Is Quantum Cryptography About to be Hacked (again)?

I saw a curious note on the BBC teletext service saying physicists in Canada had just proved that the Heisenberg Uncertainty Principle wasn’t quite right and that therefore Quantum Cryptography was probably not as secure as we’d hoped.

The Heisenberg principle basically states that at quantum level (very small things) it’s impossible to measure the precise position and speed of anything (or measure any other two attributes). The more accurate a position reading, the less accurate the speed measurement, or if you measure the speed accurately the position will become uncertain.

However, quantum cryptography relies on something much less weird to work practically – namely the Observer Effect, or Heisenberg’s Measurement-Disturbance Relationship. This is what the Canadian team were actually on about. You can find the paper causing all the fuss here:

Lee A. Rozema, Ardavan Darabi, Dylan H. Mahler, Alex Hayat, Yasaman Soudagar, and Aephraim M. Steinberg, Centre for Quantum Information & Quantum Control and Institute for Optical Sciences, Department of Physics, 60 St. George Street, University of Toronto, Toronto, Ontario, Canada M5S 1A7

The Observer Effect is much easier to understand. It says that when you measure some things you necessarily change them by the act of measuring. There are plenty of examples to choose from, like a volt meter in an electrical circuit connecting two hitherto unconnected points and allowing a current to flow that wasn’t there before the meter was introduced. If electronics isn’t your bag, consider measuring the tyre pressure on a car. When you apply the gauge a small amount of air escapes, so the pressure is obviously less than it was before you measured it.

As to whether it’s going to make a jot of difference to the safety of your credit card details, I highly doubt it. Quantum Cryptography is not widely used, although I believe laboratory experiments continue (notably British Telecom’s research lab in Ipswich and latterly Raytheon BBN Technologies). And even then, it’s not at all clear whether this will make any difference to it.

So what is Quantum Cryptography in practice?

Unless you slept through ‘O’ Level (now GCSE) Physics at school, you’ll think you know what a polaroid is: a filter that allows light waves through if the waves are oriented correctly and blocks them if they’re not; a bit like a grating for light waves. Except, of course, they don’t behave like that in the real world, do they?

There’s the classic experiment where you take two polaroids and place them one in front of the other. If you have two polaroid sunglasses, try it now. If you have only one pair you could snap them in half to get two lenses, or just take my word for what follows.

As you look through the two lenses and rotate one they’ll either be transparent, black or at various states of fading in between. When the polaroids are aligned the theory says that all the light gets through, when they’re 90° apart then all the light will be blocked. But what about when they’re 45° apart? How come you can still see through? ‘O’ Level physics doesn’t want to bother you with quantum mechanics but as I understand it, this is caused by those pesky photons randomly changing direction all the time, and side-stepping the grill. There’s a random chance of photons still getting through, and it’s proportional to how far around the polaroid is out of alignment. Slightly out of line means most still get through, 45° means half get through and 90° means none get through.

Now suppose we’re sending information by polarising light and shoving it down an optical fibre; we send it through a polaroid. To measure the result we stick it through another polaroid at the other end, aligned at random. The sender’s polarisation pattern is secret at this time. If the receiving polaroid is a bit off, we’ll still get a signal but it will vary randomly. The thing is that there is no way of knowing whether we’re looking at a randomly corrupted signal, or whether all photons are getting through. However, we can record the results and if we’re later told what the polarisation settings were, we can discard the measurements we made when our receiving polaroid was set wrong and use simple error-correction techniques to make use of the remaining “good” data. The polarisation settings can be transmitted insecurely after the event, because they’re of no use to an attacker by then. This is subtle…

If someone decides to bung a polaroid in the middle of the line to try and examine our photons, unless they get lucky and have exactly the right polarisation every time then they’re going to filter off some of our signal. This is going to show up as corrupted data by the recipient, and we’ll know we have an eavesdropper. When the correct settings are published, even if the eavesdropper gets to hear about them it will be too late – they will have corrupted the signal and given their presence away.
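The exchange described in the last two paragraphs, as an added simulation that is not part of the original post: idealised single photons, two polaroid settings 45° apart, and a tap on the line that measures each photon and re-sends it. The function names, the 50% comparison sample and the 10% abort threshold are assumptions made for this example.

```python
import random

BASES = ("+", "x")       # "+" = 0°/90° polaroid, "x" = 45°/135° polaroid
ABORT_THRESHOLD = 0.10   # assumed cut-off for this demo, not a figure from the post


def measure(bit, photon_basis, filter_basis, rng):
    """An aligned filter reads the bit; one 45° off gives a 50/50 random result."""
    return bit if photon_basis == filter_basis else rng.randint(0, 1)


def exchange(n_photons, eavesdrop, seed, sample_fraction=0.5):
    """Run one key exchange; return sifted size, sampled error rate and both keys."""
    rng = random.Random(seed)
    sent, received = [], []
    for _ in range(n_photons):
        bit, send_basis = rng.randint(0, 1), rng.choice(BASES)
        wire_bit, wire_basis = bit, send_basis

        if eavesdrop:
            # The tap has to pick a filter setting blind, and whatever it
            # re-sends carries the tap's setting rather than the sender's.
            tap_basis = rng.choice(BASES)
            wire_bit = measure(wire_bit, wire_basis, tap_basis, rng)
            wire_basis = tap_basis

        recv_basis = rng.choice(BASES)
        result = measure(wire_bit, wire_basis, recv_basis, rng)

        # Sifting: once the sender's settings are published, drop every
        # measurement made with the receiving polaroid set wrong.
        if recv_basis == send_basis:
            sent.append(bit)
            received.append(result)

    # Compare a random sample of the surviving bits in the open, then throw
    # the sample away; only the unrevealed remainder can become key material.
    positions = list(range(len(sent)))
    rng.shuffle(positions)
    n_sample = int(len(positions) * sample_fraction)
    sample, rest = positions[:n_sample], positions[n_sample:]
    mismatches = sum(sent[i] != received[i] for i in sample)
    return {
        "sifted": len(sent),
        "error_rate": mismatches / n_sample if n_sample else 0.0,
        "sender_key": [sent[i] for i in rest],
        "receiver_key": [received[i] for i in rest],
    }


def line_is_tapped(result):
    """Treat the exchange as compromised when sampled errors exceed the cut-off."""
    return result["error_rate"] > ABORT_THRESHOLD


if __name__ == "__main__":
    for tapped in (False, True):
        r = exchange(4000, eavesdrop=tapped, seed=2011)
        print(f"tap={tapped}: sifted={r['sifted']} "
              f"error={r['error_rate']:.3f} abort={line_is_tapped(r)}")
```

With no tap the sampled error rate is zero in this noise-free model; with the tap in place about a quarter of the sifted bits disagree, which is what gives the eavesdropper away before any key is used.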

The current state-of-the-art in Quantum Cryptography relies on sending and detecting single or pairs of photons. Good luck with that one! It’s also not an easy thing to send and receive a single polarised photon, so the research is looking towards simply swapping encryption keys for protecting the actual payload later. This is known as QKD – Quantum Key Distribution.

Suffice to say that this technique makes it impossible to eavesdrop on a line as to do so will corrupt whatever is being intercepted and, with an appropriate protocol, it’ll be almost impossible to try this without being detected before any real data is exposed.

So why does Heisenberg’s Measurement-Disturbance Relationship matter to all of this? Well, supposing someone was able to make a polarisation detector that could measure polarisation at any angle. With this they could read the polarisation of whatever was passing, and even if they destroyed it in doing so, they could re-transmit a new photon polarised the same way. Quantum mechanics currently says you can only test for polarisation in one plane (basis) at a time, so the eavesdropper couldn’t possibly do this. If quantum theory was actually wrong, someone would still have to find a practical way to measure all-ways polarisation. Quantum Cryptography itself has practicality issues; this isn’t a reason to lose any sleep in the real world. A few companies offer QKD networking equipment, and demonstration networks come and go, but unless anyone can enlighten me, I’m not aware of any real-world users of the technology. Given the number of successful attack vectors found in all known experimental systems, it’s not surprising.

Please note – I am not a theoretical physicist; I’m looking at this from an application perspective. I’d love to hear from anyone with a full understanding of quantum mechanics able to shed further light on this, as long as they can keep it simple.

Panicky public gets scammer’s charter for cookie law

Are you worried about websites you visit using cookies? If so, you’re completely wrong; probably swept up in a tide of hysteria whipped up by concerned but technically ignorant campaigners. The Internet is full of such people, and the EU politicians have been pandering to them because politicians are a technically illiterate bunch too.

A cookie is a note that is stored by your web browser to recall some information you’ve entered in to a web site. For example, it might contain (effectively) a list of things you’ve added to your shopping cart while browsing, or the login name you entered. Web sites need them to interact, otherwise they can’t track who you are from one page to another. (Well there are alternatives, but they’re cumbersome).

So what’s the big deal? Why is there a law coming in to force requiring you to give informed consent before using a web site that needs cookies? Complete pig-ignorance and hysteria from the politicians, that’s why.

There is actually a privacy issue with cookies – some advertisers that embed parts of their website in another can update their cookies on your machine to follow you from one web site to another. This is a bit sneaky, but the practice doesn’t require cookies specifically, although they do make it a lot easier. These are known as tracking cookies. However, this practice is not what the new law is about.

So, pretty much every small business with a web site created more than 12 months ago (when this was announced) or written by a “web developer” that probably didn’t even realise how their CMS used cookies, is illegal as from today. Probably including this one (which uses WordPress). Nonetheless, head of the ICO’s project on cookies, Dave Evans, is still “planning to use formal undertakings or enforcement notices to make sites take action”.

What’s actually going to happen is that scamming “web developers” will be contacting everyone  offering to fix their illegal web sites for an exorbitant fee.

The ICO has realised the stupidity of its initial position and now allows “implied consent” – in other words if you continue to use a web site that uses cookies you will be considered to have consented to it. Again, this is a nonsense as the only possible problem cookies are tracking cookies, and these come from sources other than the web site you’re apparently looking at – e.g. from embedded adverts.

So – if you want to continue reading articles on this blog you must be educated enough to know what a cookie is and not mind about them. As an extra level of informed consent you must presumably agree that Dave Evans of the ICO and his whole department is an outrageous waste of tax-payers’ money. (In fairness to Dave Evans, he’s defending a daft EU law because that’s his job – it’s the system and not him, but he’s also paid to take the flak).

What is all this Zune comment spam about?

People running popular blogs are often targeted by comment spammers – this blog gets hit with at least 10,000 a year (and very useful for botnet research) – most of it is semi-literate drivel containing a link to some site being “promoted”. Idiots pay other idiots to do this because they believe it will increase their Google ranking. It doesn’t, but a fool and his money are soon parted and the comment spammers, although wasting everyone’s time, are at least receiving payment from the idiots of the second part.

But there’s a weird class of comment spam that’s been going for years which contains lucid, but repeated, “reviews” about something called a “Zune”. It turns out that this is a Microsoft MP3 player available in the USA. The spams contain a load of links, and I assume that the spammers are using proper English (well, American English) in an attempt to get around automated spam filters that can spot the broken language of the third-world spam gangs easily enough. But they do seem to concentrate on the Zune media player rather than other topics. Blocking them is easy: just block any comment with the word “Zune” in, as it doesn’t appear in normal English. Unless, of course, your blog is about media players available in the USA.

This really does beg the question: why are these spammers sticking to one subject with a readily identified filter signature? I’ve often wondered if they’re being paid by a Microsoft rival to ensure that the word “Zune” appears in every spam filter on the planet, thus ensuring that no “social media” exposure exists for the product. Or is this just a paranoid conspiracy theory?

An analysis of the sources shows that nearly all of this stuff is coming from dubious server hosting companies. A dubious hosting company is one that doesn’t know/care what its customers are doing, as evidenced by continued abuse and lack of response to complaints. There’s one in Melbourne (Telstra!) responsible for quite a bit of it, and very many in South Korea plus a smattering in Europe, all of which are “one-time” so presumably they’re taking complaints seriously even if they’re not vetting beforehand. It’s hard to be sure about the Koreans – there are a lot but there’s evidence they might be skipping from one hosting company to the other. Unusually for this kind of abuse there are very few in China and Eastern Europe, and only the odd DSL source. These people don’t seem to be making much use of botnets.

So, one wonders, what’s their game? Could it be they’re buying hosting space and appearing to behave themselves by posting reasonable-looking but irrelevant comments? Well any competent server operators could detect comment posting easily enough, but in the “cheap” end of the market they won’t have the time or even the minimal knowledge to do this.

I did wonder if they were using VPN endpoints for this, but as there’s no reverse-lookup in the vast majority of cases it’s unlikely to be any legitimate server.

Government’s red-herring email law

The government (UK) launched a red herring at the Internet today, and the news media has lapped it up. “We’re bringing in a new law to allow security services to monitor email and other Internet traffic.” This is actually referring to the fact of the communication; not its content.

The TV news has subsequently been filled with earnest spokespersons from civil liberties groups decrying the worst Big Bother laws since New Labour got the boot – anything to get their silly mugs in front of a camera. Great news drama – the Conservatives moving over to the dark side.

Wake up people! What they’re proposing is just not possible. Blair already tried it in a fanfare of announcements and publicity, but anyone who knows anything about how email and the Internet function can tell you that it’s not even technically possible on so many levels.

1) Email does not necessarily use an ISP’s mail server or web mail service. Home users probably do; any company or organisation will most likely use their own. If anyone wanted to avoid snooping, they would too.

2) Users of commercial mail services are anonymous if they want to be. With a few minutes effort it’s possible to hide your IP address, or use an untraceable random one, and there’s no other trail leading back to an individual. The international criminals being targeted will know the tricks, for sure.

3) The security services already have the powers to do this, and do use them.

4) If the ISP is outside the UK, then what?

When the Blair government announced something similar I had to write to the government department concerned asking for the details. I heard about it from the general news. Apparently I, as an ISP, needed to keep records for a year – but records of what, exactly? They didn’t contact me to warn me it was happening; they can’t as there is no register of ISPs. There’s no definition of what counts as an ISP either. And needless to say, the government department concerned didn’t write back with the details.

So why is the current government making this announcement about an announcement now? Could they be wanting to change the news agenda? As usual they can rely on the media types to completely miss the fact it’s nonsense. Eventually the BBC got Andrew Mars on to comment, but I suspect his interview snippet was severely edited to suit their agenda.

FBI VoIP system conference call intercepted by Anonymous?

Major embarrassment today as Anonymous intercepts a conference call between several European and American law enforcement agencies, according to something I’ve just seen on the BBC. It’s on YouTube right now if you want to hear it for yourself.

It got my attention – someone breaking into a VoIP system would. But on further investigation it’s pretty obvious to me that it wasn’t an intercept at all. The clues are in the intercepted email and the start of the recording – Anonymous read an email circular inviting people to the conference call, where the access number and password were given.

This makes the authorities concerned seem even more incompetent than if they’d had their VoIP service compromised.

Certificate “Errors” on Internet Explorer 9 – and how to stop them

Like recent versions of Internet Explorer, Version 9 has a Microsoft-style way of handling SSL certificates. It won’t let lusers access anything over a secure connection if there’s anything wrong with the certificate the remote end has presented. On the face of it, this is all very reasonable, as you don’t want the lusers being tricked by nasty criminals. But in reality it’s not as simple as that.

A bit of background, because everyone should make an informed choice about this…

SSL (or TLS) has two purposes – authentication and encryption. When you send data over SSL then two things occur. Firstly it’s only readable by the receiving computer (i.e. it’s encrypted), and secondly you know you’re talking to the right server (the link is authenticated – both computers recognise each other). The computers don’t exactly exchange passwords, but they have a way of recognising each other’s SSL certificate. Put simply, if two computers need to talk they have a copy of each other’s certificate stored on their disk and they use it to make sure they’re not talking to an impostor (gross over-simplification, but it’s a paradigm that works). Should one computer not have the certificate needed to authenticate the other end it will be supplied, and this supplied certificate is checked to see if it’s “signed” by a “signing authority” using a certificate it already has. In other words, the unknown remote certificate arrives and the computer checks with a “signing authority” certificate to see if it’s been signed, and is therefore to be trusted. If it’s okay, it’s stored and used.

Now here’s where it breaks in Microsoft-land: For your computer’s certificate (the one it sends) to be signed by a “signing authority”, money has to change hands. Quite a lot of money, in fact. If it’s not signed, the recipient will have no way of knowing it’s really you.

In the rest of the world (where SSL came from), on receipt of an unknown certificate, you’d see a message saying that the remote computer says it can be recognised using the supplied certificate, but I’ve never seen it before: Do we trust it? In most cases the answer would be “yes” and the two computers become known to each other on subsequent connections. It’s okay to do this – it’s normal. Something like this happens on Windows with Firefox and other browsers, but not, apparently, Internet Explorer. Not until you dig a bit deeper, anyway. Actually, Internet Explorer 9 can be made to recognise unsigned security certificates, and here’s how.

First off, we really need to know what we’re about to do. What are the symptoms? The address bar goes red and you get a page saying there’s a problem with the certificate every time you visit a “site”. You can click on something to proceed anyway, but the implication is that you’re heading for your doom. The “error” message you see is normally for one of three reasons, and reading it might be enlightening. On a bad day you might get all three! But taking them in turn:

“The security certificate presented by this website was not issued by a trusted certificate authority.”

This just means that no one has paid to have this certificate signed by anyone of Microsoft’s liking. It may be a private company-wide certificate, or that belonging to a piece of network equipment such as a router. If it’s a web site belonging to your bank or an on-line shop, then you should be worried! Otherwise, if there’s a reason why someone isn’t paying to have their certificate approved (indirectly) by Microsoft, make your own decision as to whether you trust it.

So how do you get around it? Actually it’s pretty simple but Microsoft aren’t giving out any clues! The trick is to run Internet Explorer as Administrator (not just when logged in as Administrator).  In current versions of Windows you do this by right-clicking on IE in the start menu and selecting “Run as Administrator” from the pop-up menu. If you don’t, the following won’t work.

Go to the site whose certificate you wish to import, and proceed to view the site in spite of the warnings. Then in the address bar you’ll see “Certificate error”. Click on this and you’ll see an option to “View Certificate”, and (assuming you’re in Administrator mode) there’ll be a button on the “General” tab to “Install Certificate”. Follow the prompts. For maximum effectiveness(!) choose the option to “Place all certificates in…” and browse to the “Trusted Root Certification Authorities”. This probably isn’t necessary in most cases, but if you do this it’ll cover you for pretty much every use. Your PC will happily accept anything from the remote machine hereafter; so make sure you’re importing the right certificate!

“The security certificate presented by this website has expired or is not yet valid.”

This means the certificate is out-of-date, or exceptionally, too new. In most cases encountering a certificate that isn’t valid suggests that your computer’s clock has reset itself to 1980. If this sounds plausible, just proceed to use the certificate anyway (there’s a clear option on the screen to do this). You’ll still get a scary red address bar, then it’s up to the server operator to fix this, but before you get on the ‘phone and give them what for, make sure your computer’s idea of the time and date is actually correct.

“The security certificate presented by this website was issued for a different website’s address”

This third case is a bit more tricky. Basically the name of the computer is embedded into the certificate, but you might be referring to it by another name (i.e. an alias). Or it could be using a pinched certificate. If you’re talking to a network router like a Draytek 2820 by going to its IP address and it’s giving you a built-in certificate, it would have no way of knowing what name or address the router is ultimately going to end up on. The certificate is bound to be wrong in this respect. However, fishing around in the Internet Explorer options, under Advanced (and right down near the bottom) there’s a check-box – “Warn about certificate name mismatches”. Un-check it and it’ll stop squawking. Unfortunately it’s either on or off; you can’t set it to ignore a mis-match for particular names only. Because of the risk that someone might be impersonating your bank, you’d probably be best to leave this one checked and put up with the red warnings.

Final word of warning

Some people reading this will reckon this advice is reckless. Why circumvent a security feature? Simple – if the authentication part of SSL isn’t working you still want it for the encryption. In an ideal world everyone would have signed certificates so you can verify everything you talk to and know it’s what it claims to be the first time you meet it. Subsequent visits will be authenticated with your newly installed certificate, so if something turns up impersonating it later it’ll be detected. In the real world you probably want your data encrypted regardless. A signed certificate is better, but not that much better.

Hassling everyone over security certificates, as Microsoft is doing, may be justifiable on some levels, but as far as I’m concerned, anything that makes the use of encrypted data paths more difficult or expensive to use than they need be is a bad thing. They’re throwing the baby out with the bathwater.
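The “never seen it before: do we trust it?” behaviour, and the later detection of something impersonating a known machine, written as a trust-on-first-use pin store; this is an added example, not code from the post or from any browser. Each pin is bound to one address instead of being trusted as a root, which also covers the router-by-IP case where the embedded name can never match. The class and method names are made up for the illustration, and the certificate bytes and address are constructed stand-ins.

```python
import hashlib
import json


class PinStore:
    """Trust-on-first-use store mapping "host:port" to a certificate fingerprint."""

    def __init__(self, pins=None):
        self.pins = dict(pins or {})

    @staticmethod
    def fingerprint(der_bytes):
        """SHA-256 over the certificate's DER encoding, as hex."""
        return hashlib.sha256(der_bytes).hexdigest()

    @staticmethod
    def key(host, port):
        # Keyed by the address actually typed, so a router reached by IP is
        # pinned under that IP whatever name is embedded in its certificate.
        return f"{host.strip().lower()}:{int(port)}"

    def check(self, host, port, der_bytes, accept_new=False):
        """Return "unknown", "pinned", "match" or "mismatch" for a presented certificate."""
        key, seen = self.key(host, port), self.fingerprint(der_bytes)
        known = self.pins.get(key)
        if known is None:
            if not accept_new:
                return "unknown"      # never seen before: ask the operator
            self.pins[key] = seen
            return "pinned"
        # A changed certificate is never re-pinned silently, even with accept_new.
        return "match" if known == seen else "mismatch"

    def replace(self, host, port, der_bytes):
        """Deliberate re-pin after the operator has confirmed a certificate change."""
        self.pins[self.key(host, port)] = self.fingerprint(der_bytes)

    def dumps(self):
        """Serialise the pins so they survive between sessions."""
        return json.dumps(self.pins, sort_keys=True, indent=2)

    @classmethod
    def loads(cls, text):
        return cls(json.loads(text))


def demo():
    # Constructed stand-ins for DER certificate bytes; on a live connection they
    # would come from ssl.SSLSocket.getpeercert(binary_form=True).
    router_cert = b"constructed self-signed router certificate"
    other_cert = b"constructed certificate from some other device"

    store = PinStore()
    events = [
        store.check("192.168.1.1", 443, router_cert),                   # first contact
        store.check("192.168.1.1", 443, router_cert, accept_new=True),  # operator says yes
        store.check("192.168.1.1", 443, router_cert),                   # later visit
        store.check("192.168.1.1", 443, other_cert, accept_new=True),   # something else answers
    ]
    reloaded = PinStore.loads(store.dumps())
    events.append(reloaded.check("192.168.1.1", 443, router_cert))      # pins survive a restart
    return events


if __name__ == "__main__":
    print(demo())
```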

 

PAM authentication in PHP on FreeBSD

I have several groups of lusers who want to be able to set/change their mail vacation settings but aren’t up to using ssh to edit their .forward and .vacation.msg files. I thought I’d write a quick PHP application to allow them to do it in a luser-friendly way using a web browser. If this isn’t what PHP is for, I don’t know what good it is. The snag: you need to make sure the right user is editing the right file.

The obvious answer is to authenticate them with their mail user-name and password pair using PAM. (This is the system that will check user-name/password combinations against whatever authentication you see fit – by default /etc/passwd).

PHP has a module available for doing just this – it’s called “PAM” and there’s even a FreeBSD port of it you can install from /usr/ports/security/pecl-pam. If you want to use it, just “make” and “make install” – it’ll add it to the PHP extensions automatically, but don’t forget to restart Apache if you’re planning to use it there.

You’ll also have to configure PAM itself. This involves listing the authentication methods applicable to your module in /etc/pam.d/. In this case the php module will have the default name ‘php’ unless you’ve changed it in /etc/php.ini using a line like pam.servicename = "php";

Adding the line above obviously does nothing as it’s the default, but it’s useful as a reminder of what the default is set to. I don’t like implicit defaults, but then again I don’t like a lot of the shortcuts taken by PHP.

The only thing you need to do to get it working is to add a PAM module definition file called /etc/pam.d/php. The easy way to create this is to copy an existing one, such as /etc/pam.d/ftp. This will be about right for most people, but read /etc/pam.d/README if you want to understand exactly what’s going on.

So – to test it. A quick PHP program such as the following will do the trick:

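<?php
// pam_auth() already takes $error by reference; writing &$error in the call
// (call-time pass-by-reference) is a fatal error from PHP 5.4 onwards.
$error = '';
// The final 0 skips PAM's account-management check.
var_dump(pam_auth('auser', 'theirpassword', $error, 0));
print $error;
?>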

If there’s an entry in /etc/passwd that matches then it’ll return true, otherwise false, and $error will contain the reason. Actually, it checks the file /etc/master.passwd – the one that isn’t world readable and therefore can contain the MD5 password hashes. And there’s the rub…

This works fine when run as root, but not as any other users; it always returns false. This makes it next to useless. It might be a bug in the code, but even if it isn’t it leads to interesting questions about security. For example, it would allow a PHP user to hammer away trying to brute-force guess passwords. I’ve seen it suggested that Linux users can overcome the need to run as root by making their shadow password group or world readable. Yikes!

If you’re going to use this with PHP inside Apache, you’re talking about giving the “limited” Apache user access to one of the most critical system files as far as security goes. I can see the LAMP lusers clamouring for me to let them do this, but the answer is “no!” Pecl-pam is not a safe solution to this, especially on a shared machine. You could probably persuade it to use a different password file, but what’s the point? If the www user can read it, all web hosting users can and you might just as well read it from the disk directly (or use a database). PAM only makes sense for using system-wide passwords for authenticating real users.

I do now have a work-around: if you want your Apache PHP script to modify files in a user’s home directory you can do this using FTP. I’ve written some code to achieve this (not hard) and I’ll post it here if there’s any interest, and after I’ve decided it’s not another security nightmare.

 

Spamassassin, spamd, FreeBSD and “autolearn: unavailable”

I recently built a mail server using FreeBSD 8.2 and compiled spamassassin from the current ports collection, to run globally. spamd looked okay and it was adding headers, but after a while I noticed the Bayesian filtering didn’t seem to be working in spite of it having had enough samples through.

A closer look at the added headers showed “autolearn: no”, or “autolearn: unavailable” but never “autolearn: ham/spam”.

What was going on? RTFM and you’ll see spamassassin 3.0 and onwards has added three new autolearn return codes: disabled, failed and unavailable. The first two are pretty self-explanatory: either you’d set bayes_auto_learn 0 in the config file or there was some kind of error thrown up by the script. But I was getting the last one:

unavailable: autolearning not completed for any reason not covered above. It could be the message was already learned.

I knew perfectly well that the messages hadn’t already been learned, so was left with “any reason not covered by the above”. Unfortunately “the above” seemed to cover all bases already. There wasn’t any clue in /var/maillog or anywhere else likely.

I don’t much care for perl scripts, especially those that don’t work, so after an unpleasant rummage I discovered the problem. Simply put, it couldn’t access its database due to file permissions.

The files you need to sort are at /root/.spamassassin/bayes_* – only root will be able to write to them, not spamd – so a chmod is in order.

A better solution is to move the Bayesian database out of /root – /var would probably be more appropriate. You can achieve this by adding something like this to /etc/spamd.cf (which should link to /usr/local/etc/mail/spamassassin/local.cf):

bayes_path /var/spamassassin/bayes/bayes
bayes_file_mode 0666

I suspect that the lower-security Linux implementation avoids these problems by setting group-write-access as default, but FreeBSD, being a server OS, doesn’t. It’s also a bug in the error handling for the milter – it should clearly report as a “failed” and write something to the log file to tell you why.

You should be able to restart spamd after the edit with /usr/local/sbin/spamdreload, but to be on the safe side I use the following after shutting down Sendmail first.

/usr/local/etc/rc.d/spamass-milter restart
/usr/local/etc/rc.d/sa-spamd restart

I don’t know if Sendmail can cope well with having spamass-milter unavailable, but why take the risk?
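A way to catch the permission problem above before it shows up as “autolearn: unavailable”, as an added example that is not part of SpamAssassin or the original post: it works out from the mode bits whether a given account could update the Bayes files. It goes a little beyond the post by also checking the containing directory and by showing a group-writable layout next to the 0666 one; the function names, the temporary layout and the stand-in uid/gid values are all constructed for the illustration.

```python
import glob
import os
import stat
import tempfile

READ = (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)
WRITE = (stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH)
SEARCH = (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)


def allowed(st, uid, gids, bits):
    """Apply the Unix rule: owner bits if owner, else group bits, else other bits.

    The bits are evaluated by hand (rather than with os.access) because the
    audit is normally run by root on behalf of a different account.
    """
    if uid == 0:
        return True
    owner_bit, group_bit, other_bit = bits
    if st.st_uid == uid:
        return bool(st.st_mode & owner_bit)
    if st.st_gid in gids:
        return bool(st.st_mode & group_bit)
    return bool(st.st_mode & other_bit)


def audit_bayes(bayes_path, uid, gids):
    """List (path, problem) pairs that stop the given account updating the Bayes DB.

    bayes_path is the prefix as written in local.cf; the files are bayes_path + "_*".
    """
    problems = []
    directory = os.path.dirname(bayes_path) or "."
    dir_st = os.stat(directory)
    if not allowed(dir_st, uid, gids, SEARCH):
        problems.append((directory, "directory not searchable"))
    if not allowed(dir_st, uid, gids, WRITE):
        # Without this no new file can be created beside the database.
        problems.append((directory, "directory not writable"))
    files = sorted(glob.glob(glob.escape(bayes_path) + "_*"))
    if not files:
        problems.append((bayes_path + "_*", "no database files"))
    for path in files:
        st = os.stat(path)
        if not allowed(st, uid, gids, READ):
            problems.append((path, "not readable"))
        if not allowed(st, uid, gids, WRITE):
            problems.append((path, "not writable"))
    return problems


def demo():
    """Constructed layout in a temp directory, audited as found and after two fixes."""
    with tempfile.TemporaryDirectory() as top:
        prefix = os.path.join(top, "bayes")
        files = [prefix + "_toks", prefix + "_seen"]
        for path in files:
            open(path, "w").close()

        def set_modes(dir_mode, file_mode):
            os.chmod(top, dir_mode)
            for path in files:
                os.chmod(path, file_mode)

        stats = [os.stat(p) for p in [top] + files]
        owning_gids = {s.st_gid for s in stats}
        # Stand-in for the spamd account: ids chosen so that it owns nothing here.
        spamd_uid = max(s.st_uid for s in stats) + 1
        unrelated_gid = max(owning_gids) + 1

        set_modes(0o700, 0o600)   # as found: only the owner can touch the files
        as_found = audit_bayes(prefix, spamd_uid, {unrelated_gid})
        set_modes(0o777, 0o666)   # world-writable, matching bayes_file_mode 0666
        world = audit_bayes(prefix, spamd_uid, {unrelated_gid})
        set_modes(0o770, 0o660)   # group-writable, with spamd in the owning group
        group = audit_bayes(prefix, spamd_uid, owning_gids)
    return as_found, world, group


if __name__ == "__main__":
    for label, result in zip(("as found", "0666", "0660 + group"), demo()):
        print(label, result)
```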

 

Phone hacking gets serious

A committee of MPs are currently grilling the management of News International trying to find someone to blame for the ‘phone “hacking” scandal. It has to be someone convenient; definitely not the people who are actually responsible. That’d lose them votes. This is because those ultimately responsible are the readers of the tabloid newspapers with their insatiable appetite for the personal details of anyone famous, or in the news.

Readers of the Daily Mirror and the Sun/News of the Screws are mostly to blame, together with the Daily Mail, Express and “celebrity” magazines. They’re creating the demand; the publishers are in business to satisfy a demand. This isn’t to say I approve of the business – the cult of celebrity is one of the most rotten things about modern society – but blaming those making a living by never underestimating the public’s bad taste is like condemning a lion for eating an antelope. The tabloids are profitable; proper newspapers are a money pit.

But the politicians don’t want to blame the tabloid readers (aka most of the electorate), and neither does the news media want to blame their best customers. Instead they’re nervously jostling for position in a circular firing squad.

Politically, blaming the Murdoch Press is the best answer. Politicians would love to control the media, but in the west this is a tricky position to engineer. The fact that a sub-contracted investigator to one tabloid accessed the voice-mail of a missing person who subsequently turned out to have been murdered is a pretty flimsy pretext, but they appear to be making the most of it. Oh yes – they messed with a police investigation by deleting old messages. Hmm. My mobile ‘phone voicemail does this automatically – why blame the hack? Just convenient, and it makes it seem more shocking and no one is going to mention this obvious explanation as a possibility. This morning I heard Neil Kinnock suggesting the press needed regulating. Well it worked for Castro, Stalin and Kim Jong Il, his socialist role models?

Last weekend the News of the World was forced to close; a newspaper (in the broad sense of the word) was muzzled to cheers of delight. They were doing something illegal, and they had to go. Actually it was only made illegal in 2000 by Blair’s government (arguably it only came in to force in 2002). Prior to this it was dodgy ground, but there was always a public interest defence. This is key. Journalists used to be able to snoop on whoever they chose as long as it was in the public interest. Each individual case had to be argued on its merits; it was safe. Now journalists face a very real risk of prosecution simply for looking into the dealings of corrupt politicians, organised criminals and dodgy police officers (especially). New Labour’s idea is that only the police and security services were allowed to do anything like this – i.e. The state should have a monopoly on snooping. This is the same model used by the Gestapo, the KGB, the OVRA and the Stasi. It’s used in various countries in the modern world; there was no free press to hold the secret police and politicians to account.

Does this mean Blair and New Labour deserve to be lumped in with the dictatorial heads of police states? Probably not – they produced a large amount of stupid legislation in a hurry and I could well believe this was simple incompetence. However, it’s notable that politicians now are hardly lining up to condemn these totalitarian laws. Why would they? One of the major beneficiaries have been the politicians themselves, who like to have a protected “private life” outside the glare of publicity.

As a final note, watch for the Mirror – they were the subject of more complaints about illegal intercepts (by a long way) than The Sun, Screws or anyone else on Fleet Street (or Wapping). So far they’re being protected. If you think this is a conspiracy theory, check the complaints for yourself on the Ofcom web site. Don’t expect the news media to report it – not in their interests!

Infosec Europe 2011 – worrying trend

Every Infosec (the Information Security show in London) seems to have a theme. It’s not planned, it just happens. Last year it was encrypted USB sticks; in 2009 it was firewalls. 2011 was the year of standards.

As usual there were plenty of security related companies touting for business. Most of them claimed to do everything from penetration testing to anti-virus. But the trend seemed to be related to security standards instead of the usual technological silver bullets. Some of the companies were touting their own standards, others offering courses so you could get a piece of paper to comply with a standard, and yet others provided people (with aforementioned paper) to tick boxes for you to prove that you met the standard.

This is bad news. Security has nothing to do with standards; proving security has nothing to do with ticking boxes. Security is moving towards an industry reminiscent of Total Quality Assurance in the 1990s.

One thing I heard a lot was “There is a shortage of 20,000 people in IT security” and the response appears to be to dumb-down enough such that you can put someone on a training course to qualify them as a box-ticker. The people hiring “professionals” such as this won’t care – they’ll have a set of ticked boxes and a certificate that proves that any security breach was “not their fault” as they met the relevant standard.

Let’s hope the industry returns to actual security in 2012 – I might even find merit in the technological fixes.