Monthly Archives: March 2015

Two years ago I sat in an auditorium and watched an enraged  Mikko Hypponen of F-Secure on stage at LinuxCon Edinburgh talking with passion about the double standards of the intelligence communities dealing with their stance on encryption. He was beyond furious at the methodologies and underhand ways that the US and UK intelligence services had burrowed into undersea cables and broken into communications at many of the technology and internet companies that we take for granted daily, with impunity.

Now heres the thing. I am the only member of the open source community - in the entire world, who has gone on the record on tape with somebody from the White House to ask them, openly, about their stance on post Snowden world for handling things like Heartbleed, like encryption and their relationship with industry and inter agency and inter ministerial responsibilities when handling security issues. I interviewed Richard Clarke now former Senior Cybersecurity Advisor to POTUS and former senior security advisor to four previous Presidents of the United States, the week of Heartbleed and he volunteered information that I never even asked for in a candid interview on my radio show (still available on Stitcher by clicking here).

So imagine my surprise this morning when I sit up in bed and read an article on the BBC news portal with Rob Wainwright from Europol who is complaining about the stance that technology companies are now having to endpoint security, to key management and to proper end to end, in transit encryption of data in the cloud. The point Europol make is that by the proper management of SSL traffic and the more intelligent use of encryption in AMQP and other protocols it makes it harder for the intelligence services to listen to potential terrorist traffic.

Now I have to be very circumspect and proper here in how I write this article to avoid arrest. I have signed the Official Secrets Act. I have worked within GCHQ. I have been involved with the design and implementation of secure communications and encryption endpoints to Top Secret and above. I do know where the bodies are buried with regard to the weak and lax vendor acquired devices that have formed the basis of government, agency and defence spending for the last seven years.

The fact that the current and former UK governments (and their US counterparts) alongside many industry partners across multiple verticals buying the same kit have overpaid for  weak industry acquirable catalogue standard run of the mill technology. Badly written, badly managed by their vendors (for once not the governments fault) and walked blindly down alleys. This has allowed accreditors with weak understanding of cipher management and underlying dependent libraries, binaries and protocols have allowed literally hundreds of millions of pounds to have been spent on devices with less security certification than an iPhone6. These devices sit in frontline daily use today across the EU and the US. It's farcical that many governments have approved catalogues where they have approved vendor lists for devices, many of which are so badly broken and so compromised in their design and implementation that the poor accreditor or purchasing manager armed with a requirement,  an accredited service catalogue is therefore buying an outdated inferior product for four times the cost of building it properly using current shipping available code. There is NO liason, co-operation, upstream engagement, engineering or security engagement between these vendors and their outdated OS source. None. At all. Can I make this any clearer. The people shipping the boxes running the embedded Linux that powers and protects our end points reliant on nation state security DO NOT talk to the people releasing and developing it. If you were not scared before you have every right to be now. I've got the actual sources (from the vendors with their consent under GPL compliance) of a few of these devices numbering the tens of thousands in their deployment and it's beyond scary. If you were to go back in time via Distrowatch to January 2009 you would see more current, more valid sources to base your security on.

It's terrifying, if not vaguely criminal, certainly deeply unethical, that these vendors have been allowed to make hay while the sun shone, and have not engaged with the upstream OS vendor, the SSL community nor had the brains to understand the downstream implication to their government customers and have now put at risk the entire infrastructure and emergency response capability of their customers reliant on their devices.

Even when warned in writing those government agencies and accreditors because they are hamstrung by weak upstream advice on SSL and encryption ciphers and key material, through ambivalence, have instead walked hand in hand into one of the biggest potential security nightmares they can imagine. Worse there is nothing today they can do other than rip it out and start again across UK, US, EU and many member state governments whose assumptions around encryption at the core of many services is broken.

If Europol are serious then it's time they worked upstream to secure the devices that have formed the basis of the planning and infrastructure of their government partners. Instead of moaning about not being able to watch us, they should actually be asking, who is watching us ?

You can't have it both ways. We react as an industry because we form best practices. The eyes of the community are on Open-SSL to race to make sure that the fixes that have come out since Heartbleed (I was the first person to get the Heartbleed story to ZDNet the night it broke) are stringent. The fixes that have come out in three tranches since October to further harden basic function calls reinforce that. Expect to see more in the coming weeks and months as further scrutiny is poured on older functions and calls. As the implementation of PKI across Cloud and across telecommunication products and services is hardened to enforce customer security and reduce risk of man in the middle attacks and the likely attack on weak endpoints then it reduces the attack vectors and the threat fabric.

In the Open Source community we are entirely open, practical and totally enshrined on ensuring that we release early and release often and that we work stoically to get patches out to protect people reliant on secure auditable code. We don't always get it right but it's therefore even more shocking how badly many companies who then take that code to build devices forget why and where and how it came to be. Thats especially true of many supplying sensitive areas of the target market where the threat fabric is larger and the attack vector surprisingly large.

Expect the bad guys to go after the soft targets, if you're an Android user then security through obscurity, e.g throw out your phone and tablet every seven or eight months and replace them given your vendor is probably clueless (unless its Google or Samsung), if you're an Apple user you can sleep easy as long as you don't use a myriad of apps any one of them that could be handling a listening function to a service harvesting your information or device credentials.

We aren't reacting, as an industry, to lock out police and intelligence services, to state that is beyond stupid. We are reacting to protect ourselves and our customers because of the ham handed, without recourse manner that GCHQ and the NSA and other government agencies have behaved and now we're locking down upstream and mainstream services to assure companies and individuals that they do have the security they always assumed they have.

What Europol should be doing, if they understood how to engage - which clearly they don't, would be sitting down to work with us to understand how and why and where and to foster better working practices. Until that day happens then its back to the old days of seizure of devices only now the issue is that they can't read, open or interpret them, even under warrant, even with industry partners or complex rootkits.

Sadly, gloss will be painted over the fact that the technology that they've acquired themselves is so 1998 in it's design and implementation that as I pointed out it should be more worrying as to who is watching them, and more focus should be spent on fixing that in the short term. Only issue they have there is that the vendors can't help them as the vendors have only one focus, revenue. The vendors themselves don't talk to the OS vendor. How do I know this ? My phone hasn't rung and we've never spoken to them. They're too busy making money from shoddy reimplemented badly coded, badly repackaged outdated insecure code selling it to governments who accredit it secure.

This is fixable. Issue is that the right people don't sit down to fix it or to emerge from the tunnel into daylight able to even understand the core problems. They're too busy making blanket procurement decisions to buy the wrong kit from the wrong people. I'd be more worried about your own infrastructure decisions than technology companies doing their job right to circle the wagons and lock you out.

Now for those who question my authority to make these claims remember it was my security invention that protects and ensures the online safety of millions of people every single day globally, from school children across the UK and US school districts to retail businesses, hotels and motorway service stations and the myriad of devices and platforms that took their lead from our sources. For fifteen years I've made a career out of keeping people safe and doing it openly and trying to do the best I possibly can to get people to play nicely. It would be nice if someone listened and sat round a table and did something practical.

Who wants to bet nothing changes ?