Dec 13 2012

I have been thinking a fair amount about Information Security recently; probably because I am in the middle of a SANS course which is rather more interesting than most IT courses I have been on. As I was walking in this morning, I was pondering how I would explain what I do to a distant ancestor. Not exactly the easiest of tasks given that what we do involves what would seem to be magic to someone from the distant past.

But an analogy did occur to me: what we do is somewhat similar to the militias that used to protect walled towns and cities in the medieval era, particularly during periods when central authority was somewhat lacking, such as England’s “Anarchy”.

In the distant past (and in some cases, the not so distant past), towns could be at risk of being sacked by brigands for profit or for some “military” purpose. Those living in towns were understandably unhappy about this possibility, and in many cases would arrange for protection by hiring soldiers to protect them; the defences would often include city walls, a militia (paid or voluntary), etc.

Which is somewhat similar to what we do – we’re the soldiers hired to protect the “town” (a company or some kind of institute), and we build town walls (firewalls), and other defences. Obviously it is easy to take the analogy too far – we don’t get to fire crossbows at our attackers. But neither is it completely inaccurate, or indeed uninteresting.

Today we expect our central governments to arrange physical protection for us – we don’t expect to need to organise a militia to protect our cities; neither do we expect to be held up at gunpoint and made to turn over our valuables. Yes, there are exceptions, but they are sufficiently unusual that they are greeted with astonishment. And yes, some companies with especially high value assets do arrange for additional protection over and above what is usually provided by the state.

But when you compare physical security with information security, it becomes apparent that we are still in the medieval era when it comes to information security. States are only just beginning to look at “cyberwarfare” and offer little other than advice to individuals or organisations looking for protection; it is common to hear that the police are simply not interested in looking at an issue unless the costs are less than £1 million.

If someone suffers financial harm through a phishing attack, our standard response is to blame them for being “stupid”. Whilst most phishing attacks do involve someone doing something stupid, it seems odd to blame the victim – who would blame the victim of a mugging?

Similarly when an organisation has some attackers break in, steal a whole bunch of database files which in turn contain tons of clear text passwords, or hashed passwords, we blame the victim. How could they be so stupid as to not protect that data? After all, it costs more to be careful.

So perhaps I could explain what I do as being an old warrior who has settled down in a town and runs the local militia.

Now if you’ll excuse me, it’s time for bed – time to hang up the crossbow and take off this horrible chain mail.

Dec 10 2012

Today it was announced that the NHS would be mapping the DNA of cancer patients (with their consent) to be stored and used by researchers. Which on the surface seems to be a perfectly sensible thing to do.

Of course there are those who are concerned with the privacy issue of the data being stored. Which is fair enough – any large storage of data like this is subject to privacy issues, and there are genuine fears that the data may be made available to private companies with no interest in health research.

Amusingly, one of the comments was that the data would be made anonymous by removing any personal data from the data made available to researchers. Amusing because the most personal data of all, and the ultimate means of identifying an individual, is the DNA sequence itself – nothing can be more fundamental in identifying an individual than their unique DNA sequence.

On a more serious note, it is effectively impossible to make this kind of data completely anonymous. To be of any use the data in this database needs to include more data than just the DNA sequence – such as disease(s), treatments used, outcomes, etc. Whilst this may not be useful in identifying every individual taking part, it may well be enough to identify individuals with rarer combinations of disease and circumstances.
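As an added illustration of that last point (this is not code from the original post): a small re-identification check over constructed, de-identified records. Names and the DNA sequence are already gone; the remaining clinical attributes are assumed to be the quasi-identifiers, and the check shows which records are unique, and that coarsening the data only helps until a rare disease is left.

```python
"""Re-identification check for a de-identified research extract.

Added example, not from the original post. Names and the DNA sequence
have already been stripped; what remains are the clinical attributes a
researcher would need. All records below are constructed sample data.
"""
from collections import defaultdict

# Attributes assumed to act as quasi-identifiers in this example.
FIELDS = ("disease", "treatment", "outcome", "age_band", "region")

# Constructed records: a record id followed by the FIELDS above.
ROWS = [
    (1, "breast cancer", "chemotherapy", "remission", "50-59", "London"),
    (2, "breast cancer", "chemotherapy", "remission", "50-59", "London"),
    (3, "breast cancer", "chemotherapy", "remission", "60-69", "London"),
    (4, "breast cancer", "chemotherapy", "remission", "60-69", "London"),
    (5, "breast cancer", "chemotherapy", "remission", "60-69", "Leeds"),
    (6, "lung cancer", "radiotherapy", "stable", "60-69", "Leeds"),
    (7, "lung cancer", "radiotherapy", "stable", "60-69", "Leeds"),
    (8, "mesothelioma", "surgery", "stable", "30-39", "Leeds"),
]
RECORDS = [dict(zip(("id",) + FIELDS, row)) for row in ROWS]


def equivalence_classes(records, keys=FIELDS):
    """Group record ids by their combination of the attributes in `keys`."""
    groups = defaultdict(list)
    for rec in records:
        groups[tuple(rec[k] for k in keys)].append(rec["id"])
    return dict(groups)


def k_anonymity(records, keys=FIELDS):
    """Size of the smallest group; k == 1 means at least one person is unique."""
    return min(len(ids) for ids in equivalence_classes(records, keys).values())


def unique_records(records, keys=FIELDS):
    """Ids that share their attribute combination with nobody else in the extract."""
    classes = equivalence_classes(records, keys)
    return sorted(ids[0] for ids in classes.values() if len(ids) == 1)


if __name__ == "__main__":
    # With every attribute kept, two patients are singled out.
    print("full attributes:", unique_records(RECORDS))  # [5, 8]
    # Dropping age band and region removes one, but the rare disease remains.
    coarse = ("disease", "treatment", "outcome")
    print("coarsened:", unique_records(RECORDS, coarse))  # [8]
```

The rare disease alone still identifies record 8 however much the surrounding detail is generalised, which is the post's point about rarer combinations.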

Dec 10 2012

In the last week, we have seen two examples of the arrogance of leadership; on both occasions David Cameron has unilaterally decided that the considered opinion of a group of experts is wrong and his snap judgement is right. Of course he is not the only example of this sort of thinking – most Prime Ministers of the past have committed the same sort of error of judgement.

The two decisions in question were the response to the Leveson report, and today’s report on the future of recreational drug legislation. In both cases, people have gone to a considerable effort to consider what to do about certain issues. And of course have spent a lot of my money on doing so.

I do not resent my money being spent on such things; what I do resent is that some puffed up politician is wasting my money by not spending an appropriate amount of time considering the report(s).

A snap decision is necessary in some circumstances, but not in these circumstances! There should be nothing wrong with a political leader saying that they would like to spend some time considering the report – rather than respond with gut instinct to the report’s headlines.

Ripping up a report within hours of it being released is contemptuous of the work that has gone into it, and wasteful of taxpayers’ money.

It may well be that ignoring the report’s recommendations is the right thing to do, but to do so too quickly is definitely the wrong thing to do.

Dec 02 2012

If you were to pop into a Leicester Square cinema to watch the latest episode of the James Bond saga (Skyfall), and notice a small group of nondescript people pissing themselves with laughter at the most inappropriate moments, it is entirely possible you have spotted a works outing from SIS. Because James Bond is about as far from a genuine SIS intelligence officer as you can possibly get.

That is not to say that Ian Fleming was not aware of what he was doing when he created the James Bond character – he was part of Naval Intelligence during the war, and undoubtedly met many intelligence officers as well as officers from more “activist” agencies. The closest British agency that James Bond might be a member of is the old war-time SOE. And even there, his activities are far too public and extreme.

If anything, James Bond most closely resembles another fictional character: The Cleaner from the film Nikita. Whilst James Bond seems charming, he is in fact a cold blooded killer. A psychopathic tool wielded by the British government, and sent into situations where a “cleaner” is required.

James Bond was always envisaged as an entertaining character getting involved in many exciting adventures, whereas real intelligence work is probably quite boring … ignoring the possibility of getting caught, of course! Intelligence agents, on the other hand, may be involved in slightly more exciting activities, but any agent who starts to live too exciting a life is likely to get dropped by his or her controlling officer like a hot potato.

Real intelligence work is supposed to be secret; any operation that becomes public knowledge can be considered to be a failure. The purpose of an intelligence service is to gather intelligence. And to do so secretly.

That is not to say that covert operations are always a bad idea, although they do have a poor reputation. Perhaps because only the poor ones get known about. But such operations are not what intelligence services are about, or what they are good at. The clearest demonstration of this was the strained relations between SIS and SOE during WWII, which were not simply because some SIS officers did not like the young upstart, but because SIS and SOE operations were different and could sometimes have a negative impact on each other.

And back to James Bond. Does the fact that he has very little to do with the real SIS mean anything? Only if you want the James Bond films to be a documentary on the activities of SIS; if you want entertainment, he certainly provides that.

Everyone has their own favourite actor playing James Bond, but I think this is a mistake. All of the actors playing Bond have been quite talented; it is the story that makes the difference, and the tone of how the story is told. Different Bond eras have different flavours: the Sean Connery era was serious with a touch of humour, the Roger Moore era became so humorous that it was verging on “Carry On Spying”, and the later Bond films went back to being serious. Perhaps even more serious than the early films.

Which you prefer is down to your personal tastes, but my liking is for the more serious films.

There are claims that James Bond is misogynistic, which is understandable but completely wrong. He is a mirror of the society that he finds himself in – if he seems misogynistic, it is the society that is misogynistic. After all we never see the real Bond; he is always playing a role to fit in as an upper-class twit.

And as for his sexual adventures, there is more than one hint throughout the films that more than a few of his “conquests” are to do with his job, and that he might prefer to have nothing to do with certain women. It is interesting to compare how people react to real characters such as Cynthia who also exploited her sexual conquests.

We always seem to think of upper-class twits as being like Bertie Wooster, but they were not all like that. It is easy to overlook the past when the upper-class twit actually had considerable power, but that is when the world’s largest empire was built – the British Empire. And upper-class twits had a considerable amount to do with the foundation of that empire.

Whether James Bond is an upper-class twit or is just pretending to be one, we will never know. But it is a good disguise.

As to how he is invulnerable to bullets, we will never know.
Dec 01 2012

So Leveson has finally released his report on press regulation, and as quick as a flash the Tories and the chief Tory (David Cameron – the Prime Minister) have announced that they will have nothing to do with it. They prefer some form of self-regulation; in other words a toothless organisation which the press routinely ignores or sticks a middle finger up to (i.e. a modified version of the old Press Complaints Commission).

Nothing could demonstrate more clearly that the Tories will bend over backwards to support any kind of business (including the demonstrably corrupt), and ignore the needs of the public. Without reading the report, it is still possible to determine that the recommendations are sensible merely by looking at who opposes it – the Tories, and the press themselves. Just about every other politician is right behind Leveson.

The big trouble with self-regulation (at least of the press) is that it has been tried again, and again, and still fails. As Leveson himself reports, we have had 7 inquiries into press standards over the last 70 years. The press regularly acts “as if its own code, which it wrote, simply did not exist”.

Or in other words, when the press barons say that they will behave now, we know they are lying seeing as they have promised that before and have yet to live up to their fine words.

Interestingly, the Tories seem most concerned about Leveson because they believe that the government and parliament should have no say in the regulation of the press. Thus demonstrating that their reading comprehension is perhaps at the level of a 10 year old.

As Leveson himself says:

Not a single witness has proposed that the Government or Parliament should themselves be involved in the regulation of the press. I have not contemplated and do not make any such proposal.

Personally I am not opposed to self-regulation in general; at least until that self-regulation has been demonstrated to be useless. But in practically every case where an industry or professional group has regulated itself, it has failed to do so properly. We have trusted the press to regulate itself and ultimately it has failed to do so.

Statutory regulation of the press is very definitely something to be wary of – let the politicians have a say in how the press is run and we would never have heard of the MPs expenses scandal! But this is not what Leveson is suggesting; he is suggesting that an independent body regulates the press with statutory authority.

Frankly if a regulatory authority wants to punish a rogue editor – perhaps with a thousand lashes of the cat – it needs statutory authority or the rogue editor is likely to raise the finger and walk out.

Finally, and the main reason for this post; time to give the Tories a bloody nose by telling them that we want the Leveson recommendations implemented. Visit the petition site and tell them so!