Select Committee on Science and Technology Minutes of Evidence


Examination of Witnesses (Questions 320 - 339)

WEDNESDAY 10 JANUARY 2007

MR ALAN COX AND MR ADAM LAURIE

  Q320  Lord Mitchell: Going on from that, I wondered what your views were of Microsoft's automated security patching system? Does it not seem that it is somewhat ahead of what other open source systems can provide?

  Mr Cox: I had a look at this one. The first automatic update software in the open source world was about 1998. It is actually one of the things where open source vendors compete against each other. One of their key differentiating factors is the way they provide these kind of automated update services. I would take the view that except for dial-up users where there is a real problem with all products because the size of software their updates require does not fit very well down the modem. It is a solved problem now in the free and propriety world. I think we are sorted on that one, both in the open source world and the Microsoft world. The automated updates are there, they are working. There are questions about the timeliness of delivery of patches and that sort of thing, but not about having an automated update system.

  Mr Laurie: I would agree with that. I think it is a very good thing that Microsoft now provide automated updates and the only limitation really is the time limitation. However, what they provide patches and updates for is the Microsoft operating system itself. In the open source world you will find that the patches also include most of the third party software that you have installed so the open source world has a much broader coverage on automatic updates than Microsoft.

  Q321  Lord Mitchell: What is your opinion of the Vista operating system?

  Mr Laurie: I think it is a very good thing if it works. I have not been playing with it. It is not publicly released yet. I personally do not use Windows; I use a Linux derivative. I have not used Windows for as long as it has been around.

  Q322  Lord Mitchell: Do you think it goes some way to satisfying some of the criticisms of earlier versions of Windows?

  Mr Laurie: I think they are certainly trying. Microsoft to their credit really do listen to the open source community, the full disclosure community, and the security community. They participate a lot in security conferences and so on and they listen. I think they genuinely try to create a secure environment and I applaud them for that.

  Q323  Chairman: Mr Cox, do you think Vista is the most secure system that has ever been produced?

  Mr Cox: In the general case it is certainly not the most secure system, but the really secure systems have always been produced for things like military use where usability is not a factor. Whether it is the most secure operating system for the desktop we will really have to wait six or 12 months to see to what the figures are for malwear problems. I agree with Adam on this, Microsoft have clearly made a good effort here. There are a lot of things where open source versus Microsoft goes on in the marketplace but security is very much the vendors versus the fraudsters, we are all on the same side.

  Q324  Earl of Erroll: Mr Cox, in your written evidence you both suggested a need for international governance of the Internet and you also expressed distrust of governmental regulation hitherto. Could you describe in more detail how you would like to see the Internet regulated.

  Mr Cox: What has caused a lot of annoyance and problems in the open source world has been regulation which is controlling tools, things like control of encryption, control of possession of software which is useful both for testing and exploiting machines which, unfortunately, is the same software. People often describe it as "thought" crime, offences which have no victim which should not be a crime. At the same time, if you are dealing with a real incident where damage is being done and fraud is being committed, it is very, very hard to do anything about it. Firstly, fraud is almost always international so you trace it back and you find you are being attacked by a Polish machine controlled by somebody in Nigeria who may or may not be working for an American. Needless to say the system is not well adapted to this in computing or outside of computing. The second point is that the UK police, at least if you walk up to the desk sergeant at a typical police station—and I have a friend who has real experience of this—he does not understand the problems (and why should he) and there is then nowhere else to go. So a local music shop for example suffered some real problems with spammers misusing their name, attempting to really do them damage and to destroy their reputation. When they approached Swansea police station the Swansea police were perfectly willing to help, they really wanted to do the right thing but did not know enough to do anything about it, and so we need something which deals with electronic crime and computers, either an understanding in police stations or we need a central contact point. Also with this you need to act fast. One of the things about phishing attacks is an email gets sent to one million people designed to trick them to use some site. If you shut that site down in an hour for most of those people by the time they get the email the site is shut down. If you shut that site down in 24 hours, you have probably made no difference so a very, very fast response is sometimes needed to these things.

  Q325  Earl of Erroll: Right, so a lot of it is not necessarily so much Internet governance as cross-border co-operation and also internal police responses, which are really your concerns?

  Mr Cox: I suppose in a sense we need to police the Internet in the same way as we police streets. Whether that is governance or policing I am not quite sure.

  Q326  Earl of Erroll: The other thing that came out was that the open source community in some ways regarded the EU as the tool of big industry. Why is this? Is it the dispute between the EU and the Commission and Microsoft where Microsoft appears to be in breach of anti-trust laws and taking defensive positions, that sort of thing?

  Mr Cox: No, it is particularly to do with software patents where there is a very distinct lack in the European Parliament of control of lobbying, declaration of interests, this kind of thing. We have found it very, very hard to work at getting our point across in places like the European Parliament whereas the big companies are able to spend huge amounts of money and that has been used in various ways particularly by the media companies, so we have had various instances of things we used to be able to do which we are not allowed to do, but they fall outside of Internet security.

  Q327  Earl of Erroll: Are some of those software patents inhibiting your efforts to increase security?

  Mr Cox: They are. There are both legal and patent ones. The legal one in the UK is partly the Computer Misuse Act, particularly the recent update which is going to cause problems, and also the libel law. The computer misuse side of it will cause a problem because it is now an offence variously to possess tools or give people tools which can be used to break into computers, which are unfortunately the same tools that you need to identify the security holes and test a security hole has been fixed and so on. The Crown Prosecution Service was supposed to produce guidelines on this issue but we do not know what those guidelines are yet. It is not clear what will happen about private prosecutions. There is a worry that disreputable companies might try to use that law to shut down legitimate reports of security holes. If you are trying to do things like anti-phishing what you want to do is create a list of phishing sites, so at nine o'clock in the morning I get this email in "there's a fake Lloyds Bank site" and you put it on the list of fake sites. People check that list and it puts up a thing when they go to it which says "this may be a phishing site". In most areas of the world if you do that and you get it wrong you might be liable to pay a few thousand dollars to somebody who lost business. In the UK all the lawyers will say is just do not do it. The patent one covers patent claims on various things, particularly things like secure mail checking. There has been some progress on that since the written evidence. Microsoft owned at least one of those patents and they used to have a multi-page dreamer whereby you could use it but it was completely unworkable for most organisations. The recent draft they had approving this is one page long and appears to solve the problems, so there is progress being made there as well.

  Q328  Earl of Erroll: You seem to be against the concept of licensing security professionals. Would it not be safer to have some method of trust in the people who are likely to be working on our computers?

  Mr Cox: From the open source world point of view most security work is not done by security professionals, by trade; it is done by students, done by volunteers and some of it is done by professionals. If you were to try and regulate and control who is a security professional, what you will actually do is forbid a large number of people currently fighting the bad guys from taking part. It is almost like saying you are not allowed to help fight crime unless you are a policeman.

  Q329  Lord Harris of Haringey: Looking at the whole range of communicating computer-based devices, what do you see as being the main vulnerabilities affecting private, individual users?

  Mr Laurie: Currently the obvious attacks that are going on are mostly theft of credit card details, attacks against e-commerce, identity theft, phishing, scanning and then using those details to attack on-line banking or even taking it off-line and buying goods through traditional methods using the details obtained. I think the problem of spam and viruses and malwear is ever expanding.

  Q330  Lord Harris of Haringey: I am just wondering if you are answering a different question. What I am interested in is most of us in this group are probably carrying mobile devices of some sort which have access to the Internet, do e-mail and things like that, and there is a whole new generation of iPods coming along we have heard much about in the last few days and so on. I would be interested in—and I think you alluded to it in your opening statement—where that leaves the individual user in terms of vulnerabilities.

  Mr Laurie: In the future mobile devices are becoming more and more tightly integrated into our lives and there is a convergence of media and messaging and e-mail on the move on your mobile and so on. There is a tendency to try and cram more and more stuff into those small devices so clearly when that device falls prey to an attack then the ability to unravel all of your personal details, capture all of your contact details, read all of your messages, possibly connect back to your home networks, that becomes fairly significant. We did mention Wi-Fi insecurity. Again these devices are becoming increasingly connectable. It concerns me that in the protocols being used we do not seem to be learning the lessons and every time a new product comes along that has a new wireless connectivity mechanism they seem to make the same mistakes. They reinvent the security mechanisms, the crypto or whatever. With WEP they invented a whole new crypto tracking system to secure those networks and got it wrong. Bluetooth came along and they invented their own crypto system and again got it wrong and are now having to generate new ones. So we do not seem to be learning the lessons of the previous generations of communication. The Internet has been doing secure communications for years and then suddenly we are on wireless and then we have to reinvent secure communications which we should not have needed to. We could have learned the lessons from the Internet and applied them to wireless.

  Q331  Lord Harris of Haringey: So you not saying for example mobile phones are inherently secure; you are saying it is a failure to learn the lessons of the past?

  Mr Laurie: And the failure to secure them has much greater effect now because of how they are being used. For Microsoft we talked about single identity and if your mobile phone becomes the device that is your identity it will contain the credentials of your identity and maybe biometrics. We see laptops with fingerprint readers and so on. There is an increasing reliance on technology to solve these problems like identity, but because they not getting the security right the threat becomes much greater. If I can take over your entire identity by stealing the contents of you mobile phone which now has a single sign-on ID and your biometrics, fingerprints, iris scans, whatever, then that is a huge problem. I think the risk of that happening is increasingly there because of this reliance on new technology just working and we will get it right.

  Q332  Lord Harris of Haringey: Do you feel that manufacturers are doing anything like enough to address these problems?

  Mr Laurie: I think they are trying but history shows us that they tend not to get it right, so I guess the simple answer to that is probably not.

  Q333  Lord Harris of Haringey: Do you have any information about the scale of the problem in terms of the number of times or number of instances where the attack has been through a mobile device as opposed to more conventional means?

  Mr Laurie: I do not have any data relating to current situations but certainly in the past for example when I looked at Bluetooth issues and found vulnerabilities in the Bluetooth protocol, what I found was there were huge numbers of people who were vulnerable. I did some scans of Victoria Station during rush hour, and from memory I think I found about 350 vulnerable phones in the space of about an hour, and that was transitory people who were walking past, that was not the same person being counted multiple times. These technologies are being shipped in their hundreds and thousands and millions, so if there is a vulnerability of a mobile device that spreads very quickly, there will be a lot of them out there.

  Q334  Lord Howie of Troon: How did you find these vulnerable devices?

  Mr Laurie: Bluetooth has a facility to scan for other Bluetooth devices. I was simply scanning, I was not attacking them, and I was looking at the profile to say, okay I recognise that profile as being a particular device that is known to be vulnerable.

  Lord Harris of Haringey: Before we move on, it may be that is something we should be seeking specific evidence on from particularly providers and suppliers of equipment as to what they are doing to address the vulnerabilities of mobile devices. It is a component of the area we are looking at but I am not sure we have hard evidence and have specifically asked about mobile phones.

  Q335  Chairman: If mobile devices were enabled by a fingerprint scan or an iris scan, the fact you had the file for the iris scan or the fingerprint scan would not help you, or can you inject a signal into the machine and mimic it?

  Mr Laurie: The potential is there. If you know the fingerprint you are trying to spoof then you have got the pattern you are trying to create, so you can generate a fake fingerprint that will fool that reader. It has long since been proved that most fingerprint readers on the market are actually vulnerable to very simple attacks. In fact, there is a kids' TV programme called Mythbusters where they recently tried a fingerprint reader and they defeated it in three different ways, one of which was a simple photocopy of the fingerprint, and this was one that the industry was saying this is foolproof.

  Q336  Chairman: Is that by making an imitation fingerprint or by injecting an electronic signal?

  Mr Laurie: This was by making an imitation fingerprint. It is all very James Bond but you collect a fingerprint from a glass or a CD case. I think in the case of the programme they lent the guy a music disk and when they got it back they took the fingerprint off the outside of the case and recreated that as a photocopy.

  Q337  Chairman: Soon you will be able to buy a little fingerprint printer, will you?

  Mr Laurie: Absolutely. The tools are all out there. This is not a problem.

  Q338  Lord O'Neill of Clackmannan: I am almost loath to ask this question because you have frightened us enough as it is! Looking to the future what do you see as the most important emerging security threats in respect of personal safety?

  Mr Laurie: I slightly jumped the gun there because that was one of the main things that concerns me the most—the reliance on biometrics. Single centralised databases of personal information—the more that we gather this stuff together in one place the more vulnerable we make ourselves and the easier we make it for people to take over our identities. Again it is the reliance on technology. If you spend millions on systems that say biometrics are foolproof and we are going to use these biometrics to prove our identities and we have spent lots of money on it and it is foolproof, that causes a real problem for somebody caught up in the system when their identity has been spoofed. How do I convince this huge industry that they have got it wrong? There is a serious inertia against admitting that there is a problem with the system so the more you claim a technology is foolproof and the more money you spend on it the harder it gets to show they were wrong.

  Q339  Chairman: Do you think that ID cards will be vulnerable in the same way?

  Mr Laurie: Definitely. History tells us that these technologies are not foolproof. I have done some work in the area of RFID and there are lots of cases where industry is claiming that an RFID cannot be cloned for example—


 
previous page contents next page

House of Lords home page Parliament home page House of Commons home page search page enquiries index

© Parliamentary copyright 2007