
Archive for the ‘Technology’ Category

Monday
Aug 8, 2011

I gather that the Total Politics Blog Awards are now in progress. I want to make it quite clear that I will not be in the least bit affronted should you choose to vote for this blog by clicking here.

Saturday
Jul 30, 2011

The Royal Air Force mission statement is:

“An agile, adaptable and capable Air Force that, person for person, is second to none, and that makes a decisive air power contribution in support of the UK Defence Mission.”

That is pretty clear and fits in with the RAF image, “The Few” and all that.

By contrast the mission of the United States Air Force is:

“To fly, fight and win in air, space and cyber space.”

The “and win” bit is maybe a tad more aggressive than making a decisive contribution, but the interesting bit is the inclusion of cyber space.

Now this may be a bureaucratic land-grab, with the USAF making a bid for the cyber-security leadership role in the United States Government, but it does pose the question: who has the lead for cyber-defence in the United Kingdom? Answers on a postcard (or email) please.

Royal Air Force Typhoons

Tuesday
Jul 26, 2011

An intriguing story is drawn to my attention by Team Cymru, leading experts on cybersecurity issues. This highlights some strange goings-on with the electronic voting system used in the 2004 American Presidential Election in the State of Ohio. As I remember it, early exit polls from Ohio suggested that John Kerry had won the state, but as the votes were counted it appeared that the exit polls were wrong and that Ohio had voted for George W Bush. The electoral college votes from Ohio were pivotal, and had they gone for Kerry he would have become President.

The report says:

“A new filing in the King Lincoln Bronzeville v. Blackwell case includes a copy of the Ohio Secretary of State election production system configuration that was in use in Ohio’s 2004 presidential election when there was a sudden and unexpected shift in votes for George W. Bush.

The filing also includes the revealing deposition of the late Michael Connell. Connell served as the IT guru for the Bush family and Karl Rove. Connell ran the private IT firm GovTech that created the controversial system that transferred Ohio’s vote count late on election night 2004 to a partisan Republican server site in Chattanooga, Tennessee owned by SmarTech. That is when the vote shift happened, not predicted by the exit polls, that led to Bush’s unexpected victory. Connell died a month and a half after giving this deposition in a suspicious small plane crash.

Additionally, the filing contains the contract signed between then-Ohio Secretary of State J. Kenneth Blackwell and Connell’s company, GovTech Solutions. Also included with that contract is a graphic architectural map of the Secretary of State’s election night server layout system.

Cliff Arnebeck, lead attorney in the King Lincoln case, exchanged emails with IT security expert Stephen Spoonamore. Arnebeck asked Spoonamore whether or not SmarTech had the capability to “input data” and thus alter the results of Ohio’s 2004 election. Spoonamore responded: “Yes. They would have had data input capacities. The system might have been set up to log which source generated the data but probably did not.”

Spoonamore explained that “they [SmarTech] have full access and could change things when and if they want.”

Arnebeck specifically asked, “Could this be done using whatever bypass techniques Connell developed for the web hosting function?” Spoonamore replied, “Yes.”

Spoonamore concluded from the architectural maps of the Ohio 2004 election reporting system that, “SmarTech was a man in the middle. In my opinion they were not designed as a mirror, they were designed specifically to be a man in the middle.”

A “man in the middle” is a deliberate computer hacking setup, which allows a third party to sit in between computer transmissions and illegally alter the data. A mirror site, by contrast, is designed as a backup site in case the main computer configuration fails.

Spoonamore claims that he confronted then-Secretary of State Blackwell at a secretary of state IT conference in Boston where he was giving a seminar in data security. “Blackwell freaked and refused to speak to me when I confronted him about it long before I met you,” he wrote to Arnebeck.

On December 14, 2007, then-Secretary of State Jennifer Brunner, who replaced Blackwell, released her evaluation and validation of election-related equipment, standards and testing (Everest study) which found that touchscreen voting machines were vulnerable to hacking with relative ease.

Until now, the architectural maps and contracts from the Ohio 2004 election were never made public, which may indicate that the entire system was designed for fraud. In a previous sworn affidavit to the court, Spoonamore declared: “The SmarTech system was set up precisely as a King Pin computer used in criminal acts against banking or credit card processes and had the needed level of access to both county tabulators and Secretary of State computers to allow whoever was running SmarTech computers to decide the output of the county tabulators under its control.”

Spoonamore also swore that “…the architecture further confirms how this election was stolen. The computer system and SmarTech had the correct placement, connectivity, and computer experts necessary to change the election in any manner desired by the controllers of the SmarTech computers.”

In the Connell deposition, plaintiffs’ attorneys questioned Connell regarding gwb43, a website that was live on election night operating out of the White House and tied directly into SmarTech’s server stacks in Chattanooga, Tennessee which contained Ohio’s 2004 presidential election results.

The transfer of the vote count to SmarTech in Chattanooga, Tennessee remains a mystery. This would have only happened if there was a complete failure of the Ohio computer election system. Connell swore under oath that, “To the best of my knowledge, it was not a fail-over case scenario – or it was not a failover situation.”

Bob Magnan, a state IT specialist for the secretary of state during the 2004 election, agreed that there was no failover scenario. Magnan said he was unexpectedly sent home at 9 p.m. on election night and private contractors ran the system for Blackwell.

The architectural maps, contracts, and Spoonamore emails, along with the history of Connell’s partisan activities, shed new light on how easy it was to hack the 2004 Ohio presidential election.”

Interesting, if true.

Friday
Jul 1, 2011

One of the most enjoyable things that I do in Parliament is to chair the judges for the annual information technology competition for primary schools, Make IT Happy, organised by PITCOM (the Parliament IT Committee). Earlier this week around 120 children – the regional winners – came to Parliament with their teachers to receive their awards and to hear which schools had been judged the national winners.

This year the entries were of a particularly high standard and all the regional winners had done extremely well, but especial congratulations went to the national winners:

1st Prize – Wales – St. Julian’s Primary School

2nd Prize – London – Northwood Primary School

3rd Prize – South East – Milbourne Lodge School

Top prize-winners were St Julian’s Primary School in Newport where the children had come up with the idea of making short “how to” videos, addressing common IT problems.

Each video was made by pupils, explaining and demonstrating the techniques needed. They posted the videos on their school website, and then worked to publicise them to a variety of groups in need of IT help.

Among those that benefited locally were an old people’s home, Glyn Anwen, and other schools in the area. St Julian’s also used the videos to cement their links with a partner school in Rwanda, which had recently received laptops from a charity.

The videos are well worth a look …

Read more: http://www.walesonline.co.uk/news/wales-news/2011/06/30/city-school-wins-5-000-uk-prize-for-making-people-happy-with-it-91466-28965644/#ixzz1QmYfk8ci

Thursday
Jun 30, 2011

The BBC is reporting that:

“Both reactors at the Torness nuclear power station have been shut down after huge numbers of jellyfish were found in the sea water entering the plant.”

The report continues:

“It is not known why there are so many jellyfish in the area.

Water temperatures along the east coast of Scotland have been relatively normal, but it is thought higher than average temperatures elsewhere in the North Sea may be a factor.

Operations at nuclear power plants in Japan have been disrupted by large numbers of jellyfish in recent years.”

I am sure many people will be disturbed by the idea of plagues of jellyfish around our shores, but when they start clogging up the inflow of cooling water into nuclear power stations it is time to get worried.

Climate change is real. It is happening and some of its effects are not what you might expect.

Wednesday
Jun 22, 2011

Sophos’s NakedSecurity site tells the cautionary tale of the company chief executive and the slighted IT administrator who took his revenge:

“Imagine you’re giving a presentation to the board of directors at your company. You have your PowerPoint slides all ready, you’re projecting onto a 64 inch screen… what could possibly go wrong?

Well, what would you do if your carefully composed presentation was replaced on the big screen by images of a naked woman? My guess is that you wouldn’t know where to put your laser pointer.

52-year-old Walter Powell used to be an IT manager at Baltimore Substance Abuse System Inc, until he was fired in 2009. Clearly someone who believed that revenge should be served red hot, Powell used his computer knowledge to hack into his former employer’s systems from his home and install keylogging software to steal passwords.

On one occasion, Powell took remote control of his former CEO’s PowerPoint presentation to the board of directors, and projected pornographic images on the 64 inch TV.

Press release about Walter Powell's sentencing

According to media reports, Judge M. Brooke Murdock gave Powell a two year suspended sentence, and ordered him to 100 hours of community service and three years’ probation.”

Interestingly, I read this on my way home from hearing a presentation from the CEO of a very large corporation who had described in passing the processes (that even he described as draconian) his company follows in monitoring the activities of employees who hand in their notice, which include checking what company files they access and download, reviewing their outgoing email traffic and monitoring memory stick usage. Once caught, twice shy?

Monday
Jun 13, 2011

It is estimated that in twenty-five years’ time two-thirds of the world’s population will live in areas of significant water stress and shortage. This will be one of the factors – along with climate change, rising sea levels and the loss of arable land – that will drive major population migration and feed into global insecurity.

A year ago there were reports that East African nations were struggling to contain an escalating crisis over control of the waters of the river Nile. According to the Guardian:

“The nine countries through which the world’s longest river flows have long been at loggerheads over access to the vital waters, which the British colonial powers effectively handed wholesale to Egypt in a 1929 agreement.

Egypt has always insisted on jealously guarding its historic rights to the 55.5bn cubic metres of water that it takes from the river each year and has vetoed neighbouring countries’ rights to build dams or irrigation projects upstream which might affect the river’s flow.”

Now, India has been accused of “water terrorism” against Pakistan:

“India is rapidly moving towards its target of making Pakistan totally barren by building dams on three major rivers including Chenab, Jhelum and Indus flowing into Pakistan from the Indian side of the border. These dams are being built in blatant violation of international laws and the Indus Water Treaty signed between the two countries to ensure equitable distribution of water resources. Pakistan has long been challenging these moves of the Indian authorities and the issue had been referred to international arbitration on various occasions. Both Islamabad and New Delhi have held several rounds of talks to resolve the matter but no tangible results could be achieved. Realising the nefarious designs of the Indian leadership, political parties in Pakistan term New Delhi’s actions ‘water terrorism’. Recent talks on Baglihar Dam between the two sides remained unfruitful and Pakistan is understood to have decided to seek international arbitration once again to secure its share of the water.

Yesterday, a report published in all national newspapers raised alarm bells when an Indian engineer, Jee Parbharkar, speaking at a seminar organised by The Federation of Association of South and Central Asian Countries (FIESCA) in Nepal, said that if all on-going dam projects on rivers originating from Kashmir were completed in time, India would be in a position to stop water flow to Pakistan completely by 2020. He further claimed that by 2020, India would be producing such a quantity of hydel power that it would be able to export it to neighbouring countries including Pakistan. Pakistani delegate to the seminar, Sultan Mahmood, said that India has already started producing electricity from four big and 16 small dams while the work on a third dam is in full swing near Kargal Valley. In this dam, 45 per cent of Indus water would be diverted to its reservoir through a tunnel.

Such a situation is not acceptable under any circumstances and it is about time that our leadership takes the matter seriously and moves all international forums available to raise this sensitive issue. Indifference of the concerned authorities has already damaged Pakistan’s cause and if nothing is done fast, Pakistan soon would be a barren state.”

Tuesday
Jun 7, 2011

A few days ago I reported on the call for a “general obligation for data security”.

Now comes this report on CBS (thanks to FutureCrimes):

I wonder how many companies and government agencies are equally careless in this country?

It makes leaving a paper on a photocopier seem old hat …

Sunday
Jun 5, 2011

High-level legal guru Stewart Room gave an excellent presentation at last week’s East-West Institute Global Cyber Security Summit. In it he called for a “general obligation for security”, saying:

“I believe that holders of sensitive data, the controllers of important networks, systems and infrastructures – and their supply chains – should face a clear legal requirement to keep these assets safe and secure. As well as describing the obligation, this general security law should describe the consequences of failure.”

He pointed out that:

“It is naive to think that all relevant actors will do what is necessary to protect these assets without a clear steer from the law. Ignorance, laziness, apathy, short sightedness and greed are all powerful counterweights to enlightened self interest.”

He also highlighted the dangers of addressing the problem solely through the prism of the protection of personal data. Intellectual property is currently being leeched from corporate data systems all over the world – an issue repeatedly referred to at the Summit. Likewise the vulnerability of national infrastructure systems – including power grids and water supplies – is now increasingly apparent.

He warned that:

“In the UK and most of the rest of Europe the law for security is effectively left to reside in the domain of privacy and data protection law. This is a grave mistake. … it gives the mistaken impression that the law only sees security as being important in the context of the handling of personal data. Of course, we all know that the substance of security extends much further than this. The impact of this problem is worsened by the fact that far too many people and organisations do not take data protection law seriously. Thus, the law is not properly driving behaviours.”

And there may be unintended consequences:

“This gives effective ownership of the field to people who are the least competent to manage it. I am talking about a small cadre of data protection regulators and bureaucrats, who are so slanted toward privacy that they may unwittingly encumber us with anti-security policies, which could jeopardise the health of cyberspace, our economies and our societies.”

He concluded by asking “what will a general obligation for security look like?”:

“Aside from removing the issue from the privacy and data protection domain and describing the nature of the obligation to secure assets and the penalties that may flow in breach, a general obligation for security will capture:

1. Critical definitions. We need to agree the parameters and make sure that we are all talking the same language.

2. The traditional “cyber crime” subject matter, dealing with the criminalisation and prosecution of unacceptable behaviours of hackers, botnets and others who attack information and information systems. The interests of law enforcement should be properly served.

3. The role of the private sector cyber security industry, so that innovation in IT solutions can continue. We are totally reliant upon the private sector for security solutions, so we must give it our full support.

4. Intelligence sharing between the public and private sectors and across geographical boundaries.

5. The need for identification measures for people and machines operating in cyberspace. Privacy should not provide a cloak for criminals and anti-social behaviour.

6. The right for people and organisations under cyberattack to take offensive action in their defence. This is probably the most controversial point. But we need to ask ourselves whether it is morally right to tie the hands of those under attack. And we need to be sure that we do not open Pandora’s box.”

Whilst ideally this needs a solution in international law, a good start would be made by legal changes in this country to establish a better and more robust framework, whilst British Ministers argue for European-wide changes via Brussels and press the case through the G8 and G20 fora.

There was a palpable sense of urgency about the need for change at last week’s summit. I hope it was felt by Francis Maude MP, who is apparently now the Minister in charge of cyber-security, and that he takes it back to his Government colleagues.

Wednesday
Jun 1, 2011

I am attending the Worldwide Security Summit being held at the QEII Conference Centre in London.

It is currently being addressed by Dr R Chandrashekar, the Secretary of the Department of Information Technology in India. His address has been very wide-ranging, but I was much taken by the way in which he acknowledged, almost as an aside, a massive vulnerability to the world economy before moving quickly on.

After spending several minutes outlining the increasing dependence of the world on the internet, including government and commercial systems, he pointed out that, of course, the internet only functions because of the existence of a small number of undersea data cables connecting the major continents together. These have been damaged from time to time, for example by shipping and by natural disasters, and those incidents have produced significant, if (so far) short-term, disruptions. For those wanting to cause major problems for the world economy the implications are unfortunately obvious …