Lockdown (Experimental)

In the interests of – well, really just geekery – I’ve turned on HTTPS encryption on D4D™. It should be an invisible process to users of the site, but I want to know if it actually is or not.

I firmly believe in making all internet connections more secure, for a bundle of reasons I’m not going to go into right now. So I figure I might as well do some testing of it here (as well as on some other projects I’ve been running, or that are coming up and haven’t been mentioned here) to see how it goes.

In other news, it’s been a busy old week again, but I’ll write more about that in a different post.


Security Stupidity

Every so often, I’ll see a scenario that just leaves me utterly gobsmacked. Sadly, they’re usually based around security of some sort – for whatever reason, it’s something I’m generally pretty tuned in to, and aware of.

Yesterday’s one was an absolute blinder – and caused by a complete lack of thought/awareness.

While I was walking at lunchtime, the person in front of me was paying a bill over the phone. Using hands-free, so it was all done out loud. (I don’t quite get why some people use hands-free for conversations on mobiles while walking – particularly when they’re still holding the mouthpiece to their mouths anyway. People be weird.)

That wasn’t so bad – he was entering the card details using the keypad, so in that aspect it was fairly secure. Not how I’d have chosen to do it, but hey, I’m not one to judge.

The bit where it all went tits up, though, was that the payment line then reads the numbers back to the user, as a confirmation. “If this is correct, press 1“.

It’s a scenario where the developers etc. have thought about how to confirm the card data, and it makes sense to read it back. They’ve just not seen the real-world situations where people then do these things in public, on hands-free speakers. But it meant that – were I a bad person – I’d have all of that guy’s card information (it even read back the CV2 validation number) which I could have made use of.


And in case anyone’s wondering, I did tap him on the shoulder when he’d finished the call, and explained that he really should get that card changed ASAP. If I could hear it, or if he does that on a regular basis, then the card is compromised, and it’s only fair to make him aware of it.

It’s up to him, of course – but the fact I told him his card number, expiry date, and CV2 (correctly – I really do need to get out more) certainly seemed to focus his mind somewhat…


Home Security

Over the last couple of years, I’ve walked round the village fairly frequently, just for extra exercise (and also, you know, why not?)

Over the last couple of days (the days between Christmas and New Year, which I saw someone call “the festive perineum”, which amused me more than it should have) while doing that route, it’s made me think about just how easy people make it for potential burglars, just by advertising that they’re not home.

No lights, curtains open, even stuff left outside the door. It’s really quite gobsmacking.

After all, it’s not like time-switches are rare (or expensive) – they’re the easiest thing to use to at least make a house look occupied. Yet even that simple thing seems to be beyond so many people. I (kind of) get it, if you’re in 355 nights out of the year or whatever, that it might not be something you bother with. But it’s not like the Festering Season comes as a surprise – and if you know you’re going to be away, why not spend a tenner and at least get a couple of timeswitches so you can put on a radio/TV and a light?

Maybe (hopefully) these people have never had a break-in, have never known that icky feeling that someone else – someone uninvited – has been in your home, has gone through your things. Let alone that that person has then taken some of those things, and you have to figure out just what has gone. I hope that’s the case, but it’s still no excuse for being complacent about it (in my opinion) and leaving oneself open to the chance of that happening.

It’s no excuse for complacency, but then, people so rarely seem to need an excuse to think “It’ll never happen to me”. Until it does – and then it’ll be everyone else’s fault.


For Your Safety

You know, I for one am getting really tired of the government phrases “It’s for your safety” and “it’s for your security”, which are getting bandied around more and more.

This week it’s been used about blocking flights to and from Sharm El-Sheikh because of an alleged – but unproven – bomb in the hold of the plane that crashed in the Sinai desert last week. It’s also been used in discussions about monitoring everyone’s internet traffic and holding those records for at least a year, and in revelations about MI5 monitoring every domestic phone-call in the UK for the last ten years.

Governments like people to be scared – and more and more, we seem to be happy to let the government take these measures ‘because it makes us safer’. It doesn’t, it just gives up more information to the government – and all in the name of ‘safety’.

Basically, it’s shit.

[I know, I need to think more about this and write more. But it’s a phrase that bugs me every time it’s used]


Breaking Things

Last Friday there was a big(ish) story in the BBC and Media about the convicted paedophile who is requesting his laptop – complete with ‘non-obscene’ images of one of his victims. Dorset Police were quoted in the story as saying it would be ‘unlawful’ to delete/remove those images from the laptop, because they’re not technically obscene or showing nudity.

Now, aside from the fact that there’s something so blatantly wrong with this entire process (and why wasn’t the laptop just removed/destroyed as part of the evidence and ‘proceeds of crime’ bollocks?) then surely this is a perfect opportunity for a tragic IT-related ‘accident’?

Make sure it’s believable, could happen, and is feasible, and it’d be the devil’s own job to prove anything.

For example, a liquid spillage. Or leaving the machine next to – I don’t know – some kind of large magnet. Maybe the metal scanner in a doorway. Or just mis-filed in such a way that a) it can’t be found or b) it got destroyed. Lost property, IT security, avoidance of possibility for divulging personal information.

There are many, many ways in which this could’ve never been an issue. The mis-filing and “sorry, can’t find it” would be easiest (and probably hardest to be disproved) but any of them would work nicely. It’s more of a problem now, because they’ve admitted that a) it exists and b) it’s currently in an OK state. Ooops.


Information Security

While commuting in London the last few days, one thing that has really surprised me (although I know it shouldn’t) is how much information people give away unconsciously, and their general lack of consideration of their own security.

Standing on the tube, every day I see people using their phones without lock codes, as well as reading confidential emails etc. while on the train. I know, I know, some of it is just that I’m a nosy bastard – but all the same, it’s pretty surprising (to me) that people are so unaware of people around them who could be getting information etc.

It’s not just the emails and phones, of course. Standing in the local sandwich shop, I can see the PIN numbers people use on the Chip+PIN machines. (And of course the odds are that people use the same PIN number for their card transactions and for their phone unlock codes.) Then they go and sit down, putting their bags beside them.

And I’ve lost count of the number of people I’ve seen carrying laptops in laptop bags, with the strap just over one shoulder – easy to slip off in a crowd and get away with into the distance.

If I were criminally inclined, I would have been able to easily nick two or three iPhones a day – and know which ones were unlocked with no PIN lock at all, or what the PIN code is. I’d be able to take handbags or wallets and know what those PIN codes are in order to make cash withdrawals etc. And I could probably get away with a laptop bag or two as well.

It gobsmacks me how little people seem to think about their own security, and the security of their information. It’s not even an “It won’t happen to me” attitude – I think most people aren’t even conscious of those potential risks.

I don’t have any answers to it. People just don’t seem to take it seriously. It’s the same with passwords (we’re always seeing lists of weak passwords that are in use, but even so they don’t change) and many other things. How we change it, I truly don’t know…


CEOP and NCA

I see that with the introduction of the new National Crime Agency (whose name sounds more like a criminal organisation, similar to Murder, Inc., than a law-enforcement one – you’d have thought National Crime Prevention Agency would’ve been a better choice) they’ve also wrapped up CEOP (Child Exploitation and Online Protection) into it as well.

I’ve always had my doubts about the use of CEOP as anything except propaganda. (And I’ve said so before.) I don’t doubt that there is such a thing as child pornography, nor that abuse happens, that it’s more prevalent (or at least more reported on) now, and that t’internet has made things easier for paedophiles and abusers to both find victims and distribute those images. (And on a related subject, I also just read this story from the Guardian, and Bloody Hell.)

But – ah, but – I do doubt that the methods for distribution of those images include things like Facebook and Twitter. I do doubt that ‘abuse’ on social media is as prevalent as CEOP makes out. The stats they release every quarter always make me think that they’re more about justifying their own existence, as do most of their stories, press releases and news soundbites. Yes, there should be an area of Policing and/or Law Enforcement that deals with these issues – but in my opinion it should be a part of standard policing, similar to New York’s Special Victims Unit (yes, it’s real, not just part of a TV Series mythology).

I’d rather see specialists per force – with the ability to communicate and operate between forces – than an agency that works so hard to justify its own existence.

Or of course, I could be being wholly cynical and uninformed about the entire thing. Who knows?