Ensure your digital front door is not wide open

When any entity is attacked online it is quite common for accusations to be levelled at criminal gangs (presumably on a break from people trafficking).

Of course high level attacks are very sophisticated and are occurring regularly (see this free monitoring service from Google) but from direct experience in the IP piracy management space often the matter is much more mundane.

Companies leave the digital front door wide open and it is fairly likely that at some point someone passing by in cyber space will have a go. TalkTalk may prove to be a case in point if it turns out that the root of the problem was a 15 year old living with Mum & Dad using some freeware on page 1 of Google. The red faces in the security team at Talk Talk will not repair the damage done if, when the case come to trial, it becomes clear how easy it was.

A Digital Audit is a basic requirement now for all companies that use the internet. An independent double check that all is reasonably in order is vital given the multiple standards and skill levels that exist in the digital and IT security industries. Given that a Digital Audit can be obtained for less than £250 cost is not a barrier.

Inevitably one size will not fit all in this space but a minimum level of protection is a requirement for all companies who use email and the internet and manage digital IP.

Talk Talk gets the Tyson treatment

As Mike Tyson once memorably pointed out "Everybody has a plan until they get hit. Then, like a rat, they stop in fear and freeze"

Common sense suggests that Talk Talk as one of the UK's major ISP's would have a good sense of the risks online poses. In fact, in a truth is stranger than fiction moment, Talk Talk Business offer security related services. which really does suggest all is not right with Talk Talk.

The news therefore that a 15 year old boy in Ireland was arrested for suspected offences under the Computer Misuse Act relating to Talk Talk and subsequently bailed until November is a mixed blessing for Dido Harding and her team of cyber security experts.

On one hand it is good news if the attack is now over as the news cycle will roll on and other matters will come to the forefront. On the other hand if this is the work of a 15 year old acting alone (and probably using easily available / free brute force type cyber weapons) it does suggest that the Talk Talk digital front door was not just unlocked but off its hinges.

In fairness when Richard Ledgett, Deputy Director of the NSA comments on the Today programme "If you are connected to the internet you are vulnerable" he does frame the problem in an honest way.

The online attack surface for Talk Talk is huge with multiple points of potential vulnerability. Given that information security is such a broad church with multiple standards (ISO, SANS, NIST, OWASP, Crest, IASME, Cyber Essentials etc) populated by a mix of ex law enforcement, IT people , self categorised "Black Ops" and others it is understandable that a busy CEO gets caught out by some of the flagrant rubbish that gets bandied about. My personal favourite is that all cyber crime is carried out by ruthless gangs of organised criminals. I am sure this exists - but perhaps mainly to add glamour to the job of dealing with it.

Realistically companies are going to need to allocate increased budgets to online security and try to ensure that those budgets are managed by people with a genuine understanding of the new ecosystem to avoid being made to look foolish (and losing 10% of their share price) by a teenager with a broadband connection and £250 laptop (and maybe a white cat ?).

Sky sails on - 133,000 new UK broadband customers in Q1

Very strong results from Sky for the first quarter which now includes the more pan european focus of Germany and Italy (in anticipation perhaps of the potential digital single market).

Much was made at the time of the loss of Champions League rights in both the UK and Italian markets but in response Sky added 134,000 customers in UK with, if I have read this right, 133,000 taking a broadband package and 43,000 taking a TV package. Churn levels might have been expected to jump but stayed on trend at about 10%. As they might say to BT "take that sports lover".

It does not look like Sky engaged in insane levels of marketing spend to achieve this but perhaps that is hidden somewhere in the numbers.

On the specific point of the Champions League rights Jeremy Darroch commented "We've pretty much sailed on as we did in the fourth quarter". He also offered a view that the broadband customer adds had come from other operators not new entrants although suggested we wait for other results to come out in the next few weeks.

This is fascinating and raises a number of questions

1. Does this suggest that the Champions League has no real value to Sky in terms of customer acquisition and retention ? - Yes it looks like it which is not great news for UEFA but does explain why Sky did not try to outbid BT.

2. If so is the reverse true and will BT add relatively few customers as a result. - This is more complicated and will depend on the strength of BT's overall proposition but the quarterly results are out on the 29th October. Broadband penetration in the UK is at about 80% of adults so overall growth is possible without a positive impact from the Champions League.

3. Is this clear evidence that Sky has now diversified its offering via broadband, NowTV, Sky Store etc so much that it is no longer reliant on Premium Sports rights ? To old hands (& potential flat earthers) in the industry this is almost heresy but is starting to look accurate. Therefore is the current rights inflation in the UK of Premier League rights purely a result of competition between BT and Sky ?

This goes some way to explaining the relaxed attitude at Sky to widespread 24/7/365 content leakage via piracy. Content exclusivity is not what is was and the view is perhaps that consumers of pirate content are not ever going to be subscribers.

An alternative view is that due to the high levels of live piracy that exist in sport "exclusive" rights deals no longer have the power to create or shift a subscriber base.

Either way Sky have altered their offering so much that exclusivity of premium content is no longer the main driver but one of many drivers.

BT appear to be taking a more old school approach based on exclusive content  - so very interesting set of results on the 29th.

Crimes Figures Double after cyber offences are included

New figures from the office of national statistics released today show 5.1 million fraud offences and 2.5 million crimes under the computer misuse act.

The figures in respect of the overall increase is misleading as cyber offences were not previously included but this does show the very widespread growth of cyber crime.

Rear view (mirror) - cybercrime statistics and cord nevers

'When faced with a totally new situation,' McLuhan famously says, 'we tend always to attach ourselves to the objects, to the flavor of the most recent past. We look at the present through a rear-view mirror. We march backwards into the future.'

The announcement today that UK cybercrime statistics to be released on Thursday will show a massive jump - making them the biggest single grouping - is coming straight through the windscreen. Definitions are always a challenge but if file sharing etc was included in this then it is no real surprise. The gap in understanding has been caused by the time it takes to collect the figures.

Similarly the emerging data on cord nevers and cord cutting in the TV industry in the US makes sense given the ease of viewing pirate material from most major distributors nothwithstanding the technology that has been thrown at it.

Hawking suggests that the impact of intelligent machines on inequality is largely about re-distribution

There is a lot of concern floating about that as intelligent machines take jobs in "process driven" sectors inequality will grow. Basically the owners of the machines will become wealthy beyond imagination and lots of people will have no job and therefore survive on state support or nothing in the doomsday scenario.

The slight flaw in that argument is that if nobody has any (disposable) income who will buy the goods and services offered by the machines but that is a question for another day.

On a Reddit Q&A session Stephen Hawking offered the following views on this question;

What is the risk of "technological unemployment" where machines take jobs?

The outcome will depend on how things are distributed. Everyone can enjoy a life of luxurious leisure if the machine-produced wealth is shared, or most people can end up miserably poor if the machine owners successfully lobby against wealth redistribution. So far, the trend seems to be toward the second option, with technology driving ever-increasing inequality.

It seems likely that in a democratic society the voters rational self interest would prevent lobbying by machine owners being successful (hints of that already in the FaceBook debate on corporation tax) but that does leave the non-democratic societies open and according to Wikipedia only 12.5% of the worlds population live in full democracies.

Cord Nevers steaming into pay tv - by 2025 50% adults under 32 will not pay for TV

Some new research from James McQuivey of Forrester  suggests that by 2025 50% of adults under the age of 32 will not pay for TV.

He identifies a new group of cord-nevers who are in fact a larger group that cord cutters. On the face of it if armed with a high speed connection and some technical knowledge there is no need to subscribe to pay TV why would you ? This chimes with KLipcorp's less formal research which showed that 57% of people think that there is no need to subscribe to pay TV for sport due to the availability of pirate content.

The bloodbath in US Media stocks recently reflects a bundle of concerns regarding the shift to digital but possibly at its heart is the dawning realisation that control over distribution has been allowed to slip away. Anyone who has seen the fantastic new movie The Martian will agree that anything is possible given sufficient creativity and determination but the traditional distributors of media need to pretty quickly get a grip over distribution to avoid becoming candidates for the Darwin Awards.

A potential first step would be an independent Digital Audit to really identify the scale of current leakage and the adoption of a prioritised approach to fill the gaps.

The sector has a great fondness for machines that go ping but as in The Martian the thing that really saved Matt Damon at a key moment was a roll of gaffer tape.

Kim DotCom facing his Waterloo

Kim DotCom like Edward Snowden has his supporters and detractors. Some see both as battling a flawed system but what they have in common is that in all likelihood both have broken US law.

The law is often an ass and it is said that unjust laws cannot stand - but tell that to someone lounging around in Guantanamo Bay in an orange jumpsuit waiting for the snap of the rubber gloves.

Either way it looks like Mr DotCom is unlikely to escape the clutches of the US Legal system. He had been attempting to argue that since he had no funds left he was unable to afford to have any experts represent him in an extradition hearing. Therefore any hearing would be unfair.

The North Shore district court was not having any of this and the argument was made that since MegaUpload had been paying people to upload illegal material this was a straightforward matter where experts were not required.

The matter will rumble on and it looks likely that Mr DotCom will face the US Justice system in a very high profile case that is probably far from clear cut.

Understanding Digital vulnerabilities

The digital age has swept up so quickly that necessary adjustments to processes and behaviour are lagging. The legal system and regulation has struggled to maintain relevance and behaviour that would never be accepted in the physical world is accepted at the moment in the digital space with a shrug of the shoulders.

For many individuals and businesses there is a need for a Digital Audit which in a simple and low cost way helps them to quickly understand key vulnerabilities and issues.

From a customer point of view the machine or process that goes "ping" is only helpful if it helps them identify or solve a problem in a cost effective way. All the hackers out there have access to very powerful freeware and in order to avoid leaving your digital front door open and inviting them in to party (and maybe turn your data into bitcoin) it is necessary to carry out a digital audit.

Data and intellectual property are increasingly the key assets of small to medium businesses and this needs protection.

Anti-piracy group BREIN wins key battle in the protection of digital IP rights - pirates personal & banking details to be disclosed by infrastructure operators

One of the challenges facing groups attempting to protect their IP rights in a proportionate way is that when a pirate website is taken down, domains are cancelled or similar the individuals involved simply set themselves up again.

Up to this point the providers of web based infrastructure such as Google, Akamai, PayPal etc would not reveal the details of the operators even if services were cancelled. Some operators promote "absolute privacy" as a benefit of their services. Therefore the work done to close the operations down can appear to have little real impact unless the individuals concerned stop carrying out pirate activities for other reasons.

In fairness with the Snowden revelations there is no doubt that the protection of privacy is crucial and that data should only be provided in an approved and transparent way. However a balance needs to be identified between allowing companies and individuals to protect their property and the rights of individuals who are abusing that property to protect their anonimity behind a veil of privacy.

In the snappily titled C / 09/492 901 / KG ZA 15-1085  the case concerned the unlawful sale of a large number of pirate e-books via Google Play. Google agreed to remove the relevant app but would not reveal the identity of the people running the operation on the grounds of privacy.

Clearly the Court viewed this as  jejeune (naive,simplistic and superficial) and gave it both barrels as  outlined below (translated by Google translate) 

The judge commands Google to within 3 weeks of this judgment to the counsel of BREIN in favor of BREIN, the following information, to the extent that Google becomes available, provide with respect to the holder (s) of the Google Play Books Partner Center Publisher Account (s) from which books were uploaded under the Google Play Books URL (s) that BREIN has logged in its request removal of May 19, 2015 (Google zaaknr 76,488,000,007,259.), as described in the body of the indictment:

With regard to the Publisher Account:
a. subscriber information;
b. the IP address of the computer that the Publisher Account is created;
c. billing information, ie, mailing address and bank account number, bank name and name of the bank account;

In the case of the Google account that was used to create the Publisher Account:
d. the date and time the Google Account has been created;
e. the IP address of the computer that the Google Account has been created;
f. IP addresses of the computers that the user has logged into the Google Account;
g. The secondary email address and the specified first and last name specified for the Google Account;

this under the condition that the person concerned has not within 14 days of the date of this judgment to Google objection raised with the aim to prevent the provision of this information to BREIN;
2.5.
explains the order given under 5.1 enforceable, but only insofar as it relates to the provision of data relating to addresses, bank accounts and IP addresses within the European Union;

3.5.
hold any further decisions, pro forma until Saturday, December 12th 23:00 h to give and another version, which date will be the first party to the court in writing or a follow-session agenda must be desnodig forthwith with all relevant prevented from attending, or whether the case can be dismissed or canceled in writing.

This is a key step forward in helping rights holders to protect their IP in the digital age.

Periscope and Meercat not material in the piracy debate

Much has been reported about the risks of individuals using Periscope and Meercat as platforms for pirate activity and the mass audiences it may attract.

Perhaps unfairly this really does bring to mind Benny Hills antics at the end of his great TV shows (go on listen to that theme here one more time) where he has no real idea what is going on.

Perhaps at some point in the future this might be an issue but right now any analysis of the piracy landscape shows 24/7/365 live streaming being carried out with some enthusiasm by the pirate community with the DMCA technology based solutions forming a latter day Maginot line with similar effectiveness levels.

Why would you bother with Periscope and Meercat when an App like the one below delivers fully produced pictures live and free ?

No easy solutions here but Periscope and Meercat are a red herring (it was worth it) in the piracy debate.

Key points in the Digital Age & time for a Digital Audit

The digital age is considered to have started sometime shortly after 1945 (a subject really well covered in the excellent book Turings Cathedral)

However the pace of change did not "go large" until the internet came along in 1990's and started to disrupt some industries, such as TV & video based media, which had not themselves been around a long time.

Looking back the era of linear pay tv delivered by satellite to the home may be viewed with the soft nostalgia reserved for steam travel and valve amplifiers.

Recent data showing that this year, 181 million people in the US will watch video via an app or website that provides streaming content over the internet and bypasses traditional distribution (eMarketer) starts to show the pace of change.

For some the digital revolution has caught them somewhat off guard (Blockbuster for example) others have literally taken over the world - Google.

If OTT growth continues at this pace and is linked to cord cutting then many of the accepted truths about the media industry are about to get a solid going over. Maintaining control in the wild west of the internet is a very different proposition to the command and control approach adopted in pay tv.

Perhaps time for a Digital Audit to assess the risks and liabilities that are appearing over the horizon ? This is starting to look like the attempts by the phone companies  in the 90's to protect call revenues even after it was clear that the game was up.

Balanced approach to Cyber Risk

They say that it is a recession when your neighbour get fired and a depression when you get fired. Similarly IP protection tends to be front of mind when an issue emerges for an individual or company.

This excellent article from Chris Blackhurst in the Evening Standard illustrates the problem very well.

For a variety of reasons such as resourcing issues in the Police and corporate entities not wanting to end up with liability in an area they don't really grasp as yet  (and therefore not engaging with the problem) there is a perception that cyber crime is much more difficult to resolve than others.

At the corporate level standards such as ISO 27001 have emerged which contains guidance such as;

"Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organisation's exposure to such vulnerabilities evaluated and appropriate measures taken to address the associated risk".

For a medium to large corporate with dedicated IT function this may be helpful but for an SME this guidance probably seems very circular in nature unless there is a pretty high degree of knowledge of the risks to start with.

Reactions to cyber risk from TV companies to one man bands vary from denial to dusting off the typewriter and carrier pigeon and banning the internet and mobile devices. Budgets are possibly squeezed from the legal and IT budgets to deal with an issue that simply did not really exist 10 years ago.

Neither denial nor dashing off to a log cabin makes a lot of sense when cyber risk can be reduced by taking pre-emptive action to ensure that the very obvious vulnerabilities have been addressed. The equivalent of leaving the car keys in the ignition with the doors unlocked.

To discuss this further please contact us at KLipcorp IP.