If you tell enough stories, perhaps the moral will show up.

Showing posts with label law. Show all posts

2009-03-23

Minor Identity

The less mad son just had a significant birthday and Mrs U was fulminating about the difficulties the building society put in the way of his opening a teenager's account -- effectively the full-scale anti-money-laundering precautions for a pass-book account with no cheques and a cash-only card. As a minor can't be held to a contract, she couldn't even see the point of asking for a signature.

But I can. If I was laundering money, I think the prize of a full scale bank account attached to a false identity would be well worth waiting a few years for. And in the meantime, spending rich uncle Lenny's generous birthday and Christmas gifts on Premium bonds keeps the account warm, plausible, and busy with a spot of placement. So I don't blame them at all.

2007-10-09

Swirl/Unswirl

Here's the Interpol (rare to see a .int domain) release on operation Vico. That's impressive work by the image experts, but I think the credit lies with the investigator who had the imagination to see that information was still there and the thing was worth trying. That's the leap I would have failed to take, and it's the difference between a proper investigator and the guy who looks at proxy logs.

After red-eye reduction, obscuring faces is probably the second most popular use for home image processing, the home porners generally botch it, and I've often wondered why packages don't include a better tool. Perhaps they can't find a suitably euphemistic name. Anyway, I suppose we'll now see a slew of unswirl tools.

2007-04-09

Why is X.509 so grim?

I've been intending to assemble some notes about the way I've been using an OpenSSL install to knock off some certification requirements. I was going to start with a round-up of the ways that X.509 was needlessly confusing, redundant and bizarre. And I was going to say that large-scale, public, multi-party PKIs are wrong-headed and dangerous.

There's still room for the OpenSSL cookbook -- I'll do that. For such a long-lived product, the documentation just doesn't say what a typical newbie user will want to know. And there's room for me to come clean (if no-one else will) and say that the worst initial obstacle was that I got confused with OpenSSH!

But the rest has been done a long time ago. I wish I'd found it earlier. It's sufficient to say:

  • X.509 PKI solves the wrong problem. It's not you. It really is too hard to get right.
  • The semantics of the trust and reliance which X.509 attempts to create between unrelated parties are much more tricky than they look, do not address vital issues like counterparties' management of private keys, and do not correspond with the ordinary requirements of law and regulation.
  • X.509 PKI only makes sense between parties who have a pre-existing legal structure (perhaps they're part of the same organisation) and have a means to deal with cancelling authorisation that does not depend on certificate revocation.

Why? Witness Peter Gutmann's PKI Introduction. And while you're at it, check out his other stuff too. I found the Encryption and Security Tutorial particularly helpful.

2007-02-10

Investigate That!

When you have to investigate a PC, there's the ideal approach, and the actual approach.

The ideal approach calls in a firm of investigators -- I use Kroll Ontrack as the successors to Vogon. They send in an engineer to take forensically sound images, and retain them on their systems until they can schedule an investigation to answer some of the basic questions. Two weeks to get there, and then further rounds of questions and answers ending in a report. Meanwhile you have managers wanting answers.

So there's the actual, otherwise known as DIY. Everyone does this sometimes, so here are a few pointers to protect your arse.

1) Give Babylon Her Due.

If this is one of the cases where the police need to be called, then you must do that. You can't be ordered to conceal it by your boss -- your duty as a subject trumps your duty as an employee. Definitely talk it over with a sane advisor who's familiar with the situation, but if it's ugly then you have to give the cops the option. Don't go mental about this: for certain spyware breaches the Computer Misuse Act, but what are the chances of some random piece of spyware originating from someone subject to the Act?

2) Get it Cleared.

You need a pretty explicit memo from your source of arse covering (your boss, HR) saying that the answers are wanted tomorrow, there is definitely no intention to rely on your investigation in any sworn proceedings, and that your advice to go the ideal route is not wanted or not practical in this case.

3) Take Care Anyway.

When you're halfway into a DIY investigation and you realise that you are going to have to complain about the behaviour of an employee, or call the police, you do not want a sinking feeling that you've trampled on the only copy of the evidence. The next post has basic tips for getting the data you need without booting the evidence disk or writing to it.

4) Keep it Locked Up.

One of the best reasons for working on images is that the record keeping to prove evidence is easy: you can keep the original locked away for long periods. If you're actually working on it, you have to sign it in and out and secure it when you leave your desk... No fun, and not impressive when you have to swear to a long chain of ins and outs, but better than no records kept at all.
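As an added example (not from this post), here is the sort of sign-in/sign-out record that point 4 describes, kept as a hash-chained log so that both the image and the custody record itself can be checked later. Every entry stores the image's SHA-256 and the hash of the entry before it: a write to the image is caught at the next sign-out, and an edited or deleted log line breaks the chain. The file names, people and "image" bytes are constructed for illustration.

```python
# Added example: hash-chained chain-of-custody log for a forensic image.
# Not from the original post. Paths, people and the 'image' bytes are constructed.
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so a multi-gigabyte image never has to fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def entry_hash(entry):
    """Canonical hash of one log entry; the next entry records it as prev_entry_sha256."""
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()


class IntegrityError(Exception):
    """The image no longer matches the hash recorded at acquisition."""


class CustodyLog:
    """Append-only record of who held the image and when; entries are hash-chained."""

    GENESIS = "0" * 64

    def __init__(self, image_path, log_path):
        self.image_path = image_path
        self.log_path = log_path
        self.entries = []

    def _append(self, event, who, note):
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "event": event,
            "who": who,
            "note": note,
            "image_sha256": sha256_file(self.image_path),
            "prev_entry_sha256": entry_hash(self.entries[-1]) if self.entries else self.GENESIS,
        }
        self.entries.append(entry)
        with open(self.log_path, "a") as fh:          # append-only on disk as well
            fh.write(json.dumps(entry, sort_keys=True) + "\n")
        return entry

    def acquire(self, who, note):
        """First entry: the hash taken straight after imaging is the baseline."""
        return self._append("acquired", who, note)

    def _checked(self, event, who, note):
        baseline = self.entries[0]["image_sha256"]
        current = sha256_file(self.image_path)
        if current != baseline:
            # Record the failure in the log itself, then refuse to continue.
            self._append("INTEGRITY FAILURE", who, f"expected {baseline[:12]}, got {current[:12]}")
            raise IntegrityError(f"{self.image_path} has changed since acquisition")
        return self._append(event, who, note)

    def sign_out(self, who, purpose):
        return self._checked("signed out", who, purpose)

    def sign_in(self, who):
        return self._checked("signed in", who, "")

    def verify_log(self):
        """Recompute the hash chain; True only if no entry was altered or removed."""
        prev = self.GENESIS
        for entry in self.entries:
            if entry["prev_entry_sha256"] != prev:
                return False
            prev = entry_hash(entry)
        return True


def demo():
    """Constructed walk-through: fake image, one sign-out/in, then a write to the image."""
    workdir = tempfile.mkdtemp()
    image = os.path.join(workdir, "evidence.dd")       # stand-in for a real disk image
    with open(image, "wb") as fh:
        fh.write(b"\x00" * 4096 + b"NTFS    " + b"\x00" * 4096)
    log = CustodyLog(image, os.path.join(workdir, "custody.jsonl"))
    log.acquire("j.bloggs", "imaged behind a write blocker; original in safe 2")
    log.sign_out("j.bloggs", "keyword search of user profile")
    log.sign_in("j.bloggs")
    with open(image, "r+b") as fh:                     # someone writes to the image
        fh.seek(100)
        fh.write(b"oops")
    tamper_detected = False
    try:
        log.sign_out("a.n.other", "second look")
    except IntegrityError:
        tamper_detected = True
    return log, tamper_detected


if __name__ == "__main__":
    log, detected = demo()
    for e in log.entries:
        print(e["ts"], e["event"], e["who"], e["image_sha256"][:12])
    print("tamper detected:", detected, "| log chain intact:", log.verify_log())
```

The on-disk file is plain JSON lines so it can be printed and sworn to; the chain hashes only make a quiet edit detectable, they are no substitute for keeping the original locked away.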

2006-10-20

Criminalise Your Enemies.

Is it strange that so much WAN traffic is unencrypted? That became a live issue for me when we were setting up a new recovery facility. Part of the project includes links between the machine rooms, and the service provider offered us a significant cost saving by using their network to replace a hop that would cost tens of thousands ordered from COLT. Everyone was happy except me. I saw it as a tap risk.

I hate taps. A network tap is one of the points where the balance tips in favour of the attacker. They are totally stealthy and very reliable. They can be serviced by a leave-behind -- a laptop running Ethereal or TCPdump with USB disks exchanged whenever the access can be had. The only real problem the attacker faces is getting access to a good network segment -- plugging in to a workstation LAN and risking an ARP spoof is going to get some user passwords, and that's not bad, but it's not the key to the domain.

But a trunk between machine rooms is another thing entirely. Modern domain traffic ought to be harmless if overheard, but console sessions on to the DCs, SNMP strings, enable passwords on switches ... One way or another, it's the place to be if you want passwords, not to mention seeing what the fileservers see.

So, OK, taps are bad. But is it any more risky to run our traffic over a service provider's network? The contract gives them a duty to keep our data confidential, and you won't find that in a service agreement from BT or COLT.

The short answer is the criminal law. Between the termination points of section 8 licensed telecoms providers like Colt and BT, special law applies: I think it's the Interception of Communications Act 1985, but anyway there are criminal penalties for tapping their systems without a warrant. They can't even do it themselves, and that's why there's no confidentiality in the contract.

The point here is not so much the penalties but the criminal liability. Evidence of a crime -- and an unexpected laptop stuffed with traffic logs is evidence -- lets the police investigate. Serious industrial spies always seek to operate below the radar of Babylon, and that makes for real protection.

IoCA is protection, but it's limited. It doesn't stretch beyond the endpoints. If we found a tap on the service provider's network, we could remove it, but no crime has been committed. To get any recourse we would have to mount our own surveillance and investigation, and that is a place I don't want to go.

We're sticking with the service provider's network, but some of the savings are going on hooking it through our firewalls with the encryption turned on.
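An added example, not from the original post: a small audit of flow records for cleartext protocols crossing the inter-site trunk, the check that tells you what a tap on that hop would actually yield and what needs to go through the encrypted path first. The subnets, the port table, the suggested fixes and the flow lines are all constructed assumptions for the example.

```python
# Added example (not from the original post): find cleartext protocols that
# cross the provider link between machine rooms. Subnets, port table and
# flow records below are constructed for illustration.
import csv
import ipaddress
from collections import defaultdict
from io import StringIO

# Assumed machine-room subnets at each end of the provider link (constructed).
SITE_A = ipaddress.ip_network("10.1.0.0/16")   # primary machine room
SITE_B = ipaddress.ip_network("10.2.0.0/16")   # recovery facility

# Destination ports whose protocols carry credentials or configuration in the
# clear, with the usual replacement. Kerberos (88) and SMB (445) are not listed.
CLEARTEXT_PORTS = {
    ("tcp", 21):  ("ftp",       "sftp/scp"),
    ("tcp", 23):  ("telnet",    "ssh"),
    ("tcp", 80):  ("http",      "https"),
    ("tcp", 389): ("ldap",      "ldaps or signed/sealed binds"),
    ("udp", 161): ("snmp",      "snmpv3 authPriv"),
    ("udp", 162): ("snmp-trap", "snmpv3 authPriv"),
    ("udp", 514): ("syslog",    "syslog over tls"),
}


def crosses_link(src, dst):
    """True if the flow runs between the two sites, i.e. over the hop a tap would see."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return (s in SITE_A and d in SITE_B) or (s in SITE_B and d in SITE_A)


def audit_flows(csv_text):
    """Return {(protocol, src, dst): bytes} for cleartext flows that cross the link."""
    findings = defaultdict(int)
    for row in csv.DictReader(StringIO(csv_text)):
        if not crosses_link(row["src"], row["dst"]):
            continue            # same-site traffic never touches the provider network
        hit = CLEARTEXT_PORTS.get((row["proto"].lower(), int(row["dport"])))
        if hit:
            findings[(hit[0], row["src"], row["dst"])] += int(row["bytes"])
    return dict(findings)


def remediation(protocol):
    """Suggested replacement for a flagged protocol, or the tunnel if none applies."""
    for name, fix in CLEARTEXT_PORTS.values():
        if name == protocol:
            return fix
    return "carry inside the site-to-site tunnel"


# Constructed NetFlow-style export, one line per flow.
SAMPLE_FLOWS = """ts,src,dst,proto,dport,bytes
2006-10-19T09:00:01,10.1.5.20,10.2.5.20,tcp,445,1048576
2006-10-19T09:00:04,10.1.7.1,10.2.7.1,tcp,23,2048
2006-10-19T09:00:09,10.1.9.9,10.2.3.3,udp,161,300
2006-10-19T09:00:11,10.1.9.9,10.2.3.3,udp,161,300
2006-10-19T09:00:15,10.1.5.20,10.1.5.21,tcp,23,4096
2006-10-19T09:00:20,10.2.5.20,10.1.5.20,tcp,88,512
2006-10-19T09:00:25,10.1.5.20,10.2.8.8,tcp,22,9000
"""


def report(csv_text=SAMPLE_FLOWS):
    """One line per finding, sorted, with the suggested fix."""
    lines = []
    for (proto, src, dst), nbytes in sorted(audit_flows(csv_text).items()):
        lines.append(f"{proto:10} {src:>12} -> {dst:<12} {nbytes:>8} B   fix: {remediation(proto)}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()) or "no cleartext protocols seen on the trunk")
```

On the sample data the telnet console session and the SNMP polls are the only flows a tap would profit from; the same-site telnet never leaves the building and so is out of scope for this particular risk, though not a good idea either.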

2006-09-02

The UK is a Nest of Hardened Criminals

I'm not sure how many times I broke the law last week. It must be hundreds -- I did it eleven times just now.

I've bought a music player and I'm ripping my albums. (It's a Samsung -- Ogg Vorbis is definitely smaller than MP3.) The law in the UK specifically provides for sound recordings, a CD is universally acknowledged to be a copyright work, an OGG (or an MP3, or WMA) ripped from it is obviously a copy, and copying infringes the Chapter II rights of the copyright holder. None of the Chapter III permissions applies, and it looks like I'm bang to rights -- up to two years in the chowkey. I have checked and there's definitely nothing in the act about "unless everyone is doing it, in which case it's OK."

I could call the police but I'm afraid they'll laugh at me. I could call the BPI, but I don't think they'll care either.

There are two ways to look at this. We can go with the BPI and say that it's an anomaly that needs to be cleared up. Or we can face the fact that intellectual property, so called, is so different from property that concepts like theft just don't work, and change the law accordingly.

In the meantime, it's fun to watch Samsung, Microsoft, Dell and all the others keeping mousy quiet and hoping the whole issue will go away.