Archive for the 'Murphy’s Law' Category


Also see the Murphy’s Law category on the Blindside Wiki

Interruption to talk about the military…

Posted by Tom Fuller in Blindside project, Cyberwar, Murphy's Law, security services, threats at December 10th, 2007

…Or more specifically, to link to the Washington Post’s 3-page article about the U.S. Future Combat Systems.

The ‘Other’ Aim of Information Assurance

Posted by Tom Fuller in Blindside project, IT failures, Murphy's Law, Procurement, databases, human error at December 10th, 2007

It’s so easy to get caught up in the protection of data (or lack thereof) that it is easy to forget about the other primary goal of information assurance–getting correct information to the right place in good shape, accurately and on time, to preserve the confidence of the public in government’s ability to manage its own affairs.

“THOUSANDS of servicemen and women, including many fighting on the front line, are being underpaid because of failures in a new computerised pay system.”

…“The computer system, known as Joint Personnel Administration (JPA), was introduced in March last year in the Royal Navy and saw a flood of complaints from sailors not being paid their full pay. The RAF was taken on to the system in October last year, followed by the Army in April this year. The £250m system was implemented by EDS, which was widely criticised for its computerisation of the Child Support Agency.

One of the key problems with the system is that it requires senior officers to log in to authorise payments, which means that if they are away on operations, the whole procedure grinds to a halt. “The system is based on the design for a civilian pay system and takes no account of the complexities of the armed forces pay system,” one officer said.”

It’s a good thing that the British are so patient–these people are armed. It’s a very bad thing that we can’t get JPA right–ADP would have taken this on as an outsourcing project for a lot less than £250 million.

Biggest Windows/Flash error message ever

Posted by William Heath in IT failures, Uncategorized at December 1st, 2007

Here’s glaring evidence that giant screens aren’t yet ready to replace old-fashioned billboards…

More on Civilian use of UAVs

This is going to get interesting, and the Economist says that this topic will be covered in their upcoming technology quarterly (which is really one of the best things about the Economist). We’ve been following UAVs here since summertime, and I really think it is a) emerging as a technology that has information assurance implications for UK government and b) it’s really cool.

Ranging from powered model airplanes for children to the Predator, UAVs are currently lightly regulated and not at all policed, which should worry law enforcement as well as IA practitioners. With progress in miniaturization in full swing, an unmanned aerial vehicle can carry a camera (the UK is already using them to carry CCTV)… or something quite a bit deadlier. It is clear that legislation and regulation hasn’t caught up to the implications of this.

Meanwhile, at the Popular Mechanics website, there’s a story about the Houston Police Department’s trials of a UAV. The story walks through a lot of the issues revolving around this stuff.

Remember the main IA issue is going to be integrating information flows to, from and about potentially large numbers of these critters into information about more conventional air traffic. As I’ve mentioned before, between UAVs, ultralights and normal increases in air traffic (as point-to-point becomes more popular than hub and spoke and small jets become more ‘affordable’), those charged with keeping air traffic safe are going to have a lot on their hands.

Related stories (copied off the PM site–thanks!)

Civilian UAVs: No Pilot, No Problem

Britain’s Police Drone: Could It Stop Next Terror Plot?

Miami’s New Test Aircraft Gets Look from Army, Navy

Air Scouts: FA-18s Take On UAV Reconnaissance Duties in Iraq

Unmanned NASA Aircraft Enlisted in SoCal Firefight

Sunday Update: “Police and border control authorities are to use an unmanned aircraft to patrol the south coast to catch illegal immigrants trying to enter Britain by boat.” …“It is understood the police have expressed interest in using the £5m drone to monitor crowds during demonstrations and events such as football matches.”

“Andrew Mellors, head of civil autonomous systems at BAE, told the conference: ‘From 2012 fully autonomous unmanned air systems could be routinely used by border agencies, the police and government bodies.’”

Key Section Here: “On-board sensors also give the drone the ability to deal with unexpected incidents, for example by automatically changing course to avoid coming close to other planes in the crowded airspace.

BAE Systems is in talks with the authorities to ensure that the drone does not interfere with civil or military flying. It said that the Herti, in addition to its sensors, had transponders to allow other aircraft and ground controllers to see it on their radar.”

If BAE has the brains God gave a gnat it will put the sensors and transponders in a black box, sell it to everyone who wants to use a UAV, and politely inform government that they have the power to mandate inclusion in all unmanned aircraft.

Qui Custodet Ipsos Custodiet?

Posted by Tom Fuller in Blindside project, IT failures, Malware, Murphy's Law, cracking stuff, threats at November 26th, 2007

Well, hope I got the Latin right. This is a bit unnerving (not this part–no application is perfect): “Antivirus software must open and inspect data in hundreds, if not thousands, of file formats. One bug in the software that does this can lead to a serious security breach. Zoller and his colleague Sergio Alvarez have been looking into this issue for the past two years and they’ve found more than 80 parser bugs in antivirus software, most of which have not yet been patched.”

“The flaws they’ve found affect every major antivirus vendor, and many of them could allow attackers to run unauthorized code on a victim’s system, Zoller said.”

It’s this part that is scary–the type of denial that has been the prelude to IT disasters for 20 years:

“Zoller says he has been criticized by his peers in the security industry for “questioning the very glue that holds IT security all together,” but he believes that by bringing this issue to the forefront, the industry will be forced to address a very real security problem. Between 2002 and 2005, nearly half of the vulnerabilities that were discovered in antivirus software were remotely exploitable, meaning that attackers could launch their attacks from anywhere on the Internet. Nowadays, that percentage is close to 80 percent, he said.”

Russ Cooper, a senior scientist with Verizon Business, had some criticism for the work of n.runs. “The research almost appears to be goading criminals into ‘getting better’ at attacking vulnerabilities… hardly helpful,” he said via instant message. “There’s no doubt that the list of vulnerabilities they have already published in security products looks daunting. However, historically, we have not seen this type of vulnerability exploited.”

And if I read this right, I do not want to do business with this company at all–he seems to be saying that there’s no need to fix it until it gets hacked: “Though Cooper agrees that antivirus file parsing vulnerabilities do pose a risk, he said there are several reasons they have not yet been the focus of widespread criminal attacks. For one, criminals are already being effective enough with their current tactics, such as sending malicious e-mail attachments. A second reason is that security software tends to get more scrutiny, meaning that any vulnerability that was being exploited would be quickly patched, and that any criminal involved in an exploit would be more likely to be caught.”

Coda

Security vendors have long known about vulnerabilities in their software, said Marc Maiffret, chief technology officer with eEye digital security. “Security software is just as vulnerable as any other software,” he said via instant message. “We all hire the same developers that went to the same colleges as Microsoft and learned the same bad habits.”

Sigh…

Here’s the story on the day after…

I have said this before on this blog. There are countries where a national identification card is completely non-controversial. There are possible benefits to society from a well run and properly managed system.

But in my heart of hearts I do not believe that this country’s government (and I do not distinguish between political party here) is capable of building and operating an ID management system at this point in time without disastrous consequences to information assurance.

Two years of Open Rights…

Posted by wendyg in unexpected consequences at November 19th, 2007

The Open Rights Group posted today its annual review, including its first full year’s accounts. (Like a number of people who read here, I’m on its Advisory Board.) ORG wants the link blogged as widely as possible…

Some months back a photographer practically made the sign of the cross when I mentioned ORG in an interview. I think one of the challenges ORG has is to make people understand that it’s not against people making a living from IPR - after all, many of its AB members, its patron (Neil Gaiman), and one of its founders (Cory Doctorow) all make their livings by creating and selling intellectual property. What it’s against is the extension of copyright beyond all reason. Since the primary beneficiaries of that are the same publishers who have been grabbing rights from people like photographers, journalists, et al., it’s hard for me to understand why the “enemy of my enemy is my friend” principle doesn’t apply…

For Blindside, I suppose the relevance is that if you make a sufficient number of sufficiently anti-public access laws for long enough, eventually you will spark enough opposition to create something like ORG, which really seems to me to have grown on Internet time.

wg

Pervasive Computing Gets a Look-See in Buckinghamshire and Milton Keynes

Via Kable: “Buckinghamshire and Milton Keynes Fire and Rescue Service is planning to use handheld technology for fire risk inspections. It intends to replace its paper based scheme with electronic forms on handheld devices, which make it possible to transmit the reports immediately to headquarters servers.”

Progress marches on. However, “Information captured is stored on the device until completed and automatically updated to a Fire Safety Management application provided by Consilium, which manages Fire Safety Inspections and produces statutory reports.”

A couple of things I hope they’ve thought of: What happens to the data in the device after the Consilium Fire Safety Management application is automatically updated? Does it stay on the device? Is it transmitted securely? And, of course, what happens if a device is left in a pub?

I don’t (at first glance) see that this information needs MI5 level of security, but the providers of this information do have rights under the Data Protection Act, and as property is money these days, I should hope there is some provision regarding this.

Impacts of Hacked Information

Posted by Tom Fuller in Blindside project, Data breaches, IT failures, data mining, databases, fraud, human error at November 8th, 2007

Via Kable: “The Land Registry has pulled potentially sensitive documents from its online service. As from midnight on 5 November 2007, online access to documents such as mortgage deeds and leases will be removed. Members of the public wishing to inspect or have copies of any such documents can do so by applying in writing to Land Registry. The move followed a report in The Daily Mail that criminal gangs have stolen £12m over the past two years by exploiting loopholes in the website. They gained access to documents such as title deeds to make it possible to sell properties they did not own.”

It’s a pity legitimate users of Land Registry information will no longer have access to these details, I guess, but what were sensitive documents like these doing lying around in the open air in the first place? Did any review of this take place?

After the fact, the Land Registry tried to ‘put this in perspective,’ saying that the £12 million in fraud was a small percentage of the fee income it generated.

WAKE UP. The £12 million in fraud in all probability represented a very large percentage of the total wealth of the individuals who were defrauded, each of whom had to go through a long and laborious compensation exercise and probably had to get the services of a solicitor to help them. Of course it had minimal impact on the Land Registry. It’s not their money. It’s not their information. It’s not their privacy.

UAVs, Control and Co-Operation

Posted by Tom Fuller in Blindside project, Cyberwar, Murphy's Law, threats at October 20th, 2007

Jane’s Defence Weekly (subscription only) is an entertaining source of information. Sandwiched between news of Peruvian plans to upgrade their MiG-29 fighter force and adverts for body armour, you can find surprising amounts of detail relevant to information assurance issues.

We’ve posted before on UAV (robotic airplane) activity, the staggering bandwidth requirements they generate and the need for secure communications. Jane’s tells us more–that there are 157 types of UAV in development in 17 European nations, and that, according to the United States Air Force, co-ordination problems between the USAF and other services in Iraq, Afghanistan and other combat areas are currently a pressing issue.

The USAF (the organisation that brought us Curtis LeMay, advocate of bombing enemies until the rubble jumps), inevitably thinks that they should have executive authority over high and medium altitude unmanned aircraft. Well, they would.

Another story in the same issue talks of NATO planners demanding full interoperability for equipment and weapons, and specifically mentions UAVs. “The appetite of our field commanders for UAVs is unlimited, for example. But we cannot have a Dutch UAV flying over southern Afghanistan that is unable to send data to a UK or Canadian commander.”

Later, the article notes “A US-led project involving 10 nations and allied capability planners called MAJIIC aims to do just that by defining a common architecture for sharing data.”

As a former member of the US Navy, I have an inherent prejudice regarding the USAF, which may colour my thinking. Nonetheless, I would suggest that EU and NATO technical planners get a secure system for sharing information in place soon, and offer to share with the Yanks rather than cede control.