Archive for October, 2007

UAVs, Control and Co-Operation

Posted by Tom Fuller in Blindside project, Cyberwar, Murphy's Law, threats at October 20th, 2007

Jane’s Defence Weekly (subscription only) is an entertaining source of information. Sandwiched between news of Peruvian plans to upgrade their MIG 29 fighter force and adverts for body armour, you can find surprising amounts of detail relevant to information assurance issues.

We’ve posted before on UAV (robotic airplane) activity and the staggering bandwidth requirements they generate and the need for secure communications. Jane’s tells us more–that there are 157 types of UAV in development in 17 European nations, and that, according to the United States Air Force, co-ordination problems between the USAF and other services in Iraq, Afghanistan and other combat areas are currently a pressing issue.

The USAF (the organisation that brought us Curtis LeMay, advocate of bombing enemies until the rubble jumps), inevitably thinks that they should have executive authority over high and medium altitude unmanned aircraft. Well, they would.

Another story in the same issue talks of NATO planners demanding full interoperability for equipment and weapons, and specifically mentions UAVs. “The appetite of our field commanders for UAVs is unlimited, for example. But we cannot have a Dutch UAV flying over southern Afghanistan that is unable to send data to a UK or Canadian commander.”

Later, the article notes “A US-led project involving 10 nations and allied capability planners called MAJIIC aims to do just that by defining a common architecture for sharing data.”

As a former member of the US Navy, I have an inherent prejudice regarding the USAF, which may colour my thinking. Nonetheless, I would suggest that EU and NATO technical planners get a secure system for sharing information in place soon, and offer to share with the Yanks rather than cede control.

The IA implications of ramps replacing stairs

The world is changing now.

Ramps may replace stairs in homes and businesses to facilitate access to domestic robots. (Pure speculation on my part, this.)

Domestic robots charged with cleaning and other duties will be equipped with CCTV cameras. (Already exist and offered as a commercial service.)

Some bright lass or lad will equip these domestic robots with prosthetic arms for manipulating objects on command–or autonomously (already exist and working in the lab).

In addition to opening doors and pulling levers, etc., those arms will be able to manipulate tasers or pepper-spray projectors. Domestic robots will then have security responsibilities.

However, to prevent misuse and frivolous use, it is quite possible that the use of robots for security purposes must involve an enabling command from a certified security operator or even a law-enforcement agency, looped in on the feed from the robot’s CCTV camera. It might be a dual decision, with the security operator enabling the owner to actuate the device.

Which of course means the integrity and authenticity of all messaging must be iron-clad–encrypted, authenticated and secure.

So when, 10 years down the line, you are choosing which type of wood to use in the ramp that replaces your stairs, remember the information assurance implications.

And just in case you think this is too futuristic and science-fictiony to worry about, have a look at the first private spaceport–due to be finished in 2010–before Crossrail.

Hat tip to Robert Heinlein’s Door Into Summer, 1957.
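The dual decision described above (a security operator's enabling command plus the owner's command, both over authenticated messages) can be sketched as follows. This is an added example, not part of the original post: the message fields, keys and robot identifier are constructed for illustration, and it covers authentication, integrity and freshness only, not encryption of the channel.

```python
import hashlib
import hmac
import json

# Constructed demo keys; a real deployment would provision per-device keys securely.
OPERATOR_KEY = b"constructed-operator-key"
OWNER_KEY = b"constructed-owner-key"


def _canonical(fields):
    """Serialise fields deterministically so both sides MAC the same bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def sign(key, fields):
    """Return a message carrying an HMAC-SHA256 tag over its canonical form."""
    tag = hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest()
    return {"fields": fields, "tag": tag}


def verify(key, msg):
    """Constant-time check that msg was produced by the holder of key."""
    expected = hmac.new(key, _canonical(msg["fields"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, msg["tag"])


class Robot:
    def __init__(self, robot_id):
        self.robot_id = robot_id
        self.used_nonces = set()  # enable nonces already consumed (replay defence)

    def actuate(self, enable_msg, actuate_msg, now):
        """Return (allowed, reason); both parties must have signed, for this robot."""
        if enable_msg is None or actuate_msg is None:
            return False, "both operator enable and owner command required"
        if not verify(OPERATOR_KEY, enable_msg):
            return False, "operator enable failed authentication"
        if not verify(OWNER_KEY, actuate_msg):
            return False, "owner command failed authentication"
        en, act = enable_msg["fields"], actuate_msg["fields"]
        if en["robot"] != self.robot_id or act["robot"] != self.robot_id:
            return False, "message addressed to a different robot"
        if act["enable_nonce"] != en["nonce"]:
            return False, "owner command not bound to this enable"
        if now > en["expires"]:
            return False, "operator enable expired"
        if en["nonce"] in self.used_nonces:
            return False, "enable already used (replay)"
        self.used_nonces.add(en["nonce"])
        return True, "actuated"


def demo():
    """Run the accept path and four reject paths against one robot."""
    robot = Robot("robot-7")
    enable = sign(OPERATOR_KEY, {"robot": "robot-7", "nonce": "n-001", "expires": 1060})
    command = sign(OWNER_KEY, {"robot": "robot-7", "enable_nonce": "n-001", "action": "deter"})
    # Attacker stretches the expiry but cannot recompute the tag without the key.
    tampered = {"fields": dict(enable["fields"], expires=9999), "tag": enable["tag"]}
    results = {}
    results["owner_alone"] = robot.actuate(None, command, now=1000)
    results["tampered"] = robot.actuate(tampered, command, now=1000)
    results["expired"] = robot.actuate(enable, command, now=2000)
    results["valid"] = robot.actuate(enable, command, now=1000)
    results["replay"] = robot.actuate(enable, command, now=1001)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, outcome)
```

Binding the owner's command to the operator's nonce is what makes this a dual decision rather than two independent approvals that could be mixed and matched across incidents.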

Technology Leaders

Posted by Tom Fuller in AnonymitY, Blindside project, Humanity nature and activity, People and IT, culture at October 19th, 2007

Mary Meeker was an analyst who, back in the nineties, was accused of over-hyping dot com companies, helping them launch into publicly listed existence. Many of her recommended picks failed; a few became the Internet powerhouses we see on the web today. Mary became very controversial for a while. Perhaps failing upwards, Ms. Meeker is now head of Morgan Stanley’s global technology research team.

She is here before us today, ranking countries in terms of their Internet ‘power,’ or who is leading the world in what.

The American news story focusses on America’s declining share of world GDP, which really should be welcome news for all, including Americans. What interests me is her assessment of world leaders in certain areas of Internet practice.

“In terms of the Internet — especially in technologies key to Web 2.0 success — the fastest growth is in non-U.S. markets. For example, Germany leads the e-commerce market, China leads in online gaming, South Korea leads in broadband, Japan leads in mobile payments, the United Kingdom leads in online advertising, Brazil and South Korea lead in social networking, and the Philippines leads in micro-transactions via SMS.”

Nice to know the UK leads in something. Pity it’s just advertising. Sadly, Ms. Meeker does not nominate a country as leader in the areas of IT security, information assurance, etc.

I bring this up because I wonder where people turn when they search for best practice. There was a time when the default might well have been the U.S. for many areas of technology. But I think that time passed around 1990.

There is, or should be, relevance to information assurance efforts in all of this, as a technology that undergoes its growth pains in another country and matures into commercial propositions can be introduced into the UK as a disruptive solution before anybody has had a chance to consider the implications. If it is introduced from a country where legislative and regulatory goals are vastly different, it could have implications for all of us.

Yesterday I posted about a Korean company that allows for mobile phone CCTV coverage of your house (it’s near the bottom of the post). But of course it doesn’t have to be your house. It can be anyplace you can stick a webcam. Great technology. But there are implications for privacy, security, all the things we go on about here at Blindside.

And a long time ago I asked if the UK was ready in any meaningful sense of the word to integrate best practice or leading edge technology currently available in other parts of the world, should they migrate here in full form. I didn’t get an answer… so I’ll ask again, using this as a specific case study.

Is the UK prepared, in terms of existing laws and regulation, in terms of social attitudes and acceptance, in terms of technology infrastructure, to accept a fully-formed technology that allows anyone to stick a webcam anywhere and view the results over a mobile phone?

SCADA Woes Across The Pond

Posted by Tom Fuller in Blindside project, Hyperconnectedness, IT failures at October 18th, 2007

The story is here.

“The electricity grid, power plants and refineries face increasing threats from computer hackers who could cause major disruptions and economic chaos, congressional investigators say.”

“…Langevin, D-R.I., noted the recent disclosure that government scientists at the Energy Department’s Idaho National Laboratory were able to hack into a simulated power plant control system and cause an electric generator to destruct.”

“…Lofgren said that was not the intent of Congress when it created the department. ‘We haven’t made any progress in the cybersecurity side for a long, long time,’ she said.”

The commission is considering more stringent standards for the electricity industry that a quasi-industry group, the North American Electric Reliability Corp., is developing.

Location-Based Services: Hype or Hope?

Posted by Tom Fuller in Blindside project, Faster/smaller/better..., Hyperconnectedness at October 18th, 2007

To date, location-based services are widely used in emergency services, help alerts, fleet tracking and offering the location of a mobile phone. Or, as Wikipedia lists them,

Some examples of location-based services are:

• Requesting the nearest business or service, such as an ATM or restaurant
• Receiving alerts, such as notification of a sale on gas or warning of a traffic jam
• Finding a buddy

For the carrier, location-based services provide value add by enabling services such as:

• Resource tracking with dynamic distribution: taxis, service people, rental equipment, doctors, fleet scheduling
• Resource tracking: objects without privacy controls, using passive sensors or RF tags, such as packages and train boxcars
• Finding someone or something: person by skill (doctor), business directory, navigation, weather, traffic, room schedules, stolen phone, emergency 911
• Proximity-based notification (push or pull): targeted advertising, buddy list, common profile matching (dating), automatic airport check-in
• Proximity-based actuation (push or pull): payment based upon proximity (EZ pass, toll watch)

All very useful services, but in a sector where much more was expected, it looks kind of vanilla these days.

In September of 2006, Silicon.com wrote of location-based services, “Another good question. Mobile operators, pundits and other assorted industry watchers have been talking about LBS since the tail end of the last decade but have never really found a way to capitalise on them. It’s thought that the inclusion of GPS in mobile handsets could jump-start LBS. ABI Research predicts that by 2011, there will be 315 million GPS subscribers for location based services, up from a measly 12 million this year.”

A year later, has anything changed?

In May of this year, the BBC was showing interest: “Speaking at the FT Mobile Media conference, the BBC’s director of future media, Ashley Highfield, said the broadcaster - now the UK’s favourite mobile web destination - believes mobile content is shortly to enter a boom time. He said: ‘Mobile is the future of media and technology… I think a number of factors are coming into alignment for explosive growth.’ Among those factors, Highfield believes, are better pricing, operators’ decision to ditch their ‘walled garden’ approach to content and improvements in phones themselves including the addition of GPS. Highfield added: ‘It looks like the shift we saw when broadband took off.’”

One major use of location-based services will be in telecare for the disabled and elderly. In March of 2007, the International Journal of Health Geographics published an editorial about CAALYX, a “Complete Ambient Assisted Living Experiment, an EU-funded project that aims at increasing older people’s autonomy and self-confidence by developing a wearable light device capable of measuring specific vital signs of the elderly, detecting falls and location, and communicating automatically in real-time with his/her care provider in case of an emergency, wherever the older person happens to be, at home or outside.”

“CAALYX aims at increasing older people’s autonomy and self-confidence by developing a wearable light device capable of measuring specific vital signs of the elderly, detecting falls, and communicating automatically in real time with his/her care provider in case of an emergency, wherever the elderly person happens to be, at home or outside. Specifically, CAALYX’s objectives are:

• To identify which vital signs and patterns are most important in determining probable critical states of an elder’s health;

• To develop an electronic device able to measure vital signs and to detect falls of the older person in the domestic environment and outside. This gadget will have a geo-location system so that the monitoring system may be able to know the elder’s position in case of emergency (especially outdoors);

• To allow for the secure monitoring of individuals organised into groups managed by a caretaker who will decide whether to communicate events identified by the system to the emergency service (112); and

• To create social tele-assistance services that can be easily operated by the users.”

Crucially for Blindside readers, CAALYX addresses privacy issues in the editorial: “Location capability poses service providers with the challenge of responsibly handling consumers’ personal privacy [1]. This is particularly important with ‘tracking services’ that continuously monitor and log user’s location, like Wherifone, an American location-tracking service for the elderly and children [21], and other live tracking services using technologies like the GpsGate Server [22]. Such services raise many privacy concerns and questions; for example, “If a consumer service allows one party access to the location of a second party, should that second party be notified when this location information has been provided?”[23]

However, CAALYX’s approach to location information privacy is different. CAALYX is an extensible user health monitoring platform that uses GPS as to support that function (health monitoring) and for emergency handling. Thus CAALYX is not continuously tracking older people, or continuously communicating their location in real-time with the central monitoring station. There are a number of reasons for this. Firstly, allowing the data logger (a mobile smartphone that users carry on them) to collect the data rather than continuously stream it to a remote server means that expensive bandwidth is saved. It is also far more power-efficient than a system that has to continuously transmit data and pick up real-time geographic information via GPS, a paramount feature in any handheld device. But most importantly, it means people will not feel as if their every move is being watched. Location information is only sent when required during an emergency or when an alarm is raised. As such CAALYX has the potential of setting the standards and providing a ‘modus operandi’ or ‘best-practice’ model for wireless location privacy in mobile, location-intelligent/enabled e-health services.”

Commercial activity reported in the media indicates substantial interest in location-based services. Nokia’s recent purchase of Navteq, a supplier of digital maps, follows their recent introduction of a GPS-enabled mobile phone, the 6110 Navigator. “Using the handset’s embedded software, consumers can view their current location on a map, search for destinations, find specific routes, or locate nearby services, such as restaurants, hotels or shops. Location-based services are ‘one of the cornerstones of Nokia’s internet services strategy,’ Nokia chief executive Olli-Pekka Kallasvuo said in a statement. ‘By joining forces with Navteq, we will be able to bring context and geographical information to a number of our internet services with accelerated time to market.’”

And from the same article, “Navteq has been viewed as a takeover target since this summer, when navigation device maker TomTom said it would pay €1.8bn for Navteq’s top rival in the mapping market, Tele Atlas. Tele Atlas provides maps for MapQuest, Google Maps and several other navigation devices. TomTom accounts for about 40 percent of Tele Atlas’ business. When the acquisition was announced in July, many speculated that Google would buy rival Navteq.”

It’s all very much jam tomorrow, but tomorrow looks closer than it did a year ago. Well, I suppose it would.

To see what’s actually happening today, one needs to look at Asia. A white paper found on ZDNet (registration required), titled ‘Home Network Services in Korea,’ and published by Research On Asia (ROA) Group, Inc. talks about some interesting location-based services:

Logicplant’s Telekeeper (Mobile phone-based PC remote service) Service in brief: a solution to problems related to children’s PC use. The parents can monitor their children’s computer use.

Phone CCTV Service by SKT: Service in brief: this service, based on camera and high speed Internet, enables the user to monitor the situation at home via mobile phone and warns the user by sending a text message in a case of an intruder. By just installing a camera at home or in office, the service is enabled in real time via mobile phone.

Nespot Lu Service by KT: Service in brief: KT’s wireless Nespot service, connects mobile phone with a home robot. The robot is equipped with a small camera that monitors the situation inside the house and enables the user to check each room while staying outside the house by using a mobile phone.

From America (specifically, the University of Colorado), comes “A Methodological Assessment of Location Privacy Risks in Wireless Hotspot Networks,” another white paper found on ZDNet. The abstract states, “Mobile computing enables users to compute and communicate almost regardless of their current location. However, as a side effect this technology considerably increased surveillance potential for user movements. Current research addresses location privacy rather patchwork-like than comprehensively. Thus, this paper presents a methodology for identifying, assessing, and comparing location privacy risks in mobile computing technologies. In a case study, we apply the approach to IEEE 802.11b wireless LAN networks and location-based services, where it reveals significant location privacy concerns through link- and application-layer information. From a technological perspective, we argue that these are best addressed through novel anonymity-based mechanisms.”

Jam today, but not jam here.

The Future of the National DNA Database

Posted by Tom Fuller in AnonymitY, Blindside project, databases, e-ID at October 18th, 2007

Via Kable, “Home Office minister Meg Hillier has insisted on the need to debate the future of the National DNA Database. Responding to parliamentary questions from two Conservative MPs on 15 October 2007, Hillier said the growth of the database, which now holds records of more than 4m people, has made a debate on its future development necessary.”

Benefits to society so far: “Hillier claimed that the database had been used to solve 452 homicides, 644 rapes and more than 8,000 domestic burglaries.”

Example of possible downsides: Tory MP Stephen Crabb “highlighted the case of 75 year old Geoffrey Orchard, who was wrongfully arrested and received a written apology from the police, but who remains unable to get his DNA information removed from the system.”

So let’s have the debate. I suggest on the BBC (they may be looking for cheap programming these days). Let’s by all means have some of the great and the good participate. But let’s also have some of the Awkward Squad and some ordinary citizens as well.

Information Assurance Implications for UK Government

Posted by Tom Fuller in Blindside project at October 17th, 2007

Let’s try and walk through this together.

It would appear that UK Government, taken as a whole, relies on specific bodies, such as CPNI and CSIA, to develop, promulgate, monitor and remediate information assurance efforts. Agree? Disagree? I would assert that this, if true, would make information assurance impossible, as an internal commitment to the core principles of information assurance is the whole point. Agree? Disagree?

It would appear that the IA issues that we have covered, in terms of lost data, etc., are the result of structural and not transient defects in government approaches to IA. I say this because the same egregious errors keep occurring, and any lessons learnt aren’t being published across government. Agree? Disagree?

It would also appear that information assurance is not being built into tender specifications as a core definition of solutions that are fit for purpose. Agree? Disagree?

It then would appear that, despite (or because of) the recent examples of IA failure in what could be regarded as an annus horribilis for all concerned with information assurance in UK government, as a practice, information assurance is no further along than it was at this time last year. Agree? Disagree?

If you agree with the aggressive (purposely so) statements above, please join me in creating a set of specific recommendations so that we have a chance of not saying the same thing next year.

1. Please suggest wording for a declaration of principles regarding information assurance that UK government departments can sign on to. For extra credit, suggest wording for a declaration of principles for suppliers to UK government. Or should they be the same?
2. Please suggest wording for all tender documents stating that ‘unless information assurance is designed into your technical solution, it will not be considered fit for purpose.’ Or something similar….
3. Please suggest appropriate incentives (carrots and sticks) that will motivate public sector workers to think of information assurance first.
4. Please cover all the gaps not listed in items 1-3 above. Show your work. Papers will not be marked.

“Galileo – is it worth it”

Posted by chrissmith in Blindside project, Procurement, standards at October 16th, 2007

Last week I attended a discussion on “Galileo – is it worth it”, hosted by OpenEurope at the House of Lords committee rooms.

Lined up was:

Richard Peckham, Business Development Director (UK), EADS Astrium
Peter Brookes, Senior Fellow, National Security Affairs, The Heritage Foundation (former Deputy Assistant Defence Secretary in the George W. Bush Administration)
Dr. Stephen Ladyman MP, former Minister of State for Transport
Bernard Jenkin MP, member of the House of Commons Defence Select Committee, former Shadow Secretary of State for Defence

Not sure that I learnt much as all played to form. The industrialist took the industry line (EU should invest €2.1 billion), Tory politician (EU waste of money), Labour politician (wanted it stopped but couldn’t quite say so), ex-US politician (don’t undermine NATO and don’t trust the Chinese - see here).

It seems that unless there is a political carve up it’s “doomed”. The most interesting part of the discussion was on the impact of loss of GPS (failure or executive switch-off). There is general agreement that loss of GPS would be disastrous for the EU and US economies (and others presumably) and therefore the US Administration would never switch it (the open access bit) off. OK then, if it’s that important then why don’t we need a back up! I think a trick was missed here and should have been explored further.

It’s well documented that GPS is easy to jam and goes wrong and as I said in a recent post the continuity of service is possibly the only remaining defensible argument for continuing with Galileo.

I don’t know but I’ve been told, jamming GPS makes you cold!

Posted by chrissmith in Blindside project, IT failures, standards at October 15th, 2007

As part of my job, I’ve been looking at the GPS and Galileo debate – but more of that in a later post. What I want to raise here is one aspect of GNSS (Global Navigation Satellite Systems) that I wasn’t aware of. Whilst the use of GNSS for positioning and navigational applications is obvious, less well known is its use as a timing reference in for example national power grids and telecommunications systems. Now many of you may be familiar with this, but for me it is a critical issue often overlooked in any consideration of the impact of loss of GNSS – possibly the only remaining defensible argument for continuing with Galileo.

This use of GNSS is discussed in the VOLPE report – the only detailed research I could find into the vulnerability of GPS.

To explain the blog title: this is a reference to a story that was recently related to me – though probably an urban myth. Apparently the “culprit” for the US Eastern Seaboard blackout in 2003 was a trucker. He was having assignations with a lady and wanted to jam the GPS signals to his spy-in-the-cab. He purchased the jammer, turned it on, drove past a local national grid sub-station, affected the power phasing and set off a chain reaction – the rest is history.

It does seem fairly easy to jam GPS though, see here.

Bruce Schneier’s Cryptogram

Posted by Tom Fuller in Blindside project, Cyberwar, Data breaches, data mining, databases, e-ID at October 15th, 2007

I suppose I should pretend I did all the research that produces the following, but I just opened the email from Bruce Schneier’s Cryptogram. If you’re serious about these issues (and why else would you be reading this?), click here to subscribe.

Quotes from this issue:

“Although it’s most commonly called a worm, Storm is really more: a worm, a Trojan horse and a bot all rolled into one. It’s also the most successful example we have of a new breed of worm, and I’ve seen estimates that between 1 million and 50 million computers have been infected worldwide.”

UK Police Can Now Demand Encryption Keys: “Cambridge University security expert Richard Clayton said in May of 2006 that such laws would only encourage businesses to house their cryptography operations out of the reach of UK investigators, potentially harming the country’s economy. ‘The controversy here [lies in] seizing keys, not in forcing people to decrypt. The power to seize encryption keys is spooking big business,’ Clayton said.

“‘The notion that international bankers would be wary of bringing master keys into UK if they could be seized as part of legitimate police operations, or by a corrupt chief constable, has quite a lot of traction,’ he added. ‘With the appropriate paperwork, keys can be seized. If you’re an international banker you’ll plonk your headquarters in Zurich.’”

“Microsoft updates both XP and Vista without user permission or notification. Microsoft can do this; that’s just stupid company stuff. But what’s to stop anyone else from using Microsoft’s stealth remote install capability to put anything onto anyone’s computer? How long before some smart hacker exploits this, and then writes a program that will allow all the dumb hackers to do it?”

London’s 10,000 security cameras don’t reduce crime:
http://www.thisislondon.co.uk/news/article-23412867-details/Tens+of+thousands+of+CCTV+cameras%2C+yet+80%25+of+crime+unsolved/article.do
or http://tinyurl.com/286pab
This is a follow-up to a 2005 article:
http://www.thisislondon.co.uk/news/article-16856213-details/CCTV+’does+not+stop+crime’/article.do
or http://tinyurl.com/2tfjyf

Just go and subscribe, or read them on his weblog.