Examination of Witnesses (Questions 320
WEDNESDAY 10 JANUARY 2007
Q320 Lord Mitchell:
Going on from that, I wondered what your views were of Microsoft's
automated security patching system? Does it not seem that it is
somewhat ahead of what other open source systems can provide?
Mr Cox: I had a look at this one. The first
automatic update software in the open source world was about 1998.
It is actually one of the things where open source vendors compete
against each other. One of their key differentiating factors is
the way they provide these kinds of automated update services.
I would take the view that, except for dial-up users, where there
is a real problem with all products because the size of software
their updates require does not fit very well down the modem, it
is a solved problem now in the free and proprietary world. I think
we are sorted on that one, both in the open source world and the
Microsoft world. The automated updates are there, they are working.
There are questions about the timeliness of delivery of patches
and that sort of thing, but not about having an automated update
Mr Laurie: I would agree with that. I think
it is a very good thing that Microsoft now provide automated updates
and the only limitation really is the time limitation. However,
what they provide patches and updates for is the Microsoft operating
system itself. In the open source world you will find that the
patches also include most of the third party software that you
have installed so the open source world has a much broader coverage
on automatic updates than Microsoft.
Q321 Lord Mitchell:
What is your opinion of the Vista operating system?
Mr Laurie: I think it is a very good thing if
it works. I have not been playing with it. It is not publicly
released yet. I personally do not use Windows; I use a Linux derivative.
I have not used Windows for as long as it has been around.
Q322 Lord Mitchell:
Do you think it goes some way to satisfying some of the criticisms
of earlier versions of Windows?
Mr Laurie: I think they are certainly trying.
Microsoft to their credit really do listen to the open source
community, the full disclosure community, and the security community.
They participate a lot in security conferences and so on and they
listen. I think they genuinely try to create a secure environment
and I applaud them for that.
Mr Cox, do you think Vista is the most secure system that has
ever been produced?
Mr Cox: In the general case it is certainly
not the most secure system, but the really secure systems have
always been produced for things like military use where usability
is not a factor. Whether it is the most secure operating system
for the desktop we will really have to wait six or 12 months to
see what the figures are for malware problems. I agree with
Adam on this, Microsoft have clearly made a good effort here.
There are a lot of things where open source versus Microsoft goes
on in the marketplace but security is very much the vendors versus
the fraudsters, we are all on the same side.
Q324 Earl of Erroll:
Mr Cox, in your written evidence you both suggested a need for
international governance of the Internet and you also expressed
distrust of governmental regulation hitherto. Could you describe
in more detail how you would like to see the Internet regulated?
Mr Cox: What has caused a lot of annoyance and
problems in the open source world has been regulation which is
controlling tools, things like control of encryption, control
of possession of software which is useful both for testing and
exploiting machines which, unfortunately, is the same software.
People often describe it as "thought" crime, offences
which have no victim which should not be a crime. At the same
time, if you are dealing with a real incident where damage is
being done and fraud is being committed, it is very, very hard
to do anything about it. Firstly, fraud is almost always international
so you trace it back and you find you are being attacked by a
Polish machine controlled by somebody in Nigeria who may or may
not be working for an American. Needless to say the system is
not well adapted to this in computing or outside of computing.
The second point is that the UK police, at least if you walk up
to the desk sergeant at a typical police station - and I have
a friend who has real experience of this - he does not understand
the problems (and why should he) and there is then nowhere else
to go. So a local music shop for example suffered some real problems
with spammers misusing their name, attempting to really do them
damage and to destroy their reputation. When they approached Swansea
police station the Swansea police were perfectly willing to help,
they really wanted to do the right thing but did not know enough
to do anything about it, and so we need something which deals
with electronic crime and computers, either an understanding in
police stations or we need a central contact point. Also with
this you need to act fast. One of the things about phishing attacks
is an email gets sent to one million people designed to trick
them to use some site. If you shut that site down in an hour, for
most of those people, by the time they get the email the site is
shut down. If you shut that site down in 24 hours, you have probably
made no difference so a very, very fast response is sometimes
needed to these things.
Q325 Earl of Erroll:
Right, so a lot of it is not necessarily so much Internet governance
as cross-border co-operation and also internal police responses,
which are really your concerns?
Mr Cox: I suppose in a sense we need to police
the Internet in the same way as we police streets. Whether that
is governance or policing I am not quite sure.
Q326 Earl of Erroll:
The other thing that came out was that the open source community
in some ways regarded the EU as the tool of big industry. Why
is this? Is it the dispute between the EU and the Commission and
Microsoft where Microsoft appears to be in breach of anti-trust
laws and taking defensive positions, that sort of thing?
Mr Cox: No, it is particularly to do with software
patents where there is a very distinct lack in the European Parliament
of control of lobbying, declaration of interests, this kind of
thing. We have found it very, very hard to work at getting our
point across in places like the European Parliament whereas the
big companies are able to spend huge amounts of money and that
has been used in various ways particularly by the media companies,
so we have had various instances of things we used to be able
to do which we are not allowed to do, but they fall outside of
Q327 Earl of Erroll:
Are some of those software patents inhibiting your efforts to
Mr Cox: They are. There are both legal and patent
ones. The legal one in the UK is partly the Computer Misuse Act,
particularly the recent update which is going to cause problems,
and also the libel law. The computer misuse side of it will cause
a problem because it is now an offence variously to possess tools
or give people tools which can be used to break into computers,
which are unfortunately the same tools that you need to identify
the security holes and test a security hole has been fixed and
so on. The Crown Prosecution Service was supposed to produce guidelines
on this issue but we do not know what those guidelines are yet.
It is not clear what will happen about private prosecutions. There
is a worry that disreputable companies might try to use that law
to shut down legitimate reports of security holes. If you are
trying to do things like anti-phishing what you want to do is
create a list of phishing sites, so at nine o'clock in the morning
I get this email in "there's a fake Lloyds Bank site"
and you put it on the list of fake sites. People check that list
and it puts up a thing when they go to it which says "this
may be a phishing site". In most areas of the world if you
do that and you get it wrong you might be liable to pay a few
thousand dollars to somebody who lost business. In the UK all
the lawyers will say is just do not do it. The patent one covers
patent claims on various things, particularly things like secure
mail checking. There has been some progress on that since the
written evidence. Microsoft owned at least one of those patents
and they used to have a multi-page dreamer whereby you could use
it but it was completely unworkable for most organisations. The
recent draft they had approving this is one page long and appears
to solve the problems, so there is progress being made there as
Q328 Earl of Erroll:
You seem to be against the concept of licensing security professionals.
Would it not be safer to have some method of trust in the people
who are likely to be working on our computers?
Mr Cox: From the open source world point of
view most security work is not done by security professionals,
by trade; it is done by students, done by volunteers and some
of it is done by professionals. If you were to try and regulate
and control who is a security professional, what you will actually
do is forbid a large number of people currently fighting the bad
guys from taking part. It is almost like saying you are not allowed
to help fight crime unless you are a policeman.
Q329 Lord Harris of Haringey:
Looking at the whole range of communicating computer-based devices,
what do you see as being the main vulnerabilities affecting private,
Mr Laurie: Currently the obvious attacks that
are going on are mostly theft of credit card details, attacks
against e-commerce, identity theft, phishing, scanning and then
using those details to attack on-line banking or even taking it
off-line and buying goods through traditional methods using the
details obtained. I think the problem of spam and viruses and
malware is ever expanding.
Q330 Lord Harris of Haringey:
I am just wondering if you are answering a different question.
What I am interested in is most of us in this group are probably
carrying mobile devices of some sort which have access to the
Internet, do e-mail and things like that, and there is a whole
new generation of iPods coming along we have heard much about
in the last few days and so on. I would be interested in - and
I think you alluded to it in your opening statement - where
that leaves the individual user in terms of vulnerabilities.
Mr Laurie: In the future mobile devices are
becoming more and more tightly integrated into our lives and there
is a convergence of media and messaging and e-mail on the move
on your mobile and so on. There is a tendency to try and cram
more and more stuff into those small devices so clearly when that
device falls prey to an attack then the ability to unravel all
of your personal details, capture all of your contact details,
read all of your messages, possibly connect back to your home
networks, that becomes fairly significant. We did mention Wi-Fi
insecurity. Again these devices are becoming increasingly connectable.
It concerns me that in the protocols being used we do not seem
to be learning the lessons and every time a new product comes
along that has a new wireless connectivity mechanism they seem
to make the same mistakes. They reinvent the security mechanisms,
the crypto or whatever. With WEP they invented a whole new crypto
tracking system to secure those networks and got it wrong. Bluetooth
came along and they invented their own crypto system and again
got it wrong and are now having to generate new ones. So we do
not seem to be learning the lessons of the previous generations
of communication. The Internet has been doing secure communications
for years and then suddenly we are on wireless and then we have
to reinvent secure communications which we should not have needed
to. We could have learned the lessons from the Internet and applied
them to wireless.
Q331 Lord Harris of Haringey:
So you are not saying for example mobile phones are inherently secure;
you are saying it is a failure to learn the lessons of the past?
Mr Laurie: And the failure to secure them has
much greater effect now because of how they are being used. For
Microsoft we talked about single identity and if your mobile phone
becomes the device that is your identity it will contain the credentials
of your identity and maybe biometrics. We see laptops with fingerprint
readers and so on. There is an increasing reliance on technology
to solve these problems like identity, but because they are not getting
the security right the threat becomes much greater. If I can take
over your entire identity by stealing the contents of your mobile
phone which now has a single sign-on ID and your biometrics, fingerprints,
iris scans, whatever, then that is a huge problem. I think the
risk of that happening is increasingly there because of this reliance
on new technology just working and we will get it right.
Q332 Lord Harris of Haringey:
Do you feel that manufacturers are doing anything like enough
to address these problems?
Mr Laurie: I think they are trying but history
shows us that they tend not to get it right, so I guess the simple
answer to that is probably not.
Q333 Lord Harris of Haringey:
Do you have any information about the scale of the problem in
terms of the number of times or number of instances where the
attack has been through a mobile device as opposed to more conventional
Mr Laurie: I do not have any data relating to
current situations but certainly in the past for example when
I looked at Bluetooth issues and found vulnerabilities in the
Bluetooth protocol, what I found was there were huge numbers of
people who were vulnerable. I did some scans of Victoria Station
during rush hour, and from memory I think I found about 350 vulnerable
phones in the space of about an hour, and that was transitory
people who were walking past, that was not the same person being
counted multiple times. These technologies are being shipped in
their hundreds and thousands and millions, so if there is a vulnerability
of a mobile device that spreads very quickly, there will be a
lot of them out there.
Q334 Lord Howie of Troon:
How did you find these vulnerable devices?
Mr Laurie: Bluetooth has a facility to scan
for other Bluetooth devices. I was simply scanning, I was not
attacking them, and I was looking at the profile to say, okay
I recognise that profile as being a particular device that is
known to be vulnerable.
Lord Harris of Haringey: Before we move
on, it may be that is something we should be seeking specific
evidence on from particularly providers and suppliers of equipment
as to what they are doing to address the vulnerabilities of mobile
devices. It is a component of the area we are looking at but I
am not sure we have hard evidence and have specifically asked
about mobile phones.
If mobile devices were enabled by a fingerprint scan or an iris
scan, the fact you had the file for the iris scan or the fingerprint
scan would not help you, or can you inject a signal into the machine
and mimic it?
Mr Laurie: The potential is there. If you know
the fingerprint you are trying to spoof then you have got the
pattern you are trying to create, so you can generate a fake fingerprint
that will fool that reader. It has long since been proved that
most fingerprint readers on the market are actually vulnerable
to very simple attacks. In fact, there is a kids' TV programme
called Mythbusters where they recently tried a fingerprint
reader and they defeated it in three different ways, one of which
was a simple photocopy of the fingerprint, and this was one that
the industry was saying this is foolproof.
Is that by making an imitation fingerprint or by injecting an
Mr Laurie: This was by making an imitation fingerprint.
It is all very James Bond but you collect a fingerprint from a
glass or a CD case. I think in the case of the programme they
lent the guy a music disk and when they got it back they took
the fingerprint off the outside of the case and recreated that
as a photocopy.
Soon you will be able to buy a little fingerprint printer, will
Mr Laurie: Absolutely. The tools are all out
there. This is not a problem.
Q338 Lord O'Neill of Clackmannan:
I am almost loath to ask this question because you have frightened
us enough as it is! Looking to the future what do you see as the
most important emerging security threats in respect of personal
Mr Laurie: I slightly jumped the gun there because
that was one of the main things that concerns me the most - the
reliance on biometrics. Single centralised databases of personal
information - the more that we gather this stuff together
in one place the more vulnerable we make ourselves and the easier
we make it for people to take over our identities. Again it is
the reliance on technology. If you spend millions on systems that
say biometrics are foolproof and we are going to use these biometrics
to prove our identities and we have spent lots of money on it
and it is foolproof, that causes a real problem for somebody caught
up in the system when their identity has been spoofed. How do
I convince this huge industry that they have got it wrong? There
is a serious inertia against admitting that there is a problem
with the system so the more you claim a technology is foolproof
and the more money you spend on it the harder it gets to show
they were wrong.
Do you think that ID cards will be vulnerable in the same way?
Mr Laurie: Definitely. History tells us that
these technologies are not foolproof. I have done some work in
the area of RFID and there are lots of cases where industry is
claiming that an RFID cannot be cloned for example