The truth often gets distorted by the hidden agendas of society’s three primary security reporting mediums: the government, the mainstream media, and the industry itself.
Government DNA is ‘control’. It controls via restrictive legislation. It warns of the coming cyber apocalypse to justify both its control, and its agencies’ budgets. It recognises four apocalyptic horsemen that will spell the end of civilization as we know it: terrorists, paedophiles, drug dealers and money launderers – and it continually stresses the threat they pose. The greater the perceived public threat, the easier it is to justify and pass restrictive controlling legislation, for the good of the people who have nothing to fear if they do nothing wrong.
The mainstream media is dying in its print form and struggling online. It desperately needs to sell more copies and attract more visitors. To do this it needs to stay on track with the government (in order to have access to ministers and the latest news) and to be sensational. The truth is often a casualty caught between these two pressures.
The security industry is generally the best of the bunch; but with some serious problems. All too often it generates reports and studies that confirm government’s latest prejudices (governments are invariably the single biggest market for their products), and heightens the threat to better sell its products.
This blog is different. It is independent of all external pressures. It receives no funding from any source and is in thrall to no-one. Independent blogs, in whatever subject, may well be our best long-term hope for unbiased opinion.
This blog attempts to present news and information from an independent and unashamedly cynical viewpoint. The hope is that readers will be encouraged to look beyond official reasoning and, let’s face it, official propaganda. It tries to do so in an entertaining fashion.
It is my hope that readers will vote for their favourite blog – because blogs are the future of independent opinion. If you have a few minutes, please do so here: http://www.ashimmy.com/2014/01/2014-social-security-blogger-award-voting-is-now-open.html. This blog has been nominated for ‘most entertaining security blog’.
It usually gives me great and smug pleasure to be able to say, “I told you so”; and this blog has done that on a few occasions. This time it gives me no pleasure – and I’ll come to that later.
David Miranda was detained at Heathrow airport for 9 hours, and his computer equipment confiscated by the Metropolitan Police. There was huge concern voiced by civil liberties groups; and a judicial review was launched.
At the time I said that all the police had to do was justify the suspicion that Miranda was a terrorist as defined in the Terrorism Act; which would be easy. I was taken to task on Twitter by bmaz:
What I said was this:
…and assuming that his laptop contained Snowden documents (which would be reasonable suspicion),
- the stated purpose of the leaks is to influence government
- the stated purpose could be described as both ‘political’ and ‘ideological’
- the effect, according to government, could result in increased terrorist attacks against the UK (that is, “a serious risk to the health or safety of the public”) and is also designed “to interfere with or seriously to disrupt an electronic system” (that is, GCHQ’s Tempora surveillance system).
I think it is quite clear that under the Terrorism Act, David Miranda is a terrorist.
Yesterday, Saturday, the Guardian quoted from the police documents referred to in the judicial review. The final Port Circular Notice – the document used by the police to justify Miranda’s detention – includes the following paragraph:
We assess that Miranda is knowingly carrying material, the release of which would endanger people’s lives. Additionally the disclosure or threat of disclosure is designed to influence a government, and is made for the purpose of promoting a political or ideological cause. This therefore falls within the definition of terrorism and as such we request that the subject is examined under schedule 7.
Well, I told you so. But this time it gives me no pleasure to say so, because it confirms my final statement in that post:
“This is a police state in action; and the Terrorism Act is one of its tools.”
It’s the throwaway last comment in yesterday’s Le Monde report on NSA spying that worries me most: “In Europe, only Germany and the United Kingdom are beyond France in terms of number of interceptions. But for the British, this was done with the consent of their government…”
Did you know that? That the British government specifically allows the NSA to spy on British citizens? How bloody dare they!
But when you think about it, it’s fairly obvious. Britain is now a full-blooded police state, controlled by MI5, GCHQ and now including the National Crime Agency. How much do you know about Tempora and other GCHQ surveillance programs? I’m willing to bet that it’s very little, just a few passing comments in the Guardian and other serious newspapers.
The whole thing has been effectively stifled by the government and its agencies. Government officers entered the Guardian’s premises and forced and oversaw the physical destruction of the hard drives containing Snowden’s documents. In Washington, British agents called on the editor of the New York Times and asked her not to publish Snowden’s documents. Luckily she was protected by the US constitution, and declined. But back in the UK, the government’s lap dog known as the Daily Mail published an opinion calling the Guardian irresponsible and accusing it of putting lives in danger.
And all the time the British government ceaselessly works to undermine the European Union’s proposed data protection law, claiming that it will stifle growth and burden business. Palpable nonsense. Cameron and his cohorts simply fear that it could put a stop to its secret surveillance programs.
Right now a group of civil liberties organizations is taking the government to the European Court over GCHQ’s illegal activities. Britain’s response? To threaten to abolish the Human Rights Act and remove itself from the European Court’s jurisdiction.
Frankly, it all beggars belief. But you’d better believe it, because this is Britain today.
I subscribe to a number of paper.li dailies. I use them to aggregate news stories for me that I probably wouldn’t find on the BBC – Anonymous, civil liberties, censorship etcetera.
So I was a little perturbed when I couldn’t access them yesterday. I got the emails with the links alright, but the links didn’t work. Rather than my selected Daily, I got this:
My first thought, naturally, was that some sinister, subtle censorship was underway – perhaps one of the dailies included a proxy for The Pirate Bay and BT felt it necessary to ‘block’ it. Far-fetched, maybe – but the society we now have makes such thoughts inevitable. It turned out not to be censorship, but (or so I understand) ‘DNS issues’ at paper.li.
But I’m still concerned. Look at the page that BT/Yahoo sent me to. Did I mean ‘gap.co.uk’? Now by what stretch of the imagination does mis-typing ‘paper.li’ end up with ‘gap.co.uk’?
Gap Inc, says Gap, “is a leading global specialty retailer offering clothing, accessories, and personal care products for men, women, children, and babies under the Gap, Banana Republic, Old Navy, Piperlime, and Athleta brands.” Yeah, well, I guess that can easily be confused with an off-the-wall news aggregator.
Then there’s the ‘related searches’. Now, how can there be a related search when I haven’t made a search?
The simple fact is that these are all paid-for adverts. I don’t actually mind that. But what I seriously object to is BT/Yahoo trying to pretend that they’re providing me with a service when they’re simply accepting money from advertisers. It’s this low-level petty deceit that I find both disturbing and frankly pathetic.
Before I say anything else, let me just say that I really, really like Sophos; and I really, really like NakedSecurity; and I really, really like Graham Cluley. This is really, really just a comment on how the internet has upset the status quo rather than a criticism of any of the above.
Purely coincidentally I was talking to a fellow freelancer who, like me, is old enough to remember the golden, halcyon days of freelancing back in the mists of the last century. The internet has destroyed all that, along with the majority of magazines for whom I used to write.
“Today,” I said, “company blogs have replaced independent magazines. Just take NakedSecurity, which competes head on with the security magazines in terms of content.”
I stand by that. It’s a great blog and a great read written by experts in their subject. But the one thing it isn’t is ‘independent’.
Consider one of today’s news items: Microsoft and Symantec jointly took down the Bamital botnet (my news story is on Infosecurity Mag here). The problem is that Symantec, a direct competitor of Sophos, gets hardly a look-in on the Sophos blog – which is headlined: Bamital botnet dismantled, as Microsoft seizes control of malware servers.
In fact, you wouldn’t think that Symantec was involved in the actual takedown at all judging from the Sophos account – despite the fact that it published an excellent and detailed analysis of Bamital today.
Coincidence? Possibly; but I doubt it. The problem is that NakedSecurity is so good and so popular that it is often taken as news. It isn’t. It’s a marketing machine for Sophos – and readers should always bear in mind (not just for NakedSecurity, but for all of the company blogs that are replacing the magazines) that the one thing you cannot get from a company blog is independent news.
As you know, I love statistics because they never add up and always lie.
Here’s another. It’s from the UK’s ‘let’s go digital’ programme.
The digital strategies set out how departments will redesign or create new online services with the support of the Government Digital Service. The first wave of services to be totally redesigned to serve the user includes driving test bookings, tax returns, and state pension applications. They will be easier and quicker to use, and cheaper to run, saving the taxpayer £1.2bn by 2015. Just last week, a report by the National Audit Office confirmed that government ICT reforms and spending controls saved the taxpayer £316m last year alone.
Francis Maude tells technology suppliers: “We’re open for business – let’s turn government digital”
It’s a little bit ambiguous. Take tax returns. Are they going to be redesigned, or have they been redesigned? If the former, thank God! If the latter, God help us! and everything else in the statement is clear poppycock. The government’s existing online self-assessment tax returns are a scam designed to collect a stealth tax. Government says, ‘tax needn’t be taxing’; a clear breach of the Trade Descriptions Act designed to lull the taxpayer into a false sense of security. It takes weeks simply to get into the system; then it is full of ambiguity and impossibility; and just when you think you’re getting close it logs you out and makes you start again.
By the time you succeed, you’re past the deadline and facing an automatic fine. Think I’m joking?
Those who miss the midnight Thursday deadline for online tax returns will still be fined £100 even if they have no tax to pay or if they pay all the tax they owe before this date.
Penalties mount up when your tax return is three, six and 12 months late: £10 daily fines if you are three months late, and £300 penalty or 5 per cent of tax due – whichever is higher – if you are six months late.
Last year, the taxman raked in an estimated £1billion from these fines.
Five tips to get that self-assessment form in before midnight
So here’s where the statistics come in. The taxman’s scam earned him £1 billion last year. How is that accounted? Presumably it goes into the Chancellor’s public pocket and not his private pocket – which would mean that it’s £1 billion he doesn’t have to get from overt taxes, which means he’s saved the taxpayer £1 billion even though he took it from the taxpayer in the first place.
But from the Cabinet Office we have learned that “government ICT reforms and spending controls saved the taxpayer £316m last year alone.” What happened to the other £684m from the self-assessment scam alone? The implication has to be that the reforms have cost the taxpayer that amount which is offset by the self-assessment income. OK, I doubt that’s the whole story – but it just confirms what I already know: don’t believe anything government ever says.
January 28 is Data Protection Day in Europe and Data Privacy Day in US/Canada. The basic purpose is the same: to highlight personal privacy issues and reduce identity theft.
To get some idea of the problem, I visited the UK’s Stop-IDfraud website – a site supported by Fellowes, CIFAS, Norton, Equifax, Get Safe Online and Action Fraud. Heavyweight stuff.
New research shows that 24% of UK citizens have been a victim of identity fraud, which is the highest figure in Europe, plus a further 75% have been exposed to scams used by identity fraudsters.
How I hate this sort of stuff.
New. When exactly?
Research. By whom, and how was it done?
24% of UK citizens. So is that all residents, all residents with a UK passport, all residents with a UK passport over a certain age?
There is no clue to any of this – not even a date for when the details were published on the site.
So my first thought is that these figures cannot be trusted. They could have been made up on the spot. But let’s look at that 24%.
Glance up and down your street. You’re likely to have 100 UK residents living within a stone’s throw. Scary to think that 24 of those neighbours have been a victim of ID fraud. OK, so neighbours these days tend not to talk to each other. So think of your immediate family and friends – again you’ll rapidly approach 100. Have anything like 24 of them indicated that they are victims of ID fraud, with two-thirds of them losing more than £1000, and have warned you to be careful? I’m here to be shot down, but I very much doubt it.
Now the second statistic. 75% have been exposed to scams used by identity fraudsters. Really? I get half a dozen or more spam scam phishing emails every day. I find it hard to believe that 25% of the population have never received a spam scam phishing email.
So, put simply, these unjustified and uncorroborated and unsupported figures make no sense to me whatsoever. Except they do sensationalize a very worrying fact: ID fraud is a serious problem. So serious that we really ought to support the government’s plans for the Communications Bill so that law enforcement can track and come down hard on all of these criminals that have defrauded so many of my friends and neighbours to such an extent that they won’t even tell me about it.
You couldn’t make it up. Except, maybe they did.
Last summer I interviewed Space Rogue and did a story on his history of security hype: A cyber terrorist ate my hamster.
I must now report that the process is alive and well, courtesy of eWeek.
Over the last couple of days the media has been full of a story about two virus outbreaks in US SCADA installations. eWeek is clear in its own story USB Storage Drive Loaded With Malware Shuts Down Power Plant:
The U.S. Computer Emergency Readiness Team reports that a U.S.-based power generating facility was shut down after a contract employee introduced malware into the turbine control systems and into engineering workstations. The contractor routinely used his USB drive to perform updates on control systems as well as workstations in the power plant.
I would just like to point out, very politely, that this is what is known in polite circles as a ‘lie’. ICS CERT did not say that.
I covered this story in Infosecurity Magazine way back on January 4: The lessons of Shamoon and Stuxnet ignored: US ICS still vulnerable in the same way.
The truth is less dramatic than eWeek suggests – although dramatic enough. The virus was discovered while the system was in a scheduled shutdown. It delayed its restart, it did not cause its shutdown. But that’s far less dramatic and far less worrying…
The next stage in the security hype process is for politicians to seize on the eWeek story to justify the need of the next draconian piece of anti-terrorist cyber legislation, or the next exponential increase in some LEA’s budget request. Journalists really should read what they talk about before they talk about what they haven’t properly read.
…he’s really a rather nice young chap. But he’s certainly feeling a bit peeved right now, and with some reason. He’s upset about the unquestioning articles in the New York Times (31 December) and the Register (1 Jan) discussing a new report by Imperva. Actually, I discussed it in Infosecurity Magazine on 28 November.
Imperva concluded that anti-virus products are not that good (“The antivirus industry has a dirty little secret: its products are often not very good at stopping viruses,” says the NYT). Imperva’s proof is that VirusTotal (an online collection of AV engines) failed to block many of the 0-day viruses it threw at it. What I said in Infosecurity was that “the real value of VirusTotal is in allowing users to check whether a suspect file is actually malware – it was designed to check malware, not to check AV products.”
Mac Bloggit doesn’t have to acknowledge the niceties of journalism, and can be more succinct. “Perhaps the NYT would care to look up the terms heuristic analysis, behaviour blocking, sandboxing, behaviour analysis, whitelisting, integrity checking, traffic analysis, and emulation, among other approaches that a security program might use to detect possible malicious activity.” His point, and he has a point, is that VirusTotal does not and cannot measure the efficiency of these parts of AV products. The fact that Stoppem Anti Virus on VirusTotal doesn’t detect the latest virus doesn’t mean that Stoppem Anti Virus on a PC won’t detect and/or block the very same latest virus.
Using VirusTotal to judge an anti-virus product isn’t merely bad form, it is positively dangerous – it might tempt users into abandoning AV altogether. That would be a very, very bad idea. The Imperva report is actually a sleight of hand by a non-AV vendor. But here’s the rub: the AV industry isn’t innocent of its own sleights of hand.
The one that gets me personally rather hot under the collar is the ‘destroys all known bacteria dead’. Well, that’s the clear message. The actual terminology is ‘stops 100% of viruses in the Wild’. What it is really saying is that Stoppem Anti Virus detects every virus in the Wild List. And the Wild List is very different to ‘in the wild’. In fact, the Wild List is effectively compiled by the AV industry; so in reality, any AV company that doesn’t score at least 99.99% success against viruses in the Wild is largely incompetent.
So I would say this. Imperva, you have been a bit naughty in your report. AV industry, you can be a bit naughty yourself. So stoppit, both of you. Anti-virus is good, not perfect, but essential. Just tell us the truth.
David Harley includes quite a lengthy comment on this blog in his post, Going beyond Imperva and VirusTotal. In particular he delves into the pros and cons of WildList testing. He doesn’t completely disagree with me; but nor does he completely agree – so it’s well worth a read.