My Two Cents on the Hacking Team Hack

What happened to Hacking Team is neither the first nor the last time that a security company that lives by the sword dies by the sword. Nor is it the first or the last time that a huge quantity of critical data is made available through the Internet.

So, to some extent, there is actually nothing new under the sun in the fact itself. This is why – putting aside the legal issues involved – I can hardly understand all the rants aimed at Hacking Team.

It is interesting, though, to analyze the “claims” that some “experts” made about the story. To make my points, instead of talking about anyone in particular, I’d rather refer in general to the accusations made against HT:

  1. Hacking Team has been “unethical”. A company is just supposed to be legally compliant. Ethics is a horse of a different colour: it’s a personal thing, it is relative and – thanks to the French Revolution – it is not mixed with the law. As long as Hacking Team didn’t break any law by selling its products, it can’t be blamed, because “money doesn’t smell”.
  2. Hacking Team sold its technology to human-rights-bashing countries. Although I have been in the digital-rights world since 1994, I wasn’t aware that there were so many human-rights (keyboard) warriors… Anyway, as long as a state has a seat at the UN, and the sale complies with international laws and treaties (such as the Wassenaar Agreement), doing business with it shouldn’t raise any concern (as international arms dealers are well aware).
  3. Hacking Team has jeopardized investigations and covert activities all around the world. No, the investigations have been jeopardized by governments’ choice of “going private” instead of developing their intelligence-gathering tools in house, and by the lack of a “Plan B” in case things – as has just happened – went wrong. In particular, it is rather curious that nobody noticed that HT’s licenses were associated with the customer’s identity in the clear, instead of using a nickname or a code name.
  4. There will soon be a “black” clone of Hacking Team’s software that will be used against the “good guys”. This malware is far from being the “only kid in town”, and the Internet is full of brilliant (rogue) programmers able to build “HT-like” software. So this statement is just nonsense.
  5. There are hints suggesting that Hacking Team’s malware has been used to plant fake evidence on targeted computers. So what? Blackmail is a standard tool of the trade in the intelligence world, and the way it is done is irrelevant. And to silence the troublesome voice of a political opponent it’s easier to frame him with conventional means (drugs, sex), which are cheaper and just as effective, than to use a costly application that is complex to manage.
  6. Hacking Team’s software is untraceable and can and will now be used without control. No, HT malware is not invincible: while it is able to fly under the antivirus radar, that doesn’t mean there is no defence. Guess how you can reduce its might? Use plain-text emails, don’t click links and attachments, check your machines and data traffic for odd behaviour… In other words, stop using whistles-and-bells operating systems and fancy features and go back to basics. It ain’t fancy, but it’s safer.
  7. Hacking Team helped intelligence agencies to gain access to everybody’s computer. Again, so what? Are intelligence agencies around the world supposed to play bridge, instead? As much as I dislike the fact, I cannot but pragmatically accept that the powers-that-be can do whatever they want, without actual accountability. They call it “democracy”.

Post Scriptum: Though I met David Vincenzetti about eighteen years ago at the Department of Computer Science of the University of Milan, and a couple of times in the following years, I have never worked with or for him.

If You Really Dislike Google, Just Do A Better One

The usual questionable and uncritical article raises “awareness” about the “danger” represented by the way Google handles the results of users’ queries, this time with “consumers” as the “victims”. The source of the article is a study supported by Yelp.

While I’m not a statistician, I wonder how it is possible to give general credit to a study based on a “random sample” (no method for building the randomness is disclosed) of fewer than 3,000 people, compared with the billions of users that query the web through Google every day, and furthermore without taking into account the huge ethnic and cultural differences among the countries the users come from.

And I wonder why the journalist wrote it without asking for an independent expert opinion. She just released what seems to be a summary of the study’s summary, without actual knowledge of the topics involved. In other words, this article is somewhere between disinformation and misinformation. And, to be clear, I’m not questioning the integrity of the journalist (for instance, she duly disclosed Yelp’s involvement in the study); what I criticize is that she didn’t actually deliver informative content. No matter whether this comes from a poor grasp of the mathematical methods or from a lack of knowledge of the digital business world, the fact is that her readers aren’t given sound information, and what they get instead is the usual “Is Google evil?” article that, from time to time, appears all around the net.

Moving to the general issue, at the end of the day things are pretty straightforward: Google is neither perfect nor necessarily “friendly”, but if you dislike Google, just build a better one instead of using spin, FUD and the law.

Of course, if you ????.

Post Scriptum: I neither work for Google nor have any other kind of involvement with it.

My “Cookie Law” Legal Notice (in English and Italian)

This is how I amended the data-protection information page on my street-photography website to meet this stupid “cookie law”:

A plainly wrong Italian implementation of the EU “cookie” directive makes it mandatory to obtain prior consent for the use of Google Analytics, even if – as in this case – the personal identity of a user is unknown to me and only Google “might” be able to exploit the anonymous information collected through this website. So, in case you want to know whether Google is able to identify you through your access to this website, please send me your identity together with your IP address and I will forward your request to Google… or, better, you might do it on your own, without telling ME who you are.

And this is the Italian translation:

Un’applicazione semplicemente sbagliata della direttiva europea sui cookie impone di ottenere il consenso preventivo per usare Google Analytics anche se, come in questo caso, ignoro l’identità personale di chi accede al mio sito e solo Google “potrebbe” essere capace di usare le informazioni raccolte per fornirmi le statistiche. Dunque, se volete sapere se Google è in grado di identificarvi tramite l’accesso a questo sito, per favore inviatemi le vostre generalità e l’IP che avete usato, e girerò la vostra richiesta a Google… oppure, meglio, potreste farlo direttamente voi, senza dire A ME chi siete.

When Losing Is Winning

A couple of days ago I got a message from a prospective client in the food industry who needed data-protection consulting services: he didn’t feel like accepting my proposal, so he kindly turned it down.

I should have been saddened by this lost opportunity, but actually I was not.

Before sending the quote for my services, I met the client at his plant and talked extensively about his company’s situation and needs. We had different opinions about which issues needed fixing and what the related time and costs would be.

Yes, I could have lowered the costs as he asked, and “reshaped” the services according to the customer’s perception of his situation. But I did not.

Fair consultancy work can be done only with the full agreement of the client and a clear mutual understanding of goals and methods. If that is not the case, it is better not to take the assignment, because the client will end up unsatisfied and the consultant’s professional reputation will be harmed by what is perceived as a cheap, poor-quality job.

At the end of the day, then, we both won: no time has been wasted, money has been saved, and a business relationship has been preserved.

Italian “Cookie Law” and the Misinformation about Google Analytics

There is a lot of hype in Italy about this “cookie law”, in force since June 2, which makes it mandatory to obtain the consent of a user accessing a website before “profiling” him through the use of cookies. As always, a fleet of “advisers” kept pushing companies, at full steam, to comply with this regulation, foreseeing dire consequences for non-compliant companies, especially those using Google Analytics.

This is not entirely correct, so it is better to clarify a few points:

First of all: the “cookie law” is not a “law”, but just an order issued by the Data Protection Authority under its “peculiar” view of the EU Data Protection Directive(s).

Second: the data protection directive (and its local implementations) applies only to “personal data”, i.e. data that identify, or make it possible to identify, a natural person.

Third: a user that accesses a website anonymously doesn’t reveal his identity, thus the data protection act doesn’t come into play.

It follows from the above that a website using Google Analytics without looking at the identity of the user is not subject to this stupid “cookie law”.

Simple as that.