Archived news and comment from 2023.

Please note: Because this is an archive of articles published on the BladeSec IA website in 2023, not all links may work.

Comment: 2023/12/31 - Bankruptcy, prosecution, disrupted livelihoods: Postmasters tell their story.
I clean forgot to mention Mr Bates vs. The Post Office. Anything that can be done to bring the travesty of The Post Office Scandal into the common psyche of society is welcome. Too many opportunities to resolve matters were missed. Too much time has passed. Too many aspects remain outstanding.

Clearly, the four part TV series on ITV1 at 21:00 tomorrow is a dramatisation. It remains to be seen how accurate it is - and whether Ms. Thompson gets the credit she deserves for uncovering the rot within The Post Office that stole the lives, livelihoods, reputations and time of hundreds of good people who had done nothing wrong.

Comment: 2023/12/26 - Family...
The half-dozen or so folk that read this website regularly will be aware that I do occasionally mention family - usually when they have done something that makes me prouder than normal of them. On this occasion, I would like to mention my wife's first son, Ben. Yesterday, whilst most of western Europe was tucking into their Christmas dinner, Ben was heading off to do his last shift with the Yorkshire Air Ambulance. His partner, Megan, was also working - with the Yorkshire Ambulance Service. It is that Service that Ben is returning to following his stint flying whirlies.

Society owes Ben and Megan a debt of gratitude - just like the thousands of other workers who give up their special days to improve and change the lives of the most vulnerable.

In the last year, singly prompted by Ben asking if he could refer to me as "Grandad" to his kids, I began to question, "What makes family?". I am no blood relation, but I am inordinately proud of him. As a result, yesterday, I gave my wife a present of a collection of framed photos of all the people that we consider our own. The faces in those photos stretch across four countries and three languages, but the single thing that unites them all is their kindness, the strength of feeling, our shared values and how important each one is.

Merry Christmas....

Comment: 2023/12/21 - The annual Rush Day address.
Following last year's Rush Day, we thought that we'd make it a regular thing.

It feels like a long drawn-out descent to Christmas this year. I have no real idea why. Perhaps a social trip to London last weekend kick-started it in my head? Who knows.... but as part of the annual Rush Day, I'm going to do a Rush Day Retrospective to look at the themes in the last year:-

  • The majority of people do stupid things usually under the pretence of one or more of "being clever", "greed", "selfishness", "narrow-mindedness" and / or "a perception of fame".
  • Artificial intelligence has hit the common vernacular as a tangible threat to society. Who knew at the beginning of the year that ChatGPT would enter the common vernacular like PPE did a couple of years back when it was unheard of outside building sites and laboratories? Psst! Want to know a secret? It's not really artificial intelligence, it's just a glorified search engine. AI isn't dangerous, however the opening theme will almost certainly apply....
  • Organisations who should know better are suffering from very serious security incidents; but it's okay, the attack is "complex" rather than the organisation failing to invest in proper technology and people with proper skills.
  • The British and French governments have started eroding the electronic rights of its citizens to further its own causes under the pretence of preventing child abuse.
  • Power corrupts.
  • The internet is regressing to what it was like in the eighties when large corporations (like CIX, BIX, CompuServe, Yahoo, etc.) provided news, messaging and chat-rooms - but no interoperability. It does threaten to undermine the open nature of the internet.
  • We've been at war on an Internet plane for a number of years now with countries who, on the face of it, may well seem to be an ally.
As I predicted last year, the themes are broadly the same, and most remain somewhat negative reflecting the less than perfect world we exist in.

As usual, all that remains to be said, is that I hope you have an uneventful Christmas and a wonderful 2024.

Comment: 2023/12/20 - More on Booking.com.
Regular browsers of this website will recall this back in October, when I gave Booking.com both barrels. According to this, I may have misdirected my ire(*). It is the first article I've seen regarding something that appears to have gone on for almost five years. I confess that I missed this and this.

As it was, like others in the second BBC article, I complained to Booking.com as I didn't really think their response was terribly helpful. Also like others in the same article, my complaint disappeared into a black hole. I don't like bad manners, so I complained to the ICO. Having reconfirmed the details twice with them, they told me to expect contact from Booking.com. I've not had anything in the two weeks since I was told to expect contact and I'm not holding my breath. I shall chase the ICO again in the New Year (along with a far more serious complaint that has been outstanding since September).
--
In my defence, I did seek clarity from Booking.com, asking, "How did a criminal either infiltrate Booking.com or the hotel and manage to send a message purporting so accurately to be from the hotel?" - but Booking.com failed to reply.

Comment: 2023/12/14 - Facebook introduces encryption; and other notable news.
Facebook have made good on what they promised, by introducing end-to-end encryption on their Messenger service. It has attracted lots of biased opinion - on both sides. As we pointed out previously, encryption is a tool that neither supports nor condones child abuse, but yet it is made out to be the root of all evil. Privacy should be a right, and if somebody disagrees, ask them (in a public place) how much they get paid, how many times they pick their nose, whether they have had an affair or how often they have sex.

The fact remains that there is an irony in the world's biggest scraper of personal data implementing something and claiming it will improve the privacy of their service. However, what is true is that without analysing the content of messages, it is possible to infer a considerable amount from the metadata.

The bottom line is that criminals caught this way will always get caught one way or another. If you're going to use the world's biggest social media platform to conduct criminal activity, you probably aren't the sharpest tool in the box. There may be a very good reason we hear little about what the law enforcement community do to bring down the deeper elements of criminal abusers. That said, as usual, Ross Anderson has an equally insightful and thought-provoking viewpoint on Light Blue Touchpaper.

And if you want evidence to support the fact that the UK's not very good at making the best decisions about cyber-security, you just need to refer to the recent report from The Joint Committee on National Security Strategy. It's a fairly damning assessment of how well prepared the UK is, despite being one of the most targeted nations in the world. (And as a personal aside, I have a theory about that, that many of my friends and colleagues are aware of, but is so controversial, I am unlikely to ever commit it to written form!)

Comment: 2023/12/04 - Radio silence.
I had two minutes spare and noticed that it's been a while since anybody posted anything news-worthy on the website. Has there been a lack of interesting news? Has the security world been silent? Have our R&D projects culminated in sound engineering? The truth is probably none of the above, but November has been monumentally busy - the busiest that I can remember.

One thing that I did want to provide an update on was using LineageOS as my daily driver. I've been using it for a few weeks now, having fallen out with my Nokia G22 (Whilst Nokia say they will support it for three years, that doesn't appear to equate to "regular" [that is, monthly] updates. The biggest issue, however, was the performance. I should add that it is far from being an expensive phone, and I can just about live with not being able to stream Planet Rock, but having been faced with having to make repeated gestures to trigger interactions with the phone, whether it was a "swipe" to another app, or to unlock it using the fingerprint scanner, it began to drive me nuts. Hence LineageOS on a Motorola Moto G(7) Plus seemed like a better option!)

Installation was easy, and I decided to apply Google Apps to make OAuth2 integration easier. Most of the main applications that I use were downloaded and installed from F-Droid with a very small set of other Android applications downloaded from the Google Play Store.

I was genuinely surprised how quickly the battery was consumed during the first day. Part of that appeared to be me "just playing", and equally part of it felt like it was a background process that indexed something and then disappeared the following day. Equally, this is a four year old phone on the original battery. I can now get a day's reasonable use out of it. I don't think I'll travel anywhere without a battery pack - just in case - and I do miss the Nokia's ability to go through two days of very heavy use.

The phone works largely just like stock Android, except that it's running fully patched Android 13 and not 10. It has a few more features, including the ability to disable the microphone and camera in software. The camera is perfectly acceptable (in my eyes) and indeed doesn't have the odd "A.I. induced" blurring that the Nokia had. The phone is far faster than the Nokia, never failing to react to a gesture or a finger on the well-placed fingerprint reader.

And now the drawbacks... It's not a certified Google device. Hence a number of applications simply will not work on it. Think banking and video streaming, and anything that relies on a chain of trust to work. I was a big fan of Google Wallet, and whilst I haven't tried it, I am led to believe that it simply will not work due to the uncertified nature of the device. It is a shame (and one that I mostly worked around by buying a Lenovo M10 tablet and installing all the "sensitive" applications on it. That device basically never leaves the physical security of my office, although I did manage to get both my personal banking application and my holiday banking application working on LineageOS - always useful!)

The one thing that has jumped out at me, and means that the Nokia G22 may well get resurrected for use in very specific circumstances, is that because the first step of installing LineageOS is to unlock the device boot-loader and then install custom (LineageOS) firmware, the device is now entirely vulnerable to an evil maid attack. Because the boot sequence isn't signed, somebody who has unsupervised access to the device could compromise it without throwing any alerts.

People like me can always point to times when you may be forcibly required to hand over your device and it is times like those that may see the Nokia brought back into the fold.

All that said, I am impressed with LineageOS. It works, and it works well without most of the Google bloat that finds its way onto most devices these days. Squirrelling away the sensitive applications onto a securely locked away and powered off device has distinct advantages. For that reason, LineageOS will remain my daily driver until I find something interesting to replace it.
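The evil maid exposure described above is something you can check for yourself rather than take on trust. The following is an added example (not BladeSec IA's code) that parses the `[key]: [value]` output of `adb shell getprop` and maps Android's Verified Boot properties (`ro.boot.verifiedbootstate`, `ro.boot.flash.locked`, `ro.boot.vbmeta.device_state`) onto a posture verdict; the sample output embedded in it is constructed, not captured from a real handset.

```python
"""Classify an Android device's Verified Boot posture from getprop output.

Added example, not code from BladeSec IA. The post's point is that unlocking
the bootloader to install a custom ROM leaves the boot chain unverified, so
an unattended device can be modified without any alert. Android exposes the
relevant state through read-only boot properties, parsed here.
"""
import re

# Constructed sample of what `adb shell getprop` prints on an unlocked device
# running a custom ROM. This is NOT captured from a real phone.
SAMPLE_GETPROP = """\
[ro.boot.flash.locked]: [0]
[ro.boot.verifiedbootstate]: [orange]
[ro.boot.vbmeta.device_state]: [unlocked]
[ro.build.version.release]: [13]
"""

# getprop prints one property per line as "[key]: [value]".
PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<value>[^\]]*)\]$")


def parse_getprop(text):
    """Turn getprop's "[key]: [value]" lines into a dict; malformed lines are ignored."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("value")
    return props


def boot_posture(props):
    """Map the Verified Boot properties onto a risk verdict.

    ro.boot.verifiedbootstate values:
      green  = bootloader locked, boot chain verified against the OEM key
      yellow = locked, boot chain verified against a user-installed key
      orange = unlocked, boot chain not verified at all (the LineageOS case)
      red    = verification failed
    Missing properties are treated as exposed (fail closed).
    """
    state = props.get("ro.boot.verifiedbootstate", "").lower()
    locked = props.get("ro.boot.flash.locked")
    device_state = props.get("ro.boot.vbmeta.device_state", "").lower()

    unlocked = (locked == "0") or (device_state == "unlocked") or (state == "orange")
    if state == "red":
        verdict, exposed = "boot verification failed", True
    elif unlocked:
        verdict, exposed = "bootloader unlocked, boot chain unverified", True
    elif state == "yellow":
        verdict, exposed = "locked, verified with a custom signing key", False
    elif state == "green":
        verdict, exposed = "locked, verified with the OEM key", False
    else:
        verdict, exposed = "unknown (properties missing)", True

    return {"state": state or "unknown", "unlocked": unlocked,
            "evil_maid_exposed": exposed, "verdict": verdict}


if __name__ == "__main__":
    posture = boot_posture(parse_getprop(SAMPLE_GETPROP))
    for key, value in posture.items():
        print(f"{key}: {value}")
```

On a real device, feed it the output of `adb shell getprop` instead of the constructed sample; a re-locked bootloader with custom AVB keys reports `yellow` rather than `orange`.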

Comment: 2023/10/24 - Nothing to do with anything.
Yesterday, I went out to check the car over having chosen not to do it over the weekend because of the weather. Before I had done anything, I noticed the bulb in the boot was fused and surprisingly, I even had a spare. Because of the dog crate, and the angle of the roof it's actually easier to change the bulb from the rear passenger seat. As I pushed the bulb in, there was a small spark. I think the thing that gave away that it was serious was the fact that the alarm chirped.

Putting the keys in the ignition, the "ACC" setting was utterly dead. No stereo, sat-nav, remote locking and no interior lights. The car started and operated following another chirp from the alarm - but still no stereo, sat-nav, or air-con. I spent an hour and a half searching for an answer on the internet to no avail. By the time I started checking individual fuses that seemed "logical", one of the farm hands stopped to see what had happened.

I had resigned myself to having to individually continuity test every fuse and I went inside to get my multimeter. When I came out, Stuart confidently told me that he had noticed something that would save me a couple of hours. And it was true. He had noticed that at the top of each individual fuse, there were two contact points that were clearly there to be able to quickly test for a blown fuse without having to remove them.(*)

Result!

The last fuse I checked in the engine bay fuse box proved to be the culprit. A yellow 20A one marked "Backup". Luckily, being a Subaru, it comes with a variety of spares - and Stuart stopped off later to donate some more. Replacing it fired everything into life and about two and a half hours after I started looking over the car, I actually started looking over the car. As I am due to be carrying a considerable load next weekend, I needed to increase the rear tyre pressures. I started off the battery powered compressor that automatically cuts out when it reaches the right pressure and after I completed the bulb check, I sat in the car. It was then that I realised that the electric windows didn't work and the air-conditioning and ventilation controls were dead.

Whilst I was revelling in my new found knowledge on easily testing fuses, I guessed that there was another casualty, and so I consulted the manual again whilst waiting for the compressor to stop. It took a good three minutes to realise that those exact things *never* work when the ignition is in the ACC position!
--
(*) As far as I can recall, I have never seen this information in any workshop manual albeit it is incredibly logical. And clearly, if you do it having read it here, you are doing so at your own risk. I used a proper multimeter with a continuity check. Make sure you remove the keys from the ignition and close all the doors and windows. Do not, in any circumstances, bridge one fuse to the next using the tester. Only test one fuse at a time, placing one probe down before locating the other on the same fuse. If you are not confident in your ability, auto electrics can shock - either electrically or with the cost of fixing the amount of damage that desperate owners can cause!

Comment: 2023/10/09 - Booking.com hacked again?
We use Booking.com an awful lot because their mobile application and website are simple, fast and effective. The fact is that whilst they are a broker, they don't then transfer you to another website to complete the booking (with all the extras that entails just before you realise that you'd be better going somewhere else.)

There have been reports of Booking.com having been hacked going back almost five years and yesterday it was my turn to receive a phishing e-mail largely identical to this and this.

I almost fell for it. The e-mail that you receive has all your personal details, including your name, where you are staying and when. When you go into your Booking.com messages on the website or application, the same message appears there, suggesting it's either Booking.com or the hotel that has been hacked. There were two things that made me stop:-

Firstly, the fake message said that I hadn't completed the card validation. The thing is, I could specifically remember completing this for the booking as I specifically remember thinking that it was so far in advance, they couldn't possibly do the check. But they did. And that stuck in my mind.

And then I noticed the URL it was trying to encourage me to click on. Whilst it looked like a Booking.com URL, the domain was actually "com-id322712.com" and they made no attempt to hide it behind an obfuscated link. Interestingly, that domain appears to have been set up just yesterday.

At that point, I thought I would have a bit of fun and cut and pasted the link into a sandboxed private browsing session....

The website was excellent. Almost entirely identical to Booking.com except the next anomaly was it wanted me to pay in Euros. When I checked the certificate, it was issued by Let's Encrypt! Whilst a number of organisations use them, I thought that Booking.com would pay for a proper certificate. Sure enough, going to the proper Booking.com website and inspecting the certificate there showed it was certified by DigiCert Inc.

When I went back to the phishing e-mail, I noticed that it wanted to "Use Mastercard for verification!". Ignoring the number of exclamation marks in the message, it proposed to charge the whole amount for the booking which would be refunded "in a minute". That's definitely not how card verification works and a refund in a minute is entirely unheard of in the UK, where even a "faster payment" can take up to four hours to transfer.

At this point, the wheels had entirely come off the phish, and I was able to spot even more anomalies including one that the criminal wouldn't know about because as a dog owner, I had previously corresponded with the hotel to make arrangements.

Needless to say, it's been reported to the hotel, Booking.com and Action Fraud. The hotel pointed the finger entirely at Booking.com. Booking.com "apologised on behalf of the hotel" and suggested that I "change passwords and block any affected cards or accounts" if I had clicked on the link.

That's really not good enough!
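The decisive tell in the post was that the link only looked like a Booking.com URL: the domain actually contacted was "com-id322712.com". The following is an added example (not BladeSec IA's code) that performs that check on a link, reducing the hostname to its registrable domain and comparing it with an allowlist; the allowlist and sample links are constructed, and the public-suffix handling is a deliberately small stand-in for the Public Suffix List (assumption: plain TLDs plus a handful of two-label suffixes).

```python
"""Lookalike-domain check for links in booking-themed messages.

Added example, not code from BladeSec IA. It reproduces the check the post
describes by hand: the brand name appears in the link, but the domain that
would actually be contacted belongs to someone else.
"""
from urllib.parse import urlsplit

# Constructed allowlist: registrable domains the message may legitimately link to.
EXPECTED_DOMAINS = {"booking.com"}

# Hand-picked two-label public suffixes. Assumption: a stand-in for the real
# Public Suffix List, which a production check should use instead.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}


def registrable_domain(host):
    """Return the registrable (apex) domain of a hostname.

    'secure.booking.com'            -> 'booking.com'
    'booking.com.com-id322712.com'  -> 'com-id322712.com'
    'www.example.co.uk'             -> 'example.co.uk'
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check_link(url, expected=EXPECTED_DOMAINS):
    """Classify a link: real host, its registrable domain, and why it was flagged."""
    parts = urlsplit(url)
    host = parts.hostname or ""   # .hostname already drops userinfo and port
    reasons = []
    if not host:
        return {"host": "", "domain": "", "trusted": False,
                "reasons": ["no hostname in link"]}
    if parts.scheme != "https":
        reasons.append(f"scheme is {parts.scheme!r}, not https")
    if parts.username is not None:
        # https://booking.com@other.example/ is served by other.example
        reasons.append("userinfo before '@' disguises the real host")
    apex = registrable_domain(host)
    if apex not in expected:
        reasons.append(f"registrable domain is {apex!r}, not one of {sorted(expected)}")
        for brand in expected:
            if brand in host or brand in parts.path.lower():
                reasons.append(f"{brand!r} appears in the link but is not its domain")
                break
    return {"host": host, "domain": apex, "trusted": not reasons, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample links; only the first is genuine.
    for link in ("https://secure.booking.com/myreservations",
                 "https://booking.com.com-id322712.com/verify",
                 "https://booking.com@com-id322712.com/",
                 "http://secure.booking.com/"):
        result = check_link(link)
        print(link, "->", "OK" if result["trusted"] else "; ".join(result["reasons"]))
```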

Comment: 2023/09/20 - The day they came for me....
Yesterday, the world shifted on its axis when the government of a civilised society decided that its citizens should not expect privacy when using technology. This wasn't a dictatorship, a military junta or an oppressive regime (so far). It was the United Kingdom.

Despite the BBC news headline, this will not remove harmful media content.

Let's face it, the last few days have been filled with reports of a notorious celebrity who was allegedly(*) permitted to get away with incredibly abusive, harmful and certainly unacceptable behaviour. It was conducted in plain sight, and not a soul stopped him. Equally, nothing in this bill, when it's enacted, would have prevented what the individual did. Trying to use technology to fix society will not work.

Yesterday, big brother was born in the UK. How the infant legislation matures will show what kind of grown up he will become....
--
* I will not perpetuate the current trial-by-media as I personally believe the fundamental legal position of "innocent until proven guilty by a jury of your peers". For that reason alone, I will continue to use the word "alleged". That said, from what I've seen, the evidence is fairly damning and whilst he has not yet been charged, my personal view is that he was, and continues to be a thoroughly deplorable individual.

Comment: 2023/09/18 - Beyond Fear.
Interesting....

Comment: 2023/09/11 - A day of spying...
Yesterday we saw the first announcement that two individuals had been arrested for various offences under the Official Secrets Act back in March. One was seemingly named by some of the press yesterday prompting them to issue a statement.

In an interesting espionage two-for-one(*), this comes out the same weekend that Daniel Khalife, who absconded from HMP Wandsworth on September 6th, was recaptured.

Whilst the detail leading up to how he was recaptured is largely missing, a number of news reports are stating that the work to recapture him was the first cross-speciality piece of work undertaken by The Counter Terrorism Operations Centre. The detail that interests me was reported by The Mail on Sunday where it asserts that the mobile phones of a number of acquaintances of Mr Khalife were "tapped". Whilst the use of the word "tapped" is interesting in itself, it serves to highlight that the security services were able to prove their actions were proportionate and necessary in order to obtain the necessary warrant in a timely manner.

In terms of oversight, that seems to be a good result.

Contrast that with what would have happened if The Online Safety Bill is passed without modification. And let's face it, even without deliberately back-dooring the encryption, the examples from the last News and Comment show how we are at securing things.
--
* Mr Khalife was facing charges of terrorism and a breach of Official Secrets - hence the link.

Comment: 2023/09/10 - Moroccan earthquake...
Morocco is one of my favourite places in the world, with the kindest people. And right now, they need your help.
--
(This item was accidentally overwritten and has been republished.)

Comment: 2023/08/08 - A day of breaches.
The press is full today of a variety of different breaches:-

  • The Times are reporting that the Russians are behind a "complex" cyber attack on the Electoral Commission. Whilst the event has been confirmed, there does not yet seem to be anything that actually confirms Russian involvement other than they have a track record for trying to influence elections. There are far more questions as to why the Commission found out about the incident over a year ago, but didn't say anything - even after they noticed the breach had first occurred in August 2021!
  • On the other hand, PSNI have admitted that their own disclosure of officers and civilian staff was accidental and down to human error. Whilst the impact is likely to be significantly more serious than the breach of the Electoral Commission, it represents a manifestly different approach to reporting and transparency.
  • Finally, in a notable story that disproves "the enemy of my enemy is my friend", Reuters have highlighted that attackers linked to the North Korean Government have installed backdoors into systems in a Russian missile manufacturer. Original source here.
Sleep well!

Comment: 2023/08/03 - A de-Googled future.
More years ago than I care to remember, as part of a piece of work somewhere hot, I was responsible for supplying and assuring comms kit for a small unit operating in a foreign land. We chose to use a variety of Samsung Galaxy SII and S3s running de-Googled CyanogenMod. They needed secure messaging and voice, and so we side-loaded Skype onto the devices and used OpenVPN to connect back to the UK HQ. The devices were shipped out, and we got feedback that they were broadly a success. The most interesting part was that we used commercial products in an operational environment back when such things were largely forbidden.

Leap forward to last week and I was discussing with a friend how our testing of Ubuntu Touch had gone last year. What makes Ubuntu Touch unsuitable for us in an otherwise almost perfect mobile OS is the fact that the encryption it uses for e-mail (provided by the excellent and slick, Dekko) does not appear to work with quantum resistant encryption. In essence, the encryption interface is provided by Enigma which silently fails to parse Ed25519 keys. Sadly, Enigma hasn't been updated since 2019. It is a shame, because otherwise, Ubuntu Touch works really well with Dekko, Signal (by means of Axolotl), Calendar and the web browser, despite not having a port of Fennec. The real tick-in-the-box, is the integrations. It mostly just works and works well.

Following that conversation, I tried the spiritual successor to CyanogenMod, LineageOS. It's a stunning effort, bringing Android 13 (and recent security updates) to an elderly Motorola Moto G7 Plus, that was destined to run Android 10 forever more. The main issue was that it became a colossal effort to integrate online calendars into the stock app. It was actually easier to apply the Google changes to the build and use the stock Google apps. What is it that the devs of Ubuntu Touch (and indeed, my old BlackBerry OS7 and OS10, all recent builds of Thunderbird, Gnome and Gnome Evolution) know that allows them to synchronise contacts, tasks and calendars securely from a cloud account as well as handle e-mail? This single nuance, is more disappointing than it should be as there are open-source versions of K9-Mail, OpenKeychain and Fennec available for Lineage. Signal can be side-loaded easily making it so close to everything that I need.

Perhaps some more time is needed, but in the meantime, we still have that LG Nexus 5 running Ubuntu Touch that we take out once a month, charge, apply updates and then have a play with. I live in hope!

Comment: 2023/07/31 - Diamond Wedding Anniversary.
Whilst it's nothing to do with anything IA related, last Friday, we were very privileged to be invited to the diamond wedding anniversary celebration of Frank and Beatrice Low. They were two very important people in the life of my late mother. Indeed, they probably didn't know how important they were, so it was very humbling to be invited along with some of their closest family and friends to mark their significant occasion.

Frank and Beatrice have been involved with Famine Relief for Orphans in Malawi for many, many years. Indeed, it was as a consequence of two decades of work by Beatrice's niece, that resulted in the charity being set up. With that in mind, if you have a few pounds to spare, then you might like to consider making a small donation. Every penny that is donated goes to Malawi as all administrative costs for the charity are met by the trustees.

Whilst the charity does not represent the company principles of BladeSec IA, it is our intention to add it to the list of organisations who receive a donation at our year end.

Comment: 2023/07/22 - Award of Freeman of the Western Isles.
I am delighted that friend and former neighbour from when I lived on Na h-Eileanan Siar is to be made a Freeman of the Western Isles after a selfless lifetime of hard work and kindness. There are very few folk that could be said to have done as much for the benefit of the islands as Sandy.

Comment: 2023/07/21 - Death of Kevin Mitnick.
For somebody who started working in the world wide web in the (very) early nineties, I was vaguely aware of Kevin Mitnick. As a system admin and being less worldly-wise than I am now, I always assumed that bad-guys were always and irretrievably bad. The computer press had largely condemned Mr Mitnick and so, I confess that I was more intrigued with how Tsutomu Shimomura was alleged to have caught him. I remember at the time of the publication of a particular book, they launched a domain where you could watch Shimomura-San's computer interactions in real-time.

In more recent times, I now understand that there are usually at least two sides to every story, but outside of forensics and peer-review, society will accept the individual who shouts the loudest about being wronged as being the more accurate. So I read Ghost In The Wires and it became clear he was a fairly misunderstood individual that society had allowed to be persecuted by the US criminal justice system*.

Regardless of your own thoughts of Mr Mitnick, as a result of his untimely death due to pancreatic cancer, he will never get to meet his unborn son. Obituary here. El Reg Obituary here.
--
* For the avoidance of doubt and despite the superficial similarities, I do not believe that this statement should be applied to the other individual who is often mentioned in the same sentence as Mr Mitnick - Julian Assange.

Comment: 2023/07/16 - Useful travel links.
Ahead of the English summer holidays, the bottom of the Safer Travel page has been updated with a number of links to useful websites to help keep you safer when travelling. Needless to say, whilst we have used these websites and recommend them, they are not operated by BladeSec IA and therefore we cannot be held responsible for their accuracy or merit in your own circumstances.

Comment: 2023/07/14 - Chinese espionage.
Yesterday, The Times reported that the US Secretary of State has issued a warning to China after the US revealed Chinese hackers had breached accounts of various State Department Officials.

Last night / today, the Times quotes a report from the Intelligence and Intelligence Committee that highlights "Beijing's activities are so extensive, it has penetrated every sector of the economy". The assessment concludes that successive governments failed to address the threat because economic interests took precedence.

The former seems to stem from a warning from Microsoft about Exchange. There is more detail from Ars Technica here. Although much of it remains speculation it makes for chilling reading.

Comment: 2023/07/13 - A whinge.
How long will it take for the government to tax social media firms for damaging the health of their citizens and society in general? It needs to recognise that it is as addictive as a Class-A drug, as easily available as alcohol and yet the long-term effects are more harmful than tobacco.

Please insert your tongue firmly into your cheek before reading the following:-

Before social media was so widely available, you were kept in your place by a circle of mostly like-minded, and similarly aged peers that you engaged with and would kick your backside if you took yourself too seriously. There were good older role models that you could spend time with, whether these be teachers, relations, friends of parents, or neighbours. Fundamentally, interactions were social and face-to-face. Some of the best encounters may occur in a pub which used to be a melting pot of different sorts of people with different backgrounds, experiences, desires, sexes and educations. You could learn a lot from these people as they may not share your perspective, but being in your direct company you owed them a bit of respect.

Now, in the era of social media you can post anything for the world to see yet, the written word often misses context, is misunderstood by the reader, can be a bunch of lies and can be made relatively anonymously, without reprisal. It has ennobled people's opinions well beyond what they should be and that individual is highly likely to believe they are cleverer than they actually are because somebody from the other side of the world has reposted it, clicked like or added "Me too!". Equally, social media allows individuals to proclaim allegiances to world events by clicking "like" and show solidarity that augments their own self-importance - all whilst sitting in their pants stroking their cat.

Most people cluster to the lowest common denominator, and there's a lot of that on social media.

And if the government chooses not to apply a tax, then it should come with a health warning:-

Warning: Social Media will not give you friends, and may indeed cost you real ones. It can leave you with no grasp of reality and an inability to have a mature emotional response to things that happen in the real world.

And then I got annoyed about the entirely stupid way that stock Android One handles Bluetooth connections. I came to bed, switched on the small Bluetooth speaker beside the bed and started streaming Planet Rock. I went off to brush my teeth and when I came back was surprised that there was nothing playing. My phone had decided to connect to a Bluetooth A/V receiver downstairs which was connected to an amplifier that is switched off. I long pressed the Bluetooth item in the menu (what I'd give for a short press to bring up the Bluetooth options) and disconnected from the A/V receiver. I then reconnected to the little speaker and heard a few seconds of music.... before the A/V receiver muscled in and decided it was more important. No matter what I did, I couldn't get it to work without switching off "Media Streaming" on the A/V receiver. Lots of clever people say that you can just delete the Bluetooth connection, but that suggests I don't want to use it again, which is simply not true.

How I long for the BlackBerry setting of "Connect automatically" and "Prompt for connection"....

What connects social media and Bluetooth? That's going to have to wait for my memoirs, but thanks for letting me whinge.

Comment: 2023/07/08 - Restriction of personal privacy in France.
As if the recent riots in certain parts of France were not enough, just in time for the British holidays, Le Monde have reported that France has approved legislation to permit the camera, microphone and GPS location of mobile phones, laptops and cars to be captured by the state. Initially, the only controlling measure was a restriction to limit it to those suspected of crimes that would carry a sentence of five years or more. A further amendment, that was tabled quite late in the day, claims to limit the use of the measures "when justified by the nature and seriousness of the crimes" and for a period less than six months. The final part of that amendment sought to exempt MPs(!), lawyers and journalists.

More here in French.

It's not well known, but when you take your encrypted laptop or mobile phone to France, you are, in effect, having to rely on the "Wassenaar Arrangement". This is an agreement to "promote transparency and greater responsibility in transfers of conventional arms and dual-use goods and technologies, thus preventing destabilising accumulations. The aim is also to prevent the acquisition of these items by terrorists." (My emphasis.) One of the provisions of the Wassenaar Arrangement allows a traveller to freely enter a participating country with an encrypted device under a "personal use exemption", as long as the traveller does not create, enhance, share, sell or otherwise distribute the encryption technology while visiting. And yet the website is particularly vague on what constitutes "dual-use goods and technologies".

And I think it says it all that a government implements greater sanctions against its own citizens than it would against criminals.

A friend told me recently a funny story about how he managed to avoid the disposal and recycling costs for a van load full of encrypted laptops by booking it onto the Channel Tunnel. He truthfully answered the French Border Guard when asked what he was transporting and they confiscated the lot. Thing was, the laptops had already been degaussed....

Comment: 2023/05/31 - Safer Travel, 2023.
It's out....

Comment: 2023/05/25 - Tina Turner, 1939 to 2023.
All too often these days, the word "legend" is bandied around and applied to individuals who barely qualify if held up against their forebears. It is clear, however, with the passing of Tina Turner, that this word is entirely insufficient to be applied to her. It is obvious that her life was composed of many careers and in each one, she could be considered legendary. It is impossible to listen to her singing live and not be in awe at her vocal talent and her showmanship. She was The Best.

Comment: 2023/05/22 - Kirkcaldy and District Pipe Band.
Congratulations to the Kirkcaldy and District Pipe Band who came second in their Grade at Dollar Academy on Saturday. I am lucky to count most of the current members (and a good few previous ones) as such good friends that they insisted on coming and playing at my son's 21st birthday. It was great to be there, as they brought on an awful lot of young musicians, who had never played in a competition before, and landed a well-deserved second place.

Comment: 2023/05/01 - The other side of consultancy.
Here in the Security Cartshed, we make a big deal out of doing everything we can for our customers. The thing is (and I've never said this before) our staff are equally important. We don't exist without them and we can't deliver the services that we do without their agreeing to our ways of working. It's exactly the same for customers. We wouldn't exist without them, and we need them to recognise the unique benefits that working with BladeSec IA brings.

I have been reflecting on what I have learned since I moved into consultancy in 2006. Indeed, it was the inconsistencies between what customers were sold and the subsequent expectations placed on consultants that led me to launch BladeSec IA in 2012. I've seen consultancy from both sides, so I thought it would be interesting to explore it from the buyer's perspective with a view to making the consultant's job easier:-

  • Firstly, make sure the consultant knows your address and how to find you. If you're in the second anonymous building at the end of an industrial estate, tell them this. These days What3words can make things easier. (I've lost count of the number of times I rocked up to a client office that I've never been to only to be told, "Oh. You want the other office two miles away". Indeed, one company I worked for had so many offices, very often the staff at one didn't know of the existence of the other half a mile away.)
  • If the consultant is driving and it is within your power, try and reserve them a parking space. If you can't, tell them where the best place to park is. Consultancy is expensive and you don't want your expensive resource driving around trying to find somewhere to stop. Yes, they might be there to do eight hours, but if they don't arrive until ten, it eats into the consultant's time, not yours and not their employer's. (Many years ago, I worked with a client who had very limited visitors' parking (two spaces!) and it was always provided on a "first come, first served" basis. I couldn't use the staff parking as I wasn't staff and I couldn't use the on-street parking as the maximum stay was 2 hours, so I had to make sure that I got into a visitor's space. To make sure, I used to arrive just before eight before starting work at nine.)
  • If you are able to reserve them a parking space, make sure they're able to get into the car park. It's pointless asking them to start at eight, if you need a pass for the car park barrier or reception to let them in - when reception doesn't start until nine. (This happened to me regularly at one of my very first clients.)
  • If the consultant is taking public transport, allow for delays and be flexible. You might want to let them travel one morning after the rush hour and let them make time up. Tell them what the nearest train station is and how best to travel the last mile. (Once, I hopped off the train on my way to see a client for the first time only to discover the station was so small, there wasn't a taxi rank.)
  • Please provide a desk for the consultant with a functioning chair. Find out if they need network or internet access. If you can't provision that, ensure you tell them, along with any other restrictions, such as the surprisingly common "no mobile phones". (I arrived at a client to be shown to a desk that was health-affectingly filthy and matched with a chair that had a back that wouldn't lock into place. The situation was exacerbated by the client finding my predicament hilarious as I had been given the "special" consultant's desk and chair. It was a desperately unpleasant situation.)
  • If they are not there to do a surprise audit (or social engineering exercise), make sure you tell everybody that the consultant is coming - that includes reception and people you think the consultant may want to speak to. If in doubt, ask the consultant for a list. (I arrived at a client once as agreed, only to be told that most of the people I needed to speak to were away. In essence, the contact messed up as he hadn't checked the availability of his staff before booking me.)
  • If the consultant has an appropriate clearance, where possible give them a pass that allows them to go to the coffee machine, toilets, desk and out to lunch without having to ask a member of your staff. (This is the one example where something that was done well jumps to mind. When I arrived at a client in London, I was made to feel very welcome, and they issued me with a temporary photo ID that I had to sign out every Monday morning. It permitted me into the building, into the other building and would identify me to staff that needed to know who I was - as well as letting me get coffee, go to the toilets and fetch lunch.)
  • If you can't do that, make sure you nominate somebody in physical proximity to the consultant to be a local guide. Sometimes, it can be worth doing that anyway, so that you have a set of eyes and ears available to solve issues quickly. (The worst example of this was being told to arrive at a client site at eight. This I did, and was deliberately kept waiting until 10:30 whilst the contact worked on something else. Before I left, I asked what time to show up the next day only to be told that eight was fine. The next day, I was left until ten and despite this, I was told to arrive the following day at eight again. That morning, having spent so much time in the company of the small IT team, I started making coffees, answering the phone and updating service desk tickets to fill in the time.)
  • Make sure they know what the local rules for coffee breaks and social interaction are. Is milk fiercely guarded, or is the vending machine on free-dispense? While you're at it, make sure you point out where the toilets and fire escapes are. Let them know if there's a fire drill planned and when the alarm is tested. (I worked for a very well known client in London that rang a bell at four o'clock every afternoon. At this point everybody had to stop working for half an hour, step away from their desks and have a cup of tea or coffee with their colleagues. The thing was, having been there since seven, and worked through lunch, I was looking to leave at that point!)
  • Make sure they know where they can buy lunch. Yes, they may have brought a sandwich the first day, but after that, they're staying in a hotel and need to take a break. Find out what they plan to do, as often the consultant will work through lunch in order to leave a bit sharper. Don't make them feel bad for leaving sharp if they've already put in a day's work.
  • Make yourself available most mornings the consultant is on-site. If you're not there, whom should the consultant speak to?
  • Don't insist the consultant has to start at the same time you do. Often when working away from home, they may like to check in with their family over breakfast. (The IT Manager at one of the places I cited above used to arrive very, very early and he insisted that I did the same "to avoid the traffic". (I was in a hotel a mile away and walked to the office). The folk that I needed to speak to were all artistic types and so would usually start to appear at about 09:30. The IT Manager would leave at three, but I still had a backlog of folk that I needed to speak to.)
  • Feel free to check in with the consultant to find out how they are progressing. Will they still manage to deliver the work in the original timescale? What difficulties have they had? What's gone better than expected?
  • Remember that you're getting your money's worth and not a pound of flesh. If you give the consultant additional demands, they are at liberty to invoice you more for things that are over and above the original statement of work. As a result of a series of late starts in one of the examples above, I didn't manage to complete the work whilst on-site. I ended up having to return the following week for two additional days. It was problematic to fit in, and caused a problem when invoicing the client.
  • Some consultants, especially those that are very technical, may struggle to communicate with senior members of staff; equally, they may not convey something entirely on-message. In this case, provide constructive feedback to their employer.
  • And don't forget, before they leave, to ask if there are any follow-up actions on either side and when you can expect the outcome of their work.
Clearly, the statements above aren't set in stone. Successful consultancy is a partnership, and everybody needs to recognise that no side is superhuman.

Comment: 2023/04/27 - News round-up.
Two small, but vitally important nuggets of information:-

First up: A very interesting story on changes within Google's Authenticator. It was the first MFA soft token generator I used - until I upgraded my phone. It was then that I had made a stupid assumption - that coming from Google, it would securely back up the MFA seeds to my Google Workspace account. At that point, I discovered the flaw that the latest update is designed to eliminate. Coming from Google, I reckoned it would implement the cloud backup part pretty well, but it turns out that it doesn't. I almost downloaded it again, but was too busy. I guess I'll stick with Twilio Authy for the time being. In truth, I have no idea whether it performs any better.

Secondly: If you use MS Edge, here's a good reason for using a different web browser.

Comment: 2023/04/18 - The death of a salesman....
This morning, a friend highlighted how AI is making significant in-roads into OSINT in what, I can honestly say, appears to be the first genuinely useful deployment for the technology. In the ensuing discussion, another mutual friend asked ChatGPT to write an ISO27001 proposal that he then shared with us. It was pretty good. There were more than a few passing similarities to the proposals that I wrote "back in the day", but there were also a few elementary errors, including a discussion on the different phases of the programme of works that had clearly been lifted from a procurement document rather than a tender response.

I pointed out that this marked the death of the salesman(*) (something that was long overdue from my perspective; although not because they were being replaced by AI, I hasten to add). We then debated whether the consultant role could be eliminated too, and I've concluded that for many "closed scope" portions of work, such as ISO27001, the answer is probably yes.

In other news, I see that NCSC are introducing CLAS-lite. I use this moniker to highlight that the individual is not allowed to demonstrate any form of risk-acceptance or validation of compensatory controls (if my recollection is correct), and it deals with an even smaller, binary, framework than ISO27001. To my mind, Cyber Essentials consultancy is a really good candidate for being given over to a tailored LLM. It was, after all, scaled for SMEs and not intended for the industrialised gravy-train that it now fills.

Surely, turning the consultancy into an app benefits the original target audience monumentally, by virtually eliminating the cost associated with it? It also permits the big-hitters to scale into the areas where Cyber Essentials has ended up and can add the best value? Of course, it will never happen.....
--
(*) Other sexes are available, but they are all equally destined for the scrapheap too!

Comment: 2023/04/13 - Death of Bryn Parry....
There can't be many people in the countryside that don't know Bryn Parry from before Help for Heroes. His books of cartoons have occupied the coffee tables of many large houses up and down the land (and a good few little ones); often occupying a space in the littlest downstairs room too. For years, Mr Parry's Christmas cards, covering "the countryside, shooting and badly behaved dogs", were the mainstay for sending to close friends. And then, having been a successful cartoonist, he set up Help for Heroes. "Unusual", I remember thinking to myself, but it was clear that he had a vision that came about from his own military service, which resulted in a strongly branded charity that I (and the rest of society, it seemed) was entirely happy to get behind. There was a time when every celebrity wore a brightly coloured H4H wrist band. Having worked with many soldiers during resettlement, I know that many do not consider themselves "heroes", but here was a charity that unashamedly turned around and called their users "heroes" in the face of ex-military-this or veteran-that. And so, in time, my Christmas cards became Help for Heroes ones.... Here was a man that made a difference to the world around him.

Comment: 2023/04/11 - News round-up....
Whilst we've not posted commentary on anything for over a month or so, the security world has been far from quiet:-

  • Users of 3CX VoIP have been advised to stop using the 3CXDesktopApp and switch to the PWA web client. It appears that the Electron version has suffered from a supply-chain attack that is being attributed to North Korea according to Mandiant.
  • FBI Denver are warning of the dangers of "juice jacking". The FBI are advising that it is just a regular reminder.
  • Operation Cookie Monster has shut down Genesis Market's domains. In theory, you can check to see if your data has been compromised here, but the lack of a positive negative could be a problem. How many people, who are affected by this will actually check their spam folders for a response?
  • And years after it was first suggested (in 2012), the mainstream press have cottoned on to a possible reason phishing e-mails are so recognisable. It's to weed out those recipients who are too intelligent to fall for the wider scam. At least for the time being....
  • Apple continue to be less diligent than normal with two more vulnerabilities that have already been exploited. This follows on from similarly exploited near-zero days back in February.
  • Odd intel leaks are turning up on Discord. What is also interesting is how they are being re-weaponised by seemingly pro-Russian parties.
And remember that the UK Government is running a test on Sunday 23/Apr/2023 at 15:00 of the emergency alerts service.

Comment: 2023/02/28 - Think of the children....
I find it remarkably interesting that Signal is attracting an awful lot of attention. Meredith Whittaker, president of The Signal Foundation, makes a number of very rational observations regarding the Online Safety Bill. These arguments have been reported with varying degrees of accuracy, but broadly pointing out the failings. Needless to say, there have been the usual "think of the children" responses - and indeed utter silence from The Daily Mail. It is important to note that whilst Signal is the focus of the articles, if the Online Safety Bill passes into law, this is likely to also lead to "back-doors" being inserted into WhatsApp, RCS, iMessage and Facebook Messenger as well as (potentially) TLS, GNU Privacy Guard and OpenPGP, BitLocker (and Bitlocker-to-go), EncFS and LUKS amongst others.

I tried having a rational discussion with an individual, but it is such an emotive subject, it means that people who have little grasp of the subject have an opinion. They believe the hype that somehow end-to-end encryption is evil and directly sustains the criminal abuse of children. The thing is, every day there are billions of financial transactions that can only happen because of that encryption to secure the transaction and to prove the identities of the parties involved. Every time you purchase something on-line, you are using end-to-end encryption. Do either of these things make those involved paedophiles? It doesn't - in exactly the same way that owning a hammer, a car or even a firearm doesn't make you a murderer. It's a tool.

The reason end-to-end encryption gets a bad press is that it permits one criminal abuser to send media to another criminal abuser after the event. For every individual who uses it for that, there are many millions who look to end-to-end encryption to maintain their freedom in oppressive states or to blow the whistle on corporate corruption. Many use it to protect themselves from criminals themselves. Even if a backdoor was placed in the back of encryption, surely the criminals would just move to another technology - such as putting a CD or memory stick in the post - which could easily be done in such a way as to completely anonymise the identity of the sender.

End-to-end encryption cannot even be said to make child abuse worse or perpetuate it, for what can make it worse after it has occurred in the first place, except to sustain the abuse itself? Where is the investment to support dysfunctional families and to train and employ professionals to recognise those at risk and support child abuse victims? What about appropriate social care and children's panels? Those things are far more expensive and difficult to get right. It's far easier to demonise a necessary piece of technology that the government relies upon itself (and will always continue to do so), yet wants to seriously weaken for its citizens - almost like in China, one of the most state-monitored societies in the world.

Even if you still think that the ends justify the means and you cannot break the link between encryption supporting criminal activity, then you must remember the fundamental principle of British criminal law: Innocent until proven guilty. Treating every individual as a potential criminal and trawling indiscriminately until you find evidence of their malicious activities turns this on its head. How long will it be before it's used to find evidence of other things the government of the time has decided should not be permitted?

The argument against end-to-end encryption is fundamentally flawed. Trying to use technology to solve a societal problem simply does not work - especially when that technology is not the source of the problem; just like the COVID contact tracing application that resulted in tens of thousands of healthy staff having to take time off work because they were told to by a flawed algorithm. At best, the Online Safety Bill and its impact on encryption is nothing to do with keeping our children safe from criminals; it's about being seen to do something about one of the most abhorrent crimes in society. At worst, it's about permitting state surveillance on the device that contains your most personal sensitive information.

I'm going to leave it to the brilliant Ross Anderson who highlights that "doing surveillance whilst respecting privacy is really hard".

Comment: 2023/02/11 - Flying in the face of convention.
Sometimes, no matter how good the forgery is, the forger doesn't account for an anomaly in societal norms. I found this fascinating. It shows that it was Dame Sally's dislike of meaningless platitudes that meant that a cyber-attack was thwarted. (And as somebody that intensely dislikes corduroy, having been forced into it as a small boy, I applaud her valiant efforts in that area too.) It is a shame it doesn't always work out like that.

Comment: 2023/02/04 - The Calcutta Cup.
In what was probably one of the best rugby matches I have ever seen, Scotland retained the Calcutta Cup for the third time in a row. I believe that they have never previously achieved this. It was a brilliant game, made all the better by both sides playing good rugby. England were a formidable side (look at the possession statistics), but in the end, Scotland managed to exploit the chinks in their opponents' game and skew things in their favour. The day was made all the better by Ireland beating Wales (sorry!) - whilst my wife was at a family birthday party - in Ireland!

Comment: 2023/01/31 - Analysis of working for the dark side.
I find this quite interesting given the rumours that suggest the payback was quite worthwhile. Alternative report here. Original report here.

After a particularly stressful day, I used to have a flight of fancy on the trip home, imagining how much it would take for the bad guys to buy me. It was always in the millions, except for one day when it wasn't. The reports above highlight that even when I was pretty low, the bad guys wouldn't have paid the smaller amount, let alone the bigger one!

Comment: 2023/01/30 - Predicting the future.
A friend asked me to predict the future today. He didn't say how far into the future, just make some predictions... For fun, I thought it would be worth sharing here:-

  • The amount of data we produce on every aspect of our lives should inform better decisions. The difficulty is that the sheer quantity of data means that we're actually making worse decisions. AI has an incredibly important role in reducing the amount of data we have to consume to more manageable levels so that we can make those better decisions.
  • There is growing concern regarding autonomous "killer robots". What's the difference between a Terminator and a Tesla on autopilot? Both can kill, and may be required to make a judgement on "life worth" before doing so. How do you introduce proportionate regulations for each of these scenarios? I don't know, but perhaps the answer is to ban one, and provide an alternative for the other?
  • The future car will not be powered solely by electricity. Instead it will be a combination of electric, hydrogen and synthetic fuel. There is insufficient capacity in the generation and grid to power electric vehicles, but they do have a niche role to play. A variety of power sources provides the best resilience and best potential for competition to reduce costs.
  • There needs to be a beyond radical reset of car-ownership. In order to reduce carbon emissions, public transport needs improvement beyond all possibility and car ownership, for those that have access to it, needs to be discouraged. People should be encouraged to live closer to where they work. Carbon capture needs to become a thing.
  • Climate change is only one issue. An equally human-ending problem is where we can't feed and provide affordable energy for the population of the world. The next third world will be in sink estates all over the world who are paid to consume four hours of electricity a day whilst the elites continue to waste their power allocation by scrolling through social media and providing their virtue signalling opinions for their fellow elites to consume; turning all of society into one beige fake viewpoint.
  • Social media has given a voice to the inconsequential and the value of most of those opinions grossly exceeds its value to society. However, because people have been given a platform, most automatically believe they are right, important, have a valid, informed opinion and must be listened to. Some even conclude that they can abuse strangers or sexually harass them. Social media itself perpetuates the problem as it has to permit its "customers" to operate in this manner for it to monetise the results. It is not in the interests of these firms to encourage privacy, but in the future everybody will want privacy for 15 minutes.
  • We, the people, vote for politicians. Once upon a time, the press used to hold them to account on our behalf, but the quality press is suffering. Why pay for independent journalism when you can consume so much opinion that portrays itself as that for free? It's concerning when even quality news sources rely on social media sound bites to flesh out their own stories.
  • Taking these two points to their natural conclusion: In order to show real worth to the greater good, social media needs to hold politicians to account; but that needs to be above abuse, nastiness and opinion. It needs to be independent, peer reviewed and ethical. Without this, society will continue to become more corrupt, self-serving and less human.
  • It is not in the interests of social media firms to solve that one and it pains me to say this, but social media needs to replace politicians. Give everybody a button to allow them to vote on everything of consequence that goes through the world's parliaments. Get rid of politicians and return the power to the populace!
Fundamentally, the future is Blade Runner where everything is run by The Tyrell Corporation, except in our future, it'll have a different name.

Don't have nightmares!

Comment: 2023/01/11 - Royal Mail suffering a cyber incident.
Oh dear. This is not good.

Being unable to send items internationally in the 21st century is unacceptable. I was lamenting this morning: Remember when you used to get two deliveries a day? One very early in the morning, and another after lunch? I think we get about two deliveries a week at the minute. In the face of the ongoing strikes, this feels like the beginning of the end for the Royal Mail. And not just any mail, but the Royal Mail.

Comment: 2023/01/01 - Happy New Year!
Once again, we're back on the Isle of Lewis to mark the eleventh birthday of BladeSec IA. This marks the first visit of the new security cart-shed hound to the island. Many of the locals we have met are enamoured that we chose to call him Suilvan after the Stornoway / Ullapool ferry (and not the mountain) that used to go out in all weathers - just like his canine descendant. Suilly (as he is known) had his first trip to our favourite beach yesterday (and it's not the one that tourists will tell you about). The more time I spend with dogs, the more I realise I prefer them to people!

As usual here is our tongue in cheek look at the last twelve months:-

  • Average distance travelled to work: 16 miles.
  • Distance to farthest job: 257 miles.
  • Oddest manufacturer of tyres on vehicles owned by BladeSec IA staff: Nokian. (Odd because they used to be a subsidiary of Nokia in 1967).
  • Value of donations to Wikipedia as a result of Travel Advice: £55.
  • Value of donations made by BladeSec IA to support other good causes(*): £165.
  • Amount of time donated by BladeSec IA staff pro-bono: 20 days.
  • Number of pages printed on the office colour laser since the Magenta reported being empty: 59.
  • Number of BladeSec IA e-mail addresses reported as being pwned: 157.
  • Number of manufactured e-mail addresses, appearing on the same list: 155.
  • Best film seen this year - in a poll of BladeSec IA staff: Top Gun: Maverick.
* Including Wikipedia, The Signal Foundation and for the first time this year, Mozilla.

Happy New Year!