False Registration

A few weeks ago, I got a weird piece of post – a V5 registration document for a vehicle I’ve never owned, to a name I’d never heard of, but with my address on it.

Having asked around a bit (in case the person was just a cretin who put in the wrong address) it turns out that this is a semi-common scam, registering a vehicle to a different address in order to avoid parking and speeding tickets etc.

As such, some people suggest that it should be registered as SORN (Statutory Off-Road Notification) but that still connects the vehicle to the address, and leaves you open to receiving documents, fines etc.

Instead, I decided to instead return the document to DVLA, along with a cover note explaining that I didn’t know the car and didn’t know the person, and had been at current address long enough to know that the person hadn’t lived there any time in the last decade. I scanned in both documents so I’ve also got a record of it, should it be needed.

Yesterday, I got a response from DVLA, which confirms that what I did is the best thing to do. They’ve removed the connection of my address to the vehicle, although it’s still possible that some fines etc. may come to me – but in that case, to send the issuing authority a copy of the letter received, and confirm that It’s Not Mine.

So, interesting to see how things work. Hopefully I won’t get any further issues with it, but I’m as protected as possible if anything does happen.

 


Phoneless

Via an article on Raptitude ( The Simple Joy of “No Phones Allowed”) I came across a company called Yondr whose idea/offering seems simple and pretty brilliant.

Basically, they create “phoneless areas” for concerts (as well as other events, but mainly concerts) by locking them away.  The smart bit is that they’re not stockpiled somewhere (which would be way too tempting for thieves etc.) Instead, they’re put in a pouch that locks, and the phone stays with the owner.

If the phone is really needed, there are unlock-stations outside the concert area, so the bag can be unlocked and the phone used.

But – as per the article, and as per my own experience – people in general are fucking lazy, and even that extra effort of moving twenty yards to unlock the phone to use it is more than most can be bothered to do. And so those people stay in place, watch the concert (or whatever) and aren’t distracted by their phones.

I’ve griped (on several occasions) about concerts now where more people seem to be filming the gig through their phones than actually watching it and how distracting that is for those who actually want to see the performance (although Yondr won’t fix the other issues mentioned there of people constantly chatting to their mates while the show is on, or keep going to the bar etc.)  and this seems like a really good way of reducing that desire.

Yondr don’t say how much their service costs to install – I assume it’s not going to be cheap – but I really do hope it’s something that both venues and artists support and promote.  I know I’d be more likely to go to a gig/venue that was ‘phones-free’…


Current Scams

At the moment, there are a couple of interesting (and fairly well-crafted) scams going around.  I’ve seen/received all of these in the last week or so.

Firstthe ‘we know what you’ve been up to‘ scam email.

It says something along the lines of “I know what you’ve been up to – when you were on that porn site (it’s noticeably non-specific on details) I loaded a screen-grabber to your machine, so we could record your ‘activities’“.  Some of them also have something like “We know your password for the site was [whatever]” – the password is usually an old one that they’ve taken from a record including your email address, and gambles on people using the same password across multiple sites. (In fairness, most people do exactly this)  And then it asks for a ransom “or your shame will be available for all to see” It’s pretty basic, but is apparently enough to scare a certain sub-set of people (AKA gullible idiots) who so far have forked out around $250,000 to the scammers.

Second – and there are two types of this currently bonging around – are the HMRC scams.

These basically draw on the whole paranoia about HMRC losing payments, or trying to take the business owner to court.

I’ve had umpteen emails about “Your payment hasn’t gone through” along with attached links or forms to fill in – always a pretty damn good clue that it’s a scam.  And again, they’re all ridiculously non-specific, don’t mention a company name/details, or what the payment is supposedly for – another warning sign

The second type, which is a bit nastier, is the phone message – I’ve had a couple now, with a message saying “We’re issuing a warrant in order to discuss this matter with you“, and sounding a lot more official.  Still no details though, or anything about what they’re wanting to discuss. (I know, in theory GDPR would also stop them from discussing, but that’s a side point for now)   However, they show the phone number – in my experience, calls from HMRC and the like come through a switchboard, and usually show as “Unknown Number” – and a quick search on that number provides more than enough evidence that it’s a scam.

 

Of course, there are plenty of other scam emails out there – it’s just that these are the ones I’ve noticed specifically this week, and particularly after having received a couple of the “HMRC” calls yesterday and today, so I thought I’d write a bit about them.


Gone Phishing

One of the things about being a techie is that I own a fair number of web domains. Some I’ve got for things like ongoing projects, business names I like, and a bundle of other stupid shit.  A lot are in the “when I get a chance” state of being – the ideas remain, and haven’t been done by anyone else, but for now they’re kind of drifting.

However, one of the other things I do is have a couple of domains that are purely for use when buying stuff.  They’re set to forward everything to my home email account, so it means I can set up anything @ the domain and it’ll do what I want. While it sounds a little bit mental, there’s a very good reason for all this.

For the purposes of explanation, let’s say I own a stupid domain, like myemail.com

So – when I buy something from a new company, I register with them using [company_name]@myemail.com . Any mail there will come to me – it’s a legitimate email address, just not one I’ll ever send an email from. (I can if I need to, but that’s a different point)  Everyone’s happy.

The key, though, is that if [company] starts spamming me, I can block that specific address, rather than having to do any kind of weird and fragile message rules etc.  It’s easy – I just add [company_name]@myemail.com to the ‘bin everything’ list, and there we go, it’s gone.

What I’ve found recently though is another interesting one – I can easily tell when [company] has been hacked, or lost its mailing list somewhere.

This week, I’ve been getting some *very* clever phishing emails (the ones about ‘just log in, give us your details, and we’ll sort this out’) to one particular address. They’re good enough that if they had come direct to my home email, I might’ve clicked on one by mistake. (I haven’t, but I could have)  They’re *that* good.  But I can see that they’ve come to [company]@myemail.com , so a) I know they’re shit mails, and b) I know that [company]’s mailing list is being used.

I’ve let [company] know, although there’s not much they can do about it now. But at least maybe they can notify their customers that their details have been leaked/stolen.

All told though, it’s another interesting reason to have that particular domain, and to use it in this way to keep my own information as safe as possible.


False Flags

Over the last week or so, there’s been an incredible amount of news coverage about the (alleged) ‘attempted assassination’ of an Russian ex-spy in Salisbury.

Today, the news has been full of stuff about how the nerve-agent used ‘points the finger at Moscow’, which just pings all the ‘yeah, but’ bells in my head.

Now, I’m not trying to say “Russia wasn’t involved”, because I simply don’t know.  But… this sort of “well it must’ve been them, they’re the ones who made it” ‘evidence’ and hype always makes me a bit twitchy.  If you extrapolate that, you might as well say that a car manufacturer must be responsible for every accident on the road, “because they’re the ones who made it”.

I don’t know enough on this one way or the other.  But if I were a player on a much larger political stage, and I wanted to (for example) divert public and media attention away from one ongoing political clusterfuck, and point it all somewhere else, I’d be looking at making a Big Bad Enemy that can be blamed for Why You Should Be Afraid. And I’d probably work to either get materials that can be attributed to that Big Bad Enemy, or… well, or just make up all that ‘evidence’. Because of course it’s all ‘top secret’ and ‘in the interests of national security’, so they’re never going to produce that evidence in public anyway.

And it’s impossible to imply that only Russia had access to this stuff.  If nothing else, American scientists (and there’s no way there weren’t security/agency personnel in that entourage!) visited and helped decontaminate the plant where the nerve agents in question were being produced.  If they were approved for Russian military use (and they were) then those nerve agents would’ve been distributed to army installations and so on. All too easy at that point for them to be ‘mislaid’ and/or sold or stolen to anyone else.

All told, this entire story stinks, and rings very much as “A big boy did it, and ran away!”  It’s all just a bit convenient.


Running Into The Flames

Following on from the stories about the terrorist attack yesterday at the Houses of Parliament, the BBC has a piece on the people from St Thomas’s Hospital (literally just over the bridge from the Houses of Parliament) who, on hearing about the incidents, ran to help.  And not just doctors and nurses – I feel a huge dollop of recognition should also be due to Tobias Ellwood, the MP for Bournemouth East, who went to help resuscitate the stabbed policeman.

I don’t care what the hell else is said about those events, but those people are heroes.  Stories like these always remind me of the speech from the West Wing TV Series, (The episode “20 Hours In America, Part II“, if you want to look it up) in the aftermath of another (fictional) terrorist attack …

… and two others are in critical condition, when, after having heard the explosion from their practice facility, they ran into the fire to help get people out. Ran into the fire. The streets of heaven are too crowded with angels tonight.

Gets me every damn time, the people who don’t stand and take pictures, who don’t run away, but instead run towards the danger.  I’d like to think I’m of a similar ilk – but who really knows, until that time comes?


Slack Data

In the car I hired last weekend, it had a load of built-in tech – Ford’s Sync system – that was quite interesting, not least for the fact that it worked really nicely and easily. Connecting my phone to the car was a doddle, the satnav worked well (and better than my usual stand-alone device in several ways) and it all just seemed pretty easy.

However. It’s obvious that it was designed for a standard “family car” scenario, rather than a vehicle that would be hired to many different users. Which makes sense, but leads to an interesting longer-term problem…

Basically, people are lazy – and don’t think about their data. So the convenience of connecting one’s phone to the car system for hands-free calls etc is great, as is the simple download of the phone’s address book to the system. But if you then don’t delete it when you take the car back to the hire place, it’s all available to the next user. The same applies to the satnav system – ‘recent destinations’ is a goldmine of activity, right down to house number and location. (And I suspect, with a bit of work, one could connect the destination to a phone number in that downloaded phonebook)

It just interests me, how little people care (or understand) about their information. I cleared down the whole car system before I returned it, which took less than five minutes all told. So it’s not much work, but it’s still work, which most people don’t seem willing to undertake.

I’ve suggested to the hire company that it should perhaps be part of the car sanitising process when it’s returned (or before it’s hired back out, whichever) although I realise that makes it more hassle for them, and there’s a lot of different setups in the various cars.

Of course, it’d be better if people cleaned up after themselves – or the car tech had a “forget everything” button/process (although that would still be too much effort for most people) that did the job. But that won’t happen until people realise how important this shit can be, and sadly that tends to only happen by negative paths/occurrences/events, and will always be learned too late.


Lockdown (Experimental)

In the interests of – well, really just geekery – I’ve turned on HTTPS encryption on D4D™. It should be an invisible process to users of the site, but I want to know if it actually is or not.

I firmly believe in making all internet connections more secure, for a bundle of reasons I’m not going to go into right now. So I figure I might as well do some testing of it here (as well as on some other projects I’ve been running, or that are coming up and haven’t been mentioned here) to see how it goes.

In other news, it’s been a busy old week again, but I’ll write more about that in a different post.


Security Stupidity

Every so often, I’ll see a scenario that just leaves me utterly gobsmacked. Sadly, they’re usually based around security of some sort – for whatever reason, it’s something I’m generally pretty tuned in to, and aware of.

Yesterday’s one was an absolute blinder – and caused by a complete lack of thought/awareness.

While I was walking at lunchtime, the person in front of me was paying a bill over the phone. Using hands-free, so it was all done out loud.  (I don’t quite get why some people use hands-free for conversations on mobiles while walking – particularly when they’re still holding the mouthpiece to their mouths anyway. People be weird)

That wasn’t so bad – he was entering the card details using the keypad, so in that aspect it was fairly secure. Not how I’d have chosen to do it, but hey, I’m not one to judge.

The bit where it all went tits up, though, was that the payment line then reads the numbers back to the user, as a confirmation. “If this is correct, press 1“.

It’s a scenario where the developers etc. have thought about how to confirm the card data, and it makes sense to read it back. They’ve just not seen the real-world situations where people then do these things in public, on hands-free speakers. But it meant that – were I a bad person – I’d have all of that guy’s card information (it even read back the CV2 validation number) which I could have made use of.

 

And in case anyone’s wondering, I did tap him on the shoulder when he’d finished the call, and explained that he really should get that card changed ASAP. If I could hear it, or if he does that on a regular basis, then the card is compromised, and it’s only fair to make him aware of it.

It’s up to him, of course – but the fact I told him his card number, expiry date, and CV2 (correctly – I really do need to get out more) certainly seemed to focus his mind somewhat…


Home Security

Over the last couple of years, I’ve walked round the village fairly frequently, just for extra exercise (and also, you know, why not?)

Over the last couple of days (the days between Christmas and New Year, which I saw someone call “the festive perineum”, which amused me more than it should have) while doing that route, it’s made me think about just how easy people make it for potential burglars, just by advertising that they’re not home.

No lights, curtains open, even stuff left outside the door.  It’s really quite gobsmacking.

After all, it’s not like time-switches are rare (or expensive) – they’re the easiest thing to use to at least make a house look occupied. Yet even that simple thing seems to be beyond so many people. I (kind of) get it, if you’re in 355 nights out of the year or whatever, that it might not be something you bother with. But it’s not like the Festering Season comes as a surprise – and if you know you’re going to be away, why not spend a tenner and at least get a couple of timeswitches so you can put on a radio/TV and a light?

Maybe (hopefully) these people have never had a break-in, have never known that icky feeling that someone else – someone uninvited – has been in your home, has gone through your things. Let alone that that person has then taken some of those things, and you have to figure out just what has gone.  I hope that’s the case, but it’s still no excuse for being complacent about it (in my opinion) and leaving oneself open to the chance of that happening.

It’s no excuse for complacency, but then, people so rarely seem to need an excuse to think “It’ll never happen to me”. Until it does – and then it’ll be everyone else’s fault.


For Your Safety

You know, I for one am getting really tired of the government phrases “It’s for your safety” and “it’s for your security”, which are getting bandied around more and more.

This week it’s been used about blocking flights to and from Sharm El-Sheikh because of an alleged – but unproven – bomb in the hold of the plane that crashed in the Sinai desert last week. It’s also been used in discussions about monitoring everyone’s internet traffic and holding those records for at least a year, and in revelations about MI5 monitoring every domestic phone-call in the UK for the last ten years.

Governments like people to be scared – and more and more, we seem to be happy to let the government take these measures ‘because it makes us safer’. It doesn’t, it just gives up more information to the government – and all in the name of ‘safety’.

Basically, it’s shit.

[I know, I need to think more about this and write more. But it’s a phrase that bugs me every time it’s used]


Breaking Things

Last Friday there was a big(ish) story in the BBC and Media about the convicted paedophile who is requesting his laptop – complete with ‘non-obscene’ images of one of his victims. Dorset Police were quoted in the story as saying it would be ‘unlawful’ to delete/remove those images from the laptop, because they’re not technically obscene or showing nudity.

Now, aside from the fact that there’s something so blatantly wrong with this entire process (and why wasn’t the laptop just removed/destroyed as part of the evidence and ‘proceeds of crime’ bollocks?) then surely this is a perfect opportunity for a tragic IT-related ‘accident’?

Make sure it’s believable, could happen, and is feasible, and it’d be the devil’s own job to prove anything.

For example, a liquid spillage. Or leaving the machine next to – I don’t know – some kind of large magnet. Maybe the metal scanner in a doorway. Or just mis-filed in such a way that a) it can’t be found or b) it got destroyed. Lost property, IT security, avoidance of possibility for divulging person information.

There are many, many ways in which this could’ve never been an issue. The mis-filing and “sorry, can’t find it” would be easiest (and probably hardest to be disproved) but any of them would work nicely.  It’s more of a problem now, because they’ve admitted that a) it exists and b) it’s currently in an OK state. Ooops.


Information Security

While commuting in London the last few days, one thing that has really surprised me (although I know it shouldn’t) is how much information people give away unconsciously, and their general lack of consideration of their own security.

Standing on the tube, every day I see people using their phones without lock codes, as well as reading confidential emails etc. while on the train. I know, I know, some of it is just that I’m a nosy bastard – but all the same, it’s pretty surprising (to me) that people are so unaware of people around them who could be getting information etc.

It’s not just the emails and phones, of course. Standing in the local sandwich shop, I can see the PIN numbers people use on the Chip+PIN machines. (And of course the odds are that people use the same PIN number for their card transactions and for their phone unlock codes) Then they go and sit down, putting their bags beside them.

And I’ve lost count of the number of people I’ve seen carrying laptops in laptop bags, with the strap just over one shoulder – easy to slip off in a crowd and get away with into the distance.

If I were criminally inclined, I would have been able to easily nick two or three iPhones a day – and know which ones were unlocked with no PIN lock at all, or what the PIN code is. I’d be able to take handbags or wallets and know what those PIN codes are in order to make cash withdrawals etc. And I could probably get away with a laptop bag or two as well.

It gobsmacks me how little people seem to think about their own security, and the security of their information. It’s not even an “It won’t happen to me” attitude – I think most people aren’t even conscious of those potential risks.

I don’t have any answers to it. People just don’t seem to take it seriously. It’s the same with passwords (we’re always seeing lists of weak passwords that are in use, but even so they don’t change) and many other things. How we change it, I truly don’t know…


CEOP and NCA

I see that with the introduction of the new National Crime Agency (whose name sounds more like a criminal organisation, similar to Murder, Inc., than a law-enforcement one – you’d have thought National Crime Prevention Agency would’ve been a better choice) they’ve also wrapped up CEOP (Child Exploitation and Online Protection) into it as well.

I’ve always had my doubts about the use of CEOP as anything except propaganda. (and I’ve said so before)  I don’t doubt that there is such a thing as child pornography, nor that abuse happens, that it’s more prevalent (or at least more reported on) now, and that t’internet has made things easier for paedophiles and abusers to both find victims and distribute those images.  (And on a related subject, I also just read this story from the Guardian, and Bloody Hell)

But – ah, but – I do doubt that the methods for distribution of those images include things like Facebook and Twitter. I do doubt that ‘abuse’ on social media is as prevalent as CEOP makes out. The stats they release every quarter always make me think that they’re more about justifying their own existence, as do most of their stories, press releases and news soundbites.  Yes, there should be an area of Policing and/or Law Enforcement that deals with these issues – but in my opinion it should be a part of standard policing, similar to New York’s Special Victims Unit (yes, it’s real, not just part of a TV Series mythology)

I’d rather see specialists per force – with the ability to communicate and operate between forces – than an agency that works so hard to justify its own existence.

Or of course, I could be being wholly cynical and uninformed about the entire thing. Who knows?


Increased Security

At the moment, there is a huge attack going on against blogs using WordPress.

It’s primarily attacking the blogs who’ve kept a lot of the default settings – particularly keeping the primary user as “admin” with weak/known passwords – but still, it’s better to make sure that things are secure.

D4D™ has always been on an altered install of WordPress – mainly because I’m really bad at leaving things alone – so I’m less concerned about it, but all the same, I’ve added in a couple of security plugins just to reinforce things.  I’m also making use of Cloudflare to add another level of security.

It’s going to make things interesting for a lot of Blog Owners on the WordPress platform, though.  Basically, if you’re on WP you need to :

  1. Make sure you’re not relying on the “admin” user
    1. Add a new user to WP , give it admin rights (and a strong password)
    2. Set “admin” to have the lowest possible permissions (contributor), or delete it completely.
  2. If possible, make sure your database isn’t using the wp_ prefix for all wordpress tables.
  3. Use Cloudflare or similar
  4. Install the Limit Logins plugin
  5. If you know what you’re doing, also install the Extend WP Security plugin
  6. Take backups!

There’s other stuff along the way, but those really are the key points.


Google Web History

On March 1st, Google’s privacy policy is changing.

If you don’t want your web history (among other things) stored past that date, you need to delete it in the next week. If you leave it ’til 1st March, it will be too late – you need to have done it by the end of 29th Feb.

The EFF has a useful page here about how to delete your Google web history.


Honest Intent

On this particular day, remember that Guy Fawkes is still the last person to enter the Houses of Parliament with honest intentions.

The Gunpowder Plot is a healthy reminder that terrorism really is nothing new.  Mind you, if the risk of terrorism now were to involve being hung, drawn and quartered, I wonder how many would still think it such a cool thing ?


It’s not about religion

In today’s news there’s been a big thing about Barack Obama defending the right to build a mosque near the Ground Zero site in New York.

The best bit of it all though was the quoted parts of the speech…

We must all recognise and respect the sensitivities surrounding the development of lower Manhattan, Ground Zero is, indeed, hallowed ground. But let me be clear, as a citizen, and as president, I believe that Muslims have the same right to practise their religion as anyone else in this country.”That includes the right to build a place of worship and a community centre on private property in lower Manhattan, in accordance with local laws and ordinances. This is America, and our commitment to religious freedom must be unshakeable. The principle that people of all faiths are welcome in this country, and will not be treated differently by their government, is essential to who we are.”

He told the group of US Congressmen, government officials and foreign dignitaries that America’s tradition of religious tolerance distinguishes it from “our enemies”.

“Al-Qaeda’s cause is not Islam,” he said, “it is a gross distortion of Islam”.

And that’s the primary point for me – Al-Qaeda is not an Islamic cause, the current phase of “islamic terrorism” isn’t about islam at all, it’s just about terror. Anyone who thinks that these terrorist episodes are about religion really is a bloody moron – religion is (as always) the convenient talking-point to support the ’cause’.


New Scam/Phishing Email

Yesterday I noticed a new spam / scam / phishing email that seems to have appeared.

It purports to come from Amazon, and tells you that your order has been despatched, along with some links that are clickable.  The links actually go off to a russian site, but I’ve no idea what that does, and have no intention of finding out.

The biggest clue that it’s a spam/scam are

  • the prices are all in dollars (which is a bit of a giveaway for us in the UK)
  • you haven’t ordered anything from Amazon
  • it’s got a link to “see the ordered items”, rather than just listing them in the mail
  • the email address it’s been sent to isn’t the one you’ve got listed with Amazon

But all told it’s one of the better spam/scam/phishing-type emails of the moment.  Best to publicise it and be aware of it.


Security Reading

All quiet round here at the moment, as my brain is utterly failing to process stuff.

I’m stuck with reading a metric butt-load of security stuff (as written about at the tail end of last week) which is about as interesting as you’d expect.

Check out this – it’s the first paragraph of the documentation, which (as I understand it) is meant to make you want to read more…

CLASP — Comprehensive, Lightweight Application Security Process — is an activity-driven, role-based set of process components whose core contains formalized best practices for building security into your existing or new-start software development lifecycles in a structured, repeatable, and measurable way.

In any game of Buzzword Bingo, that paragraph/sentence will get you “House!”

There’s 600+ pages of this shit to wade through, so posts here might be a bit slow


Documentation

In the run-up to the Festering Season, I had one hell of a lot of work coming in with some documentation that needed doing in order to get us what’s known as PCI-DSS accreditation. PCI-DSS stands for “Payment Card Industry Data Security Standard”, and it’s a total fucking nightmare.

Anyway, one of the big steps in attaining this PCI-DSS standard is to have somewhere around a metric shit-ton of paperwork. No kidding. There’s some 230-odd points in the PCI-DSS standard, and each one of the bloody things needs documenting. It’s a serious bit of work just getting all the paperwork done.

With the other stuff I also had to do in order to get everything in place, the documentation took a back-seat, and we ended up getting it done by me speaking into a dictaphone, and then getting an audio-typist to type it all up. It was supposed to save me a stuff-load of time. And it worked – I’d got all the dictation done in two and a half days, and the typist did everything in time for mid-January.

Or so we thought.

It turned out that the audio-typist was a tossbag, and didn’t actually do all that much in the day they were in – at the end of which they said they’d done it all.

Cunty fucking bugger.

It’s taken me the intervening three fucking weeks to get things back to where I thought I was in mid-January. Three weeks of doing this sodding documentation, three weeks of making sure it’s right, and that it all makes sense. Oh, and still doing all my normal insane workload as well.

This goes some way to explaining why I haven’t been writing much on D4D in that time – I’m utterly damn sick of typing, and didn’t have the time or headspace to do much here.

I’ve just now finished the documentation for PCI-DSS. We’ll review it tomorrow and next week, so I’m sure there’ll be some edits. But that’s just fiddly crap – the most important thing is that I’ve broken the back of it. I’m done.

I’m also utterly fucked. But that’s beside the point. I’m done with the documentation.  Happy, happy day.


Living with Terrorism

Over Christmas there was yet another terrorist “attack” in a plane over the US. And as a result, Fuhrer Brown has said that full-body scanners will be brought in to all the main UK airports because ‘they’re crucial in the fight against terrorism”. Which, frankly, is bollocks – the experts don’t even agree that the explosives used by Umar Farouk Abdulmutallab on Christmas Day would be found by a full-body scanner.

I’ve written before about Security Theatre, and really this is all more of the same.

What makes me really laugh though is all the shite that politicians spout about doing this “because we won’t give in to terrorism”.

  • Every single time you take a flight and have to take your shoes off for a search, terrorism caused it.
  • Every time you go through a full-body search from now on, that’s been caused by terrorism.
  • Any time you can’t take a drink or shampoo abroad, that’s been caused by terrorism.
  • Any time you read about ID cards or airport security, that’s been caused by terrorism.

And actually, for pretty much all the above items, you could replace “caused by terrorism” with “caused by the threat of terrorism”. Because most of it isn’t actually related to terrorist acts – it’s related to “plots”, rather than the real thing.

Basically, if you’re travelling by plane, you’re affected by terrorism or the threat of it. Every time you’re affected, you think about why you’re being affected. And bang, terrorism wins yet again.

In fact, the only recent occasion where terrorism really hasn’t affected things (yet, anyway) was the bombings in London on the 7th July. Certainly that event has made people more aware of the risk of terrorism and suicide bombers – but it hasn’t involved extra security checks, or changes to the way we live.

So wittering on about not letting terrorists win, while adding in new pointless security measures “to prevent terrorism”, that’s terrorism winning its case.


Being Trusted

With the new job I’m actually finding myself in a fairly serious position of trust and responsibility – quite weird, for having only been with the company for two months.

For example, I’m completely responsible for the security of the data, a lot of which is seriously sensitive. That’s fine, I’ve been there before with other sets of information, but the sheer scale of this one is what makes it a bit intimidating. The stuff I’ve inherited from my predecessors is – to be polite – a bit shambolic, with what looks like a lot of “Oh, that’ll do” workarounds. So I’m getting to fix these things, and that can be a bit stressful.

This week has been (and still is, to some degree) a high point on the stress levels, because of two big jobs.

First, I’ve had to change all the encryption methods on the site, to bring it into accordance with some industry guidelines. That means de-crypting the existing data, re-encrypting it with the new method, then de-crypting it all again to make sure it matches the first set of de-crypted data. For 75,000 records. Suffice it to say, there were *lots* of backups in place, so I could roll it all back whenever.

Second – and this is due to be happening either tonight or tomorrow – we’re moving all the database stuff over to the new server. Again, having a seperate server for the database is a requirement of the industry standards but means a lot of work – killing the site, taking backups, copying them to the new server, and restoring the data. We could have used replication to copy one database to t’other, but to be honest I’m happier with the slower method which I’m familiar with in this case, rather than one I haven’t needed to use before.

Along the way, I’m also now a key-holder for the office – something else I don’t actually mind, and have done plenty of times before – but again it’s that responsibility, that trust which I still find surprising. I shouldn’t, but I do.

The final piece of this has started this week, as we’ve now got a new developer on board so I’m now in charge of a team of three developers, having to set up all the infrastructure for development areas, change control, training, documentation, everything. I’m responsible for two other people’s jobs as well as my own. That’s the scary bit – in the case of the new developer, I’ve been the one to interview him, I’m the one who’s said he’ll do the job. If I’m wrong, then he’s going to go, and won’t necessarily have anything to go to.

It’s all a bit of a leap into the – what? It’s not unknown, I’ve run small teams before, and run other businesses before I got back into IT and Web stuff. But it’s a big leap for me all the same, from where I was working last year as sole developer for one of the local councils, and now I’ve got a team, a set of plans, and a whole shitload of work.

Weird the way things work out sometimes, isn’t it?


Email Fuckwittage

Following on from the post a while back about the Marketing Manager for the Ireland distributor of a Japanese car sending out a marketing email with all the addresses CCd in instead of BCCd, I’ve had a couple more instances this week of email fuckwittage.

First of all, an email from a recruiter at Modis International (an Agency I dealt with once) who pimped out an email again using CC instead of BCC to throw it to loads of people. Even better, there were a number of fuckwits who then exacerbated the situation by using ‘Reply to All’ rather than ‘Reply’, and thus ended up spamming everyone themselves.

The second instance is even better though – at work, we’ve been setting up a secure site with SSL, and the company being used for the SSL certificate tried to email the equivalent of me@www.site.com instead of me@site.com . And tried it three times, without understanding what the problem was.

So all told, it’s been a bit of a week for fuckwits.


Self-Assessment

Over the weekend, I completed – and sent off – my Self-Assessment Tax Return to Your Friends And Mine at HMCE.  The deadline for receiving them is October 31st (i.e. this Saturday) so I’ve only just scraped it this year, having been really really good with it last year.

I know, I could do it all online, and have ’til January 31st to fill it in etc. – but I still don’t trust the online system. I wrote about this a couple of years back, and my feelings are still the same. Mainly, I’m happy to spend the money and use the Special Delivery stuff to get the tax return in – it just means I’ve got a signed confirmation that the Tax Return has been received where it’s been sent.  I’ve been bitten by that before, the entire “Oh no, we haven’t received it” from HMCE. Of course, if you say you haven’t received something from them, it’s a case of “Well we sent it, so you must have received it”, but it’s not the same thing when it’s time to send stuff to them.

Basically, when it comes to sending documents to HMCE, it always pays to be paranoid. Always assume that they are either :

  1. Vindictive
  2. Inefficient beyond the dreams of man
  3. Both

and you’ll be OK.

It’s because of that – OK, it’s partly because of that – that I still don’t trust the online submission of tax returns. Yes, you can be pretty sure they’ve received it – but when it comes to HMRC, “pretty sure” simply isn’t sure enough. I feel the same way about HMCE’s online submission as I do about the people who store all their important data/files with Google, Amazon or some other internet cloud-based server – in other words, “Expect it to get lost. Expect it to get hacked.”

My tax return is on paper. Yes, I know it’ll end up being clocked in to the HMCE ‘System’. That’s fine. But letting their system be the only place it’s held? Sod that. I’ve got a photocopy of the tax return. I know where the figures came from, and I’ve got them recorded. I expect HMCE’s copy of the document to get lost, edited, hacked or mislaid. If/when it happens, I’ve got my own hard-copy backup.  If you’ve done all the calculations on-line and not printed out the results (or even better, screenshots) and/or received confirmation from the system of those figures, what proof have you got of what you filled in?

Even if it’s simply that the electronic version gets corrupted, if HMCE also have it on paper then there’s some way they can recover the information without me even needing to be involved. If they only have an electronic version, then lots of people are going to be screwed if anything does happen.

So while I can, I’ll stick with doing my tax return on paper and sending it in to them. When they eventually go to “Online only”, I’ll still make sure I’ve got a printout of the entire thing, along with all the figures I’ve used to calculate it.

Call me paranoid, I don’t mind. Frankly, I’ve been kicked in the nuts by HMCE too many times to not be paranoid. And that’s not paranoia – that’s just common sense.


Three Nines

Of course, you also have to bear in mind that 911 was the main emergency number in the US well before the advent of 9/11, (or 11/9 – whichever you prefer) and there was always speculation that the date was chosen for exactly that reason.

As a result, I suspect there might be a few security agencies wondering whether 9/9/9 might be planned to be of similar significance/utilityin the UK…


Plane Stupid

I still find it hard to understand the certainty of the Government and Security Forces that terrorist attacks will happen again on aeroplanes. Maybe they know something I don’t.

To me, security – or at least the perception of security – comes about through making easy targets into harder targets. When it comes to home security, we don’t look at making our houses completely thief-proof. We look at making them into a harder target than my neighbours.

In my opinion, people in general – whether it be your everyday office worker, a burglar, a politician, or a terrorist – are lazy. They’re not going to do something difficult if they can do something easy.

On the terrorism front, airports are (in theory at least) the hardest target around now. Bear in mind though that I’m still a firm believer in ‘Security Theatre‘ – so airports at least appear to be the hardest target. They’re certainly more hassle than (for example) sitting on a bus or a train.

So I find it hard to understand that conviction that planes are still the prime target. Personally I’d probably be trying to look at anything but planes and airports.


How not to do it

This post has been deleted, on the request of Ian Corbett, Marketing Manager of Toyota Ireland, and his legal advisers.

For more explanation, see here.


Mis-Spelling

Yesterday, I got three spam emails attempting to go phishing for my log-in details.

Now, as I’ve said before many times, I feel that anyone who responds through these phishing emails deserves everything they get for being a bell-end and clicking on links in random emails. (Particularly when they then go to some very odd URLs that have nothing to do with the bank in question – in this case www.mybank.alliance-leicesterXXX.com)

And if anyone responded to any of these particular three emails, then they’re even more deserving of getting ripped off. In fact I’d then go so far as to simply term it as an idiot tax.

Because the subject line for all of these email addresses was :

Secure Message from Alliance & Liecester

And if you don’t spot that in the email, and still click on the links, you damn well deserve to lose your information/money.


Think 25

Over the weekend, I noticed that Sainsbury’s (and, I assume, the other supermarkets) are now operating a “Think 25” policy, where if you’re buying items that are prohibited under a certain age, you’ll get asked for ID first.

What items are we talking about? Well, to my knowledge – and this isn’t a comprehensive list, although I could probably find one if I tried – it consists of :

  • Cigarettes  (18 or over – it used to be 16, but changed in October 2007)
  • Alcohol (18 or over)
  • Blades – knives, razor-blades etc. (18 or over)

It used to be that if you looked under eighteen, you’d be asked for ID. Fair enough – 18 was the limit for most of the age-limited items.

Then the stores started getting paranoid about customers who just “looked” 18 getting through the system, so they invoked the “Check 21” policy, where even though you were legally allowed to buy said products, if you looked up to three years older than that, you would still get asked for ID – and not allowed to purchase the products if you didn’t have ID.

Now they appear to be even twitchier about it, and the “ask for ID” limit is 25 – and that’s if you look 25, not whether you are or not. So a whole seven years more of being asked for ID.

And the really stupid bit? The entire thing is voluntary – which means it’s perfectly legal for the only-just 18 till-person to sell the (for example) beer, but ask ID of someone who looks up to seven years older before they can sell it.

Totally barmy.


Airport “Security”

I’ve always been fascinated by the entire “security theatre” thing since 11/9  (Sorry, 9/11)  and this article goes some way to showing some of why I find it so interesting.

What’s security theatre? It’s the farcical measures that’ve been thrown up – particularly in airports – since the 9/11 terrorist attacks. They’re not about security, they’re about making people think they’re secure – and it’s all pretty farcical when you think about it.

Bruce Schneier has been a critic of airport security and the security hype for a long time now – he’s a security and cryptography expert, who’s written some very cool stuff over the years, and knows what he’s talking/writing about. He’s quoted throughout the article, and makes far more sense than anything that the TSA and associated agencies can come up with.

All told, it’s a well-written piece, and well worth reading.


Inauguration

So, today is the day when Barack Obama is inaugurated as President of the USA.

I just wonder how long it’ll be before there’s an undeniable assassination attempt now. By that I mean one that’s not just a redneck in a pickup heading towards Washington DC, but shots fired, Secret Service running around etc.

Because I’m an über-cynic, I suspect that it won’t be long…


Locked Down

One of the things I’m kind of fascist about in the workplace is locking down workstations when people are away from them. In a big environment, it’s all too easy for someone else to use your computer to do something that they don’t want attributed to them (Such as sending a rude email to the CEO, for example) and if the workstation’s left unlocked then it’s even easier.

In the new place, people just don’t have the mindset to lock down their computers when they leave them. It’s something they should be doing, and it’s part of the IT policy, but they just don’t.

So since I started, I’ve been instigating a guerilla campaign to start making my colleagues lock their workstations down when they leave them. In short, if they don’t lock them down, I play…
(Note : I should point out, if I were to leave my workstation unlocked, I’d fully expect them to do the same to me in return.)

  • Stage One : I created emails to CEOs, colleagues etc., but didn’t send them, and just left them on the desktop.
  • Stage Two : Close down open applications
  • Stage Three : Change the Desktop images
  • Stage Four : Change the colour schemes
  • Stage Five : Change the password…

So far, we’re just on Stage Three. People are learning slowly but surely, but as they learn, the penalties for mistakes become far steeper…


Home Hub Security

Got a BT Home Hub? If so, you really need to read this on the Register, and then go off to BT’s site and follow their instructions for making it properly secure rather than leaving the security settings at their defaults.

Thankfully, we don’t have one of these abortive pieces of crap and instead have our own wireless router/firewall thingy.

But it’s scary to see just how insecure the BT Home Hub is by default…


eNannying

The story today about a report recommending better laws against ‘e-crime’, recommending that software producers etc. should be made to pay compensation to the victims of ‘e-crime’ left me frothing at the mouth.

Responsibility for protecting users also fell to “the IT industry and the software vendors, the banks and internet traders, and the internet service providers”, he said.

Now I’m sorry, but that is just utter shit. Well, up to a point, anyway.

Personally, I firmly believe that we’re responsible for our own security, whether that is the physical stuff (closing/locking doors and windows, locking the car, that kind of thing) or whether it’s computer security – anti-virus, firewall, security patches, keeping the OS up to date, all that guff. However, I also try to bear in mind that the world is full of fuckwits, so I would like to see PC manufacturers/sellers have some decent (and preferably free) security software pre-installed on all new machines. Mind you, I’d also like to see ISP CDs provide the same kind of thing. And I’m not talking about processor- and memory-intensive hogs like McAfee or Norton, either. And I do think that if you’re provided with a broadband router/modem, then it should be one with a built-in firewall, rather than just the cheapest box they can find. So on that score yes, I do feel that companies should be encouraged to do more to deal with the problem from the start – and to have these things installed and activated by default, without the need to go through shedloads of financial commitments and contracts (McAfee/Norton/Symantec, I’m referring to you) – just have it ready to run from Day One.

But when all’s said and done, that security is still a personal responsibility, not one that should be legislated by government. If you opt for being a fuckwit, not running AV, running an out-of-date or unpatched browser/OS, and then clicking on some dodgy email purporting to be from your bank rather than going direct to the bank website to check it out, you deserve to get stung. I tend to think of it as an idiot tax.

Antivirus-wise, AVG offers a completely free version of their fantastic anti-virus software, which I’d recommend to anyone. Personally, I use the paid-for licensed version, because I think that the software is so good it’s worth the £25 for two years for a single license. (I’ve actually got it licensed for 5 machines, I think – should keep me going)

But none of this internet security stuff is really difficult. You just have to have some kind of intelligence, and not just click on a link in an email, for example. It really isn’t rocket science.

And if you can’t be arsed to run AV, or do just click on that link that says it’ll go off to [xxx] bank so you can change your password, as it may have been hacked already? Then I’m afraid you should be liable for the results of your own idiocy. And I’d say the same thing even if I were to fall for something like that.

Idiot tax – pay it, and learn from the experience.


Terrorism Bollocks

On the way home last night, I got ‘stop and search’ed in the entrance hall of Cambridge station under the auspices of the Terrorism Act 2000. It wasn’t for any reason, just part of the random shite during ‘heightened’ alerts.

Now, in general I don’t really have a problem with the stop-and-search stuff. I got used to it a long time ago, when I was in the throes of heavy insomnia, and would regularly get stopped and searched at 4am when I was out for a walk. I understand the principles of it, and the Bentham-esque supposed panopticism, where the theory goes that if you are under constant scrutiny, you never know when They really are watching you. It’s the same motive that underlies all the CCTV crap, and many other bits of our current legal surveillance framework.

What I do object to is that when I get stop-and-searched, the search is so cursory as to be utterly fucking pointless. Yesterday’s one was a case in point.

All they did was look in my backpack. That was it. I didn’t have to turn on the laptop that was in there, to ‘prove’ that it wasn’t an explosive device cunningly disguised. I didn’t have to open the bottle of water there, to prove it was water, and not some colourless liquid explosive. They didn’t even open the pockets on the bag – at least one of which was heavy with portable hard-drive, USB stick, headphone cables, metal pen, and some other stuff that had all the hallmarks of a small explosive device. (electronics, wires, small compact box, blah blah)

They didn’t check me at all. I could’ve had weapons on me, small gas canisters (those little gas capsules for CO2, for example) or been wired to chuff and back – hell, my entire belly area could’ve been padding and C4. But none of it was checked.

And let’s be honest, if I were some numpty bent on self-immolation with a C4 waistcoat or whatever, would a stop-and-search have any effect? Would it bollocks. If I were that dedicated/committed to blowing myself to kingdom come, and taking as many people as possible with me, (which I must emphasise to the hard-of-thinking I am most certainly not) then fuck it, the rail station entrance hall is as good a place as any. And ooh look, the chance to take out three or four policemen as well. Bonus.

Would stop-and-search have been of any use in the current wave of so-called ‘attacks’. Would it bollocks. Well, unless they’ve a method for using stop-and-search against oncoming burning vehicles, or ones being driven at speed towards the station.

And when all’s said and done, that’s what I object to – the fact that the entire thing is just staged shit to make people ‘feel’ more secure. It’s got no practical use whatsoever. Maybe iit would’ve had some use f I’d started sweating, or praying, or some other massive giveaway. I doubt it though.


Handwritten – an Update

About a week ago, I wrote about the cashpoint (ATM) machine with the handwritten notice on it – which (to my surprise) garnered no comments at all.

Anyway, walking past the same pair of machines today, I noticed that this time the same one was out of order, but had up the machine’s default “Out of service – please use another machine” message on the display. No handwritten sign was in evidence at all.

I wonder if anyone’s noticed yet that they lost money last week?


Visiting the US?

In the Telegraph, there’s a very interesting story about what the USA does when you book a flight to visit them. The short answer? It’s probably better to pay cash

By using a credit card to book a flight, passengers face having other transactions on the card inspected by the American authorities. Providing an email address to an airline could also lead to scrutiny of other messages sent or received on that account.

Quite honestly, with attitudes like that, what on earth makes the US expect that people would still want to visit them?


Web Numpties

On the subject of numb-brained persons, and their inability to deal with common knowledge, is it really a shock to know that a large number of people are still total twunts when it comes to computers? No, not really.

Fair enough, this entire story is about “honeypot” PCs and seeing how long it takes them to be attacked – but by definition these honeypots are unprotected – no firewall, no anti-virus, and (most importantly) a complete numpty at the keyboard.

The survey found 17% of people had no anti-virus software and 22% had no firewall. A further 23% said they had opened an e-mail attachment that came from an unknown source.

I’m sorry, but if people can’t be bothered to use an anti-virus tool, and to activate either Windows’ own software firewall, or get one of their own, then they bloody well deserve to be taken for a ride. As for opening up email from unknown sources, I kind of wrote about this over the weekend, but still, nearly a quarter of people have opened random emails with (one assumes) a subject line that makes them think it’s OK to open? I despair. Mind you, again, people who do that just deserve to be ripped off – it’s like an idiot tax.

At home our broadband connection comes through a box with a built-in firewall and router. There’s also at least a software firewall on all the machines in the house. And all of them use AVG’s anti-virus as a matter of course.

After all, it’s not like it’s difficult to get a decent free bit of anti-virus software like AVG. And OK, while my favourite software firewall has now disappeared (thanks to Symantec, who always were a bunch of scum-sucking weasels anyway) it’s still not difficult to find and install the likes of Zone Alarm, or even to use the entire anti-virus/firewall combinations released by companies like Norton, McAfee, et al.. It’s just that the “Oh, it’ll never happen to me” attitude still prevails, and it’s likely to continue to do so for the forseeable future, and for one prime reason. People are numpties. Simple as that.

Personally I think that all broadband connections – be it ADSL, Cable, ISDN, whatever – should use boxes with at least a basic built-in firewall. I know Windows XP SP2 activated the software firewall by default, and I think that’s a good thing too. I would like to see new PCs come with a decent (and free) anti-virus scanner – although of course Dell et al probably get a huge dollop of cash for pre-installing shit like McAfee on the computers they provide – so that everyone has access to the basic protection, from Day One, without having to shell out extra money.

If PC makers, Broadband providers and so on simply work on the assumption that people won’t bother, and just provide these simple things as a built-in, then a whole load of these problems would go away. Most standard PC users don’t bother uninstalling what comes with the PC, they want to just plug-and-go. So give them the security straight away. Don’t assume that either a) people will know they need this stuff or b) that they’ll go and download and install it as the first thing they do. They won’t. They’ll leave it ’til the PC is a heaving festering lump of viral content, pop-ups, and email shite, and then complain…

The computer’s gone wrong! I didn’t do anything! It’s the computer’s fault!


Asking For It

In today’s “local” news on the BBC, it appears that police are warning drivers not to leave sat-nav units in their cars when unattended. To me, this really isn’t rocket science. Apparently to a lot of people it is.

When I walk anywhere, I tend to notice what’s in cars. I don’t know why – I guess I’m just nosy, really – but I do pay attention. And it’s quite amazing the number of people who do leave expensive stuff out on view when they’ve parked up. Now yes, maybe it is “only for a couple of minutes” – although a lot are at least overnight – but still, you’ve got to be pretty bloody dumb to leave the sat-nav in it’s cradle, with only a window to “protect” it. Same applies for the people who strong leave their phones in their cars, and even their wallets.

All in all, the “don’t leave valuables in the car” message has now been circulating for at least a decade, if not two. As we carry more and more valuable stuff around with us, it would seem sensible to be more aware, but instead people seem to still make use of the “It’ll never happen to me” mentality that drives me utterly bananas.

So far as I’m concerned, if you leave valuable stuff like sat-nav, mobiles, money, cameras etc. visible in the car – and a lot of people do – then you should be prepared to lose it. And of course if you’ve been a numpty and left it there visible, the insurance won’t pay out for it either – in fact, it’s like a tax for idiots. Works for me…


Biobouncer.

Now here’s a scary development – BioBouncer (although it’s a bloody horrible name) Basically, it’s a facial recognition system for bars – it scans each customer’s face as they come in, and then can check it against a list of “undesirable” customers.

Using advanced facial recognition biometric technology, BioBouncer™ quickly and accurately identifies these potentially dangerous people as they walk in the door – so they don’t even have a chance to ruin someone else’s experience. Powered by a combination of patent pending performance enhancing software intricacies, BioBouncer™ captures facial images of all club patrons as they enter. These images are then matched against a database of individuals who have broken club policy in the past and who are not welcome anymore. Maybe they are known to carry a weapon, have been removed for violence, or violate the club’s illicit drug policy.

Should a match occur, an alert is sent to your security personnel via wireless network and informs them of the alert location, accompanied by a photograph of the individual. Depending on club protocol, your staff can react quickly and effectively to either remove the person or at least be aware of his location. And speed? BioBouncerâ„¢ matches against 1,000,000 faces in less than one-second.

And if you’re just an innocent punter, out for a night? Supposedly those images that aren’t needed or referenced are deleted at the end of the night.

As Bruce Schneier says in his Crypto-Gram email (which is where I got this from),

Anyone want to guess how long that “automatically flushed at the end of each night” will last? This data has enormous value. Insurance companies will want to know if someone was in a bar before a car accident. Employers will want to know if their employees were drinking before work — think airplane pilots. Private investigators will want to know who walked into a bar with whom. The police will want to know all sorts of things. Lots of people will want this data — and they’ll all be willing to pay for it.

And the data will be owned by the bars that collect it. They can choose to erase it, or they can choose to sell it.

It’s rarely the initial application that’s the problem. It’s the follow-on applications. It’s the function creep. Before you know it,
everyone will know that they are identified the moment they walk into a commercial building.