ZeroFlaws.net aims to bring technical and security issues to life, making them clear and understandable to everyone - not just the technically-savvy.

Wave Hello

Google Wave! It's been eagerly anticipated by many, and finally the beta is open to the lucky few who managed to bribe, beg or steal an invite. With thanks to a very good friend who has immediately rocketed their way up my Christmas list, I logged into my Wave account for the first time this week. I'm fairly impressed, with one caveat.

I'm not going to recap all the various clever bits of functionality Wave provides. Many other sites have done this to death, and there's that incredibly long Google IO video that shows you everything you could possibly want to know. What I will do is offer a couple of words of advice and caution. I have to do that, otherwise you'd realise I'm just posting screenshots of Wave to make you jealous.... (Read More)

Unless you've been living a solitary existence in a warm and cosy cave you'll no doubt have spotted the minor matter of a swine flu pandemic sweeping the world. And if you're in the UK, you'll also have heard about the National Flu Pandemic Service. You'll also probably have heard about how, immediately after launch, the website component of this service crashed and was taken offline for several hours due to "unprecedented demand". You'll have seen the comments from the UK Government about how well the service has worked, and from the Conservative party opposition about how bad and slow the response was. All very interesting.

However this post on Zero Flaws is to tell you one thing, and one thing only. The National Flu Pandemic service (website and call centre) wasn't suddenly created and put into action this year when swine flu began to rear its head. The massive demand for the service also wasn't unprecedented. The service was discussed and designed way back in 2008, after the H5N1 Avian Flu outbreak, and way back then the speed of response and anticipated volume of demand was known, discussed, and represented a huge concern to all involved - both to the Government, and to the companies they asked to tender for the service.

So keep that in mind when you hear reports of how well - or how badly - the service is operating. And that, I'm afraid, is all I can say on the matter.... (Read More)

Doctor Watson, I presume?

Presumed security is an interesting thing. Although not something that's commonly discussed, it's actually the other side of "security through obscurity". Security through obscurity refers to a system that's made so deliberately complex that it (in theory) deters attacks simply due to that complexity. In other words, it's so difficult to understand that an attacker doesn't have a chance of finding a security flaw in it. Hopefully. However any decent security professional will immediately pop up and tell you that security through obscurity is actually no security at all, because you're relying on smoke and mirrors to keep you safe. And that's fair enough. Because it's true.

Presumed security, on the other hand, is almost never talked about in IT security circles. It's very simple to understand and is best demonstrated by this recent BBC News article: Illegal immigrant stows away on Sandhurst coach. Sandhurst, for those of you not aware, is the premier military officer training academy, renowned worldwide for the calibre of officers it produces. As the BBC article explains, an Afghan illegal immigrant was able to simply jump on a coach in Germany, enjoy a trip to the UK, and get off the other end actually inside Sandhurst before being discovered. Straight through security, no questions asked. This was possible because of one simple fact: the presumed security of Sandhurst is so great it actually doesn't need much security at all.... (Read More)

This is not the answer you weren't looking for...

Over recent years it seems that employers and organisations are increasingly looking towards standardised testing to dig into people's capabilities and personalities. Companies often ask prospective interviewees to take a verbal reasoning test before even getting an interview, and at the other end of the scale MENSA famously relies on the IQ test to control membership (although one might wonder why people with high IQs need to pay a £45 membership fee to access a social network).

What does all this have to do with security? That's a very good question.... (Read More)

Whilst I work on the next full length article for Zero Flaws I thought this merited a brief post. The Home Office has now released the consultation paper for the proposed communications monitoring system (as discussed in the previous two articles), called "Protecting the public in a changing communications environment". You can find the paper at this link, as well as instructions on how to submit your comments and response for consideration. The closing date for submissions is 20th July 2009, and rest assured Zero Flaws will be participating!

Genuine Disadvantage

I've never been a big fan of Vista. Back in those heady days before service pack 1 I gave it a whirl and found it slow, bloated, and zero improvement on Windows XP. To this day I quite happily run Windows 2000 (honestly, I know, but it's stable and fast), Windows XP and Windows Server 2003 on my various personal and business machines. Add to that a couple of SuSE Linux boxes and one Ubuntu laptop and I've got everything I need, as well as a hefty electricity bill.

A while ago, though, I bought some new computers for a security test lab. Normally I just buy components and build computers myself but in this case I needed four machines quickly, so buying pre-built made sense. I ordered three without an operating system but checked the little box to have Vista Business pre-installed on the fourth. I needed to do some "real work" on these machines, so three years too late I thought I'd take the opportunity to give Vista a proper evaluation. After all, it's easy and fashionable to bash Microsoft without giving their products a proper chance.

Unfortunately I had no idea of the disaster in store. Not because Vista is a bad operating system - far from it - but because of another nightmare awaiting me. This wasn't a driver issue, or a software compatibility problem. It wasn't even a bug, flaw or vulnerability. It was something far more insidious, and it's an issue that's becoming increasingly severe across the entire technology spectrum.... (Read More)