
The UK/EU Brexit Agreement contains references to Netscape Communicator & Mozilla Mail

Master Disaster
Message added by colonel_mortis,

No politics, please.

I know this one is skirting the line so I'll post it and let the mods decide if it meets the requirements or not.

 

It's emerged that the 8,000-page Brexit agreement between the EU & the UK, which was agreed on Christmas Eve and will be signed into law on January 1st, contains references to Netscape Communicator & Mozilla Mail, which likely indicates someone somewhere simply copy-pasted huge chunks of the document from a very old source.

Quote

References to decades-old computer software are included in the new Brexit agreement, including a description of Netscape Communicator and Mozilla Mail as being "modern" services.

 

Experts believe officials must have copied and pasted chunks of text from old legislation into the document.

 

The references are on page 921 of the trade deal, in a section on encryption technology.

 

It also recommends using systems that are now vulnerable to cyber-attacks.

 

The text cites "modern e-mail software packages including Outlook, Mozilla Mail as well as Netscape Communicator 4.x."

Perhaps even more worrying though, the document recommends the use of RSA1024 & SHA1, both of which have known vulnerabilities.

Quote

The document also recommends using 1024-bit RSA encryption and the SHA-1 hashing algorithm, which are both outdated and vulnerable to cyber-attacks.

 

"It's clear that something is amiss in the drafting of this treaty, and we'd go so far as to venture the opinion that a tired civil servant simply cut-and-pasted from a late-1990s security document," news site Hackaday commented.

 

Several people have suggested the words were copied from a 2008 EU law, which includes the same text.

Source - https://www.bbc.co.uk/news/technology-55475433

Better source - https://hackaday.com/2020/12/28/netscape-communicator-and-sha-1-written-into-brexit-agreement/

 

Gotta laugh at this one. I can imagine some underpaid and overworked civil servant copy-pasting huge chunks of data from outdated sources and not understanding word 1 of it.

Main Rig:-

Ryzen 7 3800X | Asus ROG Strix X570-F Gaming | 16GB Team Group Dark Pro 3600Mhz | Corsair MP600 1TB PCIe Gen 4 | Sapphire 5700 XT Pulse | Corsair H115i Platinum | WD Black 1TB | WD Green 4TB | EVGA SuperNOVA G3 650W | Asus TUF GT501 | Samsung C27HG70 1440p 144hz HDR FreeSync 2 | Ubuntu 20.04.2 LTS |

 

Server:-

Intel NUC running Server 2019 + Synology DSM218+ with 2 x 4TB Toshiba NAS Ready HDDs (RAID0)


Oh, government! Just can't keep up haha.

--Dominik W

 

(What else do you need, this is just a signature, plus I have them disabled 😅)


4 minutes ago, Dominik W said:

Oh, government! Just can't keep up haha.

Unless you have worked in gov't, you have no idea just how accurate this is.

The long and short of it is, the pay bands suck for gov't IT work, so all you can attract are either those who can't hack it in the "real" world (aka the criminally incompetent or terminally stupid), those who don't care about the quality of the work they do and know they can't get fired (once you've put in a year at the gov't and become a full employee, it's virtually impossible to get fired), or those just cruising until retirement who generally don't give a care about anything they do.

 

Source: I work in gov't.

NOTE: I no longer frequent this site. If you really need help, PM/DM me and my e.mail will alert me. 


8 minutes ago, Radium_Angel said:

Unless you have worked in gov't, you have no idea just how accurate this is.

The long and short of it is, the pay bands suck for gov't IT work, so all you can attract are either those who can't hack it in the "real" world (aka the criminally incompetent or terminally stupid), those who don't care about the quality of the work they do and know they can't get fired (once you've put in a year at the gov't and become a full employee, it's virtually impossible to get fired), or those just cruising until retirement who generally don't give a care about anything they do.

 

Source: I work in gov't.

I haven't worked in government, but I've heard about what you said. Government is behind in almost everything; they need to catch up slightly, which is basically what I was getting at. People need to realize that paying taxes is important, because otherwise you get stuff like this: underfunded departments, lazy and unmotivated workers, and systems that are vulnerable to attacks.


16 minutes ago, colonel_mortis said:

Let's please not let this turn into a discussion about whether Brexit was a good idea. I've removed one comment, and hope to be able to leave it at that.

Could you pin this as an announcement at the top of the thread please.

 

Also, as an obviously accomplished web developer I'd love your input on the RSA1024 encryption & SHA1 hashing part. Just how bad of a recommendation is it?


How could it even be copy/paste? Were Outlook and Netscape ever actually relevant during the same period? That's so odd.


Just now, poochyena said:

How could it even be copy/paste? Were Outlook and Netscape ever actually relevant during the same period? That's so odd.

Someone found some old legislation from 2008 that contains the same wording verbatim. Seems it was CTRL + C'd, CTRL + V'd from that without any kind of proofread from anybody who understands what it actually says.


30 minutes ago, Master Disaster said:

Could you pin this as an announcement at the top of the thread please.

 

Also, as an obviously accomplished web developer I'd love your input on the RSA1024 encryption & SHA1 hashing part. Just how bad of a recommendation is it?

SHA1 has been deprecated. You can only get public certs in SHA2 now as the minimum.

 

SHA1 is also vulnerable to a collision exploit. It's only getting easier to pull off with faster hardware.

 

https://arstechnica.com/information-technology/2020/01/pgp-keys-software-security-and-much-more-threatened-by-new-sha1-exploit


42 minutes ago, Master Disaster said:

Also, as an obviously accomplished web developer I'd love your input on the RSA1024 encryption & SHA1 hashing part. Just how bad of a recommendation is it?

If I'm reading the document correctly, the use of SHA-1 here is not actually a problem at all (in the way that it's being used, it is still considered to be secure against even nation state attacks), although the industry is moving away from it.

 

SHA-1 is broken in that (with a huge amount of computational effort) researchers have managed to construct two different files that hash to the same value. That's not a problem here though, where it's being used to generate a Message Authentication Code (MAC), because generating a MAC involves a secret value that is not known to the attacker. If I'm remembering correctly, even MD5 (which IIRC a modern laptop could find a collision for within a few minutes) is secure enough to use for a MAC.

 

RSA-1024 is not secure, and could be compromised by a nation state attacker (or very determined criminals), so it should definitely not be used.

HTTP/2 203

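As an added illustration of the MAC point in the post above (example code, not from the thread or from the agreement text): an HMAC verifier in Python where the tag depends on a shared key, so the keyless hash an attacker could compute from a collision search is rejected. The key, message and allowed-algorithm list are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample values for this example (not taken from the agreement).
SHARED_KEY = b"constructed-shared-secret"
MESSAGE = b"record-id=0001;type=exchange;payload=..."

# Hashes this verifier accepts inside HMAC: SHA-1 kept for interoperability,
# SHA-256 as the migration target. MD5 and anything else is refused.
ALLOWED_MAC_HASHES = {"sha1", "sha256"}


def make_tag(key: bytes, message: bytes, alg: str = "sha1") -> bytes:
    """Compute an HMAC tag. HMAC feeds the secret key into both hash passes,
    so forging a tag needs the key; a collision in the bare hash does not
    help an attacker who does not hold it."""
    if alg not in ALLOWED_MAC_HASHES:
        raise ValueError(f"MAC hash not permitted: {alg}")
    return hmac.new(key, message, alg).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes, alg: str = "sha1") -> bool:
    """Recompute and compare in constant time (no early-exit timing leak)."""
    try:
        expected = make_tag(key, message, alg)
    except ValueError:
        return False
    return hmac.compare_digest(expected, tag)


def keyless_hash(message: bytes, alg: str = "sha1") -> bytes:
    """All an attacker without the key can compute: a bare hash of the
    message. Collision research works in this keyless setting, and the
    result is not a valid HMAC tag."""
    return hashlib.new(alg, message).digest()


def demo() -> dict:
    """Run the checks and return the outcomes for inspection."""
    tag = make_tag(SHARED_KEY, MESSAGE)
    tag256 = make_tag(SHARED_KEY, MESSAGE, "sha256")
    return {
        "genuine_accepted": verify_tag(SHARED_KEY, MESSAGE, tag),
        "tampered_rejected": not verify_tag(SHARED_KEY, MESSAGE + b"x", tag),
        "keyless_rejected": not verify_tag(SHARED_KEY, MESSAGE, keyless_hash(MESSAGE)),
        "wrong_key_rejected": not verify_tag(b"other-key", MESSAGE, tag),
        "md5_refused": not verify_tag(SHARED_KEY, MESSAGE, tag, "md5"),
        "sha256_accepted": verify_tag(SHARED_KEY, MESSAGE, tag256, "sha256"),
    }
```

Running `demo()` returns every check as `True`; swapping SHA-1 for SHA-256 only needs the `alg` argument, which is the migration the post alludes to.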

1 hour ago, Dominik W said:

I haven't worked in government, but I've heard about what you said. Government is behind in almost everything, they need to catch up slightly, basically what I was getting at. People need to realize that paying taxes is important, because then you get stuff like this. Underfunded departments, lazy and unmotivated workers, and systems that are vulnerable to attacks.

Absolutely every interaction I have ever had with government at any level has been an agonizing and infuriating experience. Everything from getting a car registered, to dealing with government contract processes, to trying to get records is mired in unfathomable amounts of bureaucracy and run by absolute brainless idiots.


39 minutes ago, charlie_root said:

Absolutely every interaction I have ever had with government at any level has been an agonizing and infuriating experience. Everything from getting a car registered, to dealing with government contract processes, to trying to get records is mired in unfathomable amounts of bureaucracy and run by absolute brainless idiots.

Exactly. The people just don't care. Why? Because people harass them for rules that are normal, and two, their pay is abysmal. They need to match job conditions to any other company, and it will make life easier for absolutely everyone.


Laziness+being technologically inept...TBH that's just typical around the world. Technology just has moved too fast for those who should have been putting the most effort into keeping up with it.

"We also blind small animals with cosmetics.
We do not sell cosmetics. We just blind animals."

 

"Please don't mistake us for Equifax. Those fuckers are evil"

 

This PSA brought to you by Equifacks.
PMSL


TIL there are national databases everywhere in the EU and UK that contain DNA information and are all connected together with a VPN.

Same for cars, but that's not so surprising.

Also FP, whatever that means.

If you want my attention, quote meh! D: or just stick an @samcool55 in your post :3

Spying on everyone to fight against terrorism is like shooting a mosquito with a cannon


3 hours ago, Master Disaster said:

Someone found some old legislation from 2008 that contains the same wording verbatim. Seems it was CTRL + C'd, CTRL + V'd from that without any kind of proofread from anybody who understands what it actually says.

But Outlook was released in 2012.


4 hours ago, StDragon said:

Ctrl-A

Ctrl-C

Ctrl-V

 

Yep, classic cut and paste from a 15-year-old doc. Been there and done it myself, complete with the egg/face interface moment when found out. Still, it gives some civil servants something to do.


Another 4 political posts have been removed. If your post expresses or implies any opinion on whether Brexit is a good idea (regardless of what that opinion is!), it is politics and not tech, and therefore not allowed.

Quote

No political content, regardless of your views.

  • If something spans politics and tech, the discussion must remain clearly within tech and must not descend into politics
  • This covers all parts of the site, including status updates

 

I don't want to lock the topic or hand out warnings, but prior experience has shown that even dipping lightly into politics on this site almost invariably leads to arguments which escalate into flame wars.

 

This is the final warning.


You guys are just desperately looking for things to whine about and ridicule. This is not weird at all, because the purpose of the negotiations was deciding what to keep and what to change, so of course they are not going to rewrite the agreement but copy-pasterino what they keep and change or leave out the rest, and the things that you found were simply things they kept because nobody cared about them. It's not a big deal. In the UK there is still an ancient law that allows the English to kill the Irish on a certain day in the year at a certain time, and they never changed it because there was never a need and nobody is stupid enough to take advantage.

This also does not mean that it was "done by an intern". I assure you this was all done by overpaid lawyers who get several hundreds of thousands a year but during the negotiations they don't sit around and discuss every tiny little minority. They take a big chunk of papers and say "ok we want to keep this in" and then the UK takes a quick look at the headers and sees that this is not something they care about so they say "ok whatever" and then they hand it to their lawyers to review to ensure there is nothing weird and then it is just automatically put together. This does not imply that this was not done properly.


Now that you've mentioned it I haven't seen a lot of green themed web browsers or email clients these days.

Specs: Motherboard: Asus X470-PLUS TUF gaming (Yes I know it's poor but I wasn't informed) RAM: Corsair VENGEANCE® LPX DDR4 3200Mhz CL16-18-18-36 2x8GB

CPU: Ryzen 9 5900X Case: Antec P8 PSU: Corsair RM850x Cooler: Antec K240 with two Noctura Industrial PPC 3000 PWM

Drives: Samsung 970 EVO plus 250GB, Micron 1100 2TB, Seagate ST4000DM000/1F2168 GPU: EVGA RTX 2080 ti Black edition


4 hours ago, poochyena said:

But Outlook was released in 2012.

Yes, but Microsoft Outlook Express (usually just called 'Outlook' at the time) was released in 1997.


1 hour ago, syntactual said:

Yes, but Microsoft Outlook Express (usually just called 'Outlook' at the time) was released in 1997.

There's some conflation here that needs to be corrected for the sake of discussion: 

 

Outlook Express (Microsoft Internet Mail and News was the precursor) was included in Windows 98 through XP. Messages were stored in *.dbx files (earlier it was *.mbx). This version was really for POP and IMAP access.

 

Outlook was part of the MS Office Suite, which was a paid-for application. Originally released with Office 97, it was the client used in enterprise environments to access an on-prem MS Exchange server, though it could also be used for POP and IMAP. If email was being cached from MS Exchange, the file database holding emails was named with the OST extension. If POP or an offline archive, it was a PST file.


Seems like it was copy-pasted from previous legislation and regulations, probably themselves copy-pasted from even older regulation...

I guess it begs the question: who thought it would be a good idea to write specific software names in a law that is meant to outlast several generations of software and industry changes? Then again, one can understand why sometimes norms want to give explicit examples of instances they apply to. Still...

 

(worth noting: as an example of functionality, it's perfectly possible to use dead software, as long as it still helps to understand the behavior expected of the software subject to regulation; for example, the software that out-competed it.) 

 

7 hours ago, samcool55 said:

Also FP, whatever that means.

I would guess "Finger Prints".
