Archive for March, 2011

I think I probably got that wrong – an apology to Samsung

March 31, 2011

Oops. I might need to offer Samsung an apology…

It sort of struck me that it’s a bit silly trying to install a known keylogger and expect to get away with it. So I started to ask a few AV companies if their software would detect the ‘Samsung keylogger’. First to reply was Kaspersky:

Yes, it detects it. But there’s no certainty at this stage that it has been pre-installed by Samsung.

Kaspersky referred me to the Samsung statement:

The statements that Samsung installs keylogger on R525 and R540 laptop computers are false.

Our findings indicate that the person mentioned in the article used a security program called VIPRE that mistook a folder created by Microsoft’s Live Application for a key logging software, during a virus scan.

The confusion arose because VIPRE mistook Microsoft’s Live Application multi-language support folder, “SL” folder, as StarLogger.

That actually makes sense. A genuine false positive is a far more likely culprit than an incompetent conspiracy.

Just to demonstrate:

Firstly, the false positive from VIPRE

VIPRE recognising Windows/SL as StarLogger

And now AVG2011 correctly recognising the StarLogger keylogger:

The confusion is between WINDOWS/SL and WINDOWS/SL/WINSL.EXE
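The mechanism behind that false positive, as an added illustration that is not from the blog or from either vendor: a rule keyed on the folder name flags every file under a directory called SL, while a rule tied to the actual indicator file WINSL.EXE (and its hash) does not. The file trees and the "known bad" hash below are constructed stand-ins, not the real Microsoft or StarLogger files.

```python
import hashlib
from pathlib import PureWindowsPath

# Constructed sample file trees ({path: file content}); stand-ins, not real
# files from Microsoft's Live Application or from StarLogger.
CLEAN_TREE = {
    r"C:\Windows\SL\en-US\Setup.dll": b"constructed language resource",
    r"C:\Windows\SL\de-DE\Setup.dll": b"constructed language resource",
    r"C:\Windows\System32\kernel32.dll": b"constructed system file",
}
KEYLOGGER_TREE = {
    r"C:\Windows\SL\WINSL.EXE": b"constructed stand-in for the keylogger binary",
    r"C:\Windows\System32\kernel32.dll": b"constructed system file",
}

# Placeholder signature: a real one would carry the vendor's hash of the
# StarLogger binary. Here it is simply the hash of the constructed stand-in.
KNOWN_BAD_SHA256 = hashlib.sha256(
    b"constructed stand-in for the keylogger binary").hexdigest()


def folder_name_heuristic(tree):
    """Flag every file under a directory named SL.

    This mirrors the mistake the blog describes: the rule keys on the folder
    name alone, so a legitimate multi-language folder trips it.
    """
    hits = []
    for path in tree:
        parts = [part.upper() for part in PureWindowsPath(path).parts]
        if "SL" in parts:
            hits.append(path)
    return hits


def file_indicator_match(tree):
    """Require WINSL.EXE inside the SL folder and confirm its content hash.

    Tying the match to the specific file, and to what is in it, keeps the
    rule from firing on a folder that merely shares the name.
    """
    hits = []
    for path, data in tree.items():
        p = PureWindowsPath(path)
        if p.name.upper() != "WINSL.EXE" or p.parent.name.upper() != "SL":
            continue
        if hashlib.sha256(data).hexdigest() == KNOWN_BAD_SHA256:
            hits.append(path)
    return hits


if __name__ == "__main__":
    for label, tree in (("clean", CLEAN_TREE), ("keylogger", KEYLOGGER_TREE)):
        print(label, "folder heuristic:", folder_name_heuristic(tree))
        print(label, "file indicator:", file_indicator_match(tree))
```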


Categories: All, Security News

Factory farming our kids – or the EU and education

March 30, 2011

Laugh or cry? If you’re not sure, just ask the EU. I’m sure it will tell you which way you should be thinking.

Education Ministers discussed active citizenship education, and related educational policy objectives… Minister of State Rózsa Hoffmann pointed out, “We must answer the question of whether our educational systems prepare the youth appropriately to become active and responsible citizens.”

Whatever happened to education as a way of preparing youngsters for a fulfilling life? Now apparently education is designed to make good little European Citizens. Midwich Cuckoos?

The Minister of State for Education of the Ministry of National Resources stressed: the purpose of citizenship education is to teach students to think, and responsibly participate in economic, political, social and cultural life.

There was me thinking that the purpose of education was to teach us about Kafka; not to emulate his Castle. Now, all line up neatly and repeat after me: Credo in unum EU, EC omnipoténtem, factorem cæli et terræ, visibílium ómnium et invisibílium.

Still, we shouldn’t really have too much sympathy for our youth; after all, the current world economic crisis is entirely their fault:

The Minister of State did not conceal her opinion that “Perhaps the global economic crisis could have been less severe, if the youths had adopted a more conscious attitude to decision-making.”

We haven’t bequeathed our kids years of debt, because it was them as did it to us! Honestly, I’m not making up any of this. Please stop the world: I want to get off…

Youths need active citizenship education

Categories: All, General Rants, Politics

Buy a Samsung, get a free keylogger

March 30, 2011

There is a short report of Samsung pre-installing spyware on its own laptops before sale:

In other words, Samsung wanted to gather usage data without obtaining consent from laptop owners.
Samsung responds to installation of keylogger on its laptop computers

The report adds:

Samsung’s conduct may be illegal; even if it is eventually ruled legal by the courts, the issue has legal, ethical, and privacy implications for both the businesses and individuals who may purchase and use Samsung laptops. Samsung could also be liable should the vast amount of information collected through StarLogger fall into the wrong hands.

Frankly, I cannot see how this could possibly be anything but illegal in the EU. The report, however, doesn’t say whether this is worldwide or just North American – so clearly we need to know more. Frankly, I hope that the FTC in the States and the EDPS in the EU stamp very hard on Samsung. This is simply unacceptable.

What I can say for certain, however, is that the Samsung R540 I was looking at is now not going to happen. Ever.

Categories: All, Security News

EU-US Negotiations on an agreement to protect personal information exchanged in the context of fighting crime and terrorism…

March 30, 2011

Yesterday, Viviane Reding, Vice-President of the European Commission, announced:

Today the European Union and the United States opened negotiations on an agreement to protect personal information exchanged in the context of fighting crime and terrorism. The negotiations will build on our longstanding, robust cooperation and agreements in this area. The United States and the European Union are committed to ensuring a high level of protection of personal information, while fighting crime and terrorism. The United States and the European Union are strongly determined to reach without delay an agreement that will advance our mutual goals.

This needs to be watched very closely – especially since just a day earlier Peter Hustinx (the European Data Protection Supervisor) had announced his dissatisfaction over Passenger Name Record (PNR) information being disclosed between EU members.

55. …He is however obliged to observe that the essential prerequisite to any development of a PNR scheme – i.e. compliance with necessity and proportionality principles – is not met in the Proposal. The EDPS recalls that in his view, PNR data could certainly be necessary for law enforcement purposes in specific cases and meet data protection requirements. It is their use in a systematic and indiscriminate way, with regard to all passengers, which raises specific concerns.

56. The Impact Assessment gives elements aiming at justifying the need for PNR data to fight against crime, but the nature of this information is too general, and it fails to support the large scale processing of PNR data for intelligence purposes. In the view of the EDPS, the only measure compliant with data protection requirements would be the use of PNR-data on a case-by-case basis, when there is a serious threat established by concrete indicators.

If we can’t protect personal data amongst ourselves, how on earth are we going to stop the USA demanding and getting far more? “Air passengers’ personal data could certainly be necessary for law enforcement purposes in targeted cases, when there is a serious threat supported by concrete indicators. It is their use in a systematic and indiscriminate way, with regard to all passengers, which raises specific concerns,” said Hustinx. And we all know that the US authorities are renowned for declining to use their personal databases in a systematic and indiscriminate manner.

My bet is that there will be a lot of huffing and puffing, and pretending to get what we (the European citizen) wants; but America will eventually get all that it seeks simply because it is America and is supported (through national interest) by most of the individual national governments in Europe. We will be told by the Vice-President of the European Commission that our personal data is protected – but it won’t be.

Categories: All, Politics

The Judiciary and the Media – by the Lord Chief Justice of England & Wales

March 29, 2011

The Lord Chief Justice of England and Wales, Lord Judge, has been talking about The Judiciary and the Media. He says:

My overwhelming belief is that the most emphatic feature of the relationship between the judiciary and the media is that the independence of the judiciary and the independence of the media are both fundamental to the continued exercise, and indeed the survival of the liberties which we sometimes take for granted.

Oh, how right he is!

As far as I can discover, there never has been, and there is no community in the world in which an independent press flourishes while the judiciary is subservient to the executive or government, or where an independent judiciary is allowed to perform its true constitutional function while, at the same time, the press is fettered by the executive.

Oh, how misleading this is!

To a large extent this speech is about how new technology is affecting the media, and how that is affecting justice through the courts. It’s interesting but misleading: misleading because it is entirely predicated on two false assumptions. Firstly that we have an independent judiciary. And secondly that we have an independent press.

It’s true that neither are hamstrung by excessive legal restrictions. In that sense they are both independent. But legal restriction is not the traditional (traditional in the conservative – with both a big and little ‘c’) way we do things in Britain. The socialist way is to impose laws against everything. The conservative way – and Britain is a conservative country by nature – is to manipulate.

Both the media and the judiciary are under the control of the executive in the good old-fashioned British way: patronage, favour and bullying.

The future of freedom is no longer dependent upon the independence and freedom of the judiciary and the press – those are both long gone. The future of freedom is dependent upon the independence and freedom of the internet; the home of the individual blogger, tweeter and rebel not yet swayed by patronage and bullying.

That is why governments around the world seek to control the internet. Not because of terrorism and pedophiles and organised crime; but because it weakens executive control over the people. And that is why we must fight for net neutrality and keep it out of the hands of the executive and government lackeys.

The Judiciary and the Media
Speech by Lord Judge, Lord Chief Justice of England and Wales

VigilancePro – a new approach to cloud security

March 29, 2011

A conversation with Ed Macnair, chief executive officer of Overtis


Ed Macnair, CEO, Overtis

“The challenge for companies moving into the cloud,” says Ed Macnair, CEO of Overtis, “is that the traditional IT model gets turned upside down and inside out. We’re outsourcing data; but we’re also outsourcing responsibility.” That gives us two problems: we lose control of our data; and we lose control of who can access it.

The first is because we no longer know where that data resides. “Most of the big SaaS players are American – so if we use them we’ve got the whole EU Data Protection thing to worry about.” The problem with the cloud is that the more we use it and the more we maximise the value we get from it, the more we abdicate control. And without that control we can be neither secure nor compliant.

The second problem is exacerbated by the new wave of consumerisation within computing. “The security officers I speak to,” says Ed, “are having kittens because employees are demanding, not asking but demanding, to be able to use their own devices. And it’s being allowed – which makes good business sense in a lot of areas. But we now have this plethora of different devices – iPhones and iPads, Androids, netbooks, Mobile 7 and more – all accessing our corporate data from we don’t know where. And how do we control that? And how do we know who’s holding those different devices?”

The traditional silo model for security, says Ed, has failed. “The silo model is all about point products. We can have email security products and web security products, and a firewall and our intrusion detection and prevention systems; and they can all only look at their own specific area. But they don’t understand the user. SIM and SEM try to paper over the cracks but still don’t provide end-to-end visibility of what the user is doing.” If silo doesn’t work in traditional computing, how on earth will it work in cloud computing?

Ed’s new product (VigilancePro Web Application Manager) takes a fresh approach. To get security in this new world, he says, “we have to invest security into the browser.” It’s the only common point across all the different access devices and all the different data locations. “And that’s what we’re doing,” he says. “VigilancePro is a secure browser plug-in currently available for Internet Explorer and Firefox (with Safari to follow soon).”

The basic premise of this new product is that the user doesn’t know and doesn’t need to know his or her own secure log-in credentials – it’s all managed by the plug-in. “A new user coming into the organisation gets sent a link to a site from where he or she downloads and installs the browser plug-in. That browser plug-in has the user credentials and the user permissions that control which applications can be used and what can be done with them.” Complete security provisioning in a single step. “By logging into the browser plug-in, the plug-in automatically logs the user into all the web applications he or she is entitled to use. It doesn’t bypass any strong two factor authentication, it simply acts as a secure single sign-on to all the web applications that the user is entitled to use. And the plug-in has to be present before the user can access those applications.”

Needless to say, de-provisioning is just as easy. “Revocation is done centrally,” says Ed. “If someone leaves the company, a link to Active Directory decommissions the plug-in; and the user loses all access to the restricted areas.”

But useful as this is, it would be very wrong to think of VigilancePro as just a single sign-on system. Since it lies at the heart of the browser, it can provide tight control over what can be done via that browser; and detailed reporting on what has been done. “By implementing this as a browser plug-in, we not only get web single sign-on, but we get really granular management of all interactivity between the user and the web application – a full audit trail as to which page the user went to, and what he or she did on that page. But we also have the ability to block and actually prevent certain actions. We can control access to any tab, any URL or any view on a web page; and we can control the use of any HTML component. We can control any of the browser menu options – such as export, print, copy, cut, save as, and so on; and we have the ability to mask any regulated or sensitive data. We think this is a complete game-changer. So far we’ve been trying to manage identity in the cloud – but now we can manage user activity in the cloud.”

VigilancePro in action - masking data and hiding tabs

The problem with the cloud is that you cannot secure your data because you don’t know where it is. Nor can you secure the users because you don’t know who they are. But you can secure the channel used by the users to get to the data. That channel invariably goes through the browser. Control the browser and you can control the user. Control the user, and it doesn’t matter where the data resides. In short, by controlling the browser you can get both security and compliance (this is not legal advice!) in the cloud. Almost all public cloud computing is done via the browser. Add security to the browser and you secure almost all public cloud computing.

Categories: All, Security News

All in all just another brick in the wall

March 27, 2011

I am ashamed to say that it took a Trades Union objection to alert me to this: the Education Bill. According to the BBC, NASUWT (National Association of Schoolmasters/Union of Women Teachers) general secretary Chris Keates said:

“The extra powers in the bill to search and confiscate and dispose of electronic equipment and data are disproportionate powers that teachers don’t really want, and actually could cause more conflict and more problems for schools rather than actually tackling discipline.

“In many respects they are reckless and they are putting teachers into confrontation with parents and with children and young people.”
NASUWT teaching union attacks school phone powers

So what’s this about? Well, according to the Bill itself:

(6E) The person [eg, a teacher] who seized the item [eg, ‘an electronic device’ belonging to a pupil] may examine any data or files on the device, if the person thinks there is a good reason to do so.

(6F) Following an examination under subsection (6E), if the person has decided to return the item to its owner, retain it or dispose of it, the person may erase any data or files from the device if the person thinks there is a good reason to do so.
Education Bill

What this means is that if a teacher finds a mobile phone (or an iPod or a tablet) on a pupil, that teacher can confiscate the device and examine any personal files it contains. Said teacher can then either delete the files or even destroy the device. That’s what it says. And it is a long time since I heard such a ridiculous, authoritarian, draconian, illiberal, high-handed and utterly absurd suggestion.

If a pupil is misusing an electronic device at school – confiscate it. Give it back at the school gates at the end of the day. But for God’s sake, Gove, you cannot really think you have the right to spy on young people’s personal data, to delete that data and even destroy the device? Next time you look at the Education Bill, have half a mind on the Freedom Bill.

And in the meantime, kids, you better look into two factor authentication to control access to your phones; and encryption to protect what you’ve got on them.

Categories: All, Politics, Security Issues