Australia’s NBN rollout a global embarrassment

Australia’s disastrous roll-out of the high speed National Broadband Network (NBN) has continued to make global headlines in the last 24 hours – including coverage in the New York Times – and for all the wrong reasons.

According to this story on TechGuide, not only does Australia rank well behind the US, Western Europe, Japan and Korea but we also “embarrassingly” fall below countries such as Thailand and Kenya, ranking number 51 on the Akamai ranking of internet speeds. And perhaps most disparagingly, this is despite a $50 billion investment over the last 8 years.

So why have we become the laughing stock of the world – and as the TechGuide writer so aptly put it, a ‘technology backwater’ despite boasting a rich resources market and enviable lifestyle?

What should have been a consistent roll-out of the latest and greatest technology has been chopped and changed more times than one can recall.

The original plans for Fibre to the Premises (FTTP) have been replaced with a mish mash of Fibre to the Node (FTTN) or Fibre to the Curb (FTTC) coupled with existing copper wire infrastructure – and in some areas, now reportedly wireless connections via dedicated NBN towers.

One Australian NBN provider, Telstra, has even been forced to start offering existing NBN customers their money back due to unacceptably slow speeds, as reported below on Channel 10’s The Project.

So what impact will these continued NBN issues have on small businesses trying to effectively operate in the digital age, and will Australians ultimately get the high speed internet speeds originally promised? Only time will tell.

Click here to read the full story on TechGuide or the New York Times article here.

 

Brisbane Hosting & Website Hosting’s products and services include Website Hosting, Domain Names, DNS Services, Website Development, Website Design, Website Revamps, Website Maintenance, Social Media Campaigns and more.

Contact Brisbane Hosting on (07) 3889 2977 or via email info@brisbanehosting.com.au for further information. 

Aussies clueless that NBN will be compulsory

Are you one of 6 million Australians who didn’t know it will be mandatory for you to switch to the new NBN network?

According to a new survey from Finder.com.au and a story published on msn.com here, more than one in three Australians (37%) have no plans to switch to the NBN or don’t know what it is.

What is most surprising about the research is that so many people mistakenly believe the NBN is optional, and haven’t twigged to the fact that their existing telephone and internet will be cut off if they don’t make the transition.

In short, the NBN will be the new universal communications infrastructure network, completely replacing the existing copper network that landline telephones and many home broadband connections rely on.

And this changeover is not that far away with the Government imposing a deadline of 2020 for all 11.9 million Australian premises to switch over to the NBN network.

So how come 6 million Aussies could be left in the dark, disconnected? 

Of the 2004 Australians surveyed, 17% said they would not make the switch, while 18% didn’t know what they would do or didn’t understand what the NBN was about.

Even a small percentage of those who did plan to move across to National Broadband Network aren’t in a hurry – claiming they would take 18 to 24 months to make the transition. Little do they realise that their phone and internet would be cut off during this time with telecommunication companies obliged to deactivate existing copper within 18 months of NBN arriving in their area.

Click here to read the full article.


Microsoft Pays Out Again Over Forced W10 Upgrade

An IT worker has been paid US$650 by Microsoft after he threatened to sue the company following a forced upgrade to his grandfather’s computer that was running Windows 7.

In 2013, Jesse Worley had built a machine running Windows 7 for his granddad but made it look like a Windows XP interface because his relative suffered from Alzheimer’s and an XP environment was something the old gentleman could remember, according to Digital Trends.

But during its frantic bid to push Windows users to upgrade prior to 29 July this year, Microsoft had at one stage changed the behaviour of update notifications, such that clicking on the close window button caused the machine in question to update. For 21 years, that button, with an X on it, has done nothing but close windows when anyone clicks on it.

Worley wrote to Microsoft about the upgrade using the company’s recommended Notice of Dispute procedure.

The company has admitted that the upgrade pop-up window was misleading and that customers who were misled can seek redress.

Worley donated the money he received to an Alzheimer’s charity. He had initially asked Microsoft to pay him for the time he had spent to rework his granddad’s computer and donate to an Alzheimer’s charity, but the company only agreed to the former demand.

In June, a travel agent in California was awarded US$10,000 by a small claims court after she sued Microsoft over a Windows 10 upgrade.

By: Sam Varghese

Posted On: http://www.itwire.com/home-it/76038-microsoft-pays-out-again-over-forced-w10-upgrade.html

 


Hidden challenges emerge as data breach notification laws finally hit Australia

Australia’s new mandatory data breach disclosure law is attracting a lot of attention, and a lot of criticism. But it will also have some interesting – and perhaps unintended – consequences.

Most commentary has been about the fact that it will give Australia some of the strictest disclosure rules in the world. That is a good thing to some people and a bad thing to others.

Some critics, such as the recently formed group Data Governance Australia, are still trying to stop the law.

The chief executive of Data Governance Australia, Graeme Samuel, former head of the ACCC, says the legislation is “heavy-handed” and wants a voluntary industry code of conduct instead.

It is almost certainly too late for that.

After a long and tortuous path through Parliament that began five years and three governments ago, the bill has now been introduced to Parliament. It will almost certainly pass, because it has support from both sides of politics.

The legislation places a strong responsibility on public and private sector organisations to ensure they are aware of data breaches, and that they act on them promptly.

It sets the bar lower than many such laws in other jurisdictions. It will mean it is not enough that an organisation makes a disclosure after it discovers a breach. Reading the legislation literally, the disclosure must be made even if the organisation simply believes a breach has occurred.

The bill will have the effect of significantly raising the profile of data security in most organisations. That is a good thing – in the modern world nearly all our information assets are in electronic form, and those assets have significant value.

Unexpected consequences

But the legislation also has the potential to significantly affect planning for a national electronic ID plan, and for any attempts to harmonise state and federal moves in that direction.

The Australian Government’s Digital Transformation Agency – formerly the Digital Transformation Office – has indicated that it wants to introduce a voluntary electronic ID system, perhaps using voice identification technology already adopted by the Australian Taxation Office and Centrelink.

It would be used with the MyGov system, which enables a single sign-on by citizens wishing to deal online with multiple government departments.

But the NSW Government has developed a separate system for Service NSW, which does the same thing for people dealing with separate agencies in that state.

Other states are also considering electronic ID systems. There has been some talk of unifying them all through MyGov, but this is unlikely to happen without uniform privacy and data breach notification in each state.

The new data breach notification legislation covers Australian Government agencies and private organisations with an annual turnover of more than $3 million.
But it does not cover state government agencies, all of which operate under their state’s own privacy laws, none of which include mandatory data breach disclosure.

The fact the states and territories are specifically excluded from the federal legislation makes co-operation on an electronic ID standard problematic.

Section 109 of the Constitution says federal law overrides state law, but the states may not wish to subject themselves to the more onerous reporting requirements of the federal data breach reporting legislation, which could act as a disincentive to any co-operation in this area.

Opportunity for harmony

This is a problem, but it is also an opportunity. It is an opportunity for the states to update and harmonise their privacy laws so that there is a uniform regime operating across the country.

That will ensure all government agencies – federal, state and local – will be able to take advantage of the requirements of the new law to improve the integrity of their systems, and to take advantage of a unified national electronic ID system.

That would have many advantages. A single sign-on for citizens dealing with governments at all levels would greatly facilitate the growth of e-government in Australia, and would mean all government agencies would need to be much more serious around security, and in particular around their ability to monitor, detect, respond and report on data breaches.

Originally, the new mandatory data breach disclosure legislation said that a notification must be made “if an entity is aware, or ought reasonably to be aware, that there are reasonable grounds to believe that there has been a serious data breach of the entity, the entity must, as soon as practicable after the entity becomes so aware, or ought reasonably to have become so aware, as the case may be”.

It stated that an organisation cannot claim it did not know a breach had occurred. It cannot be wilfully blind to breaches, and it cannot claim plausible deniability around security incidents.

It also means that breaches need to be properly investigated, and in a timely manner – you have a 30-day limit to conduct your investigation.

Reports since the draft bill was developed have stated that the government is considering changing the language to remove the requirement for notification if an organisation “ought to have been aware”, however, we are yet to see these changes take place.

Important change

Data breaches are not good for public trust and they are not good for people whose personal details are compromised. The bill marks an important change, because it says essentially that if a data breach occurs there are no mitigating circumstances.

Organisations will need to properly determine the amount of harm the breach causes.

It is clear that the intent behind the terminology in the legislation is to make it an imperative for organisations, in the private and public sectors, to step up their cyber security capabilities.

Over the last few years we have seen a large number of highly publicised data breaches, with substantial evidence that many organisations did not have effective process or procedures, or the right people, to prevent the breaches, remediate them, or to properly inform affected parties.

The new legislation is intended to ensure there is much less chance of that happening in Australia in the future.

All organisations will have to take cyber security more seriously, and be more proactive in improving their monitoring, detection and reporting.

By: Leonard Kleinman – Leonard Kleinman is chief cyber security adviser, Asia Pacific and Japan, for security company RSA.

Posted On: http://www.afr.com/technology/web/security/hidden-challenges-emerge-as-data-breach-notification-laws-finally-hit-australia-20161125-gsxnri

 


FBI wants companies to back off end-to-end encryption

The agencies want tech vendors to retain access to encrypted data to comply with court-ordered warrants.

U.S. tech companies should retain access to the encrypted information of their customers, instead of providing end-to-end encryption, in order to give police the tools they need to investigate crimes and terrorist activity, two senior law enforcement officials said.

The U.S. Department of Justice and the FBI aren’t seeking new legislation to require tech companies to comply with warrant requests, at least for now, and they don’t want companies to build encryption back doors that give the agencies direct access to communications and information stored on smartphones, said Sally Quillian Yates, the DOJ’s deputy attorney general.

Instead, the DOJ and FBI, in their continuing efforts to combat the use of encryption by criminals and terrorists, are proposing that tech and communications companies retain internal access to encrypted information so that they can comply with court-ordered search warrants, she told the Senate Judiciary Committee Wednesday. Several tech companies already retain some access to customers’ encrypted data, she said.

Legislation may eventually be necessary, but the DOJ is now looking for voluntary compliance from tech companies, she said.

With new encryption services from tech companies, “critical information becomes, in effect, warrant-proof,” Yates said. “We are creating safe zones where dangerous criminals and terrorists can operate and avoid detection.”

A recent push by tech companies toward end-to-end encryption, partly in response to reports of mass surveillance programs, has led the DOJ and FBI to raise concerns about law enforcement agencies “going dark” when investigating crime. Last September, FBI Director James Comey Jr. first questioned decisions by Apple and Google to offer encryption by default on their smartphone operating systems.

“The world has changed in the last two years,” Comey told senators. “Encryption has moved from something available to something that is the default, both on devices and on data in motion.”

Terrorist group ISIL (Islamic State of Iraq and the Levant) has used encryption effectively, Yates said. ISIL makes first contact with many potential recruits on Twitter, where the group has about 21,000 followers of its English language feed, but then directs them to communicate further on an encrypted messaging service, she said.

“This is a serious threat, and our inability to access these communications with valid court orders is a real national security problem,” Yates added. “We must find a solution to this pressing problem, and we need to find it soon.”

U.S. tech companies should be able to find a way to provide law enforcement access to encrypted data and still provide many of the security and privacy benefits of encryption, Comey said. “The tools we are being asked to use are increasingly ineffective in our national security work and in our criminal work,” he said. “I don’t come with a solution — this is a really, really hard problem.”

But Comey also rejected arguments by some computer scientists who say it’s impossible to allow police access to encrypted data without also opening it up to hackers.

“I think Silicon Valley is full of folks [who] have built remarkable things that changed our lives,” he said. “Maybe this is too hard, but given the stakes … we’ve got to give it a shot.”

While companies like Google and Apple were not included in the hearing, senators gave a mixed reaction to the testimonies of Yates and Comey. Some senators suggested it would be nearly impossible to prevent foreign tech vendors from offering encrypted communication products.

Senator Al Franken, a Minnesota Democrat, pressed Yates to provide statistics about the number of criminal cases affected by encrypted data.

Before creating new regulations, Congress needs to have a “clear understanding of the scope and the magnitude of law enforcement’s security interests,” Franken said.

Yates couldn’t provide a number of cases affected, saying it was difficult because, in many cases, police don’t seek a warrant when they know the information they want is encrypted. But Cyrus Vance Jr., district attorney in Manhattan, told senators his office has tried to pull data off 92 Apple phones running iOS 8 in the past six months, and on 74 of those devices, the data was encrypted.

Other senators were sympathetic to the encryption dilemma faced by law enforcement agencies. Senator John Cornyn, a Texas Republican, pressed Comey to tell lawmakers that U.S. residents will die if a solution wasn’t found. Comey declined, saying he doesn’t want to scare people. The FBI will do the best job it can with the crime-fighting tools it has, he said.

Still, Cornyn questioned companies that offer encryption without retaining some access to the data. “It strikes me as irresponsible, and perhaps worse, for a company to intentionally design a product in such a way that prevents them from complying with a lawful court order,” he said.

By Grant Gross, IDG News Services
Posted on: http://www.computerworld.com.au/article/579237/fbi-doj-want-companies-back-off-end-to-end-encryption/?fp=16&fpid=1

Optus admits handing user phone numbers to websites

Without customers’ knowledge.

Optus has admitted to handing over its customers’ phone numbers to certain third-party websites accessed by the user.

As first flagged by a user on telco forum Whirlpool, when a user browses certain websites, Optus provides the customer’s mobile phone number to the website operator where a “commercial relationship” exists.

The practice, known as HTTP header enrichment, adds the mobile user’s phone number to the HTTP headers of the request sent to the website. The process aims to streamline direct billing for customers.

The Whirlpool user discovered the practice after receiving alerts about a subscription to a site they had not signed up to.

Optus confirmed its use of HTTP header enrichment to iTnews but said it only provided the details to certain sites involved in a “trusted” commercial relationship with the telco.

“When consumers browse the internet, information about the device they’re using is passed on to website owners in order to optimise websites for those users,” a spokesperson said.

“Optus adds our customers’ mobile number to the information in select circumstances where we have a commercial relationship with owners of particular websites.”

The telco said numbers were only sent to sites where user authentication is required – such as for premium content services with direct billing to Optus.

iTnews has contacted other telcos about their approach to the practice.

Optus customers have raised concerns about the privacy implications of these information sharing habits.

One user, who declined to be named, said there was no way for the end user to opt out of third-party sites being able to see their mobile number if they are an Optus customer.

“This raises huge privacy concerns,” the user said.

Optus’ privacy policy states that it may share some “personal information” with third parties, but does not specifically mention mobile numbers.

“We sometimes team up with other companies to offer products,” the policy advises.

“If you purchase a product that is delivered by one of our partners, we’ll give them the personal information they need to provide it and manage their relationship with you. In these circumstances, we have arrangements in place with our partners that limit their use or disclosure of your personal information to these purposes.”

In the United States, Verizon Wireless’ use of HTTP header enrichment to track users with a “super cookie” became a privacy cause celebre, and led to a “please explain” letter from US senators in January this year.

Verizon Wireless modifies network traffic and injects an X-UIDH HTTP header that was thought to uniquely, and silently, identify the telco’s customers to advertisers.

The cellular provider denied the X-UIDH header contained customer information, instead calling it a temporary anonymous identifier sent to advertisers, and therefore not a privacy threat.

After official uproar arose over the practice, Verizon Wireless was forced to introduce an opt-out scheme for customers who did not want to be tracked in this manner.

By Allie Coyne, Juha Saarinen
Published in: http://www.itnews.com.au/News/405656,optus-admits-handing-user-phone-numbers-to-websites.aspx#ixzz3eV0Wj300
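
One way a site operator or tester can check for the header enrichment described above, as an added example that is not part of the original article: compare the headers a client sent over plain HTTP with the headers a server under the tester's control logged for the same request. `X-UIDH` is the header named in the article; the other header names, the `X-Subscriber-Number` header and all sample values are constructed assumptions, and the header Optus uses is not given in the article.

```python
import re

# Header names publicly associated with carrier header enrichment. X-UIDH is the
# Verizon Wireless header named in the article; the other names are assumptions
# added for this example. The header Optus uses is not given in the article.
KNOWN_ENRICHMENT_HEADERS = {"x-uidh", "x-msisdn", "x-up-calling-line-id", "x-acr"}

# Headers an ordinary forwarding proxy may add without identifying the subscriber.
PROXY_METADATA_HEADERS = {"via", "x-forwarded-for", "x-forwarded-proto"}

# Loose phone-number shape: optional leading +, then 8 to 15 digits.
PHONE_LIKE = re.compile(r"^\+?\d{8,15}$")


def _normalise(headers):
    """Lower-case header names and trim values so comparisons are case-insensitive."""
    return {name.strip().lower(): value.strip() for name, value in headers.items()}


def _looks_like_phone(value):
    """True if the value is a phone number once spaces, dashes and brackets are removed."""
    return bool(PHONE_LIKE.match(re.sub(r"[\s\-()]", "", value)))


def find_injected_headers(sent, received):
    """Return findings for headers added or changed between client and server.

    sent:     headers the client put on the request
    received: headers the origin server logged for the same request
    """
    sent_n, received_n = _normalise(sent), _normalise(received)
    findings = []
    for name in sorted(received_n):
        value = received_n[name]
        if sent_n.get(name) == value:
            continue  # unchanged in transit
        if name in KNOWN_ENRICHMENT_HEADERS:
            kind, risk = "known-identifier", "high"
        elif _looks_like_phone(value):
            kind, risk = "phone-like-value", "high"
        elif name in sent_n:
            kind, risk = "modified", "medium"
        elif name in PROXY_METADATA_HEADERS:
            kind, risk = "proxy-metadata", "low"
        else:
            kind, risk = "unexpected-header", "medium"
        findings.append({"header": name, "kind": kind, "risk": risk})
    return findings


def high_risk_headers(findings):
    """Names of headers that identify, or probably identify, the subscriber."""
    return [f["header"] for f in findings if f["risk"] == "high"]


# Constructed sample: headers a test client sent over plain HTTP ...
SENT = {
    "Host": "echo.example",
    "User-Agent": "ExampleBrowser/1.0",
    "Accept": "*/*",
}

# ... and the headers a server under the tester's control logged for that request.
# X-Subscriber-Number is a hypothetical header name; all values are constructed.
RECEIVED = {
    "Host": "echo.example",
    "User-Agent": "ExampleBrowser/1.0",
    "Accept": "*/*",
    "Via": "1.1 carrier-proxy",
    "X-UIDH": "CONSTRUCTED-TOKEN-0001",
    "X-Subscriber-Number": "+61 491 570 156",
}

if __name__ == "__main__":
    for finding in find_injected_headers(SENT, RECEIVED):
        print(f'{finding["risk"]:<6} {finding["kind"]:<18} {finding["header"]}')
```

Because the carrier has to modify the request in transit, the comparison is only meaningful for unencrypted HTTP; a request carried inside TLS reaches the server with the headers the client sent.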

Microsoft won’t fix Internet Explorer zero-day

HP researchers release exploit code after Microsoft declines to issue patch.

HP researchers have published details and proof-of-concept exploit code for a number of zero-day vulnerabilities in Microsoft’s Internet Explorer web browser which allow attackers to bypass a key exploit mitigation.

The researchers – part of HP’s Zero Day Initiative team – have a policy to only disclose details of bugs reported to vendors after patches are issued.

But the team decided to go public after being informed by Microsoft that it did not intend to fix the bugs as the company feels the vulnerabilities don’t affect enough users.

The flaws were serious enough, however, for Microsoft to earlier award the HP team a US$125,000 bug bounty.

The researchers had discovered that an attacker could fully bypass address space layout randomisation (ASLR) and data execution prevention (DEP) in Windows, beating the Isolated Heap and MemoryProtection mitigation measures Microsoft introduced last year for IE.

ASLR makes it difficult for attackers to work out where data is located in a computer’s memory; DEP uses the system processor to mark areas of memory as non-executable, preventing malicious code from running in that space.

The HP team said it reported the vulnerabilities to Microsoft last year and had opted to wait to release full details of the flaws until they were fixed.

However, the security researchers were told by Microsoft that as the flaws didn’t affect 64-bit systems, they would not be patched.

HP researcher Dustin Childs said while Microsoft was technically correct – “a 64-bit system has a much larger address space than a 32-bit system, which makes ASLR that much more effective” – millions of 32-bit systems were still at risk from the flaw.

Microsoft’s forthcoming Windows 10 operating system will also have a 32-bit edition.

“To demonstrate this, we have released proof-of-concept (PoC) code to demonstrate this bypass on Windows 7 and Windows 8.1,” Childs, formerly the group manager of response communications at Microsoft’s security department, wrote.

The exploit abuses the Internet Explorer MemoryProtection protective measure to work out where in memory a certain dynamic link library (DLL) is stored, bypassing ASLR.

By leveraging a use-after-free (UAF) vulnerability, the researchers were able to use the address of the DLL to update a return-oriented programming chain, and transfer execution to it.

This process bypasses the hardware DEP security measure, and the PoC executes a benign shell-code to launch the Windows calculator application.

He said his team had decided to release the proof-of-concept exploit code and full details to arm users with as much information as possible to defend against potential attack.

“Since Microsoft feels these issues do not impact a default configuration of IE (thus affecting a large number of customers), it is in their judgment not worth their resources and the potential regression risk,” Childs wrote.

“We disagree with that opinion and are releasing the PoC information to the community in the belief that concerned users should be as fully informed as possible in order to take whatever measures they find appropriate for their own installations.”

By Allie Coyne, Juha Saarinen
Published in: http://www.itnews.com.au/News/405645,microsoft-wont-fix-internet-explorer-zero-day.aspx#ixzz3eUzBwOYD

Australia passes law to block overseas piracy sites

Content owners allowed to apply to take down copyright infringing sites.

The Australian Senate today voted through legislation which allows rights holders to apply to a court to block overseas websites facilitating copyright infringement.

The legislation passed despite strong opposition from the Australian Greens and a number of independent and minor party MPs, the telecommunications industry, technology companies and consumer groups.

The final vote count was 37 ayes and 13 noes, with Labor and the Coalition voting in favour of the bill and the Greens along with senators Glen Lazarus, Ricky Muir and David Leyonhjelm voting against it.

Greens Senator Scott Ludlam said the scheme becomes Australia’s “second internet filter” behind so-called section 313 powers that allow law enforcement agencies to block websites in order to disrupt illegal online activities.

“The only effective way to deal with copyright infringement on the kind of the scale the government is concerned about is to just make [content] available conveniently, affordably and in a timely way,” Ludlam told the Senate.

“The distribution model where you could sit on your 20th century distribution bottleneck and put a property up on screen, and then wait for two months to do the TV release, then wait another two months and release it on DVD — that model is broken.”

The Labor Party united with the government to vote down a number of amendments by the Greens which covered VPNs, geoblocking and allowing a third party to join court proceedings, among other things.

The bill’s passage through parliament looked set earlier this month when the Labor contingent of a parliamentary committee reviewing the bill sided with the Coalition to give the legislation a stamp of approval.

Communications Minister Malcolm Turnbull introduced the proposed law into parliament in March.

It amends the Copyright Act to allow rights holders to apply for overseas websites used for downloading and uploading copyright infringing content – such as The Pirate Bay – to be blocked.

The government estimates the scheme would cost ISPs $130,000 per year to comply with the legislation.

The committee recommended the bill be passed once a number of minor changes – including the introduction of a landing page for blocked sites and a review of the bill’s effectiveness after two years – were implemented by the government, which the Coalition later agreed to.

The bill adds to a growing legislative and financial burden being imposed on the telecommunications industry since the government’s mandatory data retention bill was passed in March.

That burden includes the recent industry-led copyright code aimed at tackling infringement.

It was developed after the federal government last year gave rights holders and the telco industry four months to come up with a scheme for self-regulation of copyright infringement or have one enforced on them.

The code applies to around 70 of Australia’s biggest internet service providers – or all ISPs that provide residential fixed internet services to more than 1000 account holders – and involves an escalating notice scheme for fixed-line residential users who rights holders claim have infringed copyright.

The industry has previously tentatively estimated the cost of the scheme to be upwards of $30 per IP address.

The government has said it would provide the telco industry $131 million over three years to help companies meet their new obligations under the mandatory data retention scheme, but the scheme has been forecast to cost up to $319 million to set up and $4 per customer annually to maintain.

By Allie Coyne
Published in: http://www.itnews.com.au/News/405557,australia-passes-law-to-block-overseas-piracy-sites.aspx#ixzz3ePs3drD0