Friday, 25 October 2013
Kofi Annan, the NSA and GCHQ – maybe this time
"NSA monitored calls of 35 world leaders after US official handed over contacts", it said in the Guardian yesterday and in every other newspaper.
That comes as news to most of us.
But then we remember: "News that Kofi Annan and other senior UN figures may have been routinely bugged by US or British security services has caused a huge political row around the world. But it will also have caused alarm among other people in the public eye who deal with sensitive information - or anyone, indeed, who values their privacy" – that's from the BBC News website, 2 March 2004, 9½ years ago.
It didn't cause "a huge political row around the world" then.
Maybe this time. Maybe the penny is beginning to drop.
Individuals complaining about invasions of their privacy have little traction.
With companies, it's different. Once they realise that it is questionable whether any of their dealings can be conducted in confidence they will take action. And unlike individuals, they have money and lobbying power and politicians listen to them.
Next week's news
Just to remind you, some time over the next 168 hours, as promised, we shall see the first ever fruits of the Government Digital Service's identity assurance programme. We shall all be able to amend our tax codes through an on-line connection to HMRC.
Extraordinary, but they won't have the field to themselves.
Remember midata, the latter-day South Sea Bubble being blown by the Department for Business Innovation and Skills? They've been "fanning the flames of innovation" round at the midata Innovation Lab and some time over the next 168 hours we are promised a glimpse of the fruits of their labours, too.
At last, new apps to empower us and improve our lifestyles and make the economy grow.
There's not a single mooncalf left in the world who believes that these apps will be free, is there?
Suppose, just for the sake of argument, that the DMossEsq blog is right and that there is no such thing as a secure website.
Then it would be a mistake for any supplier to try to sell you a service on that basis – the secure website sales pitch undermines trust in any supplier using it. At least two of GDS's "identity providers" do just that. Mydex and Verizon both promise you security. That's a mistake. There are no unicorns for them to deliver.
Better, surely, to say that every effort will be made to keep your personal data secure, but security can't be guaranteed.
We have a sad new example of the problem. Experian Sold Consumer Data to ID Theft Service. It should be made clear that Experian didn't mean to sell consumer data to ID thieves and that they're co-operating fully with the police investigations. But it happened.
Experian, like Mydex and Verizon, is one of the UK "identity providers" on whom GDS's identity assurance programme depends.
The best you can hope for is that security breaches will be kept to an affordable minimum. How do you achieve that? Answer, you make the supplier of the on-line service responsible for losses.
How have the UK retail banks managed so well to maintain public trust in on-line banking? By paying – when you are defrauded, the banks have to compensate you.
That works (para.6).
Tuesday, 22 October 2013
Cloud computing and the sizzling Stephen Fry
Mr Fry has made only one appearance on this blog so far. That was in connection with the UK government's vile bid to introduce press regulation.
Many more posts have covered the inept marketing device of comparing cloud computing with the utilities:
- 27 September 2012: Government Digital Service, G-Cloud, log-rolling, size matters
- 28 September 2012: Whitehall, an apology – they haven't gone mad, they're just lying
- 1 October 2012: Cloud computing and the Gadarene lemmings of Whitehall
- 16 October 2012: GDS – the user experience of misfeasance in public office
- 17 October 2012: Skyscape? Yes? No? Akamai? Maybe? Where is GOV.UK?
- 19 October 2012: Cloud computing turns IT into a utility, and that's a good thing?
- 24 October 2012: HMRC and Skyscape 2
- 8 November 2012: UC soon to be/already is Steve Doverless
- 13 November 2012: Cloud computing, and GDS's fantasy strategy
- 19 December 2012: Cloud computing supplier raises doubts about cloud computing suppliers – "suicidal mission with no exit"
- 1 April 2013: Cloud computing – away with the fairies
- 22 May 2013: Is CloudStore entirely legal?
- 11 September 2013: Public services under a cloud
- 26 September 2013: G-Cloud and lavatory paper
to name but a few.
Utility prices keep going up. Large numbers of people already find themselves in fuel poverty. Now we are promised that it will soon cost £1,500 a year to supply our homes with gas and electricity. What kind of a model is that for cloud computing? Not an attractive one – IT poverty, anyone?
The analogy is inept. When you buy gas, say, you pay money and the gas company supplies gas. Done. With cloud computing, you pay money and you hand over all your data and the cloud computing company supplies some service. You are paying to lose control of your data.
It's a simple point. And irrefutable.
But Databarracks, the cloud computing company, cannot be numbered among the millions of readers of DMossEsq. Because, you won't believe it, they've just scored an unenviable double. Stephen Fry and the cloud computing-utility analogy all in one.
A treble, really, when you see that they employ the tiredest trick in the marketing armoury, a six-minute history of the world suggesting that the progress of civilisation has been leading ineluctably to this point, where you have to have whatever goods or services the marketing company's client is trying to flog:
Hyperinflation hits the unicorn market
We live on a diet of data hacking stories fed to us by the media. Have done for years.
There's no defence. Not for us mooncalves. Not even for US defence contractors, who should know all about cybersecurity but who nevertheless managed to lose, among other things, the designs for the F-22 and F-35 fighter jets.
"Every day, all around the world, thousands of IT systems are compromised", says Iain Lobban, the Director of GCHQ. He should know.
The upshot is clear – there is no such thing as a secure website. Secure websites are like unicorns. They don't exist.
When the Department for Business Innovation and Skills, for example, talk about work on their midata initiative and tell us that "this work is still in development by the midata programme participants, but broadly the proposal is that to gain access to their Personal Data Inventory, the customer would have to log-in to a secure website where ..." they might as well advise us to log in to a unicorn.
The suppliers whose business depends on selling us secure websites know this. How are they going to convince us to carry on paying for unicorns?
They've got a tough job.
One approach is to stop talking about mere secure websites and to offer instead super secure websites, as we saw the other day: "Mydex is providing the super secure Personal Data Store (PDS) for identity verification that will ...".
Superunicorns?
That's a bit weak. Either these resources are secure or they're not. It's like being pregnant – indistinguishable from being superpregnant.
But having embarked on that course, there's only one way to go: "The Mydex Trust Framework is a set of legal and technical rules by which members of a network agree to operate in order to achieve trust online. At its core it delivers a trusted digital identity, a hyper secure personal data store and platform from which individuals can connect to each other and organisations for the bi-directional exchange of information in a secure and verified manner".
Hyperunicorns?
What next?
No unicorns, no trust
Judging by that last example, what's next is a thoroughgoing mangling of the concept of trust. Unless you believe in unicorns, when someone offers you a trust framework or a supertrust framework or a hypertrust superframework, be warned. Be superwarned. Be hyperwarned.
----------
Updated 11.4.14
The day before yesterday Murad Ahmed warned us in the Times:
Bug puts internet passwords at risk
... Security researchers said they have discovered the “heartbleed bug”, which is a problem in the way the majority of websites encrypt their sensitive data. About 60 per cent of websites use the affected software, known as OpenSSL – a way of protecting information such as names, passwords, messages and financial information as it passes between computers ...
How important is that?
In a crowded field of experts, readers are recommended to believe Bruce Schneier when he says: "On the scale of 1 to 10, this is an 11":
Basically, an attacker can grab 64K of memory from a server. The attack leaves no trace, and can be done multiple times to grab a different random 64K of memory. This means that anything in memory -- SSL private keys, user keys, anything -- is vulnerable. And you have to assume that it is all compromised. All of it.
"Catastrophic" is the right word. On the scale of 1 to 10, this is an 11.
Half a million sites are vulnerable, including my own. Test your vulnerability here.
To reiterate. If someone promises you a secure website, remember, whether they know it or not, it's really not in their gift, it doesn't exist, it's a unicorn, be hyperwarned.
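Schneier's paragraph describes the effect of Heartbleed but not the mechanism. What follows is an added example, written for this page and not the blog's own material nor OpenSSL's code: a cut-down model of the TLS heartbeat extension (RFC 6520) in which the handler believes the length field in the request and copies that many bytes back, whether or not that many bytes ever arrived. The "server memory", the secret string left in it, and all the function names are constructed for the demo. The fixed handler shows the single check that was missing.

```c
/*
 * Added example: a cut-down model of the TLS heartbeat extension (RFC 6520)
 * showing the missing length check behind Heartbleed.  This is not OpenSSL's
 * code and not code from the blog; the "server memory" and the secret
 * sitting in it are constructed for the demo.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16            /* RFC 6520: at least 16 bytes of padding */

/* Constructed "process memory": the received heartbeat record sits at the
 * front and a leftover from some other connection follows it. */
static uint8_t g_server_mem[256];
static uint8_t g_resp[3 + 65535];  /* largest possible heartbeat response */
static const char kSecret[] = "session_cookie=abc123";   /* constructed */

/* Lay out a heartbeat request whose header claims claimed_len payload bytes
 * but which actually carries strlen(payload) bytes plus padding.
 * Returns the true length of the record as received. */
size_t build_record(uint16_t claimed_len, const char *payload)
{
    size_t actual = strlen(payload);
    memset(g_server_mem, 0, sizeof g_server_mem);
    g_server_mem[0] = HB_REQUEST;
    g_server_mem[1] = (uint8_t)(claimed_len >> 8);
    g_server_mem[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(g_server_mem + 3, payload, actual);
    /* Something sensitive happens to lie in memory just after the record. */
    memcpy(g_server_mem + 3 + actual + HB_PADDING, kSecret, sizeof kSecret - 1);
    return 3 + actual + HB_PADDING;
}

/* Vulnerable handler: believes the length field and never compares it with
 * the size of the record that actually arrived.  That is the Heartbleed bug:
 * memcpy runs past the request into whatever memory follows it. */
size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *out)
{
    (void)rec_len;                              /* never consulted */
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);      /* over-read */
    return 3 + payload_len;
}

/* Fixed handler: type + length + payload + padding must fit inside the
 * record that was received; otherwise the request is silently discarded
 * (returns 0), which is what the upstream fix does. */
size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len, uint8_t *out)
{
    if (rec_len < 1 + 2 + HB_PADDING)
        return 0;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)1 + 2 + payload_len + HB_PADDING > rec_len)
        return 0;                               /* claimed more than sent */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);
    return 3 + payload_len;
}

/* Scan a response for the neighbouring secret. */
int response_leaks_secret(const uint8_t *resp, size_t resp_len)
{
    size_t n = sizeof kSecret - 1;
    for (size_t i = 0; i + n <= resp_len; i++)
        if (memcmp(resp + i, kSecret, n) == 0)
            return 1;
    return 0;
}

/* The attack: send 2 payload bytes, claim 100. */
size_t vulnerable_reply_len(void)
{
    size_t rec_len = build_record(100, "hi");
    return heartbeat_vulnerable(g_server_mem, rec_len, g_resp);
}

int vulnerable_reply_leaks(void)
{
    size_t n = vulnerable_reply_len();
    return response_leaks_secret(g_resp, n);
}

/* The same 2-byte payload against the fixed handler, with whatever length
 * the header claims. */
size_t fixed_reply_len(uint16_t claimed_len)
{
    size_t rec_len = build_record(claimed_len, "hi");
    return heartbeat_fixed(g_server_mem, rec_len, g_resp);
}

int main(void)
{
    printf("vulnerable: %zu bytes back, secret leaked: %s\n",
           vulnerable_reply_len(), vulnerable_reply_leaks() ? "yes" : "no");
    printf("fixed, lying header: %zu bytes back (0 = dropped)\n",
           fixed_reply_len(100));
    printf("fixed, honest header: %zu bytes back\n", fixed_reply_len(2));
    return 0;
}
```

The demo keeps everything inside one 256-byte array so the over-read stays within the program's own memory; on a real server the same memcpy walks into heap belonging to other connections, which is where the private keys and session cookies Schneier mentions come from. Nothing is written and no error is raised, which is why the attack leaves no trace.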
Updated 19.11.14
The CloudStore has been re-written for the second or third time and re-named the Digital Marketplace. No surprise to DMossEsq's millions of readers.
The Government Digital Service (GDS) have written about it on their blog, please see Digital Marketplace: building a digital by default service. They have nothing to say about digital marketplaces.
They just bang on about their digital by default service standard.
That's the standard they were following, presumably, which meant that we now apply to register to vote in the UK using a system which has to work without GDS's identity assurance (IDA).
Not ideal but perhaps just as well since the first public service which incorporates a public test version of IDA seems to be unusable, despite satisfying all 26 criteria of the digital by default service standard. Bad luck DEFRA.
And good luck to all those G-Cloud suppliers who will rely on the Digital Marketplace and to the central and local government departments who try to buy services from them – just look at the logo GDS have chosen.
Updated 23.2.15
Some people never learn.
The media have stories every day about internet security breaches. The latest story that has burrowed through DMossEsq's thick skull concerns the US State Department.
Bloomberg report that the State Department's email service was infiltrated several months ago and that, despite the most expert efforts, it remains infiltrated.
If the State Department can't deliver security there is no reason to believe that the UK's chirpy little Government Digital Service can. And yet, refusing to learn, these dinosaurs continue to offer the unicorn of internet security.
If you are tempted to sign up for their GOV.UK Verify identity assurance service (RIP), the first thing GDS tell you is that it's secure. Who is there left on the planet who might believe that?
Far from helping to prevent identity theft, GOV.UK Verify is more likely to promote it by centralising the entire population's personal information in the databases of just a few "identity providers".
Not only do GDS want to centralise all personal information, they also want you to give up the relative safety of multiple logon IDs and passwords and replace it with a single key to your kingdom.
If against all the odds you pursue this wild goose chase and choose Digidentity as your GDS-sponsored "identity provider", they go even further:
"Infallible security"?
This is the sales pitch of an unreconstructed mountebank. It might have worked in the 20th century. It can't work in the 21st.
1st cloud in Skyscape Cloud's sky
Readers will remember the immaculate conception of Skyscape Cloud Services Ltd, the company incorporated on 3 May 2011 which won four government contracts, some of them before the company had submitted its first set of accounts to Companies House.
The Government Digital Service (GDS), HMRC, the MOD and the Home Office all chose Skyscape in preference to long-established cloud services companies.
Now GDS have parked their harp on another cloud.
Government signs cloud hosting contract with Carrenza for GOV.UK, they tell us in ComputerWorldUK magazine:
The Government Digital Service (GDS) has signed a £100,000, one-year contract with Carrenza to help host the GOV.UK government services portal ... The infrastructure-as-a-service (IaaS) contract was awarded via the government's G-Cloud framework ... Carrenza replaces previous suppliers Skyscape and SCC, which provided hosting for GOV.UK over the last 12 months.
And Carrenza have issued a press release:
Carrenza, the award winning UK based cloud services provider, today announced that it had signed a contract with the Government Digital Service (GDS) to be one of the primary suppliers hosting GOV.UK. The Infrastructure as a Service (IaaS) contract was awarded via the G-Cloud iii Framework, created to deliver fundamental changes in the way the public sector procures and operates ICT.
Will HMRC, the MOD and the Home Office follow suit?