I was thinking more about the legal profession (who must be competing with estate agents to be the next in line for some bad press after bankers, politicians and journalists!) and particularly the way that most of it is viewed in as anachronistic. There’s a strong link to the way the our political structures work, especially in the UK and even more so given the upper house’s status as the court of ultimate appeal. As a natural conservative in these matters I’m given to question change (what do we want to achieve? what compromises are we willing to make? What will be the actual effects of a proposed change? – all the sorts of questions we should ask whenever anyone suggests anything!) and I see a great deal of damage being done by our rush to modernise important processes on the whim of people who don’t understand them.

In criminal situations we provide a great deal of protection to the accused – this is a natural extension of our “innocent until proven guilty” ethos (although that seems to have been largely forgotten recently). Much of the apparently antiquated theatre of trials are there to support that – the rights a person has are strictly defined and protected.

A more obvious legal situation where strictness is required is in the area of contracts – disputes often arise and words such as “getting the lawyers involved” are thrown about, whereas the truth is that if lawyers (of sufficient skill) were sufficiently engaged from the beginning of the process then such a dispute would have been much less likely. Hopefully this sounds familiar to anyone who works in IT and especially in the security space!

The reason for the apprehension in involving specialists is a lack of understanding – words such as “legalese” are bandied to denigrate the specific language and forms used (”concise and precise” as a professor of mine used to say). It is the precision that is key – what exactly is meant by a certain word or phrase (English is a wonderful language, but can be confusing), what exclusions should apply to clause, how should disputes be handled; these are the reasons for having a specialist.

Spotting problems and risks and putting in place appropriate mitigations is the raison d’etre of the specialist.

© Paul Squires - All views and opinions are those of the author only.

One of the new blogs in my feed is Ben Goldacre’s excellent Bad Science so whilst I was walking around the great shopping centre known as Terminal 5 yesterday and saw his book I thought I’d grab a copy. I read a good chunk of it on the flight over.

Aside from my interest in science generally (it’s another area I don’t get chance to explore enough) and the absurdities of the things he discusses there were two things that really grabbed me.

Firstly just from an edcuation viewpoint, we’re producing children that don’t seem to have the required critical faculties to make wheaty decisions from the information chaff they are exposed to. I suspect that the younger generation are very good at sifting through data and finding relevance, but I question how well they can judge accuracy – particularly when it involves the scientific method, and knowing how our educators and (as a direct result of) our politicians view anything “sciency”.

The second interesting thing (and more so for the topic of this blog) that occured to me (although I am sleep deprived) was the overlap in what Goldacre writes with my views on security related issues. Many of the problems faced by our doctors and science experts are the same as we face in attempting to fix security and a good part of this comes from a fundamental misunderstanding of risk and statistics!

Taking a slightly different view however I see similarities in the approaches by “alternative” therapies and many of the stupid security systems that are put in place – it’s about making people feel better, rather than actually making them safer/healthier. How much of an effect is a “placebo” in a security system? When does this become dangerous by skewing the view of risk (”I can’t get cancer, I take my vitamins” / “We can’t have terrorists, we have ID cards”), or as Bruce Schneier describes it – “Security Theater”?

The area of security where I see the most scientific method, cryptography, has some even more striking parallels with the world of medicine. Basic tenets such as peer reviews, using established methods and building an understanding shine through in both – how many similarities are there between the “new-age” pill vendors and “nutritionists” and the snake-oil salesmen we see pushing their “unbreakable” crypto sytems. The responses of both groups are also alike.

Having read part of Goldacre’s book, I continued to catch up on other’s blog posts – this post from James McGovern (who has since “retired” from the blogosphere”) caught my eye.

Security isn’t hard. It is actually easy

Are you annoyed with security professionals who pontificate with humorless monotone legalistic rambling that no one understands?

The bad guys are winning and the good guys just don’t have a long enough attention span to win.

I almost agree – most of this stuff IS easy, but people don’t see it. What’s needed isn’t to dumb down the experts, but to ensure that decision makers understand the ramifications of what they do. It’s interesting that James uses the word “legalistic” here – most western democracies have a very well defined set of legal processes – designed to protect the innocent and prevent abuses, but people see them as confusing and archaic. Look under the covers and you’ll see that the development of these processes has been quite scientific.

Whether it’s the law, medicine or security we can all learn from each other in making better processes, better tools and better decisions. With those we can defeat the bad guys.

© Paul Squires - All views and opinions are those of the author only.

First up, I have to comment that the officials are a lot friendlier and more polite than I’d experienced in previous trips – there’s a definite human face to the whole process.

As a UK citizen (or “subject”, but that’s not the point) I’m obviously eligible to enter under the Visa Waiver programme (note presence of the last two letters ) and, as such, used ESTA to apply in advance. A quote from the site

The ESTA application collects the same information collected on Form I-94W.

Imagine my surprise when the cabin crew (typically excellent BA) were distributing the same forms that were always used- including I-94W! Having checked further it does seem that the two work in conjunction together, but it seems needlessly over-complex. Given that I provided my passport details on the electronic application, this should be easily cross-checked and verified.

Has anyone seen a good explanation for the dual process that takes place?

© Paul Squires - All views and opinions are those of the author only.

Today I was prompted to upgrade Safari – I’ve had it installed, used it once or twice and forgotten about it. I did so then opened up the browser to see what it’s like now. Apart from the ridiculous loading time for the start page (which does look very cool) I was presented with a problem in that I couldn’t get to any web sites other than the ones Apple decided I’d like to see!

The main culprit here is the lack of an address bar (also some of the default shortcut keys that work in EVERY OTHER BROWSER don’t seem to work here). This is not about usability however! With no address bar it’s not possible to get to exactly where I know I want to be (the simplest way of avoiding phishing attacks) – there’s also no visual indicator of which protocol I’m using – I have no way of knowing whether my credentials are about to be sent in the clear (the only way I can find is to view the source of the page, which surely isn’t what Apple intended).

When the security industry is making strides to solve the problems faced by consumers I really feel like Safari is a step backwards (no matter how cool it is). We spend time, money and effort telling people to check for the presence of the padlock and presenting warnings to people, only for it to be scrapped for style. The interface is there for a reason!

© Paul Squires - All views and opinions are those of the author only.

I heard a comment on the radio yesterday that perhaps it is in the public interest for newspapers to take these kind of actions because it may lead to evidence of wrongdoing – strangely, this is one of the first times I’ve NOT heard anyone say “if you’ve nothing to hide, you’ve nothing to fear”. It seems that the British public takes a different view of personal privacy for celebraties and politicians than for the rest of us…

I don’t want to get into the details of this case, but it does strike me that we’ve slowly moving into a new age where paranoia may finally be seen as a positive trait. I hope this help highlight some of the security issues at large and that individuals may start to take a more active hand in things.

This goes well with the news that the new iphone 3GS has hardware encryption. I guess this is primarily a nod to the enterprise and DLP, but the benefits for individuals could be immense. Of course this wouldn’t help with phone tapping &c so the next stage will be full end point security. I wonder if any of the mobile phone networks will start offering that as a response? Will the individuals targetted by these attacks learn anything – how many use unencrypted email, for instance? Imagine Elle Mcpherson as the spokesperson for PGP

There’s also another issue here of using the right tools – organisations need to be wary of releasing data outside of their control so this should mean providing secure communications methods (where it’s warranted). I noticed over the past few years that more “important” communication is done over public, unsecured networks – this needs to change.

We will see the rise of VPNs for all traffic across all networks, a fact that ties in nicely with the recent offering from The Pirate Bay – ipredator (this still doesn’t hide the fact that you connected to the network, natch. Is the next step going to be onion routed VPN connections?).

Ultimately, this whole situation may provide a much needed tonic to the discussion around privacy and intrusion – from any source.

© Paul Squires - All views and opinions are those of the author only.

I realise that this is now an old story, but I’m only just catching up with things from over the past month. Such is the life of one who works hard

One particular sentence of this caused me to want to respond -

Just one more reason to drop the use of passwords in favor of a biometric authentication.

The issue I have here is that if I give my password to someone (either voluntarily or through force or subtefruge) I can, at a later date, change it. Once someone has my biometric data I can’t ever change it.

The city of Bozeman might not want my fingers, but the US Department of Homeland Security certainly does, along with a vast number of other organisations (it might not be the finger itself, but the digital digit is equivalent).

Other than that, it’s pleasing that the city retracted their demand – such a ridiculous one on so many levels. If there were really things I wouldn’t want a potential employer to read about me, why would I disclose in the first place?!

© Paul Squires - All views and opinions are those of the author only.

© Paul Squires - All views and opinions are those of the author only.

One of the key flaws discovered was related to the populating of the database from elsewhere – specifically if a child was adopted, the automatic updating of records would create links between the old entry and the new – allowing a “malicious” person to track an adopted child; clearly a problem if the child was removed from the parents due to some risk.

There’s so much wrong with this that I’m not sure where to begin! It did however provide a wonderful quote from the Rowntree report on the debacle

If you think IT is the solution to your problem, then you don’t understand IT, and you don’t understand your problem either”

© Paul Squires - All views and opinions are those of the author only.

I’ll post soon with something interesting.

© Paul Squires - All views and opinions are those of the author only.

I registered, put in my details, including my bank details to set up the direct debit and a few minutes later I got an e-mailed response saying that my application was being processed and that my license would be emailed to me within three days. First of all – what takes three days? Shouldn’t this process be, essentially, real-time – with the exception for the direct debit confirmation and let’s face it, if I don’t pay the license can be revoked fairly easily.

The e-mail arrived this morning – titled “Please open the attachment to access your TV License” and from the weird address of email hidden; JavaScript is required (the web site is actually at tvlicensing.co.uk) – why not make it consistent? Usually when I get emails with a title like that I bin them straight away, but in this case I thought I’d make an exception. I opened the email, which contained a number of remote images (thankfully Thunderbird won’t display them), as well as an HTML attachment and a button “Read Message” to click on. The basic content of the email is that my license is encrypted (good) and they need to send me another email with a link to it. This might just be me, but this whole process doesn’t make much sense.

Still being wary of the attachment itself I save it to the desktop and view the source, it’s basically a web page with Voltage secure content. That explains it all then… Voltage is a clever method of delivering encrypted email content without the need for traditional key management so works very well in consumer/public facing scenarios (it’s known as IBE – Identity Based Encryption). For some reason Thunderbird had displayed the HTML attachment inline of the message, leading to my confusion.

Clicking on the button actually sent me to a web page with a message saying that functionality in certain mail clients prevents the system from working correctly and, if that’s the case, one should forward the original email to another address, which presumably is set to autorespond with the link to the actual license.

I can see the intent with the system and it’s nice to see a public body doing something sensible with secure email, but the implementation just seems odd – a reliance on people opening attachments and clicking on links seems to contradict the advice given about phishing. Having completed the process I’m struggling to find a reason for the extra security – all I could see on-screen was my license (essentially just a number), information about what it covers and the amounts that will be paid by direct debit. The link is good for one time only, so now I’ve closed that browser tab I can’t get back to it. I’d also question what threats this was to counter – if someone were to be intercepting/monitoring my email, then all they’d need to do is follow the same link (or just forward the message to the address helpfully provided) to see my license details.

In summary – a good idea generally, but seems to be a poor implementation. The most intriguing aspect of this is that I don’t have an actual license (and since I can’t re-click on the link, can’t get even an electronic version), but that’s fine because I don’t need one. For years the TV licensing authority scared people with the notion of “detector vans” travelling round the streets finding people watching TV without a license. At last they’ve come clean and admitted that all they really have is a big database of every address in the UK, can tell which are licensed and manage the rest by exception, which must be a lot cheaper to enforce and if we’re going to have the license, I’d prefer that.

© Paul Squires - All views and opinions are those of the author only.

For those that don’t know, this method is simply one of getting a replacement birth certificate for someone born roughly the same time as yourself (so your physical age appears right for your new identity), preferably one who doesn’t have too many other formal records attached to them (Darwin managed to get a certificate for someone who died at a few months of age). All one needs to apply for a passport is, essentially, a birth certificate (which are public record). What I find amusing is that this sort of “attack” was supposed to have been stopped – the BBC has a story on it from over four years ago… (although I confess that I’ve not checked exactly when Darwin got his new passport).

Darwin’s exploits were only secondary in my thoughts in comparison to the latest scandal involving UK Government departments and data leakage. This time round it’s the DVLA (Driver and Vehicle Licensing Agency) in Northern Ireland? who sent unencrypted disks, via public courier to the agency’s head office (Swansea), which have gone missing.

Whilst there was a huge outcry over the recent events involving child benefit data this seems to have attracted less attention, but still may result in some major problems. I concede that events involving people directly, especially bank account details and even more when it involves children’s details are more emotive, but much of the data leaked there was public record anyway (for anyone who thinks handing your bank details to a stranger is a bad idea I suggest you look at your chequebook sometime).

This case of data leakage contains car information – makes, models, colours, registration plates, chassis numbers &c – all of which is incredibly useful to someone wishing to clone a vehicle. Vehicle cloning is, apparently, on the increase, and the way that our systems handle this needs to be looked at. With the right information it wouldn’t be too difficult to make any of the same model car look like another – a quick respray and plate change should do it. The victim wouldn’t know until the fines start rolling in (or worse – the cloned vehicle is used for a more serious crime and the police come knocking at the door). Aside from the stupidity of sending unencrypted, critical, data through public networks (whatever the channel), there are? two things that come to mind about this situation.

Firstly, this highlights the problems caused by having an automated justice system with a reliance on cameras, IT systems and “business logic”. It’s something I’ve commented on before, but we’ve lost the human touch in security and law enforcement – a well trained, experienced? (and well paid) policeman with the ability to make decisions and trust their own? judgement is far better than a computer – when something is “wrong” they can tell and take action, when someone innocent is “bending” the law they can take action without over-penalising them. If a vehicle is being used illegally there may be other ways to tell it’s cloned – most likely by cross-referencing the driver and car. This would require a stop and search, but with appropriately targetted action I don’t see the issue – and we take a far more scattergun approach to drink driving…

The second point is related to a comment I made previously about biometric identifiers in humans. Once an identifier has been cloned these are very difficult to correct for the victim? – unenrollment is simply not possible. If someone uses my fingerprints for regular nefarious activity I can’t just change mine to avoid being arrested every few days – likewise, if my car is cloned I can’t (easily) change the major identifiers for it.

Essentially, in almost all areas of life, it is the reliance on automated systems, computers and oversight that creates the environment where identity fraud, car cloning (and worse? crimes like? human trafficking) can thrive. The presence of a human touch is the best deterrent to these crimes. I realise that modern life means a return to the days of seeing your bank manager to get a loan is unlikely – we have to deal with processes that scale well, but there has to be some element of humanity in every system – preferably close to where it interfaces with the people that really matter. Like everything else in security, it’s a trade-off.

© Paul Squires - All views and opinions are those of the author only.

My new hosting? company is Vista Pages.

See you on the other side!

© Paul Squires - All views and opinions are those of the author only.

© Paul Squires - All views and opinions are those of the author only.

There are a number of potential problems with a DNA database, which will start to become more apparent as the number of records increases and technology moves on. A comment from Sedley demonstrates my biggest concern with any such database

It also means that a great many people who are walking the streets and whose DNA would show them guilty of crimes, go free?

This displays the very real public opinion that DNA (along with fingerprints, for that matter) are infallible proof of guilt of a crime when, in fact, there can be errors made at any stage of the process. DNA gets around – look in my car, for example, there are DNA samples from me, my family, my girlfriend, my colleagues, the guy who changed a tyre recently and probably many more. If my car becomes a crime scene just how many people will be under suspicion?

Taking this a step further, it’s already possible to plant DNA evidence (it’s easy enough to collect, as my car demonstrates) and at some point in the future will be a trivial task to synthesise it and no doubt to mask it as well. What needs to happen is that the police perform robust investigation, collecting real evidence and determining motive; DNA samples can never be anything other than circumstantial and should certainly not be used as prima facie evidence of guilt.

One of the biggest issues with any biometric identifier is that it is impossible to change – once my DNA (or my fingerprint) has been used for some nefarious purpose then I can never change – there could be someone who (within the bounds of scanning accuracy) is my genetic “twin” to whom I am permanently linked. Every crime he commits would result in my arrest! We’ve seen this situation with the no-fly lists using names (which admittedly are certainly not as unique as DNA).

As with many of these discussions, it’s not the database itself that’s the problem, but the purposes to which it can be put. Unfortunately no legal restraints can be put in place that will guarantee such a system will not be abused and therefore I have little choice but to criticise the initial implementation – as I’ve done already with other systems in our “database state”. I do have nothing to hide, but there is still plenty to fear from this.

© Paul Squires - All views and opinions are those of the author only.

I was recently re-reading Neal Stephenson’s “In the Beginning…Was the Command Line” (also available online for free) and I was struck by some of the comments that Stephenson makes during his essay and how they relate to the (even more) modern problems facing computer use, particularly in the Internet age.

The key point from the essay is about how the use of GUIs impacts on and impedes a lower level understanding of what’s really going on. Stephenson obviously deals with operating systems but makes an interesting point about how the metaphor of a GUI extends into other areas of the life; the levels of abstraction apply to television, books and other areas of culture. Stephenson uses the interesting story about Disney World as a pre-packaged interpretation of a real experience and it’s certainly one that rings true after a little thought.

“By using GUIs all the time we have insensibly bought into a premise that few people would have accepted if it were presented to them bluntly: namely, that hard things can be made easy, and complicated things simple, by putting the right interface on them.”

This particular quote struck with great resonance, thinking recently, as I had been about identity related issues from a non-technical angel and most interestingly from a psychology perspective. Twice in the past few weeks pub conversations have descended into questions of self image, presentation, reflection, multiple personae – questions, ultimately of “identity”. This was followed by a dinner conversation during which Erving Goffman’s theories on some of those matters were referenced (as you can tell I have a thrilling social life).

Ultimately, all our interactions are identity based – in a conversation the language, tone and vocabulary change according to the audience. The underlying identity doesn’t change, but the presentation of that will vary (there’s been some interesting research recently about how in fact, people do change according to who they surround themselves with however). One of the goals of digital identity management is? to make our online interactions as seamless and natural as our face to face ones.

This leaves me wondering – I do tend to agree with Stephenson’s quote above about how, when we abstract something with metaphors, the underlying concepts become more difficult to understand. There’s been discussion in the past about how impersonation and delegation fit into the identity model and I’m starting to question how we can best use such concepts within a solid identity system.

Identity federation systems provide a level of abstraction that reduces the amount of control that individual users have – the “user centric” model is there to redress that for the consumer space (in the enterprise space any identity is owned by the employer and not the employee), but even there the goal is to reduce the complexity that the user sees – providing a GUI over the command line of the underlying system.

Whilst making systems easier to use, providing metaphors and interoperability layers we need to ensure that the people at both ends of an identity transaction can determine what happens throughout.

© Paul Squires - All views and opinions are those of the author only.