Tag Archives: disclosure

ISNow – Ethical Hacking

The following introduction was originally published in the BCS Information Security Now Magazine, Spring 2011 issue (Volume 5, Issue 3), which was on the topic of Ethical Hacking:

“There has been debate and disagreement as to whether the term ethical hacking is correct and appropriate. Adding ethical as a prefix to a word that has the baggage of hacking does not placate those that subscribe to a belief that hacking is solely unlawful (forgetting the history and alternate uses of the word). For myself, I have more of an issue with ethical, as criminals may have a stronger ethical position than some professionals, demonstrated in some recent leaks. Ultimately it’s down to authorisation and scope, not terminology.

As seen from numerous recent large-scale intrusions, seemingly backed by state-sponsors, spammers and fraudsters, failure to test adequately can be a factor. Only once you start with a known secure system or service can you look to keep it that way.

It’s mine, I can do what I want
Restrictive laws can give those that wish to tinker and open up closed and proprietary systems a significant legal headache, even when only trying to restore a feature removed by the manufacturer. Copyright (monopoly rights) was originally conceived as a protection against duplication. Once you’ve bought, say, a games console why should rights of fair use to modify or adapt be so limited?

There is a lot of discussion around what responsible disclosure entails, and not everyone agrees (even on the name), but on the whole it is reporting the finding in a responsible way, usually to the site or vendor, and providing sufficient time to develop, test and deploy a fix before announcing it to the world.”

A PDF version of the magazine is available online at:

http://www.bcs.org/upload/pdf/isnow-spring2011.pdf

Talk on ‘RIPA: Perception & Practice’ (Slides)

I spoke at the BCS Information Security Specialist Group’s 11th Annual Legal Day, held at the RAF Club, London on Friday 22nd January 2010. My talk was entitled “RIPA: Perception and Practice” and the slides are now available.

Talk on ‘RIPA: Perception & Practice’

I will be speaking at the BCS Information Security Specialist Group’s 11th Annual Legal Day, being held at the RAF Club, London on Friday 22nd January 2010. My talk is entitled “RIPA: Perception and Practice”, although I was tempted to title it “RIPA: Proportionality, Paranoia and Practice”, and the synopsis is:

“There has been much discussion in the media and elsewhere about the use and misuse of the powers granted to many public authorities under the Regulation of Investigatory Powers Act 2000 and associated legislation.

Stories about snooping on people for trying to get their children into a particular school or letting their dogs foul the street may make the front page, but they are not necessarily representative of how the powers are used in general.

Sure, they should lead to questions about the implementation and effectiveness of the necessity and proportionality tests that are a mandatory part of the legislation, but there may be greater things to concern ourselves with when law enforcement and the intelligence community wish to grow and extend the use of data retention, monitoring and surveillance.

This talk will give an overview of many years of practical experience and interactions with the public authorities authorised to seek access to information under RIPA, Part I, Chapters I & II.”

Further information can be found in the events section of the BCS ISSG website:

http://www.bcs-issg.org.uk/events.html

Computing – Data Retention Laws to Change

I was quoted by Computing in an article covering the Communications Data Bill. I was talking about the UK adoption of the EU Data Retention Directive (EU DRD) for Internet data, after an 18 month delay to help ISPs get ready. It would have been nice to have my job title and company name printed correctly in the article though…

The full article is available online at:

http://www.computing.co.uk/computing/news/2217202/retention-laws-change-4017535

ZDNet – Communications Data Bill

I was quoted by ZDNet in an article covering the Communications Data Bill. I was talking about the UK adoption of the EU Data Retention Directive (EU DRD) and how it affected the current voluntary data retention regime, but the article also covers the Interception Modernisation Programme (IMP) – although not by name – and the desire for a centralised government controlled database of all communications data records.

The full article is available online at:

http://news.zdnet.co.uk/communications/0,1000000085,39420722,00.htm