Data Protection for Persons of Interest to State Intelligence Agencies: A Window into Technology
[Image: the core of technology, or a window into it.]
Published: 2022-12-04
Update 2022-12-05: Corrections due to wonderful feedback are applied. The Culture section is now complete.
Update 2022-12-06: The technical discussion in the fora of the Craig Murray site has been converted to “private”, which means it is no longer publicly available. The two comments made there and the initial “gratuitous advice” are now added as a three-part Annex to this article.
Dear Reader,
I must apologize for this publication at the outset. It is esoteric. I hope some of you find it of interest.
This newsletter predominantly addresses geopolitics, or geoeconomics. Occasionally, it addresses elements of science (e.g. the recent two articles on the history of astronomy), or technology and its interaction with society.
This article addresses the latter. The other 5 000 odd words by your author are not transcribed in the body of this article but have been added in the Annex. This is all original work. Thus, the sources section is rather bereft.
Introduction
I hope that most readers are familiar with Craig Murray, a former UK Ambassador, an author, the first whistleblower on the CIA "rendition" program, a close associate though not a member of Wikileaks, and such a good friend of Julian and Stella Assange that he was invited to their wedding. Mr. Murray is currently touring Europe predominantly via railway to deliver a collection of speeches which raise awareness of the horrid duplicity of "the west" in its persecution of Mr. Assange and other members of his publishing platform Wikileaks.
Mr. Murray has been so kind as to write a travelogue of his journey. In recent weeks I have become rather depressed by the stupidity of Europe's vassal leaders and the idiocy of the continuing war in Ukraine. I have taken to reading reports of daily life. Reports by Gilbert Doctorow of his return to his beloved St. Petersburg are one example. Craig's travelogue is another.
At the beginning of Craig's journey he described the lamentable situation in which he found himself. Somebody had stolen his aging laptop on the train in which he was traveling whilst he made use of the train's toilet. Despite the inconvenience of not having his computing equipment he also needed to withstand the "I really don't need this now" challenge of controlling potential identity theft.
Identity Theft
If you are as unimportant as I am, then jumping to the conclusion that you are the target of direct surveillance and direct human interaction to surveil or compromise your identity is a shade of paranoia. However, if you are Mr. Murray, this is not paranoia. State funded intelligence agencies are tasked with "maintaining tabs" on dissidents and others who threaten the "status quo". Apart from being a close associate of Wikileaks and a friend of the Assanges, Mr. Murray is also a staunch advocate for the independence of Scotland from rule by Westminster. He is an intelligent political dissident whom Scotland decided to jail for quite some months because of his exposé that the trial of Alex Salmond was a political witch hunt. This exposed political corruption in the Scottish parliament and this, of course, is why he was prosecuted and jailed.
While on his harried rail tour of Europe he notices a strange connection to his mobile phone operating as a wireless hotspot and some time later takes his leave to the bathroom. On return he finds his aged, battered laptop stolen and the cash not too far from it untouched. Recall that the "name of the game" as we have learnt since the 2013 Snowden revelations is the drawing of social graphs. An individual is interesting. Their social connections are of extreme interest to intelligence services. The signs of this theft all point to this motivation. Mr. Murray has not claimed this likely motivation, but we can all see it.
[Update: the police to which Mr. Murray spoke advised him that petty theft on trains has become common. A friend of mine has fallen asleep on a train twice recently and had his mobile phone stolen. Thus, my inference that the theft is by some government operative should be considered as a possibility rather than a probability.]
Data Protection
Of significant annoyance is being offered advice which could have assisted in preventing a disaster after the disaster has occurred. Damn these "know it alls"!!!!! Your author is one of these painful individuals.
To set the scene we need to rewind a decade.
Jacob Appelbaum, also a friend of Julian Assange, traveled to the HOPE conference in the USA to represent Assange in his stead. He had already been digitally man-handled by border authorities as he was traveling in and out of his native USA. He finally developed a strategy to rid himself of this constant annoyance.
Back then in around 2010 personal computers were able to find an operating system or "boot" from not only inbuilt hard disks but also external storage. The external storage would likely be a USB "stick". Armed with this capability, before traveling Mr. Appelbaum would copy his data, encrypted, to a network storage provider. He would then travel with a laptop, probably two copies of his chosen operating system (Debian), and an encrypted copy of the key to decrypt his data stored in the network storage location. Upon being digitally roughed up by whoever chose to do this he could hand over all of it. He was essentially saying "no amount of physical force can solve a maths problem". The laptop had no storage. Pushing the power button just issued beeps. The USB sticks contained publicly available operating system code, or were tiny and encrypted. This placed the "border guards" in an intellectual quandary. All of their attempts at intrusive surveillance were defeated.
I note that Mr. Appelbaum came under examination for sexual allegations. The story is complex. One of the best analysts on the side of Jacob is Suzie Dawson (Suzie3D). Jacob's accusers remain hidden behind pseudonyms. This is not to invalidate their claims. The story is complex and I shall not delve further into it.
To return to ex-Ambassador Craig Murray, he was assaulted with potential identity theft. Those who read and comment upon his excellent newsletter were aghast. We understood what was going down. Many a comment of support was registered. Advice as to how this could have been avoided was offered. I was with the former rather than the latter until the second article in the travelogue at which point I came forward offering my technical advice.
Moderators
We now return to a topic covered not so long ago, that of moderators. My recent comment was that independent media are taking care of their own publications by employing or utilizing time offered by volunteers to guard their publications against compromise or rubbish instigated by people with crazy (or racist etc.) views, or by persons from the intelligence apparatus who impersonate the same crazies under the anonymity which the Internet and established technologies provide.
As for my technical advice to Mr. Murray, one of the moderators at his site calmly and helpfully informed me on two occasions. The first concerned not the technical note about data/identity theft but an offering of some sub-editing on the second travelogue article. The second concerned the technical response. In both cases the helpful moderator advised where these "out of topic" type comments could be usefully registered in their fora.
System Design
Ignoring the sub-editing and focusing on the technical advice for data protection, I composed an extension of the advice. I took to one of my "former" skills, system design. Mr. Murray is a target of surveillance. He needs to use good data protection practice. I moved from technical advice to considering the problem and expressing it in human terms.
The motivation for the apology which begins this publication is that most people are not interested in how it is that technology upon which we depend is developed. I consider this a gross error, but that is probably because I have more experience in this field than most. What follows is an "as it happened" documentation of my approach to thinking about Craig's problem, or to broaden it, information technology problems faced by those who are of interest to state funded security organisations.
I come to this challenge with some credentials. I have taught University level courses on software design and have been writing software for over 30 years. This does not mean I am a good software engineer or a good system designer. It does mean that I have thought about these challenges for at least two decades.
After the gratuitous though well-meaning offering of advice, I moved to considering the person and their challenge. I wrote down how I saw their challenge and what a solution to it would look like from a system perspective. This is what is known in the software development process as a Requirements Specification. What should this system do? This must be written in the language of a person who will use it, not in the techno-speak of a software developer. This is a subtle but extremely important distinction.
I was going to publish this at the forum site suggested by the moderator. But, it’s northern winter. The nights are long and I felt a little cheap in just flinging this humanized advice at the wall. I needed to "put my money where my mouth is".
I needed to consider the design of such a system. This was indulgent. There are many persons who know more about this than I. However, I am in a fairly small group who know more about this than the vast majority of the human population. And the nights are long, so why not?
The polemic on the system design [link broken due to actions by the Moderators at Craig Murray’s site, see the Annex instead] turned out to be a little under 3 000 words. It is far from complete. It is a high level system design and skirts around many of the details which need be addressed in an implementation. I do attempt to describe trade-offs and other challenges which need to be addressed by an implementation.
Interestingly, the design is arse-backwards, putting the cart before the horse. Even as someone who is familiar with software/system design, and having recast my advice into a "user perspective", I begin the design thinking I understand the problem. As I found, I did not.
The final stage of the design is a consideration of the system's use by the person using it. I repeat this is the final stage. It should have been the first. At least I got to it in the end. The design proposes a user interface, describes the core components, and identifies the challenges which I could see any implementer requiring to face.
Should you be interested in any of this esoteric process, I offer the three parts of the gratuitous advice, the requirements specification and the system design. [See the Annex below. Two of these links are broken due to actions by the Craig Murray site administrators/moderators.] Added to that are the comments by the moderator at Craig Murray's site which can be found below the gratuitous advice.
Conclusions
One of the truisms of software development is that most major successful software projects actually begin as a cobbled together demo version to be displayed to a customer or to fill an emerging empty market segment. Thus, the technology that you are using is not some pristine beautiful thing, but an evolution of a prototype often rushed into existence. This is not only true of software, but technology in general.
This is neither good nor bad. It just is. The scrabble for an operational prototype often involves beautiful leaps of understanding. It can also employ terrible ideas. A classic example of the latter is the 3rd-party trust model which we are still forced to use in the Certificate Authority paradigm of which Internet sites your browser chooses to "trust".
Another piece of cultural truth can be seen in my thinking about the "system". Yes, we strive to do our best. We are also limited. We need a wider conversation. It is the community of interest which is most important, not a single voice.
I attempt to echo this in my sign-off from the design. Please criticize!!! Here I am echoing that recently stated by James Corbett:
embrace epistemological humility
Afterword
There is a piece of perhaps too subtle humor hidden at the end of the graphic which headlines this article: while True <break> <comment> no-op. For those who have not written programs, or for those who have not branched into event based programs this may be difficult to understand. The forever loop (while True) says do whatever is below forever. The below is no-op (no operation), i.e. do nothing forever.
The software’s job is to respond to changes in events, either by a timeout trigger or by a change in the physical or network environment for the computer on which it runs. This is analogous to a low intelligence organic system. It responds programmatically to changes in input stimulus. The difference here is that these routines to monitor changes are registered on purpose. We expect changes and place our observers to notice them so that we can react.
We are not “forever doing nothing” but have placed observers to watch expected changes. We are ready to respond to these changes. We are forever watching and ready to act.
Annex
Data Protection: Initial “advice” with the response by the Moderator and the reply with an additional response
How to Travel with Computing Equipment and Data
The computing equipment (CE) amounts to the hardware and the operating system. The data is your “home directory” or equivalent. The aim is that loss of hardware is not also a loss of data. Thus one is less worried about identity theft or loss of one’s data and need only be concerned with replacing hardware.
One must separate the CE from the data. The CE amounts to the laptop and 2 USB sticks which contain an operating system from which one boots. The second is merely a backup of the operating system. The hardware is just hardware. The operating system is a choice, and being required to download it again is avoided by the copy version on the second USB stick.
The data, your “home directory” goes on another USB stick. Again, you need two, one primary and one for backup. One keeps two little bags. In one bag, one has the “to be used” OS and Data USB sticks, and potentially a cable to connect the mobile phone to the computer as a SECURE hotspot. This is used during the day. Each night, or at some regular interval, one performs a backup of the Data from one USB stick to the other. When traveling the backup OS and backup Data go in their little baggy in your luggage. This solution works well for people working with documents. If you are dealing in high density media like video, go talk to Laura Poitras. What I mean is that USB sticks don’t cut it. You need far higher density storage, which is specialist hardware (solid state disks).
To add another layer of security, the Data is backed up to a cloud storage service every so often (once a week?). A good example of this storage service is Mega offered by Kim DotCom. There are others. The “advantage” of Mega is that it encrypts/decrypts on the fly. Better is that you do this yourself, only uploading encrypted data. Thus, the storage provider is irrelevant. However, one must then keep three additional records of the public/private keypair (well, only the private, then we get technical). Two of these are just a duplicate digital copy (again, USB sticks). The third is a printed copy — non-digital — as a fallback, which should be given to a trusted individual for storage. For without the key you are in the same position as having no backup when your laptop is stolen. The encrypt-locally strategy involves doing just that, encrypting, which requires additional storage and time, making the whole process more likely to fail. Thus, the advantage of services like Mega. Choose what will work for you.
I presume that you are using a GNU/Linux operating system. Linux people tend to be very helpful(*). Find a local user group to obtain assistance.
The above design will also work with non-GNU/Linux systems, though will be more difficult.
(*) This advice is an example of the helpfulness of GNU/Linux users.
PS: I do understand that being given advice to avert a disaster after it has occurred is painful medicine. Sorry about that.
PPS: I omitted one point, one takes the “active” Data USB stick with one to the bathroom.
—
[ Mod: Again, thanks for your helpfulness, YesXorNo. Many other commenters were happy to offer their advice (of varying quality) on the previous thread Electronic Grief. Such suggestions may prove useful for other readers – though some may want to offer contrary opinions on certain technical aspects, and this isn’t the place to discuss those matters. You’re welcome to raise them in the Blog Support Forum; or, if they relate specifically to political topics, in the Discussion Forum.
Craig is very well connected to Wikileaks and has immediate access to some of the world’s leading experts in data security and surveillance evasion. He also has a tech team well trained in data protection working behind the scenes. Obviously the methods can’t be shared publicly, but you’re welcome to discuss these and other security issues in the forums. ]
[I replied and the moderator commented:]
Hi Mod,
Thank you again for your polite and helpful comment.
You note below that Craig has access to in-house expertise in data security and that he has failed to avail himself of said expertise. I hope that this recent horrible event will provide him with motivation to do so.
I recall hearing Jacob Appelbaum’s trouble with international travel wherein he would have his electronic equipment searched. His solution was where I draw my advice from. He would use a network storage platform and travel with only hardware and an operating system and then download the data once he reached his destination. This is over a decade ago. I mention this as it offers a similar story; a person in whom intelligence services had special interest.
—
[ Mod: To reiterate the main point – Craig can receive advice directly from his senior associates at Wikileaks (who are renowned experts in data security and the evasion of surveillance), not to mention former NSA and CIA operatives in VIPS such as Bill Binney and Ray McGovern. It’s not obvious why he would need to garner security tips from the blog team, commenters, or anyone else. ]
The “Requirements Specification” posted at the Craig Murray fora
Thanks again to the Moderator who informed me that this is the better location to discuss the data protection advice which I offered in part 2 of the Trains, Planes and Automobiles travelogue.
For those interested the comment/advice is at
https://www.craigmurray.org.uk/archives/2022/12/trains-mostly-planes-and-automobiles-part-2/comment-page-1/#comment-1030320
The Mod also informs me (us) that Mr. Murray has access to expertise both in-house and via his connections with Wikileaks. I assume that given the current crisis his support team are doing their best to address the current challenges. Below I offer gratuitous, though well-meaning advice to the support team, and by way of extension to others.
What Mr. Murray or any "person of interest" to state intelligence institutions needs is infrastructure and tooling. I shall assume that a variant of the advice I offered is available to Mr. Murray, i.e. a network storage platform and some form of encryption either locally or "on the fly" via the storage system, and local storage and operating system devices (e.g. USB sticks).
The first thing Mr. Murray needs are the two little baggies. The "daily use" bag needs to a) fit into a jacket pocket, b) be stylish, and c) contain a mobile phone, the USB cable, and the Data storage (USB stick) such that the mobile phone surface is not damaged. The last issue is solved by a protective jacket in which lives the mobile phone. It must be easy to disconnect the phone and cable, and the USB stick (or whatever the storage device is) and set them in this stylish bag. Equivalently it must be easy to extract the components and add them to the computer. This is where the tooling comes in. I presume that his support team have some expertise in programming, and are familiar with software development paradigms. What we have above is the beginnings of a Requirements Specification.
The solution to the data security challenge must be very easy to use. Thus the tooling. The bag has a set of requirements. The operating system needs to be augmented to support Mr. Murray's workflow. Obviously various software like secure browsers, document editing software etc. are required. Additionally, custom tooling is needed for a) the update of the current daily storage to the backup storage, b) the backup to the cloud storage, c) ease of use for integrating the daily data storage and mobile phone as a network provider with the operating system. It must be easy for Mr. Murray to:
1. Set up his work environment: laptop, phone, data storage, operating system.
2. Remove phone and storage when he leaves his work environment (e.g. bathroom trips or whatever)
3. Re-connect his phone (network) and storage upon return
4. Backup daily storage locally
5. Backup daily storage to network storage
6. Close down and secure his work environment and the backup.
Thus, a collection of physical objects (laptop, bag, USB sticks, USB cable or equivalent from mobile to computer), and a collection of software tools are required to facilitate the above.
The all important training is required to demonstrate the ease of use of the system. And the software tooling needs to be taken care of using some software management system (e.g git) and *documented*.
In the true style of software development the system to be developed for Mr. Murray should be seen as a prototype which hopefully can grow to support other "persons of interest". Thus, having an agreed requirements specification one should make the minimal set of assumptions possible: we have access to USB ports (3), we have a GNU/Linux operating system with core tooling like bash and python. The ease of use components are both documentation and a graphical display, thus we need a graphical display engine (e.g. via python or whatever). The system needs to automate everything possible and provide graphical feedback for its actions.
When it is unclear how to solve an automated process, the system should ask for user input. E.g. you've tried to temporarily mount all available storage devices and cannot find a home directory. Thus you state and ask "No home directory can be found. Has the Data storage been connected?". Similarly, the networking subsystem should assess availability on being able to ping a remote location and being able to use DNS. If one can do both the network indicators are green, else one or both are red and appropriate information is provided asking "Has the mobile network been connected?" It seems to me that the system needs to run an event loop of polling for a home directory and network availability. Have a home directory? Ok, do nothing. Else, search for one. Same with network. Displaying a pop-up for "can't find a home directory" should not stop the event loop, it should just keep hunting based on its event loop timeout. If it finds a home directory, the pop-up should be removed and the status indicator changed to "green".
You get the idea.
I was going to say "good luck". But, the old saying goes "put your money where your mouth is". So, I have considered this system and come up with a basic design for it. This will be issued as a follow up comment.
Please feel free to call me an idiot or point out where either the requirements specification above or the resulting design are stupid, inadequate or poorly considered. Let's consider this as a work in progress.
Again, thank you to the Moderator(s). I hope that this comment and the following design pique your interest.
The High Level Design
Designing a Data Protection System, or How to Help Mr. Murray
The full "system" contains physical components, a computer (i.e laptop), two copies of an operating system, two copies of a "home directory" (called Home hereafter), two cables which will connect a mobile phone as a source of network, the mobile phone and the all important remote network storage location (NetHome).
This design is for the "tooling" part. Its job is to indicate to the user via a graphical interface if the Home can be seen and whether the two core network services (ping and DNS) are operational or not. The system will also facilitate the backup of the "daily" Home to its backup, and uploading the differences in the Home to NetHome.
Ease of use is a primary design goal. We use the analogy of a car for our system. The indicators for Home mounted and the two networking components take on the equivalent of a car's driver display: Home is fuel, ping is oil and DNS is brake fluid.
The system (hereafter DP) is to work with the operating system's automounter to provide the external storage as a home directory, and to poll a collection of external IP addresses and resolve a collection of Internet hostnames. The status of these systems is coloured in the graphical display using the familiar traffic light analogy. Orange/Amber means that the system is starting up. Red means the resource is unavailable, with Green meaning available.
DP uses a logging system of rolling logs keeping the most recent four (configurable) sessions. All log messages are prefixed with a date/time stamp (including timezone) to the nearest preceding second, and the hostname. Each session's initial message also includes the computer's unique identifier (i.e. UUID) and type of GNU/Linux operating system. There are two locations for storing the log. One is in the Home, the other is under a system log which is writable by the relevant user account.
Additional to ease of use is the minimal use of privileges. Hopefully DP will not need super-user privileges. If it does, these are to be carefully isolated and will require user interaction.
From this we see two "objects": the GUI and the Log.
DP is a user service. It should be started upon a user logging in to the computer and assume the privileges of that user. Upon startup it asks the OS for datetime, hostname, UUID and GNU/Linux family variant. This is recorded in the Log as the first message for the session. Process shutdown due to user logout or system power-off is registered such that the Log is flushed to storage.
DP's configuration file is loaded. This is a third object. The configuration file contains a SHA-3 hash of how it looks in memory (without the hash) when loaded. This is used to detect changes in the config file. A change generates an Alert (see below).
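As an added example (not code from this article or from any project), the config integrity check described above in Python. It assumes a JSON config file whose "hash" field holds the SHA3-256 digest of a canonical serialisation of the other fields; the file format, the field name and the sample settings are my own choices, not the design's.

```python
"""Config loading with an embedded SHA-3 integrity hash (added example)."""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple


def canonical_digest(config: dict) -> str:
    """SHA3-256 over the config as it looks in memory, without the hash field.

    Sorted keys and fixed separators give one canonical byte string, so
    whitespace or key-order changes in the file do not alter the digest.
    """
    body = {k: v for k, v in config.items() if k != "hash"}
    encoded = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha3_256(encoded).hexdigest()


def seal_config(config: dict) -> dict:
    """Return a copy of the config with its hash field filled in."""
    sealed = dict(config)
    sealed["hash"] = canonical_digest(config)
    return sealed


def load_config(path: Path) -> Tuple[Dict, List[str]]:
    """Load a config file and return (config, alerts).

    A missing or mismatching hash is an Alert in the design's vocabulary:
    recorded and shown to the user, but not fatal.
    """
    config = json.loads(path.read_text())
    alerts: List[str] = []
    stored = config.get("hash")
    if stored is None:
        alerts.append("config has no integrity hash; treating as unverified")
    elif stored != canonical_digest(config):
        alerts.append("config hash mismatch: file changed since it was sealed")
    return config, alerts


# Constructed sample config; the keys are illustrative, not the design's.
SAMPLE_CONFIG = {
    "tight_loop_seconds": 1,
    "loose_loop_seconds": 10,
    "log_sessions_kept": 4,
}


def demo() -> Tuple[List[str], List[str]]:
    """Write a sealed config, load it, then tamper with it and load again."""
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "dp.json"
        path.write_text(json.dumps(seal_config(SAMPLE_CONFIG)))
        _, clean_alerts = load_config(path)

        # Simulate an edit that changes a value but keeps the old hash.
        tampered = json.loads(path.read_text())
        tampered["loose_loop_seconds"] = 600
        path.write_text(json.dumps(tampered))
        _, tampered_alerts = load_config(path)
    return clean_alerts, tampered_alerts


if __name__ == "__main__":
    print(demo())
```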
The Log has three classes of message, informational, alerts and panics. Panics cause a DP shutdown. Alerts generate a graphical notification. Informational are just Log messages which are recorded but require no user interaction.
Next, a collection of sanity checks are made: are we in graphical mode (e.g. run-level 5), what is the state of the mount table and do we have a root partition, and can we launch the graphical application? DP records the status of this assessment in a Log message. Failure of any of the above is a Panic.
Once sanity is established, the graphical system is launched in startup mode (Amber indicators). The timeout loops for assessing the key resources (Home, Ping, DNS, and BackupHome) are registered and DP enters this main timeout loop with the checks being scheduled at the tightest of the loops (e.g. 1 second). When a resource is found (and becomes green) the event loop is set to a looser loop (e.g. 10 seconds). BackupHome probably requires a looser set of loops; 20 seconds and 5 minutes?
Whenever a resource evaluation is made a Log message is issued stating the type of resource being evaluated, a code for the status obtained, and a human readable version of this status. Every damn time. Successful resource evaluation is Informational. Unsuccessful resource evaluations are an Alert. A repeat of a previous alert merely adds the time offset from the first time since the resource moved from Available to Unavailable. We do not spam the user, we give them useful data. The extended messaging lives in the Log, not on screen.
What is the structure of Home? The two external storage devices representing Home and BackupHome are initialized. They are essentially interchangeable, but each possesses an identity A or B. This creates a problem. The worst mistake that the system can make is to copy the BackupHome to Home which will remove work performed between "now" and the "last backup". This must be prevented. There are multiple strategies but we need one that is foolproof. Thus, when both homes A and B are available DP should find the most recently modified file (not including the Log) from both A and B. If that file is in A and the user is instructing to backup B to A a serious red-flag warning needs to be issued which requires two confirmations. Over to the implementers as to how best solve this problem, but it must be solved.
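One way to implement the direction guard just described, as an added example that is not the article's or any project's code: before a copy, find the most recently modified file on each device (ignoring the Log) and red-flag the copy when the destination holds newer work. The device names A and B, the Log directory name and the sample files are constructed here.

```python
"""Guard against copying BackupHome over a newer Home (added example)."""
import os
import tempfile
import time
from pathlib import Path
from typing import Optional, Tuple

LOG_DIR_NAME = "dp-log"   # assumed location of the Log inside a Home


def newest_mtime(home: Path) -> Optional[float]:
    """Newest modification time of any user file under home, skipping the Log.

    None means the device holds no user files at all.
    """
    newest: Optional[float] = None
    for root, dirs, files in os.walk(home):
        # Prune the Log directory so its constant churn never counts as work.
        dirs[:] = [d for d in dirs if d != LOG_DIR_NAME]
        for name in files:
            mtime = (Path(root) / name).stat().st_mtime
            if newest is None or mtime > newest:
                newest = mtime
    return newest


def backup_direction_check(source: Path, destination: Path) -> Tuple[bool, str]:
    """Decide whether copying source -> destination is safe.

    Returns (safe, message). Unsafe means the destination has newer work than
    the source, so the copy would destroy it; the design requires two explicit
    confirmations before proceeding in that case.
    """
    src_newest = newest_mtime(source)
    dst_newest = newest_mtime(destination)
    if dst_newest is None:
        return True, "destination is empty; copy is safe"
    if src_newest is None or dst_newest > src_newest:
        return False, ("RED FLAG: destination holds newer files than source; "
                       "this copy would discard recent work")
    return True, "source is at least as new as destination; copy is safe"


def build_demo_homes(tmp: Path) -> Tuple[Path, Path]:
    """Constructed A/B devices: A has today's edits, B is yesterday's backup."""
    home_a, home_b = tmp / "A", tmp / "B"
    for home in (home_a, home_b):
        (home / LOG_DIR_NAME).mkdir(parents=True)
        (home / "notes.txt").write_text("draft")
    now = time.time()
    os.utime(home_b / "notes.txt", (now - 86400, now - 86400))  # a day old
    os.utime(home_a / "notes.txt", (now, now))                  # edited today
    # A fresh Log write on B must not make B look newer than A.
    log_entry = home_b / LOG_DIR_NAME / "session.log"
    log_entry.write_text("info: evaluated Home")
    os.utime(log_entry, (now + 60, now + 60))
    return home_a, home_b


def demo() -> Tuple[bool, bool]:
    """Return (safe for A->B, safe for B->A) on the constructed devices."""
    with tempfile.TemporaryDirectory() as tmp:
        home_a, home_b = build_demo_homes(Path(tmp))
        a_to_b, _ = backup_direction_check(home_a, home_b)
        b_to_a, _ = backup_direction_check(home_b, home_a)
    return a_to_b, b_to_a


if __name__ == "__main__":
    print(demo())  # (True, False)
```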
The best manner of navigating the challenge of delivering useful information to the person using DP is a skill in itself (user interface design) at which this author does not excel. The following suggestions may be of use. When the person mouses over an icon which is red it displays the most recent log message (including offset as mentioned) of the last Alert. The entire Log should be able to be viewed and filtered to eliminate Informational (indeed, this would be the default display). The principles are only useful information, and as easily accessible as possible. Hence, mouse over gives the most recent information for that subsystem and one (I repeat) one click for the Log containing only Alert messages. A parameter can perhaps be selected by the person to activate "clippy mode". By clippy I am referring to that abomination created by Microsoft. This is a mode which will provide suggested actions to remedy lack of resource availability, i.e. please plug in the BackupHome storage, or please connect the mobile phone and activate "hotspot". By default this should be Off.
How to work with the automounter? A GNU/Linux system takes a default position when a user logs in and their home directory is not available. For DP this is a valid state. Another strange but valid state is when the home directory disappears. DP needs to take both positions in its stride, providing information both via its graphical interface and Log. "Taking it in its stride" is easy to say, but requires a deep technical understanding of the system automounter and how to potentially dynamically change a user's home directory as understood by programs. This is where the "nasty details" emerge. The core strategy is to choose an OS distribution and thus automounter and work with someone who knows the automounter beast very well.
If DP is to become a more general product its home evaluation system needs to work with the collection of system automounters which exist in the GNU/Linux ecosystem. Get it working on the first target OS, but parameterise it. The DP Home evaluation system needs to know the GNU/Linux system variant which is why DP obtains this core information at startup.
On the network assessment side we have another problem, privacy. If the network assessment tools (Ping and DNS) have a unique signature (which IP address, which domain resolution) then DP becomes a signal for the individual using it. If we assume that these people are fairly rare and of interest to state intelligence agencies this is a disaster. Not quite as bad as backing up BackupHome to Home, but pretty bad.
Ping is essentially a Layer 4 UDP packet, but it carries with it the source IP address handed to the mobile phone by the mobile provider. The mobile phone is essentially serving as a router for the computer. The address will change as the user moves in space between different network providers, which then generates a potential trace in the network packets. There are two obvious ways to hide this. The first is steganographic: using one of the most commonly used IP addresses for testing internet connectivity with ping. An example would be Google's 8.8.8.8. This potential solution can be improved upon somewhat by using a random selection from a very large (I'm talking about tens of thousands) collection of addresses which are known to respond to ping. Maintaining this database may be somewhat challenging. There are lots of trade-offs to be made in designing this component of DP. Using 8.8.8.8 (or a small collection of IPv4 and IPv6 addresses which are highly used for ping testing) seems a simple solution which requires less work. However, with a small address collection DP will need to add random delays to its signaling. The delay extension should be proportional to the loop extent. E.g. for the 1 second loop add 0 to 1 seconds, for the 10 second loop add 0 to 10 seconds.
The next privacy challenge is the DNS system. One solution is to use an anonymizing network like Tor. With this, DNS resolution occurs at the exit of the Tor circuit rather than locally, thus hiding the individual. If this solution is chosen the system needs to be aware of it, and again it needs to be parameterised. There are other anonymity networks which may be chosen. Nonetheless, the use of one of them is a good idea. Again, we combine this with a large collection of resolvable internet hostnames which are chosen from at random to reduce the signature of DP. Again, random time offsets may also be used.
Assuming that decisions are made on the trade-offs for the Home and Network systems DP looks like the following in pseudo-code:
1. Start up: get the system details, load the config and set the Log flush when DP exits.
2. Sanity check: record with the Log all core sanity checks and abort if things are really screwed up.
3. Register the resource checks at the tight loop and launch the graphical interface in "Amber" mode.
4. The events loop begins. Upon each resource evaluation the result is registered with the Log. If a resource becomes "green" the loop is moved to the slower timeout. Equivalently, a red evaluation shifts the loop back to its faster or tighter variant. In all cases, the graphical display is adjusted to indicate state.
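The events loop above and the random probe delays described for the Ping component, as an added example (not code from the original article or from any DP implementation): one indicator object per resource that moves between the tight and slow loop, records each assessment with the Log, and a probe scheduler that adds a random delay proportional to the loop extent. Loop extents and the pool of ping targets are assumed values.

```python
import random
from dataclasses import dataclass, field
from typing import Optional

RED, AMBER, GREEN = "red", "amber", "green"

# Loop extents in seconds (assumed; the article gives 1 s and 10 s as its examples).
TIGHT_LOOP = 1.0   # while a resource is red or not yet assessed
SLOW_LOOP = 10.0   # once a resource is green

# Constructed pool of widely used ping targets; a real deployment would keep a larger one.
PING_TARGETS = ["8.8.8.8", "1.1.1.1", "9.9.9.9"]

@dataclass
class ResourceMonitor:
    """One Red/Amber/Green indicator (Home, Ping, DNS or BackupHome) with its own timeout."""
    name: str
    state: str = AMBER               # Amber until the first assessment is made
    interval: float = TIGHT_LOOP
    lost_at: Optional[float] = None  # when the resource last went red
    log: list = field(default_factory=list)

    def record(self, available: bool, now: float) -> str:
        """Register one assessment with the Log and retune the loop extent."""
        new_state = GREEN if available else RED
        self.log.append((now, self.name, new_state))
        if new_state == RED and self.state != RED:
            self.lost_at = now          # start the "unavailable since" clock
        elif new_state == GREEN:
            self.lost_at = None
        self.state = new_state
        # green -> slower timeout; red -> straight back to the tight loop
        self.interval = SLOW_LOOP if available else TIGHT_LOOP
        return self.state

    def mouse_over(self, now: float) -> str:
        """Hover text: how long the resource has been unavailable, else its state."""
        if self.state == RED and self.lost_at is not None:
            return f"{self.name}: unavailable for {now - self.lost_at:.0f}s"
        return f"{self.name}: {self.state}"

def next_probe_time(now: float, interval: float, rng=random) -> float:
    """Next network probe: loop extent plus a random delay in [0, interval],
    so a 1 s loop fires after 1-2 s and a 10 s loop after 10-20 s."""
    return now + interval + rng.uniform(0.0, interval)

def pick_probe_target(rng=random) -> str:
    """Pick the probe address at random so no single address is characteristic of DP."""
    return rng.choice(PING_TARGETS)
```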
Two "button" actions are available, Local Backup and Network Backup (actually, there are three which we get to below). They each have resource requirements. For Local Backup these are the Home and BackupHome storage devices. For Network Backup that is naturally the network and Home. Both of these interactions, when the required resources are available, require some human interaction. There are actually two variations of this.
In a perfect world the event goes like this: In a secure location the person connects both of the storage devices and has network. DP sees this and prompts or perhaps just makes available a button "Combined Backup". If selected and confirmed this instigates a combined operation, first backing up Home to BackupHome and then Home to NetHome.
There are two other "buttons", Local Backup and Network Backup, which are made usable when both Homes are available or Home and Network are available, respectively. Again, assessments need to be made for each. The big error of backing BackupHome to Home is equally problematic for backing up BackupHome to NetHome. It would seem sensible for the assessment of the Local Backup to be made on-the-fly. However, the protection against an error in NetHome backup should probably be a stage of the preparation for this backup. Again, some form of Amber indicator may need to be issued while checking that we are not backing up an outdated local storage over the NetHome.
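The pre-flight assessment just described, as an added example that is not part of the original article or of any DP implementation: each storage carries a role marker DP stamped on it at provisioning, and the check refuses to copy when the roles are reversed (BackupHome over Home) or when the source holds nothing newer than the destination (an outdated copy over NetHome). The marker file name and the scenario in `demo()` are constructed for this example.

```python
import os
import tempfile
from enum import Enum
from pathlib import Path

ROLE_MARKER = ".dp-role"  # stamped on each storage when DP provisions it (assumed name)

class Verdict(Enum):
    GREEN = "green"  # roles and freshness consistent: proceed
    AMBER = "amber"  # a role is unknown: hold and ask the human
    RED = "red"      # roles reversed or source older than destination: refuse

def read_role(mount: Path):
    """Role DP stamped on the storage ('home', 'backuphome', 'nethome'), or None."""
    marker = mount / ROLE_MARKER
    return marker.read_text().strip() if marker.is_file() else None

def newest_mtime(root: Path) -> float:
    """Modification time of the newest data file under root (0.0 if there is none)."""
    newest = 0.0
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name != ROLE_MARKER:
                newest = max(newest, (Path(dirpath) / name).stat().st_mtime)
    return newest

def assess_direction(src_role, dst_role, src_newest, dst_newest,
                     expect=("home", "backuphome")) -> Verdict:
    """Pre-flight check before copying src over dst; use expect=("home", "nethome")
    for the Network backup."""
    if src_role is None or dst_role is None:
        return Verdict.AMBER
    if (src_role, dst_role) != expect:
        return Verdict.RED
    if src_newest < dst_newest:
        return Verdict.RED  # an outdated copy is about to clobber newer data
    return Verdict.GREEN

def demo():
    """Constructed scenario: yesterday's copy on BackupHome, today's work on Home."""
    with tempfile.TemporaryDirectory() as tmp:
        home, backup = Path(tmp, "home"), Path(tmp, "backup")
        for mount, role, stamp in ((home, "home", 1_700_086_400), (backup, "backuphome", 1_700_000_000)):
            mount.mkdir()
            (mount / ROLE_MARKER).write_text(role + "\n")
            (mount / "notes.txt").write_text(f"{role} data\n")
            os.utime(mount / "notes.txt", (stamp, stamp))
        right = assess_direction(read_role(home), read_role(backup), newest_mtime(home), newest_mtime(backup))
        wrong = assess_direction(read_role(backup), read_role(home), newest_mtime(backup), newest_mtime(home))
        return right, wrong
```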
We can, thus, finally describe the user interface. The human using DP needs to be able to view the Log in default filtering, see the four resource indicators and mouse over them for latest Alerts if they are red, and invoke the three operations of Combined, Local or Network backup.
How should we present these? Let us consider "normal operation".
A. The person connects the "daily operational" OS and Data storages, and the mobile network. They turn on the laptop. As they select the boot device (the OS storage) and the OS boots, power will be delivered in default "recharging" mode to the phone. The person then enables network for the laptop (hotspot via cable). The person then logs into the computer. DP sees the automounted home and tests the network. Indicators all move to green, and the Network backup button becomes active. The person just goes about their activities. DP has nothing to say at all apart from indicators becoming green.
B. The person needs to temporarily leave the computer, taking their phone and Home with them. Indicators go red. No "pop-ups" are issued. The timeout loops move to their shorter/tighter version. Mouse-overs will now display the timeouts since resource availability is lost. The human returns and reconnects the Home (which DP detects quickly, shows green and moves to the longer timeout), and reconnects the mobile. They know that they need to tell the phone to be a 'hotspot' again and do so. DP assesses that both ping and DNS are working and shows this by turning both indicators green and moving to the slower timeout. Again, no "pop-ups" are issued. All is well in the world. The Network backup button becomes active again.
C. Our human is in their hotel (or wherever) at the end of a long day and repeats the start of A. They fish out the BackupHome from their luggage. ...
AAAAAAAAH, we have a fourth indicator light; whether BackupHome is available !!!!! This is why one does "use case" analysis. (Yes, I know I mentioned this above, but that was an edit after I'd realised this. I'm trying to display how system design works.)
The beloved person who is using our toolset has connected the BackupHome. We now have all FOUR of our desired resources, and all three of the "Action" buttons, Combined, Local and Network backup become available. The person clicks on Combined.
Instantly, the Local and Network backup buttons become unavailable. The Combined button becomes Amber. The assessment of whether the system is about to screw up is being made. Assuming all is good, the button turns green and a confirmation dialogue is issued. User interaction in terms of entering credentials may be required. Indeed, this is the one case where I see privilege escalation being required. The confirmation needs to provide this privilege escalation. This is acceptable. This happens once a day and the security of this transaction is of paramount importance. Once okay'd DP shows two progress bars, one for each of the Local and Network backup.
Our diligent "user" goes off to brush their teeth. Upon return they glance at the progress bars and see that the Local backup is making some progress. They take their repose.
Meanwhile DP completes the Local backup. Once complete, and this is where the privilege escalation may be required, it un-mounts BackupHome to protect it. DP then moves to the Network backup operation. Now we find TWO MORE required indicators: the time elapsed since the last successful Local or Network backup.
As each operation is completed the elapsed time is reset to zero. These "time since last successful backup" indicators need their own timeout events. Perhaps every half an hour. They should also use the Red, Amber, Green signaling. Red means backup is overdue. This needs to be configurable with sensible defaults. Say, 2 days for Local backup and 4 days for Network backup before they become red. Amber means DP does not know when the last backup occurred. Green means it does and the offset is within limits.
NOW we can consider the interface. At the top are the 4 indicators from left to right, Home, Ping, DNS and BackupHome with a "Log" button to the right hand side. Below this are the two counters of offset since last successful backup coloured by status. Below this are the three backup buttons, Local, Network and Combined.
There we have it!
The consideration of encryption has been passed over. There seem two modes. Travel mode requires the encryption to be done server side. This is too much for the laptop on a travel mission. It can become local encryption in non-travel mode. But, this gets complicated. I leave this to the implementers.
Here stands a lesson in system design. The key takeaways are these. First, you are building something for someone, and the someone is the most important part. Secondly, there are always trade-offs and your job as a system designer is to clearly describe these to the person for whom the software is being built. One cannot escape these trade-offs. Finally, Use Case analysis is the only way for a system designer to understand all of the components of a system. I repeat, the ONLY way.
Have fun.
Sources
Mostly in situ.
Episode 431 - Unknown Unknowns, James Corbett, Episode 431 (or 5 years earlier), 2022-11-01
The story of epistemological humility
"We Don't Live in a Free Country": Jacob Appelbaum on Being Target of Mass Govt Surveillance, DemocracyNow!, 2012-04-20
Having fun at the border
The Roundtable #37: The Expat Experience with Alex Christoforou and Brian Berletic, Gonzalo Lira discusses with Alex and Brian the “expat experience”, Gonzalo Lira’s youtube channel, 2022-12-06
Culture
Dark Side of the Moon, composed and performed by Pink Floyd, was published in 1973 by Harvest Records. The youtube upload embedded below was by Marcel Hetz on 2019-07-04.
This is one of the greatest popular music albums of all time. It announced a new form of “record”, the “concept” album. The artistic beauty of the soundscape can be accessed from any state of mind. Many a young person has remarked that an imbibement of Tetrahydrocannabinol can assist in finding its deeper meanings. As an old dude, I wish them well, but deny their claim. This album needs no augmentation, just patience and an open mind.
If you like what you read here, you can please the author by sharing it.
Notification
Subscription is optional. Subscribers can expect notifications for most articles. Better is to use RSS, or bookmark the "Archive" page and visit at leisure. If you use Twitter, following @YesXorNo1 is also an effective notifications strategy.
Copyright and Licensing
This work is copyright to the blog's author with CC BY-SA 4.0 licensing. Have fun, reuse, remix etc. but give credit and place no further restrictions. Let’s build culture.
Hi YesXorNo, this is the aforementioned moderator. Thanks for offering your assistance on the Craig Murray blog wrt sub-editing and data security. Your IT expertise could be useful in future; if and when there's a call for it, we'll let you know. In the meantime, let me offer some quick proof reading in return.
Typos: "He is an intelligent political {dissent}" => "dissident"; "the former rather than the {later}" => "latter"; "{its} northern winter" => "it's"; "{analgous}" (sounds rather disgusting!) => "analogous"; "{programatically}" => "programmatically"; "{assessements}" => "assessments". "some pristine beautiful thing{,} it is an evolution of a prototype" => ";" (semicolon).
There are also some American spelling variations (are you US-based?) and several compound terms that should be hyphenated, as well as some ambiguous expressions that could be clarified, not to mention some dubious stylistic quirks. Admittedly, most people wouldn't be bothered about such trivial issues; but, as you noted yesterday, linguistic and typographic anomalies can grate on the nerves of sub-editors and other pedants.
Your notion that "these assessments for changes are forward registered" is a little unclear. Are you referring to watch events or procedural conditions (or maybe variables in a declarative conditional clause, as in Prolog)? Are you invoking something like perceptual anticipation or operant conditioning in behaviourist psychology? (Sorry if I'm misconstruing.)
Your political thoughts are very welcome on the CM blog, but your own blog/newsletter would seem a more apt location for complex ideas about system design; thanks for directing us to it. (Incidentally, you might want to save your outline of the security schema in the discussion forum as that thread may be marked 'private' for use by the tech team.)
Best wishes.