At Orgcon 17

I am just back from orgcon17, and here are my notes. This was a two day conference, with many sessions on issues of concern to digital liberty campaigners on the regulation of the use of personal data, consisting of lectures, panels and workshops. On the first day, at Friends House, where we had the use of the amazing central meeting room, it looked at the coming legislation on investigatory powers, the use of the law to make political advances (it’s slow & uncertain), and an interview with Caroline Criado Perez, the campaigner who got the first woman on British bank notes and a women’s statue in Parliament Sq. It looked at e-voting systems in Taiwan, where the government used a consensus building software product to engage the population in the design of traffic management solutions. Jamie Bartlett spoke about privacy vs. security. There was a session on Digital Liberty & regulation in Nigeria. There was also a session on the privacy vulnerability created by the coming “age verification for porn users” regulations. Many of these lectures are available on the ORG’s Video channel.

The second day consisted mainly of workshops focused on campaigning. There was a workshop that reviewed the technical architecture of the investigatory powers bill (as it then was, i.e. at the architecture and legislative stage). There was a workshop on using the Freedom of Information laws to enhance campaigning, and another on the campaigning tools likely to be offered by the coming General Data Protection Regulation (GDPR), i.e. enhanced subject access requests, the right to be forgotten, the right to remediation, and the right to object and stop processing.

There were sessions on building local Open Rights Group groups, on how campaigners can do IT security effectively, and a review of the ORG’s Blocked tool.

I chaired a session on building a Charter of Digital Rights, with Richard Barbrook and Mara Leverkuhn. Richard announced his initiative to put some more detail behind Jeremy Corbyn’s Digital Manifesto, which they created to support his 2016 Leadership Campaign. I documented/advertised this session on my blog https://davelevy.info/digital-liberties/

ooOOOoo

The relevance of this conference to CISSP certification is in the Regulation & Compliance domain. One of the critical risks to IT organisations is failing to keep up with laws and regulations. The ORG focuses on the law as it relates to privacy, censorship & intellectual property. Businesses need to keep these laws in mind when designing their risk taxonomy and control catalogue.

This was written in Oct 2018, nearly 12 months after the event; I did it to claim CISSP CPD credits. As is normal for me in these circumstances, I have backdated the article to the time of occurrence. …

Digital Liberties

I am just about to set off for ORGcon 2017. It’s a two day conference and I am chairing a panel tomorrow at 15:00.

How to make a People’s Charter of Digital Liberties

Help Labour to make a People’s Charter of Digital Liberties

A small panel discussion led by Richard Barbrook, on how Parliament and the people could build a People’s Charter of Digital Liberties. The panel will be chaired by Dave Levy, a Labour Party member of the ORG Supporters Council, the second panellist will be Mara Leverkuhn, a Labour Party digital rights activist.

In his 2016 leadership campaign, Jeremy Corbyn’s Digital Democracy Manifesto promised that Labour would introduce a People’s Charter of Digital Liberties when elected to power.

This panel and discussion is designed to focus on how this digital bill of rights could be developed: how one might use the networked society’s tools to synthesise opinion, crowdsource the clauses of the Charter and make an actionable development plan. The panel will be small, and maximum time will be given for attendee contributions. …

Passwords

I was pointed at an article in the Washington Post on password security. It’s quite long, so I summarise:

  1. Length is better than complexity (more than 12 bytes).
  2. Simple transformations are no help (don’t capitalise the first letter and end with a 1 or !; mutt5nut5 is considered very easy).
  3. Don’t reuse passwords for accounts that you care about! (A corollary is to delete the accounts on services you no longer use.)
  4. Write the passwords down in a secure place if you have too many, or use a password manager. (They are in favour; I am not so sure.)
  5. Don’t use personal facts about yourself (birthdays, place of birth, pets’ names).

They have conducted some volume research, by cracking and by survey, which they reference in the article, and have built a password checker based on these lessons; but using it breaches one or maybe two of the rules I set myself in my LinkedIn blog article “Password Vaults”. It’s on the internet, and we can’t read the code; that’s not to say it’s not a useful training tool. …
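An added example (mine, not the Washington Post’s checker) of how a local check can apply rules 1, 2 and 5 in Go: it reverses the common digit-for-letter substitutions and strips a trailing digit or symbol run before a dictionary lookup, which is why mutt5nut5 reduces to muttsnuts. The wordlist and the personal facts are constructed stand-ins.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// Constructed stand-in for a cracker's wordlist; real lists run to millions of
// entries and the same rewrite rules are applied to every one of them.
var wordlist = map[string]bool{"muttsnuts": true, "password": true, "letmein": true}
// leet undoes the usual digit and symbol substitutions (rule 2 in the list).
var leet = strings.NewReplacer("0", "o", "1", "l", "3", "e", "4", "a", "5", "s", "7", "t", "@", "a", "$", "s", "!", "i")

// variants returns the forms a cracker would try: lower-cased, with the
// substitutions reversed, and with a trailing digit/symbol run removed.
func variants(pw string) []string {
	low := strings.ToLower(pw)
	trimmed := strings.TrimRightFunc(low, func(r rune) bool {
		return unicode.IsDigit(r) || unicode.IsPunct(r) || unicode.IsSymbol(r)
	})
	return []string{low, leet.Replace(low), trimmed, leet.Replace(trimmed)}
}

// Check applies the rules testable on the string itself (1, 2 and 5); reuse and
// storage (3, 4) are habits, not properties of the password. Empty result = passed.
func Check(pw string, personalFacts []string) []string {
	var reasons []string
	if len([]rune(pw)) < 12 {
		reasons = append(reasons, "shorter than 12 characters")
	}
	for _, v := range variants(pw) {
		if wordlist[v] {
			reasons = append(reasons, "simple transformation of the dictionary word "+v)
			break
		}
	}
	low := strings.ToLower(pw)
	for _, f := range personalFacts {
		if f != "" && strings.Contains(low, strings.ToLower(f)) {
			reasons = append(reasons, "contains personal fact "+f)
		}
	}
	return reasons
}

func main() {
	facts := []string{"Rex", "1984"} // constructed: a pet's name and a birth year
	for _, pw := range []string{"mutt5nut5", "Password1!", "Rex1984lover!", "orange tractor ladder pelican"} {
		fmt.Printf("%-30s %v\n", pw, Check(pw, facts))
	}
}
```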

Research

Techdirt, providing a public service as ever, has posted a piece on confusion in the US Federal Government agencies. Whenever seeking to censor material, one has to prohibit research into the censored material and the techniques used to enforce the censorship. This is equally true in technology, and since encryption is used to ‘protect’ material, in the US they have prohibited research into circumventing “Digital Rights Management” technology, which is used by creative capitalism to manage pay-per-view. This has led to the absurd situation that, in the US, unlocking phones was a prohibited technology for a while. The Copyright Office, often seen as creative capitalism’s agents in Government, has come to the conclusion that copyright law’s interference with security research is a bad thing. Whether they’ll repeal those bits of the law is another matter. …

Wannacry

Having done my best to ensure that my personal systems are as safe as I can make them, I am preparing a personal response to the #wannacry attack last weekend. Meanwhile, I consider this by John Elliot a great response on the public policy side, and this by David Thomas a useful look at the IT security response, where he argues that it’s not just about “Vulnerability Management” and that Technical Debt is not just a funky word to get money for the maintenance budget. Neither of them majors on the NHS IT security failings that made them such a target, but David makes the point that the UK & NHS weren’t the only victims, with Taiwan, Russia, Ukraine and India all suffering from attacks. This, from Microsoft’s Chief Legal Officer, Brad Smith, is also important; he restates Microsoft’s commitment to all its customers and calls for a better government response, including the idea of a digital Geneva convention. The Washington Post describes the discussions inside the NSA and reveals aspects of how they decide whether to release security vulnerabilities or weaponise them. It’s argued that the cyber weapon was like “fishing with dynamite”, but as ever there is no public evidence to allow the people that pay for this to evaluate their claims. …

On the GDPR

The week before last, I attended the BCS legal day and have finally published my notes on this blog. The priority was the coming General Data Protection Regulation. I prefer to write in a style recognising those who have informed me or changed my mind, but the notes have been anonymised as I believe that the day was held under Chatham House rules. The running order has been changed to make the story better and to conform to my preferred priority order of principles, rights, obligations and enforcement. The day consisted of two presentations, entitled “Key Issues” and “the Data Protection Officer”, and one on trends in enforcement. …

Compliance

After attending the BCS IS Security Group meeting yesterday, I began to think about how small (or, more accurately, medium) companies might deal with the additional compliance actions required by the GDPR. There would seem to be two design patterns: a golden source, or an all-knowing switch. The first pattern led me to consider the SaaS solutions, which should be used to dealing with suspects, prospects and customers (CRM), and with any employees, with the ERP solution catering for personal data located in the supply chain. Over the years I have been made aware of Sugar CRM & OpenBravo (ERP); more recently I have looked at the Financial Services KYC problem, and been pointed at kyc.com, an enhanced CRM system designed for the financial services industry. The gap is an industry-leading HR system, and it will surprise none of my long-term friends and colleagues that I think we can assume the fault is in the buying community, where the priority would seem to be recruitment and applicant tracking, although, of course, payroll was the first SaaS offering by an order of decades. …

A note on IT Integrity and authority

I posted an article, which had taken a long time to get approval, on my employer’s blog: Information Integrity, the final frontier. I argue that the business has not taken integrity as seriously as it has availability and confidentiality. In the blog, I state that,

Information integrity requires an accurate representation of the state of the business and the audit records as to how it got there. Modern systems need to record both; it’s not enough that the system is provably accurate, records are required to ensure that transactions and changes are appropriately authorised.

The key insight is that not only must the true state of the data be recorded, but also the person who verified this truth.

The article talks about strong “Requirements Management” and good “Testing” processes, and then about the use of PKI to sign application-to-application feeds or transactions, to guarantee to the system of record that the author is a permitted actor and that the delivered data is accurate and authorised. I also propose that application logs, as proposed under the “Application Security” domain of ISO/IEC 27034, should be used to record the authority/author of a database update.
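As an added illustration of the signed-feed idea (my example, not code from the article or from Citihub), this Go program signs an application-to-application transaction with Ed25519, has the system of record verify it against a registry of permitted actors, and produces the audit record (author, payload digest, time) that would go to the application log. The actor id and payload are constructed, and the in-memory registry stands in for whatever PKI trust store a real deployment would use.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)
// Registry maps each permitted upstream actor id (hypothetical) to its signing key.
type Registry map[string]ed25519.PublicKey

// Feed is one signed application-to-application message.
type Feed struct {
	Actor        string
	Payload, Sig []byte
}
// AuditEntry is stored with the update: who authorised it, when, and a digest of what was applied.
type AuditEntry struct {
	Actor, PayloadSHA string
	When              time.Time
}
// Sign is what the sending application does before emitting a feed.
func Sign(actor string, priv ed25519.PrivateKey, payload []byte) Feed {
	return Feed{Actor: actor, Payload: payload, Sig: ed25519.Sign(priv, payload)}
}
// Accept is what the system of record does: verify the feed against the
// registry and, only on success, return the audit record to write with it.
func Accept(reg Registry, f Feed, now time.Time) (AuditEntry, error) {
	pub, ok := reg[f.Actor]
	if !ok {
		return AuditEntry{}, errors.New("unknown actor " + f.Actor)
	}
	if !ed25519.Verify(pub, f.Payload, f.Sig) {
		return AuditEntry{}, errors.New("signature does not verify for " + f.Actor)
	}
	sum := sha256.Sum256(f.Payload)
	return AuditEntry{Actor: f.Actor, PayloadSHA: hex.EncodeToString(sum[:]), When: now}, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	_, rogue, _ := ed25519.GenerateKey(rand.Reader) // a key the registry does not know
	reg := Registry{"payroll-feed": pub}
	payload := []byte(`{"account":"42","balance":"1250.00"}`) // constructed sample transaction
	fmt.Println(Accept(reg, Sign("payroll-feed", priv, payload), time.Now()))
	fmt.Println(Accept(reg, Sign("payroll-feed", rogue, payload), time.Now()))
}
```

The second call is rejected because the signature does not verify under the registered key, so no audit entry is produced and the update should not be applied.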

ooOOOoo

Given the startling longevity of this blog, I have made a mirror of the Citihub article and loaded it to this site; integrity: the final frontier, a mirror …