Re: Background listening
Unfortunately there was one in 2013 as a direct result, and at least one more is known to be very likely to be linked to this scandal.
This whole sorry saga does show the importance of good, solid, long-term investigative journalism. In this case there are a number of people who have doggedly pursued the truth over many years. The real heroes in this are Computer Weekly and Nick Wallis. Computer Weekly first picked up the story in 2004 and have run with it ever since then. The then-editor Tony Collins is also instrumental in exposing other disasters relating to software, including the Mull of Kintyre crash.
Nick Wallis picked up the baton in 2010 and has steadfastly pursued the story ever since. He's the source of most of the BBC articles, he's the co-author along with Richard Brookes of all the Private Eye coverage, and his regular blogging all throughout the legal process is absolutely compelling reading (https://www.postofficetrial.com/). He's also the presenter of the Radio 4 series that's just ended and will also be presenting a Panorama about the scandal in a couple of weeks.
In the mainstream press, although it will pain many to hear, the Daily Mail have been solid in pursuing and keeping this story in the public eye for a number of years now and actually have a pretty good track record in campaigning/investigative journalism.
Zoom made a breaking change in their backend (I believe it's to do with an encryption change) which meant they had to force-upgrade everyone to Zoom 5. There was a one month window after Zoom 5 first launched, but the backend was cut over on May 30th at which point anyone on older Zoom would no longer be able to connect. Sounds like for some reason your tablet was still trying to download an old Zoom client.
I'm not impressed with Kieran's article and it's causing a lot of confusion and concern (as many other sites are just copy/pasting the information without checking). I know I'll get downvoted for this but here's some facts to clear up a lot of the wilful misinformation doing the rounds.
1. No, the app was not developed by Cambridge Analytica or Dominic Cummings or Marc Warner or anyone like that. People who jumped on that bandwagon misunderstood a different NHS contract. The app has been developed by Pivotal (part of VMware) along with NHSX's in-house team.
2. No, you don't need the app running in the foreground. The iOS app uses some clever techniques to allow it to run just enough in the background to be able to continue functioning. The Android app has some nifty code to allow it to parse the iOS Bluetooth beacon format to maintain cross-app compatibility.
3. The app does not track your location. The Android app only asks for location services because for some insane reason Google decided that Bluetooth permission is tied to Location (e.g. you have to ask for the latter in order to get the former). The iOS app does not ask for location permissions and the Android app does not actually use location data.
4. The app appears to be well written and uses good security practice (strong crypto, certificate pinning, UK hosted API endpoints, etc). There have been some false tweets about the crypto not being secure but that's based on a misunderstanding of how the APK was decompiled.
Disclaimer - I'm not involved in any way with the app, I'm director of a company which spent a lot of time yesterday pulling the app apart to see how it actually ticks.
We've got a similar issue - we'd love to send PDF bundles to the County Court but most courts still insist on printed bundles. To be fair the Judiciary would also love PDF bundles (they all have laptops and iPads now) - the sticking point appears to be the court clerks (who are the gatekeepers). We're trialling a system which is already used in a lot of the crown courts and some of the higher appeal courts - lets you ingest documents and then automatically indexes them, adds the appropriate cross-references between documents, etc. Then all parties can either just use a link to access the bundle directly in an interactive dataroom, or if you need to go old-school the bundle can be exported as a PDF (with automatic internal hyperlinks) or printed out for the terminally old-fashioned.
We're actually hoping to be able to use Covid-19 to force this issue; there was a change to the Civil Procedure Rules rushed out a few days ago which shows the Court Service is moving in the right direction but it's a chicken and the egg situation - no-one wants to be the first to use an electronic bundling system as until there is a successful precedent there is a risk that you could get censured by the Court for not having provided the documents in an approved form.
PS. One positive effect of Covid is that HMCTS have generously agreed that the email size limit for court service mailboxes will be lifted from 10MB to 25MB (except Judges who are already allowed to send/receive emails up to 150MB).
To be fair, it's just an implementation of TOTP (so you can use any TOTP app such as Google Authenticator, you don't have to use the Microsoft one). It still means the seed values are known by Microsoft so it's probably not perfect for tinfoil hat types, but it's certainly better than SMS based authentication which is trivial for a major player to compromise.
I'm seriously considering knocking up a simple app to do this, especially now it looks like they've backtracked and only require you to enter the nine box numbers from the VAT return. Although there are lots of spreadsheet bridges there seems to be a gap in the market for a simple standalone app for people who keep their records separately (spreadsheet, old-school desktop accounting software, etc) and don't mind just typing nine numbers into boxes once every three months and pressing a button.
As mentioned the main obstacle seems to be getting approved by HMRC to actually be able to access the API. That and coming up with a suitably snazzy name. I'm tempted by something like Hector - bonus points if anyone can remember him, and the word sums up HMRC's approach to MTD quite appropriately!
I recall reading a few months ago there had been a UK Gov report into the vulnerabilities of GPS (it's not just navigation - GPS timing signals are used for all sorts of scary things like synchronising electrical grid frequencies and regulating frequency slicing on the mobile phone networks). The conclusion was that jamming or solar events leading to a loss of GPS would have potentially catastrophic effects on modern life.
They suggested a number of solutions, one of which was eLORAN. Basically an update of the old LORAN navigation network used until the mid 90s, it would provide both location and timing (whilst many other GPS alternatives only do one or the other) whilst being virtually impossible to jam due to the much lower frequencies used. Unfortunately a trial a few years ago was kiboshed when other European countries turned off their transmitters (rumour has it there was pressure from the Commission not to support tech which could rival Galileo), so there's currently only one transmitter running (enough to support timing but not location, which needs multiple transmitters).
Setting up a chain of eLORAN transmitters would have the same utility as a British GPS system and would be considerably cheaper!
We've just gone through Cyber Essentials Plus and the assessor did check that all company mobiles were running the latest patched version of the OS (in our case iOS). He used a combination of reporting from our MDM system plus spot-checking a few devices at random.
I can thoroughly recommend CE and CE+ as it's not too onerous and for once it seems to actually focus on real-world risks (e.g. checking that your perimeter firewall actually blocks malicious URLs, your AV stops dodgy attachments, your users don't run as admin and you can't run downloaded exe files without a warning).
The one that caused us some problems (and it's actually a good one) was although we'd patched systems up to date, there are some Microsoft patches that only actually apply if you make a registry change. Thus we failed as the scanning software correctly reported that some of the patches weren't live. The solution there was to push the relevant registry key via Group Policy.
Until a few years ago they actually had several thousand direct customers as staff and pensioners had accounts with the Old Lady. No credit card, but a rather fancy cheque book with sort code 10-00-01. And back in the good old days they had ridiculously cheap loans and mortgages. Mind you, no chance of an overdraft facility - if you went a penny overdrawn you'd get a polite but formal letter telling you not to do it again.
They also used to have a number of commercial accounts for Government departments such as HMRC.
All scrapped by Mervyn King as part of his drive to turn the bank into a giant economics think tank and get rid of everyone actually interested in banking. This after a certain Scottish chancellor shafted Eddie, the previous governor, by removing all the regulatory bits and handing it to the idiots in the FSA.
+1 - we always timestamp as part of our code signing process as otherwise you get exactly this issue - when your cert expires anything signed with it won't know that the cert was valid at the point it was signed.
The only problem you sometimes get is that the main timestamping servers run by all the big CAs are notoriously flaky and completely unsupported - if they break then you just have to find another one. Not helped by the fact that Authenticode signing uses a different method of timestamping from pure RFC 3161 and not all timestamp servers support both formats.
What we really need is someone to offer cheap signing certs and provide a decent reliable timestamping server. Unfortunately Let's Encrypt have said they don't want to go into that area as they would be the obvious choice...
There's a surprising amount of misinformation and misunderstanding about Google's 2FA here. Probably not helped by the fact 2FA can mean lots of different things to different people and vendors use the term for all sorts of things.
However proper 2FA means RFC 6238, popularly known as Time-Based One Time Protocol (or TOTP for short). This is a standard devised by the Initiative for Open Authentication (OATH - not to be confused with OAuth!) and because it's an open standard there are loads of implementations of it. Google Authenticator and Microsoft Authenticator are the obvious ones, but even things like Symantec VIP (used for PayPal 2FA) is actually a tweaked version of TOTP and can be kludged to let you use a standard TOTP app instead of having to buy a PayPal dongle.
The key thing about TOTP is that it's entirely offline - no need for SMS or an internet connection. You simply put a seed value into your authentication app (usually by means of a QR code) and away you go. Some apps don't let you back up the seed, so the simple answer there is to either save the QR code image file in a safe place, or print it out and stick it in a fireproof safe/leave a copy with your lawyer/insert paranoid method here.
There are also quite a lot of server side implementations of TOTP now, and it's really easy to implement in code as well - there are libraries for all the major programming languages. So really, if you have a website which needs authentication, there's no excuse not to support it.
The latest standard that's emerging is FIDO (also known as U2F) but I personally don't like this one as it requires a physical key/dongle.
Source: I wrote a Windows TOTP server application a few years ago that my company still uses to provide mandatory 2FA for our corporate VPN.
I tend to agree with O'Callahan to some extent - when it comes to traditional AV. That's increasingly redundant as it won't easily detect new threats until updated, can be exploited, is often bloated, etc.
However in the last few years there have been some interesting next-gen AV products appearing which do seem to still have a place in our battery of security measures. Products like Webroot and Cylance (I'm sure there are others but these are the two I've heard of) which don't just do the traditional scanning of files but also monitor system behaviour. For example if a process suddenly starts writing to lots of different files one after the other, they'll alert to say this might be ransomware encrypting all your files. From that point they'll also log rollback data so that when you say "oh s**t it is ransomware!" they can undo all the changes made by that process, block it and automatically fire a report off to the mothership for analysis.
As has been said above it's all about layers - AV is one part of a solution amongst software restriction policies, firewalls, user education and a large pointy stick.
Agreed - didn't mean to say it was their fault as it does look like a Juniper issue from what has been said so far. I was just commenting on the ironic timing. I've always taken the view that everyone in the IT industry is going to have problems some day, it's how they deal with them that matters and so far (to an outsider) their communication has been reasonable.
We had a National Ethernet line out for about 90 minutes in the end. What was frustrating was that we couldn't get through to Virgin and nor could our hosting provider (who supposedly have direct access to senior Virgin technical contacts). We ended up getting our info from a combination of the UKNOT mailing list and the Andrews & Arnold IRC chatroom.
We eventually found out from other sources that a router overheated in their Poplar POP. They failed over to a standby router, but after about 30 minutes that one went bang as well apparently.
The Linx issue was separate, as mentioned previously.
Still, to be fair to them (and believe me that's difficult!), it's the first outage of the Ethernet service we've had since it went live about 9 months ago...