We Still See Security Through a Lens, Darkly

My latest BBC column was at the end of the year, as I only seem to manage 3 weeks out of 4 at the moment because of the pressure of other things.  It’s about contact lens displays and our inability to design security in from the start, and can be read on the BBC News Website as usual:

As December comes to an end journalists and pundits around the world have been telling us which devices or technologies they think are the most important from the last year.

Here on the BBC tech site Rory Cellan-Jones chooses cloud computing while Jonathan Fildes opts for smartphone applications and Maggie Shiels reveals her love for her Blackberry, to which she is clearly addicted.

Picking one innovation as the most important or as representative of a year is notoriously difficult, but it is at least retrospective.

The iTunes Application Store was one of the year’s biggest successes, whatever one might think of Apple’s arbitrary approvals process or the constraints placed on application authors, and Google really did launch Wave, albeit as an early, buggy alpha release.

Looking forward is much trickier…

Enjoy.

Stop. Look. Change your Password

[I’ve been neglecting this space for the last few weeks… this was published on the BBC News site on October 9]

If you use a web-based email service then here’s a public service announcement. Tufty the Squirrel says ‘Change your password. Now. Before you read the rest of this column. And if you use your webmail password for any other services go and change it there too.’

OK, assuming you’ve done that, we can discuss the apparent plundering of tens or even hundreds of thousands of login details from Hotmail, Yahoo! Mail, Gmail and other web-based email services, revealed last week when a partial list of ten thousand addresses was posted to – and quickly withdrawn from – the Pastebin code-sharing website and details of another 30,000 accounts were posted elsewhere.

The compromised email addresses seem to be the result of a number of phishing exercises, where fake websites are set up to harvest login credentials from those who can be tricked into visiting the phishing site instead of the authentic home page for their service provider, and not related to any security flaws in the webmail services themselves.

Continue reading “Stop. Look. Change your Password”

Being Open About Secrecy

[As ever, you can read this on the BBC News website too]

It must be tricky to be an advocate of transparency when your job involves selling serious encryption tools to government departments, large and small companies, hospitals and people who are concerned about having their bank account details hijacked from a home PC.

After all, the point about good encryption software and the systems that surround it is that they provide a way to keep your secrets secret, while open government and the effective regulation of financial services would seem to require the widest possible dissemination of all sorts of operational data, from MPs expenses to bank investment portfolios.

And once something is on a website, in an email or available for inspection through a published program interface then it is no longer secret, however well the copy on your internal network might be protected. Continue reading “Being Open About Secrecy”

Don’t have nightmares

[As ever you can read this on the BBC News website. Or on any of the spamblogs that rip off my copy and use it as linkbait.]

Anyone concerned about the security of their computers and the data held on them might sleep a little uneasily tonight.

Over the past few weeks we’ve heard reports of serious vulnerabilities in wireless networking and chip and pin readers, and seen how web browsers could fall victim to ‘clickjacking’ and trick us into inadvertently visiting fake websites.

The longstanding fear that malicious software might start infecting our mobile phones was given a boost when the Information Security Center at US university Georgia Tech outlined how phone software could be hijacked to create ‘botnets’ and allow handsets to be remotely controlled.

And now a group of researchers at the Security and Cryptography Laboratory at Ecole Polytechnique Federale de Lausanne in Switzerland have shown that you can read what is typed on a keyboard from twenty metres away.

Continue reading “Don’t have nightmares”

My del.icio.us bookmarks for July 23rd through July 30th

Here’s what I tagged on del.icio.us between July 23rd and July 30th:

Shouting ‘bug’ on a crowded Internet…

[As ever you can read this on the BBC News website, and it’s also on CircleID]

In the last few weeks we’ve seen two very different approaches to the full disclosure of security flaws in large-scale computer systems.

Problems in the domain name system have been kept quiet long enough for vendors to find and fix their software, while details of how to hack Transport for London’s Oyster card will soon be available to anyone with a laptop computer and a desire to break the law.

These two cases highlight a major problem facing the computing industry, one that goes back many years and is still far from being resolved.  Given that there are inevitably bugs, flaws and unexpected interactions in complex systems, how much information about them should be made public by researchers when the details could be helpful to criminals or malicious hackers.

Continue reading “Shouting ‘bug’ on a crowded Internet…”

My del.icio.us bookmarks for July 13th through July 17th

Here’s what I tagged on del.icio.us between July 13th and July 17th:

My del.icio.us bookmarks for July 10th through July 11th

Here’s what I tagged on del.icio.us between July 10th and July 11th:

My del.icio.us bookmarks for July 4th through July 5th

Here’s what I tagged on del.icio.us between July 4th and July 5th:

I saw this…

Here’s what I’ve tagged on del.icio.us on %date%: