Wednesday 11 September 2013

iPhone 5S fingerprint technology – eye-catching

Apple unveils two iPhones — and a password at your fingertip, it says in the Times today. According to the Telegraph, Apple iPhone 5S and 5C: fingerprint sensor and plastic make iPhone 5 debut. Etcetera, throughout the media.

You could have announced the end of the world yesterday. No-one would have noticed.

In fact, Sir David Attenborough did. "I think that we've stopped evolving", he told the Radio Times. And all anyone wanted to know is how easily they can photograph themselves with the iPhone 5C.

No matter how trivial the detail, media coverage was breathlessly serious.

Except, perhaps, for Murad Ahmed in the Times. For him, maybe there is some sign of a sense of humour. Maybe there is hope:
At events held at the company’s headquarters in Cupertino, California, and Berlin yesterday, analysts said the new fingerprint technology was the most eye-catching advance.
Which brings us to biometrics.

Suppose the fingerprint recognition in the iPhone 5S doesn't work. Suppose that 20 percent of 5S owners queue up outside Phones4U, complaining that they've bought a product that won't let them use it – the computer says I'm not me and it won't let me unlock the home screen – and they all want their contracts cancelled and their money back.

Suppose someone finds a way to steal your fingerprints from the iPhone 5S and use them to authenticate their own purchases, fraudulently. It's not as though you can just go out and get a new set of fingerprints ...

That's not a disaster for Apple alone.

What will the news footage of those queues do for US-VISIT, the US border control system that relies on fingerprint recognition? What will it do for Aadhaar, the Indian identity management scheme that ditto? What will it do for Safran's share price? What will it do for payments systems which rely on fingerprint recognition to authenticate transactions?

Sweaty fingers and scared eyes. It's in their DNA. That's the evolutionary response that will be shared by all the owners with a horse in the Apple Stakes.

If the fingerprint technology is up to the job and can authenticate you as the legitimate user of this iPhone 5S, then it can also allow you to open the front door to your house. As the Wall Street Journal said in Apple's Latest iPhone Puts Focus Back on Fingerprint Security. Last word to them:
"If I go jogging with my iPhone and I come back to my house and my thumb is all sweaty and I can't get in my apartment door, that would kind of suck".

iPhone 5S fingerprint technology – eye-catching

Apple unveils two iPhones — and a password at your fingertip, it says in the Times today. According to the Telegraph, Apple iPhone 5S and 5C: fingerprint sensor and plastic make iPhone 5 debut. Etcetera, throughout the media.

You could have announced the end of the world yesterday. No-one would have noticed.

In fact, Sir David Attenborough did. "I think that we've stopped evolving", he told the Radio Times. And all anyone wanted to know is how easily they can photograph themselves with the iPhone 5C.

Tuesday 10 September 2013

Edward Snowden – déjà vu all over again

Come to think of it, this debate about the security services having cracked all our codes is not entirely new.

For what it's worth, back in August 2010, on the No2ID forum, we were discussing the latest revelations about BlackBerry mobile phones. Someone posted the following extracts from a Nic Fildes article in the Times newspaper, BlackBerry ‘near deal to open messages to Saudis’. The debate remains relevant three years later:
The makers of BlackBerry mobile phones appear to have backed down in the face of demands from Saudi Arabia to allow the state to monitor messages sent on its devices ...

The Saudi-backed television station Al-Arabiya quoted unnamed sources as saying RIM [Research In Motion, the people behind the BlackBerry] had agreed in principle to grant the Saudi authorities access to its messages.

Bandar al-Mohammed, of the Saudi Communications and Information Technology Commission, said RIM had expressed its “intention…to place a server inside Saudi Arabia”, allowing the kingdom to inspect communications and data exchanged between BlackBerry handsets ...

The United Arab Emirates intends to ban BlackBerry e-mail, messaging and web browsing on October 11 ...

The company then issued a statement on Thursday denying that it had already allowed some governments access to BlackBerry data.

The US and Canadian governments have also offered to hold talks with countries concerned about the security implications of BlackBerry usage.
Not just Saudi Arabia, but the UAE, too, and India and Indonesia and France – it seemed as if no country would allow people to use BlackBerrys until its security services had found out how to listen in. There are obvious implications for industrial and other espionage.

Then Justin found a Babbage article in the Economist magazine, Spies, secrets and smart-phones, and someone posted this, adding a reference to Sir Richard Dearlove, the former head of MI6 ...
From the Economist article usefully brought to our attention by Justin:
A security pundit interviewed on BBC television's "Newsnight" a few days ago speculated that the American authorities are only pretending when they claim they still can't tap into Skype calls. This was then put to Lord West, a former British security minister. His response was fascinating:
When I come on a programme like this I'm always very nervous, ‘cos I know so much. And also people…don’t necessarily always tell the truth. That sounds an awful thing to say but do you want anyone to know that you can get into very high-encrypted stuff? No, you can say "we don’t, we can’t do it".
He then went on to say how "mind-boggling" are the capabilities of America's National Security Agency and its British counterpart, GCHQ. To this blogger, that sounded like: "Yes of course we can hack Skype calls and all the rest, but we have to pretend we can't".
Lord West is not the only one playing this game. At 9.30 a.m. on Saturday 26 September 2009 Sir Richard Dearlove lectured several hundred of us on the security risks the world faces and the international response [p.15]. At one point he said that there are many good encryption systems available but maybe "we" have cracked them. (I paraphrase.) (Andrew Watson turned out to be at the lecture, too – Andrew, can you confirm this is at least roughly right?)

Let's take it, from Sir Richard's lecture and Lord West's appearance on Newsnight, that the commonly available encryption systems are a busted flush. So what?

The implications are legion.

One of them is that part of the case for long periods of detention without charge [remember Admiral Lord West, the once court-martialled and then reinstated "simple sailor"] collapses. That case is based on the large number of computer files that often have to be checked for evidence and on the difficulty of deciphering them. If that difficulty doesn't exist, ... etc.
... followed by wise words from Andrew Watson:
I have to admit that I don't remember what he said on that topic - having lived through all the fuss surrounding PGP export from the USA in the 90s [see Phil Zimmermann, Why I wrote PGP, pp.227-31], I'm afraid I tend to tune-out speculation about whether the NSA can or cannot read any particular form of encryption. I agree that there doesn't seem to be any publicly-available hard data on this point, and one can spend a lifetime speculating about the possibilities for bluff, double-bluff, triple-bluff etc by those who may know but aren't telling.

Here's the one bit of hard data I have seen recently -

http://www.theregister.co.uk/2010/06/28 ... _lock_out/

... but again, one could speculate that the NSA could break this crypto if they wanted to, but choose not to release this information to the FBI for fear of revealing the secret (etc, etc).
That ElReg article referred to by Andrew, Brazilian banker's crypto baffles FBI, is all about TrueCrypt, the open source encryption facility which was exercising Mydex the other day, "Waaaaat? A backdoor is available for truecrypt too?".

Mydex, and the rest of us – we're all exercised by the Edward Snowden revelations that began on 6 June 2013.

In the atmosphere of "bluff, double-bluff, triple-bluff etc" we're not going to get any sensible answers.

So here's a flippant point.

England staged its revolution over a century before the Americans and the French got round to holding theirs. Edward Snowden was beaten to it by Sir Richard and Lord West by three or four years. Late again!

Edward Snowden – déjà vu all over again

Come to think of it, this debate about the security services having cracked all our codes is not entirely new.

For what it's worth, back in August 2010, on the No2ID forum, we were discussing the latest revelations about BlackBerry mobile phones. Someone posted the following extracts from a Nic Fildes article in the Times newspaper, BlackBerry ‘near deal to open messages to Saudis’. The debate remains relevant three years later:
The makers of BlackBerry mobile phones appear to have backed down in the face of demands from Saudi Arabia to allow the state to monitor messages sent on its devices ...

The Saudi-backed television station Al-Arabiya quoted unnamed sources as saying RIM [Research In Motion, the people behind the BlackBerry] had agreed in principle to grant the Saudi authorities access to its messages.

Bandar al-Mohammed, of the Saudi Communications and Information Technology Commission, said RIM had expressed its “intention…to place a server inside Saudi Arabia”, allowing the kingdom to inspect communications and data exchanged between BlackBerry handsets ...

The United Arab Emirates intends to ban BlackBerry e-mail, messaging and web browsing on October 11 ...

The company then issued a statement on Thursday denying that it had already allowed some governments access to BlackBerry data.

The US and Canadian governments have also offered to hold talks with countries concerned about the security implications of BlackBerry usage.
Not just Saudi Arabia, but the UAE, too, and India and Indonesia and France – it seemed as if no country would allow people to use BlackBerrys until its security services had found out how to listen in. There are obvious implications for industrial and other espionage.

Sunday 8 September 2013

Edward Snowden – the penny drops 2

While beautiful people dance, beautifully dressed, through the lush pastures and wild flowers singing beautifully, they are stalked all the while by the Gestapo, the Geheime Staatspolizei, the sinister secret state police ...

The Sound of Music? It's a parable of our time, dontcha know.

No it isn't. But you'd never guess that from the way some people have reacted.

Who do you think wrote this in the Guardian?
Government and industry have betrayed the internet, and us.

By subverting the internet at every level to make it a vast, multi-layered and robust surveillance platform, the NSA has undermined a fundamental social contract. The companies that build and manage our internet infrastructure, the companies that create and sell us our hardware and software, or the companies that host our data: we can no longer trust them to be ethical internet stewards.

This is not the internet the world needs, or the internet its creators envisioned. We need to take it back.
Only Bruce Schneier. That's who.

For anyone who doesn't know, Mr Schneier is a wise and expert practitioner and commentator on security whose blog is required reading for level-headed analysis and comprehensive coverage of current security affairs.

Writing like Private Eye's Dave Spart is the last thing you would ever expect of him but there it is in black and white, "government and industry have betrayed us ... undermined a fundamental social contract ... ethical internet stewards ... we need to take it back". Normal service will no doubt resume once he has got over the shock of the latest Edward Snowden revelations.

Is there any way for the ordinary punter to keep their data secure on the internet?

In another Guardian article, NSA surveillance: A guide to staying secure, Mr Schneier tentatively offers a five-point plan and recommends some tools to use:
Since I started working with Snowden's documents, I have been using GPG, Silent Circle, Tails, OTR, TrueCrypt, BleachBit, and a few other things I'm not going to write about. There's an undocumented encryption feature in my Password Safe program from the command line); I've been using that as well ...

I understand that most of this is impossible for the typical internet user. Even I don't use all these tools for most everything I am working on.
So no. There isn't. Not even for Mr Schneier.

It will be said that we are all over-reacting. All of us including Mr Schneier. Things aren't as bad as they look, securitywise, on the internet.

In fact, it's already been said: "Phew :-)  Back to: so what was it we were *right* to be paranoid about? ... hoax ... indeed. We're all delighted".

Too late for that: "it's a hoax ... but that gives no info about whether true ;-)".

The damage is done: "Not cool. Wonder what effect that first Tweet will have on some market capitalisations".

The trust has gone.

There was never any basis for it in the first place.

The internet never was Julie Andrews and a troupe of good-looking children singing in picture postcard-beautiful mountains. Google and Amazon and Facebook and Apple and eBay/PayPal are in it for the money. Martin Sorrell told us so. So did Mydex's very own William Heath:
It’s no more helpful to obsess about identity than to obsess about privacy ... The area to focus on is data logistics ... the compelling reason to pursue better data logistics with user-driven services is saving money.
Not just the money. The power, as well. Which Douglas Carswell should have realised. That's where the NSA and GCHQ come into it. And ex-Guardian man Mike Bracken's Government Digital Service and their friends.

Edward Snowden has done us a favour. The penny has dropped and the Hollywood movie rose-tinted spectacles are off.

Edward Snowden – the penny drops 2

While beautiful people dance, beautifully dressed, through the lush pastures and wild flowers singing beautifully, they are stalked all the while by the Gestapo, the Geheime Staatspolizei, the sinister secret state police ...

The Sound of Music? It's a parable of our time, dontcha know.

No it isn't. But you'd never guess that from the way some people have reacted.

Who do you think wrote this in the Guardian?

Edward Snowden – the penny drops 1

The Edward Snowden revelations began here in the UK on 6 June 2013.

The public response and the response of the national media has been muted. Spies spy. What do you expect? They have to. Surveillance is legal. You'd have to be naïve to think otherwise. It's for our own good.

It's a case of move along, there's nothing to see here, as far as Whitehall is concerned. And in that case the plans to make public services digital by default can proceed. We can carry on saying that it is safe to store our data in the cloud. We can carry on saying that trusted third parties – "identity providers" – can supply us with personal data stores, maintained on "secure websites", which will give us "control" over what happens to our personal data.

There's nothing to see here. Our personal data will be encrypted. The security of the websites is provided by encryption. Encryption works. That's why the third parties can be trusted.

When the cartoon character runs off the edge of a cliff his legs keep going and he keeps moving forwards as long as he doesn't look down.

On 6 September 2013, three months after after running off the cliff, the revelation that the US National Security Agency (NSA) and GCHQ can get round some/many/most forms of encryption has finally made the cartoon character look down. His legs stop. A look of doubt appears on his face, the penny drops and he starts to fall.

Mydex is in poll position to provide the personal data stores for midata, the Department for Business Innovation and Skills initiative to "empower the consumer". Mydex is also one of the UK's appointed "identity providers" and recently signed a contract to supply identity assurance services.

William Heath is the chairman of Mydex. Here, faithfully recorded by Twitter, is what he saw when he looked down:










----------

Updated 29.9.15

"Mydex is in poll position to provide the personal data stores [PDSs] for midata". Written two years ago. Please see above.

It looked then as though Mydex relied on a package called "TrueCrypt" to make their PDSs secure.

If they relied then or rather if they rely now on TrueCrypt, there's a problem. Support for TrueCrypt was withdrawn in May 2014.

"Mydex provides the individual with a hyper-secure storage area to enable them to manage their personal data, including text, numbers, images, video, certificates and sound. No-one but the individual can access or see the data". That's what it says, to this day, at the bottom of Mydex's webpage – "hyper-secure".

Where does this "hyper-security" come from? Not from TrueCrypt. So where?

If your PDS is hacked, that's your fault. That's Mydex's stance and that's why, unlike the banks, they offer no compensation.

Before entering into a no-compensation deal which requires you to store all your personal information in a PDS, you might be wise to check just how secure that PDS is. Wiser still, whoever you get your PDSs from, to assume that hyper-security is impossible and insist on the provision for compensation in the contract.



Edward Snowden – the penny drops 1

The Edward Snowden revelations began here in the UK on 6 June 2013.

The public response and the response of the national media has been muted. Spies spy. What do you expect? They have to. Surveillance is legal. You'd have to be naïve to think otherwise. It's for our own good.

It's a case of move along, there's nothing to see here, as far as Whitehall is concerned. And in that case the plans to make public services digital by default can proceed. We can carry on saying that it is safe to store our data in the cloud. We can carry on saying that trusted third parties – "identity providers" – can supply us with personal data stores, maintained on "secure websites", which will give us "control" over what happens to our personal data.

There's nothing to see here. Our personal data will be encrypted. The security of the websites is provided by encryption. Encryption works. That's why the third parties can be trusted.

When the cartoon character runs off the edge of a cliff his legs keep going and he keeps moving forwards as long as he doesn't look down.

Friday 6 September 2013

The internet secure? Absurd

While we were all away on holiday a scene from the theatre of the absurd was reported. It had been enacted  a month before, in July, in the basement of the Guardian newspaper's London office.

Dramatis personae:
    A number of GCHQ persons
    A Guardian editor and a Guardian IT person

Props:
    A number of computer disks and chips
    An angle grinder and some other tools

On 20 July 2013, apparently acting on the orders of Sir Jeremy Heywood, the Cabinet Secretary, who was in turn apparently acting on the orders of the Prime Minister himself, the Guardian persons set about destroying the disks and chips with the angle grinder and other tools. The GCHQ persons, having watched but not assisted, left once the job was done.

Thus one copy of the Edward Snowden files was destroyed. Quite pointlessly, as there are other copies. But the Prime Minister insisted, allegedly, the charade went ahead, and the dignity of his office was thereby preserved.

The Snowden revelations continue unabated. Yesterday, the Guardian treated us to US and UK spy agencies defeat privacy and security on the internet while the New York Times gave us N.S.A. Able to Foil Basic Safeguards of Privacy on Web.

If you think that encryption will keep your use of the internet private/confidential/secret, think again.

The US National Security Agency (NSA) and our very own GCHQ have cracked the code and can decrypt your transactions on secure websites, your use of virtual private networks, your emails, web chats and Skype calls, just like that, more or less in real time.

If a cloud computing supplier tells you your data is safe in the cloud because it's encrypted, he or she is probably wrong. HMRC, the MOD, the Home Office and the Government Digital Service (GDS) might like to reconsider their use of Skyscape Cloud Services Ltd.

If a personal data store supplier tells you that your information is safe because it's encrypted – perhaps in connection with the UK's midata project – he or she is probably wrong.

No doubt GDS will tell us that the new electoral roll will be secure. And that the identity assurance service they are about to unleash on HMRC is secure. In what way?

Individuals, companies and government departments can forget about confidentiality on the internet. What was left of it was all hoovered up by the cleaners in the Guardian's basement after the audience had left.

Lawyers, bankers and accountants working on a major takeover, for example, may well continue to use the internet. It's convenient. But they can no longer promise that their clients' data is being kept confidential. Everyone now knows that on the internet that is, to all intents and purposes, impossible.

The internet secure? Absurd

While we were all away on holiday a scene from the theatre of the absurd was reported. It had been enacted  a month before, in July, in the basement of the Guardian newspaper's London office.

Dramatis personae:
    A number of GCHQ persons
    A Guardian editor and a Guardian IT person

Props:
    A number of computer disks and chips
    An angle grinder and some other tools

On 20 July 2013, apparently acting on the orders of Sir Jeremy Heywood, the Cabinet Secretary, who was in turn apparently acting on the orders of the Prime Minister himself, the Guardian persons set about destroying the disks and chips with the angle grinder and other tools. The GCHQ persons, having watched but not assisted, left once the job was done.