Brexit Deal Copied And Pasted Recommendations For Netscape, Outdated Encryption
from the I'm-sure-this-will-all-go-great dept
You’d think a massive and controversial deal to sever the UK from the European Union, impacting the lives of millions of people over the better part of the next generation, would contain a certain amount of… precision.
Not so much.
After a long, contentious debate and some last minute <a href=”https://www.bloomberg.com/news/articles/2020-12-23/outline-of-brexit-trade-deal-has-been-reached-officials-say”https://www.bloomberg.com/news/articles/2020-12-23/outline-of-brexit-trade-deal-has-been-reached-officials-say”>haggling over fish, the final agreement governing the United Kingdom and European Union?s trade relations for decades was finalized last week. But when security researchers dug through the wording of the final agreement (which you can peruse here (pdf)), they found a bunch of indications of laziness.
Including, apparently, recommendations to protect yourself from cyberattacks by using a web browser (Netscape) that stopped being updated somewhere around 1997 or so:
Netscape Communicator is mentioned in Brexit document … Almost feels like it is 40 years old …1K RSA and SHA-1 … one day we will build a digital world fit for the 21st Century … pic.twitter.com/1cg6uX3clw
— Prof B Buchanan OBE (@billatnapier) December 26, 2020
As the BBC notes, the language appears to have been copied and pasted from a 2008 law, and the recommendations were already outdated then. While it’s reflective of the rushed and sloppy nature of the effort, the Netscape recommendation isn’t that big of a deal, given it’s simply cited as an example of a “modern e-mail software package? and will likely be ignored. More troubling however is the document’s recommendation of using 1024-bit RSA encryption and the SHA-1 hashing algorithm, both outdated and vulnerable to cyber-attacks:
” the SHA-1 hashing algorithm has been demonstrated to be vulnerable to collision attacks, and computing power has advanced such that 1024-bit RSA encryption can be broken in a sensible time frame by anyone with sufficient GPU power to give it a try. It?s clear that something is amiss in the drafting of this treaty, and we?d go so far as to venture the opinion that a tired civil servant simply cut-and-pasted from a late-1990s security document.”
While you’d hope the recommendations won’t be taken seriously, it still suggests a certain amount of… half-assedness that doesn’t bode particularly well for the broader agreement, the finer details of which will impact the lives of real human beings for decades.
Filed Under: brexit, copy paste, encryption, eu, trade deals, uk
Companies: netscape
Comments on “Brexit Deal Copied And Pasted Recommendations For Netscape, Outdated Encryption”
'... and a bowl of only green M&M's.'
I can’t help but think of ‘absurd’ riders that performers put into their contracts in order to check whether the other party actually read the contract, minor but immediately visible indicators that the other party read the entire thing and didn’t just skim it, which can have noticeable consequences should something like safety instructions be in there.
In this case if the people writing up a trade agreement between the UK and EU can’t be bothered to actually write the thing and instead just copy/pasted text from old, outdated documents, that… doesn’t bode well for the rest of it or future agreements, as if they can’t be bothered to take something as serious as internet security seriously what else are they slacking off on?
politics of politics.
You should read some of what they have done to the last 2 bills. They changed NAFTA AGAIN.
How do you change a CONTRACT, without telling the other side you did and have them AGREE?
Re: politics of politics.
Easy. You just be a telecom provider, IPS, Internet platform or similar and write the ability to do so into your TOS.
Re: Re: politics of politics.
that needs no comment, DONT tell landlords they can do that.
Re: Re: politics of politics.
Not necessary.
One Russian delivery company (link https://vc.ru/claim/192669-dostavista-ne-dostavil-posylku-i-ne-vozvrashchaet-dengi-za-dostavku , text in Russian), basically uber but for courier services tried even more interesting thing.
Client send package. Courier didn’t deliver it. Package was lost.
Company says they will refund package price but not delivery price. Reason? Client somehow have direct contract with courier so it’s client’s (and courier’s) problem. Or police. No, client can’t see this ‘contract’ because of personal data legislation. Also, refunding package price is implemented in such way that company just takes money away from courier on behave on client (basically like collectors work).
Bank chargeback is not possible in this specifc case.
It’s interesting if such ideas will be implemented in places which have much more freedom of contract.
And we are all surprised?
This pretty much sums up the current UK government, all talk about how cutting edge and forward looking they are. So much so that words like "groovy" and "man" are thought to be "with it"…
In reality, a great deal of lazy rhetoric and grandstanding, with little to no real substance. The word "pitiful" has been applied to them, only after careful consideration to have been replaced by the word "abysmal".
Re: And we are all surprised?
…I’m pretty sure people still use the word "man", man.
Re: Re: And we are all surprised?
They do but they’re not "with it". There are newer terms used for the same purpose.
Re: Re: Re: And we are all surprised?
Aww. Feels bad man.
And the ignorance of civil servants and politicians shows yet again. How many times must we say, they need technologists and experts in the room when discussing subjects about which they clearly know next to nothing. I’m sure other industries have the same problem, but it seems to be most obvious in IT … or is that "cyber"?
Re: Re:
There’s no part of Brexit that isn’t a total clusterfuck.
Re: Re: Re:
"There’s no part of Brexit that isn’t a total clusterfuck."
Not exactly – the entire point of Brexit was to avoid new EU anti-tax shelter rules, and the people who benefitted from that have made their profits and got themselves EU passports/businesses that protect them from the fallout.
There’s also people like myself who have managed to have careers that will be ultimately unaffected by Brexit as our host countries have been determined to keep us, although sadly newer generations won’t have the opportunities we had.
But, in terms of people left in the UK and/or beholden to the UK’s good decision making on their own? Yeah, not so good.
Re: Re: Re:
Brexit did give us more Lord Buckethead snark, so that’s one thing about it that’s not a clusterfuck.
Re: Re: [correct terms]
Actually, the correct term is “Hungarian Group Entertainment”, sometimes abbreviated HGE. Please update your systems.
Re: Re:
Yes, that’s the correct term. "Cyber" is a word used exclusively by people in government to let everyone know that they don’t understand how computers work.
If the Scots leave though
There won’t be much haggling about haggis.
Given the time period the tories want to take the country back to, I’m surprised it’s Netscape they mentioned and not numbers stations, the Enigma machine and valves.
i doubt if there’s that many people in the UK that will be particularly shocked to read this. from what i understand, this is typical of the Tory party in general, for PM Johnson and the majority of those in Govt. the amount that things are truly screwed up wont be revealled until it’s much too late, with, as is usual, the UK people being on the receiving end of crap and the EU being the one that benefits. when you consider that Barnier has been the UK’s biggest problem but the EU wanting the same as when the UK was a member, to take and get as much from the UK as possible, giving nothing in return but crap! i’m waiting to read about energy, water and technology price increases because so many companies were sold to the EU or came under EU company rules, that the people cant afford to pay for the necessaties of life, because you can bet that the UK govt wont increase wages to cover price increases (and that’s without the problems caused by covid). consider as well that for a country that is so high on the ‘wealth’ table, the numbers that are on the poverty line, that have to rely on charities and food banks, it dont say much for the present govt! the shit that’s been caused since Cameron became Prime Minister that affected everyone except the rich and their friends, shows where the loyalties and priorities lay and have continued to lay. there’s gonna be a massive amount of shit hitting fan in the not too distant future in the UK, especially when giant corporations and mega companies are still gonna be allowed to pay a pitence in taxes and the already stomped on UK public is going to be forced to repay the debt caused by covid!
Re: Re:
lol
This is what "taking back control" looks like.
I’m in the UK, so this is my future.
The whole Brexit saga started because some people felt it wasn’t right that the UK be subject to regulations passed by the EU. Never mind the fact that 99% of these regulations were about fiddly details of stuff like a standardised description of wholesale fruit and veg (which led to the myth of the Bendy Banana Ban), and the rest were things like fishing quotas that genuinely need to be international because fish have no respect for international borders.
So we voted to Leave. Ever since then we’ve been trying to negotiate what comes next. Negotiations everywhere always go to the line because the party in the biggest hurry always gets the worst of the deal. This was no exception.
An agreement like this gets negotiated in general non-legal terms by the people sitting at the table. It then gets handed off to lawyers in the back room to tie down the intent in actual legal language. These lawyers are of course experts in EU law, not anything else. To be experts in everything that this agreement covers would require a brain the size of a planet. There wasn’t time to consult with any actual experts because of course the decisions were being taken at the last minute (see above).
On top of this, a lot of the points of agreement on "unimportant" issues will have been to carry on with the status quo. In that case the obvious thing for the back-room lawyers would be to cut and paste the law describing the status quo into the agreement.
Hence this section about Netscape Navigator and encryption, which seems to have been cut and pasted in this way at least once before.
Meantime the UK members of parliament get a couple of days to read 2,000 pages of legalese to decide whether they agree with it. Not that there is much point: this is Must Pass legislation, and because its a negotiated agreement you can’t amend anything.
So yes, parliament is now back in control, for a suitably small value of "control".
Re: This is what "taking back control" looks like.
"The whole Brexit saga started because some people felt it wasn’t right that the UK be subject to regulations passed by the EU"
No, realistically? Brexit started because a bunch of rich people didn’t want to get caught in the new anti-tax haven rules being enforced by the EU. They’d already laid the groundwork with idiotic propaganda in the Daily Fail, Express, etc. blaming the EU the things the UK government actually did, but the reason for Brexit is the rich not wanting to lose their sweet deals.
"These lawyers are of course experts in EU law, not anything else"
We were trying to negotiate based on EU law, so which other expertise were you after?
"So yes, parliament is now back in control, for a suitably small value of "control"."
The sad thing is that they’re always been in "control", the Tories just liked to blame the EU for the things they messed up. Now that they have lost that excuse, let’s see how they spin the issues (probably blaming the EU still)
The sad fact is that the UK is now in a worse position than they were before, with no real benefit other than the whole nebulous "sovereignty" thing, which doesn’t have the same currency as it did in the time the leavers imagine they want to return to. I hope something positive comes of this, but the amount that’s already been wasted and the rights that have been destroyed for UK citizens, not to mention the massive political split of the country, are unlikely to be worth it.