October 2012 Archives

Government official gives practical security advice - shock horror


When I heard that Andy Smith's eminently sensible comments at the Parliament and the Internet conference yesterday had gone viral I feared he had suffered a Ratner moment. I have just taken a look at the comments responding to the BBC news coverage of the story and how they have been rated by those reading them: a massive vote of confidence in Andy. I had long known that the strange age profiles on many social networking and e-commerce sites were commonly because of false ages but had not previously appreciated how many users simply give April 1st as their birthday.

Last January, when I blogged on the great LinkedIn leak, I commended the East European approach to Internet security: "never tell the truth on-line unless there is a good reason to do so" - sooner or later what you have posted on-line will be collated and used against you. The big difference between them and us is that they fear a new Stasi. We fear organised crime impersonating us and stealing our savings or destroying our credit ratings and leaving us stranded with our cards blocked. Our children have more fear of on-line bullies or the copyright police.

I have also described why it is that new neterati discover before puberty that they need at least three on-line IDs: one their parents and teachers can read, one for their friends and one for their best friends. Around puberty they discover the need to be able to trash any or all of them: when they fall prey to bullies or their best friends become their worst enemies. Shortly after Facebook introduced its timeline I listened to a group of under-graduates discussing whether it was easier to trash their Facebook profiles and start again, or to work out how to use the new privacy routines, with the risk they might have missed something.

This morning I received yet another e-mail covering the latest nonsenses in the ongoing saga of expensive displacement activity that passes for Government (US, EU, HMG etc.) electronic ID policy. This evening I have just received the draft minutes of a meeting on Monday on how to enhance trust in the on-line world. First we have to consider the meaning of trust, how it is earned and how it can be restored once lost. The comments in reply to the BBC news coverage of yesterday's comments reveal just how comprehensively it has been lost.

Hence the importance of going back to basics - for example using the opportunity of the transition to IPv6 to clean up Internet addressing routines (splitting as far as possible between those which are verifiable and those which are intended to be genuinely anonymous). Hence my comments on the importance of the current Nominet consultation.

What is the difference between the Cities Of Westminster and London


BIS has just announced a "Foresight" report saying that "computer trading shows benefits to financial markets but calls for joint action to manage risks." For "Foresight" read "Hindsight". I remember an event on "Envisioning the Future" organised by Nortel almost twenty years ago when the means of monitoring markets based on computer trading systems was one of the themes for discussion.

This is a salutary reminder of just how far BIS (Westminster) is behind the City (London/Canary Wharf) - not much over a mile or two but at least a decade or two. The difference in mindset is similar to that between Shanghai and Beijing - five hundred miles and five hundred years (the Chinese think long term). New Yorkers have a similar view of Washington. I also remember the Silicon Valley view of Europe - those on the other side of the planet, at the far, far end of the red-eye, even more out of touch than the Federal Government in Washington.


Last night I was at a meeting discussing the meaning of trust in the on-line world and some-one mentioned the Edelman Global Trust Survey. This has now been running for over a decade and is full of interesting material. Among other things it shows how, even after the collapse in trust in financial services, they are still more trusted than the politicians who seek to regulate them.


Why will so few UK small firms transact on-line other than for pizzas? Click and Tell


Today sees the launch of Get Safe On-line Week. Do get involved - the most public events in London will be at Waterloo Station to intercept those on their way into the City and at Canary Wharf (hosted by HSBC) for the other high net worth risk-takers who are at most serious risk from the impersonation and fraud that increasingly follow successful phishing attacks and database compromises.

I would also, however, like to draw attention to a dirty little secret that the on-line enthusiasts and cyber security industry are anxious to hide: the reason why barely 30% of small firms are willing to transact on-line (other than for local takeaways). The National Fraud Authority analysis of small firms as victims of fraud is truly chilling. Chris Yiu revealed the 30% figure at a Policy Exchange Fringe meeting on broadband policy at the Conservative Party conference but had no analysis of the causes. I had, however, seen similar data from small firms' organisations - which gave clear analyses of the reasons.

Why is Dublin the on-line capital of Europe?


Is it the Irish tax rates, which enable Apple, Facebook and Google to pay negligible taxes on their multi-billion revenues in the UK and other EU member states? Or is it the Irish implementation of the privacy, data protection and other directives? Will an Austrian student succeed in raising the funding necessary to challenge the latter? What will be the consequences if he does?

Will HMG really entrust our personal identities and data collected under statutory authority to those who base their ID governance in Dublin, their IT and security staff in India or their files on the west coast of the US? You could not make up the idea that the Home Office might seriously consider outsourcing the running of our immigration and criminal records to an Indian software company - but this is allegedly about to happen.

Does the Home Secretary's refusal to allow Gary McKinnon to be extradited to the US mark a sea change in attitudes to national sovereignty over matters of national security - or is it a fig leaf to cover a much bigger retreat?

A surprisingly large proportion of the UK tax base depends on the way that the rest of the world still trusts London, more than Dublin, let alone Dubai, Mumbai or New York, as a global trading centre. The plans of Apple, Google and Microsoft to base people (if not necessarily tax and data governance) operations in London show that we still have an edge. Their plans to support educational activities (at all levels from schools to post-graduate) show they would like to see that edge continue.

Were we to adopt an Irish approach to industrial strategy and economic policy we would almost certainly see inward investment and tax revenues rise sharply and an earlier investment-led recovery. Hence my repeated call for 100% tax relief on capital investment to make it attractive for Apple, Facebook, Google, Vodafone and others to plough their UK profits into the UK infrastructure investment (including power supplies and communications) that is necessary to support the trusted data centres and global on-line operations that should naturally be based in the UK - alongside the development (and production, not merely research) of products and services for the smart, green world of the Internet of Things.

On Monday evening I will be doing my bit, planning a competition on the meaning of trust in the on-line world, to help position London, not Dublin, as the on-line capital of Europe. My partners believe that government has no role in this process. I fear they are wrong. Government has to get out of the way: actively remove the regulatory overheads that get in the way of trust and reduce the taxes which cost more (including by driving profit centres out of the UK) than they raise. That will not happen without concerted political effort. Moreover that effort should include the Trade Unions - whose members (and members' children and grandchildren) are losing out on the jobs of the future while the Westminster Village and political ideologues of right and left obsess over the egalitarian battles of the past.

Next Thursday, at the Parliament and the Internet Conference, the Digital Policy Alliance (EURIM) has organised a session (14.10 - 15.00) to discuss the role that the UK could and should play in that brave new world. Will HMG (especially Treasury, BIS, DCMS, DECC and Home Office) allow the UK to do so?


Is civil law more effective than criminal law in addressing on-line malpractice?


Next week is Get Safe On-line Week and I have been busy trying to persuade those who are serious about protecting their organisations, their staff, their customers and the families of their staff and customers to get involved. I am, however, struck by how many pay lip service to the need for "awareness" but are unwilling to link to practical advice on on-line safety and incident reporting from their own websites.

The reasons vary but I am struck by those in the public sector where there is also a strong reluctance to admit to the scale, nature, causes and consequences of fraud and impersonation and the value of using tried and tested, twenty-year-old, technology-supported (but not technology-driven) approaches to the reduction of fraud and impersonation. Thus we see displacement activity regarding new UK government electronic ID policies or the EU "harmonisation" of IDs instead of using electronic invoicing against agreed purchase orders to slash £2 billion of procurement fraud. We see an equal reluctance to use credit reference checks to fast track benefit claims and transactions that are unlikely to be fraudulent - so that effort can be focussed on those who really do need support because they drift in and out of employment and temporary accommodation and no-one will provide them with credit, whether or not their current claim is valid.

Hence my rants on ID policy and the potential problems with the grandiose plans for the computer systems to handle Universal Credit. However, next week I will be focussing on the positive and have helped organise a couple of meetings to look at alternative ways of improving confidence in the on-line world: the first (on Monday) is to progress the competition on the meaning of trust in the on-line world. The second is on the use of civil law to improve redress and deterrence. But first we have to see what the current situation is really costing those who believe they need do no more than mouth platitudes.

At a Policy Exchange Fringe Meeting at the Conservative Party Conference one of the speakers, Chris Yiu, used data from a recent survey which showed that almost all SMEs now have websites but barely a third transact on-line. I asked whether that was because they could not get the symmetric broadband access that is necessary to run an inter-active website or because they were scared of not getting paid. Dido Harding of Talk Talk spoke of 10 mb leased lines available for £1000 (although the lowest quote I can get in West Norwood is well above that and I am told the choice available to me is not available in, for example, Wapping, let alone across most of the UK). Chris had not yet unpacked his data but it gelled with that from other sources where the cost of compliance and the liability for fraudulent charges were blamed for take-up of under 30%. Meanwhile the National Fraud Authority Segmentation Analysis of the vulnerabilities of small firms to fraud is chilling.

So who really does want to win new business from SMEs by not only helping them go more confidently and securely on line - but also helping them get redress when (not if) they are successfully attacked? And how are they going to go about it?

Ross Anderson has regularly exposed some of the economic nonsenses in this area and raised the value of using old-fashioned civil law to obtain redress. On Tuesday evening the Conservative Technology Forum has a meeting to look at the practicalities and implications of switching political focus from criminal to civil law. It greatly reduces the burden of proof: balance of probability versus beyond reasonable doubt, and brings in the potential for action under tort etc. against those who aid and abet by negligence, not just design. It allows the use of well-established routines for cross-border legal action and avoids law enforcement politics over jurisdiction etc. But quite apart from all those international law firms and forensic accounting practices eager to help trace and retrieve the money (less their fees), there are also issues of accountability and of predatory action by copyright and patent trolls.

Hence I stop with the question.

Perhaps on Wednesday I will be a little wiser.


Will verified domain names do more than UK/EU policy to transform UK competitiveness as a location for globally trusted on-line business?


The importance of the Nominet consultation on their proposed new direct.uk service should not be under-estimated. The EU Regulation on electronic IDs may be the first political/regulatory initiative to view a domain name as an electronic identity which requires some form of verification. It will not be the last.


The reaction of consumer groups to the discovery that a .co.uk registrant (let us call it britishpartygoods.co.uk) might be located in the backwoods of Bangladesh or China meant that it was only a matter of time before Nominet would come under pressure to create routines for verifying that organisations do indeed have a UK address before they receive a .uk domain name and that the name and address have not subsequently been hijacked.


The issues raised in this consultation are, however, complex and far reaching and it is important that this consultation receives responses from all those interested in the issues of identity, security, fraud, impersonation, privacy and also anonymity over the Internet.


Nominet has set up a number of different opportunities for stakeholders to get involved and ensure that any resulting service or changes meet the needs of businesses, boost trust in the .uk namespace, and contribute positively to Britain's fast-growing internet economy.

Has HMG given up on trying to impose an ID scheme?


Recent "leaks" appear to indicate that Cabinet Office has finally given up on trying to impose a uniform ID scheme on the warring tribes of Whitehall, let alone the rest of us. It is probably a very sensible decision. However, given the nature and scale of reported losses of personal details, codes and passwords from the files of those whose ID systems it is suggested we might wish to use, the decision raises interesting questions as to who will be responsible for fraud and error. Can HMG slough off the liabilities (with regard to those IDs which it recognises) being wished on it by the EU e-ID Regulation?

It would also be interesting to know what information will be available to help us make an informed decision as to who we trust to manage the identities we choose to use for dealing with government. And also what happens when we decide we no longer trust them - or they decide they do not trust us and revoke our identities because they think they are being used for fraud or piracy or some other breach of their service conditions.

The competition which I have previously mentioned, on the meaning of trust in the on-line world, is now gathering pace. Over a dozen leading universities are planning to use the "questions" to stretch the thinking of some of the brightest and best of their students. The drafting of those questions is also proving to be "fun". One that has recently been added to the list is how we could/should handle situations where "identities", including mobile phones and passwords, may be used by any member of an "extended" household, including "lodgers" and their friends. This is apparently common among a surprisingly large proportion of those dependent on benefits. These may be genuinely collected for them (or spent) by their partners, children, grandchildren or carers. Or they may be stolen: randomly or systemically. Hence the value of the old-fashioned routines for collection by a named individual (who knows and is known to) the counter staff from a named post office. Hence also the concerns of groups like Elder Abuse over ID routines.

Another tricky question is the aggregation of responsibilities, liabilities and risks associated with the "secure electronic identities" issued to the various legal entities of, say, Lehman Brothers (which had over 2,000 separate trading entities). This is exercising the Financial Stability Board which may well mandate action in the not too distant future. It also helps account for the differences between HMRC and DWP over ID policy.

My personal favourite remains not only unanswered but almost taboo: how do you know that it is not only me, but that I am a free agent, not acting under duress? The failure to provide satisfactory solutions is why some very high value industries (such as the jewellery trade) are so reluctant to use electronic authorisation routines.

Meanwhile the Nominet consultation on the possible issuing of validated direct.uk addresses could lead to a step-change in our ability to trust that we really do know who we are dealing with. The value of a validated Internet address as an electronic identifier is considerable - provided we have reasonable confidence in the validation process and take action to use the switch to IPv6 to remove the spoofing weaknesses in the current system. For those who say "what about the right to remain anonymous", I would say that I would like to see variations on .anon.uk administered by those who we can reasonably trust to ensure that no-one can break the anonymity. Many of the current anonymising routines are seriously flawed.


Towards a sustainable 21st Century Infrastructure


The need for infrastructure investment has become fashionable. It is one of the lobbyists' topics at this year's party conferences. But only one event (18.00 - 19.30, 8th October, Austin Court, Birmingham) tries to knit together the various Green, Energy, Transport and Communications threads.


Over the past six months sub-groups of the Conservative Technology Forum have been working on the issues that need to be addressed to pull through investment in creating sustainable 21st Century Infrastructures: smart meters, smart grid, smart cities and smart infrastructure, including ubiquitous broadband (fixed and mobile, urban and rural).


The investment is needed to not only support ubiquitous computing (the Internet of Things) but also to avoid the need for rationing (both bandwidth and energy) by 2015 when, without action NOW, the lights will start going out and mains power to data centres will depend on whether the right kind of wind is blowing in the right places - even if more of the country has "not quite so painfully slow" always on (except during power cuts) Internet connections.


This week, while others have been looking at who was responsible for delaying funding decisions on rural broadband and 4G for over a year, I was reviewing a draft paper on why funding for smart meters and grids (to reduce peak energy demand) has dried up at the same time as investment in new generating capacity. The answer can be found in the small print of Ed Miliband's 2009 Energy White Paper, when low risk pilots to demonstrate the business case were blocked in favour of a ubiquitous, centrally planned policy which gives no obvious benefits to early adopters.


On Monday 8th October from 18.00 - 19.30, in Austin Court (outside the security ring of the Conservative Party Conference), John Hayes MP (one of the new Energy Ministers) and Ian Taylor (former Science Minister) will open discussion at a meeting at which I expect the main points from the first of the new CTF policy studies (it is actually the first paper from theme 5 in the list) to be presented. The choice of venue allows the discussion to be extended beyond delegates and registered lobbyists to involve those concerned with pulling through investment in smart meters, smart grids, smart cities and ubiquitous broadband (fixed and mobile, urban and rural) to support ubiquitous computing (the Internet of Things) and the actions necessary to prevent the lights going out in 2015.


The clash with the Next Gen broadband conference is more than a little unfortunate. The danger was flagged as soon as it was learned that the latter might be held during the party conference season. Several important broadband players face a difficult choice, particularly those who are less interested in meeting nominal targets for 2015 and whether BT has an unfair advantage, than in stimulating and rewarding investment in the world class resilient, reliable utility networks that will underpin the world of the 21st century.


I am hoping that the Next Gen event will be recorded so that I can watch and/or listen to the highlights at leisure. We have not made formal arrangements to record the meeting in Birmingham but I am reasonably confident that many of the audience will do so (they are that kind of audience) and I will look for some-one to do a mash-up of the best.


Ed Balls and Open Government give the opportunity for a Broadband Breakthrough


The announcement by the Shadow Chancellor that Labour would put the receipts from the 4G auction towards subsidised new-build housing gives Maria Miller a great opportunity to cut a year or more off the timescale for rolling out both fixed and mobile broadband. It is most unclear how much the 4G auction will raise. Ed Balls was expecting £3 - 4bn but the actual figure is likely to be considerably less and the first £600 million appears to have already been committed. Meanwhile Ian Grant has commented on the bloodbath within DCMS and the departure (voluntary or otherwise) of those seeking to get better value for money before the new Secretary of State could start asking them questions.

Yesterday I was told, how correctly I do not know, that DCMS is one of the departments that are most determined in their resistance to the Cabinet Office drive for open government, particularly with regard to securing value for money in their procurement policies. Now it would appear that those who take Cabinet Office policy seriously are fired for leaking.

I would love to see the Secretary of State not only pull off her negotiations today and get the 4G auction over before the New Year in return for an end to litigation, but also secure Treasury agreement to announce (at the party conference) that the uncommitted proceeds will be spent on pulling through ubiquitous broadband to also help improve public services and create jobs in rural areas and inner cities. The latter announcement would imply that the current, backwards-looking single supplier framework will be swept away and local authorities will be supported in pooling funds (from whatever source), using whatever procurement frameworks (from those of Local Government, JANET or the NENs to PSN) to pull through investment in converged, open access networks capable of meeting the needs of the 21st century.

But in order to make a reality of such an announcement and achieve timely results it is probably also necessary for the Minister to order DCMS to follow both the spirit and the letter of open government. That will not come at all easily for a Department with so many skeletons in its closets (from negotiations with the Arts Council, BBC and Sky to those over the National Lottery and the Olympics) and the habits of mind which result from dealing with media owners, content owners and creative artists. Now that they are nearing Valhalla perhaps the time has come for a new Abbess Hild to persuade the Norsemen to convert to Christianity and the Christians to pool their differences.

I would still expect BT to manage to win most of the converged infrastructure and network services business on offer, but on fair terms, with no need for state aid and in ways which give a better long-term return to its shareholders than watching its customers' businesses move overseas as the UK falls behind the rest of the world as a location of choice for on-line business.

P.S. I also happen to believe that a VAT holiday with regard to converting and refurbishing currently empty or semi-derelict properties would do far more to alleviate housing shortages than using the uncertain receipts from the 4G Auction.


About this Archive

This page is an archive of entries from October 2012 listed from newest to oldest.
