Misguided Security Managers

In the July / August edition of Infosecurity Magazine, there is a fairly interesting article on security matters, and differences, in the public and private sectors. I can't find this article online so you will have to trust me.

There is a quote in the article, from an “anonymous” security manager, which sadly echoes comments I have heard right across the public sector, when public servants discuss the need to protect public privacy:

One senior manager at a local council – who asked not to be named – told Infosecurity that he would rather be brought before the courts for an information security charge, than because a child or other vulnerable person has been harmed as a result of data not being shared.

(Here, I get visions of Reverend Lovejoy’s wife crying out “won't anyone think of the children”)

In the article this is presented as a dilemma public sector information security professionals face on a regular basis. My experience of said individuals supports this. It is very tabloid friendly. It is also complete nonsense that infuriates me to the point of wanting to choke the life out of the idiots who say it. (note for any future court action – this is purely imaginary, I am not really planning to kill anyone now or in the future)

There are so many things wrong with this it is hard to know where to start.

This person is paid to be a security manager. They are not a child protection professional. They are there to manage the security of the information that the public have entrusted to the council. Nothing else. If their job description means they have to ensure that vulnerable persons are safe in their homes, then I suspect there is something seriously wrong going on.

As a public servant, this “senior manager” is paid by the public, who you would rightly assume should have some expectation of his behaviour. Unless we’ve moved into some weird world where the vulnerable pay more for their services he has no right to unilaterally assume what laws he will follow and what laws he will break. He has no right or authority to compromise my privacy and personal data because he thinks that doing so 100,000 times might save one vulnerable person.

Equally this “manager” (sneer quotes intended) has no way of knowing if he is placing the safety of vulnerable people in further danger. Privacy laws and restrictions on how your personal data can be handled are there to protect everyone. Yes this includes criminals but it also includes vulnerable people. If this senior manager feels sending a copy of the addresses of everyone “at risk” to an agency across town would be helpful sharing of their data, what would he do if it got lost? What is his defence if his information security failures allow a predator to get the details of the vulnerable people he seeks to protect?

Equally importantly, what about those who only become vulnerable because of his lackadaisical attitude? This idea that passing private information and personal data is inherently a GOODTHING™© is insane. An otherwise fine person who has their home address details passed into the hands of a criminal becomes a vulnerable person. They have, through no fault of their own, become open to a vastly different threat – one they may not be prepared for. Is this acceptable behaviour for public servants? Imagine a serial rapist who gets hold of modified electoral roll data indicating addresses (and telephone numbers) of every house in the area where a single female lives. Would you be happy with the response that he would rather be in court over an Infosec case?

I suspect the real problem is that privacy and information security statutes don’t have enough teeth. If this senior manager was facing 20 years in jail for an infosec compromise, I am sure he would think differently. As it stands, nothing he does will get him properly punished in a court of law, so he must be talking about the court of public opinion. This is, sadly, so seriously misled by the tabloids that it is easy to see he would be hounded to the brink of suicide if it turned out he had withheld data that might have possibly prevented the death of a child. In a similar manner, if it turned out he had lost a disk containing the personal details of 250,000 people it would get, maybe, a few column inches.

To an extent this is our fault. We want easy to digest news. We ignore the mights and possibilities in the first instance, so we can get to the meat of saving the child. In the second case, it's too technical, too distant and probably doesn’t affect “us” so we don’t really care about it. We, the public, are stupid.

Weird security

Bruce Schneier’s blog discusses how to secure your laptop at international borders. Ignoring the fact that the Schneier methods are impressively ingenious – although, surely, in the sledgehammer-nut category – the truly amazing thing is that any government thinks “security” is served by searching laptops at airports.

I don’t mean “searched to make sure that they aren’t hiding bombs or weapons”. That would be a completely reasonable kind of search.

No, I mean searched, in the sense of “searching the hard drive.” This is absurd, in purely practical terms – ignoring the civil liberties questions – on so many levels. (I planned to list the practical difficulties of the idea, but they should be obvious to anyone who’s ever trawled their own hard disks for hours, in a quest for a two-year-old CV.)

The gaping elephant-in-the-room sized flaw in the whole procedure is the INTERNET. Any given piece-of-dangerous-information can be sitting comfortably on a computer in end-country x, hours before a courier-with-the-laptop has driven to an international airport in origin-country y. So, why the laptop searches?

Civic Duty

It seems that not only is the UK full of people too stupid to realise that 42 days detention of innocent people is a BADTHING©™®, but it is also full of people with a weird idea of what to do when something, which is a potential threat to national security, happens.

The second main news item on the BBC now (after the travesty of 42 days) is about the government losing some top secret documents on a train. Now, I am not going to harp on about the irony that a government that wants to intern people for six weeks is staffed by people who can’t look after a document for a sixty minute train journey. That would be too obvious 🙂

What really intrigued me is the actions of the member of the public who found the documents. Did they, upon seeing the MOD and Government headers and top secret classifications, go straight to the police and report this heinous breach of national security?(*) No. Did they, on realising a crime had taken place, report it to the police? No. Did they, in fact, do anything which could be described as fulfilling their public duty? Not really, no.

What they actually did was give it to the BBC security correspondent. Yes, not just turned up at the BBC and said here you go, they actually made enough arrangements to find out who the BBC security correspondent was (I have no idea and can't be bothered to look it up), then went to the BBC to hand over the documents. Madness.

What sort of world do we live in where 65% of people want innocent people locked up but don’t have the sense of civic duty to hand top secret documents in to the police, preferring to give them to the media….

* Top Secret apparently means “Information and material the unauthorized disclosure of which would cause EXCEPTIONALLY GRAVE DAMAGE to the nation (UK).” (source)