The Cyber Academy Launches In Edinburgh

In a post almost exactly two years ago, I talked about a concern of mine that I’m pretty certain I share with many who work in the ‘technology’ sphere in general. To summarise, if one of the primary goals of education is to provide kids with the skills that they need to secure employment in later life, how can the teachers of today possibly keep up with the pace of progress?

As Noam Chomsky said in an interview I read this week, “If you are teaching today what you were teaching five years ago, either the field is dead or you are”. And if the majority of kids in school today will end up working in jobs that don’t currently exist, it’s clear that finding ways to bridge that widening gap will become increasingly critical.

The thought hit me again today as I went along to the launch of The Cyber Academy at Napier University this afternoon. The new venture, which pulls in a wide range of collaborators from across academia, government and business, is focused on developing an environment that will produce many of the people who are so badly needed as security threats continue to rise daily in our increasingly networked society.

There were a number of interesting talks, but the one that stood out for me was by John Howie, who gave a great summary of just how far we’ve come and of the challenges that lie ahead in a world where everyone – with a little know-how – can use the mobile in their pocket to access any other connected device in the world. It’s a situation which, of course, is only going to become more complicated if the much-trailed Internet of Things suddenly explodes (hence the blockchain solution that IBM have been investigating).

John also drew a key distinction between information security – defending data contained within your own database or system – and cyber security – a term which has no accepted definition but which, he convincingly argued, relates to the interconnectedness of such databases. For example, if malware attacks your system, how do the other databases then react and collaborate to ensure that the weakness doesn’t become systemic across a networked world?

It’s a great programme, and credit must go to Bill Buchanan, who has clearly championed the idea and worked hard to build it and ultimately deliver an Academy that has the potential to gain significant importance over the next few years. From a personal perspective, I’m also intrigued to see how it evolves within our post-Snowden society. And, of course, if there’s going to be a raft of highly skilled new cryptographers knocking about in the area, who knows, I *may* just happen to redirect a few towards the Scottish Bitcoin Meetups…

Whose Security Is Best?

I woke up this morning to an email from Amazon confirming that I’d just bought Bruce Schneier’s new book, ‘Data and Goliath’, whilst I was sleeping. Ah, the wonders of forgetting you’d pre-ordered a book way before its release date…

Anyway, there’s obviously little I can say about the book as I’ve still to read it. But I can recommend another great essay from Schneier which he posted recently on his blog: ‘Everyone wants you to have security, but not from them’.

As I wrote yesterday, there’s a general confusion about encryption. As Schneier points out in his essay, it’s too simplistic to say that the big tech companies don’t want your data to be secure so that they can have their wicked way with your information. Instead, it’s far more accurate to say that companies such as Facebook and Google are constantly striving to become the single place where you deposit all of your valuable data – so that they alone can then protect it.

But of course, move ahead with that ‘single point of failure’ model and we run the very real risk of significant breaches occurring at some point or another in the future, as Lenovo discovered to their (and their customers’) cost last week. Or of secretive actors breaking into such systems and inevitably compromising them for all participants, regardless of what their motives might be, such as the Gemalto break-in in which the encryption keys for billions of mobile phones were stolen.

It’s a binary choice that we have. Security or surveillance. Privacy or convenience. And until MaidSafe launches, the likely outcome under the current architecture of the internet doesn’t look too appealing.

The Encryption Battle Heats Up

It’s not surprising that there’s so much confusion in the minds of the general public when it comes to encryption. There are so many conflicting narratives around, each of which is wrapped up in varying degrees of political spin.

Take, for example, Michael Chertoff, who basically helped to create the Patriot Act in the US, which paved the way for mass surveillance in the aftermath of the 9/11 attacks, before moving on from a career that included a four-year stint as Secretary of Homeland Security.

However, it seems that Chertoff has changed his mind. He now believes that everyone should have the right to strong encryption without the backdoors that are currently being sought by many government agencies around the world.

“I’m sympathetic to law enforcement, but nevertheless I’ve come to the conclusion that requiring network managers or ISPs to retain a key that would allow them to decrypt data moving back and forth on a particular device is not something the government should require,” he said. “If you require companies to manage a network to retain a key to decrypt, I guarantee you another provider will allow someone else in the world to have that key. What happens is, honest people will have a key to encrypted data that’s held by a third party. As we’ve seen in the past, that can lead to problems.”

That’s quite some turnaround.

And quite different to the position of the Director of the NSA, Mike Rogers, and to recent statements in the UK from David Cameron. After all, even President Obama has stated in a recent interview, “I’m a strong believer in strong encryption” (seemingly contradicting an earlier statement that encryption should be unlockable by the authorities in certain circumstances).

Changes are coming: mobile phone companies are encrypting by default, there’s pressure to move all websites from http to https under the Let’s Encrypt movement, and public awareness is rising. And yet there’s still a big issue here. There’s a very strong argument that the level of technological knowledge required to adequately protect yourself in today’s society is one which is disproportionately damaging to those from poorer socio-economic backgrounds.

No doubt individuals and groups will continue to come forward to protect those who are inevitably forced to rely on others to provide user-friendly solutions in this area. But working out how much protection those volunteers require in order to carry out their jobs – and who can be relied upon to provide them with this necessary support – is where we truly start to learn what sort of society we live in.

Hacking The Car Wash

As the Internet of Things develops, we’re going to see more and more security issues present themselves as more items move online. We’ve heard recently about an (unnamed) German steel mill being hacked. Next up, renowned security researcher Billy Rios (known for hacking X-ray systems and airport baggage scanning systems) has flagged up the potential vulnerabilities presented by car washes.

The car wash isn’t necessarily something that jumps to the top of the list when considering the varied security threats that are out there in the big bad world. After all, it’s a large, stationary piece of heavy equipment that only ever gets installed in certain controlled locations (namely petrol stations). But after showing that he could guess a default password on the machine’s web interface and take over the system controlling the car wash from afar, Rios points out:

“[If] a hacker shuts off a heater, it’s not so bad. But if there are moving parts, they’re totally going to hurt [someone] and do damage…I think there should be some distinction between those sort of devices. Turning on and off the lights is cool, but if you create something that causes something to move, you can’t allow them [the manufacturers] to voluntarily opt into security.”

“…These machines are very dangerous, and typically, when you have these machines installed someplace, they are only able to be operated by qualified technicians. They could hurt someone. So when you start putting these things online, it changes the threat model dramatically”.

Sounds just like a scene at the start of a sci-fi film, doesn’t it?