If you tell enough stories, perhaps the moral will show up.

2006-10-27

Commuter

Just north of Sevenoaks this morning I was looking down to the southeast and I saw a rare sight: pre-dawn colours in a clear sky. The whole range from sodium orange at the horizon up to space-black in the zenith. I wanted to wake up the whole carriage, rip away their newspapers and tell them to look at the world. But then we went into the North Downs tunnel and when we came out the sky was was a rather tasteless cream and light blue, so I left it.

And anyway, it would have been eccentric.

2006-10-20

Criminalise Your Enemies.

Is it strange that so much WAN traffic is unencrypted? That became a live issue for me when we were setting up a new recovery facility. Part of the project includes links between the machine rooms, and the service provider offered us a significant cost saving by using their network to replace a hop that would cost tens of thousands ordered from COLT. Everyone was happy except me. I saw it as a tap risk.

I hate taps. A network tap is one of the points where the balance tips in favour of the attacker. They are totally stealthy and very reliable. They can be serviced by a leave-behind -- a laptop running Ethereal or TCPdump with USB disks exchanged whenever the access can be had. The only real problem the attacker faces is getting access to a good network segment -- plugging in to a workstation LAN and risking an ARP spoof is going to get some user passwords, and that's not bad, but it's not the key to the domain.

But a trunk between machine rooms is another thing entirely. Modern domain traffic ought to be harmless if overheard, but console sessions on to the DCs, SNMP strings, enable passwords on switches ... One way or another, it's the place to be if you want passwords, not to mention seeing what the fileservers see.

So, OK, taps are bad. But is it any more risky to run our traffic over a service provider's network? The contract gives them a duty to keep our data confidential, and you won't find that in a service agreement from BT or COLT.

The short answer is the criminal law. Between the termination points of section 8 licensed telecoms providers like Colt and BT, special law applies: I think it's the Interception of Communications Act 1985, but anyway there are criminal penalties for tapping their systems without a warrant. They can't even do it themselves, and that's why there's no confidentiality in the contract.

The point here is not so much the penalties but the criminal liability. Evidence of a crime -- and an unexpected laptop stuffed with traffic logs is evidence -- lets the police investigate. Serious industrial spies always seek to operate below the radar of Babylon, and that makes for real protection.

IoCA is protection, but it's limited. It doesn't stretch beyond the endpoints. If we found a tap on the service provider's network, we could remove it, but no crime has been committed. To get any recourse we would have to mount our own surveillance and investigation, and that is a place I don't want to go.

We're sticking with the service provider's network, but some of the savings are going on hooking it through our firewalls with the encryption turned on.

2006-10-12

Fingered by the Make-up Girl

It appears that Italian MPs have been tricked by a TV show into submitting sweat samples. The samples were analysed to show that a large minority had been taking what local law treats as drugs of abuse. The gimmick is that the swabs were taken as the dupes were being made up to quote opinions on camera for a fake documentary about the budget.

It would have been more fun to ask them their opinions on drug abuse. It doesn't take much insight into the political mind to speculate that those opinions would be pretty uniformly negative, regardless of the blood THC level.

If you live with integrity -- some degree of consonance between words and actions -- it's easy to laugh at those poor mugs. They must be sweating more than ever now. The trouble is that the effort that goes into keeping us honest drains the fun out. We're prigs and bores. There's no help for it. Each one of those men will be better company than me, and his children will love him more. We should protect them, not laugh.

And the question has to be, whether anybody other than the police has the right to gather that sort of history, the evidence that we are all scattering more widely and more unconsciously: DNA on the laundry, web browsing at the ISP, fibres on the trousers, drug abuse at the barber's, traffic histories and mast use on the mobile, spending on the card .... What will trip you up? Is being too dull to notice the only possible defence?

2006-10-11

Commuter

Coming home yesterday evening I watched in the twilight as the mist off the river poured through gaps in the grown-out hedge and evaporated in the warm meadow. But now heading back the other way, everything is cool and there is a deep silvery blanket shining in the bright moonlight.

2006-10-05

H. Sapiens

On Tuesday I was working with the owner of information risk on the information security policy. She's a jew and we were talking about her reflection on the day of atonement just gone. I was, and am still, upset by the stupid emails I've been reading as part of this current investigation. Jewish spirituality has that ancient focus on the ethical value of mindful compliance with God's law, and she compares that with the chaotic response of colleagues to our sane and reasonable policy, or even the idea of policy: "Everyone would much happier if we just obeyed the rules and got on with the fun stuff ....."

I know she's right, or at least I agree, but there's something else too, and as I groped for the words to express it, I looked around the open plan office and for a moment my vision changed. What I saw then was a colony of great apes, that third chimpanzee species, created by language and bipedalism on the journey from forest to office, but still the same animal: obsessed with rank and sexual display, endlessly inquisitive, endlessly communicating and endlessly systematising. And utterly unconcerned about rules that try to stop us being what we are.

When we accept law, we defy our own natures. Against resistance like that, the policy of the IT security ape is so much desert wind.

2006-10-02

Chain, chain chain

I've been collecting MTA logs from one of our Exchange servers. They're one of my favourite logs -- a little forbidding at first, but yielding mountains of information if you put in the time. I forgive them for breaking the mapping between text line and event. Browse them on the tracking.log share, and view in a decent text editor with word wrap off.

Now these logs are valuable, at the moment. That's why I'm collecting them -- they may be required to prove a point in court. So I want to copy them off the share and put them in a safe place. But that's not enough. What's to stop me editing them after the fact to show anything I want to show? Enough care with dates and formatting would make it the devil's own job to prove that I'd fabricated the record, and it's that capacity to make a perfect forgery that lies at the heart of the problem with computer evidence.

What courts want is swearing, and plenty of it. Each step of the chain needs a claim that can be fairly made, on oath, that the data passed on, is the data received.

The traditional method would be to print out the file and sign and date every page. That signature isn't the oath that would be made in court, but it's the basis on which you could swear that oath: "yes -- I signed it that day, so that must be the printout I had on that day." If you didn't sign it, how could you be confident enough to swear? After all, one printout looks much like another. Computer people laugh at this as a defence against forgery -- if you were planning to fake it, surely you can lie about the date too? but in fact courts are using an important tool here. It's consistency that makes lying difficult and it's inconsistency that lawyers concerned about the quality of opposing evidence seek to expose. By signing and dating, you are offering up a hostage to fortune, secure in the knowledge that no inconsistency can arise because this is actually what did happen.

Now these log files are a hundred thousand events long and I am not printing them out a) because it would be nonsensical and b) because it wouldn't help anyone. Whoever's going to check?

This is what cryptographically secure hashes are for. If I can vouch not for the file, but for the hash value, the chance of a subsequent modification being meaningful and preserving the hash value is negligible. So, every day I use Microsoft File Checksum Integrity Verifier -- FCIV. In a command shell, I run:

FCIV -sha1 \\EX1\tracking.log
(this prints a line of hash for every archive)
copy \\EX1\tracking.log\*.* h:\myarchive
FCIV -sha1 h:\myarchive
(will give the same values above)

Then I print off the transcript and sign and date it, transforming a bunch of editable files into a record that is set as if in stone. Anyone who cares can take my copy of the data and check it against the printout theselves in a minute or so. All the colossal contingencies boil down to a single question: did I fake my signature? and if so how is that to be shown? Since I didn't fake it, I should be OK, and so will my evidence.