Zero Flaws: Latest Articles

Wave Hello

IanK — Sat, 17 Oct 2009 20:18:40 +0100

Google Wave! It's been eagerly anticipated by many, and finally the beta is open to the lucky few who managed to bribe, beg or steal an invite. With thanks to a very good friend who has immediately rocketed their way up my Christmas list, I logged into my Wave account for the first time this week. I'm fairly impressed, with one caveat.

I'm not going to recap all the various clever bits of functionality Wave provides. Many other sites have done this to death, and there's that incredibly long Google IO video that shows you everything you could possibly want to know. What I will do is offer a couple of words of advice and caution. I have to do that, otherwise you'd realise I'm just posting screenshots of Wave to make you jealous.... (Read More)

The National Flu Pandemic Service

IanK — Sat, 25 Jul 2009 20:21:19 +0100

Unless you've been living a solitary existence in a warm and cosy cave you'll no doubt have spotted the minor matter of a swine flu pandemic sweeping the world. And if you're in the UK, you'll also have heard about the National Flu Pandemic Service. You'll also probably have heard about how, immediately after launch, the website component of this service crashed and was taken offline for several hours due to "unprecedented demand". You'll have seen the comments from the UK Government about how well the service has worked, and from the Conservative party opposition about how bad and slow the response was. All very interesting.

However this post on Zero Flaws is to tell you one thing, and one thing only. The National Flu Pandemic service (website and call centre) wasn't suddenly created and put into action this year when swine flu began to rear its head. The massive demand for the service also wasn't unprecedented. The service was discussed and designed way back in 2008, after the H5N1 Avian Flu outbreak, and way back then the speed of response and anticipated volume of demand was known, discussed, and represented a huge concern to all involved - both to the Government, and to the companies they asked to tender for the service.

So keep that in mind when you hear reports of how well - or how badly - the service is operating. And that, I'm afraid, is all I can say on the matter.... (Read More)

Doctor Watson, I presume?

IanK — Thu, 09 Jul 2009 19:44:58 +0100

Presumed security is an interesting thing. Although not something that's commonly discussed, it's actually the other side of "security through obscurity". Security through obscurity refers to a system that's made so deliberately complex that it (in theory) deters attacks simply due to that complexity. In other words, it's so difficult to understand that an attacker doesn't have a chance of finding a security flaw in it. Hopefully. However any decent security professional will immediately pop up and tell you that security through obscurity is actually no security at all, because you're relying on smoke and mirrors to keep you safe. And that's fair enough. Because it's true.

Presumed security, on the other hand, is almost never talked about in IT security circles. It's very simple to understand and is best demonstrated by this recent BBC News article: Illegal immigrant stows away on Sandhurst coach. Sandhurst, for those of you not aware, is the premier military officer training academy, renowed worldwide for the calibre of officers it produces. As the BBC article explains, an Afghan illegal immigrant was able to simply jump on a coach in Germany, enjoy a trip to the UK, and get off the other end actually inside Sandhurst before being discovered. Straight through security, no questions asked. This was possible because of one simple fact: the presumed security of Sandhurst is so great it actually doesn't need much security at all.... (Read More)

This is not the answer you weren't looking for...

IanK — Sat, 02 May 2009 18:02:45 +0100

Over recent years it seems that employers and organisations are increasingly looking towards standardised testing to dig into people's capabilities and personalities. Companies often ask prospective interviewees to take a verbal reasoning test before even getting an interview, and at the other end of the scale MENSA is beloved of the IQ test to control membership (although one might wonder why people with high IQs need to pay a £45 membership fee to access a social network).

What does all this have to do with security? That's a very good question.... (Read More)

Genuine Disadvantage

IanK — Sun, 22 Mar 2009 19:49:13 +0000

I've never been a big fan of Vista. Back in those heady days before service pack 1 I gave it a whirl and found it slow, bloated, and zero improvement on Windows XP. To this day I quite happily run Windows 2000 (honestly, I know, but it's stable and fast), Windows XP and Windows Server 2003 on my various personal and business machines. Add to that a couple of SuSE Linux boxes and one Ubuntu laptop and I've got everything I need, as well as a hefty electricity bill.

A while ago, though, I bought some new computers for a security test lab. Normally I just buy components and build computers myself but in this case I needed four machines quickly, so buying pre-built made sense. I ordered three without an operating system but checked the little box to have Vista Business pre-installed on the fourth. I needed to do some "real work" on these machines, so three years too late I thought I'd take the opportunity to give Vista a proper evaluation. After all, it's easy and fashionable to bash Microsoft without giving their products a proper chance.

Unfortunately I had no idea of the disaster in store. Not because Vista is a bad operating system - far from it - but because of another nightmare awaiting me. This wasn't a driver issue, or a software compatability problem. It wasn't even a bug, flaw or vulnerability. It was something far more insidious, and it's an issue that's becoming increasingly severe across the entire technology spectrum.... (Read More)

Standard Bearer

IanK — Sun, 22 Feb 2009 19:33:04 +0000

Standards are a wonderful thing. They keep everything.... well.... standard. And as we security specialists flit from job to glamourous job, living the rock and roll consultant lifestyle, we can take comfort from knowing that any half decent IT department will stick to using industry standards to solve problems and build IT infrastructures. Corporate IT is a complex beast and, by laying down a generally accepted way of robustly designing systems, standards make it more manageable and secure. Pity the poor techie who has to create every single solution from scratch every time, for he maketh the IT security consultant rich.

Last week an odd thing happened. I decided I hated standards.... (Read More)

Very Phishy

IanK — Wed, 24 Dec 2008 19:49:20 +0000

Phishing is a very real, very annoying pain for security professionals. It's exceptionally easy for a would-be scammer to set up a fake website and send out a few million spam emails, catching a few unlucky victims in the process. Fortunately these days most Internet users know what a phishing scam is even if they can't always spot them every time. 100% accuracy is always a difficult thing to aim for, but when you sit back and consider the problem it's quite an interesting issue. From a security point of view it should be absolutely possible for every Internet user being to spot 100% of the phishing scams 100% of the time.

A contentious claim? Perhaps, but it's clear what's preventing us from even getting close. It's the fault of legitimate companies, who are making it far too easy for the phishers to scam us all. ... (Read More)

The Home Office Reply

IanK — Wed, 12 Nov 2008 19:01:15 +0000

After sending in the "Dear Ms Smith" letter I thought it would be a long wait for a reply from the Home Office regarding the Government's proposed communications monitoring system. Surprisingly I've received a response already, albeit a canned one that doesn't actually address the questions I raised. In the interests of fairness I've reproduced the reply below. In essence, though, the Government's previous statements have been repeated and the emphasis has been placed on the public consultation due to take place soon. Rest assured Zero Flaws will be participating!... (Read More)

Dear Ms Smith...

IanK — Tue, 21 Oct 2008 20:21:58 +0100

Since the last Zero Flaws post, the UK Government has made some significant noises regarding the implementation of a communications monitoring system. Last week Jacqui Smith, the UK's Home Secretary, gave a press conference to clarify the Government's plans. Essentially she wants to create a monitoring system that records the metadata of phonecalls, emails and web browsing sessions.

Many campaigners have complained about the gross invasion of privacy this monitoring system will cause, and they're absolutely right. However Zero Flaws has another, slightly different concern: this system will be a vast waste of taxpayers' money, and by definition will never be fit for purpose. So, in the spirit of public service, Zero Flaws sent the following letter to Ms Smith this week.... (Read More)

ICANN, coffee and pastries

IanK — Wed, 02 Jul 2008 20:05:07 +0100

An interesting thing happened last week. The Internet evolved. In a blink of an eye the restrictions on top level domain names - the .com or .net bit at the end of a web site address - were wiped away. ICANN, the organisation responsible for managing and maintaining this addressing system, approved a change to the DNS infrastructure that will allow any top level domain to be registered. DNS, as you'll remember if you read the Robustly Flawed article, is the telephone directory of the Internet. Until last week all top level domains, .com, .uk, .net and so on, were restricted to a tightly controlled list of possibilities. As well as the generic domains such as .net every country gets a top level domain, for example ".uk" for the UK. That's how things work, and ICANN have stuck very tightly to this position. In fact although adding extra top level domains is trivial ICANN have proved very reluctant to actually do it - campaigns to give adult websites a ".xxx" domain have been going on for years.

Great, but it's a shame that it's all pointless. This might well come back to haunt me but let's go for it anyway. Allowing anyone to register a new top level domain is an utterly useless exercise. I predict, to use an Internet meme, an "epic fail".... (Read More)