Revised (Final?) Draft of Muffett response to #CCDP / Communications Data Bill! Will post in morning. Comments?

UPDATE: Replaced by this

“Why is nobody crowing about ‘Critical National Infrastructure’?” ( at Computerworld) #cybersecurity #cni

Why is nobody crowing about ‘Critical National Infrastructure’?

O2 went dark; RBS/NatWest/Ulster Bank died. Surely the Government ought to tell us what to do? Much cybersecurity planning is couched in terms of “we must protect critical national infrastructure” – but when a bank goofs a software upgrade and commits transactional suicide for a week (or more, see Ulster Bank) – and when an entire phone network loses the internet connectivity that is the lifeblood of modern commerce – you would think that someone in authority would be jumping up and down saying that this was evidence that the private sector could not be trusted to deliver critical national infrastructure and that banking and telco infrastructure ought to be nationalised, standardised or at least put under central government regulation to ensure that this does not happen again. But they’re (apparently) not doing that. Why not? Partly because they don’t see it that way […]

…read more, or comment at Unscrewing Security

“If it turns out that #LinkedIn passwords have leaked…” ( at Computerworld)

If it turns out that LinkedIn passwords have leaked…

…here’s what you should do

Rumours are circulating on the net that a database of hashes of LinkedIn passwords has been published on a Russian hacker site.

I cannot confirm this, but if the article referred to above is correct then there is a risk to LinkedIn users; password cracking software such as Hashcat can be brought to bear on the problem, and passwords that are derived from common words and phrases – or which are just too short – can and will be broken.

I’ll write more later, but in the meantime:

  1. Choose a new password – a short phrase, make it twelve or more characters long; don’t worry too much about making it look random but instead make it long-and-memorable and use proper spacing and (perhaps) punctuation.

  2. See this famous cartoon for the technical explanation, but don’t reuse the password it suggests.
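To make the two tips concrete, here is an added example (not from the original post) of a password check that flags the short, dictionary-derived passwords that Hashcat-style dictionary-plus-rules cracking recovers, and estimates the attacker’s work in bits; the word list is constructed and the word-list size and rule count are assumptions.

```python
import math
import re

# Constructed stand-in for the common-word lists fed to cracking tools such as
# Hashcat; a real list runs to millions of entries.
COMMON_WORDS = {"password", "linkedin", "welcome", "letmein", "troubador",
                "qwerty", "monkey", "dragon", "football", "princess"}
WORDLIST_SIZE = 1 << 20   # assumed: ~1M words in a realistic dictionary
MANGLING_RULES = 1000     # assumed: rule variants a cracker tries per word

# Leet-speak substitutions that cracking rules undo: 0->o, 1->l, 3->e, 4->a, ...
LEET = str.maketrans("013457@$!", "oleastasi")


def base_word(pw):
    """Collapse cosmetic mangling (case, trailing digits/punctuation, leet-speak)
    back to the word a rule set would have started from."""
    core = re.sub(r"[^a-z]+$", "", pw.lower())   # drop trailing digits/punctuation
    return core.translate(LEET)


def is_dictionary_derived(pw):
    return base_word(pw) in COMMON_WORDS


def work_bits(pw):
    """log2 of the guesses an offline attacker needs, under the assumptions above."""
    if is_dictionary_derived(pw):
        # A mangled dictionary word costs ~30 bits however long it looks.
        return math.log2(WORDLIST_SIZE * MANGLING_RULES)
    words = pw.split()
    if len(words) > 1 and all(w.isalpha() for w in words):
        # A passphrase of common words: ~20 bits per word from the word list.
        return len(words) * math.log2(WORDLIST_SIZE)
    alphabet = sum(n for pat, n in ((r"[a-z]", 26), (r"[A-Z]", 26),
                                    (r"[0-9]", 10), (r"[^A-Za-z0-9]", 33))
                   if re.search(pat, pw))
    return len(pw) * math.log2(alphabet)   # brute force over the character classes used


def assess(pw):
    """Return the reasons a password fails the advice above (empty list = OK)."""
    problems = []
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    if is_dictionary_derived(pw):
        problems.append("a common word with cosmetic mangling")
    return problems
```

The leet-speak password from the cartoon comes out at roughly 30 bits of work and fails both checks, while a four-word phrase passes and costs about 80 bits.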

…read more, or comment at Unscrewing Security

“Chinese Cyberwarriors in your Chips?” ( at Computerworld) #FPGAbackdoor

Chinese Cyberwarriors in your Chips?

Perhaps, but the Cambridge ones are more interesting

The security interwebs this morning are alive with reference to Sergei Skorobogatov’s webpage at Cambridge, the key quote from which is:

We developed breakthrough silicon chip scanning technology to investigate these claims. We chose an American military chip that is highly secure with sophisticated encryption standard, manufactured in China. Our aim was to perform advanced code breaking and to see if there were any unexpected features on the chip. We scanned the silicon chip in an affordable time and found a previously unknown backdoor inserted by the manufacturer. This backdoor has a key, which we were able to extract. If you use this key you can disable the chip or reprogram it at will, even if locked by the user with their own key. This particular chip is prevalent in many systems from weapons, nuclear power plants to public transport. In other words, this backdoor access could be turned into an advanced Stuxnet weapon to attack potentially millions of systems. The scale and range of possible attacks has huge implications for National Security and public infrastructure.

I recommend against panic.

Instead there are a bunch of questions to ask:

What’s the threat?

…read more, or comment at Unscrewing Security

“Ask Alec: Security for Freelance Developers” ( at Computerworld ) #security

Ask Alec: Security for Freelance Developers

What do you do to be secure when you’re on your own?

So in my mailbox a few weeks ago there arrived the following:

Hi Alec

I was wondering whether you’d mind doing me a small favour. It’d be great if you could punt out a quick top 5 / top 10 tips for sensible data security practices for freelance developers (encrypted backups, being mindful of client data dumps from production systems – am sure you get where I’m coming from) […]

Cheers, Steve

It’s a question that I hear a lot and the challenge is keeping my response down to a reasonable, memorable minimum; let’s try, though this will assuredly be an incomplete list…

…read more, or comment at Unscrewing Security

“#Cybersecurity: Demand An Evidence-Based Approach” ( at Computerworld )

Cybersecurity: Demand An Evidence-Based Approach

Beware Secondhand Statistics; Beware Creating Them

In the days before the SOPA blackout a popular meme infected the interwebs:

Dear Congress: It’s No Longer OK To Not Know How The Internet Works

Directed at the US Government, this article and its related discussion decried the creation of new legislation founded upon both a lack of understanding and a lack of evidence – behaviour that is also exhibited by UK Parliamentarians, if not by all governments worldwide.

What the geek community at that time failed to consider was itself as a source of apparent evidence which might be repeated by journalists and/or relied upon by lawmakers, especially when it lends weight to a higher goal that they wish to achieve.

For a nascent example…

…read more, or comment at Unscrewing Security

“Still Scrambling For Safety” ( at #Computerworld )

Still Scrambling For Safety

Time for old magic in the debate on CCDP

Dateline: the late 1990s; in the USA and UK there is fear and debate over development of new technology which renders moot the “existing capability” of Government agencies to intercept internet communication – thereby risking intelligence (even that which cannot be described in court for security reasons) being lost to the crime-fighting forces of good.

This was not CCDP though, this was Mandatory Key Escrow and constituted an early salvo in the Crypto Wars.

To analogise in modern parlance: the FBI (in the USA) wanted all HTTPS / SSL connections to be wiretappable, and to that end wanted to mandate that all cryptography use a particular algorithm which provided “trustworthy agencies” with cheap and easy decryption backdoors – ones that would only ever be used in pursuit of fighting crime – honest.

Such analogy can only ever be imprecise because technology has so massively morphed – SSL barely existed in 1995 but we now use encryption almost everywhere rather than just Voice-over-IP (VOIP) which the US Government initially targeted. Also: the great increase in CPU-power available to an average device has rendered the concept of a hardware crypto-chip defunct except for certain exotic keystore purposes.

So what happened in the many years after the Key Escrow debate?

…read more, or comment at Unscrewing Security

Surveillance? Only *SOME* Liberal Democrats aren’t supporting it… #CCDP #libdems

[note: this was written for my CWUK blog but they are dealing with some tech issues at the moment, so I’m posting it here instead.]

Erratum: Surveillance? *SOME* Liberal Democrats aren’t supporting it…

LibDem Conference says one thing, LibDem Leadership says another

So – by dint of reporting on a Sunday Times article which “broke” the story – the BBC finally picked up on the Communications Capabilities Development Programme (CCDP) mentioned in this blog’s previous post.

Just in case you missed it, the CCDP is:

  1. A large Government IT project
  2. to surveil (basically) all domestic internet access – recording all the URLs you access, and what social-media interactions you have
  3. by securely logging all of that data on-site at your respective service provider, with equipment part-paid-for by taxpayer money
  4. where it won’t need a warrant to be accessed by Government employees, since the actual content of your communication is not logged
  5. just in case you ever turn out to be a terrorist or criminal.

There are a few problems with these points, viz: all of them, and perhaps the least is point 1 – Britain’s reputation is still not great regarding large Government IT projects.

Point 2 is trivially reduced in usefulness through use of secure sockets (ie: HTTPS) to servers beyond UK jurisdictions, the audit trail becoming something like Client X connected to Server Y which hosts the following websites …; use of Tor would negate even that.

Point 3 – there are enough data leakage stories in the press without their being multiplied by legislating for enhanced logging while promising the public that logged data will never be leaked, hacked or end up on Ebay after server decommissioning.

As an aside: who pays for the log servers? We all do. That which is not paid from Government coffers will be paid for by service providers – who in turn will recoup the cost through raised costs to their customers, which in turn will generate higher VAT.

Point 4 – we are assured by Nick Clegg himself that there will be “no central database” to CCDP – correct, it’s a distributed database which in some respects is far riskier – and that he’s also “totally opposed” to the Government “reading e-mails at will”.

This is also fine, because CCDP is not proposing to do that either. Instead the proposal is to log the date and time and size and sender and recipients of every e-mail sent or received; and also the URLs of every website surfed, and (ideally) the names of people whom you mention, tweet, friend, like, etc.

Targeted advertising aside it’s not necessary to see message content in order to profile someone from their web traffic – if someone receives e-mails from abortion clinics, betting websites, or is surfing URLs with SEO-friendly terms like leather-fetish.jpg – you can draw fairly accurate conclusions about what’s on their mind; come to that if you’ve logged the URLs you can probably download the same thing your target was looking at and thereby confirm your suspicions.

Browsing the logged activity won’t need a warrant because it does not count as interception – so the Deputy Prime Minister can rest assured that he has not directly lied about CCDP.

However he may yet have the opportunity to do so – mid-Monday blogger Charlotte Gore posted on Twitter a copy of the Liberal Democrat party briefing on CCDP, with some choice spin to help confirm the above:

There will be no weakening of the current safeguards and checks in place to protect communications data

…they’re not strong enough currently…

There will be no centralised database of all communications data, as proposed by Labour in 2006

…because CCDP will be distributed

This “communications data” can show who an individual has contacted, when they did so, and where they were at the time; but not what the content of that communication was.

…unless they surf websites with meaningful hostnames and URLs…

The current proposals have one aim and one aim only: to maintain the capability of our law enforcement agencies to investigate and prosecute dangerous people.

…”maintain” meaning “introduce new means of surveillance more typically associated with China and Iran”…

Where there is no business case for Communication Service Providers to gather this data, the government will provide financial and technical assistance to allow it to be collected on companies’ local systems.

…the taxpayer will contribute until Government money runs out, at which point Britain’s domestic surveillance apparatus is an overhead cost to private industry that will discourage entrepreneurialism.

Finally – regarding the “safeguards” to protect browsing data that were introduced at the recent Liberal Democrat conference:

We believe these safeguards to be in place already with the current proposal and will not support any legislative changes without these measures.

…which makes a bit of a mockery of the process of introducing those safeguards, since you’re saying that those safeguards – brought in specifically because of CCDP – were never actually necessary. The activists behind the introduction of those safeguards are understandably a bit miffed at this implication. There are opinions. There have been words. The twittering LibDem grass roots are so angry that there may soon be a raffle and the first prize might be the Liberal Democrat leadership’s head.

But I am a security geek. The party politics don’t interest me. In a perverse sense I almost welcome CCDP because it is so arrogantly infeasible and misconceived – and delightfully retro in a Stasi kind of way – that I cannot conceive a better way of waking people up to the importance of privacy and digital rights.

The Tor Project should do well out of it.

UPDATE: for a more comic spin on the story, try the daily mash.

UPDATE2: Radio4’s The World At One did a fine piece you can listen to – start playback at the 7m10s mark.

“#LibDems custodiet ipsos custodes?” ( at Computerworld) #ccdp #imp #libdem #orgcon

The Liberal Democrats are watching our watchmen?

LibDems custodiet ipsos custodes?

The Home Office wants to log with whom you communicate, wherever and however, just in case you’re naughty – but the Liberal Democrats object…

It’s been a good few months for surveillance, its practitioners and its supply industry – barnstorming industry conferences, massive media coverage of technology and puff pieces on government projects stateside … oh, wait, is this meant to be covert? Oops.

James Bamford – famous in security circles for lifting the lid on the NSA – wrote a huge piece in WiReD about the National Security Agency’s intention to turn Salt Lake City into an enormous datacentre; Forbes provides an executive summary:

In his just-published cover story for Wired, Bamford lays out the NSA’s plans for a vast new facility in Bluffdale, Utah that aims to become a storage and analysis hub for the record-breakingly massive collections of Internet traffic data that the NSA hopes to gather in coming years not from just foreign networks, but domestic ones as well.

The story adds confirmation to what the New York Times revealed in 2005: that the NSA has engaged in widespread wiretapping of Americans with the consent of firms like AT&T and Verizon. But more interestingly, and more troubling in the eyes of many who value their privacy, it details the Agency’s plans to crack AES encryption, the cryptographic standard certified by the NSA itself in 2009 for military and government use and until now considered uncrackable in any amount of time relevant to mortals.

…read more, or comment at Unscrewing Security

“Learning about Cybersecurity from an Unnatural World” ( at Computerworld)

Learning about Cybersecurity from an Unnatural World

Radio 4 on Security: Bio, Cyber or otherwise…

I was listening to the rerun of File On 4[1] this evening, and a chap from the FBI said something very sensible about Cybersecurity.

Albeit the programme itself had nothing to do with cybersecurity, and its tone was mildly hysterical in conflating domestic DIY-biologists and science experimenters – complete with fearsome plans downloaded from the internet – with anthrax outbreaks, vox-pop Oxford ethicists, and preparedness for “Olympic bioterrorism”.

Oh, and the destruction of humanity was mentioned.

But still, an FBI agent (from the Weapons of Mass Destruction Directorate) said something very clever about how to deal with biosecurity, and therefore how to deal with security in general, and thus how to deal with cybersecurity:

FBI Special Agent Edward Yue[2] said:

[1] 18Mb MP3 at the BBC
[2] spelling may differ, audio citation only

…read more, or comment at Unscrewing Security