This blog posting represents the views of the author, David Fosberry. Those opinions may change over time. They do not constitute an expert legal or financial opinion.

If you have comments on this blog posting, please email me .

The Opinion Blog is organised by threads, so each post is identified by a thread number ("Major" index) and a post number ("Minor" index). If you want to view the index of blogs, click here to download it as an Excel spreadsheet.

Click here to see the whole Opinion Blog.

To view, save, share or refer to a particular blog post, use the link in that post (below/right, where it says "Show only this post").

US DoJ Hacks Back.

Posted on 27th January 2023

Show only this post
Show all posts in this thread (Cybersecurity).

I was pleasantly surprised by this story on the BBC, which describes the Department of Justice's (DoJ) campaign of over 6 months hacking the cyber-crime organisation Hive.

The FBI managed to gain deep access to the Hive ransomware group in late July 2022. The were the able to warn victims of impending attacks. They also gave more than 300 decryption keys to victims, saving them more than $130m.

The US DoJ said it had taken down Hive's websites and communication networks, working with other national police forces including in Germany and the Netherlands.

We need more of this proactivity.

A String Of Major Hacking Attacks.

Posted on 28th November 2022

Show only this post
Show all posts in this thread (Cybersecurity).

There have been a number of significant hacking breaches is the last few weeks.

This article on Security Affairs reports on a data breach (or multiple breaches - the report is a little confusing in this respect) at Twitter that has resulted in the data (including phone numbers and email addresses) of 5.4 million users being made available online.

An even larger breach has been suffered by WhatsApp, with the user data (in this case, phone numbers) of nearly half a billion (487 million, 25% of the total) users accessed, as reported by Business Standard: the data of 32 million users from the US, 11 million from the UK, 45 million from Egypt, 35 million from Italy, 29 million from Saudi Arabia, 20 million from France, 20 million from Turkey, 10 million from Russia (10 mn) and 6 million from India. At the moment this is only a risk, since the data has not yet been made available online, but that is probably only a matter of time. The article also pointed out that "Last year, information about more than 500 million users of Facebook, another Meta-owned company, was offered online for free. In 2019, data of 419 million Facebook and 49 million Instagram users were exposed. In the same year, it had faced another breach leaving data of 267 million users exposed."

Finally (for now), this piece from Bleeping Computer reports on the disclosure by Dropbox (whose software provides file storage and sharing, used by 700 million users) that 130 of their GitHub code repositories. Dropbox said "To date, our investigation has found that the code accessed by this threat actor contained some credentials — primarily, API keys — used by Dropbox developers," which opens up the possibility that Dropbox users' data (which is supposed to be secure) could, in future be accessed by the hackers.

All this goes to show that companies (Twitter, Facebook/Instagram and WhatsApp) are consistently unable to keep the data of their users secure.

Bad Publicity for NHS IT Supplier.

Posted on 15th August 2022

Show only this post
Show all posts in this thread (Cybersecurity).

This BBC report is a really bad advertisement for the company involved, Advanced.

Advanced, which provides digital IT services to the NHS (UK National Health Service), has been hit by a ransomware attack. There is a chance (not yet confirmed) that NHS data including patient data, has been stolen in the attack. Although ransomware attacks do not usually steal data, the security vulnerabilities that allowed the ransomware attack could also be used by hacker organisations wanting to steal data.

The NHS relies on all of its suppliers of services and products to ensure the security and reliability of its services and data, and it only takes one weak link in the chain to compromise potentially everything.

This is not only very bad publicity for Advanced, but also (as if we needed any more proof - governments and their agencies are notorious for their poor protection of sensitive data) shows that the NHS is not taking cybersecurity seriously. Advance should be better protected, and the NHS have clearly failed in their duty of due diligence, which is something that needs to happen not only when suppliers are selected, but also continuously thereafter.

Video-conferencing apps may listen to you even while muted!

Posted on 13th April 2022

Show only this post
Show all posts in this thread (Cybersecurity).

This report on "The Next Web" warns people about something worrying, even though it should be obvious to people who have a modicum of technical know-how: when you are in a video-conference, muting in the app will only prevent other conference participants from hearing you. The app/service provider is able to listen to anything you say, and record it or analyse it with an AI program. That does not mean that they are eavesdropping, but it is technically possible; it reminds us all of how much trust we are placing in the likes of Zoom and Microsoft (suppliers of Teams and Skype).

I don't know about the rest of you, but I don't want someone recording or analysing my speech when I am muted. It is an invasion of privacy.

You might think that, having muted, you can safely swear about your boss, or talk about something that is not intended for public knowledge with someone else in the room with you, but this is clearly not the case.

Luckily, as the article points it, it is still possible to mute, by muting the device, not the app. For example, many headsets mute if you raise the microphone; alternatively you can use your operating system functionality to mute the microphone locally (how you do this depends on what operating system and version you have).

Bank With No Cybersecurity Gets Hacked.

Posted on 8th April 2022

Show only this post
Show all posts in this thread (Cybersecurity).

There is a reason why computer experts recommend that you have cybersecurity software and processes, as demonstrated by this story (reported here on The Register).

Apparently the Andra Pradesh Mahesh Co-Operative Urban Bank's firewall licence had expired (at least they had one, which maybe still worked, but there would have been no more updates), and they had no phishing protection, intrusion detection system or intrusion prevention system. It is therefore no surprise that they got hacked, resulting in a significant amount of money being stolen.

I feel sorry for their customers, who were probably assured that the bank had comprehensive cybersecurity systems and processes in place.

For your computer systems to be secure, you need to be paranoid. For example, if you are reading this on my web-site, your access is through 3 different firewalls. That paranoia should extend to not sharing details with your friends, family, colleagues or employer of what kind of cybersecurity you have in place (notice that I didn't tell you what and where my 3 firewalls are).

Even for securing your home computers, you need to be paranoid: at the very minimum, firewalls and antivirus programs, both regularly updated; and scan your systems regularly.

Another thing you might want to look into is your Internet modem. In the old days, when all traffic ran over IPv4, all your home systems (servers, desktops, laptops, NAS, mobile phones and Internet of Things smart devices) were hidden from public view by NAT routing in the Internet modem. Then IPv6 was introduced: older IPv6 capable Internet modems (like the Techicolor TC7200) offered no firewall protection of IPv6 devices on your home network; they were all visible and accessible to anyone on the Internet; newer Internet modems like the FritzBox 7590 have IPv6 firewalling. You can find out by reading the manufacturer's user handbook, or checking the administration interface (if it has a section to allow your IPv6 devices to be accessed from the Internet, which you would need to do for a web-server or email-server, then it has an IPv6 firewall).

The Perils Of Using Online Service Providers.

Posted on 21st December 2021

Show only this post
Show all posts in this thread (Cybersecurity).

A recent ransomware attack on Kronos (reported on here by the BBC) highlights the risks of using online services for business critical functions.

Kronos provide cloud-based services for workforce management and human capital management, which includes payroll services.

Due to the attack, a number of large businesses, including Sainsbury's (a large UK supermarket chain), were unable to process their payroll.

Large corporations like to outsource, including to online service providers like Kronos and Kaseya (read about the Kayeya incident here), because there are cost advantages. The downside, however, is the increased risk of loss of service. A large online or cloud-based service provider is a larger and more interesting target for hackers; why spend time and effort attacking one company, when you can with the same effort attack a service provider and impact many companies? This is why there are so many of these kinds of attack at the moment; almost all attacks target either service providers, providers of software used by many organisations or large multi-site organisations like healthcare provides and government agencies.

There are, of course, contingency measures that one can take to protect against an attack on one's service providers, although they all have a cost. For example have a fallback service provider, to whom you send the same data, whether payroll, print or backup service data. When one's primary provider is hacked, you will be ready to go with an alternative.

Hacking Continues.

Posted on 26th August 2021

Show only this post
Show all posts in this thread (Cybersecurity).

Several recent stories show that hacking (and rasomware) attacks, and security vulnerabilities, are part of every day life in the modern world, and not just some passing phase. They also show that the problem is being exacerbated by a lack of the appropriate paranoia about the risks, and by general stupidity.

Earlier this year the Solarwinds hack came to light, which mainly targeted U.S. government agencies, although it went undetected for many months.

More recently there was the Kaseya attack, which affected companies around the world. Many companies were much more seriously impacted than necessary, because they were using Kaseya's backup service, meaning that the backups, which were also compromised, could not be used to recover from the hack. A friend who runs a small to medium sized company in Munich was impacted by this hack (and he is totally paranoid about cybersecurity!), and will not be using Kaseya's backup service any more (he didn't actually realise that his backups used this service, because his backups were handled by one of his service providers, who in turn used Kaseya).

Crypto-currency traders and repositories were also hit recently. There was an attack on Poly Network, in which about $600M was stolen, although bizarrely, most of the funds were later returned by the hacker. Then there was an attack on Japanese crypto-currency exchange Liquid. where the hackers stole around $100M.

There was a hack which stole data on more than 40 million of T-Mobile's U.S. customers (and people who had merely applied to be customers).

Microsoft continues to be the greatest cybersecurity risk in many people's everyday lives; Adobe is a close second. After the PrintNightmare vulnerability came to light, there is now a new security hole which would let hackers take control of your systems, without needing an administrative password. This article on Tom's Guide really says it all: "Boneheaded recent change to Windows just makes it too easy". It's like I always say, you can't trust Microsoft.

We need to accept that this problem affects everyone, and all systems, and to apply some common sense and paranoia, to reduce the risks and impacts. The problem is not going away. Security needs to be designed into systems from the ground up, not added as a bolt-on fix. Do your own backups, and store them off-site; update your systems frequently (but vet the updates before rolling them out); use firewalls which only allow essential access, and review the settings regularly; use dissimilar systems where possible (e.g. Linux servers with Windows clients); use quality malware scanners (more than one); block your users' access to dangerous web-sites; provide your users with a quarantine environment where they can open suspicious email attachments and visit suspicious web-links; control the connection of removable media/devices (USB drives, mobile phones, etc.) to company systems; and trust no-one.

Colossal cyber-attack!

Posted on 4th July 2021

Show only this post
Show all posts in this thread (Cybersecurity).

This news report on the BBC describes a huge cyber-attack, with about 200 US companies effected so far, and the number apparently still growing.

The attack seems to be working in a similar way to the SolarWinds attack on US government agencies in 2020, whereby a software supplier (Kaseya, in the latest attack) was breached and their software compromised; the compromised software was then distributed to their customers through the standard software update process.

The latest story, also on the BBC, reports that the Swedish Coop supermarket chain has had to close hundreds of their stores, because they were unable to process customers' payments. This is a huge problem in Sweden, where almost all shop payments are electronic, and many people do not carry enough cash to pay for their groceries.

The worrying thing is that the Swedish Coop is not even a direct customer of Kaseya, but a customer of one of Kaseya's customers. This suggests that the impact could potentially grow even larger.

New Windows vulnerability affects all Windows versions.

Posted on 3rd July 2021

Show only this post
Show all posts in this thread (Cybersecurity).

This report on PCMag, and this one on Tom's Guide are about the newly discovered PrintNightmare exploit of a Windows security vulnerability.

Yes, the vulnerability is already being actively exploited, and your computers are at risk.

So, yet again, Microsoft, with their poor design and cavalier attitude to users' security, have put millions of users at risk. The potential impact is huge, because all Windows versions since Windows are vulnerable.

The vulnerable software is the Print Spooler, which is common to all Windows versions, both client and server. As yet there is no patch to close the vulnerability, but there are some things that you can do to reduce or eliminate the risk (depending on your network topology and security policies). Microsoft has released a document listing “PrintNightmare” mitigation strategies. The suggestion on Tom's Guide is to disable the Print Spooler service (which you probably can't live with) or to disable inbound remote printing through Windows’ Group Policy.

Disabling inbound remote printing means that your Windows print servers will not work; yet another reason to migrate your server functionality to Linux.

Time To Check If Your Email Password Has Been Compromised.

Posted on 12th June 2021

Show only this post
Show all posts in this thread (Cybersecurity).

This report on "Laptop" describes the latest release of hacked email passwords on the Internet.

The published leak is a 100GB text file comprising 8.4 billion private login entries (email address and password pairs).

The article included a link to "Have I Been Pwned?", where you can easily check whether any of your email passwords have been compromised. This is safe: all you need to do is enter your email address, and it will respond with the number of passwords in the file for that address. You are not asked for your password, and there is no way for you or anyone else, to find out what those passwords are.

I strongly recommend that everyone checks all of their email addresses.

Amazon Rolls Out Sidewalk: Automated Hacking.

Posted on 12th June 2021

Show only this post
Show all posts in this thread (Cybersecurity).

As reported here on Defender Network, Amazon Sidewalk has now been rolled out (on the 8th of June). If you didn't opt out, you already have it. More to the point, your neighbours with Amazon devices (Alexa, Echo, or a Ring Doorbell) also have it, with the option to use your WiFi is theirs is not working, unless you opted out.

"Amazon Sidewalk is a free, shared network to help customers with Amazon devices, Alexa, Echo, Ring doorbell, and security cameras, stay connected even if your wifi is weak or fails. Sidewalk automatically connects customers to the wifi of neighbors who also have Amazon devices."

This is a huge security risk for your home network, opening the door to hacking from your neighbours' networks. Any security measures are only as secure as the weakest link, so your risk is determined by how careful your neighbours have been.

Personally, I am rather paranoid about my network security. This means:

  • I will not have smart Internet-connected devices like Amazon Alexa, Echo, or a Ring doorbell on my network, nor indeed any IoT (Internet of Things) device (Internet-connected TV or refrigerator) on my network:
  • I am picky about who can connect to my WfFi.
Porn Addict Spreads Malware To Government Network

Posted on 6th November 2018

Show only this post
Show all posts in this thread.

No wonder government agencies do such a poor job protecting our data. This story on the BBC describes how a porn-addicted worker at the US Geological Survey (USGS) infected computers on a government network by visiting malware-infected porn websites.

The US Office of the Inspector General has recommended that the USGS blacklist "rogue" websites. You think? Duh!

I find so many things incredible about this story:

  • That the USGS hadn't blacklisted dangerous sites. It is not hard; there are lists that you can subscribe to for free blacklists.
  • That USGS employees are advised not to connect USB devices or mobile phones to government computers, but USB connections are not disabled.
  • That an employee was dumb enough to access porn sites from his office computer (presumably during working hours, although I don't know that for sure).

It is not as if the threat posed by porn sites is a surprise. It is a well know problem.

If you want to look at porn sites (and many people do - porn is one of the heaviest sources of Internet traffic), then do it from home, or somewhere else private, and use a virtual machine (which you can then easily periodically restore from a clean backup - i.e. from before you used it to access porn). Then any infection will only affect the VM (virtual machine), and can be easily dealt with by the restore. You can use VMs on Windows, Mac, and Linux computers. If you are concerned about people knowing that you look at porn, access it via a VPN (there are widely available options for free or low-cost VPNs). Also, choose your porn sites wisely (read a review to help decide which are safe).

Of course, porn sites are not the only way to get infected with malware. The worst infection that I had was from a Microsoft site, when downloading a document template. Phishing emails are very common; you should never open email attachments from unknown sources. I use a quarantine VM to open email attachments that I am unsure about.

You can read more about virtualisation and how to virtualise, although these are mostly focused on virtual machines running on Linux hosts.

Web firm fights DoJ on Trump protesters

Posted on 18th August 2017

Show only this post
Show all posts in this thread.

This report on the BBC is rather worrying.

A US web-host service provider, DreamHost, is embroiled in a battle with the US Department of Justice (DoJ) over a request for all the IP addresses of people (about 1.3 million of them) who accessed a web-site that helped organise a protest on the day of President Trump's inauguration. DreamHost is currently refusing to provide the data, and the dispute is due to be heard in court later this month.

Regulations have already been changed to allow ISPs and other web-service providers (like Google) to sell the data on what web-sites you visit (if they choose to, but so far no-one has chosen to do this). Now the government wants that data too (presumably without even paying for it).

This is all rather bizarre, given that the US constitution gives people the right to free speech, which is normally considered to include the right to protest (peacefully). It seems that the world described in George Orwell's "1984" is coming to pass (albeit more than 30 years behind schedule); if you have never read this book, now seems to be a good time.

If you don't already use one, now might be a good time to investigate the use of a VPN or a public proxy server to hide your web-activity; a service that is based outside of the USA, otherwise the US government will be able to force the VPN or proxy service provider to hand over data on your browsing habits. Also, you should get in the habit of using HTTPS (secure HTTP) when you visit web-sites; most major web-sites are available over HTTPS (this site is available over HTTPS, and many sites automatically redirect you to HTTPS if you visit using non-secure HTTP).

Since I live in Germany, where data protection and privacy laws are strong and well enforced, I don't currently have many worries about my Internet usage data being sold or handed over to some government, but nevertheless I use a proxy for some of my traffic. Readers in the USA (and the UK) are much more exposed, and you need to protect yourselves.

Why We Need VPNs

Posted on 2nd August 2017

Show only this post
Show all posts in this thread.

There were two stories on the BBC today about VPNs:

  • This article about Russia banning VPNs for web-browsing, to stop people accessing web-sites which are banned in Russia;
  • and this piece about how Apple has agreed to comply with Chinese government requests to remove VPN apps from the Apple Store.

I can understand both these decisions. Russia wants to enforce their bans on illegal web-sites, such as those on the dark-web which sell drugs and weapons. Apple needs to keep the Chinese happy, otherwise their business in China (manufacturing iPhones, and the sales of Apple devices in the Chinese market) will be interfered with, as has happened in the past.

These, however, are not the only crackdowns against VPNs. Streaming services like Netflix have been making it more and more difficult to bypass their regional controls (designed to ensure that material can only be accessed in countries where they hold a licence to sell it) by blocking access to their services from known public VPN services. Governments around the world have also been strongly making the case for having access to encrypted Internet traffic (most business operated VPNs are encrypted) to help prevent terrorist attacks.

A VPN is a Virtual Private Network: a logical (i.e. not physical) network to seamlessly connect computers as if they were physically connected. The access to VPNs is usually controlled (with a user-id and password, and sometimes with more complex access controls) and many are encrypted to keep their traffic secure. In this respect they differ from the public proxy servers, widely available, that you can also use to keep your Internet traffic secure. Many of you may not care very much about the trend to ban the use of VPNs, but if VPNs become widely banned, it will effect all of us.

Most readers may not have been exposed to the legitimate use of VPNs, and believe that they are only used to access illicit web-sites and to view copyrighted streamed content which is otherwise not available where they live, but VPNs are widely used in industry, and are essential to the business which use them. VPNs are the usual means to allow remote access to IT systems (email servers, file servers, databases and a host of collaboration tools).

I used to work for a company which had VPN access (one of many jobs where I used VPNs, actually). From home I could connect to all the systems that I would use when in the office, via their VPN. I could then use that VPN to connect to another VPN, providing me access to a customer's systems in another country, enabling me to perform software installations, diagnose and repair faults, and other system administration and support tasks. Without the VPNs, I would have had to go to the office and/or to the customer's site for all such tasks. Since I frequently received work phone calls in the middle of the night, that would have been very inconvenient, and would have vastly increased the cost and the time to complete otherwise simple tasks, if I had had no VPN to use.

Most companies having offices or factories in multiple locations operate at least one VPN. Siemens is an example. Siemens staff can access IT resources at their home office when they are on secondment to another site, and even make phone calls over the VPN to other offices, and make calls at local rates to suppliers, friends and family over the VPN. Given the attempts by governments to access mails on public email services (see here) and the tapping of Internet traffic, you can understand why companies want to use their own email servers, and have their employees access the servers via a secure VPN.

I run a Linux server at home (where this web-site is hosted), meaning that I have free software enabling me to set up a public VPN or even a proxy server. I am starting to wonder whether I should do so, as a statement of my objection to the trend to outlawing VPNs.

Lessons From The Massive Ransom-ware Attack

Posted on 15th May 2016

Show only this post
Show all posts in this thread.

There are several very important lessons to be learned from the recent enormous ransom-ware attack (reported here, by the BBC), which affected at least 99 countries, and had huge impact on the National Health Service (NHS) in the UK.

The attack was a worm (not a virus), meaning that infection passes directly from one networked device to another, without the need for any user interaction (being careful about what email attachments you click on is no protection).

The attack was stopped, in part, by the efforts of a UK security researcher "MalwareTech", who found a "kill-switch coded into the worm. This kill-switch will prevent new devices being affected by the worm, but will not decrypt already infected devices.

  1. Firstly, it is a timely reminder for everyone, even people who do not own a computer, smartphone or other computational device, that the modern world is full of cyber-threats and that there is no way to guarantee protection from them. The chaos caused in the NHS shows that people's lives can be severely disrupted, including lives put at risk, by attacks on our infrastructure. If you own or administer computers, this is a reminder of how vital it is to take regular and frequent back-ups, and to keep those devices up to date (security patches and updates to anti-virus and firewall software).
  2. It is also a reminder that organisations such as the National Security Agency (NSA) in the USA, who developed the hacking tool upon which this ransom-ware worm was based, cannot keep anything secret, and cannot be trusted to develop or use such technology. It is no use blaming WikiLeaks for publishing data on the hacking tools that the NSA had developed (as far as I know, they did not publish the actual code); the NSA themselves are to blame for being insecure. Maybe the UK government should sue the NSA, on behalf of the NHS, for the damage caused by them letting the exploit code leak into the wild.
  3. One thing to note is that the NSA, and similar organisations around the world, do not seem to be under any legal obligation to notify vendors such as Microsoft about security holes that they find. Nowadays there are many so called white-hat hackers who, when they find a security vulnerability, notify the responsible vendor, and give them a month or more to roll out a repair before publishing their discovery; the NSA doesn't, and the reason is that they want systems around the world to remain vulnerable so that they can hack them themselves. If the NSA were not so leaky, this wouldn't be such a problem, but sadly they are notoriously insecure. Microsoft themselves are warning (here) about the dangers caused by governments storing data on software security vulnerabilities.
  4. Another rather important lesson here is that an obsolete operating system like Windows-XP should never be used for mission-critical purposes. It has, officially, not been supported by Microsoft for years, and is seriously insecure (and not just because it is a Microsoft product). These PCs should have long ago been upgraded or replaced to something more secure and under support. Personally, I would never recommend any version of Windows for any use where security is important (Linux is inherently more secure, cheaper, and faster), but if you really want to use Windows, at least make sure it is current and supported.
  5. There is also an important lesson for the UK government (or maybe for the voting public). This report by the Mirror describes how the government cut the support which they had been providing for all these obsolete Windows-XP computers in the NHS about a year ago; this despite ample warnings of the cyber-security risks: the Government Digital Service, decided not to extend a £5.5million one-year support deal with Microsoft for Windows XP. What they did not do, however, is provide central funds for replacement or upgrade, nor did they put in place a centrally managed and funded replacement/upgrade programme; they simply told the NHS that they should take care of the problem themselves. This was arrogant and financially motivated irresponsibility of the highest degree. If the support from Microsoft was to be continued, the cheapest and most effective way to get it would have been through a contract with the UK government, not by piecemeal contracts with individual NHS bodies; if the PCs were to be upgraded or replaced, again, the cheapest and most effective solution would have been a centralised programme. This situation just highlights how cheaply the UK government values the lives and health of the populace.

As far as I know, no NHS patients died or suffered other major harm due to the cyber-attack; that is pure luck, and next time (because there will certainly be a next time) we may not be so lucky. We have a whole host of services (electricity generation, including control of nuclear power stations, electricity distribution, water distribution, flood prevention, mobile phone, emergency services, Internet services, traffic control, air-traffic control, weather forecasting, weapon system control, etc.), most of which are essential and many of which are safety-critical, which depend on computers. Hacking is relatively easy (you can buy kits to develop hacking tools fairly cheaply) and preventing it or repairing the results is hard, expensive and time-consuming. The world really needs to learn the lessons from this attack, urgently.

Insecure Banking Apps

Posted on 4th March 2016

Show only this post
Show all posts in this thread.

This BBC report, about how easy it is to hack into the bank accounts of customers who do online banking from their mobile phones, highlights the reason why I don't use my mobile phone for banking (I also don't do in-App purchases on my phone, for the same reason).

Not only do many banking and purchasing Apps keep sensitive data on your phone, from where it can be hacked, but phones (actually SIMs) can be cloned, and traffic (calls and SMSes) can be diverted to another mobile device (as described in the BBC news story).

There are some (usually national) standards to try to make such things more secure, many of which ensure that your sensitive data (bank account numbers, credit card numbers, etc.) are not actually kept on your phone, and if a new SIM is registered for your phone account, these details must be re-established. My project is testing this functionality, amongst other things, right now.

What the article highlights, for me, is just how pathetic the security analyses by NatWest and Royal Bank of Scotland were. I am sure their customers expect better.

If you really need to do online banking and purchasing on your phone, then make sure that your financial service provider complies with good standards. If you are not sure, check with an expert. You might have to change financial institutions and/or mobile provider to get a solution that is good enough.

Dutch Government Says No To 'Encryption Backdoors'

Posted on 15th January 2016

Show only this post
Show all posts in this thread.

This BBC story is one of the more recent of many about encryption and encryption back-doors.

The Dutch government says that it will not force technology firms to provide back-door access to encrypted data such as emails and instant messaging. I like their attitude, but it is in direct contradiction to government policy in the USA and UK.

FBI director James Comey said in November "We are not some kind of maniacs who are ideologues against encryption … but we have a problem that encryption is crashing into public safety and we have to figure out, as people who care about both, how to resolve it." It seems clear that the FBI has concluded that, in a contest between privacy and public safety, public safety wins.

Proposals on the table to solve the FBI's dilemma include the outlawing of very strong encryption and back door access for security agencies. Outlawing very strong encryption will ensure that security agencies can crack the encryption, but that also means that criminal organisations, foreign governments, and even terrorists can also crack it. Back door access for security agencies will probably mean that other nations (Russia and China, for example) will be granted such access; plus, given the appalling track record of security agencies (even in the US and UK) in keeping secrets and being hacked, it is only a matter of time until these back-door access channels also leak out to the various other kinds of bad guys.

So no, neither of these proposals work for me.

People sometimes ask me why I am so concerned about my privacy: what is it that I have to hide? Actually, at the moment, I have no great secrets, and put a lot of my life in public view on this site and on social media. That, however, might change: if there is a change in my political environment (e.g. a totalitarian government), then it might be that my privacy becomes a life or death issue for me.

One thing that I can and will do, if legislation erodes my privacy even further, is to choose who has data about me. If Facebook, LinkedIn and Microsoft can’t keep my data secret because of legal constraints, or even for their own purposes, I will do what I can to ensure they have no data about me, including ceasing to be their customer if necessary.

Who Can We Trust With Our Data?

Posted on 3rd November 2015

Show only this post
Show all posts in this thread.

The latest drama in the hacking saga, this time at Vodafone in the UK, really makes me wonder if anyone can be trusted with our confidential data.

The most recent hack in the news was of Vodafone UK, as reported by the BBC here: details of around 2,000 Vodafone customers were accessed. Before that there was TalkTalk (the latest BBC report is here), where hackers accessed around 1.2 million email addresses, names and phone numbers and 21,000 unique bank account details. At the beginning of October, hackers stole personal information on about 15 million T-Mobile US customers and applicants, as described in this BBC news story. Almost two years ago, payment details from up to 40 million credit cards were stolen through a hack of card payment machines in the stores of US retail giant Target (described in this BBC report). Remember, these are just a few examples (a lot of hacks do not get reported, especially when the targets are banks). So clearly, we cannot trust the companies with which we do business to keep data about us safe.

We ought to be able to trust our governments to keep our data safe (especially as they are hoovering up data (both legally and illegally) like it's going out of style, but no, it seems that we can't. This BBC report is just one of a series about a data breach in April this year at the US Office of Personnel Management (OPM): initial reports were that data about 4 million people were stolen; more recent reports are saying it is 21 million (which is 6.5% of the nation's population!). More recently there was a hack, purportedly by Anonymous, of the US Census Bureau in which hackers pulled down information on thousands of users, including email addresses, phone numbers, addresses, usernames and password hashes (i.e. encrypted passwords). The data includes information on Census and other federal employees, as well as members of organizations with user accounts for submitting audits to the site.

It really seems that no-one is able to keep data about us safe.

This inability to ensure data security just adds to the concerns (due to issues of privacy and censorship) that are regularly voiced about data collection in the modern world. One recent example, described in this BBC story, is that the former head of GCHQ (the UK equivalent of the NSA) has said that "Internet firms" (by which I assume he means Internet Service Providers - ISPs) should be forced (by legislation) to keep users' data. Another example is the ongoing story about Facebook and the Safe Harbour Agreement (an international agreement that recognised foreign and private data protection processes as "good enough" to meet European data protection standards), reported here by the BBC; the Safe Harbour Agreement was ruled invalid in early October 2015 by the European Court of Justice, clearing the way for Facebook to be taken to court for sharing personal data internationally. There are two separate issues with both cases: these firms should not, in principle, be collecting such data about anyone without just cause, and most certainly not when it cannot be guaranteed to be kept securely.

Since I work in IT, I do understand that there is no system which is 100% secure, but the ease and speed with which some of the recent hacks have been achieved means that basic efforts are not being made. The degree of protection that is afforded our private data does not meet my basic Terms and Conditions. Either do better, or stop keeping so much data about us.

South Korean Government Enabling Paedophiles?

Posted on 3rd November 2015

Show only this post
Show all posts in this thread.

This (a BBC news story) is a pretty sorry tale. The South Korean government has withdrawn a phone app, "Smart Sheriff", from the market and is recommending exisating users to change to an alternative. Smart Sheriff had been downloaded hundreds of thousands of times inside South Korea.

One of reasons this market is so big in South Korean is that the government there mandated in April this year that all children's mobile phones must be monitored. Smart Sheriff was developed by a group of telecoms companies called the Korean Mobile Internet Business Association (Moiba), and seems to have been the government's recommended app.

It turns out that Smart Sheriff is not actually very Smart. Its security is described as "catastrophic" in two reports, one by the University of Toronto and the second by software auditing firm Cure53. It seems that children's personal details were not stored securely and that the parental filters were easy to disable.

So, in summary, it doesn't do its job properly, and whilst failing to work it leaks confidential data. Paedophiles (Pedophiles to any American readers) must simply love this app. A great job all around!