Wednesday, 23 January 2008

Vote for me

Another teenager was attacked yesterday in the UK, a 'frenzied knife attack' at least did not kill the teenager who was left with 30 stab wounds on her way home from school. We've had shootings this year in London and Liverpool, our capital and 'city of culture' (if you've ever been to Liverpool you'll know why this is in quotes). I moved to Spain last year because I was at the end of my tether with a) the UK government and b) the appalling mess the country is in in general [and c) the weather].

It didn't take long for me to realise that actually what I hated was the fact that:

a) the government has no control over what happens any more, they are wet and stepped on, having to contend with junior ministers leaving their laptops on the back seat of their cars in the middle of Birmingham,
b) people think it is acceptable to intrude on one another's lives without invitation, sex, drugs and violence are glamourised to the point of worship, and there is no control of the media it creates such wealth for the country and... er, the government which it controls,
c) the weather has always been shit here, it's just my mood that is black.

So it's down to me against the popular press I think. Well, if there's any room for a sardonic, self-righteous and pseudo-moralistic blogger to take the place of badly written, brightly coloured, in your f-ing face, judgmental rabble rousing, then I'm obviously your man. I expect to see the Daily Mail readership go down in direct proportion to my blog readership going up.

You may think this has nothing to do with security, and indeed it is a little 'off-topic' but it's actually quite desperate over here. The only comfort I have is that as the stock markets crash through the floor, confidence in the government will be at an all time low, and next time round we might get a different newspaper, erm, I mean party, in charge. Trouble is, they're all hopeless.

So if the country is being run by the media, and I am now a (tiny) part of the media, surely I must be in with a shot. If I can just start influencing people to envy each other, starve to death for beauty, eat for comfort, shoot and kill for kicks and steal for survival, I'll at least be in line with current policy.

I'll let you know how I get on. It can only improve. I seem to remember one Anthony Blair releasing his 'New Labour' party with the D:Ream song "Things can only get better" though. Maybe just hoping doesn't work.

Saturday, 19 January 2008

UK government going for data-loss record

It seems like only last week that I was lamenting the state of our government's security, and having a laugh at their expense. It seems that way because it was. Well, it's happened again.

Big headlines again this morning telling of how the Ministry of Defence has now lost information on '600,000 would-be recruits'. I'm not laughing any more. Yes, I still think the media are blowing it up a bit, and yes, I think the very same media will drop data-security like a lead weight as soon as the public are bored of it, but for now I am in my element and I'm in uneasy alliance with them.

[In fact if you're reading this, I guess I've become the media. The only difference is there is no picture of Paris Hilton's breasts further down the column although that gives me yet another great plan for improving site statistics.]

We've now had 8, yes 8, publicly disclosed data breaches at various levels of government in less than 3 months. This MUST have been going on before this, and I can't see any evidence of steps being taken to stop it. Surely I would have received a phone call by now if they were..?

I don't know if it's just a coincidence, but business for me in the private sector has gone supernova in the last 3 months too. Maybe whatever the government is experiencing is being replicated across the country, and big business is keeping schtum where the public sector can't. Although it is more likely that PCI DSS is now becoming a reality for e-commerce practitioners, it goes to show that us security guys aren't just sitting here saying stuff for the sake of it. It really does happen. Those who are being pro-active may not see the benefits of this, but those who aren't sure as hell will see the downsides.

Maybe not today, maybe not tomorrow, but soon...

Monday, 14 January 2008

Data loss pandemic sweeps UK

There have been a few very high profile cases of data loss in the UK in the last couple of months. Most notable amongst these was the Inland Revenue losing millions of customer details on 2 CDs, which they blamed on 'a junior member of staff'. Isn't it always?

Anyone watching our government from overseas might be forgiven therefore for assuming that the British Isles is full of Benny Hill characters walking into lampposts, hitting each other with bits of wood and generally pratfalling all over the shop. So, it would be hilarious then if, say, the chairman of one of the biggest banks (if not the biggest) in the UK had his ID stolen because his bank account was breached? That would never happen of course...

Barclays chairman loses £10,000 in ID fraud scam

Oh dear. Well, at least the insurance will cover it, right? Except I've got a feeling premiums might be going up:

Customer bank records found on motorway

Hang on, 'found' I understand, 'customer records' I am familiar with, but I've never seen them used in the same sentence as 'motorway' before. What?!?

In all seriousness however, this kind of thing has probably been happening for years, but it's just fashionable in the press right now. Keeps me busy.

What is especially notable in these cases is that they are different data security issues, but to prevent them would take very similar measures. The first, as is often the case, is down to policy and educating staff, the second could have been fixed with just a little bit of thought, but also policy and education.

I normally hate the media because they make everything so depressing (war and famine sell newspapers after all), vacuous (Paris Hilton), immoral (sex also sells) and pointless (what IS reality TV?). We need to make sure everyone is thinking data-centrically however, and for once, I'm actually in favour of them splashing these horror stories across the front pages.

Thursday, 3 January 2008

New Year's ideas

Everyone knows that Jesus was not really born on December 25th. Back then they didn't even have calendars, certainly not Gregorian calendars, probably Julian ones, but I'm not sure the Jews were that friendly with the Romans at the time, so possibly they stuck to their own method of time keeping?

So why do we have Christmas when we do? Is it arbitrarily picked from the plethora of available dates to fall a week before the New Year, just so we get an extra long holiday? It must come from some sort of church decree, but for me it's more of a recovery time. I've spoken to a few people today, and even had a few mails of greeting from the wider community. Most notably, shrdlu got in touch to concur with my sentiment of hibernation.

I suggested we compare notes, swap ideas for things to do, try and get some enthusiasm up and running. Turns out we have loads in common, nothing exciting to do, too much work to spend as much time as we'd like with our partners, no hobbies as such, unless you count blogging, etc...

So, I'm opening the floor to anyone still reading, post me some of your hobbies and ideas for the New Year. If I like any of them I will make them my New Year's resolution, and will send the rest to shrdlu.

UK government bans 'hacker tools'

Back on topic for the evening... I like to keep a keen eye on security matters in my region and have many elves scouring the news mines for data security tidbits at all times. One such elf just forwarded an interesting story to me. I say elf, but that's just to cover up the fact that it was sent over by Walt Conway, who lives in San Francisco. Really, I'm still hibernating.

Back to the story then. Apparently the UK government are going to ban possession of 'hacker tools'. Hmm... Alarm bells.

Issue 1: Who decides what is a hacker tool and what is a legitimate security testing tool?
Issue 2: How do you ban them?
Issue 3: When all the law-abiding sysadmins and support guys give up their vulnerability assessment tools, who will then find the vulnerabilities?

It's another case of legislating against the wrong thing. The bad guys are already bad. Making another law to say they are bad isn't going to make them give up the badness and suddenly want to be good.

I think this is a panicked governmental department trying to look as though they are taking action. There is also more front page news today of large data losses in the UK government. The story is now so common in the papers that people are going from being outraged to taking it for granted.

It seems like a reaction to a problem rather than a solution, which is largely politically motivated rather than thought through. For all the debating that goes on in Parliament, it seems that no actual education or information is sought before jumping to conclusions which seem to make the government look good.

I'm not going to get into my views on politicians and the media as I've decided to make 2008 a happy year, but needless to say, I'm not that impressed.

New Year Ramble

I feel like I've been hibernating for the last couple of weeks, I shut everything down, including most of my brain and muscles, just keeping the essential eating parts going for the holidays. It's a shock to wake up from my slumber to find that it's absolutely bloody freezing outside.

Maybe that's why nothing's happening. I was frantic before Christmas, everyone had to have everything done now, or sooner, and now nothing. Not even a blip on the radar. Europe is officially still on holiday.

So I was pleased to see that Microsoft have released another version of IE. I'm writing this using Firefox incidentally. I find it simple, well laid out, and nothing moves from one day to the next. IE is like a teenager, trying out what looks best, making things smaller and more iconic, hiding 'unnecessary' things away. Until, basically, if you've grown up using computers, you can't find a thing. Not where you last left it anyway.

I'm sure there are people somewhere who like the forward thinking of application designers, but I for one wish they would leave IE alone. And the operating systems whilst we're at it. I really struggled when I first had to use Windows 2000, then XP took me by surprise. I don't DARE look at Vista in case it proves me to be an old fuddy-duddy.

Still, some things never change, I can't wait until Tuesday for the first enormous patch roll-out of the year.