Government’s Daft Communications Bill

Never mind the privacy aspects, the communications bill is worrying because it shows the government has no idea at all about how communications on the Internet work. They seem to think that passing a law allowing agencies to record the fact of, and possibly intercept, Internet communications will make it technically possible for them to do so. It will not. It’s as daft as passing a law to ban “recreational” drug use and then expecting the problem to disappear.

Steve Messham and the BBC – stranger than fiction

Whilst I smelled a rat in the Steve Messham affair and subsequent events have proved me justified, I’m not feeling that smug because I can’t actually claim I saw the latest developments coming. They’re just too incredible.

What Messham has done is announce to the world that his alleged abuser didn’t look like, and therefore wasn’t, the politician he’s been accusing to all and sundry for days. The news media appears to accept this, and has gone on a frenzy of blame culminating in the “resignation” of George Entwistle this evening. The one person not apparently in the firing line is Messham, whose fantastic story is the cause of it. The idea that he didn’t know what the person he was accusing looked like before his recent publicity spree stretches credibility beyond my limit.

Okay, the BBC clearly didn’t check its facts either, but then again this is hardly uncommon. As I said last week, they’re always on the lookout for anything negative they can say about the Conservative Party, and I’d assume they’re even less likely to check facts in such a case.

This morning I heard George Entwistle being savaged by John Humphrys on Today. After several minutes I couldn’t take it, but they were still on when the snooze button had timed out. Entwistle was protesting that no one had told him anything. Sadly, I have to say I believe him. This evening he “resigned”, but received a year’s inflated salary as a pay-off. That’s a neat trick. Who else can choose to resign and have their employer pay them a year’s salary? Some mistake, surely.

Apart from the peer who’s been accused of the most horrendous crimes for no reason whatsoever, the other victims in this affair are children who have been abused, and those who will be in the future. We’re always hearing the mantra that children don’t lie about such things and should always be believed. This was Messham’s main theme too. It goes along with the notion that no woman would falsely claim to be raped. Privately, people who work with children and alleged rape victims will contradict this – some people will claim all sorts of things if they think it will get them what they want. Having such a high-profile abuse victim who was clearly not telling the truth is not going to encourage genuine victims of such crimes to come forward.

As to the crisis at the BBC, it’s long been the case that some of their journalists have exhibited bias and inaccuracy in reporting, especially at the local and national level. They’re now engaged in reporting, 24/7 on their favourite subject (themselves). When Entwistle resigned it was blamed on “shoddy journalism”, but what of the shoddy journalists? They’re still there.

I’ve just been watching speculation as to who’s going to take over as Director General of the BBC. The journalists are complaining that Tim Davie, the caretaker DG, has no editorial experience, and is also an outsider. Other candidates have been criticised for being non-editorial and non-BBC types. Entwistle was from a 23-year BBC editorial background (as were previous DGs) but has failed spectacularly, and cut and run (or was he really pushed?).

Of course the BBC hacks want one of their own, but that’s the last thing the BBC needs.

 

Tory Minister in child abuse scandal: A Welsh rat

I’ve been listening on the BBC and reading in the tabloids about Steve Messham, a child abuse victim from a Welsh children’s home, going on about how a senior Conservative politician was the centre of a paedophile ring. I smell a rat. He’s popping up everywhere, and in his latest interview he’s complained that the abuse took place under a “Tory” government and he’s now not getting his enquiry under another “Tory” government. He said nothing under the “Labour” government, and people using that kind of language have, in my experience, had a party political axe to grind.

It turns out he hasn’t actually complained to the police, or given any specifics of these allegations to anyone. Yet the BBC can’t get enough of him. In normal circumstances, someone like this would be ignored. Put up or shut up. However, to the BBC he’s a lifeline to take attention away from their own child abuse scandal. The icing on the cake for them is the “Tory politician” bit; music to the ears of certain BBC journalists.

Twitter is full of people praising Messham for his courage, and naming the politician he must be referring to (although somewhat unlikely).

The BBC is terrible about checking its facts, and this looks horribly like one of those cases of not letting facts get in the way of a good story, especially one with such perfect timing for them.

As to Mr Messham, I wonder what he’s thinking. After nearly a week of no substance, I’m wondering if this wasn’t a wheeze to jump on a rolling bandwagon that’s now heading downhill with no brakes. He’s clearly enjoying the media spotlight, but unless he delivers the goods (i.e. goes to the police), even the media pack is going to get bored, and when they do they’ll turn on him. I don’t suppose he has an exit strategy. If he finally names someone, they’d better be long dead or he’s going to be sued to kingdom come. Unless he’s right, but if he was, he’d have gone to the police already.

My name is Elena and I live in small city in Russia.

You may have seen one or more of these in your inbox in the last few days:

Hello,
 
My name is Elena and I live in small city in Russia. I have a little daughter and no husband since he left us. Due to deep crisis recently I losted job and can not pay the heating bills for our home anymore. I finded your address at website and decided to write you from a public library. We urgent need heating because winter arriving and the temperature in our home is very cold. We can heat our home with a portable woodburner, but we unable buy it because it cost too much for us. If you own any old transportable woodburner from cast iron which you don’t use anymore, I pray you can gift to us and transport of it to us.
 
I hope for your answer.
 
Elena.

Okay – it’s obviously a scam, but it’s interesting as it’s getting through most spam filters. It actually originates from Tellas in Greece, from mail servers that aren’t blacklisted – although today it moved on to ADSL lines.

Reading the text, it’s reminiscent of various “I’m a poor Russian in trouble” panhandles that appear annually at about this time of year. If you reply (it’s been tried), the person at the other end will suggest that instead of sending the stove you just send the money, as she can buy one from the local market for a figure just under $200.

What I’m not so sure of is that the scammer is actually even Russian in this instance, as the language isn’t quite right. Russian speakers (in fact most East Europeans) are notoriously bad at using the definite or indefinite article (‘the’ or ‘a’) because it doesn’t exist in their language. This person fails to use it pretty consistently, thus sounding like a Russian trying to speak English, but slips up with “…buy it because it cost…”. She also has “…a little daughter…”. It suggests American, as a linguist friend pointed out, because of the use of “home” instead of “house” and “woodburner” instead of “wood burning stove”.

You might wonder why on earth the request is for a cast iron stove. Are they collecting them for scrap iron? Well, no – when you think about it, if you offer them a stove the shipping will be prohibitively expensive (they are heavy), so you can save money by simply sending the cash.

Anyone up on this kind of thing will have been thinking “Valentin Mikhaylin” from the start. Okay, he changed the name to Elena in 2007 (or sometimes Valentin and his mother, Elena), but the stove story has been used for at least ten years. It has all the hallmarks, except one: this year the spams are getting through. This could be the scammer’s undoing – as everyone is receiving multiple copies, it’s lost all plausibility in 2012. So what will 2013 be about, one wonders?

Don’t use your real birthday on web sites

You’d have to be completely crazy to enter your name, address and date of birth when registering on a web site if you had any inkling of the security implications. Put simply, these are security questions commonly used by your bank and you really don’t want such information falling into the wrong hands. So, security-savvy people use a fake DOB on different web sites. If you want to play fair with a site that’s asking for this for demographic research, use approximately the correct year by all means, but don’t give them your mother’s real maiden name or anything else used by banks or government agencies to verify your identity, or the criminals will end up using it for their own purposes (i.e. emptying your bank account).

That banks, or anyone else, use personal details that can be uncovered with a bit of research at the public record office is a worry in itself. It’s only a minor hindrance to fraudulent criminals unless you provide random strings and insist to your bank that your father married a Miss Iyklandhqys. The bank might get uppity about it, but they should be more interested in security than genealogy.

This common-knowledge, common-sense advice was repeated by a civil servant from the Cabinet Office called Andy Smith at the Parliament and the Internet Conference at Portcullis House a few days ago. I’ve never met him, but he seems to have a better grasp of security than most of the government and civil service.

Enter Ms Goodman – Labour MP for Bishop Auckland. She heard this and declared his advice “totally outrageous”, and went on to say that “I was genuinely shocked that a public official could say such a thing.”

I wish I was genuinely shocked at the dangerous ignorance of many MPs, but I can’t say that I am. Her political masters (New Labour) haven’t acted nearly quickly enough to suppress this foolish person. In her defence, she used the context that people use anonymous accounts to bully others. This doesn’t bear any scrutiny at all.

When are we going to find a politician with the faintest clue about how cyber security works? The fact that this ignoramus hasn’t disappeared under a barrage of criticism suggests that this isn’t an isolated problem – they’re all as culpable. Her biography shows just how qualified she is to talk about cyber security (or life outside of the Westminster bubble). I’ve no idea what she’s like as a person or MP, but a security expert she isn’t.

I do hope they listen to Andy Smith.

 

Interesting things at IP Expo 2012

IP Expo (née Storage) is on in London’s Earls Court Two for one more day. As a show its target remains a bit undefined (a show about Internet Protocol? Or do they mean Intellectual Property?), but that’s what can make it interesting.

This year there’s less of the mind-boggling high-end storage and more general network services from software and hardware vendors – in particular, virtualisation is the hot topic (yawn).

This is a quick impression; get down there and see for yourself or wait for a full report later.

One interesting stand is Firebrick, present for the first time. You can’t miss them, (a) because they’re in front of the main entrance one row back; and (b) they’ve got a life-sized fibreglass Orc on the stand. They’ll happily take your photograph standing with it, print it out and also give you a link to it for download within a matter of seconds.

Firebrick is a range of rather good network gateway devices (call them firewalls if you will, but that doesn’t really cover it). It’s their own technology, and it’s very clever. The latest clever stuff is the on-board SIP VoIP management, and a very reasonably priced service that can turn your 3G handset into a SIP extension. I’m not talking about a SIP app for a smartphone here; this is a SIM that integrates a mobile ‘phone into your IP PABX.

Virtualisation is very popular, and so is security. Everyone’s got a security solution for virtualised server environments. A lot more on this topic later.

Trend has an amusing sign on their stand: “Vurtualisation is becoming a reality”. Well, what do you know? Are they recycling stands from five years ago, or just a bit slow to catch on? Actually, Trend has been ahead on integrating with VMware at the hypervisor level, so it’s either a daft statement from the marketing department or an old sign, but it’s too good a conversation opener to ignore. They’ll be sick of it by the end of the show.

Bit9, the security company from Massachusetts, is at the show. I like them; they’re sensible about what technology can and can’t do. This may not be a popular business model, but they give me more confidence than most of getting an accurate assessment where it matters.

Off to mingle…

BA e-ticket malware spam

Starting yesterday evening I’ve been seeing hundreds of emails sent to normally spam-free addresses claiming to be British Airways e-tickets. They are, of course, some new malware. It’s coming from a network of freshly compromised servers around the world (with a slight preference for Italy), so spam detection software won’t pick it up, and it’s new malware so virus scanners won’t find it either. As usual it’s a ZIP file containing an EXE, written in Borland Delphi I think.

The spambot code itself appears to be compiled on whatever Linux target the script attack has succeeded on, masquerading as “crond”.
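Because neither sender reputation nor signatures help against a fresh campaign like this one, the practical mail-gateway defence is a content policy: refuse any ZIP attachment that carries a Windows executable, identified by the PE ‘MZ’ magic as well as by file extension. The following is an added example written for this post, not the blog’s own code; the e-ticket lure it scans is constructed inline with a dummy ‘MZ’ stub standing in for the real payload.

```python
import email
import io
import zipfile
from email.message import EmailMessage

# Extensions Windows will execute directly; the magic check below catches renamed ones.
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}


def executable_members(zip_bytes):
    """Return names of ZIP members that look like Windows executables.

    A member is flagged if its name has an executable extension or if its
    first two bytes are the DOS/PE 'MZ' magic, so renaming payload.exe to
    ticket.pdf inside the archive does not evade the check.
    """
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.lower()
            with zf.open(info) as fh:
                magic = fh.read(2)
            if any(name.endswith(ext) for ext in EXEC_EXTS) or magic == b"MZ":
                flagged.append(info.filename)
    return flagged


def scan_message(raw):
    """Walk a raw RFC 822 message; return (attachment name, member) hits."""
    msg = email.message_from_bytes(raw)
    hits = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        payload = part.get_payload(decode=True)
        # Identify ZIPs by content rather than declared MIME type, which spam mislabels.
        if payload and payload[:4] == b"PK\x03\x04":
            for member in executable_members(payload):
                hits.append((part.get_filename() or "<unnamed>", member))
    return hits


def build_sample():
    """Constructed lure resembling the e-ticket spam: a ZIP holding a fake EXE."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("BA-eticket-2012.pdf.exe", b"MZ" + b"\x00" * 64)  # fake PE stub
        zf.writestr("readme.txt", b"Your electronic ticket is attached.")  # benign member
    msg = EmailMessage()
    msg["From"] = "noreply@example.invalid"  # placeholder sender, constructed
    msg["Subject"] = "Your E-Ticket Receipt"
    msg.set_content("Please find your e-ticket attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="eticket.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(scan_message(build_sample()))  # [('eticket.zip', 'BA-eticket-2012.pdf.exe')]
```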

Police vs. Andrew Mitchell

Apparently, according to Andrew Mitchell himself, he swore at a copper who refused to open the vehicle gate to Downing Street for him. Sections of the left-wing news media describe this as an “attack on the police” at a sensitive time. The notion is clearly nonsense; it was an attack on one particular police officer who was, apparently, asking for it. Whether swearing at him was the best response is debatable. Perhaps formal disciplinary proceedings would have been more appropriate, but the PC’s views on it aren’t known. I suspect that in the final analysis, being sworn at for being out of order is preferable to being hauled in front of a disciplinary panel. The former course is more direct and achieves the same effect with the minimum of fuss. Least said, soonest mended. Except not in this case.

By all accounts the PC and the politician have apologised and made up, and this should have been the end of it. The fact that the “row” continues suggests political motivation. Trade unions (such as the Police Federation) are calling for his resignation. Well they would, wouldn’t they. This is clearly a case of “rank and file” police officers protecting their interests by pushing the government about, shamelessly exploiting public sympathy after the shocking murders of PCs Fiona Bone and Nicola Hughes in Manchester to characterise a row about right-of-way as an attack on the police.

So what’s really at the heart of it? Well, anyone who rides a bicycle on a regular basis will have encountered a jobsworth copper (or more often, a PCSO) telling them they can’t do this or that. Had Andrew Mitchell swept into Downing Street in a ministerial Jag, of course they’d have opened the gate, but some sections of the police treat cyclists as second-class road users. They’re not all like that; a lot of my local police are out on bicycles themselves and have a very good understanding of the issues. But others drive around in panda cars and have the belief that cyclists have less right to use the road than they do. Actually, cyclists use the road by right and motor cars are there under licence.

The police (although notably, not the PC concerned) have claimed that Andrew Mitchell called him a pleb. He denies this, and from what I can understand of his character, I’m inclined to believe him. If anything, it was the PC refusing to open the vehicle gate for a “mere” cyclist who was treating him with disrespect, and he retaliated by telling him to “…just open the f*ing gate!” or words to that effect. Normally, I’d stop and remonstrate politely with any anti-bicycle copper I encounter, pointing out the relevant parts of the Road Traffic Act, what counts as a right of way and what a court might regard as reasonable, but I’m not a government whip on a tight schedule.

The real issue here is the police, and wider society’s attitude to cyclists. The BBC journalists, trade unionists and Labour politicians quick to criticise Andrew Mitchell’s outburst at a copper with a bad attitude are doubtless used to driving around the place in cars. Andrew Mitchell isn’t the one who’s stuck up – he rides a bike. They are.

I dare say that the news media will force Andrew Mitchell out eventually unless the lid is blown on the murky back-room operation perpetuating this “row”. The people should be electing our politicians, not the police federation.

Nominet announces consultation on new .uk domains

Nominet is starting a three-month consultation on issuing domain names directly under the .uk TLD. According to Eleanor Bradley, Nominet’s Director of Operations, this development will allow new companies to purchase domain names (presumably because the .co.uk is in the hands of cyber squatters), and also be more secure by checking that the registrant has a UK address and providing daily monitoring for malicious software on the domain (presumably they mean associated web site here).

Nominet is justifying this because they say their new domain space will help to guard the UK against cyber crime, which costs the UK £27B per year.

Nominet is supposed to ensure that UK registrants are okay in any case – although it’s currently based on public complaints when an anomaly is found. Their claim about ensuring that such web sites will be monitored and malware free is just about the craziest promise Nominet could be making. Whoever dreamt this up clearly has no idea about the risks and mechanisms that are used to pervert web sites for malware delivery – there is no way Nominet can check.

What I’ve heard so far is just another scheme for Nominet and cyber squatters (or domainers as they prefer to be called) to make more money. Nominet should be concentrating on the interests of Internet users in the UK, not “vibrant domain name spaces”, which basically means people trading in domain names as a commodity.

Internet Explorer – new vulnerability makes it just too dangerous to use

There’s a very serious problem with all versions of Internet Explorer on all versions of Windows. See here for the OSVDB entry.

In simple terms, it involves pages with Flash content, and all you’ve got to do is open a page on a dodgy web site and it’s game over for you. There’s no patch for it.

Microsoft’s advice can be found in this TechNet article. It’s pathetic. Their suggested work-around is to deploy the Microsoft Enhanced Mitigation Experience Toolkit (EMET). Apparently this is a utility that “helps prevent vulnerabilities in software from successfully being exploited by applying in-box mitigations”. Microsoft continues: “At this time, EMET is provided with limited support and is only available in the English language.”

Here’s my advice – just don’t use Internet Explorer until it’s been fixed.

Update

21-Sep-12

Microsoft has released a fix for this. See Microsoft Security Bulletin MS12-063.

If you have a legitimate copy of Windows this will download and install automatically, eventually. Run Windows Update manually to get it now – unfortunately it will insist on rebooting after installation.