Bruce Schneier


Schneier on Security

A blog covering security and security technology.


September 8, 2008

BT, Phorm, and Me

Over the past year I have gotten many requests, both public and private, to comment on the BT and Phorm incident.

I was not involved with BT and Phorm, then or now. Everything I know about Phorm and BT's relationship with Phorm came from the same news articles you read. I have not gotten involved as an employee of BT. But anything I say is -- by definition -- said by a BT executive. That's not good.

So I'm sorry that I can't write about Phorm. But -- honestly -- lots of others have been giving their views on the issue.

Posted on September 8, 2008 at 6:23 AM


Comments

I have a great deal of respect for you, you have just as much right as anyone else to earn a living and there are few people who have done more to raise awareness of real security issues, but you make a very good point:

It's hard to rage against the man when you *are* the man.

Posted by: Riviera Kid at September 8, 2008 7:15 AM


If you want the technical view, read the Clayton et al. materials at http://www.lightbluetouchpaper.org/

Posted by: Nicholas Weaver at September 8, 2008 7:22 AM


Funny you write this today, I saw an article in the paper over the weekend (Parade magazine, actually) that quoted you about airport security and then mentioned that you were a "BT security" person. I thought I had missed something, but I guess not.

Posted by: Brett at September 8, 2008 7:23 AM


Sadly Bruce is the only BT exec with morals, but hey...

Posted by: Peter Galbavy at September 8, 2008 7:26 AM


You've got a point; Bruce Schneier *is* the Man.

At least he works for BT, not BA.

Posted by: Steve Shockley at September 8, 2008 7:32 AM


Can you comment on Obfuscated TCP, then?

Posted by: Don Marti at September 8, 2008 7:32 AM


(Link stripped from my last post. here's the ObsTCP project page: http://code.google.com/p/obstcp/ )

Posted by: Don Marti at September 8, 2008 7:34 AM


Thanks for the clarification Bruce.
But, incident?
I believe you mean incidents; trials were carried out in 2006 and 2007, both potentially illegal under the Regulation of Investigatory Powers Act 2000.
A leaked summary of the 2007 trial is here:
https://wikileaks.org/wiki/British_Telecom_Phorm_Page_Sense_External_Validation_report

Posted by: Colossal Squid at September 8, 2008 9:19 AM


Many thanks for this. Reading between the lines, many will see the warnings. As a BT shareholder I find the fact BT carried out these without the involvement of their paid security and network staff, who are paid to protect customers' privacy.

Suppose that speaks volumes for BT's integrity and morals.

Posted by: Florence at September 8, 2008 10:25 AM


You mean you can't even edit the Wiki entry?

Posted by: bob at September 8, 2008 10:26 AM


There's news from a few days ago about BT and Phorm.

http://www.theregister.co.uk/2008/09/05/bt_phorm_police_meeting/

Posted by: Anonymous at September 8, 2008 10:29 AM


I know there are some very honourable security people at BT, and they aren't very pleased with the whole Phorm thing - however, as per Virgin Media (who I work for), it's only by pushing boundaries that we define what is acceptable.

I'm actually glad that this happened - it opens up a debate about privacy in the UK, and specifically what companies can do with data they have access to, but don't 'own'.

In the UK we are totally retarded in this respect, IIRC, we only got any privacy laws from our EU membership :-(
(which is a bit sad)

Anonymity is something that 'brits' seem to think exists, but are always outraged when it doesn't - and we don't look at the legal agreements hard enough, or we'd see what companies put in there - which is scary.
(e.g. Google Chrome v1 EULA)

Posted by: Dom De Vitto at September 8, 2008 10:51 AM


The cynic in me does not think that these investigations will go anywhere.

After all, what Phorm did is just what most governments would love to do themselves: automatically profile internet users and assign them a risk factor. Next time you get pulled over for a speeding ticket, the cop can quiz you about the extremist web site you visited three months ago.

They just don't have the data or resources. Yet. Phorm and Google will be eager to lend a helping hand, I'm sure.

Posted by: FP at September 8, 2008 11:07 AM


@Bruce

Thanks for acknowledging this issue Bruce, at the very least. I don't think anyone curses you for your relationship to the company after years of morally sound commentary on privacy and security. Kudos to you.

@Dom De Vitto & @FP

Google Chrome EULA:
http://www.neowin.net/news/main/08/09/04/google-updates-chrome-eula

Turns out it was a mistake?

Posted by: Shane at September 8, 2008 11:34 AM


@ Florence, Bruce,

"As a BT shareholder"

I think you have a lot more to worry about with the NHS IT systems BT has involvement in.

As far as I can tell BT used some dodgy accounting with regard to payments supposedly earned but not received and other future earnings to get executive bonus payments.

The U.K. magazine "Private Eye" had an interesting series of articles about it shortly before it was announced that BT was buying Counterpane.

As has often been noted "actions speak louder than words" and BT have sullied their own name on a number of occasions.

Posted by: Clive Robinson at September 8, 2008 11:53 AM


Ahhh, censorship-that-is-not-censorship at its finest. Well done, BT.

Posted by: Mister Paul at September 8, 2008 1:09 PM


It's difficult to disagree with your employer in public. Still, good luck contributing to debate that is presumably going on within the company.

Posted by: notmyopinion at September 8, 2008 5:36 PM


As often is the case, find your harshest critics, then silence them. The question then becomes, when do we recognize what actually happened?

Posted by: Kashmarek at September 8, 2008 5:56 PM


Had no idea you worked in telecom? Had the impression you were some sort of security analyst in a university of some sort, but that's how wrong the impression can be when you don't know the entire background of a person.

Posted by: Skippern at September 8, 2008 8:40 PM


The irony of this case to me seems to be that BT operated under the advice of "legal counsel" rather than privacy and security experts.

Hopefully you can teach those lawyers a thing or two, Bruce. The law can be relevant to security but not always the best litmus on its own, especially when it comes to untested areas of information security.

Posted by: Davi Ottenheimer at September 8, 2008 11:26 PM


When people refer to BT here regarding Phorm, could they be more specific and mention 'BT Retail'. It might be a small difference when viewing from the outside, but I know it certainly isn't when viewed from the inside!

Posted by: G at September 9, 2008 2:57 AM


"When people refer to BT here regarding Phorm, could they be more specific and mention 'BT Retail'. It might be a small difference when viewing from the outside, but I know it certainly isn't when viewed from the inside!"

Well, it's the perception from the outside that BT need to deal with. This Phorm rubbish is dirtying BT's brand as a whole, not just BT Retail. How can anyone trust any part of BT to carry their data securely if they are, as they appear to be, willing to lie about what they have done with customer data in the past? I certainly will never use BT for home or business broadband again, whether that's "fair" on some sections of the business or not.

I'd suggest someone should have thought of that before signing up with these crooks in the first place.

Posted by: Chris at September 9, 2008 4:47 AM


Seconding what Chris above said. I just had to set up Broadband for my girlfriend and chose to avoid BT Retail and any of their subsidiaries (PlusNet, Brightview, Waitrose Broadband). I'll also be avoiding any other business owned by BT (eg Dabs.com) for the foreseeable future.

Posted by: Colossal Squid at September 9, 2008 5:05 AM


@ G

It is hard to split BT retail from BT group when Phorm start to post repeats of the PR spin on the forums for BT group on interactive investor. This was allowed to be put in the news for BT group shareholders to see on Thursday 4th Sept.

I agree that it can only be set up on BT Retail, as all other ISPs' customers' contracts are nothing to do with BT, so it would cause some problems if BT started to use Phorm on other ISPs' customers.

@Colossal Squid

I know many that have started to boycott these same companies.

Posted by: Florence at September 9, 2008 1:39 PM


Hi Bruce,

I hope you read this. I feel it is important if Phorm is to go ahead that the security people in BT have access to the full source of any 3rd party software running within their network which has potential access to privileged communications.

That would mean that BT need effectively to be in charge of the build process, so they know what is actually running on their own servers.

When Phorm issues patches and updates, I would hope a delta of the source is reviewed alongside a delta of the software requirements, and it is confirmed via a fingerprint of the binary image that the actual software running represents the source provided for review.

In short, I choose to trust BT with my private communications, and unless people like you are there to assure me that all the necessary checks and balances are in place to ensure that Phorm can't step out of the box, and that rogue employees can't start a secret data harvest, then I will not trust BT to handle my data.

Posted by: Bruce Please Read This at September 9, 2008 2:10 PM
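The check the commenter above asks for (review the source delta, build from that tree, and refuse to run any binary whose fingerprint does not match the reviewed build) can be reduced to two recorded digests and a comparison at deploy time. The following is an added example for this page, not code from BT, Phorm or the commenter; the vendor tree, file names and "binary" are constructed stand-ins, and the `record_review` / `verify_deployment` names are this example's own.

```python
"""Added example (not from the post, BT or Phorm): record fingerprints of a
reviewed third-party build, then re-check them before deployment so that the
binary actually running is the one built from the source that was reviewed.
All paths, file contents and names below are constructed for the demonstration."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of one file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def tree_digest(root: Path) -> str:
    """Digest of a source tree: each regular file's relative path and content,
    in sorted path order, so an added, renamed or edited file all change it."""
    h = hashlib.sha256()
    files = sorted((p for p in root.rglob("*") if p.is_file()),
                   key=lambda p: p.relative_to(root).as_posix())
    for path in files:
        rel = path.relative_to(root).as_posix().encode()
        h.update(len(rel).to_bytes(4, "big") + rel)   # length-prefixed: no path/content ambiguity
        h.update(bytes.fromhex(sha256_file(path)))
    return h.hexdigest()


def record_review(source_root: Path, built_binary: Path) -> dict:
    """What the reviewer records after reading the source delta and building
    from exactly that tree (hypothetical record format for this example)."""
    return {"source": tree_digest(source_root), "binary": sha256_file(built_binary)}


def verify_deployment(record: dict, source_root: Path, deployed_binary: Path) -> dict:
    """At deploy time: does the vendor tree still match what was reviewed, and
    does the binary about to run match the one built from it?  Either mismatch
    blocks deployment."""
    source_ok = tree_digest(source_root) == record["source"]
    binary_ok = sha256_file(deployed_binary) == record["binary"]
    return {"source_ok": source_ok, "binary_ok": binary_ok, "deploy": source_ok and binary_ok}


def demo() -> dict:
    """Constructed scenario: a tiny vendor tree and stand-in binary are reviewed,
    then re-checked after a silent one-byte 'hotfix' to the binary and after an
    unreviewed source change."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "vendor-src"
        (src / "lib").mkdir(parents=True)
        (src / "main.c").write_text("int main(void){return 0;}\n")
        (src / "lib" / "classify.c").write_text("/* profiling logic */\n")
        binary = Path(tmp) / "profiler.bin"
        binary.write_bytes(b"\x7fELF" + b"\x00" * 60)      # stand-in for the build output

        record = record_review(src, binary)
        clean = verify_deployment(record, src, binary)

        # Vendor ships a patched binary; the source handed over is unchanged.
        binary.write_bytes(b"\x7fELF" + b"\x00" * 59 + b"\x01")
        patched_binary = verify_deployment(record, src, binary)

        # Binary restored, but a source file changed without going through review.
        binary.write_bytes(b"\x7fELF" + b"\x00" * 60)
        (src / "lib" / "classify.c").write_text("/* profiling logic */\n/* now also logs URLs */\n")
        changed_source = verify_deployment(record, src, binary)

    return {"clean": clean, "patched_binary": patched_binary, "changed_source": changed_source}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The operator, not the vendor, has to hold the record and do the build: a digest supplied by the party being checked proves nothing. The source digest covers the whole tree rather than only the files in the delta, so a change slipped into a file the reviewer was not shown still fails the check.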


An article in The Register recently said that BT were being spoken to by Police in London about Phorm. Thank Christ for that!

I mean, if the vast majority of the UK Government forgets to encrypt, and/or password protect files, or even to take their memory sticks WITH THEM when they go somewhere like a TUBE TRAIN, then I'm sure the Police will have BT in check.

Ahem.

Avoid BT. Rent your lines from Tiscali or Toucan, and make your calls through Vonage or Skype.

Posted by: Chris Finch at September 9, 2008 4:40 PM


The privacy, security, and integrity of data communication must be protected.

Phorm must be stopped.

Posted by: Pete at September 9, 2008 5:36 PM


Phorm is wrong. Spyware on the ISP network. A wiretap. Incredible stupidity to trial at BT in 06 & 07. Criminal. Glad police are investigating.

Sign the Downing Street petition (18k people have)

Phorm must be stopped. Now. And Kent can take a hike and go back to his adware and rootkits or launch Phorm in Asia somewhere if they let him.

Posted by: Paul at September 9, 2008 8:26 PM


If you can't comment on Phorm, any chance of taking a look at Nebuad's similar implementation in the States?
http://en.wikipedia.org/wiki/NebuAd
http://www.theregister.co.uk/2008/04/10/american_isps_embrace_behavioral_ad_targeting/

Posted by: Colossal Squid at September 10, 2008 7:18 AM


@Colossal Squid:

According to an article in The Globe and Mail (http://tinyurl.com/6dun2n) NebuAd uses your IP address (run through a hash algorithm) to identify you. I can see two significant problems with that. First, my home IP address is dynamic. So I might end up seeing ads targeted at the previous lessee of that IP address.

Second, even if my home IP address were static, my whole family shares one IP connection to the Internet. So the targeting fails again - I might be seeing ads based on my son's browsing. To take this to the extreme: the business I work for has well over 1,000 employees in one building, all of whose browsing gets funnelled through one (or perhaps a handful) of IP addresses. How are NebuAd going to sort THAT out?

Posted by: Jim Hyslop at September 15, 2008 7:05 AM


I hope one day your valuable insight into security will be used as an expert witness in court for this whole Phorm - Webwise affair. I guess, you being an honourable man, BT Retail will not come out too well from your truthful analysis.

Posted by: warescouse at September 30, 2008 5:50 PM



Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.
