ACCU Home page ACCU Conference Page
Search Contact us ACCU at Flickr ACCU at GitHib ACCU at Facebook ACCU at Linked-in ACCU at Twitter Skip Navigation

pinEditorial: Can you keep a secret?

Overload Journal #103 - June 2011 + Journal Editorial   Author: Ric Parkin
Privacy and security have been in the news a lot recently. Ric Parkin looks behind the curtain.

It’s not been a good few months for Sony.

First of all it was one of many companies whose manufacturing plans were thrown into turmoil due to a major earthquake and tsunami. It wasn’t so much the direct damage, but disruption to power generation and supply chains has shown how vulnerable Just In Time production methods are to even small delays. [Sony]

The automotive industry was affected even more, as it turned out that a single chip making plant that was destroyed made about 40% of the chips used worldwide in car manufacturing. With deliberately low stocks of parts, car production has been severely disrupted [Renesas]. This did make me wonder what sort of equivalent risks to production applied to software development, given that the Toyota Production System, and other JIT processes are the inspiration behind many Agile development practices. A few spring to mind – a major risk is an unexpected change in production capacity. This will usually be caused by personnel changes, such as illness or leaving the company. Finding a replacement and getting them up to speed is a non-trivial effort, which is why Brooks’s Law was noted [Brooks]. Less serious causes can include power cuts, and problems with computers and networks.

As I write this, the PlayStation network has only been partly restored following an intrusion that potentially exposed personal details of millions of users. Unfortunately they intially turned a serious problem into a PR disaster by looking to be slow to admit to the problem, or giving details about what had actually been compromised. Some of this could well have been due to the difficulty of tracing where exactly the intrusion had access to, what had been taken, and how this would affect users. But some things were definitely handled badly, in particular whether passwords had been stored in plain text or not. It turned out they had correctly only stored a hash – a large number or string that was generated from the password and used to confirm you’ve typed a password in correctly without actually transmitting or storing the password itself [Hash], but it took time to clarify this.

Unfortunately, some identity information was stored such as dates of birth, and it’s this that is the main cause of concern as it can be used as the basis of identify theft. It has severely dented their reputation. It did make me question my own approach to computer and identity security, both as a developer (yes, we only store hashes!) and as a user. I also recently updated our password dictionary for cracklib [Sourceforge], which sees how secure a new password is. The new dictionary is massively larger than our previous version, and we’re finding that it includes many passwords that used to be thought of as strong, but now appear in dictionaries that are used by brute-forcing algorithms. I’m seriously reviewing my password policy to make them harder to guess, and will avoid supplying unnecessary personal details (I was always reluctant anyway).

Other sources of leaked information have been making the news recently. One high profile one was finding out that iPhones stored a list of locations where you’d been [Jones]. While this was only used internally for some performance improvements, again it worried a lot of people as it effectively gave anyone with access to your phone (or the iTunes backup on your computer) a log of your movements. Promptly a fix has been issued to delete the data when no longer needed. Of course, the authorities have other ways of tracking your phone, even if they’re too much effort to deploy except in serious cases. The obvious one is that phone companies have logs of which mobile stations you can connect to, which is enough to track you fairly accurately via some simple triangulation. Even before that, getting access to telephone logs and doing some fairly simple traffic analysis could be used to pick up patterns, and reveal the structure of an organisation. I was reminded of this recently after seeing the latest incarnation of some of this analysis software [i2]. Most scary of all is that I was heavily involved with a major rewrite of this software back in the mid to late 90s, and it was interesting to see that despite over a decade of improvements, there were still signs obvious to me that the core of my code is still there. A warning that code can last for longer than you might think!

Of course, if an identity thief wanted a your details, or someone wanted to track you, it’s probably easier to just keep an eye on people’s Facebook updates and pictures in the Cloud. It’s troubling just how much personal information can be gleaned by even a cursory glance and some simple searches, and when coupled with position updates via tools such as Foursquare, it’s pretty easy to see where someone is, what they are doing, and who else was there. If that’s in real time and the person’s address is known, and a break-in would be trivial.

The other interesting technology news that's been around recently is the way that Twitter is being used to get around so called ‘Super-injunctions’ and reveal secrets that people had been trying to keep under wraps. By rapidly retweeting, a story be spread extremely quickly, and the ‘Spartacus effect’ of thousands of people doing it makes them think that they are immune from prosecution. Time will tell whether that will remain true, as there’s already talk of disclosing details to the police of people who have helped. Dispiritingly, most of the cases seemed to be celebrities trying to conceal affairs, which is a sad reflection on certain sections of the press. Personally I’m not interested in that at all – they have as much right to a private life to muck up as I do. But there are issues of privacy, freedom of speech, and a society fast changing how it communicates.

One thing that was worrying though – at one time someone posted a list of supposed injunctions which turned out to be wildly inaccurate (some so bizarre you just knew they were a joke), causing some swift rebuttals and embarrassment. Is this a taste of things to come, where fast communications and ‘Chinese Whispers’ cause all manner of wild stories and accusations to be propagated? As the saying goes, a lie is halfway around the world before the truth has got its boots on. In this vein, there was an interesting experiment performed accidentally by Graham Linehan who writes the sit-com The IT Crowd [Linehan]. After tweeting an amusing lie – that Bin Laden was watching the show on the captured videos – he was suprised just how fast it spread and mutated incorporating completely random stuff, before he finally exposed it.

And sometimes people just won’t talk about it when you want them to – I noticed a couple of comments recently from ACCU developers who’d written their own iPhone games about how much effort it was to try and generate some interest. With so many apps to choose from it’s now an uphill struggle to get any attention.

Bubble 2.0?

We seem to be in a technology stock bubble again. Things that make me feel this way include the recent purchace of Skype by Microsoft for a massive $8.5bn, and the imminent floatation of LinkedIn at a large valuation, and rumours about FaceBook or Twitter being floated soon. It all feels very reminicent of 2001, although this time it’s social networking driving interest instead of early internet companies and biotech. But yet again to pick the real winners without over paying for them will be hard, especially when what seems to be the next big thing suddenly goes out of fashion, or more likely, becomes so widespread it’s no longer what makes a company unique and hence valuable. Buyer beware.

Bletchley Park fundraising effort

The past two Novembers have seen the enjoyable ACCU Security conferences, held at Bletchley Park to raise money for their activities. Well, Astrid Byro has decided to go that extra mile this year to raise even more. About three and a half miles to be more accurate – upwards. On 16th August she’s going on an 8-day trek to the Everest Base Camp, which is 5,545 metres above sea level. ‘You must understand the context of this endeavour.’ she says. ‘ I’m afraid of heights and this will challenge my fears on a daily basis with multiple crossings of rickety bridges across torrential gorges. In addition, I will be doing this at the end of monsoon season so there is the ever-present danger of flash floods as well as the menace of leeches. I hate leeches.’

She’s set a fundraising target of £50,000, so would be a great help to Bletchley. She is hoping to achieve this target by donations as well as corporate sponsorship so if you would like a photo of your corporate logo flag flying at Base Camp, want her to wear sponsored logo clothing, or you have a stunt in mind, she’s open to negotiation.

You can follow Astrid’s progress on her blog as she pursues her training programme, at www.abc-ebc.blogspot.com and you can support her by making a donation at www.justgiving.com/Astrid-Byro. Good luck!

[Photograph published under Creative Commons Licence 3.0 – original can be found at http://www.happytellus.com/gallery.php?img_id=5143]

References

[Brooks] http://en.wikipedia.org/wiki/Brooks's_law

[Hash] http://phpsec.org/articles/2005/password-hashing.html

[i2] http://www.bbc.co.uk/news/uk-13366706

[Jones] http://www.bbc.co.uk/blogs/thereporters/rorycellanjones/2011/04/iphone_tracking_creepy_cool.html

[Linehan] http://www.bbc.co.uk/news/magazine-13467407

[Renesas] http://www.bbc.co.uk/news/business-13421065

[Sony] http://www.bbc.co.uk/news/business-13557431

[Sourceforge] http://sourceforge.net/projects/cracklib/

Overload Journal #103 - June 2011 + Journal Editorial