STE WILLIAMS

Forget the word ‘cyberwar’ says Marcus Ranum

Security veteran and CSO at Tenable Marcus Ranum has made a plea* for the world to stop using the expression “cyberwar”, for the very good reason that there’s nearly no way in which it resembles war in the physical world.

“How can you call something a domain of warfare when the most important properties of warfare cannot properly be applied to it?” Ranum asked delegates to the AusCERT 2013 last Friday.


A land war, he said, includes the ability to win, defences that might actually work, and manoeuvrability – none of which are tenable concepts in trying to defend computers from attack. He also voiced a deep suspicion that the word “cyberwar” exists solely so that the military can lay claim to it, and all the responsibilities and budgets that go with it.

“Anyone talking about cyberwar is trying to enlarge their influence,” he said.

There are, he added, a lot of people in the US military concerned that “someone’s going to ask ‘why do you have all this expensive cyber security stuff, when you keep getting owned by 14-year-old kids?’”

Whereas victories in a topological war might involve a surrender by one side, he said, “What does ‘winning’ even mean in cyberspace? What does the concept of victory mean?

“As far as I can tell, the only way you can really declare victory in a cyber-battle is if you are Intel, Microsoft and Cisco combined, and you can say to the other side, “you lose” and they agree.

“It’s not going to happen. You cannot conclusively drive your opponent away. In topological warfare, if you attack me with a thousand tanks and I destroy them, then you need another thousand tanks.”

The failure of any defence in cyberspace is just as inevitable as the ultimate failure of every castle ever built, because if an attacker cannot take a position by storm, there’s always bribery or subterfuge.

“The dynamics of warfare simply do not apply in cyberspace. You cannot cost your attacker so much that they can never come back,” Ranum said.

“I do not think of cyberspace as a military thing,” he said, and the use of “cyberwar” represents militaries, companies and governments “Desperately trying to find analogies in old thinking that apply to a new field”. ®

*Bootnote: the usual press cliché is to describe it as an “impassioned plea”. It was the first keynote on the last day of the conference, after the gala dinner, and heads were so sore nobody was being impassioned. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/27/marcus_ranum_at_auscert/


Clearwire to pull Huawei from network

US mobile carrier Clearwire is getting ready to draw down the Huawei kit in its network, in an apparent response to the never-ending story that the vendor is a threat to US national security.

While not a body blow to the Chinese vendor, since it’s won less than five per cent of Clearwire’s LTE build, it will drop yet more fuel onto the FUD-fire that continues to surround the vendor.


“We are materially reducing their footprint in our LTE network,” the company’s CTO John Saw has told FierceWireless.

In essence, FierceWireless reports, Clearwire has attracted the government’s paranoia because Sprint Nextel (majority owner of Clearwire, and with a bid in for the shares it doesn’t already hold) is itself subject to an offer by SoftBank from Japan.

The Japanese company is offering more than $US20 billion for 70 percent of Sprint, a deal that requires federal approval which would be smoothed somewhat if the billion-dollar project to remove the Huawei kit proceeds.

The Chinese vendor’s sole presence in the network, according to Saw, was at the edge, in the form of base stations, with Cisco and Ciena handling the network core.

Even at the edge of the network is apparently too close for the Feds.

Only a cynic, or practically anyone whose memory reaches back to the 1990s, would suspect that America was wrapping its own vendors in the flag as a bulwark against international competition. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/27/clearwire_to_pull_huawei_from_network/

Iran fingered for attacks on US power firms

Iranian hackers are launching state-sanctioned attacks on US energy firms and hope to sabotage critical infrastructure by targeting industrial control systems, according to American officials.

The attacks on oil, gas and power firms have so far concentrated on accruing information on how their systems work – a likely first step in a co-ordinated campaign that would eventually result in attacks aimed at disrupting or destroying such infrastructure.


The prospect of such attacks has senior American officials more worried than the espionage-related incursions which Chinese state-sponsored attackers have been blamed for, according to the Wall Street Journal.

“This is representative of stepped-up cyber activity by the Iranian regime. The more they do this, the more our concerns grow,” one anonymous official told the ‘paper. “What they have done so far has certainly been noticed, and they should be cautious.”

Iran has form when it comes to disrupting US critical infrastructure, having been blamed at the beginning of the year for a series of denial of service attacks on banks in the country.

However, sabotaging industrial control systems represents a greater level of sophistication on the part of the attackers and a serious risk to be managed by those energy firms involved.

Just last week, a report by Congressmen Ed Markey and Henry Waxman urged electricity companies to improve their security posture, after revealing that more than a dozen of those surveyed reported their systems were under “daily”, “frequent” or “constant” attack.

Ironically, some have argued that it was the infamous Stuxnet attack – widely believed to be a US-led effort to disrupt Iran’s nuclear program – which not only showcased the dramatic potential of targeting industrial control systems, but also drove Iran to beef up its own cyber defence and attack capabilities.

Unsurprisingly, the Islamic republic has maintained it is the victim, not the perpetrator, of attacks.

The Journal quotes Iranian spokesperson Alireza Miryousefi as saying “Although Iran has been repeatedly the target of state-sponsored cyber attacks, attempting to target Iran’s civilian nuclear facilities, power grids, oil terminals and other industrial sectors, Iran has not ever retaliated against those illegal cyber attacks.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/27/iran_payback_stuxnet_ics_attacks/

Sky News Google Play page defaced

Sky News seems to have a habit of letting its credentials escape into the outside world, apparently letting the Syrian Electronic Army get its paws on its Google Play admin account.

As a result, it’s had the embarrassment of having the Sky News app screenshots in Google Play replaced with an announcement that “The Syrian Electronic Army Was Here”.

To rub salt into the wound, the company’s help desk Twitter account was also taken over to send out a message stating “Both Sky+ and SkyNews Android apps were replace, please uninstall”. However, that claim may have exaggerated the extent of the attack, since it seems more likely at this stage to be a case of the SEA putting its graffiti on the Google Play store page for the Sky News apps.

The account takeover also included redirecting the developer help e-mail account to the SEA.

Former Reuters social media editor Matthew Keys says he was alerted to the account takeover when the SEA sent him this screenshot:

Sky News' compromised Google Play page

The screenshot sent to former Reuters social media editor Matthew Keys

It’s not the first time Sky News has been embarrassed by being careless with security. Earlier in May 2013, one of its Twitter accounts was compromised to post “Colin was here”. In 2009, a Web petition being run by the broadcaster was defaced.

The Register has contacted Sky News seeking further information on the attack, but has yet to receive a response. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/26/sky_news_google_play_hack/

Experts: Network security deteriorating, privacy a lost cause

Ethernet Summit Internet and network security is bad, and it’s going to get worse before it gets better. To make it better, CIOs and IT admins need to rethink the way that they approach protecting their networks from hackers and other miscreants.

“We’ve got North Korea with ICBMs and we’ve got Iran developing an atomic bomb, but that’s not our biggest problem,” Brocade Communications chairman David House said at a future-forecasting panel during the Ethernet Innovation Summit this week in Mountain View, California. “Our biggest problem is cyber security.”


When talking about security, House wasn’t referring to privacy – that game has already been lost. “Give it up,” he said, “it’s over – everybody’s going to know everything.”

Every click you make on the web is already being tracked. “Right now, Amazon and Google know everything about everything you do, and the ads that pop up are all related to stuff that you have been looking at or you thought about,” House said. “They already know about you.”

But that’s not the problem. “Guess what? Larry Page doesn’t give a damn about you or any of that information,” he said. “It’s just a computer out there that knows about you.” You’re not that computer’s target, your buying habits are. “This is just a bunch of data and big data and databases that’s marketing to a market of one.”

If not Page – or, rather, his all-seeing computer – then who should we be worried about regarding our privacy? According to House, it’s hackers. “Everything is going to be known about you, and the guy who can hack into it is going to know everything about you,” he said. “It’s the hacker you need to worry about, not Google itself.”

The way that we’ve architected our networks has exacerbated the privacy problem, House argues. “We’ve been spending the last 40 years abstracting up from the piece of wire to higher and higher levels,” he said, “and visualization and software-defined networks are just another layer of abstraction that we’re putting into the environment.”

All that abstraction is providing more and more ways for hackers to break into networks. “Every one of these layers is a tunnel that people can go through to access things that they shouldn’t have access to,” he warned.

At another Summit session, a gaggle of security execs expressed equally pessimistic concerns. For example, Alan Kessler, CEO of data-security company Vormetric, has given up on traditional security measures. “Building a fortress around your network no longer works,” he said. “The bad guys are already inside. They already have access to your network – in fact, you may have hired them.”

Kessler also is of the opinion that the advent of cloud computing has brought with it another threat layer. “Even if you’re confident that you’re running your data center, you can trust your people, what if your data is in someone else’s cloud? How do you know whether the systems administrator who’s managing that server is someone you can trust?”

From Kessler’s point of view – and remember, his company is in the data-security business, so he’s paid to be paranoid – you can’t. Merely protecting your network from intrusion isn’t the way to ensure security. Instead, you should focus on locking down your data, and not just your network.

That data-lockdown point of view is shared by Jason Brvenik, VP for security strategy at SourceFire, a – surprise! – network security company. He also said that one glaring proof of the sorry state of network security is the unconscionably long time between when a network is compromised and when a company becomes aware of that fact – one Verizon study put the average time of that gap at over 100 days.

Brvenik said that companies need to use improved analytics to gather more detailed visibility into network activity, and to better share information about how they’ve been compromised. If they do, he said, “We can close that gap down. We can close it to weeks. We can close it to days. For some organizations we may even be able to close it down to hours or minutes.”

Brian Smith, CTO and cofounder of security analytics software vendor Click Security, agreed with Brvenik about information-sharing. “People tend to be very secretive about their security threats,” he said, “and we need as an industry to start sharing that knowledge more, because the attackers are essentially businesses – they’ve developed a piece of software and then they want to make a return on investment on it.”

The attackers do that, Smith said, by attacking one company, then another, then another, and so on, profiting on each attack. “We want to collapse that economy,” he said – and if a compromised company would share with other companies details about how it was compromised, it would make it more difficult for attackers to achieve their business goal of a healthy ROI.

But no security scheme will work unless a company has well-trained network-security techs on its payroll – and there aren’t that many of them to go around.

Most organizations, Smith said, simply realize, “Oh, we should worry about security – and then they appoint one of the IT guys, and say, ‘You’re now head of security – and, oh, by the way, you haven’t lost your day job’.” That won’t cut it, he said. Instead companies need to invest in training, education, and “professionalization” of network-security administrators.

Training users, however, is a lost cause. As Manish Gupta, SVP of products at “next-generation threat protection” developer FireEye put it, “You can’t put restrictions on users. It has never worked in the past, and it’ll never work in the future.” Or as Kessler put it, if you have a user who wants to run down the hallway with scissors, a security professional’s job is to help them do that as safely as possible, because they’re still going to run with scissors.

Smith also said that a more vigorous attack on hackers was needed. “I think that for the last 20 years or so we’ve taken the approach as an industry of trying to armor the sheep. I think we need to start hunting the wolves,” he said.

“We have tried to make the devices more secure by putting anti-virus [software] on them, by putting controls in the network that prevent breaches,” Smith said.

“And the fact is that the bad guys just figure out ways around them.” Those preventative measures have been so ineffective that a Verizon breach report concluded that only 5 per cent of intrusions were uncovered by security processes.

“Of the sixty billion dollars that the industry spends on IT security,” he said, “they detect one in twenty intrusions that compromise those devices.”

So, more training, better data-lockdown, improved analytics, shortened intrusion-detection times – oh yes, and wolf-hunting. These measures all might help, but as for now the problem remains.

Until all those measures – and likely more – are accomplished, well, as Brocade’s House put it, “Security is going to get worse.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/24/network_security_is_bad_and_its_going_to_get_worse/

Security Twitteratti: Twitter’s 2FA does sweet FA for biz

Security-watchers don’t appear overly impressed with Twitter’s introduction of two-factor authentication (2FA) to its service.

While some infosec experts welcomed the move, others argued that while it might help protect the accounts of individuals, it is ill-suited to the safeguarding of shared accounts of organisations – many of which have fallen victim to recent hijacking attacks.


On 22 May, users of the iconic micro-blogging service were given the option of using the 2FA service – which verifies login attempts by way of a code sent to a pre-registered mobile phone, as explained in a blog post by Twitter.

The introduction of something stronger than basic user name and password authentication follows a spate of hijacking attacks over recent weeks where a long list of media organisations – including AP, The Telegraph, the BBC, The Guardian, The Financial Times and satirical news site The Onion – have had their Twitter feeds hijacked to promote propaganda from the pro-Assad Syrian Electronic Army.

The Telegraph and The Onion both said after the attack that they had been pwned via a determined multi-stage phishing attack where the attackers ultimately gained control of webmail accounts running social networking feeds.

High-profile individuals, including former Doctor Who actress Karen Gillan, have also had their Twitter feeds hacked to promote diet pill scams and other such crud.

Multi-user access, anyone?

But 2FA is useless to media organisations, or even small businesses, which have multiple users requiring access to the same account, experts contend.

“Media organisations which share breaking news via social media typically have many staff, around the globe, who share the same Twitter accounts,” explained Graham Cluley in a post to Sophos’s Naked Security blog. “2FA isn’t going to help these companies, because they can’t all access the same phone at the same time.

“Either those people will have to leave themselves permanently logged into Twitter (which is itself unwise from the security perspective), or one central trusted person will have to ‘own’ the phone – and share the six-digit code with journalists as they try to log in to share breaking news stories. It’s a complex problem to fix, and for that reason many media organisations may choose not to enable Twitter’s additional security at this time.”

Virus Bulletin anti-spam test director Martijn Grooten added that the same problem would be faced by most businesses that maintain a corporate Twitter feed.

“So if I want to share the company’s Twitter account with a colleague and set up two-factor authentication, we’d have to share a phone too,” he notes.

Jeremiah Grossman, CTO of WhiteHat Security, was more upbeat in making much the same point. “Twitter rolls out 2FA for users: good stuff, but how to support shared accounts,” he said.

A job listing, which has since been pulled, posted in February suggests Twitter has been looking for coders to develop “user-facing security features, such as multi-factor authentication and fraudulent login detection” for some months.

Cluley added that Twitter could learn lessons from Facebook, which has had a two-step login approval system since 2011, and also has multi-user access.

“In time, Twitter will surely mature and offer appropriate security, and mechanisms which recognise how many corporate brands and news organisations are using Twitter today,” he said.

“Maybe they will one day adopt a system like Facebook has, where multiple users can have access to an account – all with different levels of authority, all with different usernames and passwords.”

GooglePlus has also created a more sophisticated authentication set-up for shared accounts, Cluley told El Reg. “Google Plus and Facebook both give a way for individuals to have access to a brand page, but log in through their individual accounts (using 2FA, and different passwords),” he explained.
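The per-person access model Cluley describes above (each staff member logging in as themselves with their own texted code, and holding a level of authority on the shared brand account) can be sketched as follows. This is an added example, not code from the article or from Twitter, Facebook or Google; the class, role names, code lifetime and attempt limit are assumptions, and the SMS gateway is simulated by a list.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL = 300      # seconds a texted code stays valid (assumed value)
MAX_ATTEMPTS = 3   # tries allowed per issued code (assumed value)
ROLES = {"editor": {"post"}, "admin": {"post", "grant", "revoke"}}  # hypothetical roles


def _hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class BrandAccessService:
    """Hypothetical service: staff log in as themselves, then act for a brand."""

    def __init__(self, clock=time.time):
        self.clock = clock      # injectable so expiry can be exercised
        self.users = {}         # username -> {"salt", "pw", "phone"}
        self.pending = {}       # username -> {"code", "expires", "tries"}
        self.sessions = {}      # session token -> username
        self.grants = {}        # (brand, username) -> role
        self.sms_outbox = []    # stands in for an SMS gateway: (phone, code)

    def register(self, username, password, phone):
        salt = secrets.token_bytes(16)
        self.users[username] = {"salt": salt, "pw": _hash_pw(password, salt),
                                "phone": phone}

    def create_brand(self, brand, owner):
        self.grants[(brand, owner)] = "admin"

    def start_login(self, username, password):
        """Factor one: check this person's own password, then text them a code."""
        user = self.users.get(username)
        if user is None or not hmac.compare_digest(
                user["pw"], _hash_pw(password, user["salt"])):
            return False
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[username] = {"code": code, "tries": 0,
                                  "expires": self.clock() + OTP_TTL}
        self.sms_outbox.append((user["phone"], code))
        return True

    def finish_login(self, username, code):
        """Factor two: the code must be unexpired, unused and within the try limit."""
        entry = self.pending.get(username)
        if entry is None:
            return None
        entry["tries"] += 1
        if self.clock() > entry["expires"] or entry["tries"] > MAX_ATTEMPTS:
            del self.pending[username]      # burn the code; user must start again
            return None
        if not hmac.compare_digest(entry["code"].encode(), code.encode()):
            return None
        del self.pending[username]          # single use
        token = secrets.token_urlsafe(32)
        self.sessions[token] = username
        return token

    def _allowed(self, token, brand, action):
        # The role is looked up on every call, so a revocation takes effect
        # immediately even if the person still holds a session token.
        user = self.sessions.get(token)
        role = self.grants.get((brand, user))
        return user if role and action in ROLES[role] else None

    def grant(self, token, brand, username, role):
        if role not in ROLES or self._allowed(token, brand, "grant") is None:
            return False
        self.grants[(brand, username)] = role
        return True

    def revoke(self, token, brand, username):
        if self._allowed(token, brand, "revoke") is None:
            return False
        self.grants.pop((brand, username), None)
        return True

    def post(self, token, brand, text):
        """Return an audit record naming the individual, or None if not permitted."""
        user = self._allowed(token, brand, "post")
        if user is None:
            return None
        return {"brand": brand, "author": user, "text": text}
```

No password or phone is shared: removing one person's grant leaves everyone else's access untouched, and every post is attributable to an individual.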

Logging in through your smartphone? When 2 (factors) become 1

David Emm, senior security researcher at Kaspersky Lab UK, said that while two-factor authentication will make it harder for hackers to hijack accounts, there are some potential pitfalls with the new approach, even for consumers. He is less critical than Cluley about Twitter’s design choices.

“It’s easy to see why Twitter has chosen to use SMS as the second authentication method,” Emm explained. “Nearly everyone today has a mobile phone, so this method doesn’t require people to carry around an extra token or device that generates the one-time passcode. Additionally, the cost of rolling out this technology is minuscule in comparison to investing in tokens and shipping them to its customers.”

“However, there are some potential pitfalls with using SMS as an authentication method. Many people log into their Twitter account from their smartphone via the Twitter app which doesn’t require login credentials to be entered each time. This means that the same device is being used for both authentication factors and if this device is lost or stolen, whoever finds (or has stolen) it will be able to access the account. Therefore, in effect, there is no longer two-factor authentication.

“Also, it is possible that we will see the development of smartphone-based malware that is specifically designed to steal the SMS authentication code. We have already seen similar malware designed to steal mTAN numbers for banking transactions. Examples include ZitMo (ZeuS-in-the-Mobile),” he added.

Cluley agreed that even those who enabled two-factor authentication were still vulnerable to some of the more sophisticated forms of phishing and man-in-the-middle-attacks.

“Determined online criminals could use “man-in-the-middle” techniques to grab the six-digit passcode alongside your password and username,” Cluley explained. “So, even if you do turn on Twitter’s 2FA, you still need to double-check that when you enter your username and password, or your six-digit code, that you are *really* on Twitter’s https website. Otherwise, the crooks can just use all three items to log in as you,” he warned.

Emm was more willing to give Twitter some credit for moving in the right direction in giving users improved authentication tools. “Twitter’s use of two-factor authentication should be welcomed with open arms,” he said.

“Two-factor authentication makes it difficult for someone to hijack an account by adding another method of validation. To date, a static password has been the only thing securing Twitter accounts, and all too often these are easy to guess,” he concluded. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/24/twitter_2fa_analysis/

Wikileaks leaks documentary script about Wikileaks

Wikileaks has released a transcript of a documentary about its history so it can add notes to each section saying “Wrong!”, a day before the film debuts.

The secret-spilling site has taken umbrage with We Steal Secrets: The Story of Wikileaks, which is set to debut in New York and Los Angeles today and released a transcript of the documentary online yesterday.


The annotated transcript, which can be found on the Justice4Assange website, comes with an introductory note claiming that the documentary is “filled with errors and speculation”.

“The stock footage used has been heavily edited, in some places distorting what was said,” the note said. “This is unprofessional and irresponsible in light of ongoing legal proceedings. It trivialises serious issues.”

The site highlights the point at which the film implies that top Wikileaker Julian Assange could be guilty of “conspiring with Bradley Manning”.

“This is not only factually incorrect, but also buys into the current US government position that journalists and publishers can be prosecuted as co-conspirators with their alleged sources or with whistleblowers who communicate information to them,” the note said.

It also said that neither Assange nor anyone else at Wikileaks agreed to be in the documentary because they’re all going to be in a film “by respected Academy Award-nominated film-maker Laura Poitras” out later in the year.

Guardian investigative journalist Nick Davies also caught some flak for claiming Assange had said Afghan supporters of foreign military forces in their country “deserve to die”.

The documentary was commissioned by Universal for $2m and was made by film-maker Alex Gibney, according to the note, which also mentions that yet another film, “co-produced with Ken Loach’s 16 Films, will be released shortly”. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/24/wikileaks_leaks_documentary_transcript/

INSIDE GCHQ: Welcome to Cheltenham’s cottage industry

Geek’s Guide to Britain For staff at the Government Communications Headquarters (GCHQ) in Cheltenham, there’s an air of Fight Club about the place. The first rule about GCHQ is you don’t talk about GCHQ.

It’s a well observed tradition, even though there are road signs and a bus route directing you to this highly secret establishment, the nerve centre of Britain’s communications surveillance operations.

GCHQ Benhall doughnut aerial view

GCHQ Benhall … does a doughnut keep better secrets? Source: Bing Maps/Digital Globe

The design of the doughnut-shaped building at Benhall has attracted a fair share of attention since its completion in late 2003. Indeed, if you take a look at the site from Google Earth, you might wonder if it inspired Steve Jobs’ plans for a new circular Apple building – a company that also likes to keep secrets.

Benhall is now the primary home of GCHQ and the majority of the service’s 5,300 employees are based here. The organisation’s own website describes itself as “one of the three UK Intelligence Agencies and forms a crucial part of the UK’s National Intelligence and Security machinery”. The other two are the Security Service (MI5) and the Secret Intelligence Service (MI6).

In years gone by, GCHQ in Cheltenham was spread over two sites a few miles apart: Oakley and Benhall. The Oakley site has largely given way to a housing development although some buildings remain with the barbed wire fence rather menacingly separating it from a kids’ play area on the new estate. While undoubtedly unintentional, this incongruousness does appear strangely Soviet – it’s perhaps fitting given Cold War concerns became GCHQ’s raison d’être in the 1950s.

GCHQ Oakley remnants

GCHQ Oakley … recreation and razor wire live side by side these days

I was born into a GCHQ family as my parents met there. As I write, it now occurs to me that if GCHQ didn’t exist, neither would I. Spooky. I lived in a GCHQ house, too – purpose built to accommodate the growing workforce – and I could see Benhall’s satellite dishes from my bedroom window.

I worked there too, and before I tread further along this telecommunications taboo tightrope I should mention to our colonial cousins that what we have here is the equivalent of America’s National Security Agency (NSA). For me, this association came in handy when applying for a US visa to visit a GCHQ colleague working for that ultra-hush-hush outfit. Mentioning those three initials at the US Embassy had my passport visa stamp in seconds.

Incidentally, I did ask the GCHQ press office if there was any chance of a tour of the building or even some publicity pictures of the interior. Admittedly, there was a bit of wishful thinking behind the former – there were employee family tours when the building was complete – but the answer was no. The polite response to the latter request was that pictures would be considered on condition the article could be viewed before publication. That’s against our editorial policy, but chances are they’ve done that already.

Official Secrets Act street sign

Official Secrets Act warning … and that’s just the car park

I decided to take some photos myself, which are no more intrusive than those found on Google Streetview. It was only later that I spotted a “no photographs” sign, but as I was some distance away, I didn’t notice it at first. I doubt I’d notice if I’m now being followed or having my communications tampered with as a result, but it would seem like a waste of time and of public money.

If you do go on a tour of ‘Nam, taking pics aplenty up to the wire wouldn’t be a very good idea. The security staff, many of whom are ex-servicemen, take a dim view of this sort of thing.

Choosing Cheltenham

As part of my research for this piece, I dug up Peter Freeman’s 34-page booklet titled How GCHQ came to Cheltenham, which lays out a longer story than I’d anticipated. Freeman details the early years and the decision-making process that saw this sleepy Cotswold town – that for 75 years up to 1945 had a static population of 50,000 – undergo significant changes when GCHQ became operational. The population swelled by 20 per cent in the 1950s with a housing programme in place to support Cheltenham’s new cottage industry: intelligence gathering.

Freeman remarks that the Ministry of Health’s initial views were that “Cheltenham did not want civil servants and already had plenty of local employment”. The Ministry of Works leaned on the Ministry of Health and consequently the town now breeds civil servants.

How GCHQ came to Cheltenham and Bletchley Park booklets

Early GCHQ history by staffer Peter Freeman

I was reading an exclusive edition of Freeman’s work which features various handwritten corrections and additional detail courtesy of my mother, and she would know being on the 1950s-era Foreign Office recruitment team based above the Ministry of Food bureau in Clarence Street, Cheltenham (rationing was still in operation in post-war Britain). Their task was to find the right stuff to staff Oakley and Benhall.

Yet how GCHQ came to Cheltenham owes more to what the Americans left behind after World War II than any strategic importance to the spa town’s location. The Oakley and Benhall sites were purchased by the Ministry of Works in 1939 and building works began for the purpose of housing government departments if an evacuation from London’s Whitehall became necessary. During the Blitz, some ministries had to move fast and ended up arriving before work on the temporary office blocks was complete. Each site had six of these utilitarian, single storey, 12-spur buildings that, in total, clocked up over 400,000sq ft of office space.

With the Blitz over, various departments returned to London, and the Americans, now involved in the war, found themselves at these two sites running a major HQ. The US SOS (Services of Support) dealt with logistics for the European Theatre of Operations, US Army (ETOUSA), and the buildings were used as offices for this communications hub. According to Freeman, the Americans arrived in secret and those coming from London had exclusive trains laid on to keep their movements under wraps. The railway staff at Paddington weren’t so clued up though, and slapped up signs on the platform saying “US Forces To Cheltenham”. As the Yanks dug in at ‘Nam, they consequently installed a substantial network of landlines which remained after the war.

US Forces await secret train to Cheltenham

US Forces in covert UK transportation ops … lucky they kept this quiet

Source: HyperWar

The clincher was when Cheltenham was visited by a staffer from GCHQ – then based at Bletchley Park near Milton Keynes – who knew of the site at Benhall, which was where the Ministry of Pensions had taken residence prior to an eventual move to Blackpool. Posing as an Admiralty official on a pensions fact-finding mission, he was granted a tour of the site and wrote up a favourable report of the place. Although there would be numerous inter-departmental and financial wrangles to follow, GCHQ eventually made its home in Cheltenham in the early 1950s.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/24/geeks_guide_gchq/

Did Kim Dotcom invent 2-factor authentication? Er, not exactly…

Twitter is the latest major web service to beef up its security with two-factor authentication (2FA). The security feature is a pretty simple and effective approach – and one the notorious Mega kingpin Kim Dotcom claims today to have invented back in the ’90s.

Two-factor auth is a simple process for verifying that the user accessing a service is legitimate. A random code is sent from the web service (via SMS) to the person’s phone, and the user then types the code into an authentication dialog on a web page.

But did Dotcom really invent 2FA for remote authentication? In short, it appears he did not.

In 1996, the then-Kim Schmitz filed for a patent entitled “Method for authorizing in data transmission systems”. The patent has a priority date of 29 April 1997, and it does indeed describe a two-factor authentication system. The user logs into a service, triggers a secondary authentication request, and this is fulfilled by SMS.

But Ericsson filed a patent titled “User authentication method and apparatus” with a priority date of 24 June 1994 that also covered 2FA using a pager or phone. A later patent filed by Nokia [“Method for obtaining at least one item of user authentication data”] with a priority date of 23 February 1996 resembles even more closely the 2FA approach used on the web today.

Kim Dotcom’s patent through the European Patent Office was cancelled in 2011 after opposition from Ericsson.

Kim Dotcom’s US patent remains in force. Whether the US Patent Office or the United States District Court of Texas would confirm the validity of the patent is an interesting question.

On his Twitter page, Kim Schmitz/Dotcom describes himself as an “innovator”. To earn the title, you’ve got to introduce something new. Kim Schmitz/Dotcom – in this case at least – doesn’t appear to have done so. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/24/kim_dotcom_2fa_no/