Law Enforcement and Retrogressive Pressures upon Technology

Yesterday ORG / Privacy International / Big Brother Watch / Julian Huppert held a meeting at the Houses of Parliament to, um, “celebrate” the release of the new draft communications bill.

I raised a question, perhaps clumsily, which Julian fielded as “advice”, and which was something along the lines of the following, which I’ll expand for print:

Enterprise-class Networking Technology – the sort of stuff rolled-out at, and interconnecting, ISPs – churns at quite a high rate; that which was new and exciting one moment is obsolete 18 months later. There is no single standard architecture for deployment and competitive advantage almost demands diversity, especially when nobody is on the same schedule for upgrading their systems. This is the whole “Moore’s Law” thing in action, and it’s a great driving force in delivering ever better service to the end user; and this is to say nothing of the software, the e-mail servers, the web caches and all the other performance-critical ISP equipment kicking around at what we call “Layer 7”, the above network equipment occupying Layers 2 through 4*

These technologies are the fuel lines which drive the business engine which is the modern web.

And now? CCDP proposes a spy-in-the-cab at every Internet Point-of-Presence, or something akin to that; all the above innovation will be legally required to “integrate” with Government-specified national-security-providing hardware, not vice-versa.

What I fear most is mandated technological foot-dragging – the forward progress of Network Service Providers and Internet Service Providers will be hampered by continually having to re-integrate the “legacy” requirements of CCDP’s interception and monitoring solutions. Network architects are going to have to bend their otherwise “best” designs to ensure that the “SpookBox v5000” in the locked cage in the corner of the data centre will get a copy of every piece of data – because of pedophiles and terrorists, you know.

In case I’ve been unclear: it’s a bit like people not being allowed to upgrade to the latest Electric – or perhaps Neutrino-powered – cars and vans, because the Government’s mandated GPS/tachometer can only cope with Petrol and Diesel. It’s going to be a drag on progress – a subtle one, but a drag nonetheless; the alternative is quite substantial cost and hardware churn as CCDP hardware is continually flexed and upgraded to cope – for which £180m per year is a slender budget.

This is all about the Government having to jump onto the bandwagon of Moore’s Law – to date they haven’t been so good at that. It’s going to be doubly hard to explain to the lawmakers when the above are all dismissed as “mere technical issues” – yes, not every minister needs to know a GBIC from a XENPAK from a SFP, but at some point the realpolitik will have to bend to meet hardware and the economics thereof.

The results will either be expensive (investment) or impose cost (degradation of service).

And finally, as evidence in support of the proposition that law enforcement will resist improvements to internet technology, I submit the following CNET article which is somewhat horrifiedly being discussed on the NANOG (North America Network Operators Group) list:

FBI, DEA warn IPv6 could shield criminals from police

The FBI, DEA, and Royal Canadian Mounted Police say IPv6 may erode their ability to trace Internet addresses — and warn new laws may be necessary if industry doesn’t do more.

U.S. and Canadian law enforcement agencies are warning that a historic switch to the next-generation Internet protocol called IPv6 may imperil investigations by making it more difficult to trace who’s using which electronic address.
FBI, Drug Enforcement Administration, and Royal Canadian Mounted Police officials have told industry representatives that IPv6 traceability is necessary to identify people suspected of crimes. The FBI has even suggested that a new law may be necessary if the private sector doesn’t do enough voluntarily.


It’s worth a read but in a nutshell the article can be summarised as: law enforcement wants IPv6 not to be rolled-out until such time as the use of every IPv6 address and port number can be adequately book-kept to assure that traffic can be tracked; but we in the industry are having enough problems rolling out this industry-saving technology already, thank you very much.

Also IPv6 will be challenging to log in any case, by virtue of its scale and designed-in elements of “pick your own IP address” if nothing else.

The brake disks will start warming up real soon** after CCDP passes.


Introducing the #CCDP-compliant “SpookBox 5000” for the implementation of the #SnoopersCharter

Here’s an interesting thought for all of us on CCDP-day:

It’s obvious to geeks that the equipment which performs CCDP-mandated logging will have to be:

  • a synthesis of hardware and software
  • reasonably standardised
  • reasonably secure (doubtless the Home Secretary will say “very secure”)
  • permit secret-but-authenticated access to the police, security services and council dog-catchers to query the databases

…re: the latter: you don’t want to tip off some suspects within an ISP by letting them see that they are the subject of an enquiry.*

So let’s call this hardware the SpookBox 5000.

It will need to be a certified system – ie: built to a secure specification, include special crypto hardware like tamper-resistant keystores, tested, and then put in a tamperproof box/rack so it can’t be faffed-about with – because it will be trusted by government agencies and they like to have that sort of thing.

Therefore the SpookBox 5000 – plus a “free market” handful of “competing” solutions, making perhaps three in total – will be built by a small number of (trustworthy) British vendors, certified, have a huge price tag attached in order to reflect their “secure” qualities, and then sold to each and every major ISP, one or more for each and every Point-Of-Presence they have.


Dozens of SpookBox 5000s (and service contracts) sold to a captive market who must have them, by law.

This is what is known in the IT hardware-manufacturing trade as a license to print money.

In the Network Service Provider trade it’s known as massive cost overheads and a barrier to market entry.

Solution: CCDP logfile collection should be to an open-standards specification with no mandated implementation, and the proposal should be bent to accomodate this.

Or the whole thing should be thrown out for being the illiberal behemoth that is is.

* presumably access to the CCDP logging system itself would not be recursively logged by CCDP, that would be silly/exponential.

Password Cracking in a Nutshell

In response to my posting last night, Tom Ptacek kindly sent a few lovely tweets:

…which – aside from being the most nuanced way of saying “oops” that I’ve ever encountered – was both kind and funny.

The one point that Tom picked up on to which I wanted to respond was: you [meant not] a bite size piece of database – by which I believe he’s referring to my paragraph:

To make this short: history disagrees; of your few million hashes pick off a bitesize piece and have fun. Whoever said you had to break all of them?

I’ve already responded via Twitter, actually I am happy with any approach towards password cracking; they all have value.

If you are resource-constrained then you can pick a huge dictionary and a just enough user ciphertexts to make it worthwhile; or a small dictionary and a greater number of user ciphertexts, or you can sweep the entire password database looking for someone who has chosen 123456 as their password.

All of these are valid methods, depending on your goals.

It’s like Samuel Johnson’s walking dog – the problem with password guessing is not that it can be done well, but that it can be done at all.

The solution to guessability – even via brute force – is to get users to choose unguessable passwords; for that see the latter half of my original post.

And those passwords that they choose must most certainly be defended with the best algorithms possible on the server side to help keep them economically unguessable, hence bcrypt() or PBKDF2 implemented by security-aware developers.

I am no longer convinced that it is possible to wean people away from the method of reusable passwords, and fear that to do so may in other ways be unwise.

When I wrote Crack I could make three password guesses per second; @BrianKrebs readers plz note #security #hashcat

I published the first modern password cracker in 1991; the first with dictionary generation, the first with networking, the first with a fast crypt() implementation and (eventually) the first with a vector-friendly (and network-authentication capable) pluggable API, although this was originally meant for bitslicing rather than GPU which eventually superseded real vector processors.[1]

But when I started back in 1990 all I could manage was a few calls to Bob Morris’s libc crypt() per second, per CPU; on a Sun 3/60 (of which I had three) I could do 3 or 4 guesses per second; also I had a couple of DEC 5830s which could do perhaps a dozen guesses per second apiece, but they were “user service” machines which meant they were meant to be doing “real work”. I later discovered a DECstation 5000/200 which I could use, and which gave me another 20 guesses per second.

All told by scrounging spare university hardware I could make fewer than perhaps 100 guesses per second at peoples’ passwords, and there were a few thousand students to monitor.

So instead of speed I attacked peoples’ habits – at 100 guesses per second a good weekend will give you 20 million guesses, and with a userbase of 7500 students you could thereby make 2500+ guesses at each student’s password; you’d certainly catch some of them so long as you structured your guesses wisely. So I did that, and the results were astonishingly successful. The release of Crack kicked up a storm with rates of sub-1000 guesses per second, way before the thousands, millions or billions of guesses per second that systems have been able to achieve since.

But then there’s this article, regarding which I will not criticise anything that Tom Ptacek says, because his head is largely screwed on properly regards what we need to do:

Ptacek: It’s similar to if you said, let’s take SHA-1 password, but instead of just using SHA-1, let’s run SHA-1 on itself thousands of times. So, we’ll take the output of SHA-1 and feed it back to SHA-1, and we’ll do that thousands and thousands of times, and you’ll only know if your password hash is right, when you look at the result of that 1,000th SHA-1 run. So, in order to make that password hash work, you have to run the algorithm 1,000 times for each guess. That’s roughly the tactic that the modern, secure password hashes take. These are algorithms that are designed so that you can’t arrive at the result without lots and lots of work. I mean, we’re talking about 100 milliseconds [one-tenth of a second] worth of work on modern hardware to get the results of a single password attempt.

I’m with you totally, Tom … right up until:

Let’s say we have a Web application that lost 10 million password hashes, but they’re bcrypted passwords. So, I think in that last dump we saw from the LinkedIn dump, about like three million of those passwords had been cracked. It was really quick and easy to see if your password had been in there. In this case, if we lost 10 million bcrypted passwords, instead of 3 million of them being published and compromised, you might be looking at tens or hundreds of user passwords being compromised. Because you could maybe effectively look for every password that was “password,” but you certainly couldn’t run a dictionary against every password there anymore.

To make this short: history disagrees; of your few million hashes pick off a bitesize piece and have fun. Whoever said you had to break all of them?

There’s a pendulum that swings from structured-guessing to brute-force, and I think we’re on the return path at the moment; the complementary solution to widespread adoption of bcrypt() and PBKDF2 is to fix the user password management problem.

For me that means:

  • adoption of long pseudorandom passwords; plucking a number out of the air I go around telling people to use 16-character random mixed-case alphanumerics with punctuation, which are clearly untenable for human use especially when you…

  • change your passwords on a schedule – once a quarter, once a year, whatever the schedule it’s in case someone has picked specifically your ciphertext to break and is throwing a few thousand bucks’ worth of AWS and Hashcat at it specifically – so you need to change before their likely time-to-break is exceeded; because this is all such a pain you will need to…

  • use a decent password management tool like 1Password, PasswordSafe, whatever, so you can stop whining about how long the passwords are and how hard it is to choose and change them because most of the work is done for you; and finally you need…

  • user education and motivation. But you knew that already didn’t you?

Hateful, isn’t it? But this is what needs to be done on the user end; and as Tom clearly says the baseline for what needs be done on the server end can be expressed as use bcrypt() or better – although I prefer to push that a little bit further in terms of user interface requirements.

Two factor? Yah, no argument Tom, I totally love it so long as implementors don’t have to call out to a trusted third party or other identity hierarchy to achieve it. You know – like SecurID, or voice synthesis.


UPDATE: Commentary continues at

[1] …while we’re at it I believe I wrote the first network vulnerability scanner too, but that’s when I was working for Sun and they wouldn’t publish it due to legal fears. Take heed everyone, open-source full-disclosure would have given the community a Nessus-like tool 3 or 4 years earlier and we’d all have been better off…

I found something rather interesting in the alleged #LinkedIn password hashes – salting? corruption?

There is definitely some data weirdness.

My old LinkedIn password plaintext is cud5dfyy – yes I know that publishing a plaintext is probably stupid but it’s short enough to bruteforce in Hashcat, has been changed, was only used for LinkedIn and is really really old, so I might as well save you the trouble.

If somehow I get hacked because of this, so be it; at least morally I am OK.

Anyway – following a comment by Chris Goggans on Facebook:

Most of the hashes are valid SHA1 but with the first six positions of the hash apparently overwritten with 000000, 000001, 000002, etc.

The SHA1 for “password” is 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8, but this does not appear in the file.

The string “000001e4c9b93f3f0682250b6cf8331b7ee68fd8” does.

Either 1) LinkedIn was trying to be clever and used a modified SHA1 routine which never actually saved the whole hash and does a crypt&compare of the hash from position 6 onward, or 2) The guy who put out the dump purposely screwed with it before releasing.

Now, there are still 2.9M hashes in the dump without the 00000. I haven’t done anything with those yet to see if they are real.

Chris is sound so I decided to run a little test:

+ grep b85868504e74bbcd6e58ab4f86d9d20b83 combo_not.txt
+ echo :::: found cud5dfyy

Yep, if you accept Goggans’ theory and if losing six chars (actually five) bytes of prefix are not enough to induce hash collisions, then my old LinkedIn password is in there twice.

Thus lashing-up a mini password cracker:

$ more
while read word
pattern=`echo "$word\c" | openssl sha1 | sed -e 's/^......//'`
grep $pattern $file && echo :::: found $word

…yields results:

$ ./ < /usr/share/dict/words 00000bca9701606b01b6245d587d26c31b63a433 :::: found aardvark 000006b960572398e02f82878e2dfeadb4518899 :::: found aardwolf 00000c1e41f74b4e4a5950a0dda602fda275e4a1 :::: found abacate 0000058b1c71d517644ff6a4ed5e5421b83c4fca :::: found abacinate 00000267f9f1e4469f8eb7bf45704218293412db :::: found abacus 00000604ba82485d494fbc5fd8365509f36ee259 :::: found abalone 0000059e3099495023c7f4c15223e146e3fb6fdd :::: found abandon 00000d0fec22d3282d0e70911e563402b8429cfc :::: found abandoned 00000906d39b74998716738fbb2b6fa3620079f2 :::: found abased 0000059e4c7fcba827f22a25fe506baa6d011737 :::: found abattoir 000006e2be4ada6c7ce5b76554311a3330855949 :::: found abbacy 000001e35b00e6675efeef5d813dbf1ce62300cd :::: found abbasi 0000021312a4ec34d96bce4eca98a879c684878a :::: found abbess [...]

...which lends a little weight to the theory that the file primarily contains hashes which some script kiddie could not crack with basic tools, and hence makes us wonder what he's done with all the ones which he did crack - and how much of the LinkedIn corpus that would represent?

What I think is wrong with #VRM – HT @nzn @glynmoody @windley @dsearls @adriana872

What I think is currently wrong with VRM, so much so that I’ve essentially dropped out of it – sad, since I was there almost since very early on.

Working backwards:

  1. The fundamental requirements for truly personal platforms are not yet with us. Controlling your data unfortunately means being in physical control of it, or at least of the keys which encrypt it. There are no if’s and’s or but’s about this, alas.
  2. Too many people think in terms of data being (say) owned by the supermarket they have bought stuff from; you have the fact of your purchases already, so the data is already also yours – it’s just terribly inconvenient to scan data in from your receipts, so yes it would be better to demand your purchase history from Tesco/Walmart but this may or may not yield fruit because they also own that data.
  3. VRM as a movement has from the outset been usurped by the “if only people would use our new identity technology then this would all be easy” evangelists. Identity is bogus anyway, but this is particularly egregious solution-in-search-of-a-probleming.
  4. VRM as a movement has from the outset been usurped by the “if only people would use my new startup’s technology then this would all be easy” evangelists. Sometimes this is identity-related, but other times this bleeds into Let’s get everyone to give us their search-histories so we can use magic toolbars to offer them value independent of the corporations! But it’s OKAY for us to be middlemen BECAUSE WE ARE THE GOOD GUYS!
  5. VRM as a movement has from the outset been usurped by the “if only people would give us all our data to keep it safe for them! They can trust us” evangelists; this is for when you don’t want to foist a technology upon the masses but instead want all the data, you find some way to be “ethical” about it and do a data grab anyway. See “it’s OKAY for us to be middlemen BECAUSE WE ARE THE GOOD GUYS” again.

I still believe that the only person who ever understood VRM fully was Adriana Lukas because she realised (in the face of my arguments to the contrary) that it was not about storing data passively but instead about people using, mashing-up and sharing data in ways that they already understand – and critically that the definition of “controlling” data is not a techie-geeky DRM/DLP-like one, but instead a new relationship-oriented means of control that is so simple that people rarely understand the power of it.

As I put it frequently at the time: if you break up with someone then there’s no way to expunge all the embarassing things that they know about you; instead the point is that they don’t find out any further embarassing things. The whip hand is over the ongoing relationship and the mutual ability to terminate it, rather than access to previously-shared digital data which can be cached.

This understanding is why I got into Mine development in the first place[1] and why I implemented it twice-over, and why I understand that what has to happen first is the addressing of point (1) – almost all the software technologies exist, none of them require invention, all we need is a good bidirectional communications infrastructure and wide adoption of the ability by some means to selectively and easily unicast data in a direct point-to-point way, to replicate in the truest sense a “relationship” in the digital domain.

What we don’t need is to rely on identity hierarchies, or FOAF, or I-cards, trusted third parties, legal fictions for non-profit do-gooding, or anything else of that sort.

[1] Watch the first video, and the second if you are a geek; they are worth it

The day that my Father gatecrashed the Pope: 5 June 1944

My childhood was filled with stories and the excellent thing about that was that they were all utterly bonkers and quite true:

  • My father’s losing his lower lip to a swinging tank-barrel and having it reconstructed with a graft from his bottom, so he was always talking out of his arse.
  • The man-eating lioness which he tracked and shot precisely and fatally in the anus, and which we had as a living-room floor rug and on the head of which I used to sit.
  • Floating Land Rovers across rivers by wrapping them in tarpaulins.
  • Sir Ahmadu Bello, the Sardauna of Sokoto, who so loved my Mother that he ordered two silver rings to be made, gave one to her, wore the other, and smashed the ringmould in front of her so no more could be made
  • He also offered to adopt my sisters – way before I was born – in the instance that anything should happen to Dad, though in the end he himself was brutally murdered in the 1966 Nigerian coup; Dad himself was on a number of death lists.
  • That Kissinger was dad’s lunch buddy at Harvard.
  • The shotgun-wielding nutcases who tried to usurp a Canadian campground.

…and so on and so forth; but one of the greatest stories is evidenced by the discovery below.

Not long after Dad died we were sorting out his things and found a heavy-grade envelope containing a rosary and two air-mail letters; for the youth of today the Post Office of the time enforced a kind of IPQoS where you could buy special prepaid lightweight paper, write a message, seal it as a letter and receive express delivery – and these were two of they.

I reproduce the letters below; for background you need to know that Dad was a rapidly promoted Captain in the 1st Battalion Loyal Regiment (North Lancashire) which having fought their way up through Anzio and Cassino led to the liberation of Rome.

Wikipedia will also tell you that US forces took Rome 4 June 1944 under US General Mark Clark – because the Loyals were attached to the US Army at that point; further reading will provide a hint of what my father thought about Mark Clark:

At the time, Truscott was shocked […] He went on to write “There has never been any doubt in my mind that had General Clark held loyally to General Alexander’s instructions, had he not changed the direction of my attack to the north-west on May 26, the strategic objectives of Anzio would have been accomplished in full. To be first in Rome was a poor compensation for this lost opportunity”.


Over the next day, the rearguards were gradually overwhelmed, and Rome was entered in the early hours of June 4 with Clark holding an impromptu press conference on the steps of the Town Hall on the Capitoline Hill that morning. He ensured the event was a strictly American affair by stationing military police at road junctions to refuse entry to the city by British military personnel.

Unfortunately for Clark he missed someone; Dad always had a thing for historical military uniforms and – as a child – always harboured a wish to see the Vatican Swiss Guard… and he’d just arrived in Rome.

What else do you do when you’re a victorious Captain but requisition some transport and go sight seeing?

So I’ll let Dad pick up the story of Monday June 5th 1944; I’ve done what I can with the transcription but can only apologise for his lack of use of questionmarks, and anything in [brackets] or ******ed is where I can’t read his writing. Note also the censorship-approval stamps:

Capt. D J Muffett
1Bn Loyal Rgt

8 June

My Dear Mother,

Well well things have [moved] haven’t they? I suppose you hear quite a lot these days from the air force. However we will hold off from the Second Front a bit and see how it goes and I’ll tell you instead of a remarkable experience that I have had.

On Monday I went into Rome to see the sights and have a look round. Unlike most Iti towns it is quite remarkable and reasonably clean (which is surprising) and doesn’t even smell (which is more surprising). Well I and another chap had a look at the Coliseum and the Temple of Vesta and the Forum and then wandered into the Palazza Venetza where some Jocks were

playing themselves in as the massed pipes and drums. We were standing around watching when a lady (about 38-40) came up and said “Excuse me but are you English” we said “yes” and she said “oh I am so pleased, ten years ago I married an Italian and have been here ever since. I used to live in Barons Court.” She took us round the place and showed us the Tiber Bridge, etc.

Well we left her and chuntered into St Peters. Now comes the joke. We wandered around a bit and looked at the ceilings (Michael Angelo) and the statue of St Peter. Then I said I want to see a Swiss Guard. So we wandered outside and had a look at one (in his utility Blue uniform and got a [smashing] Present as a pike!! Well he said “straight up those stairs sir” and shot us inside where there were a couple more. (This time in full dress) who

passed us up another flight of stairs, and a third lot shot us into a room where there were some very comfortable chairs so we sat down. Then a very charming Irish Priest came in and said “His Holiness will receive you in a few moments” – I could have dropped dead!! There were [four] of us in there (one was the [******]) so we went into a huddle and [worked] out the [******].

About ten minutes later there was a crashing all along the corridor and in he came surrounded by the noble guard (magnificent uniforms). He came to each of us in turn (the correct thing is to drop on one knee and and kiss St Peter’s ring on the 4th finger R hand.) It is an enormous stone fully 1/2 inch sq. and Blood red. (I was quite adept at this.

The narrative will now be continued in another letter which I will send off at the same time as this.

Captain D J Muffett
1st Bn Loyal Rgt

Well to continue. He spoke to each of us in perfect english and asked how we were, and had we heard from our families and were they well, were we married and had we been particularly [******fortable] and then we fell out after he had given the Papal blessing. Incidentally he gave each of us a rosary which I will send you as a memento by sea. It really was a memorable experience. What with the Coronation and that I do [clock] for State occasions don’t I.

Well I am sure that you will be glad to know that I am unscathed and sound in mind and limb. A certain [******] impression will indelibly remain but on the whole I have been very lucky.

The weather has been very good to us and is still boiling hot. I am [waking] up a [*****] tan and am unfalteringly healthy. [Well*****on] please send me some Dettol. A tin if you can get it rather than a bottle. My love to Barney I suppose he looks grand. Encourage him to bring you things and perhaps about Sept Pa could arrange for him to go to a keeper for a month or so to finish off his [training]. Perhaps Mr Morton will know someone.

My love to Arthur and Joan and Maurice. Is he in the second front yet and haven’t they landed yet. Whatever happens you must keep your chin up and keep [smiling]. I am quite sure we will both be OK and anyway why worry.

I hope that the weather soon turns

you up and that you get fit and able to go out.

My only worry so far is that I have smashed my watch up which is a pity. However I will soon get another out here.

Well I have exceeded my quota this week by quite a lot this week and the well is beginning to run dry. So TTFN

All my love


That’s not all there is to the story – there is more, I have it on tape somewhere; he was the senior officer amongst the (ISTR) three British who were presented – and he had to order a Scots presbyterian who was “agin’ all this papist nonsense” to behave; I think one of the less-legible references in there is about them scrubbing-up prior to meeting the Pope; and then there was the American newspaper photographer who mid-ceremony shouted:


…when the pontiff raised his hand in blessing, so that he could get the perfect shot for the cover of (again, ISTR) the New York Times; and the BBC correspondent whom Dad later ran into in Nigeria, who had also seen and heard it all. I think that was Hugh Greene but my sisters will doubtless correct me if I’m wrong.

For a taste, perhaps not of the exact occasion but one around that time, I found a papal speech on the interwebs; but also there’s the US propaganda video on YouTube:

…and yes, there are Jocks.

Basic forensics / Why it sucks to lack Google Streetmap in Switzerland / Panorama Spaghetti Trees

Okay, this is a whim, but:

Via my sister’s blog I found a video of the 1957 Panorama “Spaghetti Harvest”:

And I thought: let’s find out where that was shot.

The video references Switzerland and Lake Lugano, but of course that may be all fake; but an establishing shot clearly shows Pensione [Ri]storante Taddei – which is Googleable… and lo, we find a Italian-language construction (?) website detailing the company’s history which says:

Il 12.08.1911 convola a nozze con Armida, nata Rezzonico, con la quale avvia, sempre a Castagnola, parallelamente all’impresa edile, l’attività che li accompagnerà per tutta la loro vita di ristoratori ed albergatori. Insieme gestiscono l’Albergo Villa Elisa e dal 1921 il Ristorante Pension Taddei, quest’ultimo nella bella e storica casa che ospitò Carlo Cattaneo (oggi proprietà della Città di Lugano e sede della Fondazione omonima).

– my emphasis; Google Translate shows this as:

The 12.08.1911 wed with Armida, born Rezzonico, which starts with, always in Castagnola, alongside the construction company, the activities that will accompany them throughout their lives of restaurateurs and hoteliers. Together they run the Hotel Villa Elisa, and since 1921 the restaurant Pension Taddei, the latter in the beautiful and historic home that housed Carlo Cattaneo (now owned by the City of Lugano and the seat of the homonymous Foundation).

…a bit flakey, but you can pick up that the Taddei was in/near the house of one Carlo Cattaneoan Italian philosopher, writer and patriot – so now we have to find his house. Wikipedia continues:

he died in Castagnola, close to Lugano in the Swiss canton of Ticino, where he had spent the last twenty years of his life in exile

So that’s a safe bet, and the page for Castagnola confirms the general area – but then you hit up Google and realise that StreetMap by and large does not work because the Swiss mistake obfuscation for privacy.

So we have to try something else; a bit more googling yields:


Castagnola, Lugano’s romantic quarter, situated at the foot of Mount Bré, represents the most important and coveted resort in the Canton Ticino.
Castagnola offers an ideal environment where residents can relax and enjoy themselves in a highly cultured setting. Residents can visit Villa Favorita, Carlo Cattaneo’s house, now Lugano’s Historical Archive and Museum dedicated to Latvian poets, Janis Rainis and Aspazija, as well as the well-known S. Michele’s park. The lake promenade to Gandria, offers a stunning panoramic view, much loved by tourists and locals.

So the restaurant (or possibly one of Cattaneo’s other houses, if he had them) is now Villa Favorita. More googling reveals some pretty pictures one of which suggests that the original inference from the Taddei website was not quite right – translation error, perhaps – but in short the Villa Favorita is on the waterfront, but well behind it and uphill is a church (?) tower:

crop from website

…which I think matches the one in the YouTube capture, above; I’m not sure but this would make Panorama’s Pensione Ristorante Taddei the small tan-coloured building below, and to the left, somewhere near where this photo was taken:

It would be nice to have 360-degree sweepable footage of Castagnola to back this up and get a finer location. Possibly the orange building in the latter picture is the one.

Oh, and time expended: 52 minutes, including time to blog this informative blog article; I’ve had a giggle and if you didn’t before, you now know a little bit about how digital forensics works.

How the Snooper’s Charter materially threatens the UK Coalition Government #CCDP #LibDems #telldaveeverything

Jenny Woods defending civil liberties
at Liberal Democrat Conference in Gateshead,
11th March 2012. (4m07s)

…in which the Liberal Democrat party is introduced to CCDP and Government interception, and unanimously approves amendments with the intention of putting a complete stop to it.

On thursday Matthew D’Ancona published a piece in the London Evening Standard:

The Coalition must hold its nerve over digital surveillance

If the Government is to protect its citizens from those who wish them ill, it must extend access to web technology

Popular governments listen to reasoned debate and respond accordingly with measured amendments to their original proposals. Unpopular governments perform “yet another embarrassing U-turn”. Popular governments consult; unpopular governments capitulate. The context of the shift matters more than its content.


Bluster and inaccuracies aside (“It may surprise you to learn, for instance, that the proposals would create no new powers”[1]) what particularly got me was his headline:

The Coalition must hold its nerve over digital surveillance

…and I thought: what does he mean by that? Who has been briefing him? What subtext is he echoing?

It could simply be a fortitudinous call to arms – that the Government absolutely must do this, specifically and perhaps especially because hundred thousand person petitions have sprung up on the Internet and areas of cyberspace the size of Wales are now dedicated to CCDP and Interception news coverage – and basically that the voting public must be reigned in to acquiesce to sensible Westminster and Home Office demands, for their own good and for the sake of the children.

But there is another perspective:

Perhaps it is literally the Coalition that must hold its nerve – having declared CCDP to be be a joint project it must be seen through else disaster could befall the entire coalition Government?

The issue is that the Liberal Democrat Parliamentary Party are in (or are accessory to) power, whereas the grass-roots Liberal Democrat organisational party are not; however unlike any other major political party the LibDems grass roots are in charge; what motions are passed at the Liberal Democrat party conference become policy.

Where this gets embarrassing for Clegg and the Parliamentary Party is that when CCDP leaked last weekend the party machine came out spinning its response with choice quotes from LibDem junior Home Office minister[2] Lynne Featherstone:

The current proposals have one aim and one aim only: to maintain the capability of our law enforcement agencies to investigate and prosecute dangerous people. Where there is no business case for Communication Service Providers to gather this data, the government will provide financial and technical assistance to allow it to be collected on companies’ local systems.


At spring conference 2012, in Gateshead, the Liberal Democrats passed a conference motion calling for the following safeguards to put into place to protect peoples’ privacy:

[… details elided …]

We believe these safeguards to be in place already with the current proposal and will not support any legislative changes without these measures.

…and making that claim was the big mistake; because only days before, as Lynne notes, Liberal Democrat activist Jenny Woods stood on stage at the conference and flatly and specifically named CCDP as a threat to civil liberties, calling it a black-box white elephant with an eye-watering cost … and all of the Liberal Democrat civil-rights Twitterati knew about this speech because they were immensely proud of its having come from one of their own.

The amendments proposed were framed as putting a complete stop to CCDP and its kin, were voted upon and approved unanimously. They are now meant to be dogma.

The Coalition’s misreading of this situation – though perhaps better characterised as a betrayal of liberal principles at behest of political interest – led rapidly to some of the finest political comedy of recent years when a cadre of LibDem SpAds and spindoctors ran into a wall of infuriated and informed LibDem activists[3] who were weaponised with transcripts of Nick Clegg’s interviews and a firm belief that LibDem party leadership is subordinate to LibDem policy.

I apologise to Richard Morris for quoting at length, but this is just really too good not to share. My italics:

2. The call started badly. The general view of the SpAds seemed to be – as is so often the case – that we simply don’t understand. Position 1 was that the press reports are wrong, there are simply no agreed proposals to discuss. When it was pointed out that the Home Secretary had written a piece in The Sun that morning telling everyone how much the new powers were needed, this was abandoned.

3. Next we were told that there will be no new central database. As was again pointed out, this is disingenuous – with ISPs required to hold data for up to two years, there will be a multitude of non centralised data bases. It’s also a Red Herring – it’s any increase of powers in this area at all that we object to.

4. Next we were told Nick – 48 hours after the event – had been in the media that day telling people he was firmly against these plans. Despite the fact that we were all looking at the transcript from his World at One interview in which he most certainly did not say that at all. These being the plans we’d been told earlier didn’t actually exist.

5. There was a clear desire from the SpAds to persuade us that this was a messaging problem – lots of mea culpas and ‘with the benefit of hindsights’. Undoubtedly, there has been a messaging problem – Nick should have been on the airwaves first thing Sunday Morning saying ‘over my dead body‘. But the real problem is that the party really didn’t seem to get that its not how the message is conveyed that is the problem – we, as a party, do not want these powers extended. Full stop. That’s not messaging. It’s philosophy.

6. At one point one SpAd asked the ‘rhetorical question’ of the group ‘are you saying there’s no way in which we should be extending the current powers to cover other forms of technology’. He seemed genuinely non plussed when he got a chorus of ‘yes’ comments. Not so rhetorical after all…

7. Finally, no one on the call seemed to understand that the party is expecting the coalition agreement to deliver powers like these being reduced – actively. We would like legislation put forward in the Queens Speech, agreeing how this can be rolled back. We don’t want an ‘extension of the status quo’. We want action to reverse the status quo.

Perhaps this is payback for the NHS Bill debacle – that now the grassroots are squarely planted on their home turf of civil liberties they are not going to yield ground for their leadership to barter it away… and there’s the problem. Nick and friends have to keep their organisational party happy and that party does not want CCDP; but the Home Office – and by extension quite a few Tories, Ministers and Civil Servants – do want CCDP and will not brook opposition.

If the Home Office are denied the funding and toys that they have desired for so long – through three Prime Ministers and innumerable Home Secretaries – they will not be happy; less so if they perceive that this is due only to the “principles” of unwashed hordes of the Liberal Democrat membership.

The coalition might not bear the strain.

[1] Other than, for instance, to require communication service providers to log information that they currently do not bother with, just in case the Government wants it.
[2] Home Office. Funny, that.
[3] Useful index of relevant posts

Nice to see the #Police using #Twitter to crowdsource crimefighting amongst themselves; shame if it was #censored

So all those scare stories about Twitter being only for rioters? Now you have a response…