Author Archives: dickmorrell


Today I lost a good friend from the security community.

Richard James was a security technologist and one of my friends. We first worked together in the fires of what became VirginMedia. I came out of self imposed retirement after selling SmoothWall to head up a fledgling part of NTL the former cable TV telco and broadband provider. Richard worked for the security team at Telewest the other UK cable incumbent provider, the crux being that NTL and Telewest both owned by Barclay Knapp would come together to form VirginMedia.

I joined NTL at a time when I didn't want or intend to be working. I made my money and retired in 2003 and had no reason or intention of being employed having exited SmoothWall and I certainly had no reason to want or need to work with idiots. So imagine my surprise when I got talked into digging NTL out the crap to go in to head up what would not even be know as cybersecurity but as a security customer function. Going to war daily with the existing "hardware network and security guys". Working alongside some great folk many of whom I am still friends with who actually got little credit for keeping a 7m user network alive, whilst their better paid bosses did little of anything credible and took the credit.

I scared the crap out of folk at NTL. I was hired to get them out the proverbial and to realign their MTAs and their caches, their ability to reduce customer services calls from tens of thousands of infected customers and a badly deployed platform that I used to root at will and hence why by the time I left I was reporting direct to the Chairman and was his personal security and goto guy for securing his Gloucestershire mansion and his London townhouse. By the time I left I was part of the team acquiring Telewest and also involved hands on with the merger meetings that very few people knew about at NTL even people who I had to work with every day. Richard came along as part of the acquisition and was part of a small team of security folk who had worked miracles.

Press and customers assume a telco is well organised. Telewest wasn't. It was a sinking technical ship and their mailservers in Liverpool were held together with tape and string and they took our lead in walled gardening customers and understanding how I built out whitelisting and greylisting and replaced Sieve rules and the dumb stuff that we inherited when I joined that made little to no sense.

It was just as hard for the incumbent security staff and management who were mostly traditional Cisco types with almost no useful skillsets and rightly they ran scared, and rallied to kick back and anybody who knows me knows that is when I'm at my best - I genuinely am not going to back down and I don't need the hassle or the money. If I tell you something is broken and it needs fixing or it will be hacked take it as read. If the network team don't rate it as a risk trust them or me.

Difference is I already hacked it and here is your data on a USB key. An exercise we used to play out in the CEO's office whenever the network team would try to ask for my head on a stick whilst I proved them to be old school and lacking in skills useful in dealing with modern cybercriminals. One Sunday I remember rooting an entire platform remotely and copying 300k subscriber bank account details to an external drive and then walking into the CEO's office and putting it on his desk after the network team had told them the platform was secure. Richard wet himself laughing.

It must have been hell for them because with all the CISSPs and certificates in the world they'd never met a hacker before and it was like taking candy off the proverbial baby. Even if I did take a £100k+ paycut to take the job to kill time rather than sit at home it was still hopefully a learning curve for their future careers. Richard got it, he'd back me up regularly.

Luckily NTL had some amazing management in the form of Steve Townsend, Dom Forrest and Justin Leese who would sit back and just let me do whatever I wanted. Consistently I would prove the point that it wasn't about me being right and them being wrong but the fact that I would regularly break into critical systems and platforms, and they wouldn't see me coming. It made life fun, that and the fact I had written into my contract I never had to wear a suit and could work from home.

There is a well known story that during this time I got bored went to Spain for two weeks and replaced myself with a server running Perl scripts outputting Acrobat PDF reports on a cron that created daily emailed management reports and nobody was any the wiser. It was essentially money for old rope and it wasn't hard to shine in a bucket of crap. Richard thought it hilarious someone could drop off the face of the earth and replace himself with nine Perl statements, Postscript and QMail. A fact nobody knew apart from a few other folk in the security team.

Richard got it, he understood the changing face of security. We had long discussions night after night during the acquisition process and we became firm friends at a time when people were reapplying for their jobs. He made himself safe by being honest, stoic and steadfast and able to translate some of the threat management and identification stuff into a platform at Telewest pre acquisition. He even became part of Chatham House rules projects with me with the intelligence services that only senior management at NTL and Telewest had awareness of. Working with the betting industry, the Post Office and major banks on DDoS issues and threat mitigation. One evening Richard and I along with Nigel Beighton (then found ourselves sat having dinner in The Dorchester Hotel in London with MI6 and Whitehall security folks, it was hilarious it was like being at school and being invited to sit and eat with the teachers. We felt out of place even though we were there for good reason. After the 7th July attacks on London that feeling accelerated with us both spending time working in London with the intelligence community.

When NTL and Telewest joined forces Richard became part of the host security team. I knew I'd had enough, I was bored. I was exiting stage left knowingly to go do exiting stuff first for Bell Labs in California and Lucent Technologies (pre Alcatel) and then to San Mateo to do Zimbra.

We kept in touch and talked regularly and met up at security shows and were supposed to have dinner this week but my wife and I had tickets to go to a music concert Tuesday night. He was down from Glasgow at Aztec West where he was staying while working for T-Systems in Germany doing security work with their partner EE the multiplay cellular broadband player.

On Wednesday night we talked till 1am. We talked about doing another startup sometime in the distant future to give ourselves something to do when we hit our 50s which isn't too far off and where just like SmoothWall we'd throw the rule book out the window and we'd employ our friends.

We talked about family, he was madly in love with his partner who had been in a massive car accident 18 months ago and was about to have to face court to get damages. How he'd been so grateful that fateful day that she had been driving his BMW which gave her a survival chance in the impact with a commercial goods vehicle. He knew I was happy, he was happy I was finally a dad after having spent the majority of my adult life in a very unhappy relationship where I would never have been one. He told me regularly I was punching above my weight with my amazing wife. We talked and laughed till 1am. He said that he was proud that my name would crop up in conversations and he could say he was my friend. That was one of the last things he said to me less than two days ago. It will stick with me forever.

Thirty six hours later I am sat having lunch when I receive word he had died suddenly this morning.

World. Shattered.

He was my friend, he liked music I couldn't dance to, he had a sense of humour that would make you laugh till you hurt. He was a talented technologist, a man who loved his family and who was honest decent and true.

Richard James you were part of the change from traditional bricks and mortar security to a time where security is more intrinsic and fluid than ever before. I will do another start up one day and I will do it knowing you'd have been part of it and made it successful. You were one of the good guys, nobody could say a bad word about you. You made a dent in peoples lives and you were the difference I am sure in me not embedding folk in whiteboards back in the day. A constant source of fun, bright eyed, a bundle of fun and utterly reliable to your core. A true friend.

Rest in peace buddy, I am stunned at your passing and bereft that you aren't around to tell me crap jokes and be my DJ.


I keep being asked "how do I get involved with what you're recording and putting out on your podcast ?". Well the simple answer is you have to be brave enough to stand in front of a field recorder in the bowels of The Moscone and talk to me. I'm recording all day today and Wednesday and there are still slots free.

Remember I AM a journalist so you have to treat me as such when we talk, this stuff goes public fast so think about what you're going to say and enjoy the ride.

Usual caveats apply. This podcast is meant for entertainment purposes only. Your mileage may vary. Do not try this at home. Void where prohibited. Some assembly required. Do not use while operating a motor vehicle, heavy equipment or when configuring an OpenStack architecture. Podcasts may be too intense for some listeners and children under 30 years of age. Please remain seated until the podcast has come to a complete stop. Studies have shown regular exposure to these podcasts causes increased weight gain. I am not a professional, I have no training, I'm not even particularly good at horse whispering. Don't believe everything that you know. Please keep your hands in the vehicle at all times. Do not tap on glass. Do not eat anything that has been on the floor for more than 3 days. Keep your hands to yourself. Not to be taken internally etc etc.

I recorded and released a show with the legend that is Josh Bressers from Red Hat and that recording is out now, click below to listen or goto iTunes, Player.FM or Stitcher (links in story below).


Live from RSA Conference 2016

This week I am in San Francisco recording a special radio show for and Red Hat called "Locked Down" I will be talking to the brightest and the best at RSA, expect to see a variety of shows going live over the week, discussing everything about the growing technologies, emerging products and the challenges that we are facing in security.

How do I get the show ?

If you have an iOS device simply subscribe via the Apple Podcast client on iOS available from the Apple store (or via Overcast or your podcast client of choice), simply search for "Locked Down" once installed. Stitcher Internet Radio App also is carrying the show.  SoundCloud is also carrying the stream.

If you have an Android device install Player.FM or BeyondPod and again search on "Locked Down" and subscribe. Stitcher Internet Radio App just like Player.FM and BeyondPod carries the show - all installable from the Google Play store. You can also listen in via SoundCloud.

If you are in a browser you can listen to all the shows as they appear using Player.FM directly by bookmarking and clicking directly via your desktop, or via Stitcher in Safari, Firefox or on any Mac or Windows browser. Stitcher doesn't always play well with Chrome, if you're a Chrome browser user click the Player FM link.

You can listen to episode 1 here in this post or visit SoundCloud's stream 

I land back in Britain jetlagged, wake up from a brief sleep to find the news flooding my phone's news feed that the Linux distro, LinuxMint, had a bad day at the office. ISO images with backdoors and forum / website rooted and modified with some data potentially stolen.

The thing with LinuxMint is that it's a great project with high user figures, easy to run, it's the goto Linux for the user fed up with Windows and even I have a couple of Mint laptops. However, it's never been "security first and foremost" in the minds of the tiny release crew.

This post isn't going to attack the team behind Mint. Mint is a great project, it's default build does a lot of things right that other distros get wrong. In the default install it allows you to use whole of disk encryption and it also allows you to wipe the target disk and encrypt the user home directory which other distros do not by default. Thats a huge win for users. It's only let down by the default state of the build not defaulting to secure itself down using UFW or basic hardening out the box and a better state of repository awareness to ensure that a better security patching infrastructure isn't utilised. Anybody installing Mint who has a clue needs to spend 45 minutes post build tying it down, once achieved your workstation is pretty damn tight with one exception. That exception is underlying assured trust.

The packages for LinuxMint and other Ubuntu derived projects uses so much bleeding edge and community derived not sanitised code that it is very much a suck it and see approach, e.g you wouldn't deploy Mint in a commercial or workplace environment or anywhere where total data security was an issue. It's a lot more secure than Windows 10 so lets set that straight before we jump into the reasons why you shouldn't be using Mint now on an ongoing basis.

Mint, like many Linux distros before it is built on love. It's maintainer is an amazing guy who has put heart and soul into his project and worked miracles to get regular releases out the door. It's regularly hailed by my friend Stephen J Vaughn Nicholls as a great distribution. A great distribution for hobbyists. You can't compare say Fedora and Mint. Fedora is built on engineering and built by major engineering teams in the OSS community meeting at conferences worldwide (but still built on a tiny shoestring budget and goodwill). Mint relies on Ubuntu but ignores some of the basic security doctrines that Ubuntu has built in (e.g root user hardening) and also ignores some of the upstream patching conventions too.  Makes zero sense, but thats where we're at and you'd think in 2016 there would be more common sense approach to understanding user / sudo segregation and risk avoidance.

The issue with the rooting of the website was just daft. Reading the timeline on the website it looks to have been "handled quickly" and in good order but the damage to reputation may now already have been done. As a community project you never utterly control community gifted mirrors but you should have better controls over your portal and your storage of user data.

Already the finger pointing has started. I'm not sure it helps. One thing is for sure this is a bad day at the office for a project that has given a lot of home Linux users a first taste of Linux.  Mint is not a company with infinite resources and engineers, they're trying their best and marching on goodwill. Now is not the time to tar and feather now is the time to just nod your head and realise that it was a bad day at the office but it was a long time in the making.

Nothing wrong with being a hobbyist, thats where so much goodness in the community is derived.

If you want a Cinnamon flavoured workstation, install Fedora, install Fedy post install then install Cinnamon from the command line. Done. Secure and ready to go to work.