Monthly Archives: April 2014

A few weeks ago I sat down with senior law enforcement officers from Holland, Germany and the UK and asked them off the record the question "is there a ready role today for national crime agencies and cybercrime specialist divisions of police forces in Europe in the Cloud age?".

One thing was screamingly obvious: the interaction and information sharing between agencies is healthy and transparent, and that's hugely beneficial to sovereign nations. However, the reality is that there is a gap between capability and actual delivery.

SOCA in the UK, folded into the National Crime Agency last year, suffered from being seen as toothless and unable to deal in reality with cybercrime through lack of ability and lack of reach to actual sources outside their jurisdiction (e.g. mass mail spam / mail abuse and boiler office type schemes in overseas territories). We accept in Europe that there is a healthy impasse between industry and law enforcement down to two clear issues:

1) Budget - even though the UK National Crime Agency has a £500m budget and interactions with intelligence partners, it lacks the skillsets in depth and the tools and technologies to query data and to react at a pace that's efficient, and industry needs to assist. The current tools and database technologies supplied by one incumbent provider are anything but helpful and, if anything, set UK law enforcement back by comparison to the working practices of their partners in Europe.

2) In the UK, an over-reliance on agencies such as the Child Exploitation and Online Protection Agency (CEOP) and the Internet Watch Foundation (IWF), who are mired in being stuck between being lobbying agencies and ineffective and entirely out of touch. Whilst CEOP's continued interaction with industry partners such as Virgin Media and BT shows encouraging signs, it's very little, too late. There is a need for a clear rethink of how take-down notices and more serious protective measures can be enforced faster, with more clarity, interacting with local police forces and sharing information proactively in real time.

3) Fraud protection. The majority of online fraud happens overseas, and vulnerabilities in key cornerstones of the Internet such as Heartbleed, which I broke to the world now two weeks ago (no guessing who the Senior Security Developer at the Operating System vendor quoted was), are just the start. The internet glue is held together right now at managed hosting providers and internet service providers by embedded routers, switches, content delivery platforms and web hosting architectures. It could be up to three years before the least proactive ISPs, who simply don't have a clue or the budget (or the kick), fix the underlying infrastructures that provide key peace of mind to internet users, consuming service organisations and platform providers. In fact, one thing that has not been identified correctly with bugs such as Heartbleed is one salient fact: plausible deniability. A determined, minimally equipped hacker today with a basic live Linux distro who wants to play merry hell quietly will do so. Don't expect to find him or her, as most ISPs and telcos haven't got staff capable of spotting them in real time. I've physically proved that this is a fact in reality.

In a past life I uncovered (with authority) a massive exploit at a major UK household name telco involving a major datacentre breach with proven exploits and a complete paper trail and audit log of intrusions and proven hops into highly protected networks previously thought segregated. As with many telcos, you never hear about it because the nature of an SEC filing or public slapping from the Information Commissioner carries both a fine and red faces, as well as loss of reputation. When I then uncovered a breach in their billing platforms affecting residential customer data, this was once more "lost" even though documented and brought to the attention of the board and chairman of a major household name vendor. Patched and quietly forgotten. These things happen. They shouldn't - hopefully they happen a lot less now. I am prevented, by being signatory to the Official Secrets Act, from discussing far more scary real life scenarios that are in daily play today in larger infrastructures. Sadly, vendor relationships and reaction need to be in a position where a reactive defensive stance should be taken ahead of time rather than faced with a major zero day exploit or data breach using publicly available exploit code.

For six years I've talked about how we should practice security better. For six years I've worked with the Cloud Security Alliance and with Jim Reavis, their chair. A few weeks ago I sat down with the British Standards Institute (BSI), who last summer worked with the CSA to adopt STAR and to push it to industry; that at least brings the UK up to speed and, hopefully, shows law enforcement that they are playing behind the times and need to engage with industry better.

Relying on the badly constructed Computer Misuse Act and RIPA II is no longer good enough. If you can't communicate with industry, if you can't adopt open big data practices to analyse data and still rely on proprietary, weak tools for analysis, then the public suffers. If the public suffers, then there is a tacit nervousness to go to the Cloud as actively as we'd like.

You can hear my interview with the BSI when I get back from the US, as to their take on why blended security controls and practical interaction between public disclosure and interaction is a great start to reacting, and to building preventative and lasting Cloud security and law enforcement. You can also listen to my interviews with Dr Udo Helmbrecht (Executive Director of ENISA) and Richard Clarke (White House Specialist Advisor on Cybercrime to the President of the United States) by following the inline links. If they take me seriously, it would be nice if law enforcement woke up and changed working practices to take into account ever-moving threat vectors and a larger than ever threat fabric that affects and impacts business confidence and technology investment.

Until then, just cross your fingers, as law enforcement are standing in the wind with their finger in the air. Call Heartbleed a call to arms; sadly, I have doubts that there is a groundswell to proactively deliver change. Let's hope that this makes someone's radar.

One salient point: we are here to help - if people reach out and ask, that help is forthcoming; bury communal heads in the sand and you end up depleted in capability and unable to prosecute with mandated authority, with a lot more cases thrown out in court, resulting in a waste of taxpayer funded resources and costs.

Working together is smarter. Let's try.


I arrived into San Francisco on Saturday late PM, and today (Sunday) was all about setup of my gear to record, setting up my location at Moscone South for the interviews and recordings that we have planned for this week. I also got to spend time with the UK JBoss crew who I flew out with and to loan them audio gear to rescue them for their upcoming videos this week. So planning ahead and bringing spare kit paid off for once - even if it was for someone else's benefit rather than my own.

The stage is set for a much larger Summit for the 10th anniversary of Red Hat Summits. As of yesterday we were close to 4300 registrants for this year's show; it's not too late to register for the discounted full summit rate. To come as my guest, simply enter the discount code EMEACG at www.redhat.com/summit and you are good to go.

I start recording tomorrow (Monday), finishing final audio setup and tests tonight, and looking forward to it being a busy week of great content. To hear last year's archived shows, and in preparation for this year's, simply bookmark the following URL on your PC, tablet or smartphone.

Looking forward to creating some great content for you this week!!

I will be bringing Red Hat Summit Radio back to life for 2014, live from the Moscone Center in San Francisco; you can subscribe via iTunes, Stitcher, Podfeed and many other syndicated feeds that are live. Alternatively, visit and bookmark this URL from your tablet, smartphone or PC and you will have a live link to the latest recordings from this year's Red Hat Summit.

Saving the URL to your homepage on your Android or iOS smartphone is even better; simply do it and then click it to always have access to the latest content with a custom smartphone / tablet friendly front end.