Posts filed under 'News coverage'

Feb 8, '13

Yesterday the European Commission launched its new draft directive on cybersecurity, on a webpage which omits a negative Opinion of the Impact Assessment Board. This directive had already been widely leaked, and I wrote about it in an EDRi Enditorial. There are at least two serious problems with it.

The first is that it will oblige Member States to set up single “competent authorities” for technical expertise, international liaison, security breach reporting and CERT functions. In the UK, these functions are distributed across GCHQ, MI5/CPNI, the new NCA, the ICO and various private-sector bodies. And the UK is relatively centralised; in Germany, for example, there’s a constitutional separation between police and intelligence functions. Centralisation will not just damage the separation of powers essential in any democracy, but will also harm operational effectiveness. Most of our critical infrastructure is in the hands of foreign companies, from O2 through EDF to Google; moving cybersecurity cooperation from the current loose association of private-public partnerships to a centralised, classified system will make it harder for most of them to play.

Second, whereas security-breach notification laws in the USA require firms to report breaches to affected citizens, articles 14 and 15 instead require breach notification to the “competent authority”. Notification requirements can be changed later by order (14.5-7) and the “competent authorities” only have to tell us if they determine it’s in the “public interest” (14.4). So instead of empowering us, it will empower the spooks. But that’s not all. Member States must “ensure that the competent authorities have the power to require market operators and public administrations to: (a) provide information needed to assess the security of their networks and information systems, including documented security policies; and (b) undergo a security audit carried out by a qualified independent body or national authority and make the results thereof available to the competent authority” (15.2). States must also “ensure that competent authorities have the power to issue binding instructions to market operators and public administrations” (15.3). Now, as Parliament has just criticised the Home Office’s attempt to take powers to order firms like Google and Facebook to disclose user data by means of the Communications Data Bill, I hope everyone will think long and hard about the implications of passing this Directive as it stands. It’s yet another unfortunate step towards the militarisation of cyberspace.

Feb 4, '13

I’m delighted to announce that my book Security Engineering – A Guide to Building Dependable Distributed Systems is now available free online in its entirety. You may download any or all of the chapters from the book’s web page.

I’ve long been an advocate of open science and open publishing; all my scientific papers go online and I no longer even referee for publications that sit behind a paywall. But some people think books are different. I don’t agree.

The first edition of my book was also put online four years after publication by agreement with the publishers. That took some argument but we found that sales actually increased; for serious books, free online copies and paid-for paper copies can be complements, not substitutes. We are all grateful to authors like David MacKay for pioneering this. So when I wrote the second edition I agreed with Wiley that we’d treat it the same way, and here it is. Enjoy!

Jan 24, '13

Today the UK Information Commissioner’s Office levied a record £250k fine against Sony over their 2011 PlayStation Network breach in which 77 million passwords were stolen. Sony stated that they hashed the passwords, but provided no details. I was hoping that investigators would reveal what hash algorithm Sony used, and in particular whether they salted and iterated the hash. Unfortunately, the ICO’s report failed to provide any such details:

The Commissioner is aware that the data controller made some efforts to protect account passwords, however the data controller failed to ensure that the Network Platform service provider kept up with technical developments. Therefore the means used would not, at the time of the attack, be deemed appropriate, given the technical resources available to the data controller.

Given how often I see password implementations use a single iteration of MD5 with no salt, I’d consider that to be the most likely interpretation. It’s inexcusable though for a 12-page report written at public expense to omit such basic technical details. As I said at the time of the Sony Breach, it’s important to update breach notification laws to require that password hashing details be disclosed in full. It makes a difference for users affected by the breach, and it might help motivate companies to get these basic security mechanics right.
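To make concrete what “salted and iterated” means, here is an added illustration (not code from the post, and nothing is known about Sony’s actual scheme): two constructed user accounts that happen to share a password, stored first with a single unsalted MD5 and then with a per-user random salt and an iterated hash (PBKDF2-HMAC-SHA256). The point a defender cares about is visible in the output: the unsalted scheme reveals that the two users share a password and lets one precomputed table serve every user, while the salted, iterated scheme does neither.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample data: two accounts that happen to share a password.
USERS = {"alice": "letmein", "bob": "letmein"}

# Stored record for the salted scheme: (salt, iteration count, digest).
Record = Tuple[bytes, int, bytes]


def unsalted_md5(password: str) -> str:
    """The weak scheme: one pass of MD5, no salt. Identical passwords give
    identical hashes, so one precomputed table cracks every account at once."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def salted_iterated(password: str, salt: Optional[bytes] = None,
                    iterations: int = 100_000) -> Record:
    """Per-user random salt plus an iterated hash (PBKDF2-HMAC-SHA256).
    The salt and iteration count are stored alongside the digest so the
    scheme can be verified, and so it can be disclosed after a breach."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, iterations, digest


def verify(password: str, record: Record) -> bool:
    """Recompute with the stored salt and count; compare in constant time."""
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def shared_password_visible(scheme: str) -> bool:
    """Can an attacker holding the database tell that alice and bob share a
    password just by comparing stored values? True for unsalted MD5."""
    if scheme == "md5":
        return unsalted_md5(USERS["alice"]) == unsalted_md5(USERS["bob"])
    a = salted_iterated(USERS["alice"])
    b = salted_iterated(USERS["bob"])
    return a[2] == b[2]


if __name__ == "__main__":
    print("unsalted MD5 leaks shared password:", shared_password_visible("md5"))
    print("salted+iterated leaks shared password:", shared_password_visible("pbkdf2"))
    rec = salted_iterated(USERS["alice"])
    print("verify correct password:", verify("letmein", rec))
    print("verify wrong password:", verify("Letmein", rec))
```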

Jan 16, '13

The government has once again returned to the vision of giving each of us an electronic health record shared throughout the NHS. This is about the fourth time in twenty years yet its ferocity has taken doctors by surprise.

Seventeen years ago, I was advising the BMA on safety and privacy, and we explained patiently why this was a bad idea. The next government went ahead anyway, which led predictably to the disaster of NPfIT. Nonetheless enough central systems were got working to seriously undermine privacy. Colleagues and I wrote the Database State report on the dangers of such systems; it was adopted as Lib Dem policy and aspects were adopted by the Conservatives too. That did lead to the abandonment of the ContactPoint children’s database, but there was a rapid U-turn on health privacy after the election.

The big pharma lobbyists got their way after they got health IT lobbyist Tim Kelsey appointed as Cameron’s privacy tsar, and it’s all been downhill from there. The minister says we have an opt-out; but no-one seems to have told him that GPs will in future be compelled to upload a lot of information about us through a system called GPES if they want to be paid (they had an opt-out, but it’s being withdrawn from April). And you can’t even register under a false name any more unless you use a stolen passport.

Jan 12, '13

Yesterday, banking security vendor Thales sent this DMCA takedown request to John Young who runs the excellent Cryptome archive. Thales want him to remove an equipment manual that has been online since 2003 and which was valuable raw material in research we did on API security.

Banks use hardware security modules (HSMs) to manage the cryptographic keys and PINs used to authenticate bank card transactions. These used to be thought to be secure. But their application programming interfaces (APIs) had become unmanageably complex, and in the early 2000s Mike Bond, Jolyon Clulow and I found that by sending sequences of commands to the machine that its designers hadn’t anticipated, it was often possible to break the device spectacularly. This became a thriving field of security research.

But while API security has been a goldmine for security researchers, it’s been an embarrassment for the industry, in which Thales is one of two dominant players. Hence the attempt to close down our mine. As you’d expect, the smaller firms in the industry, such as Utimaco, would prefer HSM APIs to be open (indeed, Utimaco sent two senior people to a Dagstuhl workshop on APIs that we held a couple of months ago). Even more ironically, Thales’s HSM business used to be the Cambridge startup nCipher, which helped our research by giving us samples of their competitors’ products to break.

If this case ever comes to court, the judge might perhaps consider the Lexmark case. Lexmark sued Static Control Components (SCC) for DMCA infringement in order to curtail competition. The court found this abusive and threw out the case. I am not a lawyer, and John Young must clearly take advice. However this particular case of internet censorship serves no public interest (as with previous attempts by the banking industry to censor security research).

Jan 2, '13

Over the past two years, Peter G. Neumann and I, along with a host of collaborators at SRI International and the University of Cambridge Computer Laboratory, have been pursuing CTSRD, a joint computer-security research project exploring fundamental revisions to CPU design, operating systems, and application program structure. Recently we’ve been talking about the social, economic, and technical context for that work in a series of media interviews, including one with ACM Queue on research into the hardware-software interface posted previously.

A key aspect to our argument is that the computer industry has been pursuing a strategy of hill climbing with respect to security; if we were willing to take a step back and revisit some of our more fundamental design choices, learning from longer-term security research over the last forty years, then we might be able to break aspects of the asymmetry driving the current arms race between attackers and defenders. This clean-slate argument doesn’t mean we need to throw everything away, but does suggest that more radical change is required than is being widely considered, as we explore in two further interviews:

Dec 24, '12

Last Friday’s successful appeal in the Golden Eye case will mean that significantly more UK-based broadband users will shortly be receiving letters that say that they appear to have been participating in file sharing activity of pornographic films. Recipients of these letters could do worse than to start by consulting this guide as to what to do next.

Although I acted as an expert witness in the original hearing, I was not involved in the appeal, since it was not concerned with technical matters but was deciding whether Golden Eye could pursue claims for damages on behalf of third party copyright holders (the court says that they may now do so).

Subsequent to the original hearing, I assisted Consumer Focus by producing an expert report on how evidence in file sharing cases should be collected and processed. I wrote about this here in July.

In September, at the request of Consumer Focus, I attended a presentation given by Ms Marianne Grant, Senior Vice President of the Motion Picture Association of America (MPAA) in which she outlined the way in which rights holders in the United States were proposing to monitor unauthorised file sharing of copyright material.

I had a number of concerns about these proposals and I wrote to Consumer Focus to set these out. I have now noted (somewhat belatedly, hence this holiday season blog post) that Consumer Focus have made this letter available online, along with their own letter to the MPAA.

So 2013 looks like being “interesting times” for Internet traceability — with letters going out in bulk to UK consumers from Golden Eye, and the US “six strikes” process forecast to roll out early next year (albeit it’s been forecast to start in November 2012, July 2012 and many dates before that, so we shall see).

Nov 20, '12

This afternoon, the Information Commissioner will unveil a code of practice for data anonymisation. His office is under pressure; as I described back in August, Big Pharma wants all our medical records and has persuaded the Prime Minister it should have access so long as our names and addresses are removed. The theory is that a scientist doing research into cardiology (for example) could have access to the anonymised records of all heart patients.

The ICO’s blog suggests that he will consider data to be anonymous, and thus no longer private, if they cannot be reidentified by reference to any other data already in the public domain. But this is trickier than you might think. For example, Tim Gowers just revealed on his excellent blog that he had an ablation procedure for atrial fibrillation a couple of weeks ago. So if our researcher can search for all males aged 45-54 who had such a procedure on November 6th 2012, he can pull Tim’s record, including everything that Tim intended to keep private. Even with a central cardiology register, it’s hard to think of a practical mechanism that could block Tim’s record as soon as he made that blog post. And now that researchers are starting to carry round millions of people’s records on their laptops, protecting privacy is getting really hard.

In his role as data protection regulator, the Commissioner has been eager to disregard the risk of re-identification from private information. Yet Maurice Frankel of the Campaign for Freedom of Information has pointed out to me that he regularly applies a very different rule in Freedom of Information cases, including one involving the University of Cambridge. There, he refused a freedom of information request about university dismissals on the grounds that “friends, former colleagues, or acquaintances of a dismissed person may, through their contact with that person, know something of the circumstances of that person’s departure” (see para 30).

So I will be curious to see this afternoon whether the Commissioner places greater value on the consistency of his legal rulings, or their convenience to the powerful.

Oct 16, '12

ACM Queue has posted my August 2012 interview on research into the hardware-software interface. We discuss the importance of a whole-stack view in addressing contemporary application security problems, which are often grounded in how we represent and execute software over lower-level substrates. We need to consider CPU design, operating systems, programming languages, applications, and formal methods — which requires building collaborations that span traditional silos in computer science research. I also consider the impact of open source on software security research methodology, and how we might extend those ideas to CPU research. A motivation for this investigation is our experimental CHERI hybrid capability processor, part of the CTSRD Project, a long-term research collaboration between the security, operating systems, and computer architecture groups at the University of Cambridge Computer Laboratory and the systems and formal methods groups at the SRI International Computer Science Laboratory.

Sep 17, '12

Alex Henney and I have decided to publish a paper on smart metering that we prepared in February for the Cabinet Office and for ministers. DECC is running a smart metering project that is supposed to save energy by replacing all Britain’s gas and electricity meters with computerised ones by 2019, and to cost only £11bn. Yet the meters will be controlled by the utilities, whose interest is to maximise sales volumes, so there is no realistic prospect that the meters will save energy. What’s more, smart metering already exhibits all the classic symptoms of a failed public-sector IT project.

The paper we release today describes how, when Ed Miliband was Secretary of State, DECC cooked the books to make the project appear economically worthwhile. It then avoided the control procedures that are mandatory for large IT procurements by pretending it was not an IT project but an engineering project. We have already written on the security economics of smart meters, their technical security, the privacy aspects and why the project is failing.

We managed to secure a Cabinet Office review of the project which came up with a red traffic light – a recommendation that the project be abandoned. However DECC dug its heels in and the project appears to be going ahead. Hey, we did our best. The failure should be evident in time for the next election; just remember, you read it here first.
