Welcome!


Welcome to my private blog. From time to time I may post here some personal observations and comments as well as links to events and noteworthy news. Mostly, these may be about the Information Society, including Internet Governance, and ICT for Development (ICT4D). Since I started my own company Arete Publica Associates® in April 2017, my professional life will be more accessible there, and this blog will be more of a private concern.

If you find something worthy of criticism or praise, please feel free to comment.

Peter H. Hellmonds

(last edited: 07 February 2018)

August 22, 2017

Website down Fri Aug 17 through Tue Aug 22, 2017

 

This weekend I learned the hard way why it is important to have multiple ways to back up your website or blog.

= What happened? =

On Friday evening, I was working on some updates to this site, and something went wrong. All of a sudden I was unable to access the admin interface via login, and something else was throwing the website into a fit, where only the top half of each page was shown, omitting most of the content.

No problem, I thought, this website is hosted at the data center of the largest ISP in Europe, and they do regular backups, so all I need to do is call their 24/7 support hotline, get my site restored to the previous day, and all is fine.

= Support Hotline =

Which is what I did. The support person at the other end told me there is a self-help option: “Just go to the control center, under hosting you will find the option to restore from your backups”, he told me. But when I went to that option, it said: “Sorry, the restore function is not available right now since we’re doing maintenance, please try later.” The support person was unable to tell me when that maintenance session would be over. I tried again on Sunday. The same error message about maintenance. Wow. Called support again, the same person on the line. He said to try again Monday morning. Which I did.

= No Backups? =

When I called and mentioned the story to the new support person on Monday morning, she looked into my file and said: “Well, it seems we sent you an email on 5 November 2015, informing you that you are migrated to a server where there is no backup, because you have too many files.” My thought was: “Woot??”

= Hitchhiker’s Guide to the Galaxy =

I was reminded of the HHGTTG opening sequence, when Arthur Dent learns that Earth will be destroyed immediately to make place for an intergalactic starship superhighway. When he complained he was told that the plans had been on display for a long time on some distant planet in an obscure star system. This was how I felt when I was told that amongst the pile of constant emails from my ISP, most of which are not quite spam, but almost so, was one important one that I should have read instead of filing it away automatically according to some mail program algorithm.

Yes, she told me (on Monday), you only get a daily backup of the previous day. So, this meant, I could restore on Monday to the state of affairs from Sunday, but my problem had started on Friday, so I was doomed!

= There are Backups! = 

I realized I was on my own. So, I checked the file system, and lo and behold!, I remembered that my WordPress site did have a plugin that made some automatic backups, and these were all well preserved. Phew! Saved by the towel (ok, inside joke, but if you know Arthur Dent and Ford Prefect, you know what I mean!)

= Lessons learned =

I was able to restore my site on Tuesday, after various trials and tribulations. I was lucky. But who knows whether I will be so lucky again next time?

This story has taught me an important lesson: Do not just rely on your ISP to make backups for you! They may fail you. Also, do not simply rely on your website installation to make automatic backups. What if the backups are destroyed, since they are on the same server? Therefore: Do also regularly make backups manually and store them in another physical location, so you can go back to some previous stage when necessary.

December 2, 2015

Beware of massive brute force attacks on your WordPress blog

If you are running a WordPress blog, be aware of your blog’s security. Make sure you update to the latest release of WordPress and keep themes and plugins up to date. Make sure you have a backup of your blog’s contents and add some security features to prevent brute force attacks.

To show you the scale of the threat: this morning I was alerted to over 20,000 attempts to break into this website, all happening within about ten minutes last night. Overall, in the past two months, there were over 50,000 break-in attempts that were successfully averted.

I won’t detail what I do to keep my site protected (this secrecy is one part of the safety measures), but if we know each other personally and if you send me an email from a recognized email address, stating from where we know each other, then I’ll be happy to give you some tips.

April 16, 2014

Running a WordPress blog? Update Jetpack Plugin!


If you are running a WordPress blog, it’s very likely that you’ve also enabled the popular Jetpack plugin. A few days ago, Jetpack announced a Critical Security Update for sites running their plugin. Any site with a Jetpack Plugin version number after 1.9 and up to 2.9.3 (which fixes the security hole) should update their installation.

“During an internal security audit, we found a bug that allows an attacker to bypass a site’s access controls and publish posts. This vulnerability could be combined with other attacks to escalate access. This bug has existed since Jetpack 1.9, released in October 2012.”

http://jetpack.me/2014/04/10/jetpack-security-update/

UPDATE (2015-04-27): The latest version of the Jetpack Plugin is now V. 3.5. See: https://wordpress.org/plugins/jetpack/

February 11, 2014

Demand an End to Mass Surveillance


Today, I am joining hundreds of organizations and thousands of individuals to demand an end to mass surveillance.

Please join as well and Take Action: Sign the International Principles on the Application of Human Rights to Communications Surveillance.

January 10, 2014

Privacy and the NSA – the International Covenant on Civil and Political Rights

On a mailing list which I am following, someone suggested in relation to privacy and the NSA:

“There is probably already an international treaty or resolution at https://www.treaties.un.org dealing with privacy of communications. But, the NSA probably does not pay much attention, if they are even aware of these statements at all. NSA will, however, pay attention to the US Executive, US Courts and/or US Congress because these agencies have real power over it.”

Somehow the suggestion to check on an international privacy treaty seemed like an interesting challenge to me. It has been a very interesting exercise, even though I need to add the caveat that I am not a member of the legal profession, but only an interested lay person.

Summary (for those who don’t want to read my full and lengthy commentary):

There is such an international treaty, the ICCPR, it has been signed and ratified by the US Senate, but it does not create a law of the nation that can be independently executed, and Congress has not passed any enabling legislation. The US has already been notified by the UN HRC that this is not ok, and a review will take place in March 2014.

Full commentary below.
(Referenced URLs have been included at the bottom for better readability.)

The resolution on “The right to privacy in the digital age” that Brazil and Germany proposed and which the General Assembly adopted at the UN (1) was referring to such an international treaty dealing with privacy of communications, namely the International Covenant on Civil and Political Rights (ICCPR).(2)

It has been noted by the US Senate that

“The Covenant is part of the international community’s early efforts to give the full force of international law to the principles of human rights embodied in the Universal Declaration of Human Rights and the United Nations Charter. The Civil and Political Rights Covenant is rooted in western legal and ethical values. The rights guaranteed by the Covenant are similar to those guaranteed by the U.S. Constitution and the Bill of Rights.” (4.A)

Clearly, it is correct to say that the NSA does not have to directly pay attention to such a treaty. However, through ratification in the US Congress, usually (in theory) such treaties become part of the law of the nation.

In such a case, the President, who is the Chief of the Executive Branch of Government, and who takes an oath of office to protect the Constitution (and the laws of the land), would need to tell his executive agencies, including the NSA, to follow the law created through ratification of such a treaty and through follow-on enactment of national laws giving power to such treaty stipulations.

However, here comes the caveat. While the US did sign and ratify that treaty in 1992, they did also include a number of reservations, understandings, and declarations. (3)

The first of the declarations states:

“(1) That the United States declares that the provisions of Articles 1 through 27 of the Covenant are not self-executing.” (4)

As a clarification, the Senate added in its report on the deliberations:

“For reasons of prudence, we recommend including a declaration that the substantive provisions of the Covenant are not self-executing. The intent is to clarify that the Covenant will not create a private cause of action in U.S. courts. As was the case with the Torture Convention, existing U.S. law generally complies with the Covenant; hence, implementing legislation is not contemplated.” (4.A, page 20)

This means that the ratification does not create independent US law that could be pursued in a US Court, but only binds the US internationally. This interpretation has been upheld in Court (5, 6), but is being challenged by some constitutional scholars. (7)

According to the US Court of Appeals for the Sixth District:

“‘Courts in the United States are bound to give effect to international law and to international agreements, except that a ‘non-self-executing’ agreement will not be given effect as law in the absence of necessary authority.’ Restatement (Third) of Foreign Relations Law 111 (1987). Neither the American Declaration nor the International Covenant is self-executing, nor has Congress enacted implementing legislation for either agreement.” (6)

The general comment by the Human Rights Committee (1994) condemns this practice:

“Of particular concern are widely formulated reservations which essentially render ineffective all Covenant rights which would require any change in national law to ensure compliance with Covenant obligations. No real international rights or obligations have thus been accepted. And when there is an absence of provisions to ensure that Covenant rights may be sued on in domestic courts, and, further, a failure to allow individual complaints to be brought to the Committee under the first Optional Protocol, all the essential elements of the Covenant guarantees have been removed.” (8)

And in 2006, the Human Rights Committee concluded its remarks about the reports by the US government, and under section C. Principal subjects of concern and recommendations makes specific mention of the NSA:

“[..] the Committee is concerned that the State Party, including through the National Security Agency (NSA), has monitored and still monitors phone, email, and fax communications of individuals both within and outside the U.S., without any judicial or other independent oversight.” (9)

The HRC (2006) further recommends:

“The State party should review sections 213, 215 and 505 of the Patriot Act to ensure full compatibility with article 17 of the Covenant. The State party should ensure that any infringement on individual’s rights to privacy is strictly necessary and duly authorized by law, and that the rights of individuals to follow suit in this regard are respected.” (9)

A review meeting scheduled for the 109th session of the UN HRC in the second half of October 2013 has been postponed until March 2014 on request by the USA citing the government shutdown as a reason. (10, 11) The next review on 14 March 2014 could become interesting, having the NSA as a subject at sections 332ff of the US Report. (12)

In light of this, it appears to me that the US may perhaps be liable by international law to ensure the human and civil rights of its citizens and those of people from other nations. However, if any individual feels his/her rights may have been violated by the US executive (e.g. NSA), and presses charges in a US Court, such Court will refuse to make a judgement, citing lack of jurisdiction under the circumstances of the ratification with the given reservations and declarations.

The only way out could be to challenge this interpretation in the Supreme Court. The Supreme Court of North Dakota in January 2004, however, has already upheld the interpretation of the “not self-executing” clause of the Senate ratification, summarizing a number of appellate court cases. (13) The (federal) US Supreme Court has to my knowledge not yet made a judgement specifically on that particular clause in relation to the ICCPR.

What is known is an opinion of Chief Justice Marshall, writing in Foster v. Neilson, 27 U.S. 253, 314-15 (1829):

“Our constitution declares a treaty to be the law of the land. It is, consequently, to be regarded in courts of justice as equivalent to an act of the legislature, whenever it operates of itself without the aid of any legislative provision. But when the terms of the stipulation import a contract, when either of the parties engages to perform a particular act, the treaty addresses itself to the political, not the judicial department, and the legislature must execute the contract before it can become a rule for the Court.” (14)

Perhaps we need to realize that laws and international treaties have entered a new era and we need to continuously challenge and advance human rights. I think this is the essence of the concluding remark by Harold Hongju Koh, legal adviser to the US Dept. of State, in his speech at Georgetown Law in October 2012:

“Make no mistake: this is not your grandfather’s international law, a Westphalian top-down process of treatymaking where international legal rules are negotiated at formal treaty conferences, to be handed down for domestic implementation in a top-down way. Instead, it is a classic tale of what I have long called “transnational legal process,” the dynamic interaction of private and public actors in a variety of national and international fora to generate norms and construct national and global interests. The story is neither simple nor static. Twenty-first century international lawmaking has become a swirling interactive process whereby norms get “uploaded” from one country into the international system, and then “downloaded” elsewhere into another country’s laws or even a private actor’s internal rules.” (15)

 

References:

  1. Draft of Resolution: “The right to privacy in the digital age”
  2. International Covenant on Civil and Political Rights (ICCPR)
    1. http://www.hrcr.org/docs/Civil&Political/intlcivpol.html
    2. https://treaties.un.org/doc/Publication/UNTS/Volume%20999/volume-999-I-14668-English.pdf
  3. Wikipedia entry:
  4. US Senate Ratification (and reservations):
    1. (search for treaty 95-20, 95th Congress)
    2. Background on US ratification:
  5. US Court of Appeals (First Circuit) judgement including a reference on non-self-execution of the treaty:
  6. US Court of Appeals (Sixth Circuit) notes (Footnote 134):
  7. Berkeley Law School: John C. Yoo, “Globalism and the Constitution: Treaties, Non-Self-Execution, and the Original Understanding,” 99 Colum. L. Rev. 1955 (1999)
  8. Human Rights Committee (1994) report (CCPR/C/21/Rev.1/Add.6):
  9. Human Rights Committee (2006) concluding observations (CCPR/C/USA/CO/3/Rev.1):
  10. Postponement of US review by UN HRC (2013)
  11. Agenda for the 110th session of the UN HRC
  12. US Report (CCPR/C/USA/4) to the 110th session of the UN HRC
  13. Supreme Court of North Dakota decision
  14. US Chief Justice Marshall’s opinion:
  15. Twenty-First Century International Lawmaking

July 30, 2013

NSA surveillance hurts U.S. businesses

For many years I have been a strong believer in the benefits of the technology powering our modern information society. I have advocated that the eco-system arising from the merger of computers and communications will ultimately help people in their socio-economic development. I have been a staunch supporter of triple-play (merger of IT, telecom and TV) and quadruple-play (IT, telco, TV and mobile) technologies, thinking that the more we can share information, the better it will be for us individually and for our society overall.

Uncle Sam Listens In

Original image by Jeff Schuler. Licensed under the Creative Commons Attribution 2.0 Generic license.

Surveillance changes everything

However, the revelations triggered by Edward Snowden over the past eight weeks about widespread snooping in on the electronic information we leave behind in this information-rich environment, the news about widespread spying by our own government agencies, and by those of friendly and not-so-friendly governments have made me re-examine my own assumptions and attitudes towards sharing my details with various commercial Internet services.

Turning away from U.S. products and services

Whereas before, I have not had a problem maintaining phone numbers, email addresses or my Skype name on Facebook, today I deleted those. Whereas before, I had no problem keeping my résumé and other personal files in my Google Drive, today, I deleted all files from the service. Whereas I am glad that Microsoft is offering me SkyDrive, today I have decided that I will refrain from using the service.

Next will be Apple’s iCloud, where my iPhone syncs a lot of personal things from me. From now on, I am working with a cloud service under my control. I stopped using Google Chrome today over concerns that I may be tracked more than I would like to be, and switched back to Mozilla’s Firefox browser, which is giving me more control over my privacy settings. As of this week, I am no longer using Microsoft Outlook and have changed to Mozilla’s Thunderbird, although Outlook has provided me with a very good user experience over the past decade or more. My Outlook Calendar is no longer, and the other calendar(s) which I used to sync with Yahoo and Gmail and iCloud is now going to be synced only with my cloud, using open source software under a free license.

Surveillance hurts business interests

This is what surveillance does to U.S. businesses. Customers like me will turn away from proprietary software, from commercial vendors, and increasingly will turn to free and open software. And if even I, who for over twenty years have been a strong supporter of all these technologies, if even I am starting to turn away from U.S. based providers, then it is clear that many others will do the same. And this will hurt U.S. business interests. And if U.S. businesses lose money, then also the U.S. as a whole will be hurt. I really feel sorry for the mostly U.S. based businesses, where many of my professional friends and colleagues work. I trust most people in these businesses are good people. I also trust that most of these businesses don’t want to share my personal data with anyone. However, the current situation with secret laws, secret courts, widespread data collection by U.S. intelligence agencies operating “lawfully” forces me to turn away from U.S.-based services. I have regrettably lost trust in “the system”.

Re-evaluating assumptions and attitudes towards data privacy

It is really ironic that someone like me, who has been an outspoken advocate for all the good things this information society and information technology revolution is bringing us, is going through this exercise. But maybe it will turn out to be a healthy exercise. With whom do I want to share this or that information about myself? In the past, I have of course thoroughly examined, evaluated and adjusted my privacy settings in Facebook, Twitter, LinkedIn, Google+ and other such online services. But in other respects, I have been more trusting that the companies offering email services like Yahoo or Gmail, or cloud services like Microsoft Skydrive, Google Drive, Apple’s iCloud, etc will keep my personal data private to myself. However, what we all have had to learn in the past few weeks results in a loss of our trust in the ability (and perhaps the willingness) of those companies to protect our privacy when ordered by law enforcement authorities.

Nothing to hide – nothing to worry?

NSA headquarters

The NSA headquarters in Fort Meade, Maryland. Photograph: EPA

Well, there is the argument that “those who have nothing to hide” will have nothing to worry about. This is the argument that I have trusted in the past, that the law enforcement and spy agencies will only go after criminals and terrorists. That they will do so only after having obtained a warrant from a judge, that there will be sufficient judicial and parliamentary oversight over the process, ensuring my civil rights. But what has transpired over the past weeks is that this argument is thoroughly wrong-footed. Because these information-hungry agencies are conducting a sweeping vacuuming of all available data, regardless of reasonable suspicions about people, regardless of whether the data belongs to domestic or foreign individuals. So, the “nothing to hide” argument is wrong, because it is not targeted individuals whose data is being vacuumed into the great data abyss of those intelligence agencies, but the data of all of us, regardless of any suspicion.

NSA spying on 4chan

Everyone has something to hide – it’s a central aspect of the right to privacy

And just like most people, of course I do have something to hide. Nothing that would be criminally suspect, of course, but my bank account is and ought to be private, just like my medical records, my phone records, my religious affiliation, the friends I speak with, the letters I receive, the pictures I take of my son, or the books I buy on Amazon. We have a constitution that demands that our government respect our civil rights, yet I get the distinct feeling that these constitutional rights are now under threat precisely by those who claim to be working for us, to guarantee our security. Thus, somehow, I feel less secure now, less secure because I fear for my freedoms, I’m afraid that someone is taking away my civil rights.

 

Vote for change – talk to your representative

Postal vote

© dpa

I want to live in a free society, where we can speak out freely what we think, without the fear that whatever we say anywhere anytime can be used against us. That’s why I’m not going to give up and hide. We have elections, and our politicians need to listen. We need more oversight, a stop to suspicion-less data collection, and a lot more transparency and accountability of the surveillance agencies worldwide. I don’t have a vote in the U.S. elections, so I hope my many American friends will do the right thing and call their Congressman, their Senator. I hope they will make sure their voices are heard. I have to trust my ability to engage with lawmakers in my country to protect my constitutional rights, my civil rights, my human rights. Our next election is less than two months ahead.

May 9, 2013

Brute force attack failed!

This morning, my personal Website was the subject of an attempt to break into the administrator account with a brute force attack. Due to the advanced security features that I have put in place at this Website, the attempt failed and I was notified of the attack after a certain threshold of login failures was reached that was significant enough to trigger such a notification. The IP number identified could be traced to a location near the city of Changsha in the Hunan province in east-central China.

Brute force attack from China

Dear attacker,

thank you for testing (and failing to break into) the security of my Website. You provided me with a convincing argument to keep the security features in place, despite making it more cumbersome for myself to log into the admin account. Needless to say I will not reveal the nature of these features.

Have a nice day!

April 22, 2013

INET Denver considers Internet life without IPv4 addresses

See on Scoop.it: Information Society

After Asia and Europe, North America is next in line to run out of IP addresses.

Peter H. Hellmonds’s insight:

We’ve got to get this transition to IPv6 right over the next few years or we’re going to wreck the Internet as we know it today.

See on arstechnica.com

April 13, 2013

IPv6 ready

Today, I can proudly announce that my website is IPv6 ready!

ipv6 ready

Originally posted on April 13, 2013:
While I am happy that I found the feature on the configuration page of my hosting provider 1&1, I am still unhappy with the fact that my ISP (the same 1&1), which claims to be one of the biggest ISPs in Europe (see http://en.wikipedia.org/wiki/1%261_Internet), cannot yet provide me with IPv6 routing. This means, while my blog is reachable from the IPv6 Internet, I still cannot reach any IPv6 websites. Hopefully this will follow, soon. I’m in touch with their support staff and will post follow-ups here.

Update May 22, 2013:
I’ve been in touch with support staff at my ISP and worked on enabling an IPv6 tunnel using the tunnelbroker from Hurricane Electric. As mentioned in my previous post, I got IPv6 enabled on my blog a few weeks ago by flipping a switch in the config at my ISP. Now finally my insistence with my ISP was successful so that I have now both IPv4 and IPv6 working from home. 🙂

IPv6-yes IPv4-yes

April 8, 2013

The ‘right to be forgotten’

See on Scoop.it: Information Society

Viktor Mayer-Schönberger

Peter H. Hellmonds’s insight:

What do you think? Should there be a “right to be forgotten”?

While this may sound right if you think of pranks done by teenagers who don’t want to be reminded of them when they apply for a job years later, would this “forgetting” also apply to crimes, human rights abuses etc?

Perhaps a “fading into history” function would be preferable, allowing for past activities to no longer show up in the usual search results, but giving researchers and reporters access to the past.

See on ideas.foreignpolicy.com