Two years ago I sat in an auditorium and watched an enraged Mikko Hypponen of F-Secure on stage at LinuxCon Edinburgh talking with passion about the double standards of the intelligence communities dealing with their stance on encryption. He was beyond furious at the methodologies and underhand ways that the US and UK intelligence services had burrowed into undersea cables and broken into communications at many of the technology and internet companies that we take for granted daily, with impunity.

Now here's the thing. I am the only member of the open source community, in the entire world, who has gone on the record on tape with somebody from the White House to ask them, openly, about their stance in a post-Snowden world on handling things like Heartbleed, like encryption, and their relationship with industry and inter-agency and inter-ministerial responsibilities when handling security issues. I interviewed Richard Clarke, now former Senior Cybersecurity Advisor to POTUS and former senior security advisor to four previous Presidents of the United States, the week of Heartbleed, and he volunteered information that I never even asked for in a candid interview on my radio show (still available on Stitcher by clicking here).

So imagine my surprise this morning when I sit up in bed and read an article on the BBC news portal with Rob Wainwright from Europol, who is complaining about the stance that technology companies are now taking to endpoint security, to key management and to proper end-to-end, in-transit encryption of data in the cloud. The point Europol make is that the proper management of SSL traffic and the more intelligent use of encryption in AMQP and other protocols makes it harder for the intelligence services to listen to potential terrorist traffic.

Now I have to be very circumspect and proper here in how I write this article to avoid arrest. I have signed the Official Secrets Act. I have worked within GCHQ. I have been involved with the design and implementation of secure communications and encryption endpoints to Top Secret and above. I do know where the bodies are buried with regard to the weak and lax vendor acquired devices that have formed the basis of government, agency and defence spending for the last seven years.

The fact is that the current and former UK governments (and their US counterparts), alongside many industry partners across multiple verticals buying the same kit, have overpaid for weak, industry-acquirable, catalogue-standard, run-of-the-mill technology. Badly written, badly managed by their vendors (for once not the governments' fault) and walked blindly down alleys. Accreditors with a weak understanding of cipher management and the underlying dependent libraries, binaries and protocols have allowed literally hundreds of millions of pounds to be spent on devices with less security certification than an iPhone 6. These devices sit in frontline daily use today across the EU and the US. It's farcical that many governments have approved catalogues with approved vendor lists for devices, many of which are so badly broken and so compromised in their design and implementation that the poor accreditor or purchasing manager, armed with a requirement and an accredited service catalogue, is therefore buying an outdated, inferior product for four times the cost of building it properly using currently shipping, available code. There is NO liaison, co-operation, upstream engagement, engineering or security engagement between these vendors and their outdated OS source. None. At all. Can I make this any clearer? The people shipping the boxes running the embedded Linux that powers and protects our endpoints, reliant on nation state security, DO NOT talk to the people releasing and developing it. If you were not scared before, you have every right to be now. I've got the actual sources (from the vendors, with their consent, under GPL compliance) of a few of these devices numbering in the tens of thousands in their deployment, and it's beyond scary. If you were to go back in time via Distrowatch to January 2009 you would see more current, more valid sources to base your security on.

It's terrifying, if not vaguely criminal, certainly deeply unethical, that these vendors have been allowed to make hay while the sun shone, have not engaged with the upstream OS vendor or the SSL community, nor had the brains to understand the downstream implication for their government customers, and have now put at risk the entire infrastructure and emergency response capability of their customers reliant on their devices.

Even when warned in writing, those government agencies and accreditors, hamstrung by weak upstream advice on SSL and encryption ciphers and key material, have through ambivalence instead walked hand in hand into one of the biggest potential security nightmares they can imagine. Worse, there is nothing today they can do other than rip it out and start again across the UK, US, EU and many member state governments whose assumptions around encryption at the core of many services are broken.

If Europol are serious then it's time they worked upstream to secure the devices that have formed the basis of the planning and infrastructure of their government partners. Instead of moaning about not being able to watch us, they should actually be asking: who is watching us?

You can't have it both ways. We react as an industry because we form best practices. The eyes of the community are on OpenSSL to race to make sure that the fixes that have come out since Heartbleed (I was the first person to get the Heartbleed story to ZDNet the night it broke) are stringent. The fixes that have come out in three tranches since October to further harden basic function calls reinforce that. Expect to see more in the coming weeks and months as further scrutiny is poured on older functions and calls. As the implementation of PKI across Cloud and across telecommunication products and services is hardened to enforce customer security and reduce the risk of man-in-the-middle attacks and the likely attack on weak endpoints, it reduces the attack vectors and the threat fabric.

In the Open Source community we are entirely open, practical and totally committed to ensuring that we release early and release often and that we work stoically to get patches out to protect people reliant on secure, auditable code. We don't always get it right, but it's therefore even more shocking how badly many companies who then take that code to build devices forget why and where and how it came to be. That's especially true of many supplying sensitive areas of the target market where the threat fabric is larger and the attack vector surprisingly large.

Expect the bad guys to go after the soft targets. If you're an Android user then security through obscurity, e.g. throw out your phone and tablet every seven or eight months and replace them, given your vendor is probably clueless (unless it's Google or Samsung); if you're an Apple user you can sleep easy as long as you don't use a myriad of apps, any one of which could be handling a listening function to a service harvesting your information or device credentials.

We aren't reacting, as an industry, to lock out police and intelligence services; to state that is beyond stupid. We are reacting to protect ourselves and our customers because of the ham-handed, without-recourse manner in which GCHQ and the NSA and other government agencies have behaved, and now we're locking down upstream and mainstream services to assure companies and individuals that they do have the security they always assumed they had.

What Europol should be doing, if they understood how to engage (which clearly they don't), would be sitting down to work with us to understand how and why and where, and to foster better working practices. Until that day happens it's back to the old days of seizure of devices, only now the issue is that they can't read, open or interpret them, even under warrant, even with industry partners or complex rootkits.

Sadly, gloss will be painted over the fact that the technology that they've acquired themselves is so 1998 in its design and implementation that, as I pointed out, it should be more worrying as to who is watching them, and more focus should be spent on fixing that in the short term. The only issue they have there is that the vendors can't help them, as the vendors have only one focus: revenue. The vendors themselves don't talk to the OS vendor. How do I know this? My phone hasn't rung and we've never spoken to them. They're too busy making money from shoddy, reimplemented, badly coded, badly repackaged, outdated, insecure code, selling it to governments who accredit it secure.

This is fixable. The issue is that the right people don't sit down to fix it or to emerge from the tunnel into daylight able to even understand the core problems. They're too busy making blanket procurement decisions to buy the wrong kit from the wrong people. I'd be more worried about your own infrastructure decisions than about technology companies doing their job right to circle the wagons and lock you out.

Now for those who question my authority to make these claims remember it was my security invention that protects and ensures the online safety of millions of people every single day globally, from school children across the UK and US school districts to retail businesses, hotels and motorway service stations and the myriad of devices and platforms that took their lead from our sources. For fifteen years I've made a career out of keeping people safe and doing it openly and trying to do the best I possibly can to get people to play nicely. It would be nice if someone listened and sat round a table and did something practical.

Who wants to bet nothing changes?

I am making good progress, having been home a few weeks since getting out of the Acute Stroke Unit at the RUH in Bath. I thought I'd post a message here in video format to say thank you to everyone for their messages of support and goodwill. It's meant a lot to me, so rather than type it all out, I've recorded it and put it online.

If you follow me on Twitter or social media you'll be aware that I've been a bit poorly and have been treated after having had a mini stroke. A wake-up call to start prioritising my working hours and my deliverables rather than trying to do 15/16 hr days doing a European day then US hours plus other bits. 2014 was a pretty awful year for me, dealing with a lot of crap that I had to wade through that made me stressed to the point of personal breaking point. This, therefore, has been a complete wake-up call.

So for now this means the podcasts that were lined up are on hold and a few articles that I was working on are also in the pending tray. There are a few articles to go live this week and next on TheStack.com and prep for FOSDEM continues in the hope I am well enough to go. If I am well enough I will mix the podcast content and release it but not in the next few days.

For now I am laid up, grateful to the amazing ambulance staff from Bath and North East Somerset Ambulance Service, and the staff and consultants at the Acute Stroke Unit at the RUH in Bath, the specialist MRI/CT imaging staff and everyone who reached out to help diagnose me, and then treat me. The UK NHS is in total crisis at the minute and without resources to help many. My experiences were amazing and I was looked after, made to feel safe and diagnosed promptly able to receive the treatment that saved my life.

The Conservative government should be disgusted at its lack of care for the NHS. The staff deserve our support and our applause, not our derision.

For now I'm doing very little, my wife has been told to make me behave until I am able to return to a normal everyday functioning life.

So it's the festive season that has crept up on us already. Season's Greetings, folks!

Now an apology

The last five months for me have been a blur. I've been locked away writing a new portal that's launching at Red Hat in the New Year, as well as working hard on the ever-growing Cloud portfolio at Red Hat.

The blog has suffered because I've been more or less writing for a living and not having a single moment to myself to concentrate on getting new editorial out there. Also, with the new Red Hat Cloud blog going live so soon, I wasn't sure whether I'd kill this and just concentrate on that. However, it's now obvious that with everything I commercially write having to go past a team of fedora-wearing legal eagles, to drop this conduit to the public would be stupid. Here I can post pretty much whatever I decide to, within reason, as I own the domain and the service.

So, some new stuff that's coming up. In the New Year we launch a new portal, HombresInHats.com, which is live now with a holding page and will be featuring a cadre of some of the best talent at Red Hat: John Mark Walker, Thomas Cameron, James Kirkland, Jon Masters, Bill Bauman, Jon Benedict, Dave Neary, Rhys Oxenham. I'll be writing and broadcasting from there too. We could and should have gone live this quarter, but if you hadn't noticed, Red Hat had a HUGE quarter just published, continuing our steady and reliable market growth. With Cloud and non-RHEL revenues now growing double digits year on year, you can understand why we haven't had time to record stuff in our own spare time.

Also, I am relaunching The CloudEvangelist Radio Show that's sat dormant since June 12th. I've recorded two shows already and I'm doing a third between now and New Year with two special guests. Expect that content to go out over the Christmas vacation period now I have downtime to concentrate. It will be available on Stitcher, Podfeed, iTunes and all the usual locations, so watch for the launch post with links to those locations and the NEW RSS feed. The old RSS feed is dead, dead, dead; please delete it and add the new location when I announce it.

Other stuff. I am in talks to write a book with a legal eagle here in the UK aimed at the CIO talking about cloud law, intellectual property, cloud security and basic stuff to keep folk out of jail.

FOSDEM comes up on 30th January in Belgium. I will be attending with the Red Hat crew, so if you're coming out, come and appear on the radio show I will be recording for a fourth successive year.

So for now, from the family here at Red Hat and my family here in the South West of the UK, I raise a glass to your good health. Thanks for staying the distance, and look out for the radio stuff I release in the next few days.