Let's take a look at details of the vulnerability:

An unauthenticated attacker who knows the target device's serial number, can generate the default administrator password for the device.

Recently, the UK brought in some laws aimed at strengthening consumer protection - the Product Security and Telecommunications Infrastructure act (PSTI). There's a readable summary on the National Cyber Security Centre's website.

There are three interesting points to note in that blog post. The first is about passwords:

The law means manufacturers must ensure that all their smart devices meet basic cyber security requirements. Specifically:

1. The manufacturer must not supply devices that use default passwords, which can be easily discovered online, and shared.

Secondly, is a question of jurisdiction:

Most smart devices are manufactured outside the UK, but the PSTI act also applies to all organisations importing or retailing products for the UK market. Failure to comply with the act is a criminal offence

Thirdly, what is actually covered:

The law applies to any ‘consumer smart device’ that connects either to the internet, or to a home network (for example by wifi).

Is a WiFi enabled printer a "consumer smart device"? One of the things that techies find confusing is that the law is not code. It usually doesn't enumerate a definitive list of what is and what isn't in scope. It gives a general outline and then allows case-law to develop. This means laws don't need to be updated when someone invents, say, an Internet connected tinfoil dispenser.

Let's move beyond the consumer-friendly summary and go to the actual law. The Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023

2. Passwords must be—

   a. unique per product; or

   b. defined by the user of the product.

3. Passwords which are unique per product must not be—

   a. based on incremental counters;

   b. based on or derived from publicly available information;

   c. based on or derived from unique product identifiers, such as serial numbers, unless this is done using an encryption method, or keyed hashing algorithm, that is accepted as part of good industry practice;

   d. otherwise guessable in a manner unacceptable as part of good industry practice.

How does this apply to the printers? Rapid7, who discovered the vulnerability, have this to say about how it works:

[The vulnerability] allows an attacker to leak a serial number via the target's HTTP, HTTPS, and IPP services. However, should an attacker not be able to leverage [the vulnerability], a remote unauthenticated attacker can still discover a target device's serial number via either a PJL or SNMP query

So, yes. The default password is unique but it can be automatically derived from the serial number. That serial number is available to anyone with a network connection to the printer.

But, do printers fall under the scope of this act?

The Product Security and Telecommunications Infrastructure Act 2022 says:

4 Relevant connectable products

1. In this Part “relevant connectable product” means a product that meets conditions A and B.

2. Condition A is that the product is—

   A. an internet-connectable product, or

   B. a network-connectable product.

3. Condition B is that the product is not an excepted product (see section 6).

It goes on to define what Internet-connectable means, along with some other clarifying details. But is there a get-out clause here? Are printers an "excepted product"?

In this Part “excepted product” means a product of a description specified in regulations made by the Secretary of State.

OK, let's look at the regulations. I've expanded out the relevant bit:

Schedule 3 Excepted connectable products

5. Computers

   1. Products are excepted under this paragraph if they are computers which are—

      a. desktop computers;

      b. laptop computers;

      c. tablet computers which do not have the capability to connect to cellular networks.

Nope! The Brother printers don't appear to be exempt¹. What's the maximum penalty Brother could be subject to?

The greater of £10 million or 4% of worldwide revenue.

Ouch!

Of course, much like GDPR fines, these are headline grabbing numbers. The prosaic reality is that the enforcement policy is much more likely to suggest remedial steps. Only the most flagrant transgressors are likely to be punished harshly².

So, to recap. The law says an Internet-connected device (including printers) must have a password which is not "based on or derived from publicly available information". As I understand it, having a serial-number based password is OK as long as you don't publicise the serial number. I expect that if it were printed on a sticker that would be fine. But because the serial can be discovered remotely, it fails at this point.

In Brother's (slight) defence, unless the user has specifically connected the printer to the Internet this is only a local vulnerability. Someone on the same network would be able to monkey around with the printer but, similarly, they could plug in a USB cable for some illicit printing or break it with a hammer. Any damage is confined to the LAN.

Should users change default passwords? Yes. But manufacturers have a legal duty to ensure that people who don't are still protected.

The UK is currently prosecuting two men accused of a crime. Part of the prosecution's evidence is a video⁰. In showing it to the jury, the prosecution have said:

the two minute and 41 second-long video is "extremely dark" but the "unmistakeable" noise of a chainsaw can be heard followed by the sound of a tree falling.

Police experts have "enhanced" the video as much as possible but it has "not been interfered with", Mr Wright tells the jury.

BBC News

I think most reasonable people would agree that creating an AI "Deep Fake" by inserting the faces of the pair into the video, would be unacceptable.

What about boosting the brightness on the video? That seems pretty unobjectionable to me and, I suspect, most neutral parties.

Suppose the prosecutors used AI to enhance the image? Perhaps adding a background which wasn't there up maybe upscaling the video resolution and introducing elements which didn't exist before? I think that's a step too far. Algorithmic enhancement strays into manipulation territory.

But what if the police ran a face detection algorithm on the video and only boosted the visibility of those parts, rather than the rest of the video? Now I think we're haggling over price.

The photographer Paul Clarke has a wonderful blog post about enhancing photographs of MPs - take a look at those photos. Are they enhanced or manipulated? Do you feel differently if it is a photo of an MP from "your" side?

But just brightening and colour correcting is fine, right?

This is a well-known problem in legal circles¹. Boosting the colouring of a photo may make an injury seem more severe. Zooming or cropping an image may make someone seem closer to the action than they were.

The Crown Prosecution Service has this to say about video² evidence:

In terms of proving the authenticity of the video recording, the Prosecution must be able to show that the video film produced in evidence is the original video recording or an authentic copy of the original and show that it has not been tampered with.

CPS Legal Guidance - Exhibits

I suppose it's pretty easy to show that the produced evidence can be derived by taking the original and twisting the brightness and contrast knobs. I also guess that the defence could bring in an image manipulation specialist to show that the enhanced version introduces unacceptable changes.

Although that brings with it some problems about whether an expert in manipulation can say they're an expert about the contents of the media. (No, basically.)

I'll leave you with these words from a House of Lords report in 1998:

The existence of a technology that can be used to modify images in this way need in itself be of no great concern; even the widespread availability of the technology at low cost might not cause concern.

But an apparent lack of understanding of the implications of both these facts should cause concern and warrants further study. The public and all those in the legal profession should be made more aware of the technology, what it can do, and what its limitations are.

It was suggested that criminal convictions that were dependent on evidence captured by digital cameras could be at risk if defence lawyers began to realise how vulnerable such images are to manipulation.

Select Committee on Science and Technology Fifth Report

The trial continues.

Update!

The BBC reports:

The initial video was totally dark, with just the sound of wind and a chainsaw leading up to a giant crash.

A second version has now been shown to the jury, which has been enhanced by a Northumbria Police digital media examiner.

The contrast has been changed, a white border has been put around it and the image has been made brighter.

Here's a clip of the enhanced version:

If you were presented evidence of a completely dark video, how could you be sure that subsequent "brighter" version was derived from the original?

But if you read closely, you'll see there are a few instances where an errant question-mark pops up:

From context, it is pretty clear the word should be "flour" but is rendered as "?our" - why is that?

The original PDF judgement can be downloaded from the official Tribunals website (an ancient service which is long overdue for an update).

If you search the PDF the word "flour" and select it, notice what happens:

Looking at the metadata of the PDF, it appears the file was created with Office 365 which has "helpfully" used a typographic ligature - "fl".

Ligatures are handy for displaying characters in a pleasing manner - but they can really confuse some software.

One way to deal with this is to use a process called "Unicode Normalisation". It is rather dull and technical, but there are plenty of libraries which will split these characters.

Here's how it works for the "fi" ligature:

There are a few issues here.

Firstly, Office 365 should not be using Unicode ligatures. The text should have the letters "f" and "l" but it is the font which should display as a ligature.

Secondly, Bailii's processing of the PDF should either cope with normalisation or it should throw loud and explicit warnings when it runs into something it doesn't understand.

Thirdly, as well as Bailii and the Tribunal Service, the PDF is also available at the more modern Case Law service from The National Archive. Their HTML and PDF documents also have the ligatures, but have subtly different layouts because they have been re-rendered with LibreOffice 7.2.

I've reported the issue to Bailii via their contact form. I've also raised a bug with The National Archive.

And now I'm off to enjoy some tasty potato-based snacks which have been assessed at the correct level of tax!

It starts off reasonably enough by describing the evolution of our legal system:

1. Law 1.0 says "Thou shalt not kill".
2. Law 2.0 says "Thou shalt not pollute. But, rather than specific legislation, we'll spin up a body to do the tedious work of enacting our policy".
3. Law 3.0 says "Thou shalt not drive over the speed limit. And we'll fit all cars with a chip that prevents them doing so".

I think that's fair enough assessment. Is "Law 3.0" a good thing or a bad thing? Perhaps we can have a discussion about the limits of technology and political philosophy? No, we just get this "argument":

The tyrannical implications of such a mode of governance are so obvious that it really ought to go without saying.

Ummm.... no? Perhaps we could discuss these supposed tyrannical implications?

The author is terrified that the Government is going to stop him running his dishwasher. You see, the Energy Bill says that technical experts can send a signal to smart appliances asking them to reduce their electricity use at certain times.

That's it. That's the horror he is railing against.

Pollution a bit high? Send a signal to ask your freezer to reduce its cooling temperature. Electricity prices going to spike in an hour? Tell people's cars to start charging now, but to throttle back later. That sort of thing. You know, save you a bit of money, reduce pollution, stabilise the energy supply. Terrifying...

Now, there might be a dystopian use of this. Perhaps the state could command all TVs to turn off when the opposition's political adverts are on. Perhaps they could turn off the car chargers of known protestors - thus preventing them from attending a demonstration. Maybe they'd turn off everyone's freezers in order to boost Tesco's profits?

This leads to some interesting questions. What sort of safeguards should we have? What level of control do people want? Who chooses the experts? Who secures the system? What similar problems have happened before? What are the positive ways this could be used?

But, nope, the post doesn't discuss that. It just continually reiterates a pathological fear of "technical experts" telling people how to behave. He wraps it up in a vague coat of morality - saying that we should be allowed to choose to break laws and face the consequences.

But, what are we actually talking about here?

A Thought Experiment

Let's say a power station fails unexpectedly in the middle of winter. There are several options available to us.

1. Wait until Parliament can reconvene to debate and pass a law which limits people to x kWh of electricity per day with a maximum of y kW at any moment.
2. Let people suffer rolling blackouts / brownouts as the energy supply struggles to keep up with demand.
3. Have a team of technical experts send signals to people's washing machines asking them to only switch on when there's surplus power.

Quite obviously (1) is impractical. The lack of speed and expertise is one of the (many) reasons Law 1.0 doesn't work in large complex systems which require a swift reaction.

And (2) is the sort of self-sufficient Libertarian nonsense which imagines a hellscape for everyone except themselves. Great! You can choose not to follow the law and let everyone else suffer the consequences.

And (3) is... boringly pragmatic. I guess with the slight risk that it might be abused to... what? Deny people their constitutional right to run a high power vacuum cleaner whenever they want?

Morality

The article makes this moral argument:

The speed limit does not compel us: we can choose to abide by it, or not. And this, most crucially of all, means that we have moral agency. We can choose to do right or wrong.

[...]

in its way, [Law 3.0] is the worst affront to the dignity of man out of them all, because it destroys the very conditions of moral agency. I reiterate: if one does not have the freedom to choose, because one is compelled to act morally, then one’s moral conduct is not really moral at all.

I don't really get that. We ban guns so that people can't choose to wave them about recklessly - because impinging on your freedom is better than clearing up corpses.

Rather more prosaically, we ban the sale of inefficient domestic appliances. Yes, the experts are being mean by forcing you not to make a moral decision about whether to waste electricity. Boo-fucking-hoo.

But, if this moral agency is so important, why isn't it available to "the experts"? Why shouldn't they be allowed to choose to take a bribe from a washing line manufacturer to switch off the nation's tumble-dryers? They can suffer the consequences of being caught, tried, and punished.

Law 1.0 - which the author is so fond of - would do that.

Or, we could use Law 3.0 to implement a technical measure which says such a signal can never be sent unless 4 our of 5 experts agree to it.

Civic Hygiene

A decade ago, I wrote up my thoughts on Civic Hygiene.

Civic hygiene isn't about saying we distrust our current government - it's about not trusting the next government.

I still stand by that. We should make it hard or impossible for a corrupt entity to abuse the power it is entrusted with. But that doesn't mean giving them no power.

In a democratic society we accept that we sometimes have to do things aren't in our direct personal interests in order to keep society functioning. Sometimes we can choose whether or not to obey (e.g. by breaking the speed limit) other times the state restricts us (by banning the sale of poisons).

If we don't make the transition to smarter and more responsive energy consumption, then we risk grid stability, more pollution, and higher energy costs. That damages all of us.

We should embrace new ways of organising ourselves. And we should embrace technological limitations which protect the majority. And those limitations must be safeguarded.

I don't know whether this law is well written, or whether there are adequate safeguards, or whether abusers of its powers can be punished. But I do know that this moral pontificating doesn't even begin to address the practical issues.

How will law, regulation and ethics govern a future of fast-changing technologies?

Focuses on the practical difficulties of applying law, policy and ethical structures to emergent technologies both now and in the future. Covers crucial current issues such as big data ethics, ubiquitous surveillance and the Internet of Things, and disruptive technologies such as autonomous vehicles, DIY genetics and robot agents. Asks where law might go next and how to regulate new-phase technology such as artificial intelligence, 'smart homes' and automated emotion recognition. Uses examples from popular culture such as books, films, TV and Instagram - including Black Mirror, Disney princesses, Star Wars, Doctor Who and Rick and Morty - to bring hypothetical examples to life. Bringing together cutting-edge authors from academia, legal practice and the technology industry, this book explores and leverages the power of human imagination in understanding, critiquing and improving the legal responses to technological change.

This is a brilliant introduction to the way new technology will craft the need for new laws, and how new laws alter the way we craft new technology. It's a mish-mash of law, tech, and pop-culture - as per the Gikii way.

It starts with a barnstorming explanation of how GDPR relates to Disney® Princesses! It sounds daft, but it is an excellent way to discuss how a right to privacy can be beneficial - and the risks associated with automated data processing ("Mirror, mirror on the wall... What is your lawful basis for the processing of personal data in this manner?")

There's an fascinating section on how so-called smart contracts could be used to write a person's Last Will and Testament. Can automated decisions - and possibly AI - be used to represent a human after they die? If so, what are the legal and societal ramifications of that?

The essay on port mortem privacy was particularly thought provoking and troubling in equal measure.

Some of the essays are only tangentially related to geeky concepts. Including one weird essay where Boba Fett discussed how to use software vulnerabilities to catch Hans Solo!

A few of the essays were a little to lawyer-y for me. I had to skip over large chunks about sub-clauses of GDPR and old court cases. But that's the deal with any compilation - not everything will be to your taste, but there is something for everyone.

It's a great read for anyone interested in the intersection of new-tech and modern laws.

If you've ever moved house, you'll know how annoying it is to receive mail for the previous occupants. When those letters have a big red BAILIFFS ARE COMING warning on them - it is especially distressing.

The relevant section of the law is:

A person commits an offence if, intending to act to a person’s detriment and without reasonable excuse, he opens a postal packet which he knows or reasonably suspects has been incorrectly delivered to him.

Postal Services Act 2000 - Offences in relation to Postal Services - 84 (3)

You've just received a credit card through the post for the last tenant.

If you open it intending to steal money - that would be an offence.

If you open it because you're nosey - that is not a reasonable excuse.

If you open it so that you can call the company and let them know that their customer has moved - that would not be to someone's detriment, and would be a reasonable excuse.

That's what I do - several years after moving in and we're still getting post for the previous lot! A quick phone call is enough to stop most offenders. Occasionally a financial firm will be a bit sniffy about me not being able to confirm the recipient's account details - but most are happy to be informed.

It would be sensible to securely dispose of any mail afterwards - or mark it "return to sender - not at this address". But, yes, you can open misaddressed mail if you want to let the sender know their mistake.

I am not a lawyer - this is not legal advice!

They're currently soliciting for comments on the question:

The system of laws and law-making in the UK is complex, but is that inevitable given the highly developed and interconnected society which laws regulate? Should you need to be a lawyer to understand and use an Act?

You can leave your comment on their forum - here's what I submitted.

Albert Einstein said:

[T]he supreme goal of all theory is to make the irreducible basic elements as simple and as few as possible without having to surrender the adequate representation of a single datum of experience.

Or, as it is more commonly paraphrased "make things as simple as possible - but no simpler."

The law applies to every person - we should not have to become experts in how to be governed.

Let's take, for example, the Sale of Goods Act (1979). It is one of the most important pieces of consumer legislation yet is almost completely unintelligible to the lay reader. The state has published hundreds of different pamphlets, guides, posters, books, and websites trying to explain it. Not to mention all the work independent consumer organisations have done in trying to make the legislation legible.

I present a random extract from the act. Before trying to understand it, I'd appreciate it if you were to try to read it aloud on a single breath of air.

Where there is a contract for the sale of specific goods or where goods are subsequently appropriated to the contract, the seller may, by the terms of the contract or appropriation, reserve the right of disposal of the goods until certain conditions are fulfilled; and in such a case, notwithstanding the delivery of the goods to the buyer, or to a carrier or other bailee or custodier for the purpose of transmission to the buyer, the property in the goods does not pass to the buyer until the conditions imposed by the seller are fulfilled.

I've read this several times, and I think it means that "If you buy something, it doesn't become your property until you've fulfilled all the parts of the seller's contract. If you don't meet those conditions, the seller doesn't have to give you the goods." Am I close?

The law doesn't need to be in iambic pentameter - but it does need to be readable and understandable to those to whom it is targeted.

This may mean, in future, that an Act isn't written in paragraphs but drawn out as a flow chart or as UML diagram.

Ambiguity only enriches lawyers. Any adult with a GCSE in English should be able to parse a law and understand its impact. To often legal disputes seem to arise not from a willing breach of the law - but by misunderstandings.

I work on user-interfaces for software. If a user doesn't understand that how she has to fill in a form - I have failed. I would suggest that any law which requires a professional to assist with its understanding has also failed.

My suggestion is that all proposed bills undergo a period of UAT (User Acceptance Testing). This UAT would ask members of the public to try and interpret what a law does - and whether it meets those goals.

This can be done online - for example a quiz showing a paragraph of a bill, and then a multiple choice question to see if it has been understood.

Jack of Kent today pointed out the recent judgement on Operation Weeting - which is looking into the alleged illegal interception of voicemail messages.

The full text of the judgement is fairly simple to understand - although one curious part caught my eye.

Systems used to transmit voicemail messages

8. The provisions of sections 1 and 2 RIPA are intended to apply to a number of different technologies. In this appeal we are concerned only with voicemail messages left for an identifiable recipient on the voicemail facility of his or her private mobile telephone which is operated by a cellular network service provider and is part of a public telecommunication system to which the phone is connected.

9. For present purposes, it is convenient to adopt the description of such a system provided by the Crown and with which the appellants have not taken issue.

(1) The mobile handset operates as a radio transmitter/receiver.

...

(7) The relevant interception conduct ("hacking") involves remotely accessing the voicemail box by dialling, from another telephone, the telephone number relating to it and bypassing any security feature, so as to be able to listen to the content of the message, without the knowledge or consent of the subscriber, at a time when the recorded message is stored there, not yet having been deleted.

(8) It may be the case that the message either has or has not previously been heard in whole or in part by the subscriber. This will not be known by the hacker when the hack takes place and is outside his control.

(9) The hacker therefore achieves access to the message by "impersonating" the intended recipient. If the message is inaccessible to the intended recipient, it cannot be hacked. Whether before or after it has been listened to by the intended recipient, it will only be capable of being intercepted if it is stored in the system in a manner which means that the intended recipient has access to it.

I am loath to give ammunition to those who stand accused, but (8) appears to be factually incorrect to me

Here's a recording of me accessing my own voicemail:

"You have a new message and four saved messages."

Every voicemail system I've ever used will tell me if a message has previously been listened to or is brand new. Unlike with email, I'm not aware of any voicemail system in the UK which allows you to mark an old message as new. It is possible to save messages so they don't get deleted - but that's about it.

If a "hacker" were to access someone else's voicemail box - they wouldn't know if a message had been heard and then deleted, obviously, but they would instantly know which messages had been heard and which had not yet been heard.

Or have I fundamentally misunderstood something?