Archive for July, 2011

Should we restore capital punishment in the UK?

July 29, 2011 Leave a comment

I see that Guido has launched a petition and campaign for the restoration of capital punishment in the UK; specifically for the killers of children and police.

Now that the government has launched an e-petitions site, Guido will put all the resources at his command into a campaign for a vote on the restoration of capital punishment for child and cop killers.
Guido Submits “Restoration of Capital Punishment” Petition

This is such a difficult issue – and is probably the one area where I fundamentally disagree with his principles.

These are some of my difficulties:

  • No-one has the right to kill – but that should include the State.
  • Anyone who does kill must be punished – but that should include the State.
  • What if we get it wrong, and we murder an innocent person?
  • Why just children and police? Killing is killing, or is some killing worse than others?
  • Where do you draw the line between murder and self-defence?
  • If a demonstrator were to kill a policeman, should that demonstrator be executed? If a policeman were to strike and kill an innocent passer-by, should that policeman be executed?

Now let’s examine our collective emotions on this. Guido uses Baby P as an example. What revolts us the most: the fact that he was killed, or the fact that he was tortured first? I suspect the latter. Why should capital punishment be applied to murder but not to torture? I make this distinction solely to show that our emotions play a serious part in this debate when it is one that perhaps above all others should be governed by logic.

And what about China and Saudi Arabia? Most of us are horrified by capital punishment in foreign climes, yet most of us seem to want capital punishment here.

For me, however, the bottom line is not that I don’t think murderers deserve to lose their own life, but that the risks in getting it wrong are too great.

Categories: All, Politics

I am calling about the problems you are having with your computer

July 28, 2011 Leave a comment

I just had one of those phone calls about the problems with my computer (they’ve been increasing recently).

I lied. “I don’t have a computer,” I told her.

“Yes, this is about the problems you are having with it.”

“I don’t have a computer,” I repeated.

“But you do have broadband.”

The tone in her voice had changed. She was guessing that I had a computer because she knew that I had broadband.

How did she know that? Is it common knowledge available to anyone? Is it obtained nefariously? Or do our ISPs sell their customer lists?

Categories: All, Security Issues

Facial recognition and digital certificates: true security for mobiles?

July 28, 2011 1 comment

Two separate bits of news that caught my eye are Google’s purchase of PittPatt (a face recognition company as reported by the WSJ), and Entrust’s release of a digital certificate system for smartphones.

Google has acquired a seven-year-old company that develops facial-recognition technology for images and video, though the Web-search giant didn’t say what it plans to do with it.
Google Acquires Facial Recognition Technology Company

What will it do with it? Is it going to add it to Google+ in the same way Facebook introduced face recognition last year? Or will it be built into Android? (Could be both, of course, just like it could equally hive off into a new profit centre offering facial biometrics and recognition to law enforcement and border agencies…).

Bill Conner

Bill Conner, President and CEO, Entrust

Moving on, Entrust yesterday announced and claimed that ‘Entrust IdentityGuard strengthens mobile security with device authentication, network access (VPN), SMIME and application security — all with self-service capabilities’.

You have to look at the detail here. This is a self-service digital certificate for smartphones: “Authorised employees, staff or contractors simply log in to the Entrust IdentityGuard Self Service Module to enroll their mobile device — compatible platforms include the Apple iPhone, Apple iPad, Android, BlackBerry, BlackBerry PlayBook and more — and are issued a digital certificate.”

The problem is that a digital certificate authenticates the identity of the device, not the person using it. I asked Bill Connor, President and CEO of Entrust, to elaborate on the security of the digital certificates themselves.

The Entrust IdentityGuard Self-Service Module offers end users a simple and consistent way to enrol for and install certificates and keys for network access and secure email on their mobile devices.  The certificates and keys are stored within the devices’ native certificate stores and can therefore be leveraged by native device applications such as VPN clients and email clients.  Private keys are thus protected according to the mechanisms employed by the mobile device OS.
Bill Connor

But what if the device is lost, stolen or cloned? Could it be used as an authenticated device by an unauthenticated user?

As the private keys are stored natively by the mobile device, they are protected against device cloning and theft according to the mechanisms employed by the mobile device vendor, including device PIN protection, password protection and hardware-derived keys for the certificate store.  Certificates issued to mobile devices may be easily and immediately revoked by both administrators, through IdentityGuard WebAdmin, and users, via the IdentityGuard Self-Service Module, if/when users become aware of device theft or compromise.
Bill Connor

Notice those two key phrases: ‘according to the mechanisms employed by the mobile device OS’ and ‘according to the mechanisms employed by the mobile device vendor’.

So what we have here is an excellent product from Entrust that will authenticate the device and is perfect for business use; but is reliant on other systems for authenticating the user to the device. But the only way you can really authenticate the user is with biometrics – so we’re back to PittPatt.

It is coincidence rather than conspiracy that I learnt of these two developments on the same day – but what a co-incidence. Put the two together: facial recognition built into the operating system for user authentication and Entrust’s easy-to-use and established certificate system for device authentication and the result would be genuine security for mobile devices.

Two developments to watch, I think!


Categories: All, Security News

The DNA database and the lying government

July 27, 2011 Leave a comment

Good days to bury bad news occur when the existing news is already horrific. And the current news is truly horrific. In the UK we’ve been stunned by the depth and depravity of the press, the revelation that our police force embodies corruption, and that our politicians have been complicit. This against the background of a potential Eurozone implosion and US debt default; either of which could drag the world back into and further beyond any recession ever known. And, of course, the Norwegian massacre.

It was against this background that the UK government quietly announced on Monday that it was backtracking on its promise to remove innocent people’s DNA from the Police DNA database – despite being required by European law to do so. Despicable, underhand and cynical.

But don’t worry, they whisper. The data will be anonymised.

Clearly they think we are stupid. What good is anonymous DNA? If the DNA makes an anonymous match they’ll know that someone out of several million people is the culprit, but won’t know who. Of course it’s not anonymous. Anonymous means ‘unknown name, nameless, incognito, unidentified, unknown, secret’. What they really mean is that if a match is found, a unique code will have to be used to look up the actual name of the owner in a different database.

So to despicable, underhand and cynical we must add liars.


Categories: All, Politics

Anders Breivik: terrorists and the internet

July 25, 2011 Leave a comment

Jon Snow has blogged about Anders Breivik: Norway’s terrorist: a lone wolf?

But Anders Breivik, did not act alone. He swept the extremist sites of the free world for material to stoke his hatred. He was nicely rewarded by entirely legal entities both in Britain and abroad.

The web is a feeding ground for deranged individuals who seek justification for their anger and resentment. The wonder is that we have to go back to Timothy McVeigh, the Oklahoma bomber to find the closest parallel. And that was sixteen years ago – 168 dead, over 600 injured. He was judicially killed in 2001.
Norway’s terrorist: a lone wolf?

It’s a worrying comment. Clearly it’s true. But the first implication – not the statement, but a clear implication – is that we need to do something about it. And that’s what I find worrying.

Years ago the UK government was trying to establish a Key Escrow system so that nobody could use encryption to conceal their actions from law enforcement agencies. All of the liberty-leaning mailing lists were aghast. On one of the more reasonable but vociferous lists, the Home Office had its own advocate, always trying to put the Government point of view. All of this was before 9/11.

In the end, liberty won for now. But one of the last comments from the advocate was effectively, “you wait, it will take only one terrorist outrage for the people to be crying out for more restrictions.”

And then we had 9/11 and the Patriot Act and the anti-terror laws and the illegal invasion of Iraq and everything else. It takes just one terrorist outrage for governments to justify what they want to do anyway: increase their control by limiting our liberty.

Then we must consider the second implication in Jon Snow’s comments: “The wonder is that we have to go back to Timothy McVeigh… to find the closest parallel.” The implication here is just as clear: the internet doesn’t create terrorists. It is used by terrorists and criminals and racists – but it does not create them. Society does that. And repressive laws. And illegal wars.

So as free citizens we should offer our sympathy to Norway and Norwegians and we should grieve with them. But we must never let outrages be used by our governments to take away any more of our liberty.

Categories: All, Politics

Sorry, but I rather like Google; and I especially like Google+

July 25, 2011 Leave a comment

I can’t help it. I like Google. As a security commentator I shouldn’t. But I do. Apart from a few aberrations like Buzz and that email sharing thing that I can’t even remember, Google does good products. And apart from a few aberrations like that WiFi collection episode, it tends to do less evil than many others.

Now we all know there’s no free lunches in this life. Free comes at a price (excluding OSS which I salute!). So I know that there is an unseen contract between me and Google. Use of Gmail, use of Google Docs, use of the search engine is all paid for by my willingness to give up some personal information and receive (in Google’s case, really quite unobtrusive) advertising. (There’s a lot more involved, but so far I accept this contract.)

And now we have Google+. And this I really, really like. Take Facebook. I dislike the way it plays fast and loose with my privacy. And I dislike the way that confessions of last night’s party are available to all of my friends, whether personal or professional. I dislike Facebook.

Now take Twitter. Everybody’s rushing to get as many followers as possible, just to prove a bigger shoe size than everyone else. But to get someone to follow you, you have to follow him, or her, or them if it’s a company. So they follow you along with the other 20,000 tweeters they’re already following. Do you really expect them to see and notice your little tweet among that incessant stream of thousands that they couldn’t read even if they did nothing else all day?

Now take Google+. It gives me greater control over my privacy. It obviously integrates better with my other Google options. And it allows me to separate out, through Circles, my business contacts and my personal contacts, my clients and my suppliers, into as many different categories as I like. It is altogether more versatile, and probably a lot less evil than its competitors. It combines the social networking of Facebook with the information sourcing of Twitter with the business networking of LinkedIn.

Now all it needs is the same number of users as its competitors.

Categories: Uncategorized

Sir Paul Stephenson will be a loss to the House of Lords – what a politician!

July 18, 2011 Leave a comment

Well Sir Paul Stephenson must be hoping for a quick return to power for Labour because he’s never going to get his ermine from a Conservative government now. Which is ironic since he’s just demonstrated a brilliant example of ducking, diving and blame-shifting – absolute paramount pre-requisites for a successful politician.

This Neil Wallis thing is an absurd red-herring. That’s not why he resigned, nor why he had to resign. He has presided over and/or been a senior officer in the most important police force in the UK while it has demonstrated repeated examples of corruption – corruption that the next few weeks is likely to show was more widespread and endemic than we suspect. Unless attention can be diverted elsewhere.

Just like Coulson had to resign from No 10 because he knew things would get worse, so Stephenson has had to resign from the Met. But making a snide remark directed at Cameron draws attention away from the Met, and even away from the hacking. It suits the Labour party, it suits the Met and it suits the press  (who are all wondering who will be next after NoW).

Brilliant politicking. He will be a loss to the House of Lords.


Categories: All, Politics