back to article GCHQ cyber-chief slams security outfits peddling 'medieval witchcraft'

The chief technical director of GCHQ's National Cyber Security Centre has rebuked infosec companies for spreading fear, uncertainty and doubt about hackers to sell products. At the Enigma 2017 conference this week, Dr Ian Levy said world-plus-dog were trying to flog security defenses to tackle "advanced persistent threats," …


  1. amanfromMars 1 Silver badge

    Do they lead where angels fear to tread or just follow crazy orders ......??

    GCHQ ..... Defending the Indefensible and Inequitable, and let us suggest that be akin to a perverse fiat capitalist money system and corrupt political incorrect and inept establishment model, is the Abiding Pervasive Treat which just keeps on giving the reasons for active dissent and quiet deep revolution, intelligent madness and idealistic mayhem ?

    Now, if that be true, or even should it contain any grains of truth, is an enemy identified at the top in the rank and file for vanquishing? To ignore the weakness is a stupid madness confirmed and highlighted as being systemic in established models, and that is stupendously massive vulnerability for exploitation open to all manner of interested and interesting state and non-state actor type entities.

    1. tr1ck5t3r

      Re: Do they lead where angels fear to tread or just follow crazy orders ......??

      The fact they are accusing security outfits as peddling nonsense, is a GCHQ chief in denial. No he (Robert Hannigan) stepped down suddenly due to family reasons.

      Did Russia hack and rewrite his speech notes before he put himself on the parapet?

      Have the media been reporting fake news about Russia hacking, and if so who is driving this Russian Hacking meme, someone called Andrew Parker MI5 perhaps?

      Or maybe the truth is these spooks never had the best people as the brightest all sought positions with tech firms in an earthquake zone chasing money, meaning Govt can only get convicted criminals with IT experience to work for the "Ministry of Justice" at best.

      What does that say about the current state of affairs?

      Even the hackers working for media outfits are earning better money than GCHQ employee's, but then what can you expect when the Royal Marines can not even keep track of weapons & ammunition stolen from right under their noses.

      Looks like a Grunt exposed the slap dash methods of the MOD Top Brass!

      1. amanfromMars 1 Silver badge

        Re: Do they lead where angels fear to tread or just follow crazy orders ......??

        Kettle Black Pot all spring to mind, Dr Levy, regarding that “medieval witchcraft” being peddled by others.

        With all the GCHQ is supposed to be able to do, virtually unknown and practically undetectable by others, and let us assume that it is everything that would be needed to be done to deliver an omnipotent omniscience anywhere and everywhere, then it does reveal a distinct lack of intelligence in future application of programs with intelligence for leaderships gifted with secret intelligence services and compendia of hearts and minds operations for launching with media manipulated puppets.

        And such, as long as it remains so obvious a deficit and disability in the field, will be always a subject and object to be attacked and tested by systems into such projects which be more advanced and enlightened.

        If you aint leading where all can follow are you bound to be rendered ineffective and considered compromised and pwnd by agents with hidden failing agendas. And that is the black pot which GCHQ is kettled in.

        And that is a result and problem which is entirely due to a lack of leadership right at the top of such services and of everything everywhere using and effected by its services.

        J'accuse. The evidence as presented by everyday chaotic news is overwhelming.

  2. taxman

    Bad news

    Inland Revenue service? That's not existed for over 10 years.

    If it refers to HMRC then they "got off their arse" and implemented DMARC and SPF back in 2013 and have been trying to get others to follow suit. Looks like their actions have been noticed and now NCSC have taken up the baton.

  3. Anonymous Coward
    Anonymous Coward

    "Levy’s talk was interrupted by a rather irate conference attendee who accused the agency of setting up a system that could possibly be used for censorship, similar to the UK’s infamous anti-porn firewall."

    Therein lies the rub - there almost certainly would be pressure for it to be compromised for such a purpose.

    Theresa May is the latest of many in successive governments who appear to regard access to information to be their prerogative and not for lesser mortals.

    With religious and nationalistic beliefs once again threatening to be the driving force in politics then it is a case of trading liberty for the poisoned apple promise of security.

    1. Peter 26

      This needs to be run by the private sector, not GCHQ. Why has this not happened? Why have they had to implement their own systems?

      1. Anonymous Coward
        Anonymous Coward

        You'd have to explain why you think that, for anybody to get anything from your comment.

      2. tr1ck5t3r

        If you build your own OS & Network, then how can hackers use the usual tricks that work for Windows, Linux, Apple, Android and so on?

        Lets face it, the BT network is and was largely unique until Bell Labs/AT&T started interfering with the UK telecoms infrastructure under the pretence of global standards. Then the Israelis started supplying cards for the telephone exchanges which were prone to failing at the first lightening strike, but these cards also always had to go back to Israel to be fixed.... data harvesting perhaps using common natural phenomena to create the high failure rate? Snowden showed some things haven't changed with regard to intelligence sharing but some cultures are more secretive and paranoid than others for historical reasons.

        If you want an insight into their activities look here at their recruitment pages.

        Typical technologies include OS/Kernel; FPGA; GPU; Bespoke Processors; C/C++; Networking

        Research includes Firmware design; systems architecture.

        So you know when you hear about a new bug affecting an OS or some hardware like this one.

        Pay attention to whats not said instead of what is said.

        They have the resources thanks to the taxpayers to sit there and hack your systems.

        Just why do you pay them money to hack your systems? Are you stupid?

      3. Bluenose

        Why the private sector?

        Are you suggesting we give it to the private sector so they can offshore it somewhere safe like Romania or Bulgaria and of course the private sector would never do anything wrong like misue the information that the can collect or rip off customers for the serivce they provide and then reduce the effectiveness of that service.

        Public sector is not always bad and private sector is not always good. What needs to be established is what works best for all and not the minority whehter they be right wing MPs who want to spy on everyone or money focussed private sector companies who simply want to pay more money to their board members.

      4. Primus Secundus Tertius

        @Peter 26

        "Why ..." may be a rhetorical question, but here is my suugested answer.

        By and large, the private sector does not do deep, fundamental innovation. Minor incremental updates, yes, but real new thinking is rare. They employ doers and sellers, not thinkers.

        So these things need to be hatched in the universities or other research establishments.

    2. netminder

      Sadly, given the actions of State actors like Putin we will soon have neither anyway.

    3. Primus Secundus Tertius

      @AC (1st)

      Outside the technical readership of El Reg there are many people who say internet porn is wrong, it should be stopped, and the techies should stop whingeing and just stop the porn.

      I once read that automatic telephone exchanges were invented by somebody annoyed beyond endurance after his calls to company A were connected to company B because B had bribed the operators. The telephone industry has matured, and the computer industry will have to do the same.

      1. Mage Silver badge

        Losing Customers: cf fake Domain parking and evil DNS

        Convinced that it should be subscribers, rather than the operator, who chose who was called—anecdotally, Strowger's undertaking business was losing clients to a competitor whose telephone-operator wife was intercepting and redirecting everyone who called Strowger—he first conceived his invention in 1888, and patented the automatic telephone exchange in 1891. It is reported that he initially constructed a model of his invention from a round collar box and some straight pins.

        See Wiki on Almon Strowger

        Certainly that's what I was told in the 1970s,

  4. Anonymous Coward
    Anonymous Coward

    Hackers are not the only threat.

    The secondary reason for any security is now, in my opinion, the defense from our own government, with the snoopers charter, GHCQ infiltrating internet backbones, and the mission creep of internet censorship. Anything statments that comes from GHCQ should be viewed with extreme skepticism.

    1. tr1ck5t3r

      Re: Hackers are not the only threat.

      Misdirection is a valid technique in the dark arts of spying.

      You feel more relaxed and let down your guard if you think they are only hacking network backbones.

      Perhaps consider the fact the US Tech sector is just a PR friendly part of the US Military with spooks from other countries more interested in whats going on in your home than anything else. DO you really think Bill Gates got that knighthood just for MS Windows service to business, or perhaps its really a window into your life?

      Whilst you might sense someone staring at you when out & about or from across the office, you sense nothing when that cold dark abyss of the camera in your smart phone is secretly watching your every move, whilst that microphone is recording everything you emit from your orifices.

      Listening in to people when they are asleep is the best because so many people sleep talk when they dream, so you can find out what's on someone's mind, which is why the smartphone is used as an alarm clock more than any other application. Perhaps you have secret pervasion, like sticking things up your bottom? Its all recorded for future posterity.

      I trust you have seen the news?

      Spooks including MI5 & MI6 will play your behaviours more than you think, why do you think they have a close working relationship with escort agencies, sex and blackmail are the two oldest tricks in the book. Something Journo's know only too well, but sometimes they have to resort to drugging their targets in a bid to get them into a compromising situation which might be the "banker" that comes in handy later on in life, and with the best pharmacy in the world of legal and illegal drugs at their disposal, they can do anything they like, after all they make the rules and its all done in secret until the journo's get given a tip off so often seen with public figures including celeb's & politicians stepping out of line.

      Maybe you will think twice next time you read the Daily Mail about some juicy gossip, just what is the real agenda behind the scenes?

      1. Jamie Jones Silver badge

        Re: Hackers are not the only threat.

        Awwww Mike, still not cured after all these years?

      2. Primus Secundus Tertius

        Re: Hackers are not the only threat.


        Sir or Madam,

        You vastly overestimate the extent to which They are interested in Us. Believe me, I went to a privileged university with some of Them.

        We/Us are merely statistics, 60 million of Us in the UK. Cheap computer hardware is not here to benefit Us but to benefit the Googleocracy that collects statistics about us on a huge scale.

    2. Oh Homer

      No "advanced persistent threats" here. Honest!

      Says GCHQ, the organisation that probably poses the greatest advanced persistent threat to UK citizens' cybersecurity.

  5. Anonymous Coward

    Diversion ahead

    "Advanced persistent threats" is a term which covers sophisticated state sponsored hacking and pervasive technical surveillance. Misdirection is a form of deception in which the audience's attention is focused on one thing to distract its attention from another. Should I be surprised that an employee of GCHQ wants to downplay GCHQ's core business and divert attention elsewhere.

    1. Paul Crawford Silver badge

      Re: Diversion ahead

      That is indeed possible.

      However, looking at the numerous "advertorial" reports of APT and other malware, often with no real information about the infection vectors, etc, we see from companies selling AV carp, he does have a point that many reported "APT" come down to simple incompetence and a lack of top-level action to deal with it (you know, like budgeting for security and backing up the CSO's policies at a board leve to have them implemented and testedl).

    2. John Smith 19 Gold badge

      "sophisticated state sponsored hacking and pervasive technical surveillance. "

      Now those are what I'd call Advanced, Persistent Threats.

      Neither look like going away and both attack privacy and anonymity, both of which are essential to allow the democratic process to operate effectively.

    3. Version 1.0 Silver badge

      Re: Diversion ahead

      It's 2017 and this is News?

  6. Destroy All Monsters Silver badge

    Hyping APT

    Churnalists "taking up the flame" of this and that politicial candidate or getting instrumented as mouthpieces of politicial propaganda are as guilty as any of the hoodie hype.

    But in the end, it's all about not getting looted. And this comes down to proper information security governance. Which we ain't gonna get.

    1. Doctor Syntax Silver badge

      Re: Hyping APT

      "And this comes down to proper information security governance. Which we ain't gonna get."

      Until after the event.

      1. John Smith 19 Gold badge

        "proper information security governance. Which we ain't gonna get." Until after the event.

        Sadly not necessarily even then.

  7. Anonymous Coward
    Anonymous Coward

    He needs to start at home

    1. Doctor Syntax Silver badge

      What's odd about that? It just has a picture of its author at the top.

  8. Stuart 22

    Stupid Telco

    "He pointed out that a UK telco had recently been taken offline using a SQL injection flaw that was older than the hacker alleged to have used it."

    Not the one who lost their CEO this week?

    1. Anonymous Coward
      Anonymous Coward

      Re: Stupid Telco

      They told him is was doubly best, not to Talk about it.

  9. Roj Blake Silver badge

    Medieval Witchcraft?

    What's medieval witchcraft is the claim that encryption with backdoors is still secure.

    1. Anonymous Coward
      Anonymous Coward

      Re: Medieval Witchcraft?

      > What's medieval witchcraft is the claim that encryption with backdoors is still secure.

      That's not witchcraft, that's Intelligent Design! (After all there is some truth in herbal remedies)

    2. allthecoolshortnamesweretaken

      Re: Medieval Witchcraft?

      Well, what about contemporary witchcraft then?

  10. junglesnot

    I think I might be developing dyslexia: every time I see the word "Usenix", I read it as "Unisex".

    1. Rich 11 Silver badge

      What's unisex? Sex on a unicycle? Two institutions of higher education spawning a business venture? Something involving ponies with the horn?

    2. Anonymous Coward
      Anonymous Coward

      "every time I see the word "Usenix", I read it as "Unisex"."

      That's okay. Every time I see the word Windows I think; let's bust through them and get to the outside! And don't get me started on raspberry pies...

    3. allthecoolshortnamesweretaken

      Oh, I'm so glad I's not just me!

      Every time I see 'usenix enigma' my brain will convert it into 'unisex enema'.

  11. Anonymous Coward
    Anonymous Coward

    He doesn't seem to know what the words "medieval" or "witchcraft" actually mean.

    1. Rich 11 Silver badge

      False advertising.

    2. Doctor Syntax Silver badge

      "He doesn't seem to know what the words "medieval" or "witchcraft" actually mean."

      Medieval witchcraft is probably the code name for one of GCHQ's operations.

      1. allthecoolshortnamesweretaken

        In "Tinker, Taylor, Soldier, Spy", "witchcraft" was the material gained from source "Merlin". Which turned out to be an operation to undermine the service and to protect a mole inside it.

  12. Anonymous Coward
    Anonymous Coward

    It's more like snake oil than witchcraft

    I get the point, but using religious hate-speech weakens it somewhat.

  13. This post has been deleted by its author

  14. x 7

    what UK porn firewall?

    My porn downloads quite nicely thank you

    1. Anonymous Coward
      Anonymous Coward

      Your porn may download ok. My isp is blocking it. Every time I try to download porn on my connection I have trouble with it staying up.

      1. Korev Silver badge

        Oh come on, it's not that hard...

      2. d3vy

        Maybe your pipes not fat enough?

  15. Black Rat

    adequate pernicious toe-rags

    Seriously with comments like that and they wonder why they cannot attract new talent. Then again maybe it's a recruitment test, a challenge for those with the stones to go after the GCHQ firewall.

  16. Camilla Smythe

    Hello. Pleased to be telling you...

    My name is Ian from Microsoft GCHQ and your computer is reporting back to us it is having problems so I am here to fix it for you. Please to be pressing the Windows Key and R.

  17. james 68

    Whatever it takes to make a sale

    Only tangentially related:

    When working in an all girls secondary school in Belfast I got a call from the headmistress to attend a meeting because she couldn't understand the reams of buzzwords the contractor was spouting. As it turns out the meeting was for migrating to a hosted cloud system. As the head technician I should have been there in the first place but the headmistress "hadn't wanted to bother me" which was foolish.

    I listened to the guys bullshit for maybe half an hour and it was painfully clear that he had no idea what he was talking about. I then asked him if the school would be connected by a secure VPN, he didn't know. I asked what kind and strength of encryption was used both on the connection and stored data, again no clue. Annoyed by this point I pressed him on how exactly his company guaranteed the data concerning 400+ young girls would be secure considering that if it went into the wild the school would be the one held legally responsible, It was at this point that he started waffling about "security through obscurity" and I got up and walked out taking the headmistress with me.

    This cloud company btw came supposedly vetted and rated for security by the NI education authority.

    From what I heard at that meeting, waving chicken bones while humming cumbaya would have been more effective.

    The overall view of many companies concerning security, when they really should know better, is woeful.

    1. Mage Silver badge

      Re: Whatever it takes to make a sale

      I gave a presentation once.

      The chairman of the board complained that it was over the top security and lock down. He said most students wouldn't have a clue how to hack stuff.

      I pointed out:

      a) They could look it up on the internet.

      b) What about the other expert students? Were they trustworthy? It only needed one expert bad egg, and he might even explain it to the others.

      Despite being the most expensive, we got the contract.


POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like