IT security, vulnerabilities, bugs, fixes, flaws, RSA conference and Infosec.


Name, rank and serial number

Well it's going to be a busy week for those interested in identity cards. The bill goes up for a second reading tomorrow and it looks likely that parliamentary rebels won't be able to derail it, although the Lords may.

I've lost count of the number of reasons why this scheme is a rotten idea. While the IT companies which support New Labour so generously may love the idea of a huge integration deal like this, it makes little sense for the rest of us. The technology's unproven, the task of integration will be unprecedented and the security benefits are minimal.

But what really grates, as an Englishman true and true, is the thought that some petty official can demand that I prove who I am at the drop of a hat and then read through my most private data. I've been stopped by police in the US once and the first question that was barked out was "ID" and heaven help me if I didn't have it.

If the ID card goes through it won't be the next Poll Tax. Unless the British people have become a lot more active over the past few years they'll learn to live with this.

No, if we're doing comparisons the ID card legislation is this government's electronic foot and mouth epidemic: massively expensive, hugely dispiriting and leaving everyone with a nasty taste in the mouth.

June 27, 2005

BT the next hacking target?

BT was very confident yesterday that its new Fusion service is secure.

"All the data is encrypted with IPSec," stated project boss Ian Livingstone, as if that were case closed.

But IPSec has been cracked already and there are worrying rumours about Bluetooth too.

If the base station can broadcast 25 metres or more then there's the opportunity for everyone to share your phone connection, or bring it down if your late night call wakes them.

So watch this space, as BT may be heading for a security problem.

June 16, 2005

McKinnon madness

The case of the "biggest military computer hack of all time" is fascinating. Was the 39-year-old unemployed programmer really an evil mastermind as some of the press have been suggesting? Or just a normal chap with an overly developed interest in UFOs and a working knowledge of computers?

There are several things about this case that just don't seem right. Why did the US authorities wait for over two years before starting the case? Why were the military systems so poorly protected? And where did the estimate for $700,000 worth of damage come from?

The last figure is particularly suspect. In his excellent history of the first days of the digital underground, Bruce Sterling recorded the method used by one particular company to estimate the damage caused by a document being stolen.

The company charged for two writers and an editor, as well as the hardware they produced it on, and came up with a damages figure in the hundreds of thousands. They were later shown to be selling the same document for under $10.

The key to all these cases is to look critically at the facts, the facts and nothing but the facts. Based on the evidence so far, McKinnon may be guilty. But the sentence he faces far outweighs the seriousness of his actions.

June 9, 2005