There’s an election in four months.

Those are the only words you need to remember. Whenever a politician drivels before an invited audience of heart-eyed acolytes or assembly line workers glazing over on company time for half an hour, just remember: there’s an election in four months (or three, or two, or one…).

Yesterday renowned cryptographer David Cameron said there should be no “means of communication” which “we cannot read”. This has been interpreted by technically literate commentators, mostly through the medium of boggle-eyed laughter, as expressing a desire to ban encryption or enforce the addition of backdoors. I’ve seen many, many tweets setting out the stupidity of such a move, and I have no desire or need to rehash them here.

Because the only thing you need to know is: there’s an election in four months.

Cameron is talking about monitoring the internet because there is an election in four months. He wants people to vote for him. He understands — better, sadly, than those tweeting about protocols and key escrow and men-in-the-middle and laptops left in taxis — that none of all that matters. He’s not talking to that audience, the tiny audience that groks the detail and the implications. He’s talking to the other 99%, who saw the attacks in Paris last week and think (thanks to Be Vigilant And Report Darkies posters) that we’re next.

Let’s imagine Cameron is elected in May with a majority. What would he actually do? We have no idea. There’s no manifesto yet, and manifestos can’t be trusted anyway. On past experience — we have almost five years of it now — his words don’t much match his deeds. I expect there’d be a series of meetings, possibly involving token techies invited as a sop to industry, and the End Terrorism Forever Bill 2017 (probably) that would emerge would contain no clauses capable of achieving any such thing.

There’s an election in four months. That’s all Cameron is worried about.

The opposition parties (I include the Lib Dems in that category for election purposes) have the same phrase in their heads. If they want to oppose Cameron on this issue — and I’m not entirely sure the Labour party does, for fear of being labelled soft on terrorism — then there is absolutely no point in talking technology. That’s preaching to the choir.

To oppose this policy they need to do two things: pursue, with great vigour and purpose, the support of younger people (beneficial side-effect: these are least likely to be slack-jawed kippers); and tell them in specific terms which apps and services Cameron thinks they shouldn’t be permitted to use without being snooped on.

Snapchat, WhatsApp, iMessage, FaceTime, Yik Yak, Rooms, Skype, etc, etc — and also Facebook and Twitter and plain old email, of course, but with less emphasis since younger people don’t use those so much. Ignore the likes of HTTPS, Tor, and all that: too confusing for the audience you’re trying to reach.

Keep it simple. Non-technical. Personal.

Avoid greyfaces and clumping hooves of rhetoric: all an utter turn-off for the audience. Don’t make it an official party video at all. You want Cassetteboy, not Saatchi, and if you don’t know who Cassetteboy is, fire yourself.

Here’s an idea off the top of my head: take one (or more) of those ubiquitous thirty-second promo videos from an app vendor’s website — you know the ones, with the indie guitar solos and the Californian hipster voiceovers — and every time a toothy blond communicates with another toothy blond, intercut video of Cameron sitting at a computer screen.

It doesn’t matter that it’s inaccurate or simplistic: so is what he’s claiming to propose.

The one after next

The detention of David Miranda at Heathrow airport under the Terrorism Act is beyond disturbing. As David Allen Green writes, he was detained under schedule 7 of the act, which allows for such detention only to determine whether someone “is or has been concerned in the commission, preparation or instigation of acts of terrorism”.

Officials are not allowed to detain anyone for a fishing expedition. But they are allowed to detain someone even if they have no reasonable suspicion. And since the people they detain usually don’t have an intimate knowledge of the law — and the law doesn’t give those detained the right to legal representation — the net effect is surely that officials detain whoever they want to detain, for whichever reasons.

The Home Office says schedule 7 “forms an essential part of the UK’s security arrangements”. Of course it does: an empire doesn’t give up hard-won powers without a pitched battle and the stink of revolution.

Whitehall also says, almost apologetically, “the powers should not be used arbitrarily”. In 2012-13, schedule 7 was used on 61,145 people, 12% down on 2011-12. Good news! But of those 70,000-odd detentions in 2011-12, there were just 24 terrorism-related arrests: 0.03% of people stopped (source).

That is overreach. That is arbitrary use of powers.

And of course, officials can steal the computers, phones, etc, of these detainees whether they go on to arrest them or not.

The reality of life at the UK Border: you have no rights to person or property.

If David Miranda had posed a terrorist threat you can be sure the details would have been leaked gleefully to the papers by now, probably to the spook-friendly Daily Mail, and ministers would be queuing up to appear on TV condemning him before trial and pronouncing Glenn Greenwald guilty by association. Since there has been no leak and our servants in government are apparently unavailable for comment, I therefore conclude from my self-elected position as armchair judge, jury and executioner, that Miranda did not pose such a threat.

His detention wasn’t arbitrary: it was capricious and most likely unlawful. He wasn’t detained in case he was a terrorist, but for “travelling while in the process of committing journalism that might embarrass the state”, or perhaps “travelling while being the partner of an irritating journalist”.

Naturally Scotland Yard says Miranda’s detention was “legally sound”. This is the Scotland Yard with such a strong record in matters of law: the one that claimed the unarmed, entirely innocent bystander Jean-Charles De Menezes was a terrorist; the one that took four years to admit one of its officers used “excessive and unlawful force” and killed Ian Tomlinson; the one deeply enmired in the phone hacking scandal. We’re close to being able to state confidently that whatever Scotland Yard says, the opposite is the truth.

I’ve said this many times, and it’s truer than ever. The test of any proposed new law should not be how it is intended to be used today, nor how the next government or the next set of police commissioners might decide to interpret it. It’s about the government and the police that come after them. The ones we cannot know, living in a world we cannot know, with pressures and technologies and enemies and realities we cannot know.

Arbitrary and capricious detention at the border. Spooks tapping internet traffic without proper oversight. A push to impose censorship on internet connections on spurious grounds. Destruction of hard drives by security services at newspaper offices.

Who will be prime minister on August 20, 2023? Cameron? Miliband? The other Miliband? Johnson? Farage? Griffin?

Tumbling through NS&I hoops

In the olden times when weeks were three days long and daytime TV was a still photo of a young girl losing noughts and crosses to a toy clown, my family bought me a bunch of premium bonds. If you don’t know, premium bonds are a kind of 1950s national lottery: you give an agency of the government some money, they give you some numbers, and those numbers take part in a monthly draw forever. You might win a prize each and every month; you might win nothing, ever. It’s all in the hands of the gods, in this case the god called ERNIE, the random number generator for premium bonds (in the 1950s all computers had to be given names so people wouldn’t grab pitchforks and torches and raze the building).

Fast forward a few decades and a couple of addresses and naturally NS&I, the priests who tend the dead pixels of ERNIE’s 2013 descendant, no longer know where I live. Having found my premium bond holder’s number and discovered I won £50 nine years ago that’s still waiting for me to claim, I thought I’d sign up to their online service at nsandi.com and ask for my winnings.

“Complete the online and phone registration form”, said the website. By which they mean, it turned out: give us all the pertinent details and we’ll generate a PDF for you that includes those details, which you must then print, sign, have witnessed, and then post.

Not the mightiest of faffs, and I suppose fair enough — though it’s hardly the most fraud-proof authenticator. Dutifully, and via PC World to address the inevitable empty printer cartridge, I did as I was told and posted the form.

A few days ago I received two letters, in identical envelopes, with identical plastic windows showing identical address formatting. Neither said NS&I on the outside, but they both evidently had the same sender.

One letter gave me my NS&I number: an eleven-digit identifier. My username.

The other letter contained, beneath a fancy-dancy pull-off plastic strip, an eight-character alphanumeric temporary password for my NS&I account.

So they sent separate letters for username and password for security, but in the same post so they’d likely arrive at the same time. Not particularly secure. Surely better, if they want to keep these things separate, to send them by different means: number by text message, password by post, or something. Anyway.

The password letter said I’d need to choose a new password for the site on first login. Helpfully, it gave the constraints:

The password you choose must have between 6 and 8 characters. You need to include at least one number, at least one special character, as well as a mixture of upper and lower case letters.

I understand the purpose of the character type constraints. Although enforcing a number and a special character reduces the total entropy of a password (an attacker knows that one of the characters has only ten possibilities — the digits 0-9) it increases the strength of the average password. It forces people who’d normally use “password” to use, say, “pAs5w.rd”. But I’d bet a large proportion of people stick the number and punctuation on the end, with an upper case letter at the start: “Foobar9!”. How much more secure is that than “foobar”? Not much. Users subvert constraints, because security trades off against usability.

To illustrate how likely this particular pattern is, the password letter includes this text just after the constraints:

An example is Uhsd895* (do not use this example for your own password).

In any case, a maximum length of eight characters for a password is, these days, laughable.
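To put numbers on the point about constraints, here is an added example (not part of the original post) that counts the passwords allowed by the rules in the letter and compares that with the unconstrained space and with the capital-first, digit-and-punctuation-last habit. It assumes "special character" means the 32 ASCII punctuation marks and that "a mixture" means at least one upper-case and one lower-case letter; the letter specifies neither.

```python
from itertools import combinations
from math import log2

# Character classes the letter requires. The size of the "special" set is an
# assumption (32 ASCII punctuation marks); the page does not list them.
NSANDI = {"upper": 26, "lower": 26, "digit": 10, "special": 32}
LENGTHS = range(6, 9)  # "between 6 and 8 characters"

def unconstrained(classes, lengths):
    """Every string over the full alphabet, no composition rule."""
    alphabet = sum(classes.values())
    return sum(alphabet ** n for n in lengths)

def policy_compliant(classes, lengths):
    """Strings with at least one character from every class, counted by
    inclusion-exclusion over the classes that are missing."""
    sizes = list(classes.values())
    alphabet = sum(sizes)
    count = 0
    for n in lengths:
        for k in range(len(sizes) + 1):
            for missing in combinations(sizes, k):
                count += (-1) ** k * (alphabet - sum(missing)) ** n
    return count

def habit_pattern(classes, lengths):
    """The 'Foobar9!' habit: one capital, lower-case body, digit, special."""
    return sum(classes["upper"] * classes["lower"] ** (n - 3)
               * classes["digit"] * classes["special"] for n in lengths)

def report(classes=NSANDI, lengths=LENGTHS):
    """Size and approximate bits of each search space."""
    spaces = {
        "unconstrained": unconstrained(classes, lengths),
        "policy-compliant": policy_compliant(classes, lengths),
        "habit pattern": habit_pattern(classes, lengths),
    }
    return {name: (size, round(log2(size), 1)) for name, size in spaces.items()}

if __name__ == "__main__":
    for name, (size, bits) in report().items():
        print(f"{name:17} {size:>22,}  ~{bits} bits")
```
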

After ranting about this on Twitter, I left it a day or two. Yesterday I thought I’d try logging in.

Stand by your beds, I’m switching to present tense. It’s more dramatic.

On the first screen, the site asks for my surname and my NS&I number. OK.

On the second screen it wants two characters from my password (hopefully these are randomly chosen). Hmm. Presumably this is intended to defeat keyloggers (in fact it’s not usually much help), but unfortunately it also defeats password managers that like to fill in password boxes for you. And it might also mean NS&I is storing passwords in its database in plaintext.

Next screen: choose a new password. Here it doesn’t tell me what the password constraints are. I presume they’re the same as in the letter. I generate a random password in my password manager, limiting it to eight characters, and this is accepted.

Next screen: security questions. Five of them. All mandatory. Each with a separate picklist of choices. At least one of the available questions seems US-biased (wanting my “first-grade teacher”). Others are ambiguous (“favourite sports team”) or easily discoverable (“university”) or can be socially engineered.

Right, done that, is that everything? No.

Below that, three boxes for security phone numbers. Thankfully only one is mandatory.

Am I done now? Not yet.

Next screen: I must select one from about eight or ten thumbnail images. My selection will be displayed on the login page as “reassurance” that I’m on the site I think I am.

Am I done now? Nope.

Below that: I must enter a “login phrase” as yet further “reassurance” when I log in. I enter something short and pithy.

And then, finally, I’m done. I have hauled my weary body through the maze of twisty passages all of limited utility, and have made it to NS&I’s secure website where I can claim my £50.

I click “Prize History” on the sidebar of the early-noughties design. I select my premium bond holder number from the list of two items (“please select” and my number). To select a date range there are two date pickers dug up from about the late eighteenth century which open actual new browser windows with ugly calendars. I decide to look between January 2000 and now, because, well, why not. (I don’t bother to read the text below, which nobody ever reads, and which says “We can only show prizes won since the online service for Premium Bonds was introduced. Click Info to find out more.”)

I click Next. There, in the world’s tiniest writing, several miles from the most appropriate place: “Please enter a start date bigger or equal to 01-01-2011”. (The Info popup says much the same thing, but in English.)


Hang on. I won my prize in 2004. Are you telling me the unclaimed-prize checker you don’t need an NS&I account to use has more data, going back further in time, than the hoop-tumbling monstrosity that is the secure, authenticated account-holder site?

It’s at this point I realise I’ll be writing this blog post.

OK, I’ll play their game. I change the start date to 01-01-2011 and click Next. It whispers another error message: “ZTS90009 : Please enter a start date bigger or equal to 08-07-2011”. No reason given.


This sort of half-baked rubbish no longer surprises me, so I change the picker to exactly that date. Here’s what it squeaks now, in that same tiny font, just as if it were an error: “ZTS90007 : There are no prizes to display.”


Thanks for that.

How do I claim my £50? After much clicking around I find nothing on the authenticated site that lets me do that.

I log out, huff and puff, and hunt down the website’s feedback form. I keep my comments and my question short: essentially, “I’ve got an NS&I account. How do I claim an unclaimed premium bond prize?”

An hour or so later, I receive a reply by email:

To claim your outstanding prize please can you write to us quoting :

1. Your name and address

2. Your holder’s number

3. The prize details as stated on the website

To make sure that we provide the highest levels of security, we require the signature of the holder to enable us to issue any replacement warrants.

You know, something tells me they haven’t upgraded ERNIE since about 1964, and it’s still running their IT. And I suspect I might shortly be booking a very pleasant railway journey to NS&I Glasgow, armed with a pitchfork and a flaming torch.


