Archive for May, 2012

My news stories on Infosecurity Magazine, 31 May 2012

May 31, 2012

My news stories today:

US difficulties over Megaupload case continue
In April we reported that a US judge voiced doubts over whether Megaupload would ever get to trial in the US; now there are doubts it will even get to the US.
31 May 2012

Military grade chips may not be as secure as we think
Sergei Skorobogatov and Chris Woods have discovered a backdoor into a military grade chip, permitting ‘a new and disturbing possibility of a large-scale Stuxnet-type attack via a network or the Internet on the silicon itself’.
31 May 2012

Today is a key day for ACTA in Europe
Three EU committees are today due to make recommendations on ACTA. So far, two have reported: do not ratify ACTA, they tell the European Parliament.
31 May 2012

Categories: All, Security News

The changing face of European politics

May 31, 2012

Today all three European parliament committees due to vote on their ACTA recommendations came out clearly: do not ratify ACTA.

Courtesy of Rick Falkvinge, we ask: is this the beginning of the end for the old order? Is this the changing face of European politics?

Categories: All, Politics

My news stories on Infosecurity Magazine, 30 May 2012

May 30, 2012

My news stories today:

Flaming Hack: What does ‘Flame’ mean for the rest of us?
We’ve all heard about Flame, the ‘mother of all cyberweapons’, the attack tool that takes cyberwarfare to a new level. But what does it actually mean for the rest of us?
30 May 2012

Neelie Kroes Promises champagne connection – for the wealthy
Neelie Kroes, European Commissioner for the Digital Agenda, has promised a champagne connection for those who can afford it.
30 May 2012

Assange’s appeal fails: extradition lawful – everything left to play for
By a majority of 5 to 2 (Lord Mance and Lady Hale dissented) the UK supreme court has this morning ruled that Julian Assange’s extradition to Sweden is lawful, “and his appeal against extradition is accordingly dismissed.” Assange was not present in court.
30 May 2012

Categories: All, Security News

My news stories on Infosecurity Magazine, 29 May 2012

May 29, 2012

My news stories today:

Flame proves cyberwarfare is active
Cyberwarfare is an emotive and contentious issue. But the emergence of an extensive and sophisticated attack toolkit, Flame, apparently targeted against Iran removes all doubt: cyberwar is here and active.
29 May 2012

Google Apps for Business gets ISO 27001 certification
Google’s achievement in gaining ISO 27001 certification should be applauded; but users must remember that security in the cloud is a partnership between provider and user.
29 May 2012

Yahoo and TalkTalk confirm human error as security weakness
Two recent and separate events, involving Yahoo and TalkTalk, demonstrate that no amount of security policy or product can defend against the one great security weakness: human error.
29 May 2012

Categories: All, Security News

My news stories on Infosecurity Magazine, 28 May 2012

May 28, 2012

My news stories today:

iOS 5.5.1 jailbreak done; iOS 6 jailbreak pending
On Friday, the iOS 5.5.1 untethered jailbreak, Absinthe 2, was released. Now the same team is already working on a jailbreak for iOS 6. But users should consider this: you’re on your own if you jailbreak.
28 May 2012

UK’s new cookie law came into effect Sunday
UK websites can now only use cookies with the informed consent of their visitors. That’s the law – but is still far from the practice.
28 May 2012

Corporate response to mobile threats still confused
Tenable Network Security has released research from the RSA Conference 2012 and Infosecurity Europe 2012 comparing US and UK attitudes towards the mobile threat: confused, contradictory and inconsistent.
28 May 2012

Categories: All, Security News

Why did TheWikiBoat’s OpNewSon fail?

May 26, 2012

TheWikiBoat’s OpNewSon, which commenced at midnight on Friday 25th May, falls somewhere between a fail and an abject fail.

It was announced on 11 April. “On the day of the operation, we plan to hit and attack several high corporate entities,” said TheWikiBoat. “Those targets are none other than the ones who ultimately rule: the high revenue making companies of the world.” The attack would be multi-phased: first a DDoS, followed by a hack resulting in the leak of “highly classified data from the targets”.

Somehow, this description grew into an attack on 46 major global companies, including Bank of America, Apple, Wal-Mart, Tesco and others. I can find no source for this, so it could be either journalistic licence or a passing comment on an IRC channel. I did a preview of OpNewSon on Infosecurity Magazine: TheWikiBoat’s OpNewSon fires today.

But OpNewSon never matched its claims. In the event, it seems that only one site, BethBlog, was attacked with debatable success. BethBlog is the online home of Bethesda Software, a game developer and publisher and not of “the ones who ultimately rule”. In security terms it would be classified a soft target.

So what do we make of TheWikiBoat now? Is it a group of wannabees looking for the notoriety of LulzSec and the fame of Anonymous, but with more chutzpah than skill? That is bound to be the first reaction, and it may well be right. It may also be wrong.

TheWikiBoat seems to be blaming VoxAnon for pulling the IRC channel and effectively leaving the wiki boat without a rudder. Given the global nature of its members and the many different time zones involved, it became impossible to focus the fire power. Could be. Or it could be the group just didn’t get the LOIC critical mass; it could be they didn’t have the fire power to focus.

Either way, you cannot imagine either Anonymous or LulzSec making such a mess of such a well-publicised plan. Personally, I hope TheWikiBoat disbands. If they have skills, then they should use their skills for good. Lulz for lulz’ sake is just childish. And if they are wannabees, they should simply grow up. There is already too much wrong in this world to add to it.

Categories: All, Security Issues

News stories on Infosecurity Magazine: 17, 18, 21 and 22 May, 2012

May 25, 2012

My recent news stories…

Security: do as I say, not as I do
While the role of the CISO is increasingly recognized – usually reporting directly to the board and sometimes sitting on the board – the problems it faces are highlighted by a new Cryptzone survey: security policy doesn’t apply to senior management.
25 May 2012

The rightsholders’ war of attrition against the internet
Google’s Transparency Report now provides a new section on copyright, “disclosing the number of requests… to remove Google Search results because they allegedly link to infringing content.”
25 May 2012

TheWikiBoat’s OpNewSon fires today
TheWikiBoat, a new hacking group that uses techniques and tools similar to Anonymous, but for the lulz rather than the principle, plans to launch its first major operation, #OpNewSon, today.
25 May 2012

Google describes the winning hack at Pwnium
Each year the CanSecWest conference runs the Pwn2Own hacking contest against leading browsers: Chrome, Firefox, IE and Safari. This year Google withdrew its sponsorship and set up its own Chrome-specific contest: Pwnium, an extension of the Chromium Security Rewards program.
24 May 2012

Clueful – an app to describe app behavior
Earlier this year social networking company Path was hauled over the coals by both users and Apple for automatically uploading users’ iPhone address books. This, says Apple, is “in violation of our guidelines.”
24 May 2012

FCC’s net neutrality rules may be tested by VoIP
Bad blood in a local dispute in Georgia leads to a request for the FCC to proceed “with corrective action as required or as deemed necessary… to protect the national and global interest of the public and the internet application industry alike.”
24 May 2012

Long-standing secret meetings between Canadian telcos and government on C-30
Michael Geist, a law professor at the University of Ottawa specializing in internet and e-commerce law, has discovered secret talks between Canadian telcos and the government on internet surveillance.
23 May 2012

McAfee Q1 Threats Report
The latest quarterly McAfee threats report shows cyber threats increasing across the board: PC, Mac, mobile malware; botnets and hacktivism are all on the rise.
23 May 2012

Monday Mail Mayhem: Anonymous dumps 1.7GB from the DoJ
Monday Mail Mayhem was this week launched by Anonymous starting with the Pirate Bay dump of a 1.7GB database stolen from the Department of Justice, and the release of the traditional Anonymous video announcement.
23 May 2012

Categories: All, Security News

The antidote to security: 24 May 2012

May 24, 2012

To the Moor today; from Saddle Bridge down the brook to the stepping stones over the West Dart and on…

Categories: All

News stories on Infosecurity Magazine: 17, 18, 21 and 22 May, 2012

May 22, 2012

My recent news stories…

You don’t need to be hacked if you give away your credentials
GFI Software highlights the problems of users’ carelessness with their credentials: who needs hacking skills when log-on details are just handed over?
22 May 2012

A new solution for authenticating BYOD
New start-up SaaSID today launches a product at CloudForce London that seeks to solve a pressing and growing problem: the authentication of personal devices to the cloud.
22 May 2012

New HMRC refund phishing scam detected
Every year our tax details are evaluated by HMRC. Every year, a lucky few get tax refunds; and every year, at that time, the scammers come out to take advantage.
22 May 2012

UK government is likely to miss its own cloud targets
G-Cloud is the government strategy to reduce IT expenditure by increasing use of the cloud. It calls for 50% of new spending to be used on cloud services by 2015 – but a new report from VMware suggests such targets will likely be missed by the public sector.
21 May 2012

New Absinthe 2.0 Apple jailbreak expected this week
The tethered jailbreak for iOS 5.1, Redsn0w, still works on iOS 5.1.1. This week, probably on 25 May, a new untethered jailbreak is likely to be announced at the Hack-in-the-Box conference.
21 May 2012

TeliaSonera sells black boxes to dictators
While the UK awaits details on how the proposed Communications Bill will force service providers to monitor internet and phone metadata, Sweden’s TeliaSonera shows how it could be done by selling black boxes to authoritarian states.
21 May 2012

Understanding the legal problems with DPA
We have known for many years that the EU is not happy with the UK’s implementation of the Data Protection Directive – what we haven’t known is why. This may now change thanks to the persistence of Amberhawk Training Ltd.
18 May 2012

Who attacked WikiLeaks and The Pirate Bay?
This week both The Pirate Bay and WikiLeaks have been ‘taken down’ by sustained DDoS attacks: TPB for over 24 hours, and WikiLeaks for 72. What isn’t known is who is behind the attacks.
18 May 2012

BYOD threatens job security at HP
BYOD isn’t simply a security issue – it’s a job issue. Sales of multi-function smartphones and tablets are reducing demand for traditional PCs; and this is hitting Hewlett-Packard.
18 May 2012

25 civil servants reprimanded weekly for data breach
Government databases are full of highly prized and highly sensitive personal information. The upcoming Communications Bill will generate one of the very largest databases. The government says it will not include personal information.
17 May 2012

Vulnerability found in Mobile Spy spyware app
Mobile Spy is covert spyware designed to allow parents to monitor their children’s smartphones, employers to catch time-wasters, and partners to detect cheating spouses. But vulnerabilities mean the covertly spied-upon can become the covert spy.
17 May 2012

Governments make a grab for the internet
Although the internet is officially governed by a bottom-up multi-stakeholder non-governmental model, many governments around the world believe it leaves the US with too much control; and they want things to change.
17 May 2012

Categories: All, Security News

The Good Constitution of Lord Justice Laws

May 20, 2012

There is a wonderful read that made my blood boil and my heart leap in hope, in equal measure, alternately. It is the David Williams Lecture delivered by Lord Justice Laws this very month: The Good Constitution.

Let me start with the background as I understand it. The British Constitution is in flux. It has always been so, because it is the accumulation of the judiciary’s interpretation of the legislature’s laws. There is no formal, written, immutable Statement of Constitution; so what we have evolves – the judiciary effectively makes it up as we go.

But this strange and somewhat delicate state of affairs is changing. We are slowly getting a written constitution imposed upon us – such as the Human Rights Act – laid upon us by a higher authority, the European Union.

This is tipping the traditional balance between the legislature and the judiciary. Traditionally, in the UK, we have an assumption of parliamentary supremacy. Ultimately, what parliament dictates (and personally, I use that word advisedly) is what happens.

But under a written constitution, the judiciary is bound to question and override the will of parliament if it contravenes the constitution. In short, the judiciary counterbalances, if not supersedes, parliament. It is against this background that Lord Justice Laws seeks to define The Good Constitution.

To put his argument very simply, the legislature is responsible for the good of the whole – society at large, the people en masse. The judiciary, however, in line with the constitution (whether formal or common law) is responsible for the good of the individual who may be unfairly penalised under the good of the majority.

The Good Constitution, says Lord Justice Laws, comes from finding the right balance between these two; where the legislature does not trespass too much on the role of the judiciary, nor the judiciary on the role of the legislature.

What makes my blood boil is that both the ‘good of the people’ and the ‘rights of the person’ are to be defined and administered by the great and the good: MPs and judges. The will of the people (you and me) is rarely mentioned and usually dismissed. At one point he refers to a letter that appeared in the Telegraph: “This is a democracy. If the majority want to remove Abu Qatada from the country, that is what this Government should do.” Lord Justice Laws responds: “This is not an appeal to democracy. It is an appeal to what the Greeks called ochlocracy, rule by the mob.”

To dismiss the will of the people as rule by mob is arrogant, illiberal and autocratic – and semantically wrong. The term ‘majority’ means the greater part of all people. The term ‘mob’ implies (it is debatable) a relatively small number of people out of control. The two cannot be equated.

There’s another example. “The weakness of the morality of government,” he says, “is the side-effect of democracy’s corrective medicine: populism, which is the price of the polling-booth.” Is he really suggesting that government cannot govern effectively because it is forced to consider the popular will through the voting system?

This is what disturbs me most about Lord Justice Laws. The whole paper reads as if the will of the people is irrelevant – poor little souls need to be told what they want. And between us, we, the courts and the government, are the people to do it.

But his paper also gives me some hope. We seem to be inexorably moving towards a more formal constitutional society; one in which constitutional rights can be upheld even against a parliamentary majority. The tyranny of government, which perhaps started with Maggie, came to a head with Blair/Brown and is continuing now with Cameron, could be held in check by a judiciary armed with a written constitution. Commenting on the current foundation of what could evolve into that full, formal, written constitution, the Human Rights Act, he says:

And among the political rights, though they may be interfered with by government on public utilitarian grounds, there is to be found Article 10 – freedom of expression; and this is a right which is inherent in the autonomy of the individual, the very basis of the morality of law. Along with Article 9, freedom of thought and religion, it is integral to one of the law’s core principles – the presumption of liberty; and to the mandatory characteristics of the good constitution to which I referred at the outset: difference and disputation, in short pluralism. As such it needs the special protection of the judges. And I think it is under threat. There has in recent years developed an insidious tendency to regard the fact that certain speech is offensive as a reason for banning it. I do not think that offensive speech should ever be prohibited by law for no reason other than its offensiveness.

With a written constitution, provided that we do not allow the courts and parliament to carve it out between themselves at our exclusion, what we already consider to be our fundamental rights will be by necessity defended by the courts – who in this regard will be superior to the will of the politicians. It’s something we increasingly and quite urgently need.

But we won’t get it under the present system – which is something I should perhaps return to later. Meanwhile, read The Good Constitution with both fear and hope.

Categories: All, Politics