Caught in the trap

This morning’s Observer column.

Watching William Hague doing his avuncular routine in the Commons on Monday, I was reminded of the way establishment figures in the 1950s used to reassure hoi polloi that they had nothing to worry about. Everything was in order. The Right Chaps were in charge. Citizens who had done nothing wrong, declared Uncle Hague, had nothing to fear from comprehensive surveillance.

Oh yeah? As Stephen Fry observed in an exasperated tweet: “William Hague’s view seems to be ‘we can hide a camera & bug in your room & if you’ve got nothing to hide, what’s the worry?’ Hell’s teeth!”

Hell’s teeth indeed. I can think of thousands of people who have nothing to hide, but who would have good reasons to worry about intrusive surveillance. Journalists seeking to protect their sources, for example; NHS whistleblowers; people seeking online help for personal psychological torments; frightened teenagers seeking advice on contraception or abortion; estranged wives of abusive husbands; asylum seekers and dissident refugees; and so on.

In a way, Hague’s smug, patronising tone was the least troubling aspect of the NSA/GCHQ story…

Google’s choice: between a rock and a very hard place

My Observer Comment piece about the dilemma facing Google and the other Internet giants: do they co-operate with the National Security State? Or look after their users’ (and their own commercial) interests?

The revelations of the past week explain why Schmidt was so preoccupied with the power of the state – especially of the national security state, which is what our democracies are morphing into. The apparent contradictions between, on the one hand, Google’s vehement insistence that it has “not joined any programme that would give the US government – or any other government – direct access to our servers” and, on the other, the assertions to the contrary in the leaked National Security Agency slide-deck demonstrate the extent to which Google (and the other internet companies) are caught between a rock and a very hard place.

The rock is that the national security state, as embodied in the National Security Agency, GCHQ and kindred agencies, shows no sign of withering away. Au contraire. In the end, companies such as Google, Microsoft, Facebook and Apple will be compelled to obey the state’s orders. If they don’t, their executives will find themselves sharing jail cells with the likes of Bradley Manning.

The hard place is corporate terror that their users will become alienated by the realisation that personal communications cannot be safely entrusted to internet companies based in the US. Crunch time has arrived for Google & co, in other words. I look forward to the second, revised, edition of Schmidt’s book.

Feudalism 2.0

Bruce Schneier on the state we’re in.

Some of us have pledged our allegiance to Google: We have Gmail accounts, we use Google Calendar and Google Docs, and we have Android phones. Others have pledged allegiance to Apple: We have Macintosh laptops, iPhones, and iPads; and we let iCloud automatically synchronize and back up everything. Still others of us let Microsoft do it all. Or we buy our music and e-books from Amazon, which keeps records of what we own and allows downloading to a Kindle, computer, or phone. Some of us have pretty much abandoned e-mail altogether … for Facebook.

These vendors are becoming our feudal lords, and we are becoming their vassals. We might refuse to pledge allegiance to all of them – or to a particular one we don’t like. Or we can spread our allegiance around. But either way, it’s becoming increasingly difficult to not pledge allegiance to at least one of them.

Nice essay and a useful metaphor. Worth reading in full.

Raspberry Pi: cautionary tale

From a Facebook post by Jon Crowcroft:

So Raspberry Pi ships with a) sshd on b) root login on sshd on c) the same default password on every Pi – doh! Do not plug in your Pi to a net before changing at least one of the above, or you will, like a famous professor in the computer lab last week, get hacked, and deserve to be:)

Noted! (I’ve just ordered a new Raspberry Pi to replace the one that died on me.)

Footnote: the victim was not Jon!
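The three settings Jon lists can be checked before a board ever touches the network. The script below is an added example (not from Jon's post or the Raspberry Pi project): it reads an sshd_config the way sshd does, taking the first occurrence of each keyword and ignoring everything after a Match block, and reports root login and password logins, which are what make a shared default password reachable. The two configs are constructed samples; on a real Pi you would pass the contents of /etc/ssh/sshd_config instead.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the settings flagged in the post.
# SAMPLE_CONFIG and HARDENED_CONFIG are constructed so this runs offline.

SAMPLE_CONFIG='# constructed: what a freshly imaged board might ship with
Port 22
PermitRootLogin yes
PasswordAuthentication yes
Match User pi
    PasswordAuthentication no'

HARDENED_CONFIG='# constructed: the same host after hardening
Port 22
PermitRootLogin no
PasswordAuthentication no'

# effective_value CONFIG KEYWORD
# Prints the global value of KEYWORD (keywords are case-insensitive).
# sshd uses the FIRST occurrence of a keyword, and every line after the
# first Match applies only to matching sessions, so parsing stops there.
# Assumes the "Keyword value" form rather than "Keyword=value".
effective_value() {
    printf '%s\n' "$1" | awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0 { next }            # comments, blank lines
        tolower($1) == "match"      { exit }            # rest is conditional
        tolower($1) == key          { print $2; exit }  # first hit wins
    '
}

# audit_sshd CONFIG: one FINDING line per weak setting
audit_sshd() {
    root=$(effective_value "$1" PermitRootLogin)
    case "${root:-unset}" in
        no|prohibit-password|without-password|forced-commands-only) ;;
        yes)   echo "FINDING: PermitRootLogin yes - root can log in over SSH" ;;
        unset) echo "FINDING: PermitRootLogin unset - build default applies (yes before OpenSSH 7.0)" ;;
        *)     echo "FINDING: PermitRootLogin has unrecognised value: $root" ;;
    esac
    pw=$(effective_value "$1" PasswordAuthentication)
    case "${pw:-unset}" in
        no) ;;
        *)  echo "FINDING: password logins allowed (PasswordAuthentication ${pw:-unset, default yes}) - a default password is reachable over the network" ;;
    esac
}

# finding_count CONFIG: number of FINDING lines (0 for a clean config)
finding_count() {
    audit_sshd "$1" | grep -c '^FINDING' || true
}

audit_sshd "$SAMPLE_CONFIG"
echo "findings in sample: $(finding_count "$SAMPLE_CONFIG"), after hardening: $(finding_count "$HARDENED_CONFIG")"
```

The default password itself (Jon's point c) is not visible in sshd_config; the script only shows whether a password login path for it exists at all.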

Put not your trust in the Cloud — any cloud

This morning’s Observer column.

Most of the iCloud users of my acquaintance seem very happy with it. No more worrying about back-ups, or having out-of-date calendars on different devices. In return for an annual subscription, the great Church of Apple takes away the existential angst about data security that plagues less fortunate folks. And for as long as they stay within the enfolding arms of the Church, that blissful state will continue. That this is rather too good to be true should have been obvious to even the meanest intelligence, but it took a personal disaster last week finally to explode the illusion that single-church, cloud-based systems are the answers to everyone’s prayers.

The victim was a well-known technology journalist and iCloud subscriber named Mat Honan…

Lots of good stuff about this topic on the Web — for example this piece by Bob Cringely.

1984 wasn’t cancelled, merely postponed

One of the chapters in my new book (out on Thursday next, though Amazon seems to be already selling the Kindle edition) is about the potential of computing and network technology to create systems for perfect surveillance and control. I’ve argued that the threat comes from two directions: one is the Orwellian one that we all know about; the other comes from companies like Apple and Google and Facebook. In both cases the connivance — tacit or active — of democratic governments is required. This anguished piece by Thom Holwerda suggests that the penny has dropped for him.

Here we are, at the start of 2012. Obama signed the NDAA for 2012, making it possible for American citizens to be detained indefinitely without any form of trial or due process, only because they are terrorist suspects. At the same time, we have SOPA, which, if passed, would enact a system in which websites can be taken off the web, again without any form of trial or due process, while also enabling the monitoring of internet traffic. Combine this with how the authorities labelled the Occupy movements – namely, as terrorists – and you can see where this is going.

In case all this reminds you of China and similarly totalitarian regimes, you're not alone. Even the Motion Picture Association of America, the MPAA, proudly proclaims that what works for China, Syria, Iran, and others, should work for the US. China's Great Firewall and similar filtering systems are glorified as workable solutions in what is supposed to be the free world.

The crux of the matter here is that unlike the days of yore, where repressive regimes needed elaborate networks of secret police and informants to monitor communication, all they need now is control over the software and hardware we use. Our desktops, laptops, tablets, smartphones, and all manner of devices play a role in virtually all of our communication. Think you’re in the clear when communicating face-to-face? Think again. How did you arrange the meet-up? Over the phone? The web? And what do you have in your pocket or bag, always connected to the network?

This is what [Richard] Stallman has been warning us about all these years – and most of us, including myself, never really took him seriously. However, as the world changes, the importance of the ability to check what the code in your devices is doing – by someone else in case you lack the skills – becomes increasingly apparent. If we lose the ability to check what our own computers are doing, we’re boned.

Thom also points to Cory Doctorow’s chilling talk at the Chaos Computer Congress in Berlin, entitled “The coming war on general computation,” which sets things out pretty clearly.

(Transcript here for those who are too busy to watch all the way through.)

One of the most depressing things now is the discovery that Obama seems not just clueless and passive about this stuff, but that — when push comes to shove — he really sides with the forces of darkness. If SOPA ever makes it through Congress, for example, my guess is that he will sign it. After all, as Thom points out, he signed the NDAA 2012.

‘Security’ = Microsoft control

From the Canonical Blog.

Any new Windows 8 PC will have Secure Boot switched “ON” when it leaves the shop and will be able to boot Microsoft approved software only. However, you will most likely find that your new PC has no option for you to add your own list of approved software. So to install Linux (or any other operating system), you will need to turn Secure Boot “OFF”.

Hmmm… I wonder how many computer users will know how to do that — or understand why it might be necessary to do it. Canonical (the company behind Ubuntu) wonders about that too:

Even with the ability for users to configure Secure Boot, it will become harder for non-techie users to install, or even try, any other operating system besides the one that was loaded on the PC when you bought it. For this reason, we recommend that PCs include a User Interface to easily enable or disable Secure Boot and allow the user to choose to change their operating system.

UK firm denies ‘cyber-spy’ deal with Egypt

From a BBC News report.

A UK firm offered to supply "cyber-spy" software used by Egypt to target activists, the BBC has learned.

Documents found in the headquarters of the country's security service suggest it was used for a five-month trial period at the end of last year.

Hampshire-based Gamma International UK denies actually supplying the program, which infects computers with a virus that bugs online voice calls and email.

The foreign secretary says he will “critically” examine export controls.

Hmmm… Consider this from the firm’s web site:

All perfectly legal, of course.

Spear phishing

I’ve been wondering about the implications of LinkedIn (which one of my mates calls “Facebook for job-seeking suits”), and then came on this in an excellent piece by Patrick Kingsley in today’s Guardian.

“One of the first places a hacker will visit is LinkedIn,” says [Rik] Ferguson. [Director of security research at computer protection firm, TrendMicro.] “What do we do on there? We make our entire CV available for the world to see. You can see everywhere I’ve worked in the past. You can see all my connections, see everyone I’ve worked with, everyone I know. So a hacker can assume one of those people’s identities and reference things that have happened in my professional life. And I’m far more likely to open an attachment from your email, because it’s far more credible.”

Spot on. Wonder if all the people who stampeded to get in on the LinkedIn IPO thought about that.

Online banking, pshaw

Much to the annoyance of some of my consultancy clients and my bank — and the amazement of friends (“What? Call yourself a technology columnist and not use Internet banking!!!”) — I don’t use online banking for the simple reason that I don’t think it’s secure. So this report from Good Morning Silicon Valley is grist to my mill.

The high-profile cyberattacks continue: Citigroup has been hacked, too, it told the Financial Times Wednesday. The May attack allowed hackers to access the names, account numbers and contact information of about 200,000 North American customers of the company, according to Reuters. Citigroup says other information such as card security codes, expiration dates and customers’ Social Security numbers are kept elsewhere and were not accessed.

While the FT quoted a Gartner analyst who said that “for the actual breach to happen at a bank is a very big deal,” because banks’ online systems are usually more secure, Federal Deposit Insurance Corp. Chairman Sheila Bair said this morning that banks are frequent targets, according to the Reuters article. Bair said the FDIC may push banks to improve their online-security measures.

On a related note, and in case you missed it: What does happen when your bank gets hacked and your money is stolen? According to a judge’s ruling in one case in Maine, the bank can only do so much. Wired’s Threat Level blog reports that a construction company that fell victim to a password-stealing Trojan on an employee’s computer is out of luck in trying to recover about $300,000 from Ocean Bank. While Magistrate Judge John Rich agreed that the bank could stand to have a more secure authentication system, he said the law does not require it to have such a system, and that its system is comparable to that of other banks.