Showing posts with label security. Show all posts

18 May 2017

Tell the UK Government: No Backdoors in Crypto

The UK government seems to be pressing ahead with its idiotic plans to backdoor crypto. There is a (secret) consultation on the subject that closes tomorrow - write to investigatorypowers@homeoffice.gsi.gov.uk.  Here's what I've just sent:

I am writing in connection with UK government proposals to force tech companies and Internet providers to create government backdoors to encrypted communications.

Speaking as a journalist who has been writing about every aspect of computer technology for 35 years, and about the Internet for 20 years (https://en.wikipedia.org/wiki/Glyn_Moody), I cannot emphasise too strongly that this would be a very unwise and dangerous move.

There is no such thing as a safe backdoor that is only available to the authorities.  If a weakness is created in a program or service, it can be found by third parties.  That is hard, but not impossible, especially for well-funded state actors.

Even more likely is that details of backdoors will be leaked.  The recent experience of the WannaCry ransomware attack, which is based on an NSA exploit that was leaked earlier, shows how devastating this kind of subversion can be.

There are two other powerful reasons not to force companies operating in the UK to weaken their security.  First, US companies may simply water down protections for UK users, while protecting those in the rest of the world.  Obviously that would leave UK users particularly vulnerable to attack, and make them prime targets.

Secondly, if British companies are forced to provide backdoors in their products, then no government or company elsewhere in the world will use UK software, since there will always be a risk that it contains intentional security flaws.  This is the surest way to sabotage the UK software industry, and to ensure that computer startups are located anywhere but in the UK.

As well as being harmful, moves to weaken the security of encrypted products are also unnecessary.  As recent events have confirmed, terrorists rarely use encryption, and when they do, they make mistakes that allow the security services to access communications.  Indeed, there are many ways to obtain access and information even when encryption is used, as a recent paper explained (https://www.schneier.com/blog/archives/2017/03/new_paper_on_en.html).

To summarise, the many and mighty harms caused by weakening encryption vastly outweigh any illusory benefits.  The UK government would be ill-advised to take this route.

23 November 2013

Windows 8+TPM: Germany Warns of 'Loss of Control'

Last year, I wrote about some serious issues with Microsoft's Secure Boot Technology in Windows 8. It seems that the German government has started to wake up to problems with Windows 8, as this headline in Die Zeit attests:

On Open Enterprise blog.

26 October 2013

Yet More Security Reasons to Give Microsoft a Miss

In the wake of Microsoft's dire financial results, it might seem a little unsporting to draw attention to more of the company's problems. But its continuing stranglehold on companies and governments around the world means that such measures are justified, not least because people are suffering as result - millions of them.

On Open Enterprise blog.

Can You Trust Microsoft With Your Company Secrets?

About a month ago, I wrote about the extraordinary fact that Microsoft routinely hands over zero-day exploits in its applications to the US government for the latter to use in the short window before they are announced and plugged. One thing that allows is for "foreign" governments and companies to be targeted and various levels of access to be gained in a way that is hard to protect against.

On Open Enterprise blog.

German Minister Calls Security A 'Super Fundamental Right' That Outranks Privacy; German Press Call Him 'Idiot In Charge'

One of the striking features of the Snowden story is that there has been no serious attempt to deny the main claims about massive, global spying. Instead, the fall-back position has become: well, yeah, maybe we did some of that, but look how many lives were saved as a result. For example, the day after the first leaks appeared, it was suggested that PRISM was responsible for stopping a plot to bomb the NYC subways. However, further investigation showed that probably wasn't the case. 

On Techdirt.

31 March 2013

The Great "Cyber" Con

Hackers and hacking have been much in the news recently - for all the wrong reasons, unfortunately. The most dramatic case, perhaps, was the suicide of Aaron Swartz. He was threatened with 35 years in prison, partly for this:

On Open Enterprise blog.

10 March 2013

Armed UK Police Raid House Over Facebook Picture Showing Toy Weapon In Background

One of the reasons Techdirt rails against exaggerated responses to supposed terrorist threats is that it has caused police forces around the world to lose all sense of proportion -- literally, in the case of this UK story from the Daily Mail. 

On Techdirt.

10 February 2013

Banking Equipment Vendor Tries To Censor Security Research With DMCA Notice -- Then Backs Down When Called Out For It

Abuse of the DMCA takedown process to remove material that is awkward or embarrassing for a company is a common enough topic on Techdirt. But here's one with a slight twist. It concerns hardware security modules (HSMs), which manage the cryptographic keys and PINs used to authenticate bank card transactions. These were generally regarded as pretty secure -- until researchers started analyzing them, as Ross Anderson, head of the Security Research Laboratory at Cambridge University, explains: 

On Techdirt.

06 January 2013

Chinese Nobel Prize-Winner Says We Need Censorship Like We Need Airport Security

This year's winner of the Nobel prize in literature, the Chinese writer Mo Yan, was a controversial choice. Some saw him as too close to the Chinese establishment, and thus insufficiently heroic -- unlike the previous Chinese Nobel prize-winner, the imprisoned dissident Liu Xiaobo

On Techdirt.

18 April 2012

What One Line of Code can Teach Us

Light Blue Touchpaper is a blog written by researchers in the Security Group at the University of Cambridge Computer Laboratory (don't miss the explanation of the blog's rather witty name). It's normally full of deep stuff about computer security and vulnerabilities, and is well worth reading for that reason.

On The H Open.

02 March 2012

EU Censorship Plan With A Cheesy Name: The Clean IT Project

A couple of weeks ago, Techdirt reported on UK politicians calling for ISPs to "take down" terrorist content. Now it seems that the idea has not only spread to other European countries, but even acquired a cheesy name: "the Clean IT Project". 

On Techdirt.

12 January 2012

Is Microsoft Blocking Linux Booting on ARM Hardware?

Back in September last year, there was a bit of a to-do about Microsoft's UEFI Secure Boot technology in Windows 8, when a Red Hat engineer posted the following:

On Open Enterprise blog.

04 August 2011

One Thing We Know about the Shady Rats

The news about "Operation Shady Rat" has naturally provoked much interest (as it was intended to....) After all, who could fail to be impressed by claims like this?


I am convinced that every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised (or will be shortly), with the great majority of the victims rarely discovering the intrusion or its impact. In fact, I divide the entire set of Fortune Global 2000 firms into two categories: those that know they’ve been compromised and those that don’t yet know.

Ouch.

You can read the rest of the McAfee post for more details - but not for an answer to the key question: who is doing this? You don't have to be a genius to work out that it's probably one of two large countries situated in Asia, and personally I'd guess it's the one with lots of people in it, FWIW.

But that's not really what interests me here. Instead, I'd like to focus on this final part of the post:

Although Shady RAT’s scope and duration may shock those who have not been as intimately involved in the investigations into these targeted espionage operations as we have been, I would like to caution you that what I have described here has been one specific operation conducted by a single actor/group. We know of many other successful targeted intrusions (not counting cybercrime-related ones) that we are called in to investigate almost weekly, which impact other companies and industries. This is a problem of massive scale that affects nearly every industry and sector of the economies of numerous countries, and the only organizations that are exempt from this threat are those that don’t have anything valuable or interesting worth stealing.

It's a nice ending to a fascinating piece, but in one respect it's almost certainly not true.

That's because, like just about every similar piece describing massive intrusions of this kind, the McAfee post doesn't actually say anything about the platforms that were affected, simply noting:

The compromises themselves were standard procedure for these types of targeted intrusions: a spear-phishing email containing an exploit is sent to an individual with the right level of access at the company, and the exploit when opened on an unpatched system will trigger a download of the implant malware. That malware will execute and initiate a backdoor communication channel to the Command & Control web server and interpret the instructions encoded in the hidden comments embedded in the webpage code. This will be quickly followed by live intruders jumping on to the infected machine and proceeding to quickly escalate privileges and move laterally within the organization to establish new persistent footholds via additional compromised machines running implant malware, as well as targeting for quick exfiltration the key data they came for.

But somebody in the comments asked the obvious question: "Were the initial intrusions all on Microsoft OS machines? Also, was a particular browser targeted?" To which the answer came:

All the malware we’ve seen was Windows-based. There were a variety of vulnerabilities used

Think about that. This massive breach of security, and loss of possibly highly-sensitive information, was all down to two things: the abiding thoughtlessness of people opening attachments, and a range of flaws in Microsoft's software.

So the statement that "the only organizations that are exempt from this threat are those that don’t have anything valuable or interesting worth stealing" is not true; another class would be those wise enough not to allow any of their personnel to use Microsoft products. We may not know definitively who the Shady Rats are, but we certainly know what they *really* love.

Follow me @glynmoody on Twitter and identi.ca, or on Google+

07 February 2011

UK Cyberwar - or UK Cyberwallies?

One of the most embarrassing features of the dotcom era was a habit of putting “cyber” in front of everything to make it look hot and trendy (disclosure: I did it too, but I was 15 years younger then...). Don't look now, but it's back:

On Open Enterprise blog.

27 January 2011

HMRC's Latest IT Fail - and What to Do About It

On Monday, I called the HMRC to give them some information they wanted from me. After being placed on hold for about 10 minutes, I finally got through, and was rightly “taken through security”. After all, it's vitally important that HMRC and similar organisations establish that the person they are talking to is indeed that person. Unfortunately, security had been “upgraded”, so you probably know what is coming next....

On Open Enterprise blog.

13 October 2010

Is GCHQ Frighteningly Clueless or Fiendishly Cunning?

I'm very sceptical about the concept of “cyber attacks”. Not that I doubt that computer systems and infrastructure are attacked: it's just their packaging as some super-duper new “threat” that I find suspicious. It smacks of bandwagon-jumping at best, and at worst looks like an attempt by greedy security companies to drum up yet more business.

On Open Enterprise blog.

06 October 2010

Dr Microsoft: Time to Be Struck Off

A Microsoft researcher offers an interesting medical metaphor:

Just as when an individual who is not vaccinated puts others’ health at risk, computers that are not protected or have been compromised with a bot put others at risk and pose a greater threat to society. In the physical world, international, national, and local health organizations identify, track and control the spread of disease which can include, where necessary, quarantining people to avoid the infection of others. Simply put, we need to improve and maintain the health of consumer devices connected to the Internet in order to avoid greater societal risk. To realize this vision, there are steps that can be taken by governments, the IT industry, Internet access providers, users and others to evaluate the health of consumer devices before granting them unfettered access to the Internet or other critical resources.

So, we're talking about computers "compromised with a bot": now, which ones might they be? Oh look, that would be almost exclusively Windows users. And why would that be? Because no matter how diligent users are in installing endless security updates to the Swiss cheese-like applications known as Windows, Internet Explorer and Microsoft Office, there are always more critical bugs that pop out of the proverbial digital woodwork to lay them open to attack and subversion.

So, where does that leave us when it comes to "improving" and "maintaining" the "health of consumer devices connected to the Internet"? Well, it means that by Microsoft's own logic, the solution is for everyone to junk a system that is still insecure, despite promise after promise after promise that this just was some minor technical detail that Microsoft would fix in the next release.

For Windows has manifestly not been fixed; moreover, Windows will *not* be fixed, because it's just not a priority; Windows may even be *unfixable*. The only sane solution is for people to move to inherently safer (although certainly not perfect or impregnable) alternatives like GNU/Linux.

For a researcher at Microsoft to attempt to avoid this inevitable conclusion by pushing the blame for this endless series of security lapses onto end users this way, and to suggest that they, rather than Microsoft, should be thrown into the outer darkness, is beyond pathetic. (Via @rlancefield.)

Follow me @glynmoody on Twitter or identi.ca.

08 March 2010

Open Source and Security: Are there Limits?

You might think that's a pretty ridiculous question to ask, since the canard about open source being less secure than closed source has been debunked many times. But it seems that some people didn't get the memo:

On Open Enterprise blog.

26 February 2010

Schneier Nails it on CCTV Folly

Another brilliant essay on security from Bruce Schneier. It's all well-worth reading, but here's the nub:


If universal surveillance were the answer, lots of us would have moved to the former East Germany. If surveillance cameras were the answer, camera-happy London, with something like 500,000 of them at a cost of $700 million, would be the safest city on the planet.

We didn't, and it isn't, because surveillance and surveillance cameras don't make us safer. The money spent on cameras in London, and in cities across America, could be much better spent on actual policing.

When will the politicians face up to the facts on CCTV? (Via Boing Boing.)

Follow me @glynmoody on Twitter or identi.ca.

10 February 2010

Is Microsoft Exploiting the Innocent?

I'd never heard of the UK government's Child Exploitation and Online Protection Centre (CEOP), but that's not surprising, since I'm allergic to organisations whose approach is "truly holistic" as CEOP brightly claims. But as well as being susceptible to embarrassing cliches, it seems that the outfit is naive, too.

For, as part of the "Safer Internet Day", CEOP is promoting Internet Explorer 8 on its front page. And what exactly does this famous panacea for all human ills offer in this context? Well:

Download the 'Click CEOP' button into your browser toolbar to provide instant access to internet safety information for children and parents.

Of course, it's rather a pity that to access the information you have to use Internet Explorer 8, scion of a family of browsers that has probably done more than any other software to expose young people to harm on the Internet through woeful security that allows viruses and trojans to be downloaded so easily - one still riddled with flaws.

Strange, then, that CEOP didn't offer a much better way of protecting vulnerable users by suggesting that they switch to a safer browser; it doesn't even offer that same instant access to safety information for Firefox users, thus encouraging people to use IE8 if they want to see it. Moreover, it does this by providing - oh irony of ironies - a link to a .exe file to download and run, the very thing you should be teaching young people *not* to do.

It couldn't be that the young and innocent Child Exploitation and Online Protection Centre has allowed itself to be, er, exploited by that wily old Microsoft here, could it?

Follow me @glynmoody on Twitter or identi.ca.