Archive for June, 2011

Fear sells – and governments are accomplished salesmen

June 28, 2011

One of the phrases I like to use in relation to security is ‘fear sells’. The more we are afraid, the more we will buy to protect ourselves. Some security vendors implement this theory as a serious strategy (most don’t). But all governments do. And what we are expected to buy from them is their authority over us.

Today, the four horsemen of the apocalypse (internet) are terrorists, pedophiles, drug & gun runners and money launderers. We have to be afraid of them so that we accept and do what we are told by governments. We have to do this so that governments can protect us from the four horsemen who will run off with our children and blow us up with dope bought with illegal money. Protect by Control is the modern slogan.

Now I’m not saying that we should not be wary. The internet is a dangerous place. But so is the M25.

Now consider this statement released by the Arizona Department of Safety:

The week of June 20, 2011, the Arizona Department of Public Safety became aware that their email system had been compromised by a known cyber terrorism group, known as LulzSec… The cyber terrorism group has posted the stolen information on their website.
DPS Victim of Cyber Attack

What is terrorism? My dictionary says simply: “the use of violence and intimidation in the pursuit of political aims.” There are lots of other definitions – but that word violence or the threat of violence is always there. Wikipedia has an interesting comment:

The concept of terrorism may itself be controversial as it is often used by state authorities (and individuals with access to state support) to delegitimize political or other opponents, and potentially legitimize the state’s own use of armed force against opponents (such use of force may itself be described as “terror” by opponents of the state).
Terrorism

So where do we place LulzSec (now gone, of course) and the Arizona DPS? Graham Cluley of Sophos, never a fan of LulzSec, is far more temperate and accurate. Although not talking specifically about LulzSec, he commented today, “While there’s obviously a vast contrast between DDoS attacks and the bad guys looking to steal sensitive information for financial gain, the biggest concern is the attitude towards these attacks, with hackers portraying that it’s all a bit of fun. Companies and computer users mustn’t sit back and laugh along, thinking that these attacks won’t affect them. Businesses need to be sure of the quality of their security systems and all of us who entrust our sensitive information to third parties should be aware that the problem could affect us too.”

He was talking about the renewed attacks against MasterCard (of which, more here). But my point is this: according to Graham, MasterCard was taken down by hacktivists, not terrorists. He’s not trying to terrorise us into accepting the need for greater internet control – he’s simply telling us how it is.

That’s what the members of LulzSec were: hacktivists. Sadly, in the long run, they do their own cause more harm than good. Because political machines like the Arizona DPS will play the fear card, turn them into terrorists and turn the people against them and their message. And sadly, most of us will believe the political machines; and we will accept more and more political control over both our physical and cyber lives in order to protect ourselves from these terrorists, pedophiles, drug and gun runners, and money launderers.

Sophos

Categories: All, General Rants, Politics

Microsoft sued again. And Apple. And Sony. And others…

June 28, 2011

I do like a guy who refuses to do things by half. Mediostream is suing Microsoft, Apple, Sony and others for misappropriation of trade secrets and more. It’s strong stuff:

To protect its valuable Windows monopoly against such potential competitive threats, and to extend its operating system monopoly into other software markets such as consumer electronics, Microsoft has engaged in a series of anti-competitive activities. Microsoft’s conduct includes agreements tying other Microsoft software products to Microsoft’s Windows operating… etcetera and etcetera and etcetera…

It’s fascinating reading! (Courtesy of Courthouse News Service)

But it’s also inspiring. Am I too late?

Design for ICL Quattro booklets

Way back in 1986 – before MS Office – and working as Townsend & Taphouse, we produced a booklet for ICL, and retained copyright. The design is almost exactly the one that Microsoft subsequently used for Office (you can see the story here: Sample Design Work – circa 1986). May I suggest that the entire Microsoft Empire was built on this design? Do I deserve a percentage (even a tiny one)?

Oh damn – they changed the rotation of the pieces! And the colour shades are a bit different. And MS Office didn’t have any writing on the pieces.

Ah well. I can always dream of what might have been…

Categories: All

Christopher Shales: Great reasons to join. No reasons not to

June 27, 2011

I’ve just read Christopher Shales’ memo entitled Great reasons to join. No reasons not to (courtesy of Guido). All the press coverage might make you think that it was the other way round: no reasons to join, great reasons not to. But it’s not. Shales clearly believed that the latter is merely the perception, and that the perception has to be changed. And that is what his memo is about.

If the Conservative party follows his advice, then I’m sure that they will increase membership. But I think he misses one fundamental point. He talks about people being either politics heavy or politics light, and the latter section is the difficult one. What he misses, however, is that the majority of people are neither wholly Labour, nor wholly Liberal, nor wholly Conservative whether they are politics heavy or light.

I voted Conservative at the last election because I was frightened by the Orwellian direction that Labour was taking our nation. The Conservatives promised to end this march into autocracy. So I voted for them. Not because I believe in everything Conservative, but because I believed them in this.

They lied. They didn’t repeal the ridiculous Digital Economy Act. It looks like ACTA will be nodded through. Surveillance has diminished not one jot. The police still maintain the largest DNA database in the world. And that’s just off the top of my head.

So who will I vote for next time? I don’t know yet. But how can I join a party with whom I have fundamental disagreement? And there’s no way I could join this Labour party despite the fact that I consider myself socialist (small ‘s’) at heart.

That’s why people don’t join political parties – it’s the perception of all or nothing. And no party in the country can match the political aspirations of the individual. They all betray us in the end.

Categories: All, Politics

Creeping Control…

June 24, 2011

This is a tale of three ISPs, two governments and one LEA: T-Mobile, Vodafone and Virgin Media; the UK and Australia; and SOCA.

A couple of days ago, T-Mobile (I was using a dongle attached to a netbook in a car park far from home) blocked my access to an article on James Firth’s blog. You can read my comments at the time here (T-Mobile blocks ‘Slightly Right of Centre’), and T-Mobile’s policy here (Content lock). I don’t think there is anything sinister in this. But I don’t think T-Mobile’s system is anywhere near as advanced as it claims. And I am offended by its behaviour, and will exercise my right to go elsewhere in future.

Two days ago the No DPI blog published an article describing the discovery that Vodafone is using a Blue Coat web filter. No DPI is a bit upset at this, and you can read the post here (Vodastalk; Vodafone and Bluecoat Stalking Subscribers). I asked Blue Coat’s Nigel Hawthorn, VP EMEA Marketing, to explain for me.

Nigel Hawthorn, VP EMEA Marketing, Blue Coat

“Around 2005, Vodafone was concerned that children might access inappropriate content on their mobile phones, and the blame for this access could fall on Vodafone,” he told me. “So, as a measure of corporate responsibility they felt that even though parents and guardians are responsible for children’s Internet access at home, a mobile phone operator bears some responsibility when minors are using mobile phones. Of course, from a public opinion point of view, they also didn’t want a ‘Johnny’s accessing Playboy in the playground and it’s all Vodafone’s fault’ in the press. So, they looked at various options and deployed the Blue Coat WebFilter in their network.” Blue Coat actually announced this back in 2006 (Blue Coat Provides Mobile Operators with Web Filtering, Anti-Virus, Web Acceleration and Services Platform), which is important. It demonstrates that there was no attempt to do anything secretively.

“Vodafone split users into two categories: ‘children’ and ‘adults’,” he continued. It blocks various adult categories from phones that are owned by children. But “the next step was that Vodafone decided to be even more careful and consider that any phone that is owned by someone who they are unsure is a child or adult is considered a child until the owner contacts Vodafone and confirms that they are an adult.” Which seems to be exactly the same policy as that used by T-Mobile.

I asked Nigel to take me through the technology. “What happens technically,” he explained, “is that Vodafone has ProxySG devices installed in its network running Blue Coat WebFilter. WebFilter is doing the same job as it does for large enterprises – it just categorises websites. The actual policy about what is blocked or allowed is set by Vodafone. I believe that more than 99% of web requests are categorised by the WebFilter systems installed in the Vodafone network. However, if a person surfs to a previously unknown site, the ProxySG asks the cloud-based WebPulse service to check out that site. WebPulse then surfs to that page on behalf of the user and performs its various functions to try to ascertain the content categories that are appropriate (a single page can be in up to four categories).”

I had only one further question: does Vodafone send Blue Coat any user-identifiable information? “No. All we ever see is the URL, and the IP address of the ProxySG server – nothing about the individual user; and nothing else.”

Once again, I can see nothing sinister about this. In fact, even less than in T-Mobile’s system, since in this case Vodafone is using an independent third party to categorise the web pages rather than imposing its own prejudices.

A week ago, Virgin Media broke the news that it had written to 1500 customers to tell them they were probably infected with the SpyEye trojan. This is an altogether different kettle of fish, since it identified the ‘infected’ users with the help of the Serious Organised Crime Agency (SOCA); and despite widespread praise for VM’s proactive attitude towards the security of its customers, I believe that this deserves closer examination. My understanding is that SOCA monitors known SpyEye control servers. IP addresses that connect to or are contacted by these servers are likely to be infected PCs. So it effectively gave those IP addresses to VM, who said yes, these 1500 are our customers and we’ll write to them.

But this leaves me with several questions. Why has this service been given to VM only? If it was offered to the other ISPs, why didn’t they take it? Why did VM go with a law enforcement agency rather than doing it themselves or employing a third-party security specialist (like Vodafone and Blue Coat)? For example, VM could have freely used the list of SpyEye servers maintained by SpyEye Tracker.
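The identification step described above (a monitoring point sees which addresses talk to known SpyEye control servers in either direction, and the ISP maps those addresses to accounts), as an added example that is not code from this post, SOCA, SpyEye Tracker or Virgin Media. Every address, log line, lease and account number is constructed, and the lease-table check is an assumption about how an ISP would have to do the mapping when customer addresses are dynamic.

```python
"""Match connection records against a list of known C2 servers, then map
the customer-side addresses to accounts. Constructed example, not the
post's or any named organisation's code."""
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address
import re

# Constructed stand-in for a SpyEye Tracker style C2 list (TEST-NET ranges).
KNOWN_C2 = {ip_address("198.51.100.9"), ip_address("198.51.100.77")}

# Constructed flow records as a monitor at the C2 side might log them.
FLOW_LOG = """\
2011-06-20T10:15:03Z proto=tcp src=203.0.113.17 dst=198.51.100.9 dport=443
2011-06-20T10:15:04Z proto=tcp src=203.0.113.17 dst=192.0.2.50 dport=80
2011-06-20T10:16:11Z proto=tcp src=198.51.100.77 dst=203.0.113.42 dport=8080
2011-06-20T11:02:40Z proto=tcp src=203.0.113.99 dst=198.51.100.9 dport=443
malformed line that the parser must skip
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) proto=\S+ src=(?P<src>\S+) dst=(?P<dst>\S+) dport=\d+$")


def _ts(text):
    """Parse the UTC timestamp format used in the constructed records."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


@dataclass(frozen=True)
class Sighting:
    when: datetime
    subscriber_ip: object   # ipaddress address object on the customer side
    c2: object              # the control server it talked to
    direction: str          # "outbound" (to C2) or "inbound" (from C2)


def find_sightings(log, c2_set):
    """Return every record where one endpoint is a known C2 server."""
    found = []
    for line in log.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue  # unreadable record: skip it rather than abort the run
        src, dst = ip_address(m["src"]), ip_address(m["dst"])
        if dst in c2_set:
            found.append(Sighting(_ts(m["ts"]), src, dst, "outbound"))
        elif src in c2_set:
            found.append(Sighting(_ts(m["ts"]), dst, src, "inbound"))
    return found


# Constructed ISP lease table: (address, lease start, lease end, account).
# With dynamic addresses the sighting time must fall inside the lease; an
# address match alone would notify whoever holds that address today.
LEASES = [
    (ip_address("203.0.113.17"), _ts("2011-06-20T00:00:00Z"), _ts("2011-06-21T00:00:00Z"), "ACCT-1001"),
    (ip_address("203.0.113.42"), _ts("2011-06-20T08:00:00Z"), _ts("2011-06-20T20:00:00Z"), "ACCT-2002"),
    (ip_address("203.0.113.99"), _ts("2011-06-19T00:00:00Z"), _ts("2011-06-20T09:00:00Z"), "ACCT-3003"),
    (ip_address("203.0.113.99"), _ts("2011-06-20T12:00:00Z"), _ts("2011-06-21T00:00:00Z"), "ACCT-4004"),
]


def attribute(found, leases):
    """Map each sighting to the account holding the address at that moment.

    Returns (account -> list of sightings, sightings with no valid lease)."""
    by_account, unattributed = {}, []
    for s in found:
        holder = next((acct for ip, start, end, acct in leases
                       if ip == s.subscriber_ip and start <= s.when < end), None)
        if holder is None:
            unattributed.append(s)
        else:
            by_account.setdefault(holder, []).append(s)
    return by_account, unattributed


def notify_list(log=FLOW_LOG, c2_set=KNOWN_C2, leases=LEASES):
    """Accounts to contact, plus how many sightings could not be attributed."""
    by_account, unattributed = attribute(find_sightings(log, c2_set), leases)
    return sorted(by_account), len(unattributed)
```

The unattributed count is where an address-only scheme runs out of evidence; notifying whichever account happens to hold the address now would be the wrong answer.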

SpyEye Tracker: monitors known SpyEye control servers

Other questions are: why write to the customers rather than emailing or telephoning them? Given the nature of SpyEye, that minimum 24-hour delay could be catastrophic for the infected users. And what if the user was a tenant in a building with an absentee landlord? The registered user might be in a different country to the actual user, and again the delay in getting the message could be catastrophic. All in all, it doesn’t quite seem to add up.

And that brings us specifically to SOCA. SOCA is the law enforcement agency that lobbied Nominet to agree to take down UK websites that SOCA declared to be illegal, without the need for judicial oversight. And now take a step further back to the UK Home Office, the Ministry in charge of the UK law enforcement agencies. This month the Home Office published its ‘Prevent Strategy’ (my comments: So you thought this Coalition was less draconian than New Labour? Think again). It includes:

We want to explore the potential for violent and unlawful URL lists to be voluntarily incorporated into independent national blocking lists…

Note that word ‘voluntarily’. In politic-speak, that means ‘without our need to get a court order’. So, put bluntly, the Home Office and SOCA are set on a course of obtaining extra-judicial control of the internet without the need for either parliamentary debate or a court order. By partnering with one of the UK’s major ISPs, that idea of SOCA and ISPs working together for the good of the people is almost subliminally injected into our subconscious. But the truth of the matter is that it is more like a form of creeping control.

Now let’s look at the final part of our story: Australia. Australia has succeeded in implementing the Home Office plan.

Starting next month, the vast majority of Australia’s Internet users will find their access censored, following a decision by the country’s two largest providers–Telstra and Optus–as well as two smaller ISPs (itExtreme and Webshield), to voluntarily block more than 500 websites from view.
EFF: Australia Heads Down the Slippery Slope, Authorizes ISPs to Filter

EFF then enumerates four reasons we should worry about this:

  • there is no transparency in the selection of URLs to be blacklisted, and no accountability from the regulatory bodies creating the blacklists
  • filtering does little to curb the trade of child pornography, much of which is traded across peer-to-peer networks and VPNs. Filtering it from the world wide web may simply push it further underground
  • there appears to be no appeals process in the Australian ISPs’ scheme, thereby making it difficult for sites erroneously caught up in the filter to challenge the block
  • the introduction of a filter sets precedent for the ISPs to filter more sites in the future at the behest of the Australian Communications and Media Authority. If the ACMA were to make the decision that sites deemed “indecent” or politically controversial–for example–should be off-limits, would the ISPs comply?

This is where we are heading in the UK, and that’s why we should worry about this relationship between SOCA and Virgin Media. I cannot prove an ‘evil partnership’ between the two; but in the EFF’s words, ‘it sets precedent’ for ISPs to get more and more involved in ‘voluntary’ blocking. What I do know is that SOCA and the Home Office would like control of the internet without judicial oversight; and that this relationship between SOCA and Virgin Media will make that all the more likely. I would be much happier if the ISPs do their filtering individually and without law enforcement or government input: T-Mobile’s Content Lock and Vodafone’s Blue Coat are infinitely better than Virgin Media’s SOCA.

Is it safe to carry on using Dropbox? Yes and No

June 23, 2011

Dropbox is a great little company. I use Dropbox. It allows you to store your files in the cloud for free. I use it to move work files between my various platforms, mainly Windows and Mac, in various locations.

Recently, however, it has had some bad press. Firstly, it suddenly and apparently arbitrarily changed its T&Cs. The privacy policy includes:

Compliance with Laws and Law Enforcement Requests; Protection of Dropbox’s Rights. We may disclose to parties outside Dropbox files stored in your Dropbox and information about you that we collect when we have a good faith belief that disclosure is reasonably necessary to (a) comply with a law, regulation or compulsory legal request; (b) protect the safety of any person from death or serious bodily injury; (c) prevent fraud or abuse of Dropbox or its users; or (d) to protect Dropbox’s property rights. If we provide your Dropbox files to a law enforcement agency as set forth above, we will remove Dropbox’s encryption from the files before providing them to law enforcement. However, Dropbox will not be able to decrypt any files that you encrypted prior to storing them on Dropbox.

This has upset a lot of people. However, it seems to me that the company is simply complying with the law; it has no choice.

The second concern is with the more recent announcement of a freely available Dropbox Reader. This ‘product’ can apparently read anybody’s Dropbox files without needing a password to access the account. It is not produced by Dropbox. It was developed by Cyber Marshal. “Dropbox Reader is a suite of command-line tools for parsing configuration and cache files associated with the Dropbox cloud storage software. These tools can run on Windows, Macintosh, and Linux systems,” says the Cyber Marshal website.

More sinister to my mind, however, is the statement on the About page:

Lifted from Cyber Marshal’s About page

So I asked Dropbox to comment on Dropbox Reader. Would it do anything to counteract it? I haven’t had a reply. That’s a shame.

But there is really only one takeaway from this. You don’t need to stop using Dropbox, or any of its competitors, or Google Docs – just never, ever put anything confidential or legally dubious anywhere in the cloud. Just don’t.

[See also: Is it safe to carry on using Dropbox? Yes and No: Part II - 5 August 2012]

Dropbox
Cyber Marshal

Categories: All, Security Issues

Viviane Reding’s future Data Protection Law includes ‘serious’ breach notification

June 23, 2011

Viviane Reding, Vice-President of the European Commission, EU Justice Commissioner, gave a very important speech at the BBA (British Bankers’ Association) Data Protection and Privacy Conference in London on 20 June 2011: Assuring data protection in the age of the internet. Interest has focused on her statement:

I intend to introduce a mandatory requirement to notify data security breaches – the same as I did for telecoms and internet access when I was Telecoms Commissioner, but this time for all sectors, including banking and financial services.

This is something Europeans have been calling for (for example, see The Institute of Directors – talking net neutrality, compliance and breach notification with Richard Swann on this blog).

The thrust of the speech was that she would create a level playing field across Europe, so that precisely the same data protection rules would apply in every EU country.

This is what I will do for businesses.

But in return,

People must know how their data is being used. Service providers have to increase transparency on how a service operates, what data is collected and further processed, for what purposes, and where and how it is stored. In light of recent data theft scandals, let me add that I expect companies to do more to keep their customers’ personal data secure.

Mandatory breach notification is seen as a key motivation for ensuring that increased security. But there are further hints for the future, including:

Take the cloud, the story goes that the data in cross-border and cross-continent flows is impossible to regulate. This is not my vision of the future… I am considering the inclusion of the “accountability principle” in my reform so that data of citizens exported to third countries is always exported with their rights attached.

and

Garry Sidaway, Director of Security Strategy at Integralis

Or take the “right to be forgotten”. “Impossible” some say, “get over it”. Well, I don’t agree… I cannot accept that individuals have no say over their data once it has been launched into cyberspace.

All of this is fine and noble – but we should remember that at the moment it is just an aspiration. The devil will be in the detail; and we can already see how this will work. The phrase ‘serious breach’ already occurs:

I do believe that an obligation to notify incidents of serious data security breach is entirely proportionate and would enhance consumers’ confidence in data security and oversight mechanisms.

‘Serious’ is underlined – not by me, but by Ms Reding. So who defines ‘serious’? Well, it can’t be the EC, because if there is no notification, they have nothing to judge. So this is in effect a pretty meaningless statement; if it is not serious, does it not have to be disclosed?

Garry Sidaway, Director of Security Strategy at Integralis believes that industry will feel compelled to comply. “Legislation and audit pressures are huge on businesses at the moment due to the global crisis,” he told me. “The auditors do not want to be caught out again and are driving and enforcing compliance and demonstration to policy – businesses who ignore the pending disclosure law will face increased audit pressures and they can’t afford to ignore that.”

Matt Peachey, VP EMEA at Veracode

Matt Peachey, VP EMEA at Veracode, however, sees potential problems. “The challenge for both governments and businesses will be in implementation. As we’ve seen recently with EU regulation around cookies, each member state looks at these areas differently. Although some EU member states, notably Germany, already have data breach notification laws in place, we are likely to see something similar to the US State-driven model, where we have multiple standards in place for enforcement, regulation and financial penalties.” And he foresees additional problems. “These can prove unduly arduous on small businesses, but could also potentially result in the consumer ignoring notifications, as they become immune to the constant noise.”

And I’d like to throw a further thought into the mix. In the UK, the Data Protection Act is enforced (officially, if not practically) by the ICO. I have extreme doubts over whether it has either the balls or the teeth to take on, for example, a major bank in serious undisclosed breach. Time will tell. I hope I’m wrong – but my fear is that this will be just more PR legislation riddled with get-outs for all the companies that can afford them.

Integralis
Veracode

Categories: All, Politics, Security Issues

Lulz + Anonymous = AntiSec. But is it modern society that is really to blame?

June 22, 2011

This is an exhortation: think beneath the surface of what you are told. The subject is Lulz Security and the Anonymous group. They have aligned themselves in the AntiSec operation against the Establishment; but before simply condemning them I would like us all to consider the issues.

Let’s look at some of the few facts we know. Firstly, there is no evidence of what most people consider to be criminal behaviour: theft for personal gain or simple wanton destruction (it is criminal behaviour simply because what they do is against the law). Rather, they consider themselves engaged in political activism on the internet, although Lulz also claims that it is just plain ‘fun’.

AntiSec is aimed at both the government establishment and what Lulz calls the whitehat security industry:

Operation Anti-Security is in effect. Join the fleet and tear the government and whitehat peons limb from limb – #antisec winds are strong.

Government I understand. But why wage war against the security industry? Lulz offers this:

Your tax money is being used to pay for things to not be secured so that people like us can take what you expect to be kept inaccessible.

Is that a pop against the billions of tax dollars and pounds used by government to store our personal details online? Or is it a pop against the security industry that uses additional tax money to maintain, but fails to maintain, the security of that data online? Consider the following from a press release put out by Idappcom (a whitehat security company):

Yesterday, the Serious Organised Crime Agency (Soca) was subject to a distributed denial of service (DDoS) attack designed to bring down its website. Today LulzSec say they have ‘blissfully obtained records of every single citizen who gave their records to the security-illiterate UK government for the 2011 census’.

But Lulz says:

Just saw the pastebin of the UK census hack. That wasn’t us – don’t believe fake LulzSec releases unless we put out a tweet first.

Idappcom added:

The attacks of yesterday were not damaging but a Twitter post today has threatened that future attacks will be.

I’ve looked. Believe me I have looked. But I cannot find a Lulz tweet that says anything like this. The nearest I can find is this:

DDoS is of course our least powerful and most abundant ammunition. Government hacking is taking place right now behind the scenes. #AntiSec

But that’s not a threat of damage, it’s a claim that they are breaking into sites and not just taking them down.

So some aspects of government and industry (and I have to add, media) are playing up the threat from Lulz. Why? Well, fear sells. If we are afraid of all hacking activity we will more likely accept the loss of personal liberty that governments demand in the name of security for purposes of control. And if we are afraid of hackers we will more likely buy security products from the whitehat industry. And the more afraid we are, the more we will buy from both government and industry.

So, sadly, I would suggest that the methods chosen for AntiSec will be counterproductive to the ends: it plays into the hands of the establishment they attack. But this is what I want you to ask yourselves: what else can the politically conscientious youth of today do? It’s not like my day back in the ’60s and ’70s. We’re not allowed to protest peacefully today: we get illegally corralled, beaten, filmed, and stored. So what I want you to ask yourselves is this: is AntiSec today’s version of taking to the streets in the way that my generation did all those years ago? And do they not have a point? Consider the illegal wars that our governments engage in. Think of the lies they tell us. Think of the way the banks control us through control of the (and usually our) money. Think of the way in which dissent is quashed. Think of Dr David Kelly. Think of the war against terror that fills the coffers of our munitions industries but has made the world less safe for everyone. I’d like to suggest this: in a few years’ time, AntiSec will be part of our university sociology and psychology courses. Is AntiSec the inevitable result of a government divorced from its people: discuss.

Categories: All, Politics, Security Issues