UK Data Leaks: Public Sector Vs. Private Sector

 Computing, Media, Politics  No Responses »
Nov 022008
 

Today we woke up to learn of yet another UK government data leak. Apparently a memory stick was left in a pub car park. Of course as always, not is all quite as it seems; the person who actually left the memory stick where it was, actually worked for a private sector company doing contracting work for the government. So was this really a UK government data leak at all ?

Well yes, the data was government data and it does not matter who leaked it. From memory (i.e. I am too lazy to hunt down the links to check) this is not the first time that government data leaks have been caused by private contractors. Perhaps the government should stick to doing their own work when it comes to working with data that contains personal information; if there is anything more aggravating than being slated for your own stupidity it is being criticised for someone else’s stupidity.

Of course most people will be under the impression that data leaks pretty much only occur when the government is involved; somehow data leaks from private sector companies never seem to hit the headlines in quite the same way. For instance the headlines for this morning’s leaks were all about the government role in the data loss and no mention of the private sector firm involved :-

  • “Government memory stick found in pub” – Independent on Sunday.
  • Government passwords left at pub” – Guardian; also “Fears for personal data after government passwords left in pub car park”.
  • Brown says government cannot ensure data safety” – Times.

I have left out a few … I could not find the story on a few websites belonging to the gutter press, and lost interest after one too many pages with lurid colours and half-naked women popping out at me. But it’s all “the government” in those headlines; although they do in the end point out that it was a private contractor who lost the data.

Anyone reading (and trusting!) the media would be under the impression that the Government cannot be trusted with our personal information whereas private sector companies can because they rarely end up as front-page stories for losing data. Well I am not totally convinced that the Government has a monopoly on stupidity; there seems more than enough to go around.

Hunting down stories about private sector data leaks is kind of tedious because there does not appear to be that much out there, but a few stories did show up (not linking to anything before 2007) :-

The last story is particularly interesting – 56 reported data leaks from financial firms in 2008 (who are not required to report data leaks). In a report by Verizon, it is estimated that of all private sector data leaks, only 14% of leaks are from financial firms; doing a little arithmetic indicates that there have been at least 400 data leaks this year.

So is the private sector any better or worse than the public sector ? They are probably just the same – woefully irresponsible. People rarely care about information security of others in their daily lives; in fact they are often also completely naive about their own information security.

So why does the government come in for so much criticism in comparison to the private sector ? Partially it is simply that we do not get a choice in the matter of whether to do business with the government or not. And partially it probably makes for a better media story. Or perhaps the media just wants to attack the government.

Perhaps some journalist can take a proper look at the private sector leaks, do the job properly and just for once the private sector can get some justified criticism. They might also want to take a closer look at the media’s preference for attacking the government on this matter.

Onto another matter; encryption. The government response was that the only personal data leaked in this case was encrypted as though that would protect the data. Well maybe, but only if it was strong encryption. Most people who use encryption are not aware of whether the encryption method is strong or not. For instance a quick google for “Word document password recovery” returns a huge list of choices for applicatiosn which will break the encryption on Word documents – making the encryption built into Word completely pointless. But how many people who use this encryption know that they are getting a false sense of security ?

No Flash?

 Computing, General  No Responses »
Oct 212008
 

So I was trawling the web looking at chairs (one manufacturer in particular – it doesn’t matter who) available at various stockists, when I was suddenly brought up short by a little error message “Your browser does not support Flash files”.

Strangely enough the site I had just visited itself had an annoying Flash-based website … all presentation in full-screen window with non-standard navigation controls. So what was the error about ?

Well obviously my browser does support Flash, but the chances are the developers were checking for a particular version of Flash that does not exist for the operating system I use as yet. So “does not support Flash files”  is not quite appropriate, something more like “Nah! Nah! You aren’t as up to date as we are” would be more accutate.

Not really sensible however as I could have been looking to drop something like £1,000 on a chair (yes they really do cost in that region, and yes they probably are that good). Especially as the Flash site in question probably does not absolutely require all of the features of the latest version.

Ah well, I guess I won’t be buying a chair from that place then.

No More Drupal, Hello WordPress

 Computing  No Responses »
Sep 202008
 

Well it was fun playing with Drupal for a while (looks to be about 2 years), but I was not really using it to the full extent. In fact all I was doing was writing a blog, which something like WordPress can do perfectly well. And it was time I had another look at WordPress given I now have something that allows me to publish entries from my iPhone.

All of the old posts have been kept, but unfortunately the URLs are not the same so old links (or realistically links from search results) will no longer work. Something I personally hate.

iPhone: Changing The Root Password

 Computing  1 Response »
Jul 192008
 

I have just changed the root password on my iPhone from the default (really dumb of Apple to give every iPhone the same root password; it would not be much work to set the default root password from the IMEI or something). Before doing so I googled for appropriate instructions.

Nothing wrong with the technical side of the instructions out there, but none I read made a point of what I would consider basic safety for dealing with changing the root password on a Unix machine. Keep a session open in case things go wrong!

My own instructions for doing the change went along the lines of :-

  1. Open two terminals
  2. Create a new password hash with openssl passwd -crypt -salt "XX" "xyzzy" (obviously change the salt (“XX”) to two characters of your choice, and pick a better password than “xyzzy”!). Keep the output stashed somewhere safe.
  3. In both terminals ssh to the iPhone (ssh root@iphone).
  4. Copy the file /etc/master.passwd to a safe copy /etc/master.passwd.original
  5. Edit /etc/master.passwd and put the stashed has into the second field of root’s entry.
  6. Now exit from the ssh session in one window and try to reconnect with the new password.

If things have gone wrong you will have an open session available to fix things (cp /etc/master.passwd.original /etc/master.passwd would be worth trying) whereas without you are kind of stuck.

IT: Upgrading To Ubuntu 8.04

 Computing  No Responses »
Apr 272008
 

This entry is about upgrading a machine running Ubuntu 7.10 to Ubuntu 8.04 which is only just out. But not in the standard way which would be quite boring.

I have at least two computers running Ubuntu, both configured in a fairly complex way and both fairly important (in the sense I really don’t need to try an upgrade and end up with a broken system). Whilst Ubuntu frequently does upgrade without a hitch, it can occasionally choke; this is seemingly more common with more complex installations.

Why not preserve an old copy of the install around to revert to ? Well with LVM it is perfectly possible. Ignoring what happens underneath, I have an LVM volume group called “internal” (actually I don’t, but I would if I were to re-install) which has :-

  • var – 4Gbytes to be mounted as /var
  • root – 8Gbytes to be mounted as /
  • home – “enough” to be mounted as /home

Note I do not believe in allocating all available disk space with a storage management system like LVM available; I do a great deal of storage management work and the biggest mistake anyone can make is assuming that they know the storage requirements of a system throughout it’s whole lifetime. This applies in spades to a desktop machine. Without some free space, the suggested upgrade mechanism won’t work.

Now with modern hard disks, we are likely to have more than enough storage to allocate. For instance on this machine right away I have 138Gbytes of free storage (mirrored). And that it is on a two year old machine; a newer machine would have larger disks. Easily enough storage to have two or more “copies” of different versions of Ubuntu around.

It would be nice if Ubuntu could do much of the work for us, but for now it’s pretty much a manual process. As an aside, the Ubuntu developers should probably think about using LVM in the default installer to assist in the development of this kind of feature.

The first stage is to create new logical volumes and build filesystems on them. I chose to name the logical volumes after the operating system version they would be running …

lvcreate -n 804root --size=8G /dev/internal
lvcreate -n 804var --size=4G /dev/internal
mkfs -t xfs /dev/internal/804root
mkfs -t xfs /dev/internal/804var

Now the key here is not to look at the current size of your /var filesystem and decide you need a much smaller filesystem … or the upgrade process will refuse to start. You can always reduce it later if you really want to quibble over 1-2Gbytes.

The next stage is to copy the relevant filesystems across. At this point you should avoid running as much as possible and probably do this from a text terminal after shutting down GDM …

/etc/init.d/gdm stop
apt-get install star
     (If you don't have it installed already)
mount /dev/internal/804var /mnt
star -v -xdev -acl -copy /var/* /mnt
umount /mnt
mount /dev/internal/804root /mnt
star -v -xdev -acl -copy / /mnt

This stage will take some time to complete. You will want to do a quick check of the new / and /var to ensure they look roughly like the originals (I always seem to come up with the equivalent of /var/var when I do something like this). Notice that the new root filesystem is still mounted … you need to edit /mnt/etc/fstab to alter what devices are mounted for / and /var.

The next stage is a bit tricky because I didn’t do it “right”, so I will be suggesting something that I didn’t try myself. The task is to modify /boot/grub/menu.lst in such a way as to result in two separate menu entries that will boot either the old operating environment or the new operating environment.

I would suggest that you :-

  1. Create an entry outside of the “DEBIAN AUTOMAGIC KERNELS LIST” that essentially replicates one of the entries. It should not be modified to boot off the new root filesystem.
  2. Modify all of the entries in the “DEBIAN AUTOMAGIC KERNELS LIST” (it makes sense when you review the menu.lst file) to alter the “root=’ kernel parameter to point to the new root filesystem. This is not the “root (hd0,0)” part, but the kernel parameter “root”. It will specify the old root filesystem logical volume (something like “root=/dev/internal/root”) and you want to change this to “root=/dev/internal/804root”.

At this point you should probably reboot to check that both environments work. Just make sure you have a recent rescue CD knocking around before you do.

After you have done the checking you can boot the new environment and use ‘update-manager’ to upgrade the new environment to Ubuntu 8.04. This will probably work (it worked fine for me).

Undoubtedly the next time I try this, I will figure out how to make it work better, but it is good enough to have a “fallback” option in case an upgrade goes badly. For instance until last week, running Vmware Server under 8.04beta was pretty tricky and if it were still the case I would have to revert back to 7.10.

 Older Entries  Newer Entries