Will the NHS ever be privacy conscious?

June 17th, 2008 tristan Posted in NHS, healthcare, privacy, security

Shocking news from Ross Anderson here:

auditors called 45 GP surgeries asking for personal information about 51 patients. In only one case were they asked to verify their identity

He also recounts that in 1996, whilst advising the BMA, 30 false-pretext phone calls were detected within one week at one health authority. Reporting this to the Department of Health resulted in them being told not to work with the health authority anymore.

This is going to cost lives soon. It already is indirectly.

Of course, what do you expect from a state-run service?

Government interception of emails?

June 26th, 2007 tristan Posted in government, security

Spy Blog has drawn some worrying conclusions from recent attempts to discredit Ross Anderson, a security expert from Cambridge University.

The allegation is that the information being used to try to discredit Professor Anderson could only be gained from illegally accessing private emails.

Ross is an excellent security analyst; he’s unfailingly spoken out against security flaws he’s discovered, even under threat of legal action from vested interests.
He’s very much concerned with the societal effects of technology and privacy and is Chair of the Foundation for Information Policy Research, a position which has seen him come into conflict with government over technology and privacy.

It’s disgusting that the government should seek to undermine academics in such a way because they happen to disagree. I suppose it’s just the flip side of government funding of academia though, especially employing suitable ‘right thinking’ academics to bolster their position.

Liberals and privacy

March 26th, 2007 tristan Posted in ID cards, RFID, civil liberties, computing, freedom, government, liberalism, security, technology, terrorism, the state

The BBC is reporting the release of a new privacy report by the Royal Academy of Engineering.

The line Tony Blair and other technocrats should take on board is:

No technology is 100% perfect, and no engineer will tell you that any technology is 100% perfect

Another interesting idea is that the biometric data in new passports could be used to trigger targeted attacks. Since these passports use RFID for contactless reading, they are vulnerable to being read at a distance, as has been demonstrated many times now.
This could be used to detonate a bomb when particular people are near it, or when people from a particular country are nearby.
The more data held on passports or ID cards, the easier this sort of targeting becomes. It also makes tracking of people far easier, whether by government services, by criminals or even by private detectives (although such methods may be illegal, that will not stop people).

Privacy and identity have taken on a new importance recently. It used to be understood that the state and others would not pry into your private life, but today the state is seeking more control over our identities (and therefore our lives) and to reduce our privacy. We leave much more information about ourselves and our actions behind. Although it is currently difficult to link all this together, new technology is being deployed to make the task of linking up our data and discovering habits and movements much, much easier.

This may be of benefit to the state and its organs, but the benefit to individuals is at best hazy, at worst there is a large negative impact.

Liberalism needs to start taking these threats seriously and developing a response to such power grabs by the state. We need to articulate a vision of individual rights and responsibilities, regulated by the state only to prevent harm to others, to combat the vision of the ‘beneficial state’ which attempts to solve all our problems through technocratic measures and decreased individual freedom.

The Great Firewall of China

March 8th, 2007 tristan Posted in censorship, china, internet, security

I’ve just come across an interesting idea about the ‘Great Firewall of China’. Freeborn John discovered he was blocked, so he placed some pseudo-communist blurb which an intelligent reader would realise was rubbish but a computer might not. Lo and behold, he was removed from the blocked list.

You can find out if you’re blocked here. I appear to be blocked…

WordPress security vulnerability

March 3rd, 2007 tristan Posted in security, wordpress

For those running WordPress:
One of their servers was compromised and malicious code was inserted into downloads of version 2.1.1.
A new version, 2.1.2, has been released and all users on 2.1.1 are recommended to upgrade.

2.0.x users are not affected.

More details here.

More Chip & Pin attacks

February 6th, 2007 tristan Posted in computing, light blue touchpaper, security

Light Blue Touchpaper has details of another attack on the supposedly secure Chip & Pin system.

This one is a relay attack which uses a dummy terminal to collect your card details and PIN and then relay them to someone in another shop, who uses these details to pretend their modified card is your card.

The transaction looks normal to the bank and you think your payment has gone through okay. The shop at the other end thinks everything is okay too. It’s only later, when you check your bank balance, that you notice that something is wrong.

Tonight’s Watchdog will feature this attack, and more details are available from here.

Sex offenders registering emails and usernames

February 6th, 2007 tristan Posted in computing, law enforcement, legislation, security

Reid has suggested that sex offenders could be made to surrender their email address and usernames for chat rooms so they can be monitored to identify grooming.

This strikes me as futile at least, or harmful in the worst case. This is simply because emails and usernames are so easy to get. An offender could give their usual details but create new ones for grooming. Initially that makes the measures appear futile, however, given the fact that some data now exists, resources are likely to be concentrated on that information making it even less likely that those using undisclosed information will be caught.

The police will always be a step behind, but it would help if the lawmakers actually understood what they were talking about…

Externalities in computer security

January 19th, 2007 tristan Posted in bruce schneier, computing, economics, security

Bruce Schneier has written an excellent essay on the problem of insecure software.

The problem is that it is actually in a company’s best interest to write insecure software, because it is easier and therefore cheaper and they do not suffer the costs of security failure. In fact, the market rewards insecure software, as people like timely releases and lots of features, both of which decrease the time spent on making software secure.

The only way to counter this is to make it profitable for all companies to produce secure software. This could be done simply by passing on some of the costs of security failure to the software vendor by making them liable.

This also applies to other areas of security, notably bank and identity fraud. It’s not in the bank’s interest to protect you much from such actions, as the costs fall upon you. The banks are even making more of the liability fall upon the customer through initiatives like Chip ‘n’ Pin (if you have a fraudulent Chip ‘n’ Pin transaction it is taken to be your fault, because the PIN is meant to be a secret and you cannot easily prove it wasn’t you as you can with a signature).

Chip & Pin hacking

January 8th, 2007 tristan Posted in banking, light blue touchpaper, security

Richard Allan (whose blog, coincidentally, was one of the reasons I first thought about joining the LibDems) posts about Cambridge University’s Computer Lab Security Group and their blog Light Blue Touchpaper.

This is an excellent blog, not least because by nature security researchers tend to be liberals of varying degrees (probably due to a healthy disrespect for authority and coming across how much people mess things up).

Recently they showed how some people managed to play Tetris on a Chip ‘n’ Pin terminal.

Unusually, this has actually been recognised as a problem by the banking industry, something which they are loath to do, especially with their beloved Chip ‘n’ Pin. The threat is real though. Despite the fact that the terminals are tamper resistant, this could be used to harvest PINs. This is because the tamper resistance means that they stop working if you tamper with them, but if you can simply replace the functions with something which mimics a functioning terminal, except for actually processing it (you could convince the till that it’s worked if necessary), then you can harvest PINs with impunity.

Even if the cases were tamper evident, who knows what to look for? I don’t. I expect most customers or staff do.

Of course, what happens when we get clones of the machines which just drop in place? I sense a whole world of problems…
