Proposed UK Law Bans Default Passwords
Following California’s lead, a new UK law would ban default passwords in IoT devices.
EDITED TO ADD (12/12): Commentary.
EDITED TO ADD (12/14): A draft of the bill.
In what is surely an unthinking cut-and-paste issue, page 921 of the Brexit deal mandates the use of SHA-1 and 1024-bit RSA:
The open standard s/MIME as extension to de facto e-mail standard SMTP will be deployed to encrypt messages containing DNA profile information. The protocol s/MIME (V3) allows signed receipts, security labels, and secure mailing lists… The underlying certificate used by s/MIME mechanism has to be in compliance with X.509 standard…. The processing rules for s/MIME encryption operations… are as follows:
- the sequence of the operations is: first encryption and then signing,
- the encryption algorithm AES (Advanced Encryption Standard) with 256 bit key length and RSA with 1,024 bit key length shall be applied for symmetric and asymmetric encryption respectively,
- the hash algorithm SHA-1 shall be applied.
- s/MIME functionality is built into the vast majority of modern e-mail software packages including Outlook, Mozilla Mail as well as Netscape Communicator 4.x and inter-operates among all major e-mail software packages.
And s/MIME? Bleah.
The Cambridge Cybercrime Centre has a series of papers on cybercrime during the coronavirus pandemic.
EDITED TO ADD (8/12): Interpol report.
Back in January, two senior GCHQ officials proposed a specific backdoor for communications systems. It was universally derided as unworkable—by me, as well. Now Jon Callas of the ACLU explains why.
Someone is flying a drone over Gatwick Airport in order to disrupt service:
Chris Woodroofe, Gatwick’s chief operating officer, said on Thursday afternoon there had been another drone sighting which meant it was impossible to say when the airport would reopen.
He told BBC News: “There are 110,000 passengers due to fly today, and the vast majority of those will see cancellations and disruption. We have had within the last hour another drone sighting so at this stage we are not open and I cannot tell you what time we will open.
“It was on the airport, seen by the police and corroborated. So having seen that drone that close to the runway it was unsafe to reopen.”
The economics of this kind of thing isn’t in our favor. A drone is cheap. Closing an airport for a day is very expensive.
I don’t think we’re going to solve this by jammers, or GPS-enabled drones that won’t fly over restricted areas. I’ve seen some technologies that will safely disable drones in flight, but I’m not optimistic about those in the near term. The best defense is probably punitive penalties for anyone doing something like this—enough to discourage others.
There are a lot of similar security situations, in which the cost to attack is vastly cheaper than 1) the damage caused by the attack, and 2) the cost to defend. I have long believed that this sort of thing represents an existential threat to our society.
EDITED TO ADD (12/23): The airport has deployed some anti-drone technology and reopened.
EDITED TO ADD (1/2): Maybe there was never a drone.
The Guardian is reporting that “every NHS trust assessed for cyber security vulnerabilities has failed to meet the standard required.”
This is the same NHS that was debilitated by WannaCry.
EDITED TO ADD (2/13): More news.
And don’t think that US hospitals are much better.
Ross Anderson gave a talk on the history of the Crypto Wars in the UK. I am intimately familiar with the US story, but didn’t know as much about Britain’s version.
Really good article about the women who worked at Bletchley Park during World War II, breaking German Enigma-encrypted messages.
EDITED TO ADD (7/13): There’s also a book: The Debs of Bletchley Park and Other Stories, by Michael Smith.
This article argues that Britain’s counterterrorism problem isn’t lack of data, it’s lack of analysis.
Someone just registered their company name as `; DROP TABLE "COMPANIES";-- LTD`.
Reddit thread. Obligatory xkcd comic.