The Italian Home Affairs Minister To Call For Another Internet Crackdown

In the aftermath of the Charlie Hebdo massacre, as a way to improve the “safety” of citizens, the Italian Home Affairs Minister, Alfano (a right-winger), called for:

  • a “registration” of “dangerous” websites,
  • a further enhancement of the ISPs’ duty to block access to
    (terrorism-related) Internet resources,
  • an exception to the data-protection regulation, to allow the law
    enforcement agencies to easily access “sensitive” data.

This is an exploitation of the recurring rhetorical locus: “enhancing safety needs the fundamental rights to be weakened”.
It is easy to answer with an often quoted statement by Benjamin Franklin:

Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety.

But this is not the point.

From a “terrorism” fighting point of view, what Alfano is calling for is simply useless.

If the target is to gather as much information as possible to prevent new attacks, blacklisting websites obviously doesn’t help. It neither stops terrorists from talking to each other, nor allows upcoming threats to be spotted.

If the target is to gather advance information to run “pre-emptive actions”, it is useless to “weaken” the data-protection regulation to ease the law enforcement agencies’ access to “sensitive” (i.e. politics-related) information. Those who need fast and direct access to this kind of information, in fact, are the secret services (whose activities are neither handled by nor reported to a magistrate) and not the law enforcement bodies, which can only act, in Italy, AFTER a crime has been committed (having, in this case, full access to everything they need, under the control of the public prosecutor).

Then, a couple of questions:

  • why does Alfano call for measures that don’t help fight terrorism, but allow a crackdown against normal citizens?
  • why should the ISPs be burdened to act as censors and central scrutinizer on behalf of the government?

Child Pornography And Computer Crime Still a Criminal Offense in Italy

Several misinformed Italian blogs are currently claiming that the Renzi-led government just passed a draft legislative decree making child pornography and computer crimes no longer a criminal offense.

This is not true, because what the government actually did was to set the principle that as soon as a crime is punished with a jail term up to five years AND the judge thinks that the crime is of “minimum damage”, then either the prosecution or the trial must end. To put it differently: only “serious crimes” are going to be tried in court.

One may argue over the ethical or legal acceptance of the notion of a “petty-vs-serious” difference (as Cicero used to say, what matters – and deserves the maximum punishment – is the act of killing, not the fact that you killed one man or a hundred people), but this legislative decree only turns into law what already happens on a daily basis in the Italian courts: a confession of failure, in other words.

 

Twenty Years Of Hacking In About 4 Minutes

Twenty years of hacking in about four minutes. This is a short documentary on the life of Metro Olografix, one of the oldest and most active digital NGOs in Italy.

Proud to be there since the beginning.

https://www.youtube.com/watch?feature=player_embedded&v=eoNBNaKfB4A

p.s. The video is full of trivia about people and technology. But unfortunately, Google can’t help. You have to rely upon memory, culture and experience. Brain, in other words 🙂

 

Are All 27000-1 Certifications Created Equal?

Say you have to outsource the storage of your corporate data.

Say you have to assess the quality of a couple of (apparently) “good looking” potential suppliers that both give you access to housing/cloud services.

Say both of them are “ISO 27000-1 Certified”.

Which are you going to choose?

Answer: ask to see the “perimeter” that has been certified.

In other words: advertising on the corporate website or wherever else that a company is “ISO 27000-1 compliant” doesn’t always mean that the WHOLE company actually is.

Maybe the certification has been obtained for the data-centre only, or just for a small part of the infrastructure, or – say – for the financial department.

Thus, a fair use of the “label” would be a statement like this: “we are ISO 27000-1 certified for X,Y,Z” instead of a simpler (and deceptive) “we’ve got the ISO 27000-1”.

Next time, ask first.

The (defunct) Data Retention Directive Still Causes Harm

Notwithstanding that the Data Retention Directive has been bashed by the EUCJ ruling, there is wide agreement that its national implementation might still be valid if not in contrast with the main Data Protection Directive.

So far, neither the Italian Parliament nor the Data Protection Authority has run the “stress test”, thus leaving ISPs in a void of uncertainty.

Furthermore, and this is today’s news, there is a case where the actual provision of Internet access under a contract terminated back in 2010 has been challenged in court by the former customer. Under the Italian Supreme Court jurisprudence, in this case it is the ISP who must provide the evidence that the agreement has been fulfilled. But, guess what? Under the strict (and wrong) interpretation of the Data Retention Directive, this ISP deleted the log files and now has a problem supporting its defense.

True, keeping the traffic data for legitimate purposes (such as legal defense) is allowed by the Data Protection Directive.

True, the Data Retention Directive can be interpreted as an exception that doesn’t overrule the Data Protection Directive.

True, an ISP has more than a chance (in theory) to successfully support its choice of keeping the traffic data for legal defense purposes even exceeding the mandatory term set forth by the DRD.

But all this means fighting an all-round legal battle, explaining to the Court that the traffic data have been legally retained and are, thus, valid evidence, standing against a possible Data Protection Authority investigation, and so on.

In short: a waste of time, money and resources that could be spared if only the Powers-that-be had dedicated a fraction of their time to solving this riddle, instead of toying with this Internet Bill of Rights nonsense.