Category Archives: computing

Muffett’s Personal Opinion on the Cyber Volunteer Force

A friend of mine asked me about the UK’s mooted Cybersecurity “volunteer” force; this is approximately how I responded:

The Cyber-Force thing is simultaneously scary, tragic and amusing; Iain Lobban – Director of GCHQ – has been heard to lament that they cannot afford to pay for geeks:

www.techweekeurope.co.uk/news/news-security/gchq-boss-complains-of-cyber-brain-drain-34212

…that essentially they can’t compete with private sector industry for salaries and conditions.

The truth is a little more complex and a little less clear-cut than that.

From my modest experience of the demographic – dating from around 1994 to the present day – the UK defence establishment has subsisted by chewing-up public spirited geeks who were willing to trade shitty pay for unfireable job-security and an index-linked civil service pension from age ~55ish, thence to buy a cottage in Cornwall, or Provence or something.

The unfireable pension opportunity has now evaporated and DERA (the Defence Evaluation and Research Agency) which provided the hinterland of geeks for GCHQ was largely privatised as Qinetiq – significant numbers have left that – plus computing is now sexy again, so suddenly a lot of the UK’s core security expertise is going into private hands.

You know my perspective on “cyber”[1] – that it is a framing of the debate to launder:

  • interception/monitoring/snooping
  • filtering/blocking/censorship
  • public relations/propaganda, and …
  • expansion of state regulation opportunity

…as a necessary new military activity in a new “domain” – the domain of “communications” – which they call “cyber” because calling it communications would be too obviously unmilitary for people to bear.

Not to mention that honesty would sound too “Orwellian”.

However the good manpower is now off earning loadsamoney with either:

  1. “Big Data”, or…
  2. “Silicon Roundabout Startups” – which are sacrosanct because they may save the economy and the DTI is currently behind them.

…and therefore GCHQ are calling for volunteer cyberwarrior do-gooders.

If in one scenario this is not terrifying to normal people then it bloody well ought to be, if only for the example of “LOVEINT” at the NSA:

news.cnet.com/8301-13578_3-57605051-38/nsa-offers-details-on-loveint-thats-spying-on-lovers-exes/

…because if the best-funded cyberagency in the world has significant spy-on-your-ex-lover issues, what the hell will happen when you let loose a bunch of volunteers on the spook-internal databases of the UK?

There would be rather more “snoop on your mate’s ex-girlfriend” than “Edward Snowden” activity, to be sure.

But let’s instead imagine that GCHQ are not fools and that the volunteers are kept at a discreet arm’s length from the datacentre at Cheltenham; what then? Will you have a bunch of volunteers going around to BNFL and setting up firewalls for nuclear power stations? Or trying to hack into the National Grid? I think they’re already equipped.

What will they be doing, and will they actually be any good at it? And whom will they be depriving of a paid job in the interim? Answers: they won’t be sure, not terribly, and possibly themselves.

I’ve spoken with a competition winner from the GCHQ “UK Cyber Champion” contest and it seems that even if they really like you as a person, the public sector does not have the culture to employ creative, individualistic, modern computer people.

So I think they are in trouble; and you can’t justify the budgets if you can’t get the staff.

If I was to suggest a way out for GCHQ and the Government it would be to stop fretting about process so much, stop throwing money at the big defence contractors and instead engage directly with smaller parties in the private sector.

But that will never happen on the scale which it needs to. Alas.


[1] my perspective on cyber: www.slideshare.net/alecmuffett/how-to-think-clearly-about-cybersecurity-v2

The cost of UK Cybercrime was not £27bn – Hansard

Told you so…

Chi Onwurah (Newcastle upon Tyne Central, Labour)

Let us look at cyber-statistics. In answer to my parliamentary question, the Minister put the cost of cybercrime at £27 billion, but that turns out to be a 2010 “guestimate” from defence company Detica. The National Audit Office misused Cambridge university figures, managing to confuse pounds with dollars. We all know that online crime is rising, but the Government rely on outdated third-party figures. Is he surprised that the public do not trust the Government’s efforts to fight cybercrime, given that they clearly cannot even measure it?

Source; also, the Cabinet Office are throwing it under a bus:

I am writing to advise you that following a search of our paper and electronic records, I have established that the information you requested is not held by the Cabinet Office.

The £27 billion per annum figure is not our figure but comes from a BAE Systems/Detica report. We do not hold any information about how this figure was arrived at.

End days for Cyberfear?

Cybersecurity and “Igon Values”

Igon Value Problems: so very, very applicable to politicians and cybernetwork-security…

I will say this about Malcolm Gladwell: I like his writing, which oozes with intellect that enables him to see angles that many people miss. As a golf fan, I thought Gladwell’s assessment of Tiger Woods versus Phil Mickelson was so spot-on that I printed out Gladwell’s quote and taped it in front of my desk. However, at this point, the record is clear that Gladwell sometimes finds himself speaking and writing about topics that are out of his depth, leading to head-scratchingly elementary mistakes. The most notable is Gladwell’s gaffe with “igon value,” illustrated in a book review by Steven Pinker:

Gladwell frequently holds forth about statistics and psychology, and his lack of technical grounding in these subjects can be jarring. He provides misleading definitions of “homology,” “sagittal plane” and “power law” and quotes an expert speaking about an “igon value” (that’s eigenvalue, a basic concept in linear algebra). In the spirit of Gladwell, who likes to give portentous names to his aperçus, I will call this the Igon Value Problem: when a writer’s education on a topic consists in interviewing an expert, he is apt to offer generalizations that are banal, obtuse or flat wrong.

Malcolm Gladwell, Eclectic Detective [New York Times]

via Ask a Korean!: Culturalism, Gladwell, and Airplane Crashes.

HP Keeps Installing Secret Backdoors in Enterprise Storage # and the best bit is the password they used…

…and a quick Google for 78a7ecf065324604540ad3c41c3bb8fe1d084c50 yields “badg3r5”, which is a really terrible password by any metric.

Even with root access, the secret admin account does not give support techs or hackers access to data stored on the HP machines, according to the company. But it does provide enough access and control over the hardware in a storage cluster to reboot specific nodes, which would “cripple the cluster,” according to information provided to The Register by an unnamed source.

The account also provides access to a factory-reset control that would allow intruders to destroy much of the data and configurations of a network of HP storage products. And it’s not hard to find: “Open up your favourite SSH client, key in the IP of an HP D2D unit. Enter in yourself the username HPSupport, and the password which has a SHA1 of 78a7ecf065324604540ad3c41c3bb8fe1d084c50. Say hello to an administrative account you didn’t know existed,” according to Technion, who claims to have attempted to notify HP for weeks with no result before deciding to go public.

The hash hiding the login “is easily brute-forced,” according to Technion, who noted in a later blog that more than 55 users have separately notified him they’d broken the hash. The backdoors are hidden in versions of the LeftHand OS v. 9.0 and higher. They have existed since at least 2009, according to The Register.

via HP Keeps Installing Secret Backdoors in Enterprise Storage.
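The quoted hash is a single unsalted SHA-1 over a seven-character password, which is why dozens of people could recover it independently: the digest of any given string is the same everywhere, so it can be looked up or recomputed in bulk. The following is an added example (not code from the post, from HP or from Technion) that puts that weak scheme beside what a stored credential should look like instead: a salted, deliberately slow PBKDF2 record that is verified from its own parameters. The record format, the function names and the iteration count are this example’s own choices; the password “badg3r5” is used only because the post quotes it.

```python
"""Unsalted SHA-1 versus a salted, slow password hash.

Added example, not code from the original post or from HP.  The record
format "algorithm$iterations$salt$digest", the function names and the
iteration count are this example's own (hypothetical) choices.
"""
import hashlib
import hmac
import os
from typing import Optional


def legacy_sha1_hex(password: str) -> str:
    """The weak scheme the post describes: one bare SHA-1 over the password.

    No salt and no work factor, so the digest is identical for every
    deployment that uses the same password, and a short or dictionary word
    can be recovered by lookup or by recomputing candidates at full speed.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Hypothetical work factor; in practice tune so one hash costs ~100 ms.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: pbkdf2_sha256$iterations$salt$digest.

    A fresh random salt per record means two users (or two appliances)
    with the same password get unrelated digests, so nothing is shared
    between deployments and precomputed tables are useless.
    """
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute from the record's own parameters and compare in constant time.

    Anything that is not a well-formed pbkdf2_sha256 record (including a
    legacy SHA-1 digest) is rejected rather than guessed at.
    """
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        digest = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
        )
    except ValueError:
        return False
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    pw = "badg3r5"  # the password quoted in the post
    print("legacy SHA-1, run twice:", legacy_sha1_hex(pw), legacy_sha1_hex(pw))
    r1, r2 = hash_password(pw), hash_password(pw)
    print("salted record 1:", r1)
    print("salted record 2:", r2)
    print("both verify:", verify_password(pw, r1) and verify_password(pw, r2))
    print("wrong password verifies:", verify_password("badg3r6", r1))
```

Running it shows the contrast directly: the two SHA-1 lines are identical, the two PBKDF2 records differ in salt and digest yet both verify, and a one-character change in the password fails. For an appliance, the remaining fix is of course not a better hash but no fixed support credential at all.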

TIL: What a “Warrant Canary” is…

Twitter / bytemark: @ralpost You know we're not ….

[...]

Warrant canary (Wikipedia):

A warrant canary is a method used by an Internet service provider to inform its customers that the provider has not been served with a secret government subpoena. Such subpoenas, including those covered under the USA Patriot Act, provide criminal penalties for revealing the existence of the warrant to any third party, including the service provider’s customers. A warrant canary may be posted by the provider to inform customers of dates that they haven’t been served a secret subpoena. If the canary has not been updated in the time period specified by the host, customers are to assume that the host has been served with such a subpoena. The intention is to allow the provider to inform customers of the existence of a subpoena passively, without violating any laws. The legality of this method has not been tested in any court.

The idea of using negative pronouncements to thwart secret warrants was first proposed by Steven Schear on the cypherpunks mailing list,[1] and was first implemented by public libraries in response to the USA Patriot Act.

The first commercial use of a warrant canary was by rsync.net. In addition to a digital signature, they provide a recent news headline as proof that the warrant canary was recently posted[2] as well as mirroring the posting internationally.[3]
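The mechanism the passage describes is a negative pronouncement with an expiry: a dated statement that the provider has not been served, published with a recent headline so it could not have been pre-signed, and a rule that a canary which is missing, expired or malformed must be read as “assume served”. The following is an added example (not code from the post, from Wikipedia or from rsync.net) of a minimal publisher and customer-side checker that implements that freshness rule. The field names and sample text are this example’s own constructions; the digital signature and international mirroring the passage mentions are not modelled, since public-key signature verification is outside the Python standard library, so the checker covers only the dating logic.

```python
"""A minimal warrant-canary publisher and freshness checker.

Added example; not code from the original post, from Wikipedia or from
rsync.net.  The canary format (Issued / Valid-for / Headline fields) and
the status strings are this example's own constructions.  Signature
verification and mirroring are deliberately out of scope here.
"""
from datetime import date, timedelta
from typing import Dict, Optional

FRESH = "fresh: provider states it had not been served as of the issue date"
STALE = "stale: canary is past its validity window, assume the provider has been served"
MISSING = "missing: no canary found, assume the provider has been served"
INVALID = "invalid: canary is malformed or implausible, treat as if stale"


def publish_canary(issued: date, valid_days: int, headline: str) -> str:
    """Produce the text a provider would post (and, in practice, sign).

    The headline is the passage's proof of recency: a statement signed in
    advance could not contain news that had not yet happened.
    """
    return (
        "WARRANT CANARY\n"
        f"Issued: {issued.isoformat()}\n"
        f"Valid-for: {valid_days} days\n"
        f"Headline: {headline}\n"
        "Statement: As of the issue date above we have received no secret\n"
        "subpoena, warrant or gag order.\n"
    )


def _parse(text: str) -> Dict[str, str]:
    """Pull the three machine-checked fields out of the canary text."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() in ("Issued", "Valid-for", "Headline"):
            fields[key.strip()] = value.strip()
    return fields


def check_canary(text: Optional[str], today: date) -> str:
    """Classify a canary as a customer would on `today`.

    Only a well-formed statement inside its validity window is good news.
    Silence (no canary), expiry, or anything unparseable is the signal the
    scheme relies on and is reported as "assume served".  The headline
    itself cannot be checked offline; the customer confirms by hand that it
    was in the news on or just before the issue date.
    """
    if not text:
        return MISSING
    fields = _parse(text)
    try:
        issued = date.fromisoformat(fields["Issued"])
        valid_days = int(fields["Valid-for"].split()[0])
        headline = fields["Headline"]
    except (KeyError, ValueError, IndexError):
        return INVALID
    if valid_days <= 0 or not headline:
        return INVALID
    if issued > today:
        # Post-dated text cannot honestly vouch for a day that has not happened.
        return INVALID
    if today > issued + timedelta(days=valid_days):
        return STALE
    return FRESH


if __name__ == "__main__":
    # Constructed sample: a canary issued 10 June 2013 with a 30-day window.
    canary = publish_canary(date(2013, 6, 10), 30, "Constructed sample headline")
    print(canary)
    for day in (date(2013, 6, 20), date(2013, 7, 10), date(2013, 7, 11)):
        print(day, "->", check_canary(canary, day))
    print("no canary ->", check_canary(None, date(2013, 6, 20)))
```

The deliberate design point is that the checker has no “good” default: every failure path collapses to the same conclusion as an expired canary, which is exactly what lets the provider communicate a subpoena by doing nothing at all.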

APT Defender : “The APT causes many tears. We are their Kleenex.” #cyber #this #somuchthis

Via Spaf:

APT Defender.

WE HAVE ENOUGH EXPERIENCE TO GO AROUND

Our CISSPs have been dealing with APTs before they were even ‘a thing’. They have the knowledge and expertise to dig into your situation, assess how advanced the threat is, and to stop the persistence in its tracks. From there, they will work with you to eradicate whatever elements of The APT that could come back to haunt you.

WORLDWIDE PRESENCE

Since we only hire CISSPs, and since it is a worldwide-known certification, we have access to thousands and thousands of qualified experts around the world. Since there are so many CISSPs, we essentially have an unbelievably elastic workforce that is at the ready to tackle whatever The APT might have up its nasty sleeve.

OUR METHODOLOGY

We have developed what we call The Toolset, which is specifically designed to combat The APT. It is based on The Method, which has been organically created via the communal atmosphere fostered by, and for, our CISSPs. This organic growth has allowed both The Method, and The Toolset simply to be better at combating The APT than any other organization. For more details, please contact us.

Wanna bet that CESG was using Man-in-the-Middle SSL with a fake cert/CA?

Certificate pinning and Convergence, now – or mandate VPNs. I don’t believe that Google’s Certificate Transparency addresses this narrow, one-off, state-sanctioned threat – am I wrong?

Foreign politicians and officials who took part in two G20 summit meetings in London in 2009 had their computers monitored and their phone calls intercepted on the instructions of their British government hosts, according to documents seen by the Guardian. Some delegates were tricked into using internet cafes which had been set up by British intelligence agencies to read their email traffic.

The revelation comes as Britain prepares to host another summit on Monday – for the G8 nations, all of whom attended the 2009 meetings which were the object of the systematic spying. It is likely to lead to some tension among visiting delegates who will want the prime minister to explain whether they were targets in 2009 and whether the exercise is to be repeated this week.

The disclosure raises new questions about the boundaries of surveillance by GCHQ and its American sister organisation, the National Security Agency, whose access to phone records and internet data has been defended as necessary in the fight against terrorism and serious crime. The G20 spying appears to have been organised for the more mundane purpose of securing an advantage in meetings. Named targets include long-standing allies such as South Africa and Turkey.

Continues at GCHQ intercepted foreign politicians’ communications at G20 summits | UK news | The Guardian.

Seems to be a new PDF (malware?) spam doing the rounds: “Gmail Verification Alerts”

I just received a PDF – “Gmail Verification Letter.pdf” – with an MD5 of dfa4f3d5e56d8700400dd919d40b44f4 and which GMail passed to me without flagging as spam.

Of course I’m not going to open it – at least not yet – and because it comes from Miami medical school rather than the ostensible “Gmail Team”, I am pretty sure it’s low-grade spam.

Just wondering if anyone else has it?


This story confuses me; are Google soon to drop XMPP (and/or GTalk) entirely?

…if – IF – so, then it will be very very bad for the future of private communication:

Talk, for example, was built to help enterprise users communicate better, Singhal says. “The notion of creating something that’s social and that’s always available wasn’t the same charter as we set out with when we created Talk.” With Hangouts, Singhal says Google had to make the difficult decision to drop the very “open” XMPP standard that it helped pioneer.

via Exclusive: Inside Hangouts, Google’s big fix for its messaging mess | The Verge.