Talking Click Frenzy on ABC 702 Sydney

I hadn’t even heard of Click Frenzy until the thing fell over, which shows how much attention I pay to the realm of commercial retail. But I ended up talking about it on ABC 702 Sydney the other day, because, well, it fell over.

I’ve posted the entire radio segment here, including the comments by Margie Osmond, chief executive of the Australian Retailers Association, because I was baffled by her excuse that technical incompetence is OK because other people are sometimes incompetent too.

I think the important thing to understand with this is that it’s been running for about five, six years in overseas countries. It runs in the US and UK and a whole range of other places under the Cyber Monday banner. And for all of that period that it has been operating overseas, as recently as last year, they routinely have crashes as part of this mechanism, simply because of the unpredictable peaks and troughs that occur as part of the mechanisms.

Traffic analysis is a thing, folks, and so is robust network design. Just because you can’t do it, doesn’t mean it can’t be done.

I was fairly even-handed in my commentary, pointing out that it’s possible for the developers to have recommended a more robust architecture that then wasn’t implemented because of cost or whatever. But later in the day I discovered more about the technical problems and I’d have gone in harder.

In particular, I discovered that they’d committed a rather bad security mistake, which I wrote about for ZDNet: Password exposed in Click Frenzy security slip.

The morning presenter at ABC 702 Sydney is Linda Mottram.

The audio is ©2012 Australian Broadcasting Corporation.

Weekly Wrap 126: Wattle, sniffle and SCADAgeddon

Monday 29 October to Sunday 4 November 2012 was a busy week, made slightly less busy by the need to recover from the throat infection identified last week and then, because I was run down, fatigue that was probably a mix of a cold and hay fever.

Hence the photograph of the wattle I’ve posted here. It is to blame.

Dear Plant Kingdom, if I spread my genetic material all over you the way you do over me, I’d be arrested! Please behave yourself.

[Update 1545 AEDT: I am reliably informed that the hay fever is unlikely to be caused by wattle pollen.]

Podcasts

Articles

Media Appearances

Also, the Sydney Opera House has posted the video of my Festival of Dangerous Ideas panel, I Share Therefore I Am. I’ll write more about that in due course.

Corporate Largesse

  • On Monday evening I had a few beers with Michael McKinnon from AVG Australia and New Zealand, which they paid for.
  • On Tuesday morning I attended the breakfast launch of Windows Phone 8 at the Blue Bar, level 36 of the Shangri-La Hotel, overlooking Sydney Harbour. Microsoft paid for that, obviously.

The Week Ahead

Next week is pretty much all about Singapore. On Monday I’ll head down to Sydney and get some writing out of the way. Then on Tuesday it’s Singapore Airlines flight SQ212 departing Sydney at 0905 AEDT and arriving in Singapore mid-afternoon local time.

Wednesday is Verizon Business’ APAC Media Day, a five-hour meeting followed by cocktails. On Thursday I’m visiting the hospitality tent at the Barclays Singapore Open golf tournament as Verizon’s guest. Friday through Sunday has yet to be finalised, but there’ll be at least two articles to write and a podcast to produce.

Oh, and a social life.

My flight back to Sydney, SQ231, leaves Singapore at 45 minutes past midnight Sunday night — so technically that’s Monday morning.

[Photo: Wattle near Railway Parade, near Wentworth Falls, one of the causes of my hay fever this week.]

Weekly Wrap 125: Intelligence and infection

It’s hard to believe that just two weeks ago I was dealing with snow because this week, Monday 22 to Sunday 28 October 2012, included a day of working at Manly beach.

As you’ll read in a moment, it also included a series of digs at Australia’s law enforcement and intelligence communities. And it wrapped up on Saturday with the discovery that I’ve been suffering from a rather nasty throat infection. Which explains why I was so tired and irritable.

Penicillin to the rescue!

Podcasts

Articles

Media Appearances

Corporate Largesse

None.

The Week Ahead

The week begins tonight with a midnight recording for this week’s Patch Monday podcast. Then I have to complete a story for Technology Spectator by 1000 AEDT before wrapping up Patch Monday. And then I catch the train to Sydney.

I’m then staying in Sydney overnight so I can be at Microsoft’s Tuesday morning breakfast briefing on Windows Phone 8, and after that the rest of the week is as yet unplanned. Chaos is my friend. Stand by.

[Photo: Freelancing, a picture of my working environment on Thursday. That’s the Steyne Hotel overlooking the beach at Manly in Sydney.]

ASIO’s got it easy, says terrorism expert

“ASIO don’t seem to realise how privileged they are compared to intel orgs in other Western democracies,” tweeted terrorism researcher Andrew Zammit (pictured) yesterday.

Zammit is a researcher at the Global Terrorism Research Centre (Monash University) and Australian Policy Online (Swinburne University), and he was responding to my blog post from yesterday, “Insulted, ASIO? That’s not really the problem, surely?” and the attached podcast.

Here are his subsequent tweets, turned into continuous prose:

CIA for example has ongoing congressional oversight (of actual operations) as opposed to our occasional parl[iamentary] inquiries, people can FOI CIA docs only a few years old (ASIO has 20-30 year exemption) and some of the CIA’s analytical roles are transparent, as in analysts will have CIA business cards whereas even an ASIO kitchen hand’s identity will be kept secret. And CIA isn’t even a domestically-focused agency. So yes, ASIO needs to be less precious about being asked questions.

I agree. From the perspective of the United States I’m a foreign national, yet I’ve spoken with officers from the FBI, NSA and the Secret Service — all of whom had business cards with their full names. The closest I’ve gotten in Australia is chatting briefly with a DSD chap, one of two attending Linux.conf.au in January this year — given names only, and I suspect that those given names were really in scare quotes.

The excuse always given is “operational security”, but I do think the world has changed. The tools and methods are surely not so different from SEKRIT agencies to private-sector security companies and even analysis in non-security realms, given that so much technology is now available off the shelf to all comers.

Surely these days OPSEC is more about protecting sources and the specific operations that are or are not being conducted?

Of course I really don’t know this stuff. I’ve never worked in this field. I’ve never even held a security clearance. I’m just an interested bystander mouthing off. But I am intrigued.

Talking data retention (again) on Balls Radio

My regular spot on Phil Dobbie’s Balls Radio this week was a conversation (yes, another one) about the Australian government’s data retention proposals.

Here’s the audio of my segment. As you’ll hear, it’s much the same argument as in my last post about the Patch Monday podcast, with random asides about the meaning of misogyny and what should be done with real estate agents.

Yes, there’s a few audio dropouts. Welcome to the joys of using Skype over Telstra Next G mobile broadband while 1.5 kilometres into the eucalypt scrubland.

If you’d like more Balls Radio, have a listen to the full episode. You can subscribe over at the website.

Insulted, ASIO? That’s not really the problem, surely?

There aren’t many places in the world where you can openly accuse the nation’s top police and intelligence agencies of having an attitude problem, as I did on Monday, without being visited by the men in the van with the canvas sack. Which is a good thing.

In this week’s Patch Monday podcast, embedded immediately below for your convenience and CBS Interactive’s traffic logging, I departed from the usual format to present a personal opinion.

Data retention for law enforcement is one of the most important political issues relating to our use of the internet now and as far into the future as we care to imagine, I said, and it’s being mishandled.

The Australian government’s current one-page working definition (PDF) of what constitutes communications metadata (which can be requested by law enforcement agencies without a warrant) as opposed to communications content (which generally does require a warrant) is, to anyone with a technical understanding of how the internet actually works and is evolving, virtual gibberish.

“Dangerously immature” is how I described it.

I also raised three points where I think the version of reality being promoted by the Australian Federal Police (AFP) and the Australian Security Intelligence Organisation (ASIO) is wrong.

  • This is a push for more power. We conduct so much more of our lives online than we ever did on the phone, and that means the balance of power is changing. We need to have a conversation about this.
  • The AFP says quite specifically that they’re not after our web browsing activity, but I don’t see how the working document supports that argument. And other agencies, including the Australian Securities and Investments Commission (ASIC), are after that stuff.
  • ASIO and the AFP constantly talk about the powers being needed to catch the terrorists and pedophiles. But the law will probably be modelled on the current law for the phone, which provides access to communication metadata to many other agencies with far less stringent accountability rules for many other, far less serious, crimes.

Please have a listen and tell me what you think.

The podcast stands on its own, but I want to emphasise the thing that still disturbs me…
