
Posts

So why are the NCSC so relaxed about Huawei?

I am struggling to work out why the NCSC seems so wedded to their capability to mitigate risks associated with Huawei kit in the UK telecoms network. The current argument is very much that the risks are less about being Chinese and more about being not very good. It's worth noting that this is not why HCSEC was set up in 2010, and is in fact only a concern that was first fully referenced in the 2016 Oversight Committee report, so the argument is possibly somewhat disingenuous.

It may well be that the reasons are completely mundane - it is very embarrassing for GCHQ, after ten years of saying they can mitigate the risks, to start claiming they can't, and their arguably petulant reaction to the RUSI report shows that they do not like being publicly embarrassed.

So why are the NCSC/GCHQ so relaxed about Huawei?  Some (fairly random) thoughts:

1. They really can mitigate the risk of Chinese equipment in the UK telecommunications infrastructure.  This is what they would …
Recent posts

AI and the Internet: Sometimes it feels like the 1990s again

Over the past few months I have been (as well as editing the thesis) looking at the world of Artificial Intelligence developments, mainly in relation to working it into a module on an undergraduate BA course called Technology and National Security. (That's the name of the module, which is 13 two-hour lectures and 13 two-hour tutorials, covering everything from the nature of war, through military ethics, to robotics, drones and automated weapons, with a quick detour through cyber-security and global security governance. Very interesting if intensely depressing subject matter. Much more on this module in posts over the next few months as I finish up the materials).

Anyway, the over-riding feeling I was getting when looking at the state of AI developments was that it was just like the commercialisation of the Internet in the 1990s.    In brief:

1. Nobody is too sure how it is going to play out in the long term. 

Just like the commercial Internet in the 1990s there is a huge question …

Non-Academic Publishing

As part of the PhD process that is now (thank heavens) rapidly approaching its end, there have been several discussions suggesting that publishing some papers in 'respected academic journals' would be 'a good thing'.   There are a number of chapters in the PhD that could be carved out and turned into stand alone papers, but I have to be honest, after nearly four years, I am more likely to tear them out and burn them. 

I digress.

Having spent four years reading academic journals, I'm not so sure about the value of contributing to them. If I want to have a pointless debate about issues of definition I can do that when taking the kids to school. (This morning's starter for ten: "Now that my son is 18 and technically an adult, does this mean my daughter is an only child?" Son's view is no, daughter's view - well you can probably guess).

I digress again. 

The issue for me (and if you are one of my 12 regular twitter followers you will know this)…

And that's the last of the DPhil Interviews completed...

It feels momentous, but probably isn't, but today, the last of the DPhil interviews were finished.  This does bring some major factors into consideration, the main one being that I have close to twenty hours of recordings to transcribe.

I can feel carpal tunnel setting in already.

On a serious note, some very busy people have given generously of their time, to what was in most cases a complete stranger asking odd questions for which the potential benefit to themselves was probably nothing except the chance to have a chat about things that interest them and help someone out.

It is good that so many were prepared to talk to me.  Of course, I should remember that an equally large number said no politely, failed to turn up for agreed interviews, stopped answering phone calls and emails, or just told me to go away.  I know how those poor chaps providing unsolicited Microsoft support from a shed in India feel...... 

However, the memory I shall choose to retain is that there are some re…

Cyber Security and the Retail Sector - A Prize Winning Essay

As a general rule I don't tend to do a lot of 'academic' stuff, but for reasons too arcane to go into I entered a competition being run by the British Retail Consortium to write an essay on the cyber challenges faced by the retail industry. Now, the essay didn't win, but it did come second, which is OK by me because it means I don't have to go and present it as a paper, but I can call it a prize winning essay. It reminds me that the last time I was up for a prize for writing I was beaten to it by Ruth Rendell (another long story), but thanks to the BRC for running a competition like this. It was good to spend a week looking at something immediate and relevant rather than purely academic.
Sadly, I don't think I can use this in any way in my thesis, so I still have 100 thousand words to go, minus the 500 I have written this week - so that's 99,500 words to go.  Anyway, I have pasted the essay below for those who enjoy this kind of thing.  Apologies for the…

Curiouser and curiouser

Some reports suggest that it was not spread by a phishing email[1] (although some hedge their bets by saying that it ‘could’ be), with some suggestions that the attackers had a pre-existing foothold that allowed the initial infection to occur,[2] or that it was through infected websites,[3] although there are also reports based on Darktrace information that it was initiated by a phishing email[4] and an initial email infection in Europe was reported as the source by the FT[5], although phishing is then conspicuous by its absence from the Darktrace blog of 17th May.[6]
It is probably true that there has been more than a little fear, uncertainty and doubt around the attack vector in particular.
This continues as of today (20th May 2017) with the Register quoting Malwarebytes definitively that the vulnerability was exploited by port scanning for exposed SMB ports and not through phishing emails.[7]
The same report suggests that Windows XP does not now seem to have been impacted (it’s so out o…

Thoughts on the WannaCry virus and the importance of starting assumptions

This was written just as a piece to see what happens to the potential outcome of a piece of analysis when basic assumptions change. I’m not admitting whether I think any of the below is accurate (except for the facts I have taken from others’ primary forensic analysis). More than enough has been written about the WannaCry ransom attack, especially from a technical viewpoint, and the post-attack analysis has made interesting reading in terms of ‘how’ this attack took place. The quality of the forensic analysis has been pretty impressive – although some elements around attack vector still seem contested (or at least confusing to me). The reading on ‘who’ fashioned this attack has been less interesting in that it seems to have come to the conclusion it was North Korea on the basis of re-used code blocks and not much else from what I have read. The area that seems to have had even less analysis seems to be ‘why’. It’s ransomware. It’s to make money. I can almost see some of the people…