I give you two blogs. The first is Slog (a contraction of ‘the bollocks log’) from the pen of John Ward. The second is Informationlaw, from the pen of Ibrahim Hasan, a lawyer specialising in information law including data protection, freedom of information and surveillance law.
From the first I give you the quote of the year:
You see, while the EU is deluded, disorganised, retarded and obese, it will never match the UK for stark-staring intelligent madness. As and when the EU finally implodes, this means we can go back to being global brand leader in bollocks.
Intelligent British bollocks will soon be a world leader once again
And from the second a discussion on how the government intends to remove some of the madness from the Regulation of Investigatory Powers Act (RIPA). For those out of the loop, RIPA, basically an anti-terrorist law, has been used by local councils to monitor dog fouling, watch constituents who leave their waste bins out too early or too late, and follow children home from school to discover where they live. The government is ‘amending’ this with its new Protection of Freedoms Bill currently going through Parliament. But…
The Government has forgotten to do anything about section 80 of RIPA which says that RIPA is permissive legislation. This point was explained more fully by the Investigatory Powers Tribunal in the case of C v The Police (Case No: IPT/03/32/H 14th November 2006 http://www.ipt-uk.com/default.asp?sectionID=17):
“Although RIPA provides a framework for obtaining internal authorisations of directed surveillance (and other forms of surveillance), there is no general prohibition in RIPA against conducting directed surveillance without RIPA authorisation…”
Changes to RIPA – Will they have the desired effect?
QED, Slog; but I suggest that we’re not even waiting for the implosion.
Isn’t this wonderful? Google, never one to miss an advertising opportunity, advertises ‘Spam Swiss Pie’ in my Spam folder.
Strictly speaking, of course, they’ve got it wrong (although it could be part of the joke): it should be SPAM not spam. It’s a genuine recipe using the SPAM meat product, reproduced here from recipesource.com.
Marnix Dekker, one of the authors of the ENISA report on Appstore Security, has responded to my post in its comments (Appstore security: a new report from ENISA) and I would like to thank him for doing so. It’s worth reading, and I reproduce it here in full:
As one of the authors, allow me to briefly reply to your comments.
First of all thank you for reviewing the paper, I appreciate the feedback. Rants can be very refreshing.
It is true that the lines of defense are not in any way controversial and may seem obvious. We felt that there was the need to outline the different defenses that can be used, as most of the app stores and platforms are not very explicit about these defenses. This is confusing for consumers.
Allow me to comment on your criticism of the killswitch. I would like to note that we do not exclude that there are other (than military) settings where a killswitch is unwanted. Bear in mind that most of the users do not want to keep malware on their device. We even mention that an opt-out where appropriate should be offered.
About jails: We are not saying that jailbreaking should be illegal, or that consumers should have no means of using alternative appstores… only that this should not be made so easy as to allow drive-by download attacks (email+link, genuine looking appstore, install approval, click, infected).
Your alternative proposal, to hold appstores liable for software vulnerabilities, is really a legal solution. I think it is a very interesting subject, but (big disclaimer) I am not a legal expert:
Some issues with this:
- It would be easy to set up a rogue appstore, run it from some obscure country, fill it with some infected apps. It would also be relatively easy to trick users into installing from there. Your solution, to simply find a suspect, and a court to fine, sounds to me a bit complicated. Just think of all the extradition procedures, harmonisation of laws, etc. that would be needed. Let’s ignore rogue appstores in the sequel.
- If I look at other platforms/software I do not see many consumers being granted compensation by courts, nor do I see many software vendors being fined for selling/distributing flawed software. Now this could change in the future, but I think we should address security in the meantime as well.
- Secondly, judges usually start fining people when it is clear they have been negligent or had malicious intent. That requires some kind of definition/agreement of what are best practices and sufficient measures/defences.
- Another issue with liability is – I think – the following: Imagine the opensourcing of software to continue. Android, Linux, Openoffice, etc, are examples of this trend: A couple of volunteers decide to solve a problem (text editing say) by writing some software routines (say openmoko)… they publish them free of charge and they disclaim that you should only use this software at your own risk. Would you think it is fair to still fine them for flaws? What I am trying to say is that there are numerous examples of free opensource software/apps/platforms, and that we still need to address security there as well. Do you agree that the liability solution would only work for commercial software/platforms? In that case, what do we do about the rest?
Looking forward to discussing this with you – software liability is a fascinating topic
The day after the Russian embassy in London was taken out by a DDoS attack (was it Russians objecting to a visit by a UK prime minister who had declined to join the KGB; or the Blue Rinse objecting to him going there at all) I was speaking to Adam Rice, global chief security officer for Tata Communications. He had just announced that Tata’s DDoS detection and mitigation service is now available to any company operating on the internet irrespective of its network provider (ISP). Tata Communications is a tier 1 ISP, and the fourth largest in the world. “With this scale, we have successfully defended every DDoS attack levied against our customers. By expanding our offering to be network agnostic, we’re now making the capability available to a much larger community – a community that requires access to a high-capacity infrastructure where their traffic can be scrubbed rather than black-holed.” It was an opportune time to learn more about DDoS in general, and Tata’s detection and mitigation service in particular.
“DDoS,” he told me, “by its very nature is an attack that overwhelms the target’s resources, so we’ll see an increase in traffic going to the customer. It might ramp up slowly or very quickly, but it draws our attention.” The key to this is a monitoring tool used for its customers. “The tool that we deploy becomes smarter and smarter over time. It analyses what is considered normal traffic for a site; and it does that for what is normal on a Tuesday at lunchtime, or what’s typical for a weekend, or what’s typical during Christmas. The longer we have these sites under management, the more the tool understands what is normal traffic.
“So when we begin to see variations against the mean,” he went on, “if the standard deviation goes beyond a certain point, left or right of normal, then an alert will occur. And that can be caused by either volumes or types of traffic. DDoS attacks come in several different flavours, and the tool will be able to see the kind of attack from the metadata of the packet. So we can tell whether it’s a UDP attack or a SYN flood attack or any other variety of DDoS attack. When the traffic crosses our threshold, then an alert is sounded and one of our security analysts will go in and, with the help of the tool, determine what type or types of attack is under way (usually the attacks can be mixed) and then we apply our filters which will scrub the bad out and deliver clean back.”
An attack, he told me, can build up pretty fast, but is detected before it can overwhelm the target. “We’ll see it coming from the four corners of our network. Although some of the traffic originates from within our network a lot of it comes from other networks, so we’ll see it coming through the peering points with other tier 1 ISPs [a peering point is the place where multiple networks meet and pass traffic from one to the other] – it doesn’t turn on like a light switch; we’ll see the traffic volume begin to build, build, build; and then depending on the SLAs that we’ve agreed with our customer, we do have thresholds that we watch. For a DDoS attack to be a DDoS attack it needs to have a certain volume, and once it crosses the threshold, we’ll alert the customer and let them know what’s going on and, with advice, ask them if they’d like us to mitigate. That’s typically how we do it.”
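To make Adam’s description concrete, here is a small Python sketch. It is an illustration added to this post, not Tata’s tool (whose internals he did not describe): it keeps a separate traffic baseline for each (weekday, hour) bucket so that Tuesday lunchtime and a weekend night are judged against their own normal, raises an alert only when a sample sits more than three standard deviations from that mean and also clears an absolute packets-per-second floor standing in for the SLA threshold, and labels the flavour of the attack from protocol and TCP-flag metadata in a packet sample. The buckets, the 3-sigma trigger, the 5,000 pps floor, the 30% share that earns a label, and the traffic history and packet samples are all my assumptions, constructed for the example.

```python
"""Baseline-and-deviation DDoS detection over constructed traffic samples.

Added illustration, not Tata Communications' tool. Assumptions (not from the
interview): baselines are kept per (weekday, hour) bucket, an alert needs a
3-sigma deviation AND an absolute packets-per-second floor standing in for
the customer's SLA threshold, and attack flavour is read from protocol and
TCP flags in a packet sample.
"""
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean, pstdev


def bucket(ts):
    """'Tuesday at lunchtime' and 'Saturday 3am' get separate baselines."""
    return (ts.weekday(), ts.hour)


class Baseline:
    """Per-bucket history of observed packets-per-second (pps)."""

    def __init__(self):
        self.samples = defaultdict(list)

    def learn(self, ts, pps):
        self.samples[bucket(ts)].append(pps)

    def zscore(self, ts, pps):
        """How many standard deviations pps sits from this bucket's mean, or None."""
        hist = self.samples.get(bucket(ts))
        if not hist or len(hist) < 2:
            return None  # nothing learned for this bucket yet
        mu, sigma = mean(hist), pstdev(hist)
        if sigma == 0:
            sigma = max(1.0, 0.05 * mu)  # flat history: assume 5% jitter
        return (pps - mu) / sigma


def classify(packets):
    """Read attack flavour(s) from packet metadata.

    packets: list of dicts such as {"proto": "tcp", "flags": "S"} or {"proto": "udp"}.
    Every flavour making up at least 30% of the sample is reported, so a mixed
    attack yields several labels.
    """
    if not packets:
        return []
    counts = Counter()
    for p in packets:
        if p["proto"] == "udp":
            counts["udp_flood"] += 1
        elif p["proto"] == "tcp" and p.get("flags") == "S":
            counts["syn_flood"] += 1  # bare SYNs that never complete a handshake
        elif p["proto"] == "icmp":
            counts["icmp_flood"] += 1
    return sorted(k for k, v in counts.items() if v / len(packets) >= 0.30)


def evaluate(baseline, ts, pps, packets, sla_pps, k=3.0):
    """Return (alert, reasons).

    A statistical deviation alone is not an attack: the volume must also clear
    the absolute floor agreed with the customer (sla_pps).
    """
    z = baseline.zscore(ts, pps)
    if z is None:
        return False, ["no baseline for this bucket"]
    if z < k:
        return False, [f"z={z:.1f} within {k} sigma of normal"]
    if pps < sla_pps:
        return False, [f"z={z:.1f} but {pps} pps is below SLA floor {sla_pps}"]
    return True, [f"z={z:.1f}"] + (classify(packets) or ["unclassified"])


# Constructed history: four Tuesdays at noon and four Saturdays at 3am (Aug 2011).
HISTORY = [
    (datetime(2011, 8, d, 12), pps) for d, pps in zip((2, 9, 16, 23), (1000, 1050, 980, 1020))
] + [
    (datetime(2011, 8, d, 3), pps) for d, pps in zip((6, 13, 20, 27), (200, 210, 190, 205))
]
# Constructed packet samples.
SYN_SAMPLE = [{"proto": "tcp", "flags": "S"}] * 8 + [{"proto": "udp"}, {"proto": "tcp", "flags": "A"}]
MIXED_SAMPLE = [{"proto": "tcp", "flags": "S"}] * 5 + [{"proto": "udp"}] * 4 + [{"proto": "icmp"}]
ATTACK_TS = datetime(2011, 8, 30, 12)  # a Tuesday lunchtime
QUIET_TS = datetime(2011, 9, 3, 3)     # a Saturday night
SLA_PPS = 5000


def build_baseline():
    b = Baseline()
    for ts, pps in HISTORY:
        b.learn(ts, pps)
    return b


if __name__ == "__main__":
    b = build_baseline()
    print(evaluate(b, ATTACK_TS, 50000, SYN_SAMPLE, SLA_PPS))  # alert, labelled syn_flood
    print(evaluate(b, QUIET_TS, 1000, SYN_SAMPLE, SLA_PPS))    # big deviation, but below the floor
```

The second call is the point Adam makes about volume: 1,000 pps on a Saturday night is a hundred-odd sigma from that bucket’s mean, yet it is still not a DDoS by the customer’s threshold, so it would be noted rather than mitigated.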
The next stage is to channel the traffic to Tata’s laundry sites. “We announce a route across our network that is advertised almost instantly across the entire internet. It draws in all the traffic destined for our customer to our scrubbing clusters that are situated globally near a peering point and we will scrub the traffic and then deliver it to the customer nice and clean.” Two things I wondered: how accurate is this scrubbing? and could the scrubbing clusters themselves be overwhelmed?
“We don’t start mitigating the attack,” he replied, “until after we’ve had a conversation with the customer. We do this every day, hundreds of times a month, with very large volumes of traffic. Before we start mitigating, customers have a hard time getting to their site, and after, we have no complaints. I am sure that legitimate traffic in some fashion now and then gets dropped. I think that’s inevitable. Any claim that we could get 100% accuracy on our filters would be wrong – but if we do drop good traffic it is an insignificant volume and would simply require the user to refresh the browser to get back.”
What about being overwhelmed? “That’s the big advantage – and one of the biggest advantages,” he said, “in having a very large network behind us. DDoS attacks are all about capacity; and we have the capacity. Tata Communications is the fourth largest ISP on earth. Theoretically, if we were to have a purely academic discussion, it is possible that any network could be overwhelmed; but there are a lot of reasons why that would be very unlikely. But if you were to buy your DDoS mitigation service from a provider that didn’t have such a large network then I think you are taking away one of those critical attributes of any DDoS mitigation service: having that huge network behind you to absorb the traffic, because that’s really what you need to do.”
But what about the future? How can we prevent DDoS attacks from happening rather than just mitigate against them succeeding? Adam didn’t specifically say so, but I got the impression that’s a long way off. “We think that the majority of the sources of the attacks are infected PCs or laptops,” he commented. And we all know how secure the average home computer tends to be. “Usually, the source address is fake. There are other clues that enable us to track back to the source so we can get a geographical idea – often Eastern Europe or Asia – but DDoS is generally truly global.” And that’s a problem in itself. “If one of our own users is knowingly or unknowingly participating in a DDoS attack, that user is violating our acceptable use policy and we will tell them that they have to stop that.” In other words, Tata can try to keep its own network clean. “But Tata Communications works in almost 200 international jurisdictions. The privacy laws in Europe are a great example of exactly why it is impossible for us to be proactive – whether we would want to or not doesn’t really matter, it is actually illegal in many countries and jurisdictions for us to even monitor our own networks for that kind of traffic if it is customer data.” And if the traffic is coming in via a peering point from another ISP, the problem just gets more difficult.
So since there’s no quick fix to the DDoS problem, I guess we’d better just carry on mitigating them. Pass it on to the Russian Embassy.
I’ve said it before, but it’s worth saying again: government is the biggest identity thief. And I’m so glad that I’m not alone in thinking this. VirusBarrier, the anti-malware product I use on Mac, agrees. It detected Her Majesty’s Revenue and Customs as a phishing site.
Sadly, the window saying this disappeared before I was able to ‘grab’ it. But good old VirusBarrier just blocked the page anyway.
Beware: http://www.hmrc.gov.uk is a phisher!
As the great European super tanker stumbles on towards economic implosion and, let’s face it, potential breakup, have you ever thought that perhaps, maybe, they should just ease up a bit on their increasingly interventionist policies against the individual?
Dream on. If you think that the EU is already too intrusive against citizens who are British first (or German, or Dutch or Spanish or whatever) and European second, think again. European law supplants national law. The EC has announced its intention to train 700,000 legal professionals in EU law.
The European Commission has set a clear target for increasing the numbers of judges, prosecutors, lawyers and other legal practitioners trained in European law. In a policy paper agreed today, the European Commission aims to ensure that half of all legal practitioners in the European Union – around 700,000 – participate in some form of European judicial training by 2020. The aim is to equip legal practitioners to apply European law…
European Commission sets goal of training 700,000 legal professionals in EU law by 2020
ENISA, the European Network and Information Security Agency, has produced a new report: Appstore security – 5 lines of defence against malware. Its purpose is to help the burgeoning app store market protect against infiltration by malapps (not a widely used word yet, but watch it grow): smartphone apps that pose as legitimate apps but are really just plain malware.
The five lines of defence range from the bleeding-obvious through good-idea-but-don’t-hold-your-breath to illustrations of the-conflict-between-security-and-liberty. They are
- App review – bleeding obvious but not foolproof
- Reputation – not foolproof
- Kill switch – hang on a bit
- Sandboxed apps – bleeding obvious
- Jailing – hang on a bit more
App reviews should obviously be done. But they’re not foolproof and are time-consuming and costly. New app stores will minimise them in order to reduce their own costs and speed the population of the store. Even where they are performed, with or without the help of automated testing, there is no guarantee against false negatives.
Reputations can be manipulated. Cyber criminals have shown that they are willing to play the long game. With enough time and resources it would be easy enough to release a few genuine, good apps and then, with a good reputation established, slip in the bad one.
Kill switch. I don’t want one. And they don’t necessarily work. If I buy something, it is mine (I’m sick of the industry selling me something and then revealing later or in the small print that I only rented it). If I buy it, it’s mine. Therefore only I should be able to remove it. Not the software developer, not the app store, not the device manufacturer, not law enforcement and not the government. And anyway, they don’t work. DroidDream foiled the Android kill switch by simply operating outside of the sandbox. Here’s a good security principle: if something can be set up by software, it can be taken down by software. And another thing:
in a military setting, apps may be mission-critical and the app revocation mechanism may need to be turned off.
I’m not sure that I like being told that only the military has mission critical apps. My apps are critical to me.
Sandboxing. Now that is a good idea. It probably has more to do with the OS developer than the app store provider, but it’s still a good idea. It may not work, or even be possible, in all cases; but it’s still a good idea.
Jailing. Again, this has more to do with the OS developer and the hardware manufacturer than the app store itself. And again, if something is mine, I don’t want a third party telling me what I can do with it. It may be good security but it infringes my rights as a human being.
You may think I’m being overly critical and a bit frivolous, but I’m not. This report will make not one iota of difference to the app market. I wish ENISA and all the myriad other European agencies would spend the time and money we spend on them on something more worthwhile. Especially when the solution to malapps is easy: make the app stores liable. Make them liable for any losses incurred through malapps bought or downloaded from them. And where there is no measurable loss, simply fine the pants off them. That will stop malapps from app stores in their tracks.