I also have a blog on other subjects.

Secure Microblogging

Proposal

It is possible for microbloggers to publish their public keys as a link from their profile. This might be indicated by preceding the URL with a code, such as a double $$ dollar sign. Add an agreed symbol, $$ for example, at the beginning of the message to indicate that it has been signed by being encrypted with the matching private key.

Similarly, a message encrypted with another's public key could be preceded by $$username. A message starting with:

$$username $encrypted text

though as will be clear in due course this might not always be desired.

As the message string is short, it should be encrypted directly to as to not lengthen it. As a result, if PGP type encryption were to be used, the message should be treated as the session key, not the body text. Given the sixe of microblogs this should not be onerous.

Securing communications through microblogging

Message signing

Alice:

• creates a micro blogging account
• publishes a link to her public key in her profile
• posts a message encrypted with her private key, preceded by the $$ code.

Result:

• anyone can read the message, by using Alice's public key
• only someone knowing Alice's private key could have sent it

Secure Messaging

Alice and Bob:

• create a micro blogging account each
• publish a link to their public key in their profiles

Alice:

• posts a message encrypted with her private key, and Bob's public key preceded by the sequence $$bob $$.

Result:

• anyone can see that Alice has sent Bob a message
• only someone knowing Bob's private key can decode the message
• only someone knowing Alice's private key could have sent the message

Anonymous Addressing

Alice and Bob:

• create a micro blogging account each
• publish a link to their public key in their profiles

Alice:

• creates a string encrypted with her private key and precedes it with the sequence $$bob. This concatenated string is then encoded with Bob's public key and posted as a message, preceded by $$$.

Result:

• anyone who uses secure communication with Alice attempts to decode the message using their private key
• Bob alone will find a message starting with $$bob
• no-one can see that Alice has sent Bob a message
• only someone knowing Bob's private key can know that the message was for him and decode the message
• only someone knowing Alice's private key could have sent the message

End of Office - End of Empire

Introduction

"If you only have a hammer, you tend to see every problem as a nail." Abraham Maslow

There is no denying the influence that the Microsoft Office family of products has had on education. Teachers have adopted the term "a PowerPoint" to mean a presentation. It is only a few years ago that there were a range of applications that might be used - Worderfect and Lotus 1-2-3 are just two. The shift over the past decade to a monopoly position has been made in small steps, and has considerable impact on our students' learning.

The educational benefits of these products is not clear cut, and reaching a conclusion is probably beyond the scope of this article. The fact that has been seen as the only solution to be taught or used in education seems difficult to contradict, and as a result many of our syllabuses and examinations in ICT seem unhealthily focused on one, proprietary, product.

full article - pdf

Portable Data Security

I was involved in a discussion on a mailing list the other day about how to secure peoples' USB sticks. This may have something to do with the unfortunate habit of various people to leave IT equipment on trains. The initial request was for a device that would work without much intervention on the part of the users. I recommended two Free Software solutions. The next posting recommended a proprietary software solution, the next a proprietary hardware solution.

Let's take the second of these first. This USB stick requires the user to type in a PIN, on the USB stick. This seems like a good idea. Well it might be, if the design was given sufficient scrutiny. Twenty seconds after I had read the post recommending this device, my favoured search engine gave me the result I had vaguely recalled. This memory stick had been comprehensively hacked. Lever the case apart, solder on a resistor in the right place, and low and behold, all the data was available. This was pretty predictable really. Now my writing style in mailing lists may leave something to be desired. The upshot was that I probably upset the author of the post proposing a demonstrably and publicly insecure solution. He went out and found a newer, more expensive solution. This USB memory stick is embedded in epoxy and sealed in a steel case. It uses a chip of some description to perform AES encryption on the fly. Make ten mistakes in guessing the password and it goes into Mission Impossible mode and self destructs. The company argues that it is effectively impossible to hack. Now where have we heard that before.

• "The lock that couldn't be picked."
• "The unsinkable boat."
• "The Chip and Pin terminal is completely secure."
• "The end of boom and bust."

Now it maybe that this memory stick is perfectly designed. The problem is that if you visit the reviews of this device, they all seem to have the same words in them. Little phrases catch your eye, over and over again. Their source is the manufacturer's website and press releases. Now I occasionally write for money, and it is never enough. These reviewers are being paid precious little for their work. Before the changes of the past few decades, journalists would at least have time to consider their work before submitting it. These journalists just do not have the time. They are working under deadline pressures, many of them freelancers on poor wages. So what do they do? Simply reuse the press releases and websites. This has been termed "Churnalism" and a book by this title has recently been released.

So has anyone independently tested this new device? I doubt it. It does carry a NIST FIPS certificate, but so have many other failed devices, and anyway, this only confirms that the encryption algorithm has been implemented properly. So, this is my reading of the development process...

• Idea gets drawn on back of envelope
• Calculations involving profit get done on a spreadsheet
• One, two or three engineers are given the task of designing the device
• A second team of engineers then try to crack it
• Repeat 3 and 4 a number of times
• It is deemed good enough and sold

Now ask yourselves - where is there space in the process for saving money? Remember, you are convinced that the original design on the back of the envelope is already perfect. Besides which, the investors want a return on their money.

Now it maybe that this device is completely secure internally, and it maybe that it is safe to leave it on the train. The problem is that I just cannot find out if it is that good. I have the company press release and website, and then I have the churnalists' interpretations of the company press release and website. At this point it might be worth going back to the original question on the mailing list. I got the distinct impression that the reason for the request that it was seamless, was that the IT support considered that if there were any thought involved it would be beyond the end users. Users are so used to being treated as incapable of doing things, that it has become a self-fulfilling prophesy. They spend their lives using computers as typewriters, calculators and filing cabinets. Their managers are worse. I cannot count the number of times that I have heard managers sound almost proud about not understanding computers.

I have a rule that I will not employ someone to do something of which I do not understand the basis. My reasoning is simple. If you do not understand the basics of plumbing, then your plumber can sell you anything. I am sure I am not far from the truth when I say that a manager who does not understand IT can be sold anything by his technicians. I have a friend who was working in a technical support in a law firm. The technicians managed to convince their bosses that the upgrades were going to take about a month of weekend overtime... This in turn reminds me of the story about the bank traders who were doing things their bosses did not understand.

I have a second rule, that I will not use anything that I cannot understand. Please note, I say "cannot" not "do not". If I understand the principles then that is good enough. This impacts on my choice of software and hardware. I prefer to be able to find out or work out what they are doing. I also want to be able to see other people inspecting and understanding the systems. As Linus Tovalds (well maybe it was him) put it, "Given enough eyeballs, all bugs are shallow." Oh, and I definitely want to be able to understand my data. As an example I am writing this in AbiWord on an Asus EEE PC. If I open the file I can read the text, and the markup. I can understand the file format.

How much more important is this when it comes to computer security? To take something on trust from a manufacturer or supplier can only be regarded foolish. With the trends in churnalism referred to above it is pretty clear that we cannot just rely on the media - old or new. Bloggers are hired for a couple of dollars an hour, through services like oDesk to say what ever people want. You can flood the Internet with positive reviews for a few hundred dollars. You can probably overwhelm negative reviews for a few dollars more. The reader should not get the impression that I know there is a flaw with the security of the device I am referring to. The fact is that I do not know - and cannot know unless and until it is proved insecure. This is the problem with "security through obscurity" as Bruce Schneier amongst others have called it. With free and open source solutions the code is inspected by many people, including potentially me. This does not guarantee that it is totally secure, but it does encourage a situation where, if flaws are found, they are fixed. They seem to always be announced, even when they are as embarrassing as the error in the SSH key generation in Debian. Now if a manufacturer of a piece of security hardware suspected a fault, what is the advantage to them of announcing it? Answer, none.

Let us return to the issue of mobile devices and security. There are two cases to consider. Case One: carelessness with hardware. Case Two: The planned theft of data. The first case refers to people finding CDs, memory sticks, cameras and laptops on trains - or for that matter on eBay. The likely outcome of a member of the general public finding something like this is that they will either announce it to the press, or they will wipe the device and use it themselves. In neither case is the security of the data really at risk. My belief is that the many more of people would keep suitcase of money than would use a found credit card. Similarly, if someone found a memory stick containing, say, the personal details related to many bank accounts, it is probably safe. If it is even weakly encrypted, then it is almost certainly safe - as long as the likely contents are not obvious from inspection. Thus if the laptop boots up saying "MI5 Property" then it is less secure than if it does not announces its origin. Memory sticks and CDs should be labeled in such a way that makes sense only to those inside the organisation, and without the organisation's name on them. With weak encryption and anonymous hardware we are now secure from the non-intentional theft of data. It is highly unlikely that an accidental find will be subjected to too much scrutiny - if interesting data in not obvious it will be safe. Two final points:

• don't rely on the office suite to encrypt the file - these have almost always been cracked.
• select files names that are note obvious, "Bank Accounts Details" might create more interest than "BA081212".

The second case is more problematic. This is the case when someone sets out to intentionally steal data. Again, this splits into two cases, those with a specific target and more promiscuous attacks. An example of a promiscuous attack is buying second hand computers on eBay in the hope that personal data can be extracted from them, or hosting a honeypot on the Internet that collects user names, e-mail addresses and passwords, and then tries them against PayPal... These are a risk to everyone, and require good practice to avoid:

• wipe everything before you sell it
• use different passwords for your important on-line accounts

Businesses and government departments ought to find these easy to implement.

The real problem arises when someone specifically sets out to steal your data. If you are a school, hospital or charity you need to consider whether this is likely. It strikes me as improbable. This suggests that you should stop at developing the good security practice outlined above. If you data accidentally falls into the wrong hands then, even with weak encryption, it is unlikely that your data will be compromised. If you are not sure that you fall into this category then read on.

If you feel that your data is sufficiently valuable to be targeted for theft then you need start by training your staff. They need to be computer security literate. They need to understand the value of the data and then follow all good practice. You also need to hire a hacker to carry out penetration testing of your organisation's handling of portable data and respect what you are told.

As for data encryption, you need the most reliable and secure that you can find. This means using free and open source software. There are a number of products that fit the bill, but the top two have to be GNU Privacy Guard and TrueCrypt. These both have the potential to make your data extremely secure. These can both be compromised in a moment by someone else having access to your hardware, or your staff using a computer that is not secure. Thus having a completely portable an apparently secure memory stick, that needs no software on the computer is a security risk. Consider the planning of such a data theft.

• A key logger is set up an a computer
• A third party allows you to use that computer to access your memory stick
• A week later a pickpocket steals your memory stick

This emphasises the point that it is all about training your staff to appreciate computer security.

The bottom line is that if someone wants your data badly enough, they will get it. You can only protect yourself by making sure that it will be more cost them more than it is worth. It is worth noting that many of the computer viruses that appear in the wild have a payload that fails to deploy properly. It is my suspicion that many of these were written with one specific installation in mind and released in to the wild to cover up the tracks of the data thief. If you consider that your data is vulnerable to this sort of effort, then you really should talk to the penetration testers. You cannot trust the opinions of your IT department or, for that matter, any of your employees, because they have prejudged the matter.

Popular Subscription, LPG and Free Software

In the remarkable book "White Mars" by Brian Aldiss (with Roger Penrose) there is a discussion of a concept called "Popular Subscription". I quote:

"We are conditioned to subscribe to the myths of the age. We hardly question the adage that fine feathers make fine birds, or that young offenders should be shut up in prisons for a number of years until they are confirmed in misery and anger. When witch hunts were the thing, we believed in witches or, if we did not believe, we did not speak out, for fear of making ourselves silly or unpopular."

I was at my local LPG filling station, in Lye, the other morning and was chatting with the guy who does the conversions and another owner of an LPG converted car. We were trying to understand why more people did not convert their cars to LPG, when it will pay for itself in abut 2 years and there after almost halve the fuel costs. For myself, I bought a 20 year old Volvo estate, in really excellent condition, for £900 and then paid £1,500 to convert it to LPG. The car has a good decade's life in it and now costs me about 11p a mile, for a luxury car that will carry a massive load - which I need for my work. We could not understand how people could not see the logic of doing the same. Aldiss' concept explains it pretty well, it is that most people cannot consider alternatives to the common views. Everyone runs their car on petrol, so that must be the thing to do. I explained my work with Free Software, and said I faced the same problem. I explain that Free Software is:

• Free - as in without cost;
• Reliable - very well maintained;
• Cheaper - in that you can often run it on older hardware;
• Sustainable - if you need a specific piece of software, you can maintain it.

I sometimes wonder if I'm wasting my breath. Yes, I'm managing to make a living out of supporting GNU/Linux and the like, but most people just won't get the idea. Just like most people won't get the idea of LPG conversions for their cars. This is not a conspiracy, it's just a cockup of society that constructs people who conform in their thoughts - they just find it really hard to listen to new ideas.

This morning I filled up again, and when I wandered in to pay, I was brought to a halt. There was a Toyota Prius in for conversion. I had a long chat about the conversion, which was only the second that they knew of in the UK. Now I'm not certain about the Prius, particularly as the key to being green is not driving, but this was interesting. I reckon that it will cost about 4.5p per mile in fuel. Now that is cheap! Is it cheap enough? We not for me, as I reckon that over the five year term my old Volvo will cost me considerably less (about a third of the total cost of ownership).

Government interest in 'open source'

The day after the local elections Becta put out a tender for a project to promote 'open source' adoption and development in UK schools. There are two points to note about this - the timing and the performance indicators they chose. If you wish to the the tender documents I've made them available through GoogleDocs.

The Timing

OK - when it comes to politicians I'm a cynic. My reading of the sequence is as follows:

1. The Tory party received a briefing paper on FOSS.
2. Cameron makes a speech about open source. This may have been timed to prevent the Labour party responding rapidly, because of the purdah rules about making announcements in the run up to elections.
3. The day after the local elections, this tender is published.
4. The period of the project is set to run until just after the expected date for the general election.

I expect that if you look around you will find the most government agencies have just released similar tenders, all designed to counter the spin doctors' expectation of the Tory manifesto.

The Performance Indicators

If you have a look through the KPIs in this tender, you will find they are trivial. I am a member of several free software in schools mailing lists - at least two of them already exceed the KPIs for discussion, and the community developed Schoolforge UK exceeds the communication ones.

This is incredible - the authors of the tender document clearly haven't done their homework. I guess that anyone tendering on this will have to take advantage of the opportunity offered to increase these KPIs.

Creating wealth with free software

A report by the Standish Group indicates that adoption of ‘open source’ has caused a drop in revenue to the proprietary software industry by about $60 billion per year. That’s not a huge amount of money compared to what has been lost though the misselling of mortgages, but it is still a lot. The report identifies the value of these ‘open source’ products to be about 6% of the world market for software. Unfortunately, the Standish Group doesn’t believe in openly sharing its research, instead selling it for $1,000…

In an ideal world, we could presume that the companies that are not spending this money on proprietary software are spending it wisely. If you are a senior decision maker, then find out about the cost savings that are possible in IT at the moment. Thinking about an IT department in a large organisation, it is unlikely that the management are going to want to reduce their spending, as this will make them less important… and we can assume that managers don’t want this. It will be much easier to stick to the proprietary route and keep spending money.

Find a good consultant and offer them the $1,000 that the Standish Group are charging for the report. You'll never make a better investment.

The OFT, Building Companies, Cartels and Building Schools for the Future

My initial involvement with BSF was being part of a team proposing a free software solution to an authority. We were not successful. Today I hear the OFT allegation that 112 construction companies have been running a cartel in bidding on high value contracts. I note that 5 of the 6 companies that won that BSF contract are in this list.

Looking at the complete list, I have found BSF contracts for:

• Apollo Education
• Durkan
• Galliford Try
• Balfour Beatty
• Carillion
• Willmott Dixon

The evidence of price fixing would seem to be extensive, with the BBC reporting that several of the companies has requested leniency from the OTF. They would appear to be claiming that their practices were now fully compliant. One can only wonder what the additional cost to the tax payer will be, as these contracts are effectively mortgages. Does this mean we will re-pay any fraudulently inflated prices several times over?

Please email me if you find anyother links between any of these companies and BSF, so I can update this list.

Richard Rothwell
17th April 2008

---

It's the data, stupid.

During Clinton’s successful 1992 campaign James Carville hung a sign in their headquarters with the following three points:

1. Change vs. more of the same
2. The economy, stupid
3. Don’t forget health care.

He was attempting to counter Clinton’s inclination to offer solutions to any and every topic he encountered. I know I have a similar tendency, and it comes into play when I attempt free software advocacy. As a result I’ve been working on my own version. My sign looks like this:

1. Change vs. more of the same
2. The data, stupid
3. Don’t forget the excluded.

The data is something I have been trying to emphasise of late. It was driven home to me when I was running a training session for a project I’m running providing computers to socially excluded families. I was explaining why it was important that the kids backed up their work onto their memory stick. “If the computer breaks, then we can replace that, but we won’t take responsibility for your data. I charge lots of money to retrieve data for people” One of the kids asked me why it cost so much to get lost work back. I drew my example from their school coursework. “Well, if you’ve spent 40 hours on a piece of exam coursework, even charging that at minimum wage then it’s worth £200.”

But backup is only the start of this question. The current debate about attempts to get ISO to adopt Microsoft’s Office Open XML. This worries me - I know that if I save a file in OpenOffice then I can uncompress the file and read the internal XML. Now I’m not enough of an expert to discuss the relative merits of the two standards, but I know ODF works and a key point is that there should not be competing standards. I also suspect that some of the extreme obfuscation within the OOXML format is part of a longer term vendor lock-in plan. Now, the question is how to deal with this in my advocacy. The story I tell is this…

“I went to retrieve a word processor document I’d written several years before. Actually, quite a long time back, as I had been produced on a freeware DOS word processor. I managed to find a PC with a 5.25 inch floppy disk drive, and copied the file over. But I didn’t have the program. I opened the file in a editor and discovered that it was a mess. Weird characters all over the place. I had lost my work.”

What is the point of archive and backup if you can’t read you data?

First published in the Free Software Magazine.
Richard Rothwell April 14th, 2008.

---

Free Software - is it a political question?

Think, for a moment, about what the free software community looks like from the external gaze. “Bloody Communists” - I’ve never actually had a businessman say this to me when I’ve been explaining free software, but I’m sure they’ve thought it. I suppose the smarter ones might have thought “anarcho-syndicalists”. Choosing to use free software may be simply economic, but contributing to any such project is surely a political statement.

So what is this statement? I’m not the person to write your statement, but I can offer mine.

My background is as a teacher. I spent years trying to get kids to use computers and think about what was going on around them. I had the constant frustrations of using software that I couldn’t dismantle and rebuild when it failed. I had vague memories that it had not always been like this. While at university I was required to do some calculations about the maximum bit rate a human could process - and it struck me that my word-processor was demanding more. This realisation led to a slow journey from small deployments of free software, culminating the installation of a complete school network running Linux Terminal Server Project. It has also led to a complete change in my life - I’m no longer a teacher and earn my living substantially from free software, working mainly with the voluntary and education sectors.

I hold to the principle that the way to earn money from free software is from what you are doing, not from what you have done. This means training, consulting, coding, installation and support. It’s a great life - though working for myself is a bit scary, as I can’t rely on my historical practice of calling the management incompetent.

The only organisation that I work for that had ever thought about the implications of the software it was using is the Birmingham Friends of the Earth. I encounter charities and voluntary organisations on a daily basis - and they have a policy about buying fair-trade coffee, but haven’t even thought about their software. Most of these organisations believe in co-operation and sharing, and yet don’t have the expertise to apply it to their use of IT. So I try to educate them and show them the benefits, for both themselves and the wider community.

Experience tells me that the capitalist model is disastrous when applied to software development. Does that mean I believe that capitalism is disastrous in general? Let’s just say that in my personal and business life I seem to enjoy myself the most when I’m functioning as an anarcho-syndicalist.

First published in the Free Software Magazine.
Richard Rothwell April 10th, 2008.

I also blog at this site - though it pulls fewer punches.