Archive for September, 2011

Does Neelie’s Compact for the Internet signal the end of net neutrality in Europe?

September 30, 2011 Leave a comment

Neelie Kroes has made another speech: Taking care of the Internet.

It’s another act of political ambiguity full of high-sounding phrases that mean nothing. Even the title is ambiguous: taking care as in nurturing, or taking care as in solving a problem? She has this vision of the internet, her ‘Internet Essentials’. She calls it her ‘Compact for the internet’:

Civic responsibility
One Internet that is
Architecturally sound, inspiring
Confidence and
Transparently governed

It’s nothing more than a contorted sound bite, and when policy is forced into suiting a sound bite we do not get good governance. (Being mono-lingual I can only guess at the effort that has to go into producing multi-lingual sound bite acrostics – or do we have different policies to suit different languages?)

But basically it is the traditional eurocrat speech: I’m good, I believe in freedom, but I may have to exercise control for the benefit of everyone. One paragraph, a single sentence, stands out as being full of platitudinal menace:

Ultimately, different actors have different fields of expertise and responsibility: that must be respected, and due weight must be given accordingly.

That sounds to me like the nail in the coffin of net neutrality.

Taking care of the Internet

Categories: All, Politics, Security Issues

Computer Aid: re-using rather than recycling is a better way to comply with WEEE

September 29, 2011 2 comments
Neelie Kroes in Nairobi's WEEE centre

In politics, one good sound bite is worth a thousand good deeds; and the truth gets mislaid in the middle. This is what happened when Neelie Kroes tweeted: “Me recycling computers at the WEEE centre, #Nairobi”. And there’s another photo of her with a crowd of schoolkids. Africa, kids, recycling… What could be better?

The truth could be better; and the truth is that while recycling is good, re-using is better.

The EU WEEE Directive requires responsible decommissioning for old computers. You can’t just dump them in landfill – that’s irresponsible, dangerous and illegal. So to help responsible decommissioning, manufacturers pay a levy for every computer they sell. This levy then funds the Producer Compliance Schemes, which decommission defunct hardware responsibly – and legally. The problem is that WEEE is passively promoting recycling rather than actively promoting re-use. Consider this:

  • High levels of product replacement and the concentration of energy intensity in the ICT production rather than use phase (80 and 20 percent, respectively) means that any activity that extends the life of ICTs–such as reuse–should be prioritised
  • Reusing working computers is up to 20 times more energy-efficient than recycling them. Also, reuse has lower resource depletion costs than recycling. Thus, the waste hierarchy, which has reuse as more environmentally beneficial than recycling, equally applies to unwanted ICTs as to other wastes
    ICT and the Environment

Change may happen. An amendment to the WEEE Directive is under discussion, and may come to fruition next month (October 2011); and come into UK law next year. The aim is to set a target of 5% re-use on old hardware. Five per cent! Anja ffrench, the director of marketing and communications at Computer Aid (a charity that concentrates on re-using rather than recycling) is too much of a lady to complain. “The European Parliament is proposing a 5% re-use target, which we would most definitely welcome,” she says – although the reality is it should be a 75% target.


Anja ffrench, marketing and communications director, Computer Aid

“Computer Aid,” she told me, “is a WEEE-authorised treatment facility approved by the Environment Agency to take in equipment for re-use. We’re not signed up to any Producer Compliance Scheme – although we use DHL, which does belong to the Producer Compliance Schemes, for any recycling we have to do. So we’re a part of WEEE without directly being a WEEE compliance scheme.”

When you consider the cost of recycling in order to recover a fairly minimal value from the valuable metals contained, combined with the energy cost of manufacturing a new computer, then there is a clear environmental argument in favour of re-use. “And if you donate to a charity like Computer Aid,” continued Anja, “then there is a social argument as well. We take full legal liability for all of the equipment donated to us. We use Ontrack to data wipe all laptops, desktops, servers, and base units – and if for any reason we can’t do that, the disks are crushed and melted. Then it goes to a good cause.” And it’s all certified and guaranteed.

So you can donate to a good cause and have confidence that you are simultaneously destroying any data accidentally left on your systems. Everything that is reusable finds a deserving and needy home, and you can check this on Computer Aid’s Flickr streams.

“We have a waiting list right now for donations of old computers,” said Anja. “We have a continuous need for computers, laptops and monitors.” So, if you want the satisfaction that comes from combining environmental friendliness with legal compliance and adding more than a sprinkling of the warm, fuzzy feeling you get for doing absolutely the right thing, call Computer Aid now on +44 (0) 208 361 5540. Decommissioning should be more re-using than recycling.

Computer Aid

Categories: All

The future of security is analytics and sharing – in conversation with RSA’s Uri Rivner

September 27, 2011 1 comment

I was talking to Uri Rivner – as one does – about the future of security. Uri is Head of New Technologies, Identity Protection at RSA; and knows a thing or two.

But first, some background. Security isn’t working. Ask Google or Sony or Nintendo or Mitsubishi or, indeed, RSA. Nobody is saying we need to chuck out all our existing security products and processes; but we do need to do more to make them work. And that’s what we were talking about.

Uri Rivner, security expert at RSA

“Two things,” said Uri. “Firstly, in the future you will see more advanced analytics: automated detection systems, like the on-line banking fraud detection systems or online credit card fraud detection systems. We will see things that are automated and will learn, rather than have to rely on the rules that an expert writes.” At the moment, much of our attack detection is based on the rule definitions of our security experts; and it is difficult to write a rule to detect something we’ve never seen before. “Computers,” added Uri, “are much better at finding software attacks.”

Hold on to that thought: the future of security is in advanced, intelligent, automated analytics.

“Secondly,” he continued, “the future will include data sharing. Corporates today just don’t share their data with anyone else. If you are under attack, you’re on your own. But the future will have to include some level of data sharing in realtime. There will have to be some way to collaborate in realtime, so that rather than relying just on your own security operatives, you actually rely on the industry’s wisdom to help you find these attacks. In many cases the attackers don’t go after a single specific target; they go after lots of targets within a certain industry or country. So it will be crucial to share data in realtime.

“How will we do it? As always, the devil is in the detail. Not all of the technologies or directions are ready yet. There are tools and technologies that are being deployed as we speak, but I would say that it will take the industry a couple of years to actually do something that has a fighting chance against APT-type attacks.”

There are indeed many problems; not least the reluctance of one company to share information with another that might be, or become, a competitor. Government seems a good starting point, where inter-departmental co-operation can be mandated before ultimately evolving into inter-governmental collaboration. But governments are naturally secretive: they believe their function is to gather intelligence, not to share it out. And then there are the legal pitfalls of multiple jurisdictions, each with subtly different data protection requirements.

But Uri insists on both the necessity and inevitability of data sharing. “The idea is not,” he continued, “to configure a big shared repository and say, hey, we’re under attack. We have to be more subtle. We have to abstract the data, anonymise the data, and we have to do all the things that will make it even legal to share data between competing operations and different countries. But the bottom line is this: we have to do it; it’s a must.

What CISOs want – from the RSA/TechAmerica APT Summit

“Ask any US CISO,” he continued. “The USA has been heavily attacked over the last 18 months, and all the CISOs agree: we want to share data, we want it at machine speed and in realtime, and we don’t want to share it several days later. So we need to work out how we can do this and be both legal and practical. It will happen at some point. The banking sector is already doing this. They actually share data in realtime. Not everybody knows this, but it’s one of the measures the banking sector has already taken. If bank A is being attacked – I’m talking about financial fraud here, not APT – by some hacker or criminal and they learn about it, automatically it goes into a central repository which means that everyone is now protected from this attack. There are ways to solve this sort of thing. Exposure, legal issues, customer trust issues – there are ways to share data.”

So the future of security is in the combination of large-scale automatic and intelligent analytics with wide-scale security data sharing. Now here’s a co-incidence, and it really is purely a co-incidence: on Thursday a new security product that delivers the first and could be used for the second will be announced. I’ll tell you more about that on Thursday.

APT Summit Findings

Categories: All, Security Issues

Infosecurity Virtual Conference: featuring the great and the good and me

September 24, 2011 Leave a comment

Mark this day and keep it clear: Tuesday 27 September. That’s this coming Tuesday. It’s the day of Infosecurity’s Autumn Virtual Conference. And it’s packed full of goodies: secure software development, responsible breach disclosure, tablets in the enterprise, governance and compliance, e-crime, a career in security and, of course, APTs.

And the speakers! Marc van Zadelhoff, Director of Strategy at IBM Security Solutions; Professor John Walker; Microsoft’s Jeremy Dallman; Raj Samani, Strategy Advisor for the Cloud Security Alliance and CTO EMEA at McAfee; Chenxi Wang from Forrester; Paul Simmonds, co-founder of the Jericho Forum; and many more.

Oh yes. And me. E-crime. 11:00am. 27 September. Be there.

2011 UK Infosecurity Virtual Conference – Conference Programme
2011 UK Infosecurity Virtual Conference – Registration

Categories: All, Security News

The European Data Protection Supervisor is like Cnut facing down a tide of bureaucratic encroachment into our privacy

September 24, 2011 Leave a comment

I should preface this post with two comments:

  • My degree is in English Language and Literature. This leaves me sadly unqualified to understand European legalese, for which the minimum of a two-one in Contorted Logic is required.
  • I like Peter Hustinx. I respect the European Data Protection Supervisor. But I cannot see him as anything other than a latter-day Cnut merely demonstrating that nothing can stop the tide of bureaucratic incursion into our personal privacy.

It is with this background that I looked at his latest ‘Opinion’ on the Proposal for a Regulation of the European Parliament and of the Council on European statistics on safety from crime. I own that I struggled as much to understand it as I did to stay awake; and had little success with either.

Article 8(2) to (4) of Directive 95/46/EC and Article 10(2) to (4) of Regulation (EC) No 45/2001 contain exceptions to the prohibition of processing these categories of data. In the present case, Article 8(4) of Directive 95/46/EC and Article 10(4) of Regulation (EC) No 45/2001, which allow the processing of such data for reasons of “substantial public interest”, could apply.

So I readily admit that I have not a clue what this Opinion is about, other than that the EDPS appears to be exhorting the EU to obey EU laws. And that might be the problem. EU law is a complex, contradictory mess. Most people would accept that personal data can be kept private by making it anonymous: if data cannot be associated with any particular individual, then it stays confidential and is effectively anonymous.

The problem is, the EU doesn’t seem to understand what this means.

As regards the possibility of identifying data subjects, two different notions are relevant in the EU legislation on statistics: “confidential data” and “anonymous data”. According to Regulation (EC) No 223/2009, data which allow statistical units (which might be natural persons, households, economic operators or other undertakings) to be “identified, either directly or indirectly”, are considered “confidential data” and are therefore subject to statistical confidentiality. However, Regulation (EC) No 831/2002 defines confidential data as data “which allow only indirect identification”.

Throughout this Opinion, poor Mr Hustinx has continually to specify which piece of EU legislation the EU should, in his opinion, adhere to. That much is simply a farce. But the actual definition of legal anonymity beggars belief:

…the definition provided in Recital 26 of Directive 95/46/EC and Recital 8 of Regulation (EC) No 45/2001, according to which personal data are “rendered anonymous” when the data subject is “no longer” identifiable, taking into account “all the means likely reasonably to be used either by the controller or by any other person to identify the said person”

I have no idea what this means. But this is what it sounds like to me: anonymous does not legally mean anonymous, it means obfuscated. And obfuscation can be called anonymisation if reversing it would defeat the script kiddie in his bedroom. This means that data is still legally anonymous even though it is not anonymous to the supercomputers of our own and/or foreign law enforcement or other agencies, or to any other person or organization willing to use more resources than are ‘likely reasonably to be used’. In short, anonymous is meaningless.
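To show what ‘likely reasonably to be used’ is worth in practice, here is an added example of my own, not code from this post or from the EDPS Opinion. It takes a field that a statistical release might ‘anonymise’ by hashing, a date of birth, and recovers every original value simply by hashing every possible date. A keyed pseudonym defeats that enumeration, but remains reversible by whoever holds the key, which is the point about resources made above. The three records, the release and the secret key are all constructed for the illustration.

```python
# Added example, not from the post or the EDPS Opinion: hashing a low-entropy
# field (a birth date) "anonymises" it only against someone who will not enumerate it.
import hashlib
import hmac
from datetime import date, timedelta

def naive_pseudonym(dob):
    # What a careless statistical release might publish as the "anonymised" birth date.
    return hashlib.sha256(dob.isoformat().encode()).hexdigest()

def keyed_pseudonym(dob, key):
    # HMAC under a secret key: the same enumeration fails without the key, but
    # whoever holds the key can rebuild the table and re-identify every record.
    return hmac.new(key, dob.isoformat().encode(), hashlib.sha256).hexdigest()

def enumerate_dobs(first, last):
    d = first
    while d <= last:
        yield d
        d += timedelta(days=1)

def build_lookup(first, last, key=None):
    # "All the means likely reasonably to be used": every date in the range, hashed.
    # About 41,000 entries for 1900-2011; a laptop builds this in well under a second.
    pseudo = (lambda d: keyed_pseudonym(d, key)) if key else naive_pseudonym
    return {pseudo(d): d for d in enumerate_dobs(first, last)}

def reidentify(pseudonyms, lookup):
    # Map each published pseudonym back to a birth date; None if the table has no match.
    return [lookup.get(p) for p in pseudonyms]

# Constructed sample: three records from a fictional "anonymised" crime-survey release
# and the (constructed) secret the releasing body would keep to itself.
SAMPLE_DOBS = [date(1965, 3, 14), date(1982, 11, 2), date(2001, 7, 30)]
SAMPLE_KEY = b"constructed-secret-held-by-the-statistics-office"
NAIVE_RELEASE = [naive_pseudonym(d) for d in SAMPLE_DOBS]
KEYED_RELEASE = [keyed_pseudonym(d, SAMPLE_KEY) for d in SAMPLE_DOBS]

def demo():
    first, last = date(1900, 1, 1), date(2011, 12, 31)
    public_table = build_lookup(first, last)               # anyone can build this
    insider_table = build_lookup(first, last, SAMPLE_KEY)  # only the key holder can
    return {
        "table_size": len(public_table),
        "naive_recovered": reidentify(NAIVE_RELEASE, public_table),
        "keyed_recovered_by_outsider": reidentify(KEYED_RELEASE, public_table),
        "keyed_recovered_by_key_holder": reidentify(KEYED_RELEASE, insider_table),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The unkeyed release comes back in full from a table of 40,907 hashes; the keyed release resists the outsider’s table and falls to the insider’s. Neither is anonymity in the plain sense: the first depends on nobody trying, the second on who holds the key.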

So the moral of this little post is simple. If any European agency asks for your personal data and promises anonymity, don’t give it up. Europe lies in the classic Orwellian fashion: it redefines the truth.


Categories: All, General Rants, Politics

The worst enemy of women in business is women in politics

September 23, 2011 Leave a comment

I’ve commented on Neelie Kroes’ and Viviane Reding’s EU desire to get more women into the higher echelons of business (Net neutrality and business gender neutrality in the EU) and absolutely endorse the intent. Here in the UK we have our own poor man’s (sorry about the sexism) Kroes/Reding double act in the Harman/Cooper comedy pairing.

Tomorrow, with thanks to Guido for pointing to the excellent WomenOn blog, Harman/Cooper will be hosting a ladies-only meeting + Ed Miliband. Guido, of course, sees the funny side of things:

…Harriet Harman and Yvette Cooper are hosting a ‘What Women Want’ meeting tomorrow at Labour Party conference. What they apparently don’t want is men at the meeting. However Mrs Dromey and Mrs Balls are giving Ed Miliband a sex change for the day and making him an honorary woman so that he can address the meeting of the wimmin.
Ed Miliband to Have Sex Change Tomorrow

WomenOn sees the tragic side:

This is an outrage… It makes all those involved look out-of-touch, but more importantly, it does untold damage to the cause of equality for women. Why should men support equality for women if they are treated in this way?
Men, know your place! Harriet Harman doesn’t want to hear you

And that’s what it is: funny and tragic. The tragedy is that serious businessmen will continue to consider women as a lunatic fringe. All the good work done by Kroes/Reding, and indeed WomenOn, will be undone by the absurdly funny Harman/Cooper double act.

Categories: All, Politics

Apple will be laughing all the way to the bank – as if they need help from Microsoft

September 21, 2011 Leave a comment

Concern is growing that Microsoft might be trying to pull a fast one. Windows 8, shipped with new PCs, is quite likely to lock out any other operating system on that PC. You can get more technical details from the blog of Matthew Garrett:

A system that ships with only OEM and Microsoft keys will not boot a generic copy of Linux.
UEFI secure booting

Ross Anderson also discusses the issue:

There seems to be an attempt to revive the “Trusted Computing” agenda. The vehicle this time is UEFI which sets the standards for the PC BIOS. Proposed changes to the UEFI firmware spec would enable (in fact require) next-generation PC firmware to only boot an image signed by a keychain rooted in keys built into the PC. I hear that Microsoft (and others) are pushing for this to be mandatory, so that it cannot be disabled by the user, and it would be required for OS badging.
Trusted Computing 2.0
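What ‘a keychain rooted in keys built into the PC’ looks like on a real machine is not abstract. A Linux kernel exposes the firmware’s variables under /sys/firmware/efi/efivars, and two of them answer the practical questions: SecureBoot says whether signature checking is being enforced, and db is the signature database of X.509 certificates and image hashes that the firmware will then accept. The following is an added example of my own, not code from this post, from Matthew Garrett’s or Ross Anderson’s articles, or from any vendor. It parses those two variables in the EFI_SIGNATURE_LIST layout and, because a machine without UEFI has no such files, falls back to constructed sample blobs whose owner GUID and ‘certificate’ bytes are placeholders rather than real keys.

```python
# Added example: read UEFI Secure Boot state and the firmware "db" signature database.
# Not code from the post, from Matthew Garrett's blog or from any firmware vendor.
import hashlib
import struct
import uuid
from pathlib import Path

EFIVARS = Path("/sys/firmware/efi/efivars")  # efivarfs, mounted by Linux on UEFI boxes
EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"  # SecureBoot, PK, KEK
EFI_IMAGE_SECURITY_DATABASE_GUID = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"  # db, dbx
SIGNATURE_TYPES = {
    "a5c059a1-94e4-4aa7-87b5-ab155c2bf072": "x509",    # EFI_CERT_X509_GUID: DER cert
    "c1c41626-504c-4092-aca9-41f936934328": "sha256",  # EFI_CERT_SHA256_GUID: image hash
}
HEADER_LEN = 16 + 12  # SignatureType GUID + SignatureListSize/HeaderSize/SignatureSize

def guid_to_bytes(text):
    return uuid.UUID(text).bytes_le  # UEFI stores GUIDs in the mixed-endian layout

def guid_from_bytes(raw):
    return str(uuid.UUID(bytes_le=bytes(raw)))

def strip_efivar_attributes(blob):
    # Every efivarfs file starts with a 4-byte attribute word, then the variable data.
    if len(blob) < 4:
        raise ValueError("efivar blob too short")
    return blob[4:]

def secure_boot_enabled(blob):
    # SecureBoot holds one byte: 1 means the firmware is enforcing signatures.
    data = strip_efivar_attributes(blob)
    return len(data) >= 1 and data[0] == 1

def parse_signature_lists(data):
    # db/dbx/KEK are concatenated EFI_SIGNATURE_LISTs; each holds fixed-size
    # EFI_SIGNATURE_DATA entries of SignatureOwner GUID + SignatureData.
    entries, off = [], 0
    while off < len(data):
        if len(data) - off < HEADER_LEN:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        kind = SIGNATURE_TYPES.get(guid_from_bytes(data[off:off + 16]), "unknown")
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, off + 16)
        end = off + list_size
        if list_size < HEADER_LEN or end > len(data) or sig_size < 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        pos = off + HEADER_LEN + hdr_size
        while pos + sig_size <= end:
            payload = bytes(data[pos + 16:pos + sig_size])
            entries.append({
                "type": kind,
                "owner": guid_from_bytes(data[pos:pos + 16]),
                "data": payload,
                # cert fingerprint to compare with a vendor's published CA; hash as-is
                "fingerprint": hashlib.sha256(payload).hexdigest() if kind == "x509" else payload.hex(),
            })
            pos += sig_size
        off = end
    return entries

def build_signature_list(sig_type, owner, signatures):
    # Inverse of the parser; used only to construct the sample data below.
    body = b"".join(guid_to_bytes(owner) + s for s in signatures)
    sizes = struct.pack("<III", HEADER_LEN + len(body), 0, 16 + len(signatures[0]))
    return guid_to_bytes(sig_type) + sizes + body

def report(secureboot_blob, db_blob):
    # The two questions that matter: is it enforcing, and whose keys/hashes are trusted?
    entries = parse_signature_lists(strip_efivar_attributes(db_blob))
    return {"enforcing": secure_boot_enabled(secureboot_blob),
            "x509": [e for e in entries if e["type"] == "x509"],
            "sha256": [e for e in entries if e["type"] == "sha256"],
            "entries": entries}

# Constructed sample data: placeholder owner GUID and fake certificate bytes, no real keys.
ATTRS = struct.pack("<I", 0x6)  # EFI_VARIABLE_BOOTSERVICE_ACCESS | RUNTIME_ACCESS
SAMPLE_OWNER = "11111111-2222-3333-4444-555555555555"
SAMPLE_IMAGE_HASH = hashlib.sha256(b"constructed-bootloader-image").digest()
SAMPLE_FAKE_CERT = b"\x30\x82not a real DER certificate"
SAMPLE_SECUREBOOT_ON = ATTRS + b"\x01"
SAMPLE_DB = ATTRS + build_signature_list(
    "c1c41626-504c-4092-aca9-41f936934328", SAMPLE_OWNER, [SAMPLE_IMAGE_HASH]
) + build_signature_list(
    "a5c059a1-94e4-4aa7-87b5-ab155c2bf072", SAMPLE_OWNER, [SAMPLE_FAKE_CERT]
)

def read_efivar(name, guid):
    path = EFIVARS / f"{name}-{guid}"  # None when not running under UEFI Linux
    return path.read_bytes() if path.exists() else None

if __name__ == "__main__":
    sb = read_efivar("SecureBoot", EFI_GLOBAL_VARIABLE_GUID) or SAMPLE_SECUREBOOT_ON
    db = read_efivar("db", EFI_IMAGE_SECURITY_DATABASE_GUID) or SAMPLE_DB
    result = report(sb, db)
    print("Secure Boot enforcing:", result["enforcing"])
    for e in result["entries"]:
        print(f"  {e['type']:6} owner={e['owner']} {e['fingerprint'][:32]}...")
```

Run on a UEFI Linux machine with efivarfs mounted and readable, it reports the real state; anywhere else it reports on the constructed sample. A db whose only x509 entries are an OEM certificate and a Microsoft certificate, with SecureBoot enforcing, is exactly the system Garrett describes as unable to boot a generic Linux.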

But we needn’t worry, because EDRi points out that it would all be illegal in Europe:

This measure would be illegal according to EU competition law, such as article 102 of the EU Treaty, as it would give the possibility for a company to leverage a dominant position on one market (operating systems) in order to become dominant on another market (hardware).
Free operating systems might be blocked by Windows 8

Isn’t it reassuring (not – if you don’t recognise sarcasm) that the EU has such a strong record in enforcing its laws against big business. Apple will be rubbing its hands in glee at the thought that disgruntled PC users might flock to the Mac and its Boot Camp software (which partitions the disk so that Windows can run on the same machine). Better still, if Microsoft persists with this idea, vote with your feet and migrate to Mac or Linux or anything that isn’t Microsoft.