taken and the reputation of the company trashed.

As the attack is custom made, automated detection systems mostly miss the threat, since by definition it cannot already exist in any previous scanning database.

No real surprise then that, according to Arun Vishwanath, Associate Professor at the University at Buffalo, these attacks are so successful. In 2014 there were apparently 400 million cyber attacks in the USA, so the scale of this threat is huge (a favourite term of that odd man Donald Trump).

The easiest defence against spear phishing is never to open an email from someone you don't know and, most particularly, not to click on links or files within that email. It is also necessary to check exact email addresses, as spear phishers are keen on email addresses that look very similar to addresses you might know.

That coming awareness will badly damage email marketing and introduce some healthy caution into how companies and individuals manage their digital affairs. Slapping on a free anti-virus and hoping for the best will start to look negligent.
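
The "check exact email addresses" advice above can be automated at the mail gateway. The following is an added example, not code from the original post: it classifies the domain in a From: header against a constructed list of trusted domains (an assumption for the example) and flags digit-for-letter homoglyphs, near-miss spellings, and a trusted brand embedded in an unrelated domain or display name.

```python
from email.utils import parseaddr

# Constructed list of domains this organisation trusts (an assumption for the
# example; a real gateway would load this from its configuration).
TRUSTED_DOMAINS = ("example.com", "klipcorp.com", "talktalk.co.uk")

# Substitutions commonly used to build a lookalike domain.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"}
DIGRAPHS = {"rn": "m", "vv": "w"}


def normalise(domain):
    """Fold common lookalike substitutions back to the letters they imitate."""
    d = domain.lower()
    for pair, letter in DIGRAPHS.items():
        d = d.replace(pair, letter)
    return "".join(HOMOGLYPHS.get(ch, ch) for ch in d)


def edit_distance(a, b):
    """Levenshtein distance by dynamic programming (single-row version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header):
    """Return (verdict, trusted_domain) for a From: header value.

    verdict is one of "trusted", "lookalike", "unknown" or "malformed".
    """
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return ("malformed", None)
    domain = addr.rsplit("@", 1)[1].lower()
    folded = normalise(domain)

    # Pass 1: the exact trusted domain or a genuine subdomain of it.
    for trusted in TRUSTED_DOMAINS:
        if domain == trusted or domain.endswith("." + trusted):
            return ("trusted", trusted)

    # Pass 2: anything that merely resembles a trusted domain.
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if folded == trusted:
            return ("lookalike", trusted)  # ta1kta1k.co.uk, exarnple.com
        if edit_distance(domain, trusted) <= 2:
            return ("lookalike", trusted)  # talktalks.co.uk, talktalk.co.uk.
        if brand in domain:
            return ("lookalike", trusted)  # talktalk-secure.com
        if brand in display.lower():
            return ("lookalike", trusted)  # "TalkTalk Billing" <x@unrelated.org>
    return ("unknown", None)


# Constructed sample headers as they might arrive at a gateway.
SAMPLE_HEADERS = [
    '"IT Helpdesk" <helpdesk@talktalk.co.uk>',
    "helpdesk@ta1kta1k.co.uk",
    "billing@talktalk-secure.com",
    '"TalkTalk Billing" <acc@unrelated.org>',
    "news@unrelated.org",
]


def flag_lookalikes(headers):
    """Return the headers that resemble, but are not, a trusted sender."""
    return [h for h in headers if classify_sender(h)[0] == "lookalike"]


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(f"{header!r:45} -> {classify_sender(header)}")
```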

Tuesday, 8 December 2015

Polestar going down ?

Reports in the Sunday Times over the weekend suggested that the UK's largest newspaper and magazine printer would be insolvent by Xmas. The source of the information was a leaked report provided by Deloitte. Similar businesses like DC Thomson in Dundee have experienced difficulty as everything switches to digital, so is this another classic story of creative destruction?

The main shareholder in Polestar is Florida based Sun Capital, who have about $8.9 billion of capital under management. Is it possible that there is another angle to this story and that Sun Capital have spotted that if Polestar goes down then a large number of publishers will not be able to get the paper product to the customers? This would leave them facing liability with consumers and advertisers over the vital Xmas period. Digital is of course a route to market, but the subscription rates and advertising rates are still wildly disparate between the two areas, with old school publishing commanding much higher rates.

This is an extreme negotiating tactic but may force better commercial terms for Polestar from its key customers who cannot survive without them.

Friday, 4 December 2015

Wetherspoons don't notice major hack for 6 months - proposed European legislation could mean fine of £65 million

Hot on the heels of TalkTalk and Vtech being hacked news emerges that over 650,000 Wetherspoons customers have had personal details stolen.

The hack occurred in mid June of this year with Wetherspoons apparently unaware of this until this week. Anyone using the pub wifi or registering with them has probably had details taken.

This suggests that no active monitoring of the network traffic under Wetherspoon's control was occurring, or if it was, it was ineffective or the results were kept quiet while the gaps were fixed. Time will tell if Wetherspoons have breached the Data Protection Act, as the matter has been reported to the Information Commissioner. The maximum fine is currently £500,000, but proposed European legislation would bump that up to a £65 million maximum if the hack occurred with the legislation in place.

These hacks are popular as personal details can be sold for about £10 each via the dark web and therefore the Wetherspoons hack is worth about £6 million to the cyber criminals.

In all probability a hacker wandered into a Wetherspoons with a fast WiFi connection, logged onto the network directly, bypassed security and downloaded the database in about 30 minutes - before he or she had finished their pint (or white wine for the lady).

Organisations handling personal data will need to take a more active approach to prevention and monitoring to avoid big fines and reputational damage.

Thursday, 3 December 2015

Proposed EU Data Protection regulations grow some serious teeth in the Digital Age

It is amazing what people will do to get noticed as this young lady in Thailand demonstrates. At the other end of the scale the smooth law makers within the EU gently slide obligations towards us almost unnoticed.

The Digital Single Market and the associated Data Protection regulations are scheduled to come into force in December 2017 and bring with them a very different regime for managing personal data. Within the UK the Data Protection Act 1998 requires six core principles to be followed. One of these principles is that personal data is kept safe and secure.

The maximum fine under the DPA is £500,000 and therefore, while this is a substantial sum, it is possibly less than the cost of required data security for a large organisation such as TalkTalk (just for example).

Under the proposed new regime fines can be between 2% and 5% of turnover up to a maximum of £100 million. Using TalkTalk as an example, with a turnover of £1.8 billion the maximum theoretical liability would be £90 million. Possibly worth addressing the SQL injection issues then?

The guiding principle under the proposed new regime looks to be that companies or individuals handling personal data (which is pretty much anything) need to meet "reasonable expectations of data privacy" and liability follows if they do not.

The suggestion is made that encryption is one potential way to meet this requirement but this is not a given. If an encryption system is found to be flawed or have a back door it presumably does not meet this threshold ? Implementing one encryption system is tricky enough but having to change systems in a hurry is breakdown material if encryption is cracked.

Another aspect to the proposed legislation is the right to erasure. This immediately brings to mind the popular club music duo of Andy Bell and Vince Clarke but this was probably not the aim of the law makers involved. The serious point is that information will need to be actively managed so it does not remain for ever which will impose a layer of further cost.

Massive organisations such as Banks, Telcos and ISP's who hold personal data are looking at chunky liabilities and costs, as are the service providers who manage the data.

Within the SME community this will be even more challenging as the IT systems and suppliers often fit into the cheap and cheerful category and don't have much resource to direct at IP and Cyber protection and data management.

For about 15 years there has been a relaxed attitude to IP protection in the Digital Age but post Snowden, Sony Pictures and TalkTalk this is drawing to a close and regulation (with cost) is on its way.

Monday, 30 November 2015

Drakula (stream) rises! 60% improvement in Alexa ranking in 6 months

The former Drakula Stream / Streamhunter pirate site which was blocked in the UK by ISP's has popped up as RealstreamUnited and is now within the top 2000 websites in the UK. 6 months ago it was outside the top 115,000.

With the Police struggling for resources this presents a real dilemma for content owners as DMCA type activity is pretty pointless in respect of a site with this profile. A machine that goes ping and cleverly detects that this is a popular but pirate website is not bringing much to the party.

Our ongoing survey into attitudes to piracy shows that 33% of people would still use a pirate site even if they know it is illegal and 44% think there is no need to subscribe to Pay TV services in sport.

Overall a more co-ordinated approach is necessary but that is easy to say and tricky to do.

Tuesday, 24 November 2015

Logic Bombs Away !

A logic bomb is a cyber weapon: a piece of code that triggers an event at a specific time. It is distinct from a virus in that it does not replicate. An example would be code that destroys the Docs folder on a computer on Valentine's Day.

Made famous by Roger Duronio, a disgruntled IT insider, it showed the massive damage that can be done by a malicious insider. All files on the central server were deleted at Paine Webber and then all files on every server in every branch - 2000 servers and 400 branch offices. Duronio had shorted the stock but was perhaps ahead of the analysts, who did not seem to notice. Fast forward to today and a less serious breach at TalkTalk took an axe to the share price.

It is a bit of an urban myth that hackers are all high IQ misfits with ADHD or suchlike. This "how to" video on YouTube gives you an idea of what information is freely available and the type of skill level needed.

For anybody wondering how secure public wi-fi is, this provides a convincing answer. What is shown in this video may be an offence under the Computer Misuse Act, and accessing paid for wifi for free doing this would be illegal, but the skill level required is moderate. Do not try this at home!

The Destover trojan, which is considered to have been the culprit in the Sony Pictures hack, is a very different proposition however, according to McDonald and Kharouni, experts at Damballa:

“The Destover trojan is a wiper that deletes files off of an infected system, rendering it useless … for ideological and political reasons not for financial gain,”

The penny is dropping that those neutral looking pieces of computer hardware that are so useful to us all need very careful handling.

Friday, 20 November 2015

12-15 year olds prefer YouTube to TV

Technology clearly has its limits. When researching this piece and looking for a suitable image representing a "digital native" the stock photo library we use offered this good but rather irrelevant image. A world where humans are replaced by machines might have more laughs than we think.

To the point - Ofcom have released some new research which continues the tracking of the behaviour of the digital natives and some key points emerge:

12-15 year olds now spend 3.5 hours more per week online than watching TV. 15.5 hours for TV and 18.9 hours online.

Within that same group who watch both TV and YouTube a greater number now say they prefer YouTube to TV for the first time.

Whilst the spin on the report highlights that children trust the internet more than they should the substance of the report paints a picture of changed habits among the next generation that will make the traditional Pay TV model quite niche.

This possibly explains the new SkyQ ultra premium concept, where a smallish group who are not price sensitive at all pay top dollar for an all you can eat package while the bulk of the market take smaller pay as you go type packages.

Into the mix will come YouTube Red (ad free, subscription based), NetFlix etc., and when the dust has settled the primarily linear pay tv model will be gone.

Thursday, 19 November 2015

Cloudflare surfs the wave - but gets caught between Anonymous and ISIL

Cloudflare protects websites from DDoS and provides a degree of anonymity online. Given that its entry level service is free it is highly popular - and sometimes with the wrong people.

It looks to be heading for a float in 2017 and a potential valuation of $8 billion dollars - hats off to CEO Matthew Prince if that works out.

Cloudflare do not provide hosting services, but typical digital forensic activity such as a traceroute to an IP address ends with them, thus concealing the hosting entity and making removal activities more difficult. This is not by design but a consequence of providing DDoS protection.

It has been suggested by Anonymous that some ISIL related websites use Cloudflare and that therefore Cloudflare are protecting them with anonymity - an amusing turn of events from a group of that name.

In reality (and KLipcorp work with Cloudflare in this respect) Cloudflare will reveal end point IP addresses if the proper procedures are followed, so this is a bit of a misleading storm in a teacup - but a decent excuse for a good photo.

Wednesday, 18 November 2015

The dark side of digital needs regulation

The utopian idea that the internet would lead to the world uniting for the greater good (Tim Berners-Lee) is starting to look optimistic.

Tremendous benefits have come from improved communications and access to information but the internet economy has started to be a mirror to the human condition with a balance between good and bad.

The core difference is that the internet is unregulated in any effective sense and that behaviours that would not be tolerated elsewhere (such as total disrespect for property / IP) are considered the norm.

Understandably freedom and privacy are jealously guarded, but if the robber barons of history had been unregulated 12 year olds would still be working in factories for minimal wages in the name of progress. Some of the current tech giants, despite lots of cuddly advertising, are looking like wolves in sheep's clothing.

Andrew Keen has identified that the internet has driven income inequality, a crisis in jobs and a surveillance state but there are always 2 sides to any argument and libertarians like Peter Thiel argue effectively the other way. Even so the core argument that is starting to look shaky is that the internet should not be regulated.

The startling rise in cyber crime and hacking generally probably tips the balance towards sensible, democratically mandated regulation. The coming wave of cyber warfare will require that the intermediaries and pipes of the internet introduce more effective controls.

The jurisdictional hurdles need to be crossed or dramatically simplified as a matter of urgency as an unregulated internet that is very powerful can do significant damage. The majority of hacking tools used now are HaaS (or hacking as a service) requiring minimal skill from the operator.

This is a situation similar to having free automatic weapons with unlimited ammunition available on every street corner with minimal regulation. Certainly the Government should stress the need for companies and individuals to take reasonable steps to protect themselves but at the same time a clear regulatory framework needs to be in place to deter criminals and apply proportionate sanction when needed.

Any sane person would recognise that a free cyber weapon for launching DDoS attacks should not be easily available online and that there should be a simple process in place for instant removal. Currently no effective regulation exists in this regard, which is great news for the bad guys (and girls).

Tuesday, 17 November 2015

Do ISIL have a Stuxnet ?

The stamp commemorating Andre Maginot recognizes his sterling if ineffective efforts to prevent the Germans invading France in 1939.

As the German Panzers simply whizzed around the side of the heavily fortified emplacements he must have been spinning in his grave.

The emergence on the scene of the Stuxnet cyber weapon which was / is capable of closing down and controlling computer operating systems in heavy machinery showed the game had changed back in 2009. The worm was capable of closing down a nuclear reactor (and possibly worse). It was speculated that Stuxnet was created jointly by the USA and Israel.

A key question now is the extent of the online attack surface we present to those seeking to cause damage. The attack surface is a term used in ethical hacking to describe the extent of a system's weaknesses. Footprinting is the process used to determine the extent of the attack surface.

George Osborne has clearly identified a potential weakness in UK cyber defences as the austerity Chancellor has suddenly started to find funds to shore up our cyber security and has doubled the budget. When Mr Dusty Wallet is suddenly getting the first round something is clearly up.

If ISIL have an equivalent of Stuxnet they could potentially wreak enormous financial damage. That said given that some of the leading people in digital (Turing, Berners-Lee) have been from the UK we should be able to hold our ground on the coming digital battleground.

In a new twist Anonymous have announced on their YouTube channel (see below) that they intend to track down members of ISIL and "totally mobilise" against them. I am sure we would all pay good money to attend the meeting where members of Anonymous and the UK Armed Forces met to share information.

Monday, 9 November 2015

Rise of the Machines - a challenge for free market capitalism

It is only human to think in quite black and white terms about the rise of artificial intelligence and imagine flashy looking robots roaming around doing all the jobs that we are so keen on. The more pessimistic may favour a "Terminator" based view of the future where malign machines crave power (oddly human) and seek to wipe us all out.

In reality artificial intelligence of a type has been with us for ages tied up in the programmes of Microsoft and the algorithms of Google. Jobs have certainly gone in the typing pool and basic analysis and information gathering is possible for anyone with an interest. The rate of change is phenomenal and the low cost automation that products like Google Adwords and Hootsuite offer makes a human alternative non viable. Hiring someone to manage a twitter / social media feed is a big ask with the range of cheap automated alternatives on offer.

This Attack Map showing live DDoS attacks would take a big group of people a really long time to maintain, whereas it probably runs with attention as needed from a small group.

In conversation with a true digital native from the West Coast he remarked that in business, in his view, people were the problem in the way of generating massive profit.

A very small group of people armed with the right software, hardware and finance can achieve almost anything due to the global and networked nature of the internet. In this model there is no room for middle and lower management just the few key people supported by machines / software running 24/7. Those few people and machines can operate anywhere and may operate purely for financial return.

It might be then that the rise of the machines challenges free market capitalism more profoundly than any left wing activist and forces the development of new social norms.

Friday, 6 November 2015

Results from Disney and Time Warner show bleak outlook for traditional Pay TV

This week saw results from Time Warner and Disney both of which suggested that traditional Pay TV services are in managed decline.

Disney delivered a very solid cable performance against expectations but this had the feeling of an exceptional set of results (think Rugby World Cup Japan v South Africa) rather than a trend.

There are many potential explanations for this (piracy, OTT services etc) but clearly the search for yield is starting to look elsewhere. Most revealing perhaps was the stress placed by Bob Iger of Disney on the release of the Force Awakens (56 million views for the trailer on YouTube) and the opening of a massive theme park in China. The revenue opportunities from the distribution of content owned by others over Pay TV platforms were taking a back seat.

The rise of the broadband internet was always going to challenge the centralised command and control model of traditional pay tv distribution and the results of that shift are now obvious. Some of the media companies are better placed than others to adapt to the changed landscape and there is always the option of trying to acquire your way out of trouble.

In the meantime the Force Awakens keeps the show on the road at Disney while Time Warner absorbs a very big hit to its share price ($274 Dec 10 1999 to $69 Nov 5 2015);

Thursday, 5 November 2015

Have TalkTalk breached the Data Protection Act? Certainly a possibility...

With admirable gusto TalkTalk have answered the above question on their own website by saying "No, this is a criminal attack. We have notified the ICO and we will work closely with them over the coming weeks and months".

There we are - no need for any type of judicial system we can all simply decide for ourselves if we have complied with legislation.

In the real world (and given the sanctions from the ICO that TalkTalk has received previously) it is not likely to be as simple as that.

Principle 7 of the Data Protection Act states that "Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."

If reports are true that the attack on TalkTalk was based on SQL injection then, given that input validation methods will prevent this, a company the size of TalkTalk would not appear to have taken appropriate measures.
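
To make concrete what "appropriate measures" against SQL injection look like, here is an added example that is not code from the original post or from TalkTalk: a customer lookup written with string concatenation beside the same lookup written with a parameterised query, plus the input validation the post refers to as a second layer. The customer table is constructed in-memory for the example and stands in for a real database.

```python
import re
import sqlite3

# Constructed sample customers (an assumption for the example; the real schema
# behind the reported attack is not on the page).
SAMPLE_CUSTOMERS = [
    ("alice@example.com", "ACC-0001"),
    ("bob@example.com", "ACC-0002"),
    ("carol@example.com", "ACC-0003"),
]

# The textbook test string used to show why concatenated SQL is unsafe.
TAINTED = "' OR '1'='1"

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def make_db():
    """Create an in-memory SQLite database holding the sample customers."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (email TEXT PRIMARY KEY, account_no TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_CUSTOMERS)
    return conn


def lookup_vulnerable(conn, email):
    """Builds the query by string concatenation: the input becomes SQL text.

    With TAINTED as input the WHERE clause reads  email = '' OR '1'='1'
    and every row in the table comes back.
    """
    sql = "SELECT email, account_no FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, email):
    """Sends the SQL and the value separately, so the driver never parses
    the value as SQL. TAINTED simply matches no customer."""
    sql = "SELECT email, account_no FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def is_valid_email(value):
    """Input validation: accept only something shaped like an email address."""
    return EMAIL_RE.fullmatch(value) is not None


def lookup_validated(conn, email):
    """Validation in front of the parameterised query: defence in depth."""
    if not is_valid_email(email):
        raise ValueError("input rejected: not a well-formed email address")
    return lookup_parameterised(conn, email)


if __name__ == "__main__":
    db = make_db()
    print("concatenated, tainted input :", lookup_vulnerable(db, TAINTED))
    print("parameterised, tainted input:", lookup_parameterised(db, TAINTED))
    print("validation accepts tainted? :", is_valid_email(TAINTED))
```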

No doubt a commercial decision was taken somewhere within TalkTalk that the cost of defending against an SQL type attack was not justified and that the risk was acceptable.

The problem perhaps is that TalkTalk were trusted to keep customer data safe and had they asked the customer base to decide between staff bonuses or slightly better protection against having all their data stolen the decision would probably have been the latter.

Until we know the nature of the attack and whether appropriate measures had been taken to prevent it, it is too early to say if a breach has occurred.

Tuesday, 3 November 2015

Investigatory Powers Bill - are the politicians entitled to be trusted not to abuse power ?

The statement "War is a mere continuation of politics by other means" (von Clausewitz) illustrates that politics is a dirty business mainly about the pursuit of power. There are always exceptions, but history shows a fairly consistent pattern with shameful incidents such as "weapons of mass destruction", IRA immunity letters, Guantanamo Bay and such like. At a different level even highly respected organisations such as the RSPCA seem to have spun totally out of control when given too much power without effective checks and balances in place.

The current PR charm offensive seeks to blur the lines between the legitimate requirements of the Security Services and Armed Forces in the digital age and other branches of Government.

The forerunner to the Investigatory Powers Bill, RIPA, was sold on the basis that the check and balance was the Investigatory Powers Tribunal, which up until quite recently was so low key it made MI6 look like Graham Norton (sorry Graham) and has upheld only 10 cases since 2001. Go figure.

It is a terrible thing to give airtime to Joseph Goebbels (Hitler's PR man) but he pretty much sums it up:

“If you tell a lie big enough and keep repeating it, people will eventually come to believe it. The lie can be maintained only for such time as the State can shield the people from the political, economic and/or military consequences of the lie. It thus becomes vitally important for the State to use all of its powers to repress dissent, for the truth is the mortal enemy of the lie, and thus by extension, the truth is the greatest enemy of the State.”

Over the course of history the doctrine of the separation of powers between the legislative, executive and judiciary has been maintained to keep balance and prevent abuse of power.

Given how many Acts of Parliament, Statutory Instruments and sections of Common Law are currently "live", it is probably safe to say we are all guilty of something if someone looks hard enough for long enough.

It is therefore crucial that a signature from a judge is obtained before warrants are granted under the proposed Investigatory Powers Bill. This should reduce the extent to which the politicians and petty officials can target and destroy their enemies using these considerable powers. If the only remedy is an approach to the Investigatory Powers Tribunal we have a pretty clear idea already which way that one will go based on performances to date. Slip on the orange jumpsuit and prepare for the full cavity exam.

If national security is at risk there should be no problem securing a signature. Hopefully, though, the judge's hand will pause if the real objective of the warrant is to help someone meet a budget target and keep their job, or to destroy the reputation of a political enemy in the run-up to an election.

If a politician is holding the pen I think it is clear what the outcome would be and how attempts would be made to cover it up. As Jean-Claude Juncker, President of the European Commission and "uber" politician in Europe, famously said:

"I am for secret, dark debates.....when the going gets tough, you have to lie."

This is not an attack on politicians but a recognition that power needs to have independent checks and balances - we need judicial oversight.

Wednesday, 28 October 2015

Ensure your digital front door is not wide open

When any entity is attacked online it is quite common for accusations to be levelled at criminal gangs (presumably on a break from people trafficking).

Of course high level attacks are very sophisticated and are occurring regularly (see this free monitoring service from Google) but from direct experience in the IP piracy management space often the matter is much more mundane.

Companies leave the digital front door wide open, and it is fairly likely that at some point someone passing by in cyberspace will have a go. TalkTalk may prove to be a case in point if it turns out that the root of the problem was a 15-year-old living with Mum & Dad using some freeware on page 1 of Google. The red faces in the security team at TalkTalk will not repair the damage done if, when the case comes to trial, it becomes clear how easy it was.

A Digital Audit is a basic requirement now for all companies that use the internet. An independent double check that all is reasonably in order is vital given the multiple standards and skill levels that exist in the digital and IT security industries. Given that a Digital Audit can be obtained for less than £250, cost is not a barrier.

Inevitably one size will not fit all in this space, but a minimum level of protection is a requirement for all companies that use email and the internet and manage digital IP.

Tuesday, 27 October 2015

TalkTalk gets the Tyson treatment

As Mike Tyson once memorably pointed out, "Everybody has a plan until they get hit. Then, like a rat, they stop in fear and freeze."

Common sense suggests that TalkTalk, as one of the UK's major ISPs, would have a good sense of the risks that being online poses. In fact, in a truth-is-stranger-than-fiction moment, TalkTalk Business offers security-related services, which really does suggest all is not right with TalkTalk.

The news, therefore, that a 15-year-old boy in Ireland was arrested for suspected offences under the Computer Misuse Act relating to TalkTalk and subsequently bailed until November is a mixed blessing for Dido Harding and her team of cyber security experts.

On the one hand, it is good news if the attack is now over, as the news cycle will roll on and other matters will come to the forefront. On the other hand, if this is the work of a 15-year-old acting alone (and probably using easily available / free brute-force type cyber weapons), it does suggest that the TalkTalk digital front door was not just unlocked but off its hinges.

In fairness, when Richard Ledgett, Deputy Director of the NSA, commented on the Today programme "If you are connected to the internet you are vulnerable", he framed the problem in an honest way.

The online attack surface for TalkTalk is huge, with multiple points of potential vulnerability. Given that information security is such a broad church with multiple standards (ISO, SANS, NIST, OWASP, CREST, IASME, Cyber Essentials etc.) populated by a mix of ex-law enforcement, IT people, self-categorised "Black Ops" and others, it is understandable that a busy CEO gets caught out by some of the flagrant rubbish that gets bandied about. My personal favourite is that all cyber crime is carried out by ruthless gangs of organised criminals. I am sure this exists, but perhaps mainly to add glamour to the job of dealing with it.

Realistically, companies are going to need to allocate increased budgets to online security and try to ensure that those budgets are managed by people with a genuine understanding of the new ecosystem, to avoid being made to look foolish (and losing 10% of their share price) by a teenager with a broadband connection and a £250 laptop (and maybe a white cat?).

Thursday, 22 October 2015

Sky sails on - 133,000 new UK broadband customers in Q1

Very strong results from Sky for the first quarter, which now includes the more pan-European focus of Germany and Italy (in anticipation, perhaps, of the potential digital single market).

Much was made at the time of the loss of Champions League rights in both the UK and Italian markets, but in response Sky added 134,000 customers in the UK with, if I have read this right, 133,000 taking a broadband package and 43,000 taking a TV package. Churn levels might have been expected to jump but stayed on trend at about 10%. As they might say to BT, "take that, sports lover".

It does not look like Sky engaged in insane levels of marketing spend to achieve this but perhaps that is hidden somewhere in the numbers.

On the specific point of the Champions League rights, Jeremy Darroch commented "We've pretty much sailed on as we did in the fourth quarter". He also offered a view that the broadband customer adds had come from other operators, not new entrants, although he suggested we wait for other results to come out in the next few weeks.

This is fascinating and raises a number of questions:

1. Does this suggest that the Champions League has no real value to Sky in terms of customer acquisition and retention? Yes, it looks like it, which is not great news for UEFA but does explain why Sky did not try to outbid BT.

2. If so, is the reverse true, and will BT add relatively few customers as a result? This is more complicated and will depend on the strength of BT's overall proposition, but the quarterly results are out on the 29th October. Broadband penetration in the UK is at about 80% of adults, so overall growth is possible without a positive impact from the Champions League.

3. Is this clear evidence that Sky has now diversified its offering via broadband, NowTV, Sky Store etc. so much that it is no longer reliant on Premium Sports rights? To old hands (& potential flat earthers) in the industry this is almost heresy, but it is starting to look accurate. Therefore, is the current rights inflation in the UK of Premier League rights purely a result of competition between BT and Sky?

This goes some way to explaining the relaxed attitude at Sky to widespread 24/7/365 content leakage via piracy. Content exclusivity is not what it was, and the view is perhaps that consumers of pirate content are never going to be subscribers.

An alternative view is that due to the high levels of live piracy that exist in sport "exclusive" rights deals no longer have the power to create or shift a subscriber base.

Either way, Sky have altered their offering so much that exclusivity of premium content is no longer the main driver but one of many drivers.

BT appear to be taking a more old-school approach based on exclusive content, so a very interesting set of results is due on the 29th.

Thursday, 15 October 2015

Crime Figures Double after cyber offences are included

New figures from the Office for National Statistics released today show 5.1 million fraud offences and 2.5 million crimes under the Computer Misuse Act.

The headline figure for the overall increase is misleading, as cyber offences were not previously included, but it does show the very widespread growth of cyber crime.

Wednesday, 14 October 2015

Rear view (mirror) - cybercrime statistics and cord nevers

'When faced with a totally new situation,' McLuhan famously says, 'we tend always to attach ourselves to the objects, to the flavor of the most recent past. We look at the present through a rear-view mirror. We march backwards into the future.'

The announcement today that UK cybercrime statistics, to be released on Thursday, will show a massive jump (making them the biggest single grouping) is coming straight through the windscreen. Definitions are always a challenge, but if file sharing etc. was included in this then it is no real surprise. The gap in understanding has been caused by the time it takes to collect the figures.

Similarly, the emerging data on cord-nevers and cord-cutting in the TV industry in the US makes sense given the ease of viewing pirate material from most major distributors, notwithstanding the technology that has been thrown at it.

Tuesday, 13 October 2015

Hawking suggests that the impact of intelligent machines on inequality is largely about redistribution

There is a lot of concern floating about that as intelligent machines take jobs in "process driven" sectors inequality will grow. Basically, the owners of the machines will become wealthy beyond imagination and lots of people will have no job and therefore survive on state support, or on nothing in the doomsday scenario.

The slight flaw in that argument is that if nobody has any (disposable) income, who will buy the goods and services offered by the machines? But that is a question for another day.

In a Reddit Q&A session Stephen Hawking offered the following views on this question:

What is the risk of "technological unemployment" where machines take jobs?

The outcome will depend on how things are distributed. Everyone can enjoy a life of luxurious leisure if the machine-produced wealth is shared, or most people can end up miserably poor if the machine owners successfully lobby against wealth redistribution. So far, the trend seems to be toward the second option, with technology driving ever-increasing inequality.

It seems likely that in a democratic society the voters' rational self-interest would prevent lobbying by machine owners being successful (hints of that already in the Facebook debate on corporation tax), but that does leave the non-democratic societies open, and according to Wikipedia only 12.5% of the world's population live in full democracies.

Monday, 12 October 2015

Cord-nevers steaming into pay TV - by 2025 50% of adults under 32 will not pay for TV

Some new research from James McQuivey of Forrester suggests that by 2025 50% of adults under the age of 32 will not pay for TV.

He identifies a new group of cord-nevers who are in fact a larger group than cord-cutters. On the face of it, if armed with a high-speed connection and some technical knowledge there is no need to subscribe to pay TV, so why would you? This chimes with KLipcorp's less formal research, which showed that 57% of people think that there is no need to subscribe to pay TV for sport due to the availability of pirate content.

The bloodbath in US media stocks recently reflects a bundle of concerns regarding the shift to digital, but possibly at its heart is the dawning realisation that control over distribution has been allowed to slip away. Anyone who has seen the fantastic new movie The Martian will agree that anything is possible given sufficient creativity and determination, but the traditional distributors of media need to get a grip over distribution pretty quickly to avoid becoming candidates for the Darwin Awards.

A potential first step would be an independent Digital Audit to really identify the scale of current leakage and the adoption of a prioritised approach to fill the gaps.

The sector has a great fondness for machines that go ping, but as in The Martian, the thing that really saved Matt Damon at a key moment was a roll of gaffer tape.

Friday, 9 October 2015

Kim DotCom facing his Waterloo

Kim DotCom, like Edward Snowden, has his supporters and detractors. Some see both as battling a flawed system, but what they have in common is that in all likelihood both have broken US law.

The law is often an ass and it is said that unjust laws cannot stand, but tell that to someone lounging around in Guantanamo Bay in an orange jumpsuit waiting for the snap of the rubber gloves.

Either way, it looks like Mr DotCom is unlikely to escape the clutches of the US legal system. He had been attempting to argue that since he had no funds left he was unable to afford to have any experts represent him in an extradition hearing, and that therefore any hearing would be unfair.

The North Shore District Court was not having any of this, and the argument was made that since MegaUpload had been paying people to upload illegal material this was a straightforward matter where experts were not required.

The matter will rumble on, and it looks likely that Mr DotCom will face the US justice system in a very high-profile case that is probably far from clear cut.

Thursday, 8 October 2015

Understanding Digital vulnerabilities

The digital age has swept in so quickly that necessary adjustments to processes and behaviour are lagging. The legal system and regulation have struggled to maintain relevance, and behaviour that would never be accepted in the physical world is accepted at the moment in the digital space with a shrug of the shoulders.

For many individuals and businesses there is a need for a Digital Audit which, in a simple and low-cost way, helps them to quickly understand key vulnerabilities and issues.

From a customer point of view, the machine or process that goes "ping" is only helpful if it helps them identify or solve a problem in a cost-effective way. All the hackers out there have access to very powerful freeware, and in order to avoid leaving your digital front door open and inviting them in to party (and maybe turn your data into bitcoin) it is necessary to carry out a Digital Audit.

Data and intellectual property are increasingly the key assets of small to medium businesses, and these need protection.

Wednesday, 7 October 2015

Anti-piracy group BREIN wins key battle in the protection of digital IP rights - pirates' personal & banking details to be disclosed by infrastructure operators

One of the challenges facing groups attempting to protect their IP rights in a proportionate way is that when a pirate website is taken down, its domains are cancelled or similar, the individuals involved simply set themselves up again.

Up to this point, the providers of web-based infrastructure such as Google, Akamai, PayPal etc. would not reveal the details of the operators even if services were cancelled. Some operators promote "absolute privacy" as a benefit of their services. Therefore the work done to close the operations down can appear to have little real impact unless the individuals concerned stop carrying out pirate activities for other reasons.

In fairness, after the Snowden revelations there is no doubt that the protection of privacy is crucial and that data should only be provided in an approved and transparent way. However, a balance needs to be identified between allowing companies and individuals to protect their property and the rights of individuals who are abusing that property to protect their anonymity behind a veil of privacy.

In the snappily titled C / 09/492 901 / KG ZA 15-1085, the case concerned the unlawful sale of a large number of pirate e-books via Google Play. Google agreed to remove the relevant app but would not reveal the identity of the people running the operation, on the grounds of privacy.

Clearly the Court viewed this as jejune (naive, simplistic and superficial) and gave it both barrels, as outlined below (translated by Google Translate):

The judge orders Google, within 3 weeks of this judgment, to provide to the counsel of BREIN, on behalf of BREIN, the following information, to the extent that it is available to Google, with respect to the holder(s) of the Google Play Books Partner Center Publisher Account(s) from which books were uploaded under the Google Play Books URL(s) that BREIN listed in its removal request of May 19, 2015 (Google case no. 76,488,000,007,259), as described in the body of the indictment:

With regard to the Publisher Account:
a. subscriber information;
b. the IP address of the computer from which the Publisher Account was created;
c. billing information, i.e., mailing address and bank account number, bank name and name of the bank account;

In the case of the Google account that was used to create the Publisher Account:
d. the date and time the Google Account was created;
e. the IP address of the computer from which the Google Account was created;
f. the IP addresses of the computers from which the user has logged into the Google Account;
g. the secondary email address and the first and last name specified for the Google Account;

this under the condition that the person concerned has not, within 14 days of the date of this judgment, raised an objection with Google with the aim of preventing the provision of this information to BREIN;
declares the order given under 5.1 enforceable, but only insofar as it relates to the provision of data relating to addresses, bank accounts and IP addresses within the European Union;

reserves any further decision, pro forma, until Saturday, December 12th, 23:00 h, by which date the party first wishing to do so must inform the court in writing whether a follow-up session is required (if necessary with all relevant dates on which it is unable to attend) or whether the case can be dismissed or withdrawn in writing.

This is a key step forward in helping rights holders to protect their IP in the digital age.

Tuesday, 6 October 2015

Periscope and Meerkat not material in the piracy debate

Much has been reported about the risks of individuals using Periscope and Meerkat as platforms for pirate activity and the mass audiences they may attract.

Perhaps unfairly, this really does bring to mind Benny Hill's antics at the end of his great TV shows (go on, listen to that theme here one more time), where he has no real idea what is going on.

Perhaps at some point in the future this might be an issue, but right now any analysis of the piracy landscape shows 24/7/365 live streaming being carried out with some enthusiasm by the pirate community, with the DMCA technology-based solutions forming a latter-day Maginot Line with similar effectiveness levels.

Why would you bother with Periscope and Meerkat when an app like the one below delivers fully produced pictures live and free?

No easy solutions here, but Periscope and Meerkat are a red herring (it was worth it) in the piracy debate.

Monday, 5 October 2015

Key points in the Digital Age & time for a Digital Audit

The digital age is considered to have started sometime shortly after 1945 (a subject really well covered in the excellent book Turing's Cathedral).

However, the pace of change did not "go large" until the internet came along in the 1990s and started to disrupt some industries, such as TV & video-based media, which had not themselves been around a long time.

Looking back, the era of linear pay TV delivered by satellite to the home may be viewed with the soft nostalgia reserved for steam travel and valve amplifiers.

Recent data showing that this year 181 million people in the US will watch video via an app or website that provides streaming content over the internet and bypasses traditional distribution (eMarketer) starts to show the pace of change.

For some, the digital revolution has caught them somewhat off guard (Blockbuster, for example); others have taken over the world (Google).

If OTT growth continues at this pace and is linked to cord-cutting, then many of the accepted truths about the media industry are about to get a solid going over. Maintaining control in the wild west of the internet is a very different proposition to the command-and-control approach adopted in pay TV.

Perhaps time for a Digital Audit to assess the risks and liabilities that are appearing over the horizon? This is starting to look like the attempts by the phone companies in the 90s to protect call revenues even after it was clear that the game was up.

Thursday, 1 October 2015

Balanced approach to Cyber Risk

They say that it is a recession when your neighbour gets fired and a depression when you get fired. Similarly, IP protection tends to be front of mind when an issue emerges for an individual or company.

This excellent article from Chris Blackhurst in the Evening Standard illustrates the problem very well.

For a variety of reasons, such as resourcing issues in the police and corporate entities not wanting to end up with liability in an area they don't yet really grasp (and therefore not engaging with the problem), there is a perception that cyber crime is much more difficult to resolve than other crime.

At the corporate level, standards such as ISO 27001 have emerged which contain guidance such as:

"Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organisation's exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk".

For a medium to large corporate with a dedicated IT function this may be helpful, but for an SME this guidance probably seems very circular in nature unless there is a pretty high degree of knowledge of the risks to start with.

Reactions to cyber risk, from TV companies to one-man bands, vary from denial to dusting off the typewriter and carrier pigeon and banning the internet and mobile devices. Money is possibly squeezed from the legal and IT budgets to deal with an issue that simply did not really exist 10 years ago.

Neither denial nor dashing off to a log cabin makes a lot of sense when cyber risk can be reduced by taking pre-emptive action to ensure that the very obvious vulnerabilities have been addressed: the equivalent of leaving the car keys in the ignition with the doors unlocked.

To discuss this further please contact us at KLipcorp IP.

Monday, 28 September 2015

Parallels in road and online safety

When driving licences were first issued in the UK in 1903 they were purely for identification purposes. By 1931, when the Highway Code was published, there were 2.3 million vehicles on the road and 7,000 deaths.

There are now about 27 million vehicles on the road in the UK with under half the number of deaths.

On the digital highway we may be starting to exit the first wild west phase, but there is still not much awareness of the scale of risk online or of what reasonable and effective steps can be taken to reduce it.

The significant cost savings from digital transmission and storage have been warmly embraced without a full understanding of how leaky some of them are.

Snowden shone a bit of light on this issue, but no doubt some other juicy scandals will emerge before acceptable frameworks for regulation appear.

Thursday, 24 September 2015

Consumer attitudes to online intellectual property

In theory, all types of property (physical or intellectual) should receive equal levels of protection within the legal system. Why should stealing a car be different from stealing a painting, a piece of music or a line of code?

The old adage that possession is nine tenths of the law may hold a clue as to why people seem to view them differently, perhaps because ownership is generally much clearer with physical property. In addition, concepts such as fair use do not confuse matters.

In any event, regardless of my opinions on the matter, as part of KLipcorp's survey into IP issues we asked a couple of questions in this area and the responses were pretty stark.

57% of people thought that intellectual property should not be protected as much as physical property.

However, the answers to the next question were a bit of a shocker for those who subscribe to the view that customer confusion has a large part to play in the large volumes of unlicensed content consumed online. It may be that the sample was not representative, but 100% of people surveyed said they would still use pirate sites even if they knew for certain they were unlicensed / illegal.

If this response is valid it seems that only direct action against pirate sites will be effective.

Wednesday, 23 September 2015

57% of people think that there is no need to subscribe to pay TV for sport due to the availability of pirate content

Piracy of live sport has been around for a while but really started to go mainstream in about 2009/10. As a relatively recent issue it is therefore hard to analyse and, as is often the case in the absence of any decent information, individuals and companies tend towards the version of the truth that suits them at the time.

Therefore, to start the ball rolling and to try to get the beginnings of a picture of consumer attitudes towards sports piracy and the link with sport on pay TV, we started an online survey.

High-audience pirate sites do not respond to DMCA-style notices at all, as the video below clearly shows, but what impact does this really have?

The survey had only a few questions, to keep people engaged, and drew responses from the UK, Sweden, Canada, Ireland and Germany. 60% of responses were in the 25-44 age range, with an even split across the other age ranges.

Amazingly, 43% of those surveyed thought that the types of sites featured in the video above might be legal. This highlights the challenge of complex copyright laws and the effective job some of the search engines have done to muddy the waters (excuse for "Mannish Boy" reference).

The chart below shows solid awareness of the existence of these sites.

So what seems to be emerging is that the public are aware of sites in a "grey area", as they see it, and that these sites are not impacted by DMCA-style activity.

So what if this makes very little difference to the decision to subscribe, or to maintain a subscription, to a relevant pay TV service?

Well, as the chart below shows, it does seem that with the prevalence of free alternatives the sport-driven subscription decision for pay TV is getting tougher.

We will keep our research activity going in this area and welcome any constructive contribution to this emerging debate.