The Security Backlog
All the stuff that I should have covered whilst wishing I was dead
Published 15:04, 28 April 11
Everything was going so well at Dunhacking, but a dodgy Brick Lane curry eaten at a market stall whilst attending LinkedGov Hackcamp flattened your correspondent for 10 days, and since then the backlog has been too terrifying to address properly.
So let's address it improperly instead.
It's been a fantastic month for security stupidity:
Tomtom has been flogging "anonymised" user data to the Dutch police, so they can work out where best to put speed traps. For anyone who isn't aware, anonymisation is rarely done right, and it remains to be seen whether the Dutch Police - the hint is in the organisation's name - might want to ask Tomtom more detailed questions should they feel the need.
Sony broke all records in pwnage - well, something of this scale had to happen sometime. That the credit card information for 70 million users was encrypted will make the PCI community somewhat happier, but that the corresponding PII (personally identifiable information) was not will infuriate the ICO and its peers.
Both Apple's iPhone and Google's Android have been building up anonymised (there's that word again) databases of WiFi base-station geolocations - and helpfully storing them on your phone, thereby tracking everywhere you go. It's been a mediatastic episode, but frankly it's not a big story when Twitter, Facebook, Foursquare and every other app on your phone are trying to do much the same thing.
The US Government is so concerned by the grief its citizens must suffer in order to remember their login password that they've decided to waste money (sorry, solve the problem) once and for all. But I repeat myself...
Amazon EC2 crashed, and everyone who bought into the idea that moving "to the cloud" would magically solve their availability issues suddenly learned otherwise. Cloud evangelists responded by blaming the cloud users for not embracing multiple availability zones and redundant cloud providers, in much the same way that they used to blame enterprise datacentre owners for not buying redundant hardware and network links.
Somebody in the USA got woken up by the FBI because someone else had used his unsecured WiFi network for nefarious purposes; it's probably not long now before the same happens in the UK, whilst the law, and public understanding, catch up with the fact that an IP address does not necessarily equate to an individual citizen.
Part I of this article draws a parallel between today's cybersecurity debate and the run-up to the Iraq War and looks at how an inflated public conception of the threat we face may lead to unnecessary regulation of the Internet. Part II draws a parallel between the emerging cybersecurity establishment and the military-industrial complex of the Cold War and looks at how unwarranted external influence can lead to unnecessary federal spending. Finally, Part III surveys several federal cybersecurity proposals and presents a framework for analyzing the cybersecurity threat.
...which should be essential reading for our very own OCSIA.
Finally: Infosec came to town, at the same time as London Security B-Sides and the monthly DC4420 London DefCon chapter meeting. They were good - see reviews one, two, three - but if you missed them there will be another DC4420 next month, there may be another B-Sides later in the year, and a little bird tells me to expect a big London security conference this autumn - stay tuned for details.