Posts by Philip Virgo

Will Ireland join the UK in exiting before any real risk of the EU taking action.

Does this mean 5,500 experienced staff available for retraining as network security specialists.

Was this the software equivalent of the Ford Edsel? Or is it more profound - a tipping point that well finally enabled the Chinese to do to the US software industry what the Japanese did to their car industry half a century ago?

It could always be to do with GCHQ wishing to demonstrate that they are worthy hosts for the new National Cyber Centre. We will know if they stop trying to prevent funding for the development of UK security products which block all executable code unless expressly permitted - thus sodding up (technical term) most current attack vectors - and also (potentially) the business models of much of the current on-line industries.

Tomorrow came yesterday

Back in 1984 the NCC Microsystems Centre has a contract to test six GP systems. Each contained routines for recording, collating and exporting adverse reaction data (still not standard across) and not just record export (albeit on floppy discs) for transfer to other practices. Most also contained field level security (including "named doctor only" envelopes for "sensitive" information such as "says he caught it off the senior partner's daughter").

This is a good introduction. For a deeper understanding of why things are as they are, I recommend reading the Long Finance report on Cyber Catastrophe re-insurance http://www.longfinance.net/lf-research.html?id=937 . I attended some of the workshops leading to that report, have blogged on the likely consequences http://www.computerweekly.com/blogs/when-it-meets-politics/2015/08/the-ashley-maddison-hack-illus.html

The key point is that cyber is being routinely excluded from mainstream policies leaving policies which cover the cost of "incident management" (hopefully including business continuity), provided the organisation has an agreed incident management plan in place.

Why buy? Already the big UK Insurance Companies are more sophisticated in their approaches to Cyber risk than almost anyone else. The delete it from the policy unless you take out a specific policy which mandates best practice and, even then, covers only the cost of implementing a pre-agreed incident management plan - which commonly includes using a mix of leading security forensics consultancies to identify who attacked you and how so that they can decide whether to fund an "asset recovery" programme along the attack vectors used (including to launder the proceeds). .

This is what happens when a minister tries to impose good practice on the "professionals"

Right at the very start the Minister said he wanted the "pathways" checked before any code was cut.

The officials ignored him. Ministers set policy - they do not decide how it is to be implemented.

So the "usual suspects" burned through several hundred million before what they had produced was tried out on real humans. Surprise, surprise - it did not work - other than technically.

The "reset" was to go back to testing processes with real humans before they were enshrined in code for large scale roll-out.

It looks as though a subset does indeed work with real humans - and the phased roll-out of that subset can now begin - at an accelerating pace.

Next will come the task of "folding in" the other benefits - but at each stage checking that the changes work with those who are intended to use it. Hence then open-ended timescale.

I find it interesting that the Register should not be a fan of good practice.

The other way of looking at this is the abuse of legal aid to enable criminal lawyers to trawl through everything collected by (or available to) law enforcement, whether or not it might be relevant. What is being said is that it is too much hassle to review the way that court procedures have become skewed in favour of organised crime as a whole: not just in favour of well-lawyered terrorist groups.

US spook comms saved from attack by who: North Korea?

Remembering that TOR was created by US Naval Intelligence to protect its secure communications, including from leak from other agencies, I read the e-mails from the TOR organisers rather differently. My conclusion is that they have now reviewed the situation and are satisfied that those agents whose security was not breached by Manning and Snowden remain safe. Whether or not you believe that they not know or suspect who attempted the breach is up to you. My guess is that it was not the FBI or NSA but a foreign power, perhaps North Korea as a proxy for ... take your pick ... they need the money now that the falling oil price has destroyed their sales of conventional weapons.

Why are you all thinking negatively. Perhaps one of the insurance companies looking to underwrite well-managed cyber risk (and thus dictate the future) made him an offer he could not afford to refuse.

He checked his stories

When I ran the NCC Microsystems Centre (New Fetter Lane 1982 - 4) he was almost the only journalist who took nothing on trust - he checked it all out. A great source of knowledge and also very discrete on his sources. He never quoted any of my youngsters on anything not cleared by myself or one of my consultants. He independently checked what we gave him to use from our tests when we were not willing to be quoted. He was also happy to sit beside the youngsters explaining what he was looking for and showing them how he looked for it. A lovely man - and a very good, and patient, teacher.