Error 0x8002007 installing Security Essentials

Good one this! If you’re trying to install Microsoft Security Essentials and it crashes out with Error 0x8002007, clicking on the Help link doesn’t really help.

If you read the technet blurb it relates to the Windows Update service not working, and if you believe this you’re going to waste a lot of time trying to repair it. I did. But the solution was really simple.

If you’re using Windows XP the Microsoft site will give you the Vista/Windows 7 version by default! Hunt around for the Windows XP 32-bit version, download that and it’ll probably work. Just don’t click the “Download Now” button because it doesn’t check which one you need – or give you the choice.

Some genius programmers at Microsoft didn’t bother to check the version number as soon as you start to run the installer. I wonder why not.

The one you get by default is:

mssefullinstall-x86fre-en-us-vista-win7

The one you probably want is:

mssefullinstall-x86fre-en-us-xp

Google is innocent (ish)

So Google’s streetview cars have been driving around harvesting people’s email passwords have they? Well this is probably true. Let’s sue/fine/regulate them!

Actually, let’s not. They haven’t done anything wrong. What Google’s surveying vehicles did was record the wireless Ethernet radio activity as they went along, to get an idea of where the WIFI hotspots are. This is a really useful thing for someone to have done – there’s no other way to find out what’s really where than by doing a ground-level survey.

In order to determine what kind of service they’re receiving you need to record a bit of the traffic for analysis. If it’s a private service, this traffic will be encrypted so it really doesn’t matter a jot – they’d be mostly recording gibberish. If it’s an open, public service they’d get the clear text of whatever happened to be transmitted at the time if the lusers weren’t using application-layer encryption. If some technological dunderhead decides to do a radio broadcast of his unencrypted passwords, Google (and anyone else in the vicinity) will end up receiving that too.

Look at it another way – if someone wrote their password on a big sign and stuck it in the front of their house, anyone walking down the road couldn’t help but capture it. Are the pedestrians doing something wrong, or is the owner of the house an idiot?

It’s no good the idiots bleating on about Google. That won’t give them brains. It might, however, give them some of Google’s money and this could be the real motive.

The Information Commissioner, Christopher Graham, has come up with some surprising statements about Google. But on review, they’re only surprising to someone understanding the technical issues here. Does this mean Graham is a technological klutz? It’s one theory – at times it seems like everyone the government appoints to deal with technology requires this as a qualification. However I think it’s far more likely a case of bowing to media/political pressure on the subject and wishing to be seen to be doing something about it.

Then, last Friday, Google signed an undertaking with the Information Commissioner’s Office to train their staff that they mustn’t do naughty things (just in case they were ever tempted). In return for this the ICO promises to leave them alone. Read it for yourself – it’s only three pages long.

http://www.ico.gov.uk/~/media/documents/library/Data_Protection/Notices/google_inc_undertaking.ashx

What’s sad about the whole affair is that the ICO is, first and foremost, a political/media driven entity even if there are some level heads at work behind the scenes. But what a waste of time and money…

Oliver Drage makes mockery out of RIPA

Oliver Drage, suspected trader in child pornography, has just been sent down for refusing to disclose the password he’d used to encrypt his PC. This is an offence under RIPA (the Regulation of Investigatory Powers Act 2000). So if you’ve got something dodgy on your computer, you’ll get locked up whether or not the cops can decrypt it (or you’ve lost the password).

A spokesman for Lancashire police was pleased: “Drage was previously of good character so the immediate custodial sentence handed down by the judge in this case shows just how seriously the courts take this kind of offence.”

Really. Drage is going to gaol for sixteen weeks (read “two months”). How long would he have been locked up for if he’d given them the password so they could decrypt whatever it’s alleged he was hiding? Five years? Ten years? Lock up and throw away the key?

This is not what I call “taking it seriously”.

The penalties under RIPA for not disclosing passwords are far lower than the likely sentence assuming someone’s been up to anything of interest to the authorities in this way. They don’t take it seriously at all.

Comment spam from Volumedrive

Comment spammers aren’t the sharpest knives in the drawer. If they did their research properly they’d realise that spamming here was as stupid as trying to burgle the police station (while it’s open). You’ll notice there’s no comment spam around here, but that isn’t to say they don’t try.

Anyway, there’s been a lot of activity lately from a spambot running at an “interesting” hosting company called Volumedrive. They rent out rack space, so it’s not going to be easy for them to know what their customers are doing, but they don’t seem inclined to shut any of them down for “unacceptable” use. For all I know they’ve got a lot of legitimate customers, but people do seem to like running comment spammers through their servers.

If you need to get rid of them, there is an easy way to block them completely if you’re running WordPress, even if you don’t have full access to the server and its firewall. The trick is to over-ride the clients Apache is prepared to talk to (default: the whole world) by putting a “Deny from” directive in the .htaccess file. WordPress normally creates a .htaccess file in its root directory; all you do is add:

Deny from bad.people.com

Here, “bad.people.com” is the server sending you the spam, but in reality they probably haven’t called themselves anything so convenient. The Apache documentation isn’t that explicit unless you read the whole lot, so it’s worth knowing you can actually list IP addresses (more than one per line) and even ranges of IP addresses (subnets).

For example:

Deny from 12.34.56.78
Deny from 12.34.56.89 22.33.44.55
Deny from 123.45.67.0/24

The last line blocks everything from 123.45.67.0 to 123.45.67.255. If you don’t know why, please read up on IP addresses and subnet masks (or ask below in a comment).

So when you get a load of spammers from similar IP addresses, look up to see who the block belongs to using “whois”. Once you know you can block the whole lot. For example, if you’re being hit by the bot using Volumedrive on 173.208.67.154, run “whois 173.208.67.154”. This will return:

NetRange: 173.242.112.0 - 173.242.127.255
CIDR: 173.242.112.0/20
OriginAS: AS46664
NetName: VOLUMEDRIVE
NetHandle: NET-173-242-112-0-1
Parent: NET-173-0-0-0-0
NetType: Direct Allocation

<snip>

If you don’t have whois on your computer (i.e. you’re using Windoze) there’s a web version at http://www.whois.net/.

In the above, the CIDR is the most interesting – it specifies the block of IP addresses routed to one organisation. I’m not going in to IP routing here and now, suffice to say that in this example it specifies the complete block of addresses belonging to volumedrive that we don’t want – at least until they clean up their act.

To avoid volumedrive’s spambots you need to add the following line to the end of your .htaccess file:

Deny from 173.242.112.0/20

If this doesn’t work for you then the web server you’re using may have been configured in a strange way – talk to your ISP if they’re the approachable type.

I have contacted Volumedrive, but they declined to comment, or even reply; never mind curtail the activities of their users.

This isn’t a WordPress-only solution – .htaccess belongs to Apache and you can use it to block access to any web site.
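The address forms of “Deny from” described above, worked through as an added example (not code from the original post): it pulls the CIDR out of whois output, parses Deny lines with one or several addresses or a subnet, checks which client addresses they cover, and emits a tidied rule set. The sample whois text and .htaccess fragment are constructed from the values quoted in the post, and all function names are hypothetical.

```python
import ipaddress
import re

# Constructed whois excerpt, limited to fields quoted in the post.
WHOIS_SAMPLE = """\
NetRange: 173.242.112.0 - 173.242.127.255
CIDR: 173.242.112.0/20
OriginAS: AS46664
NetName: VOLUMEDRIVE
"""

# Constructed .htaccess fragment built from the post's example lines.
HTACCESS_SAMPLE = """\
# block comment spammers
Deny from 12.34.56.78
Deny from 12.34.56.89 22.33.44.55
Deny from 123.45.67.0/24
Deny from bad.people.com
"""

DENY_RE = re.compile(r"^\s*deny\s+from\s+(.+?)\s*$", re.IGNORECASE)


def cidrs_from_whois(text):
    """Return the networks on the 'CIDR:' line(s) of whois output.

    A CIDR line may carry several comma-separated blocks."""
    nets = []
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "cidr":
            for item in value.split(","):
                nets.append(ipaddress.ip_network(item.strip()))
    return nets


def parse_deny_rules(htaccess_text):
    """Split 'Deny from' arguments into (networks, hostnames).

    Single addresses become /32 networks. Anything that is not a full
    address or CIDR block (host names, partial addresses) is returned
    separately because it cannot be checked offline."""
    networks, hostnames = [], []
    for line in htaccess_text.splitlines():
        match = DENY_RE.match(line)
        if not match:
            continue  # comments, blank lines, other directives
        for token in match.group(1).split():
            try:
                networks.append(ipaddress.ip_network(token, strict=False))
            except ValueError:
                hostnames.append(token)
    return networks, hostnames


def is_blocked(addr, networks):
    """True if the client address falls inside any denied network."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)


def deny_lines(networks):
    """Emit one 'Deny from' line per network, dropping ranges that are
    already covered by a wider block."""
    lines = []
    for net in ipaddress.collapse_addresses(networks):
        single = net.prefixlen == net.max_prefixlen
        lines.append("Deny from %s" % (net.network_address if single else net))
    return lines


if __name__ == "__main__":
    rules, names = parse_deny_rules(HTACCESS_SAMPLE)
    rules += cidrs_from_whois(WHOIS_SAMPLE)
    # Constructed client addresses on either side of the /20 boundary.
    for client in ("173.242.127.255", "173.242.128.0", "123.45.67.200"):
        print(client, "blocked" if is_blocked(client, rules) else "allowed")
    print("\n".join(deny_lines(rules)))
    print("not checked (needs DNS):", names)
```

On Apache 2.4 the “Deny from” syntax is only honoured while mod_access_compat is loaded; the native equivalent is “Require not ip 173.242.112.0/20” inside a RequireAll block alongside “Require all granted”.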

Perhaps there’s some scope in sharing a list of these comment spambots in an easy-to-use form. If anyone’s interested, email me. This is a Turing test :-)

Why and how to hack a mobile phone

Anyone outraged that News of the Screws journalists have been “hacking” in to mobile ‘phones needs to get a grip on reality. They’re investigative tabloid journalists; what do you expect them to be doing?

To call it “hacking” is grossly overstating the case anyway – what they did required no technical knowledge other than that available in any playground in the country. All you need to do to retrieve people’s voice mail messages is dial their number, and when you get through to voice mail, enter the PIN. Most people leave the PIN as the system default.

You might argue that this is a gross breach of privacy and so forth. But it’s no more so than camping out on someone’s doorstep to see who goes in and out, following them, or tricking them into telling you something they wouldn’t if they knew you were a journalist.

New Labour was very keen to suppress the traditional liberties of the population in general and passed various dodgy laws to protect the lives of the guilty from prying journalists. In 2000, listening to other people’s voice mail was made a specific offence. “And quite right too!”. Wrong! It’s just another example of those in power making it difficult for us to check up on what they’re doing. We have (or had) a free press with a tradition of snooping on politicians, criminals and anyone else they wanted to using whatever means, as long as it was “In the public interest”.

Journalists are also out to sell papers, so the “public interest” defence is often strained to its limit, or broken. However, it should remain as a defence in a court of law and people should be able to argue their case there. It should be all about intent. But New Labour had other ideas.

People are uneasy about voice mail because it’s technological, so let’s look at another example.

Suppose a journalist was camped outside someone’s house, noting down who came in and out. Another invasion of privacy, but right or wrong?

Well that depends – if it’s some innocent person then the journalist will probably end up throwing the notes away, so no harm done. If someone uses information collected in this way in the pursuance of a crime (e.g. Blackmail), that’s another matter, but journalists don’t do that.

Now supposing the journalist is investigating a suspected terrorist, and checking up to see who they’re associating with – or even a politician associating with a known crook. Clearly this information is in the public interest.

It’s all about intent.

You could argue that investigations of this nature shouldn’t be carried out by private individuals but should be left to the security forces. That argument doesn’t bear scrutiny for more than a couple of seconds. The public needs the right to snoop as well as the government agents – anything else is known as a ‘police state’.

As to the current difficulties – anyone who knows anything about the press will tell you that these and many other tricks are employed as a matter of course, although journalists won’t make a big noise about using them. It’s conceivable that an editor like Andy Coulson would neither know nor care exactly what his investigation teams were doing to come up with the information; you don’t ask. It’s also inconceivable that only the hacks on the News of the World had thought of it. Sources need protection.

It’s clearly a political stunt by old new Labour. Could they be upset that the press, including Mr Coulson’s old rag, turned against them? They used to be friends with the News of the World. At the time of the original scandal, it appears that the first politician to call Andy Coulson to commiserate with him about having to resign was none other than Gordon Brown. Apparently he went on to suggest that someone with his talent would soon find another job where he could make himself useful. (Source: Nick Clegg at today’s PMQs).

Intel has just bought McAfee

Intel has just bought its neighbour in Santa Clara.

Well there’s a surprise. According to today’s Wall Street Journal it’s a done deal at $48/share (about £5bn). Paul Otellini (Intel’s CEO) has been saying that “security was becoming important” in addition to energy efficiency and connectivity. This lack of insight does not bode well.

I’ve been expecting something like this since Microsoft really got its act together with “Security Essentials”, its own PC virus scanner by another name. Unlike other PC virus scanners, Microsoft’s just sits in the background and gets on with the job without slugging the PC’s performance. Why would anyone stick with McAfee and Symantec products in these circumstances?

Whether PC virus scanners have much benefit in today’s security landscape is questionable, but at least the Microsoft one does no harm.

Intel has (apparently) paid about £5bn in cash for McAfee. I wonder if they’ve paid too much. It’ll generate revenue while lusers and luser IT managers are too scared to stop paying the subscription, but as anti-virus becomes built in to Windows this is going to dry up. I suspect McAfee was aware of this situation and was moving on to mobile device security – not by developing anything itself, but by buying out companies that are.

When McAfee bought Dr Solomons in 1998, it was basically to pinch their technology for detecting polymorphic viruses and close down their European rival, which they did – everyone lost their jobs and the office closed. (Declaration of interest: Dr Solomons was a client of mine). Whether McAfee has any technology worth plundering isn’t so obvious, so presumably Intel is buying them as a ready-made security division.

McAfee does, of course, have some good researchers in the background – we all know the score.

BlueWatchDog Review

This is an almost brilliant idea. The BlueWatchDog is a thick credit-card sized device that picks up the signal from your paired Bluetooth ‘phone, and if it gets separated from it, sounds an alarm. Great if you’re the type to leave your Blackberry behind or your iPhone is pinched from your handbag. At just £40 it could save you a lot of hassle.

I said it was “almost” brilliant. The snag is that it requires an application running on the mobile device. It’d have been better if it could pair with anything Bluetooth, at least as an option. The application can be used to set the range before the alarm is set off but this is functionality you could live without. As it stands it works with Android, RIM and Apple mobiles. Apple, incidentally, didn’t like the idea of them giving the App away but the company have struck a deal to make this possible.

I managed to speak with the inventor and suggested a version that would work with any Bluetooth unit – possibly by treating it as an audio device. Watch this space (and I hope he sends me a sample!)

www.mindyourit.co.uk
0800 999 2177

Encrypted USB Flash Drives Review

This year Infosec was awash with encrypted USB flash drives. This makes sense; lost USB drives are a major security problem. In fact flash drives are a major security problem, full stop.

Nearly all the flash drives I looked at had one major weakness – they’re tied to the Windows operating system (or Macintosh, and possibly Linux) in order to get data on and off. They have a special application to get the password from the user and supply it to the drive.

This may be considered a weakness, with a common criticism being that key loggers can capture the password before it can get to the drive. I’m actually not too worried about this because if the host has a key logger running then malware can just as easily access the drive itself, however the drive received its password in the first place.

However, having a Windows application required for access to the data is no good if you’re not always running Windows, and flash drives can be read from anything from a car radio to a photocopier. Even if you are reading it on a PC, the operating system of your choice will be upgraded in due course, but the application needed to access your data may not be.

After a bit of searching I did find three genuinely OS-independent devices: the LOK-IT, the hiddn Crypto Adapter and the Data Locker.

Data Locker

This is a USB 2.0 hard disk, available in capacities ranging from 320Gb to 1TB. It’s a nice bit of kit, with a rubber bump-shell and a touch sensitive LCD panel for entering the codes to unlock it. Data is encrypted using hardware to AES CBC 128-bit or 256-bit depending on the model, and once the password has been entered the host system sees it as a standard drive. There are lots of nice features, like a randomized keypad so wear on particular keys doesn’t give the game away.

As it contains a 2.5″ drive it’s bulky compared to a flash drive, but it’s a huge capacity. If you really need to carry around such a large amount of secure data it’s a good choice. But at £400+VAT you’d be better off with something smaller if you don’t.

The Data Locker is made by Origin Storage in Basingstoke. They’ve been around since 2001 supplying OEM storage products, and acquired Amacom in 2006 – the brand used for Data Locker.

www.datalockerdrive.eu
No standard rate telephone number available.

hiddn Crypto Adapter

This doesn’t actually store anything – it’s a USB to USB adapter with encryption. Basically you plug one end into the host machine and plug your standard USB flash drive, or USB HDD if you prefer, into the top. Then you load your encryption key using a smart-card in the slot below, enter your PIN and away you go. It doesn’t matter what the host or USB storage device actually is; the host sees a standard USB drive.

The unit is mouse-sized and works well on a desktop, but is a bit bulky to carry around on portable equipment. It’s also pricey, at £290+VAT.

This system actually makes a lot of sense, as with two units permanently attached to desktop machines in different locations you can use cheap, standard flash drives to transport the data – even post them – without the risk of data leakage if they’re lost in transit. Using the optional key management software it’s possible to duplicate the keys on the smart cards so encryption works at both ends.

The Norwegian makers, hdd, have a range of other encryption products which are worth a look, using the same smart cards to hold keys. I shall be watching them with interest.

www.hiddn.no
+47 38 10 44 80

LOK-IT
This USB flash drive is probably the solution for the rest of us. It’s simple. It’s a flash drive with a small keypad allowing you to enter a PIN to activate it. Powered by an internal battery, you’ve got 30 seconds after entering the password to plug it in, at which point it looks like any other USB drive to the host system. Activation status is indicated by either a red or green LED, and once the drive is pulled from the host it immediately returns to its encrypted state.

There are two versions available, one with a five-key PIN pad, and one with the full ten digits. Both have on-the-fly 256-bit AES encryption hardware. Apparently the ten-key version is more popular, but I liked the five-key because it had a draw-back USB cover you can’t lose.

If you enter the PIN incorrectly ten times the units wipe all their data and reset. This could be annoying, but it prevents access if they fall in to the wrong hands.

My only concern about these units is the robustness of the keypad, which is also a tad difficult to operate. It feels flimsy but may be okay. But with the 4Gb version costing just US$60 they’re a very cost-effective and practical solution. No UK distributor is available at the time of writing.

www.lok-it.net
++1 954-889-3535

Is it safe to allow your kids to use Fronter?

Fronter is Pearson’s commercial LMS; basically Moodle, but you pay lots of money for it. It quite possibly does more, but I’m not in a position to pay for a copy to find out. However, this isn’t a review of Fronter. In fact it applies to the concept of an LMS rather than Fronter, as an instance of an LMS.

An LMS (or LCMS) is a CMS that has been developed, or optimised, for learning (hence the acronym). It’s currently being pushed in to primary schools for use by children as young as six, and its security is far from certain.

An LMS is also known as a Virtual Learning Environment (VLE) in marketing-speak. Ask any academic computer scientist and they’ll tell you Moodle is the one to go for these days. WebCT in the past; but the open source nature and sheer power of Moodle makes it king of the castle – and it’s free. So why does half the world use Blackboard (they purchased WebCT in 2005)? My best guess is that most schools don’t have the technical ability to support anything in-house, and by outsourcing you get a commercial product, sold with smiles and soothing words. It’s just not realistic to expect many primary or secondary education institutions to have the knowledge to manage their own IT – the 20% of the world using Moodle are the clued-up tertiary sector. And the folks able to use Moodle are the same folks that are likely to understand the security implications. Primary schools are unlikely to have security skills in-house, and it’d be surprising to find that level of knowledge in a secondary (high) school either, so in order to use an LMS it has to be outsourced and made simpler.

Enter Pearson with Fronter. Pearson is a large media conglomerate with an education division, best known for brands such as Prentice Hall, Longman, Addison-Wesley. Ah, THAT Pearson. So you can see they’ve got a good ‘in’ to schools, and they appear to be pushing Fronter hard in to the primary sector. It’s being used for children as young as six, and this raises significant questions when it comes to security. Would you let your child use Facebook? Of course not; so why is Fronter, with its social media features any better?

Leaving aside whether it’s appropriate to introduce very young children to any form of social networking, a close look at the security aspects of any LMS is vital. Latterly I’ve been looking at Fronter, and this is used for examples in this article, but the comments apply to any LMS – they can all be configured in a dangerous way.

Fronter is obviously keen to allay concerns, and has just hired Logica (completed March 2010) to get it through ISO 27001. Fronter will doubtless wave this badge around saying “Okay – we’re now safe and secure to international standards”. This will be true, to an extent, but ISO-27001 is so vague it can mean anything. Like ISO-9000, it basically means it can be audited within the parameters set, and potential stakeholders can review the documentation and see if it meets their requirements. Even when these parameters are available, I doubt I’d be allowed to review it (Fronter – are you listening?)

Don’t get me wrong here. I’m not knocking ISO-27001 any more than I’d knock ISO-9000. At least not per se. It’s a framework, and as such, can be used to promote good or to conceal evil. Neither do I question Fronter’s commitment to keep intruders out of its system, if for no other reason than because any breach would have a disastrous effect on its business. I’m as confident as I can be that they’re taking the matter very seriously indeed, as do any other serious LMS developers.

But the developers can’t make an LMS safe. Its infrastructure might be secure, but its users are always going to be the weak link. Schools really don’t know about who has access to their LMS, or don’t care because it’s too difficult a problem to find out.

When your child reads something posted by another Fronter user, who actually wrote it? Much is made of ensuring that everyone in contact with children has a CRB check, but a Fronter account for a child is given out to its parents with no checks made on them whatsoever.

Have you ever wondered what the likelihood of a randomly selected parent failing a CRB check might be? Well I reckon it’s about 1 in 5; in other words not much better than 50:50 that one adult in the house has a criminal record of some sort. (Figures aren’t compiled; I have extrapolated this from an answer in Hansard 25 Apr 2008 : Column 2328W). Worrying? So how many are likely to be on the “Sex Offenders Register”? Currently the English notification system lists 48,000 adults. It’s widely realised that most don’t appear on this because they haven’t been caught, and dodgy teenagers don’t figure in the stats at all, but certainly exist. Projecting this to working age parents (or guardians) you end up with an average of about three sex offenders being parents at a school of 1000 pupils. In other words, you can say pretty safely that there are probably registered sex offenders able to control accounts on most Infant and Junior schools using an LMS.

This leaves schools with a bit of a dilemma. If parents realised that their children were using a social media site shared by CRB failures and sex offenders they’d insist the plug was pulled. But at the very least, schools need to ask for informed consent from the parents before exposing their children to this risk – or turn off the ability to communicate in the LMS software (the safe option) and simply use it for staff to pupil communication. What schools often claim is that their staff monitor all content and messages. This will be done with the best of intentions, but will it be kept up long-term and how effective will it be on a large volume of traffic? If you’ve ever moderated a forum, you’ll understand the difficulty. However, teachers are smart people and usually have a sixth sense about where to watch for trouble.

Monitoring is undoubtedly a good thing compared to a free-for-all, but does fail to address the fact that multiple channels are often used for nefarious purposes. A message posted on the LMS might seem innocuous in itself, but could easily be a key part of an external conversation. Anyone who thinks children don’t routinely use code words adults won’t understand simply doesn’t know children.

So far I have considered login details falling in to the lap of undesirable elements via children in the household. But supposing an unconnected local paedophile wished to target an LMS directly. Is this possible? Of course, and here’s a scenario to make the point.

A fair number of schools now use outsourced emailing systems such as ParentMail, inTouch and CallParents to contact parents, and may simply use the mechanism to distribute attached files rather than proper text messages in the email body. Parents tend to trust emails from these services as they believe they know the sender (i.e. their child’s school), and are conditioned into opening file attachments. It’s trivially easy to forge a ParentMail email, sending any file attachment the attacker pleases. Stealing log-in credentials in such circumstances would be almost child’s play, but if a key logger was too much trouble then a phishing email should work just as well. Assuming some effort is being made to target a child, an email to the parents saying “Please click here to log in to Fronter”, using context information from the school’s web site and parent details from Facebook is trivially easy. I haven’t heard of this happening, but I can’t believe it hasn’t.

Assuming the LMS developer has any sense of responsibility or desire to stay in business, it’s pretty clear that the security measures against infiltration of an LMS such as Fronter depend on policy rather than technology. If children are allowed to exchange messages with each other the only thing that will stop an infiltrator will be the vigilance of the monitoring staff. Supervision whilst using the system, whilst at home and at school, is just common sense. But there are still technical issues to address.

Some LMS require certain insecure features to be enabled on web browsers, such as Java. For security reasons, many people have risky technologies disabled. You certainly wouldn’t allow them in a secure commercial environment, so why take the risk at home? And worse, how much more of a risk is it if you allow a naïve child to use client-side code? Yet this is exactly what schools using an LMS are asking parents to do – drop the security on their home computers to allow access to attractive interactive features. There’s probably little risk that the LMS will contain compromised code unless pupils are allowed to develop their own content, but it’s not impossible especially using a targeted attack.

An LMS is an attractive vehicle for delivering malware for various reasons. In junior schools particularly, the inexperience of the pupils could allow things to be activated that adults would normally be suspicious of. Also, there’s a temptation for the institution to consider the LMS part of the Intranet and give it trusted status on local endpoints, meaning anything injected in to the LMS is likely to run with trusted privileges even when the Internet is locked down. This isn’t logical – if the endpoint is vulnerable to Internet-based web pages and LMS users can upload content, it’s not actually any more secure.

Many LMS allow file uploads for assignment submission, which provides a route to compromise the PCs used by the academic staff. Given that criminals will have access to some pupils’ login details by virtue of the fact they’re also parents, uploading a trojan to a staff computer is a real threat. For example, Fronter reassures users on its web site that uploads are scanned using Clam-AV. Commendable, but they are inadvertently giving the criminals the intelligence needed to bypass this specific scanner.

Another issue with file uploads concerns endpoint security software. If the endpoint has been secured, file transfers from the browser or elsewhere will be disabled. In order to use the LMS, this often has to be globally enabled. For example, using Ranger to block file upload/download dialogues with Fronter appears impossible because it uses the generic object selector. Ranger detects the window title and either blocks it or lets it through for every web site. Discrimination isn’t possible.

Whilst I’ve used Fronter in many of these examples because it is to hand, I am talking about general issues of security when allowing young children to use an LMS. The developers of such systems take good care to make sure the platform is inherently secure, but dangers remain from at least two sources. Firstly, there may be only a thin veneer of control over who has access to the system if pupils have access outside of school. Secondly, in order to run an LMS it is often necessary to disable endpoint security measures in such a way that it becomes vulnerable to threats from wider sources.

Gary McKinnon who has Asperger’s syndrome

The Home Secretary (Alan Johnson) has just answered an emergency question in the commons as to why he’s declined to block the extradition of Gary McKinnon to the USA for ‘hacking’ (whatever that means). He said that the medical evidence didn’t amount to enough, he’d admitted he was guilty, and besides, he hasn’t got any discretionary powers in the matter.

In some ways, I agree with him. McKinnon may very well have done what he’s been accused of; and as far as Asperger’s Syndrome goes – do me a favour!

He was diagnosed with this condition last year by Prof. Simon Baron-Cohen from Cambridge University. It’s a psychological illness, right? Well actually there are many who’d doubt that. He certainly seems to be the authority on the subject, based on the number of papers published and TV appearances – acceptable to academia and pop culture. He’s the country’s foremost expert on the condition. But is it an illness?

A few years back Prof. Baron-Cohen devised the A.Q. test, a series of 50 self-assessment questions for those wondering if they have the condition. Apparently the general population scores 28%. I score 76%. Do I have a mental illness? I don’t think so; in fact it’s often said that half the scientists in the world would score highly on the assessment too. Us nerds might be different, but so are gay people. Try telling them they’re ill! If you want to know more, just Google the subject.

Gary McKinnon is also, apparently, upset and depressed. Who wouldn’t be in his circumstances?

It might be worth reminding ourselves what he’s actually done (according to Alan Johnson):

He accessed US government computers looking for UFO evidence while smoking dope (as one does), and in the process has damaged their operation. According to the Americans (and Mr Johnson) he knocked out all the military computers in Washington for 24-hours.

Apparently this was done by using perl to look for blank passwords, a technique I find entirely credible. That’s right – McKinnon is a script kiddie. He claims he was caught when using Windows Remote Desktop while the real user was still on the machine, which also fits.

Now for this he deserves to be prosecuted, the same as the morons who were prosecuted for criminal damage while attempting to thieve hereabouts. The difference is that Harrow magistrates decided just to give them a good ticking off after they’d made up some sob story about turning their life around. McKinnon’s treatment is on the other extreme.

Unfortunately for him, there’s an obvious political element. The American military has lost (more) credibility and they want someone, preferably foreign, to divert attention. They can’t catch Bin Laden, so he’ll have to do. Anyone in the data security game knows that any serious cyber-criminals will be able to cover their tracks, so IF serious deliberate damage was done and IF they traced it back to this script kiddie then the one thing you can be pretty sure of is that he wasn’t behind it. Either that, or all the computers in Washington were in such a fragile state that they’d fall over if you sneezed.

In spite of the Home Secretary’s assurances about the extradition arrangements between here and the USA being reciprocal, many will suspect that this case results from the special Labour-Bush relationship – the one where Bush asked and Blair gave.

If Alan Johnson is right, and he really does have no discretion to stop this charade, the real question David Burrowes (McKinnon’s MP) should have followed his answer with was “Why not?”