Very strange since the BBC is probably the UK’s leading news service and certainly the UK’s national news service paid for by the UK people – and it omits to mention that the UK also signed this document at the same time in the same place in Tokyo.

Isn’t it strange that the EU’s news service says nothing about it also signing the ACTA agreement at the same time in the same place in Tokyo?

And that neither news service seems to be aware that Kader Arif, the appointed rapporteur for ACTA in the European Parliament, has resigned in protest, saying he will not take part in this masquerade?

Conspiracy of silence? Too damn right.

UPDATE
And finally the BBC catches up – 24 hours after the news breaks. The BBC is supposed to let the cat out of the bag, not chase after it when it escapes.

This would not necessarily require data stored locally: patient sequence data could be stored securely in a national database, making it accessible to the centres but also to the patient’s physician or GP.

let’s be clear: this is a national DNA database. But it’s OK, because this is for health rather than law enforcement. And it will, yeah right, only be available to health officials, and health researchers, and pharmaceutical companies and academics and probably anyone who pays for it – internationally. The report makes very clear that if national research is good, international research is very much better.

It is, in effect, a national DNA database writ large. It has all the worst elements of the police DNA database combined with the NHS central records database and will undoubtedly cost a great deal more than both and be more dangerous and insecure than either.

And for what? “Government should not be duped by hype about genomics: some useful applications will exist but most diseases in most people and many adverse drug reactions are not predictable from people’s genes,” said Dr Helen Wallace, Director of GeneWatch UK. “Storing personal genomes for no reason would lead to a massive marketing scam, based on selling drugs to healthy people who are told they are at risk of getting diseases in the future.”

My concern is that government is quite relaxed about a new national DNA database from which it will gain all the benefits with none of the blame; that, in effect, a national genome database is already a conspiracy between government and the pharmaceutical companies in just the way that ACTA and DEA and SOPA and PIPA and others are a conspiracy between governments and the entertainment industry.

• Law Society tougher than the ICO on Andrew Crossley
• Mixed but depressing findings in European corporate governance recruitment
• Ransomware pretending to be law enforcement
• Olympic security dossier left on London train
• Voice biometrics will be the authentication of choice, says Opus Research
• SP Toolkit illustrates the dangers inherent in many security audit tools
• HMRC’s failure to recruit security staff shows education must change
• Ten years of Microsoft’s Trustworthy Computing initiative: Has it delivered?
• A road-map towards meaningful security data sharing
• Research by Sophos reveals the gang behind Koobface
• Children’s online games used to distribute malware
• AXA global insurance company adopts data analytics to reduce fraud
• Health Software firm develops Android app while NHS warns on tablet security
• New version of Sykipot malware targets DoD smart cards
• How DarkCoderSC reveals SFX files methodology

But what I want to consider now is perhaps more philosophic: is a jailbroken iPhone basically an Android? Opinions vary.

David Harley, the independent researcher behind the Mac Virus website, thinks ‘not really’. Jailbreaking alters the Apple’s kernel. If this is done you would get no further support from Apple. As a result, software that really requires co-operation between the developer of the software and the developer of the hardware would be at a disadvantage. Anti-virus software running on a jailbroken Apple, for example, would suffer. “So no,” he says, “jailbreaking isn’t precisely analogous to an unrooted Android: while most Android AV is pretty patchy in performance, you can get AV that could be described as commercial standard.”

Luis Corrons

But yes, thinks Luis Corrons of PandaLabs. “At the end of the day, the main difference between both platforms is that Android gives me, as a user, the option to decide what applications I want to install.” Confirming his view, Luis has a jailbroken iPad 1 and used to use a jailbroken iPhone 3GS (which he has now replaced with an Android Galaxy SII).

David Emm

Kaspersky’s David Emm has a similar view. “It’s the commercial models taken by Apple and Google that are different.” The result of these commercial differences is that a jailbroken Apple has access to hundred of thousands of secure apps plus a few hundred unknown apps from Cydia Store. Android users have access to hundreds of thousands of unknown apps. The inference I draw, unstated by David, is that a jailbroken iPhone remains more secure, albeit more restricted, than an Android.

So what can we conclude? Not a lot really. If you jailbreak an iPhone you can technically gain the freedom inherent in an Android – but since most users will still be limited to third-party apps, you don’t gain many more. And you lose the security of the iPhone. In the final analysis, you simply pay your money and take your choice: Apple if you want security; Android if you want freedom. Jailbreaking seems to give you neither.
Kaspersky
PandaLabs
Absinthe download (unchecked, unverified)

Of course people in these situations should be held personally liable as if the council is fined, then that fine is paid for out of the local council taxes. It essence it is a double tax – once for collecting/storing the data and again for losing it.
Should staff, not the taxpayer, pay fines for public sector data breaches?

Grant Taylor, UK VP of CryptZone is agin the idea of fining the staff rather than the organization, and puts forward a strong case. “If the penalties are applied to nominated senior managers in the relevant NHS trust, council or other government agency – as is the case with corporate responsibility, for example within transportation authorities – then the public sector could be forced into building liability insurance remuneration into management salaries, as has been required by medical professionals for some time,” he argues. This will simply have the effect of “moving the cost of data breach penalties across the government spreadsheet – with the taxpayer continuing to foot the bill.”

Grant believes that education and open discussion is the solution. “But to reduce the argument to individual ICO penalties within the workforce would only result in the departure of the most talented member of staff – who will be streamed off into the private sector – with predictable results. This is what makes this argument something of a non-starter in our opinion,” he concludes.

I sort of agree; but I don’t think education will ever be enough to protect our data. The bottom line is the current arrangements just are not working. Personal data continues to be lost, councils are fined, and the ‘double tax’ described by the TaxPayer’s Alliance is a reality. But potential remedies exist, and always have existed, without any action from the ICO. It is the concept of responsibility – when things go wrong, there is always someone at fault.

Consider this. Organizations will have procedures that are part of the security policy and part of the employment contract. If these procedures are followed, then data will not be lost. If they are followed and data is still lost, then the author of the procedures is responsible because he or she simply didn’t do the job properly. If the procedures are not followed and data is lost, then the person who loses the data is responsible because he or she didn’t follow procedures. Because the procedures are part of the employment contract, failure to follow them is a disciplinary offence. It’s not a case of the ICO fining individual staff, it’s a case of the organization sacking staff who haven’t done their job.

The advantage of this simple approach is that it doesn’t frighten off good staff (good staff will always be confident in their own abilities), but it does weed out poor staff. And it doesn’t cost the taxpayer an additional penny.

There are even in-built safeguards in this approach. Organizations always have bullies. Middle managers at fault will generally blame their staff. But that’s why we have employment protection laws and tribunals. If a scapegoat is selected and sacked to protect a manager, that scapegoat has recourse to the law. So we don’t need to fine individual staff or the organization. We don’t even need the ICO. We just need to do what we always could do: in the event of a data breach, the person responsible should automatically be sacked.

CryptZone

The International Olympic Committee (IOC) has issued what it calls ‘guidelines’ but what are actually instructions in a document titled IOC Social Media, Blogging and Internet Guidelines Instructions for participants and other accredited persons at the London 2012 Olympic Games. The document itself is fully copyrighted, so the IOC could tell me to remove this.

IOC guidelines for journalists/bloggers

Guido highlights section 2:

2. Postings, Blogs and Tweets
The IOC encourages participants and other accredited persons to post comments on social media platforms or websites and tweet during the Olympic Games, and it is entirely acceptable for a participant or any other accredited person to do a personal posting, blog or tweet. However, any such postings, blogs or tweets must be in a first-person, diary-type format and should not be in the role of a journalist – i.e. they must not report on competition or comment on the activities of other participants or accredited persons, or disclose any information which is confidential or private in relation to any other person or organisation. A tweet is regarded in this respect as a short blog and the same guidelines are in effect, again, in first-person, diary-type format.

Postings, blogs and tweets should at all times conform to the Olympic spirit and fundamental principles of Olympism as contained in the Olympic Charter, be dignified and in good taste, and not contain vulgar or obscene words or images.

Such instructions are, frankly, a bloody nerve; and I would dearly love all journalists to decline to become ‘accredited’ in response. But the bit that really bothers me is this:

The IOC will continue to monitor Olympic on-line content to ensure that the integrity of rights-holding broadcasters and sponsor rights as well as the Olympic Charter is maintained…

and if not

The IOC reserves all its right to take any other appropriate measures with respect to infringements of these Guidelines, including issuing a Take Down Notice…

Take down? The Olympic spirit has degenerated into a threat to take down stories/websites it doesn’t like? Jesse Owens wept!

Email message

This friend is big in the Truth movement – so ‘persuasion’ is strong in his agenda. He also collects, distributes and televises independent ‘truth’ videos. So it’s all reasonable, and because of the friendship I’m tempted to view.

But…

He doesn’t usually SHOUT. He invariably says ‘hello’ and ‘how are you’ – and we haven’t spoken since before the holidays. His grammar is usually a bit better, and a belated ‘happy new year’ would be typical.

So I had a niggle. Rather than checking the video I checked the sender.

Hi Friend

Happy new year! Can you confirm you sent me this?

If you did, I’ll have a gander. If you didn’t, you’ve been hacked…

Within half an hour I got a reply:

Happy new year.

I’ve been hacked!

The link in the email is redirected here, by the way. I didn’t, and wouldn’t recommend, going any further. In fact, I wouldn’t recommend going this far…

Scam email destination

The moral to this tale is simple: Look before you Link.

This week’s stories are:

PwC report shows public sector fraud rising globally
Cyber risk now in the top five global risks
European SMBs lack formal disaster recovery plans
Has India got backdoors into Rim, Nokia and Apple? Probably
Malicious URLs being disguised by QR codes
UK Fraud in excess of £2bn per annum
Spam site becomes one of the most popular locations on the web
Security concerns are slowing but won’t stop the growth of instant messaging
Game cheat keys can be dangerous: this one is a rootkit
December VIPRE Report suggests that old phishing tactics are best
ESET’s latest ThreatSense Report shows that business still doesn’t patch
No connectivity means no cloud AV: true or false?
FBI issues a new warning about the Zeus variant called Gameover
The Stratfor breach exposes the emails of hundreds of military and defense personnel
Internet action against SOPA under discussion within Net Coalition

I mention this here because Detica comments that “insurers are fighting back with sophisticated analytics solutions that alert fraudulent behaviour by understanding the hidden links in their data. This enables the insurer to build a true and comprehensive picture of individual and groups of claimants, clearly identifying who are the fraudsters…”

Detica is what I classify as a ‘good’ company. However, the comment (unintended, I’m sure) simply strengthens the whole problem with our current ‘claims’ culture: it reduces the human being who has been injured through no fault of his or her own to statistics on a sheet of paper.

It also paints the victim as the culprit. The victim is the victim: the claims machinery is the culprit. I don’t have any precise figures, but I’m willing to bet that the amount the insurance company pays to the ambulance-chasing RealLawyersJust4U, and the host of expert witness ex-medical businessmen hangers-on who prod and poke the physical and emotional victim, will dwarf the amount paid out in compensation to the injured human being.

Castigating the victim is all wrong. 75% are honest. The remaining 25% are irrelevant since no-one listens to the victim anyway. It is not compensation to the victim that needs to be reduced. What is required is a change in the process so that the victim receives more and the lawyers and experts (who treat the victim as little more than a very lucrative meal-ticket) are removed from the equation. That way victims are better compensated, insurers pay out less, and insurance premiums can come down again.

Mark Reeves

The first thing is not to abandon what exists; business must not abandon traditional barrier defences (firewalls, anti-malware, filters, data loss prevention, encryption, access control and so on) just because it isn’t enough. On the contrary, business must redouble its efforts in layered security. “Only layered security can fully defend the corporate environment, as it’s incredibly risky to rely on just one level of protection against unauthorised access to a network,” explains Mark Reeves, SVP International at Entrust.

The second step is to abandon the traditional view, if not the traditional defences, of information security. It is not a business category that stands on its own; it is part of the risk mitigation aspect of risk management – and must be treated as part of the overall function of corporate risk.

Bruce McIndoe

Bruce McIndoe is president of iJET Intelligent Risk Systems, one of the new breed of companies that takes an holistic view of security and risk management. “Our company is founded on taking a risk management approach to the overall threat in order to provide predictive solutions rather than simple event reporting.” As mobility grows in global business, he gives as one example, so must our attitudes change. Right now, since security isn’t working, it is easier for the criminal to hack the system. But as we improve technical security with encryption and location-aware logins, then the traveling user becomes more exposed. “Criminals are going to start going after the employee rather than trying to circumvent security technically.” iJET analyses the overall threat environment around the world, then analyses corporate data exposure so that companies can focus their threat mitigation effort on their areas of greatest hazard. This is an attitude that we must develop: a predictive and holistic view of risk management – we need to get ahead of the criminals.

Nigel Hawthorn

The third step is that we need to share global threat information. The UK’s new Cyber Security Strategy is clear on this. Government will, it says, “establish a new operational partnership with the private sector to share information on threats in cyberspace.” It is less clear on how it will do so; but the model already exists. The cloud.

“What’s needed,” says Blue Coat’s Nigel Hawthorn, “is a means to exploit the power of crowds and create a system of sharing that traces threats between millions of users. Like a herd of zebra, we can be the eyes and ears looking out for new threats and keeping each other safe. A collaborative defence cloud system that joins together millions of users, to track and block the malnets that are responsible for launching attacks, will proactively protect users from future attacks.”

Those are three of the major steps that need to be taken to rebalance the battlefield and make cybersecurity work: an increase in layered traditional defences, the adoption of a new holistic and predictive risk management attitude, and the sharing of threat information on a global scale.