Has Single Sign-On Arrived?
Portsmouth’s Queen Alexandra Hospital, the Whittington Hospital NHS Trust and Notts Police have all recently adopted single sign-on systems. Has this become an accepted methodology for users?
Also see the e-ID category on the Blindside Wiki
I’m referring to the format, hopefully not the effect.
* The US Department of Homeland Security, which sets the benchmark for IT security practice in America, suffered more than 840 IT security lapses in 2005 and 2006, despite spending $332m on IT security this year.
* Unisys has dismissed reports in the Washington Post that it was to blame for data breaches at the US Department for Homeland Security last year. Unisys said, “The allegation that Unisys did not properly install essential security systems is incorrect. In addition, we routinely follow prescribed security protocols and have properly reported incidents to the customer in accordance with those protocols.”
* Attackers have set their sights on two Microsoft flaws — an unpatched DirectX Media vulnerability and the XML Core Services flaw the software maker patched last week in its MS07-042 security update. Antivirus company Symantec has issued alerts for both exploits in emails to customers of its DeepSight threat management service. The security company said it had raised its ThreatCon to level 2 in response to the threats.
* Hackers managed to steal information from the US Department of Transportation and several firms by using fake job listings for employees, reports Reuters. It is believed information was stolen from around 1,000 corporate PCs. The FBI is now investigating the reported breaches.
* Newham Borough Council has delayed a major desktop roll-out after hitting a barrier in its 10-year strategic relationship with Microsoft and Hewlett-Packard. The council has put back the deployment of Windows Vista in its new 1,500-desktop corporate head office by 12 months, because of a lack of Vista-certified applications from its third-party suppliers. As a result, Newham will incur the cost of deploying XP in the new office, only to have to upgrade the machines to Vista at a later date. The council will now roll out Windows XP in March 2008 instead of Vista as originally planned.
* Reliance on ID systems can take you to some strange places (via Ideal Government): “Supermarket staff refused to sell alcohol to a white-haired 72-year-old man - because he would not confirm he was over 21.”
* (Via Light Blue Touchpaper): “When it rains, it pours. Following the fuss over the Storm worm impersonating Tor, today Wired and The Register are covering the story of a Dan Egerstad, who intercepted embassy email account passwords by setting up 5 Tor exit nodes, then published the results online. People have been sniffing passwords on Tor before, and one even published a live feed. However, the sensitivity of embassies as targets and initial mystery over how the passwords were snooped, helped drum up media interest.”
* (Via Bruce Schneier) “Copper cable has been known as the easily tapped physical transmission medium for years. Conscientious network and security managers either provided tight physical security for cabling or used fiber as an alternative. Many network managers considered fiber relatively safe due to the perceived challenges associated with tapping into an optical cable run. However, fiber is no safer than copper. For less than $1,000, an attacker can purchase the hardware necessary to tap into a fiber run. The tap consists of bending the fiber to the point that it leaks light.”
I do look at other sources, but this again via Kable: “Liberty has published a report on the rise of the surveillance society, which seeks to restore the balance of the relationship between the individual and the state.” (Warning–I could not find the report on the Liberty website.)
This comes one week after news that the EU Human Rights Commission is considering whether DNA retention should be allowed absent a conviction for a serious crime, and only 3 days after a NHS hard drive with confidential patient information appeared on eBay.
As the Kable article is a short piece, more quoting becomes almost theft, but I’ve got good IPR lawyers… “Published on 13 September 2007, the report, ‘Overlooked: Surveillance and Personal Privacy in Britain’ explores the increase in surveillance, including the mass retention of personal information on government-run databases and the growth of the national DNA database.
It comes a week after Liberty won a six month battle with the Avon and Somerset Constabulary to have the DNA of a 13 year old boy, falsely accused of writing graffiti, removed from the DNA database.
According to the pressure group, the DNA database is the largest in the world with 3.9m samples. Rules allowing DNA samples to be taken at the point of arrest rather than conviction has disproportionately affected black men, with nearly 40% of black men represented, compared with 13% of Asian men and 9% of white men.”
And again, one interesting fact in the body of the story: “A YouGov poll commissioned by Liberty found that only 17% of Britons trust the authorities to keep their personal details confidential, while 57% believe the UK has become a “surveillance society”.”
And yes, regarding the title of this post, I did spend 4 years in the Navy and yes, I’ve been waiting for a chance to use the phrase.
We have tended here to concentrate on protecting information flows through computer networks. This is in part because there is so much work still to be done in this area, but I think also in part because most Blindsiders are of a computer-centric generation (you may well say ’speak for yourself, Fuller’, and I’ll eat humble pie).
However, mobile computing is growing faster than just about anything that gets measured in tech terms (well, except for Larry Ellison’s ego…) and I am personally convinced that a combination of mobile computing, location-based services and pervasive computing is going to explode onto the scene, offering new possibilities and new threats. I not only believe this–the success of my private pension scheme depends on it.
I think the day is coming very fast when the fact that I sit in a room at a desktop will instantly identify me as a grumpy old man (I think women will adapt to the new paradigm without much fuss). I think mobile devices with Japanese butterfly fan screens that fold up will move computing outside the converted second bedroom and into the street, and flash memory lapel pins will hold more information than my laptop.
It’s all going to be great fun, and I’m looking forward to it. But one reason I think it’s going to be fun is the fact that I’m not charged with assuring information flows within a government organisation. I think the number of nodes in organisational networks is set to grow logarithmically and that the edges of networks are going to blur dramatically.
I think IA specialists in 10 years are going to reminisce fondly about how life was so simple in 2007, before they had to build concentric circles of protection and build data hierarchies that have to exist in different forms within each circle.
For all of us who have retirement in mind before 2017, we may breathe a sigh of relief that it won’t happen on our watch (although it still may). And it might be fair to say that a fairly large share of Blindsiders fall within this group. But I think we owe it to the next generation of information assurance professionals to set the stage for them.
When memory becomes so small and cheap that your life fits into your belt buckle, when people will normally carry four or five objects on their person that have network connectivity, when hundreds of services offer local data based on segmentation rather than aggregation, when p2p dating services sit next to real-time data flows from your banking and investment activity, when government networks imperceptibly bleed into and through a myriad of specialist networks, information assurance will take on a different meaning.
We are entering that period of time where the evolutionary explosion fills an environmental niche created by a new technology. The prelude is finished. It’s just a bit funny that it’s not just one new technology–that computer science, biology, nanotechnology and whatever else I’m forgetting are coming of age at the same time.
Who needs science fiction?
The reaction from (I think) almost everyone who contributes to the Blindside project would be no. However, after hearing our impassioned arguments, many in Government still believe it is in the UK’s best interests to order everyone in the UK to submit DNA to government for inclusion in a national database.
Instead of starting off with my reasons why I think this is a seriously flawed idea, I want to focus on the reasons why some think it is good–or at least necessary. I don’t believe that all who support a comprehensive DNA database are either evil or fools, and some clearly have given thought to this.
A national registry of DNA would help government perform some things more efficiently without requiring structural change. Currently, the national media keeps attention focused on certain major issues–crime, and to a lesser extent (this year at least), immigration. Government supporters of a DNA database evidently believe that it would help deal with those issues.
My argument (FWIW) against this is that a DNA database would help in solving crime and identifying current illegal immigrants, but would do much less in preventing crime and future illegal immigration. Similar arguments were advanced regarding CCTV’s potential for deterrence of crime, and these arguments proved invalid. CCTV has not deterred crime, but has helped identify criminals after the fact. I don’t think DNA DB would play out much differently. Hence, to me it seems a major sacrifice of personal liberty for a false hope. If a DNA database proves ineffective in dealing with crime and immigration, they will not throw away the DB in disgust.
But the current structure of police forces, with fewer cops on the beat actually deterring crime, has shifted its focus to high tech resolution of crime instead. A DNA database would allow them to keep the same structure, beefing it up and increasing their powers. A DNA DB would allow the judicial system, currently fighting a backlog at the same time it resists internal technological change, to be (it hopes) more efficient without, again, undergoing structural change.
The persistence of the desire for such a database in the face of all the problems that have been noted in the concept means to me that government feels besieged, not just by crime and immigration (which aren’t nearly as bad as the effects of media coverage of same), but by all the effects of the 20th and 21st centuries, and are searching for a silver bullet that will allow them to do things the way they want to do them.
There has been considerable reorganisation of government departments over the past 5 years, but it’s hard to avoid the impression that much of that has been name changing and seat shuffling. I think the most passionate advocates of a DNA database are really defending their way of life more than anything else.
I do think every discussion of a national DNA registry should include a brief summary of some of the most important objections to it:
1. Data will be entered incorrectly, lost or sold illegally. As the system gets used for more purposes, the effects will be fatal to some. Lives will be lost.
2. People will learn how to defeat the system, reducing its reliability. The most common means will be via corruption of civil servants.
3. The money spent on such a system, if redirected towards a more visible police presence in city centres on Saturday nights and at the principal points of entry into the UK, would actually reduce crime and illegal immigration to the extent that the DNA registry would not be necessary.
4. As currently constituted, the UK government is incapable of holding this information securely. It will be stolen. It will be sold.
5. Maintaining border security by identifying ‘legitimate’ citizens and assuming anyone not on the list is illegitimate will result in wide-scale violations of human rights and crimes against those who do not appear on the list.
I almost got through that list without mentioning human rights, and I didn’t talk about liberty either. They evidently are not a major consideration in this argument, so why beat a dead horse?
Let me just mention what I would support. A database for the NHS with voluntary contributions of DNA to assist in patient care. Mandatory DNA sampling of criminals convicted of a serious crime. That’s it.
And by the way, it should be obvious that arguments against a national DNA registry transfer without much modification to a National Identity Card Programme. As with a DNA registry, it is being proposed to benefit government, and the burden of proof needs to be placed squarely on the shoulders of its proponents.
Hi all,
I have referred in the past to Dave’s Bit Bucket, run by Dave Walker of Sun. His blog can be a bit of a slog as he actually has the temerity to post code up regarding his Trusted Extension work, which just glides gracefully over my head. However, when he turns his attention to other subjects, we have to pay attention. So I will perform a much-needed public service here and link to specific posts relevant to Blindside:
Dave’s earlier post on Microsoft Vista (Why Microsoft Windows Vista cannot be deployed in Government, Critical National Infrastructure, or Battlespace …and I may well have missed a few categories for the sake of a concise subject line, especially where Finance, Aerospace, etc are not specifically included under the banner of “Critical National Infrastructure”. Read this, and be startled. Update: Putting a black hat on for a moment, this also means that Microsoft’s licensing verification servers will be the number 1 target for any actual Black Hat who wishes to cause general chaos, rather than target specific organisations; taking the licensing servers down in a manner which resulted in an outage of significant duration would precipitate a worldwide Vista outage. Also, in battlespace, if you’re running Solaris and your enemy is running Vista, it may be within the rules of war to target Microsoft’s licensing infrastructure (with either electronic warfare methods or, depending on the sphere of conflict, ordnance) and watch your enemy’s C4I infrastructure collapse…)
led to Dave linking to this: “DRM bites again: the Microsoft Windows Genuine Advantage servers (which every XP and Vista install phones home to) all failed sometime earlier today. The result? Every single Windows XP and Vista installation — except possibly those with volume license keys — is being marked as counterfeit when it tries to check in. Installations which are flagged as counterfeit switch to a “reduced functionality mode” which results in features like Aero and DirectX being disabled.”
When it comes time for Dave to renew his passport, he immediately sees a problem: “From the large list presented - and notwithstanding the extending clause of “someone of similar standing in the community” - I suspect that the average person wouldn’t have too much trouble finding someone who could be duped or bribed into providing a false assertion of identity for the Passport Office… ”
And, although we don’t want to stimulate plot ideas for 24, Dave looks ahead to future problems with remote working: With the continued rise in home-based and mobile working, the possibility of staff being forced to access and potentially modify data by suitably-armed ne’er-do-wells becomes a genuine - if niche - security issue. (…) Taking this into account, it’s possible that a well-designed system which authenticates users based on a username and password would require up to 4 passwords per user - one for legitimate login in a non-duress situation, and three more, one for each type of duress!
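The duress-password scheme Dave sketches above is easy to get subtly wrong: the check must take the same time and return the same shape of answer whichever credential was typed, or the person holding the gun learns which one was used. The following is an added example, not Dave’s code or anything from his post; it assumes a PBKDF2 hash store and three duress categories whose names are invented for illustration.

```python
import hashlib
import hmac
import os
from enum import Enum


class Outcome(Enum):
    """Result of an authentication attempt. Anything other than REJECT opens a session;
    the caller decides what that session is allowed to do and who gets alerted."""
    REJECT = "reject"
    NORMAL = "normal"
    DURESS_SILENT_ALARM = "duress-silent-alarm"  # assumed category: session proceeds, security is paged
    DURESS_READ_ONLY = "duress-read-only"        # assumed category: writes are silently discarded
    DURESS_DECOY = "duress-decoy"                # assumed category: session sees a decoy data set


def _derive(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    # One slow derivation per attempt; the same cost whichever credential was typed.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


class UserRecord:
    """One salt and up to four stored hashes: the normal password plus one per duress type."""

    def __init__(self, passwords: dict):
        if Outcome.REJECT in passwords:
            raise ValueError("REJECT is not an enrolable credential")
        if len(set(passwords.values())) != len(passwords):
            raise ValueError("normal and duress passwords must all differ")
        self.salt = os.urandom(16)
        self.hashes = {outcome: _derive(pw, self.salt) for outcome, pw in passwords.items()}


def authenticate(record: UserRecord, candidate: str) -> Outcome:
    """Derive once, then compare against every stored hash without early exit, so the
    work done does not depend on which (if any) credential matched."""
    derived = _derive(candidate, record.salt)
    result = Outcome.REJECT
    for outcome, stored in record.hashes.items():
        if hmac.compare_digest(derived, stored):
            result = outcome  # keep looping: no early return on a hit
    return result
```

The outcome is something the back end acts on, never something the login screen displays: a duress login must look exactly like a normal one to anybody watching the user. Note also that the record itself labels which hash is the “real” one, so a copy of the credential store tells an attacker which password to coerce out of the user; if that matters, the duress policy belongs on a separate system from the hash store.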
I previously wrote about my concerns regarding the UK government’s readiness to begin construction of a National Identity Programme. Perhaps because it’s August (couldn’t possibly be the quality of my writing, right?), I only got one comment.
But what a comment. Dave Walker, perhaps known to you as author of Dave’s Bit Bucket, wrote, “…never mind the sheer throughput the system will have to have, especially at biometric enrolment / renewal time; see some advanced thinking on this at http://blogs.sun.com/davew/entry/more_national_id_card_food .” I hope he won’t mind my liberal quoting of his post (okay, downright theft, but in a good cause, you see). “While I’ve been somewhat sceptical about the usability of biometrics for some time now, the session was well worth attending. As well as having representation and presentation from staff-who-must-remain-nameless at the Home Office, we were fortunate enough to have Professor John Daugman (whose principal claim to fame is the characterisation of the analysis and transforms needed to authenticate people by iris recognition) presenting on issues he has regarding the N-to-N biometric comparison which is required at biometric registration time. An N-to-N comparison is needed to ensure that a person can’t turn up on one day with one set of papers and get an ID card, and turn up the following day with a different set of papers, and get a second and different ID card.
Daugman has his head screwed on properly, and then some. While the paper he presented doesn’t appear to have made it to the web yet, he calculates the number of biometric comparisons which need to be made at biometric enrolment time for the proposed UK National ID card to be - for a database of 45 million principals, ie the UK adult population - around 10^15 to ensure biometric non-duplication. 10^15. Ouch.
He cited the example of the UAE biometric database, which makes 14 billion comparisons daily - this is 1/5000th the size of what would be needed for the UK National ID Card system.
Of course, any check other than enrolment is a straightforward 1-to-1; a person presents a credential to an appropriate officer, the biometric on the credential (or stored in some database) is checked against the individual’s stored biometric as mapped to their credential, and the match between the ID and the biometric is either accepted (at which point, the credential’s presenter is validated) or rejected (at which point, the presenter of the credential is subject to whatever due process of law). Still, the inability to eliminate the single N-to-N comparison required, makes enrolment a very big hill to climb.”
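The asymmetry Dave describes is worth seeing in code. Each new enrolee has to be matched against everyone already enrolled (a 1-to-N search), so by the time N people are in, the registry has done N(N-1)/2 comparisons in total; for 45 million that is just over 10^15, which is where the figure above comes from. Verification afterwards is a single comparison against the record the credential points at. The simulation below is an added example, not Daugman’s code or anything from Dave’s post: it uses 2048-bit codes and a plain fractional Hamming distance with an assumed 0.32 threshold, which is a simplification of the masked comparison real iris matching uses, and the bit-flip noise model is constructed for the example.

```python
import random

CODE_BITS = 2048        # iris codes are commonly 2048 bits; everything else here is simplified
MATCH_THRESHOLD = 0.32  # assumed: fractional Hamming distance below this means "same eye"


def hamming_fraction(a: int, b: int) -> float:
    """Fraction of bit positions that differ between two codes."""
    return bin(a ^ b).count("1") / CODE_BITS


def random_code(rng: random.Random) -> int:
    """Stand-in for the code extracted from an unrelated eye: independent random bits."""
    return rng.getrandbits(CODE_BITS)


def noisy_recapture(code: int, rng: random.Random, flip_fraction: float = 0.10) -> int:
    """Constructed noise model: a second capture of the same eye flips ~10% of bits."""
    mask = 0
    for i in range(CODE_BITS):
        if rng.random() < flip_fraction:
            mask |= 1 << i
    return code ^ mask


def total_enrolment_comparisons(n: int) -> int:
    """Cumulative comparisons to enrol n people with a 1-to-N check each time: n(n-1)/2."""
    return n * (n - 1) // 2


class Registry:
    def __init__(self):
        self.codes = {}        # principal_id -> iris code
        self.comparisons = 0   # how much matching work has been done so far

    def enrol(self, principal_id: str, code: int):
        """1-to-N: refuse to issue a second identity to an eye that is already enrolled.
        Returns ("duplicate", existing_id) or ("enrolled", principal_id)."""
        for existing_id, existing in self.codes.items():
            self.comparisons += 1
            if hamming_fraction(code, existing) < MATCH_THRESHOLD:
                return ("duplicate", existing_id)
        self.codes[principal_id] = code
        return ("enrolled", principal_id)

    def verify(self, principal_id: str, code: int) -> bool:
        """1-to-1: the credential names the record, so exactly one comparison is needed."""
        stored = self.codes.get(principal_id)
        if stored is None:
            return False
        self.comparisons += 1
        return hamming_fraction(code, stored) < MATCH_THRESHOLD


def simulate(population: int, seed: int = 1) -> Registry:
    rng = random.Random(seed)
    reg = Registry()
    for i in range(population):
        reg.enrol(f"p{i}", random_code(rng))
    return reg
```

Two things the numbers make concrete. Enrolment cost grows quadratically with the population, so it is the throughput of the enrolment pipeline, not the card reader at the border, that sets the scale of the system. And the quality of the duplicate check depends entirely on the threshold: lower it and people get falsely refused a card because their second capture looks like a stranger; raise it and the double-enrolment the check exists to prevent starts slipping through.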
This story received a lot of coverage; the Boston Herald has a representative version. In brief: the immigration service computers crashed in the early afternoon so that incoming international passengers could not be processed - or at least, couldn’t be matched against the computerised lists of people with outstanding warrants for their arrest, known criminals and terrorists, and all those other weary, unwanted huddled masses. “You can’t just tell by looking at them,” says an immigration official quoted in the story. Yet, for many years until fairly recently that’s precisely how entry decisions were made.
There are a couple of big things here:
- a major airport’s complete inability to handle a computer crash (by all accounts, thousands of people spent 10-12 hours sitting on planes on runways waiting to be able to disembark, although as they had access to food, water, and bathrooms they may in fact have been better off than the unfortunates stuck in the crowded terminal). No back-up, no alternative.
- the cure may be worse than the disease. Some reports say that they are now considering issuing immigration personnel with laptops they can work with offline to process people if the system goes down. With, presumably, all the synchronization and other security issues involved in deploying thousands of laptops.
- the computer glitch arguably caused greater disruption than some terrorist threats.
- immigration officials are now taught to rely on the computer system and do not learn whatever skills their predecessors had. (I note however that tests at the time suggested that immigration officials were not particularly good at picking out the undesirables - or at least, no better than the college student control group ISTR they were tested against.)
- on the other hand, in the interests of controlling climate change, making flying as miserable an experience as possible might just be a very good strategy.
wg
Well, they’ve published the tender for the Identity and Passport Service to set up a framework of suppliers to develop the National Identity Card Programme.
Preface: We at Blindside are independent researchers and writers. We don’t speak for HM Government, or for any department therein. We’ve been asked to help government where we can by independently identifying areas where government can be blindsided by technology. Please assimilate that before continuing.
I cannot in all honesty say I believe that the UK Government is ready to begin this work. I do not believe they will invite the right people to the party, nor will they write the correct tender specifications, nor will they police the conversations of those they do (and do not) invite into the framework. As shown below, I don’t believe UK Government has widely published or absorbed internally commonly accepted best practice in the set-up and administration of information gathering and dissemination. This is not about philosophy. It is about basic hygiene.
See here. “Millions of homeowners are being left wide open to identity theft because their personal details are being made available on a Government website, campaigners warned yesterday. Details of their mortgage lender, mortgage value and even a copy of their signature can be found on the Land Registry site for just £3.”
See here. Key quote: “As a result, as Channel 4 revealed earlier this evening, all the details of final year medical students applying for hospital jobs were accessible by the general public. We are not just talking names and address. We are talking everything.”
And then see here. Again, key quote: “Given that Sanjib did the right thing, a year ago, and reported the problem to VFS as well as the British High Commission, why am I bothering to write about it now?
Mainly, it has to be said, because after a year that security hole was gaping as wide open as ever. Although I will refrain from posting precise details here, yesterday afternoon I was able to manipulate the data URL simply by changing what appears to be the date on which the application was made along with a sequence number. Doing this, entirely at random, brings up the visa application details of people ranging from someone who applied yesterday through to some who applied a year ago and I have the screenshots to prove it.”
But there’s more:
“Well after a year of being told about the thing privately and ignoring it the FCO and its outsourcers did, sort of, fix the issue by closing the website and an independent inquiry was launched. The investigator’s report has now been produced and no punches are pulled. Here are some of the relevant paragraphs:
108. UKvisas recently obtained an expert assessment of the basic data security provided by the VFS online website. The findings were that the site had many security weaknesses, and that many of these weaknesses were amongst the most understood and documented security concerns in the computing industry. The expert view was that none should be present within a securely designed website.
109. I note that during the technical investigations, several screenshots provided by VFS highlighted wider security concerns. These screenshots of the management console used to access and configure the firewalls also showed users actively engaged in Skype conversations and logged onto webmail packages. These entities are considered to have poor security when used in isolation. Using them whilst accessing security device management consoles shows that standard acceptable usage policies are either not in place or not followed.”
I cannot in all honesty say I believe that the UK Government is ready to commission a framework agreement to begin work on the National Identity Programme.
Via Bruce Schneier, this story about a test of facial recognition systems in Germany.
“Face Recognition Test Results
For a few months, German police tested a face recognition system. Two hundred frequent travellers volunteered to have their faces recorded and three different systems tried to recognize the faces in the crowds of a train station. Results (in German): 60% recognition at best, 30% on average (depending on light and other factors).”
Perhaps this comment summarizes it best:
“Yawn. Automatic face recognition again. It just doesn’t work except in highly controlled conditions, and as this test shows, not well enough even then: with a self-selecting group of people who wanted to be recognised (or didn’t mind if they were recognised) it could only manage 60% at best.
The face isn’t even a reliable way to identify people, as personal experience shows. On the one hand, people look like each other; on the other hand, people’s appearances change, deliberately or fortuitously, enough to confuse a computer program.
Face recognition is one of the things humans can do better than computers, and even we aren’t 100%”