Bitter war of words erupts between UK cops and web security expert over alleged flaws in Cyberalarm monitoring tool

A war of words has erupted between the National Police Chiefs' Council (NPCC) and a British web security pro after a senior cop declared it would be "a waste of public money" to keep discussing security flaws in the body's Cyberalarm product. Paul Moore says he uncovered what he described as a number of serious flaws in …

  1. lansalot

    also, Pervade...

    https://www.vice.com/amp/en/article/newd88/this-uk-company-is-making-it-easier-for-private-companies-to-hack-back

    "For a fee, one organization will provide a system that detects and can hit back at hackers with its own arsenal of attacks. But this isn't some anonymous group on an underground crime forum. Instead, Pervade Software, a legitimate and public facing information security business based out of Cardiff, Wales, sells a platform designed for private companies to retaliate against hackers with DDoS and other digital attacks."

    1. Anonymous Coward

      Re: also, Pervade...

      That's irresponsible of them (or was? the article is dated 2017). Anyway, this bit from Pervade is particularly stupid:

      "We sell knives. If you use it to cut a chicken, that's up to you. If you use it for something else, that's also up to you."

      Yeah but they are effectively encouraging people to see the utility of their knives as things to stick in people who piss them off.

      1. Fruit and Nutcase Silver badge
        Alert

        Re: also, Pervade...

        "We sell knives. If you use it to cut a chicken, that's up to you. If you use it for something else, that's also up to you."

        And if the Metropolitan Police come after you for computer mischief enacted by the tool we sold you, that's your problem, not ours.

        1. 0laf
          Facepalm

          Re: also, Pervade...

          In general in this country we don't sell 'things' which are specifically designed to harm even if these things are generally harmless if used responsibly. i.e. automatic firearms and high explosives.

          If you sell things which are explicitly designed to cause harm, in general, the argument that "our products are only dangerous if used in a dangerous way" will not often work in court.

          This is why in the UK you can't pick up a kilo of Semtex even if you only intend to use it as a paperweight or play-doh alternative.

          1. Alumoi Silver badge

            Re: also, Pervade...

            So, if I want to buy a non automatic firearm or ordinary explosives, I'd be allowed?

            After all, they are generally harmless and are not explicitly designed to cause harm, right?

            1. logicalextreme

              Re: also, Pervade...

              I believe that's affirming the consequent.

    2. Michael Wojcik Silver badge

      Re: also, Pervade...

      Frankly, this line:

      The disabling of TLS certificate validation, it's not a vulnerability but a risk

      is enough for me to cross Pervade off the list of "security" firms I'd be willing to do business with. But, yeah, that's another reason.

  2. Chris G

    If you trust the police.

    I don't.

    Considering their propensity for angling, I would not allow them any extra access to my data than absolutely necessary.

    How often do cops manage to make 2+2=5?

    1. Anonymous Coward

      Re: If you trust the police.

      "Well, you wouldn't want to make it hard for the police to get their Six Lines, would you citizen? Remember, we are here for your protection. Stay safe. Don't do anything which might draw attention to yourself. And love Big Brother."

    2. Anonymous Coward

      Re: If you trust the police.

      When it comes to IT, cops making 2 + 2 = 5 would be a blessing. In my experience, they're more at the level of 2 + 2 = a fish.

      1. Chris G

        Re: If you trust the police.

        "2+2= fish"

        So then you are nicked for either not having a fishing licence or poaching.

    3. onemark03

      How often do cops manage to make 2+2=5?

      Could it be because they need an arrest in order to look competent and / or as though they're Doing Something?

      Bugger guilt or innocence.

  3. AW-S

    That cease & desist letter

    "It is sad that Moore has felt driven to contact his lawyers over the cease-and-desist letters he received from the NPCC"

    Having read the letter, I think he wants to protect his reputation and if he followed the instructions given to him by Andrew Gould, it would be ruined.

    Gould's comment about the use of a logo, given the overall circumstances, is just plain pathetic.

  4. iron Silver badge
    Big Brother

    > end users deploy Cyberalarm's "data collectors" on their networks in a demilitarised zone and those then send alerts to the local police force's cybercrime team.

    Can we connect a dynamo to Orwell's grave? The rate he's spinning at it will generate more electricity than Sizewell B!

  5. The Man Who Fell To Earth Silver badge

    Huh?

    Now tell me again why would I want unqualified police on my network using a crude tool specifically created for IT dummies that produces oversimplified output they can't interpret?

  6. Pascal Monett Silver badge
    FAIL

    What a bunch of tossers

    First, they send out a PDF with a link to an outdated version. Why was that outdated version still available online? It seems a bit of housekeeping is in order.

    Then they get a second negative review and, instead of dealing with the issues, they abuse their power to send a menacing cease-and-desist because they're the Police and they don't want to waste their time any more.

    Sorry, but that is illegal and unacceptable. Apple does not have the luxury of sending cease-and-desist orders to people criticizing its products, but you, because you have the authority, you just bang one out. And that does not solve the problems that were raised.

    Oh, and saying that "...it is not conducive to the delivery of the programme's objectives to spend further time and public money engaging with these issues or with you" is really the most demeaning "speak to the hand" you can possibly deliver.

    Congratulations on being assholes. You get an A+ for that.

    1. DavCrav

      Re: What a bunch of tossers

      "Sorry, but that is illegal and unacceptable. Apple does not have the luxury of sending cease-and-desist orders to people criticizing its products, but you, because you have the authority, you just bang one out. And that does not solve the problems that were raised."

      Anyone can send cease-and-desist letters. If you wait around on this website for a while you will soon find an article about a company sending cease-and-desist letters about negative reviews, especially if they allegedly include knowingly false information.

      As for Apple specifically, use Apple's logo anywhere and see how long it is before you hear from them.

      1. Michael Wojcik Silver badge

        Re: What a bunch of tossers

        An excellent point, but it's also true that some organizations are much more prone to fire the lawyer-guns. And sending C&Ds to security researchers is nearly always an indication of a firm which neither understands nor cares about security. When a company that supposedly specializes in security products does it, it's a red flag.

  7. heyrick Silver badge
    FAIL

    Typical, these days

    The police seem to be happy go all out silencing those who want to criticise the police, but doing actual police work appears to be so much harder.

  8. Anonymous Coward

    NPCC

    Are they the cnuts formerly known as ACPO? *See many, many events of them overstepping their remit and thinking they both create and 'are' "the law".

    1. Anonymous Coward

      Re: NPCC

      They are. Apparently the National Police Chiefs Council (NPCC) replaced the Association of Chief Police Officers (ACPO) in 2015. ACPO were a private limited company (operating not-for-profit). Wikipedia doesn't mention whether NPCC works the same way. It may not; one of the disadvantages of the ACPO was that, as a private company, it avoided some Freedom of Information legislation.

      Both organisations get/got their funding from the individual police forces and the Home Office.

      I assume Det. Ch. Sup. Gould is seconded to NPCC duties from his "home" force.

      1. Alan Brown Silver badge

        Re: NPCC

        " one of the disadvantages of the ACPO was that, as a private company, it avoided some Freedom of Information legislation."

        Until it was determined that it had been deliberately set up to prevent FOI access to FOIable stuff, and as such DID fall under the rules anyway.

        That's when it folded/phoenixed.

    2. Version 1.0 Silver badge

      Re: NPCC

      So what would the local police force's cybercrime team do? The vast majority of attacks are not local.

      1. Anonymous Coward

        Re: NPCC

        I don't think local forces have cybercrime teams. The National Cyber Security Centre website states on their page about reporting phishing scam attempts (which should be reported to the NCSC):

        "You should not report a crime to the NCSC in this way. If you think you may have been a victim of fraud or cyber crime, and live in England, Wales or Northern Ireland, you should report this to Action Fraud at www.actionfraud.police.uk or by calling 0300 123 2020. If you live in Scotland, you should report to Police Scotland by calling 101."

        Action Fraud is run by the City of London Police force.

  9. Claptrap314 Silver badge
    Angel

    Sage advice

    "If you've got the budget, however, your organisation would also benefit from signing a contract with an IT security firm." I hear Fireeye is having a sale...

    1. hitchslap

      Re: Sage advice

      A firesale perhaps?

  10. sitta_europea Silver badge

    "...better than nothing at all..."

    You mean better than Action Fraud?
