Sunday, 28 October 2012

Alarm – adult human being found still working at the Cabinet Office

Thank goodness for Andy Smith. Whoever he is. And even if he isn't.
audio
video (slide to 1:31:30)

Hat tip: Philip Virgo

25 October 2012, and Whitehall held one of its endless conferences/talking shops where people who work for acronyms get together and speak in acronyms. The 9:20 welcome and introduction, for example, were given by John Robertson MP, Chair, apComms and Chi Onwurah MP and Stephen Mosley MP, Co-Chairs, PICTFOR.

All was set fair for a normal day of incomprehensible talk to be minuted and then forgotten when, according to the BBC, Andy Smith, PSTSA Security Manager, Cabinet Office, was asked a question about using social networks:
A senior government official has sparked anger by advising internet users to give fake details to websites to protect their security.

Andy Smith, an internet security chief at the Cabinet Office, said people should only give accurate details to trusted sites such as government ones.

He said names and addresses posted on social networking sites "can be used against you" by criminals.
Andy Smith is quite properly very hard to track down. He's got something to do with security at the PSTSA. The PSTSA has got something to do with the Public Services Network. The security of the PSN is assured in part by the use of PKI, the public key infrastructure, and that, in turn, depends on digital certificates.

In their chart-topping release of 31 July 2012, PSN Certificate Policy IPsec IL3, PSN say:
5.4.8.2 Each CA and RA must ensure that its PKI services are accredited by the PSTSA Accreditation Board (PSAB) to impact levels 4-4-4 and included within an RMADS prior to live operation.
DMossEsq can help a bit here. A CA is a certification authority and an RA is a registration authority but, after that, you're on your own. You could try the glossary at the back of the report where you'll find that RMADS is the Risk Management and Accreditation Document Set but, rather charmingly, under PSTSA it just says "Public Services ???".

So there's Andy Smith, a man who speaks fluent acronym, who works for an acronym so secret that even PSN don't know what it stands for (DKWISF), a man who has something to do with the deepest levels of the security of PSN and when he's asked about social networks, his informed security advice is don't tell them any more of the truth than you have to for your purposes.

Meanwhile, back at the robot Government Digital Service (GDS), the senior boys in charge were getting ready on Monday 22 October 2012 to announce that we should all communicate with the government using our trusty Facebook and Google+ user IDs. But they bottled out of it. It's too ridiculous. Even a child couldn't take the suggestion seriously.

Thank goodness for Andy Smith. Whoever he is. And even if he isn't.

----------

Cribsheet
4 October 2012, IndependentNational 'virtual ID card' scheme set for launch (Is there anything that could possibly go wrong?): "The Government will announce details this month of a controversial national identity scheme which will allow people to use their mobile phones and social media profiles as official identification documents for accessing public services ... The public will be able to use their log-ins from a set list of “trusted” private organisations to access Government services, which are being grouped together on a single website called Gov.uk ... The system will be trialled when the Department of Work & Pensions starts the early roll out of the Universal Credit scheme, a radical overhaul of the benefits system, in April ... Details of the 'identity assurance' scheme are being finalised amid growing concerns over identity theft and other forms of cybercrime ... Members of the Cabinet Office team travelled to the White House in May to exchange ideas with American counterparts working on the National Strategy for Trusted Identities in Cyberspace (NSTIC) ...".

4 October 2012, Government Digital Service, Less About Identity, More About Trust: "If you’d like to know more the Q&A in The Independent gives a pretty good overview (the only thing we’d really quibble with is the headline)".

25 October 2012, Philip Virgo, Government official gives practical security advice - shock horror: "This morning I ... received yet another e-mail covering the latest nonsenses in the ongoing saga of expensive displacement activity that passes for Government (US, EU, HMG etc.) electronic ID policy ...".

25 October 2012, BBC, Give social networks fake details, advises Whitehall web security official: "Mr Smith, who is in charge of security for what he described as the 'largest public services network in Europe', which will eventually be accessed by millions of people in the UK, said giving fake details to social networking sites was 'a very sensible thing to do ... Don't put all your information on websites you don't trust ... When you put information on the internet do not use your real name, your real date of birth', he told a Parliament and the Internet Conference in Portcullis House, Westminster ... 'When you are putting information on social networking sites don't put real combinations of information, because it can be used against you' ...".

26 October 2012, Wendy Goodman, I thought her head was going to explode: "For the record, I think it's clear that Smith gave good security advice ...".

26 October 2012, dropsafe, Andy Smith of the #CabinetOffice is a Epic Fucking #Security Hero: "I have said much the same – worse/moreso, even, by suggesting that folk randomise their personal information so that your mother’s maiden name was F3JlfIrOH8 and your favourite colour is uAfhaR." – kindly includes the links to audio and video of the conference above.

26 October 2012, Daily MailUse fake names on Facebook and Twitter, says the head of government internet security: "... It comes at a time when the government is considering allowing people to use their existing log-ins for social networking sites to access a new government website to apply for benefits, passports and driving licences ...".

26 October 2012, GuardianBeing wary of handing over personal details to websites isn't 'outrageous': "I'm not sure making up data is necessarily the best advice Smith could have given, but you can see where he was coming from: if you are suspicious about why a site is asking for your details, don't give them ... you should be a bit discerning about who you share your details with and how much you give out ... Earlier this year, a report into US identity fraud found it was on the rise, in part because of the incredible amount of personal information being shared on public social media profiles ...".

26 October 2012, Dave Birch, The battle of the internet security experts: "Andy is spot on ...".

From the archives
30 October 2008, Daily Mail, Brown's ID card claims 'absolute bunkum' says Government electronic security expert from GCHQ: "Gordon Brown's claims for the £4.5billion ID cards project have been disputed by one of the Government's own electronic security experts ... The Prime Minister and Home Secretary Jacqui Smith have repeatedly said that ID cards will help thwart terror attacks ... Mr Brown said a national ID card scheme could 'disrupt terrorists' while Miss Smith has claimed ID cards will be a 'robust defence' against terrorists using false identities ... But Harvey Mattinson, a senior consultant at the IT security arm of GCHQ, the Government's listening station, said the claims were 'absolute bunkum' ...".

Harvey Mattinson then. Andy Smith now. Should they decide to accept it, there is another mission for the security services, to save us from GDS and their friends by unwinding the contracts HMRC and GDS have signed with Skyscape Cloud Services Ltd:
CESG have rescued the nation before from other-worldly decisions taken by Whitehall. The Home Office wanted to use DWP’s National Insurance number database as the National Identity Register for the ID cards scheme. CESG pointed out that it was inappropriate and that was the end of that.

Let’s hope that they repeat the trick in their review of Skyscape. I look forward to a small piece appearing in the technical press somewhere out of the way regretting that for security reasons which cannot be given the HMRC [and GDS] contract[s] with Skyscape [have] had to be revoked.

No comments:

Post a comment